Catalyst 3560 Switch Software Configuration Guide Cisco IOS Release 12.2(50)SE March 2009 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS Preface xlv Audience xlv Purpose xlv Conventions xlvi Related Publications xlvi Obtaining Documentation, Obtaining Support, and Security Guidelines CHAPTER 1 Overview 1-1 Features 1-1 Ease-of-Deployment and Ease-of-Use Features Performance Features 1-3 Management Options 1-4 Manageability Features 1-5 Availability and Redundancy Features 1-7 VLAN Features 1-7 Security Features 1-8 QoS and CoS Features 1-11 Layer 3 Features 1-12 Power over Ethernet Features 1-13 Monitoring Features 1-13
Understanding CLI Error Messages 2-5 Using Configuration Logging 2-5 Using Command History 2-6 Changing the Command History Buffer Size 2-6 Recalling Commands 2-6 Disabling the Command History Feature 2-7 Using Editing Features 2-7 Enabling and Disabling Editing Features 2-7 Editing Commands through Keystrokes 2-7 Editing Command Lines that Wrap 2-9 Searching and Filtering Output of show and more Commands 2-10 Accessing the CLI 2-10 Accessing the CLI through a Console Connection or through Te
Modifying the Startup Configuration 3-16 Default Boot Configuration 3-16 Automatically Downloading a Configuration File 3-16 Specifying the Filename to Read and Write the System Configuration 3-16 Booting Manually 3-17 Booting a Specific Software Image 3-18 Controlling Environment Variables 3-18 Scheduling a Reload of the Software Image 3-20 Configuring a Scheduled Reload 3-20 Displaying Scheduled Reload Information 3-21 CHAPTER 4 Configuring Cisco EnergyWise 4-1 Managing Single Entities 4-
Examples 4-15 Querying with the Name Attribute 4-15 Querying with Keywords 4-16 Querying to Set Power Levels 4-16 Troubleshooting EnergyWise 4-16 Using CLI Commands 4-17 Verifying the Power Usage 4-17 Additional Information 4-18 Managing Power in a LAN 4-18 Managing Power with IP Routing 4-18 CHAPTER 5 Configuring Cisco IOS Configuration Engine 5-1 Understanding Cisco Configuration Engine Software 5-1 Configuration Service 5-2 Event Service 5-3 NameSpace Mapper 5-3 What You Should Know About
Planning a Switch Cluster 6-4 Automatic Discovery of Cluster Candidates and Members 6-4 Discovery Through CDP Hops 6-5 Discovery Through Non-CDP-Capable and Noncluster-Capable Devices Discovery Through Different VLANs 6-6 Discovery Through Different Management VLANs 6-7 Discovery Through Routed Ports 6-8 Discovery of Newly Installed Switches 6-9 HSRP and Standby Cluster Command Switches 6-10 Virtual IP Addresses 6-10 Other Considerations for Cluster Standby Groups 6-11 Automatic Recovery of Cluste
Configuring a System Name and Prompt 7-14 Default System Name and Prompt Configuration 7-15 Configuring a System Name 7-15 Understanding DNS 7-15 Default DNS Configuration 7-16 Setting Up DNS 7-16 Displaying the DNS Configuration 7-17 Creating a Banner 7-17 Default Banner Configuration 7-17 Configuring a Message-of-the-Day Login Banner 7-18 Configuring a Login Banner 7-18 Managing the MAC Address Table 7-19 Building the Address Table 7-20 MAC Addresses and VLANs 7-20 Default MAC Address Table C
Disabling Password Recovery 9-5 Setting a Telnet Password for a Terminal Line 9-6 Configuring Username and Password Pairs 9-6 Configuring Multiple Privilege Levels 9-7 Setting the Privilege Level for a Command 9-8 Changing the Default Privilege Level for Lines 9-9 Logging into and Exiting a Privilege Level 9-9 Controlling Switch Access with TACACS+ 9-10 Understanding TACACS+ 9-10 TACACS+ Operation 9-12 Configuring TACACS+ 9-12 Default TACACS+ Configuration 9-13 Identifying the TACACS+ Server Host
Configuring the Switch for Local Authentication and Authorization 9-36 Configuring the Switch for Secure Shell 9-37 Understanding SSH 9-38 SSH Servers, Integrated Clients, and Supported Versions 9-38 Limitations 9-39 Configuring SSH 9-39 Configuration Guidelines 9-39 Setting Up the Switch to Run SSH 9-39 Configuring the SSH Server 9-40 Displaying the SSH Configuration and Status 9-41 Configuring the Switch for Secure Socket Layer HTTP 9-42 Understanding Secure HTTP Servers and Clients 9-42 Cert
802.1x Readiness Check 10-14 802.1x Authentication with VLAN Assignment 10-14 Using 802.1x Authentication with Per-User ACLs 10-15 802.1x Authentication with Downloadable ACLs and Redirect URLs 10-16 Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL 10-17 Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs 10-17 802.1x Authentication with Guest VLAN 10-17 802.1x Authentication with Restricted VLAN 10-18 802.
Setting the Re-Authentication Number 10-44 Configuring 802.1x Accounting 10-45 Configuring a Guest VLAN 10-46 Configuring a Restricted VLAN 10-47 Configuring the Inaccessible Authentication Bypass Feature 10-49 Configuring 802.1x Authentication with WoL 10-52 Configuring MAC Authentication Bypass 10-53 Configuring NAC Layer 2 802.1x Validation 10-54 Configuring 802.1x Switch Supplicant with NEAT 10-55 Configuring 802.
Using Interface Configuration Mode 11-10 Procedures for Configuring Interfaces 11-11 Configuring a Range of Interfaces 11-11 Configuring and Using Interface Range Macros 11-13 Configuring Ethernet Interfaces 11-14 Default Ethernet Interface Configuration 11-15 Setting the Type of a Dual-Purpose Uplink Port 11-16 Configuring Interface Speed and Duplex Mode 11-17 Speed and Duplex Configuration Guidelines 11-18 Setting the Interface Speed and Duplex Parameters 11-18 Configuring IEEE 802.
CHAPTER 13 Configuring VLANs 13-1 Understanding VLANs 13-1 Supported VLANs 13-2 VLAN Port Membership Modes 13-3 Configuring Normal-Range VLANs 13-4 Token Ring VLANs 13-6 Normal-Range VLAN Configuration Guidelines 13-6 VLAN Configuration Mode Options 13-7 VLAN Configuration in config-vlan Mode 13-7 VLAN Configuration in VLAN Database Configuration Mode Saving VLAN Configuration 13-7 Default Ethernet VLAN Configuration 13-8 Creating or Modifying an Ethernet VLAN 13-9 Deleting a VLAN 13-10 Assi
VMPS Configuration Guidelines 13-29 Configuring the VMPS Client 13-30 Entering the IP Address of the VMPS 13-30 Configuring Dynamic-Access Ports on VMPS Clients 13-30 Reconfirming VLAN Memberships 13-31 Changing the Reconfirmation Interval 13-31 Changing the Retry Count 13-32 Monitoring the VMPS 13-32 Troubleshooting Dynamic-Access Port VLAN Membership 13-33 VMPS Configuration Example 13-33 CHAPTER 15 Configuring Voice VLAN 15-1 Understanding Voice VLAN 15-1 Cisco IP Phone Voice Traffic 15-2
VTP Configuration Guidelines 16-8 Domain Names 16-8 Passwords 16-8 VTP Version 16-8 Configuration Requirements 16-9 Configuring a VTP Server 16-9 Configuring a VTP Client 16-11 Disabling VTP (VTP Transparent Mode) 16-12 Enabling VTP Version 2 16-13 Enabling VTP Pruning 16-14 Adding a VTP Client Switch to a VTP Domain 16-14 Monitoring VTP 16-16 CHAPTER 14 Configuring Private VLANs 14-1 Understanding Private VLANs 14-1 IP Addressing Scheme with Private VLANs 14-3 Private VLANs across Multiple
System MTU 16-5 IEEE 802.1Q Tunneling and Other Features Configuring an IEEE 802.
Configuring a Secondary Root Switch 17-16 Configuring Port Priority 17-17 Configuring Path Cost 17-18 Configuring the Switch Priority of a VLAN 17-19 Configuring Spanning-Tree Timers 17-20 Configuring the Hello Time 17-20 Configuring the Forwarding-Delay Time for a VLAN 17-21 Configuring the Maximum-Aging Time for a VLAN 17-21 Configuring the Transmit Hold-Count 17-22 Displaying the Spanning-Tree Status 17-22 CHAPTER 18 Configuring MSTP 18-1 Understanding MSTP 18-2 Multiple Spanning-Tree Reg
Configuring Port Priority 18-19 Configuring Path Cost 18-20 Configuring the Switch Priority 18-21 Configuring the Hello Time 18-22 Configuring the Forwarding-Delay Time 18-23 Configuring the Maximum-Aging Time 18-23 Configuring the Maximum-Hop Count 18-24 Specifying the Link Type to Ensure Rapid Transitions 18-24 Designating the Neighbor Type 18-25 Restarting the Protocol Migration Process 18-25 Displaying the MST Configuration and Status 18-26 CHAPTER 19 Configuring Optional Spanning-Tree Fe
Flex Link Multicast Fast Convergence 20-3 Learning the Other Flex Link Port as the mrouter Port 20-3 Generating IGMP Reports 20-3 Leaking IGMP Reports 20-4 Configuration Examples 20-4 MAC Address-Table Move Update 20-6 Configuring Flex Links and the MAC Address-Table Move Update 20-7 Default Configuration 20-8 Configuration Guidelines 20-8 Configuring Flex Links 20-9 Configuring VLAN Load Balancing on Flex Links 20-11 Configuring the MAC Address-Table Move Update Feature 20-12 Monitoring Flex Li
Configuring IP Source Guard 21-16 Default IP Source Guard Configuration 21-16 IP Source Guard Configuration Guidelines 21-17 Enabling IP Source Guard 21-17 Displaying IP Source Guard Information 21-19 Understanding DHCP Server Port-Based Address Allocation 21-19 Configuring DHCP Server Port-Based Address Allocation 21-19 Default Port-Based Address Allocation Configuration 21-19 Port-Based Address Allocation Configuration Guidelines 21-20 Enabling DHCP Server Port-Based Address Allocation 21-20
Configuring IGMP Snooping 23-6 Default IGMP Snooping Configuration 23-7 Enabling or Disabling IGMP Snooping 23-7 Setting the Snooping Method 23-8 Configuring a Multicast Router Port 23-9 Configuring a Host Statically to Join a Group 23-10 Enabling IGMP Immediate Leave 23-10 Configuring the IGMP Leave Timer 23-11 Configuring TCN-Related Commands 23-12 Controlling the Multicast Flooding Time After a TCN Event Recovering from Flood Mode 23-13 Disabling Multicast Flooding During a TCN Event 23-13 Conf
Configuring Protected Ports 24-6 Default Protected Port Configuration 24-6 Protected Port Configuration Guidelines 24-7 Configuring a Protected Port 24-7 Configuring Port Blocking 24-7 Default Port Blocking Configuration 24-8 Blocking Flooded Traffic on an Interface 24-8 Configuring Port Security 24-8 Understanding Port Security 24-9 Secure MAC Addresses 24-9 Security Violations 24-10 Default Port Security Configuration 24-11 Port Security Configuration Guidelines 24-11 Enabling and Configuring Po
Configuring LLDP-MED TLVs 26-6 Configuring Network-Policy TLV 26-7 Configuring Location TLV and Wired Location Service 26-9 Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service CHAPTER 27 Configuring UDLD 27-1 Understanding UDLD 27-1 Modes of Operation 27-1 Methods to Detect Unidirectional Links Configuring UDLD 27-3 Default UDLD Configuration 27-4 Configuration Guidelines 27-4 Enabling UDLD Globally 27-5 Enabling UDLD on an Interface 27-5 Resetting an Interface Disabled by
Configuring RSPAN 28-16 RSPAN Configuration Guidelines 28-16 Configuring a VLAN as an RSPAN VLAN 28-17 Creating an RSPAN Source Session 28-18 Creating an RSPAN Destination Session 28-19 Creating an RSPAN Destination Session and Configuring Incoming Traffic 28-20 Specifying VLANs to Filter 28-22 Displaying SPAN and RSPAN Status 28-23 CHAPTER 29 Configuring RMON 29-1 Understanding RMON 29-1 Configuring RMON 29-2 Default RMON Configuration 29-3 Configuring RMON Alarms and Events 29-3 Collect
CHAPTER 31 Configuring SNMP 31-1 Understanding SNMP 31-1 SNMP Versions 31-2 SNMP Manager Functions 31-3 SNMP Agent Functions 31-3 SNMP Community Strings 31-4 Using SNMP to Access MIB Variables 31-4 SNMP Notifications 31-5 SNMP ifIndex MIB Object Values 31-5 Configuring SNMP 31-6 Default SNMP Configuration 31-6 SNMP Configuration Guidelines 31-6 Disabling the SNMP Agent 31-7 Configuring Community Strings 31-8 Configuring SNMP Groups and Users 31-9 Configuring SNMP Notifications 31-11 Setting th
Handling Fragmented and Unfragmented Traffic 33-5 Configuring IPv4 ACLs 33-6 Creating Standard and Extended IPv4 ACLs 33-7 Access List Numbers 33-8 ACL Logging 33-8 Creating a Numbered Standard ACL 33-9 Creating a Numbered Extended ACL 33-10 Resequencing ACEs in an ACL 33-14 Creating Named Standard and Extended ACLs 33-14 Using Time Ranges with ACLs 33-16 Including Comments in ACLs 33-18 Applying an IPv4 ACL to a Terminal Line 33-18 Applying an IPv4 ACL to an Interface 33-19 Hardware and Softwar
ACLs and Routed Packets 33-39 ACLs and Multicast Packets 33-40 Displaying IPv4 ACL Configuration 33-40 CHAPTER 34 Configuring QoS 34-1 Understanding QoS 34-2 Basic QoS Model 34-3 Classification 34-5 Classification Based on QoS ACLs 34-7 Classification Based on Class Maps and Policy Maps Policing and Marking 34-8 Policing on Physical Ports 34-9 Policing on SVIs 34-10 Mapping Tables 34-12 Queueing and Scheduling Overview 34-13 Weighted Tail Drop 34-13 SRR Shaping and Sharing 34-14 Queueing and
Enabling VLAN-Based QoS on Physical Ports 34-35 Configuring Classification Using Port Trust States 34-36 Configuring the Trust State on Ports within the QoS Domain 34-36 Configuring the CoS Value for an Interface 34-38 Configuring a Trusted Boundary to Ensure Port Security 34-38 Enabling DSCP Transparency Mode 34-40 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain 34-40 Configuring a QoS Policy 34-42 Classifying Traffic by Using ACLs 34-43 Classifying Traffic by Using Class
PAgP Modes 35-4 PAgP Interaction with Virtual Switches and Dual-Active Detection 35-5 PAgP Interaction with Other Features 35-5 Link Aggregation Control Protocol 35-5 LACP Modes 35-6 LACP Interaction with Other Features 35-6 EtherChannel On Mode 35-6 Load Balancing and Forwarding Methods 35-7 Configuring EtherChannels 35-8 Default EtherChannel Configuration 35-9 EtherChannel Configuration Guidelines 35-9 Configuring Layer 2 EtherChannels 35-10 Configuring Layer 3 EtherChannels 35-13 Creating Por
Configuring Address Resolution Methods 36-8 Define a Static ARP Cache 36-9 Set ARP Encapsulation 36-9 Enable Proxy ARP 36-10 Routing Assistance When IP Routing is Disabled 36-10 Proxy ARP 36-11 Default Gateway 36-11 ICMP Router Discovery Protocol (IRDP) 36-11 Configuring Broadcast Packet Handling 36-13 Enabling Directed Broadcast-to-Physical Broadcast Translation Forwarding UDP Broadcast Packets and Protocols 36-14 Establishing an IP Broadcast Address 36-15 Flooding IP Broadcasts 36-16 Monitoring
Configuring BGP 36-40 Default BGP Configuration 36-43 Nonstop Forwarding Awareness 36-45 Enabling BGP Routing 36-45 Managing Routing Policy Changes 36-47 Configuring BGP Decision Attributes 36-49 Configuring BGP Filtering with Route Maps 36-51 Configuring BGP Filtering by Neighbor 36-51 Configuring Prefix Lists for BGP Filtering 36-53 Configuring BGP Community Filtering 36-54 Configuring BGP Neighbors and Peer Groups 36-55 Configuring Aggregate Addresses 36-57 Configuring Routing Domain Confederat
Configuring a VPN Routing Session 36-80 Configuring BGP PE to CE Routing Sessions 36-81 Multi-VRF CE Configuration Example 36-82 Displaying Multi-VRF CE Status 36-86 Configuring Protocol-Independent Features 36-86 Configuring Cisco Express Forwarding 36-86 Configuring the Number of Equal-Cost Routing Paths 36-88 Configuring Static Unicast Routes 36-88 Specifying Default Routes and Networks 36-89 Using Route Maps to Redistribute Routing Information 36-90 Configuring Policy-Based Routing 36-94 PBR C
SNMP and Syslog Over IPv6 37-7 HTTP(S) Over IPv6 37-8 Unsupported IPv6 Unicast Routing Features 37-8 Limitations 37-8 Configuring IPv6 37-9 Default IPv6 Configuration 37-10 Configuring IPv6 Addressing and Enabling IPv6 Routing 37-10 Configuring Default Router Preference 37-12 Configuring IPv4 and IPv6 Protocol Stacks 37-13 Configuring DHCP for IPv6 Address Assignment 37-14 Default DHCPv6 Address Assignment Configuration 37-14 DHCPv6 Address Assignment Configuration Guidelines 37-14 Enabling DHCP
Configuring a Multicast Router Port 38-8 Enabling MLD Immediate Leave 38-8 Configuring MLD Snooping Queries 38-9 Disabling MLD Listener Message Suppression 38-10 Displaying MLD Snooping Information 38-11 CHAPTER 39 Configuring IPv6 ACLs 39-1 Understanding IPv6 ACLs 39-2 Supported ACL Features 39-2 IPv6 ACL Limitations 39-3 Configuring IPv6 ACLs 39-3 Default IPv6 ACL Configuration 39-4 Interaction with Other Features 39-4 Creating IPv6 ACLs 39-4 Applying an IPv6 ACL to an Interface 39-8 Disp
IP SLAs Operation Scheduling 41-5 IP SLAs Operation Threshold Monitoring 41-5 Configuring IP SLAs Operations 41-6 Default Configuration 41-6 Configuration Guidelines 41-6 Configuring the IP SLAs Responder 41-8 Analyzing IP Service Levels by Using the UDP Jitter Operation 41-8 Analyzing IP Service Levels by Using the ICMP Echo Operation 41-11 Monitoring IP SLAs Operations 41-13 CHAPTER 42 Configuring Enhanced Object Tracking 42-1 Understanding Enhanced Object Tracking 42-1 Configuring Enh
Configuring WCCP 43-5 Default WCCP Configuration 43-5 WCCP Configuration Guidelines 43-5 Enabling the Web Cache Service 43-6 Monitoring and Maintaining WCCP 43-9 CHAPTER 44 Configuring IP Multicast Routing 44-1 Understanding Cisco’s Implementation of IP Multicast Routing Understanding IGMP 44-3 IGMP Version 1 44-3 IGMP Version 2 44-3 Understanding PIM 44-4 PIM Versions 44-4 PIM Modes 44-4 PIM Stub Routing 44-5 IGMP Helper 44-6 Auto-RP 44-6 Bootstrap Router 44-7 Multicast Forwarding and Rever
Configuring SSM Mapping 44-19 Monitoring SSM Mapping 44-21 Configuring PIM Stub Routing 44-22 PIM Stub Routing Configuration Guidelines 44-22 Enabling PIM Stub Routing 44-22 Configuring a Rendezvous Point 44-23 Manually Assigning an RP to Multicast Groups 44-23 Configuring Auto-RP 44-25 Configuring PIMv2 BSR 44-29 Using Auto-RP and a BSR 44-33 Monitoring the RP Mapping Information 44-33 Troubleshooting PIMv1 and PIMv2 Interoperability Problems 44-34 Configuring Advanced PIM Features 44-34 Unders
Controlling Route Exchanges 44-55 Limiting the Number of DVMRP Routes Advertised 44-56 Changing the DVMRP Route Threshold 44-56 Configuring a DVMRP Summary Address 44-57 Disabling DVMRP Autosummarization 44-59 Adding a Metric Offset to the DVMRP Route 44-59 Monitoring and Maintaining IP Multicast Routing 44-60 Clearing Caches, Tables, and Databases 44-60 Displaying System and Network Statistics 44-61 Monitoring IP Multicast Routing 44-62 CHAPTER 45 Configuring MSDP 45-1 Understanding MSDP 45-
Adjusting Spanning-Tree Parameters 46-5 Changing the VLAN-Bridge Spanning-Tree Priority 46-5 Changing the Interface Priority 46-6 Assigning a Path Cost 46-6 Adjusting BPDU Intervals 46-7 Disabling the Spanning Tree on an Interface 46-9 Monitoring and Maintaining Fallback Bridging 46-10 CHAPTER 47 Troubleshooting 47-1 Recovering from a Software Failure 47-2 Recovering from a Lost or Forgotten Password 47-3 Procedure with Password Recovery Enabled 47-4 Procedure with Password Recovery Disabl
Using Debug Commands 47-19 Enabling Debugging on a Specific Feature 47-19 Enabling All-System Diagnostics 47-20 Redirecting Debug and Error Message Output 47-20 Using the show platform forward Command 47-20 Using the crashinfo Files 47-23 Basic crashinfo Files 47-23 Extended crashinfo Files 47-23 Troubleshooting Tables 47-24 Troubleshooting CPU Utilization 47-24 Possible Symptoms of High CPU Utilization 47-24 Verifying the Problem and Cause 47-24 Troubleshooting Power over Ethernet (PoE) 47-26 T
Creating, Displaying, and Extracting tar Files B-6 Creating a tar File B-6 Displaying the Contents of a tar File B-7 Extracting a tar File B-7 Displaying the Contents of a File B-8 Working with Configuration Files B-8 Guidelines for Creating and Using Configuration Files B-9 Configuration File Types and Location B-10 Creating a Configuration File By Using a Text Editor B-10 Copying Configuration Files By Using TFTP B-10 Preparing to Download or Upload a Configuration File By Using TFTP B-10 Dow
Copying Image Files By Using RCP B-32 Preparing to Download or Upload an Image File By Using RCP Downloading an Image File By Using RCP B-34 Uploading an Image File By Using RCP B-36 APPENDIX C Unsupported Commands in Cisco IOS Release 12.
IP Multicast Routing C-7 Unsupported Privileged EXEC Commands C-7 Unsupported Global Configuration Commands C-8 Unsupported Interface Configuration Commands C-8 IP SLA C-8 Unsupported MPLS Health Monitor Commands C-8 Unsupported Ethernet Gatekeeper Registration Commands C-8 Unsupported VoIP Call Setup Probe Commands C-8 IP Unicast Routing C-9 Unsupported Privileged EXEC or User EXEC Commands C-9 Unsupported Global Configuration Commands C-9 Unsupported Interface Configuration Commands C-10 Unsup
NetFlow Commands C-15 Unsupported Global Configuration Commands C-15 Network Address Translation (NAT) Commands C-15 Unsupported Privileged EXEC Commands C-15 QoS C-16 Unsupported Global Configuration Command C-16 Unsupported Interface Configuration Commands C-16 Unsupported Policy-Map Configuration Command C-16 RADIUS C-16 Unsupported Global Configuration Commands C-16 SNMP C-16 Unsupported Global Configuration Commands C-16 SNMPv3 C-17 Unsupported 3DES Encryption Commands C-17 Spanning
Contents Catalyst 3560 Switch Software Configuration Guide xlvi OL-8553-06
Preface Audience This guide is for the networking professional managing the Catalyst 3560 switch, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
Conventions This publication uses these conventions to convey instructions and information: Command descriptions use these conventions: • Commands and keywords are in boldface text. • Arguments for which you supply values are in italic. • Square brackets ([ ]) mean optional elements. • Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements. • Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.
• For cluster requirements, see the Release Notes for Cisco Network Assistant (not orderable but available on Cisco.com). • For upgrading information, see the “Downloading Software” section in the release notes.
CHAPTER 1 Overview This chapter provides these topics about the Catalyst 3560 switch software: • Features, page 1-1 • Default Settings After Initial Switch Configuration, page 1-14 • Network Configuration Examples, page 1-17 • Where to Go Next, page 1-23 In this document, IP refers to IP Version 4 (IPv4) unless there is a specific reference to IP Version 6 (IPv6).
For more information on IPv6 ACLs, see Chapter 39, “Configuring IPv6 ACLs.” Some features described in this chapter are available only on the cryptographic (supports encryption) versions of the IP base and IP services software images. You must obtain authorization to use these features and to download the cryptographic version of the software from Cisco.com. For more information, see the release notes for this release.
– Applying actions to multiple ports and multiple switches at the same time, such as VLAN and QoS settings, inventory and statistic reports, link- and switch-level monitoring and troubleshooting, and multiple switch software upgrades. – Viewing a topology of interconnected devices to identify existing switch clusters and eligible switches that can join a cluster and to identify link information between switches.
• Port blocking on forwarding unknown Layer 2 unicast, multicast, and bridged broadcast traffic • Cisco Group Management Protocol (CGMP) server support and Internet Group Management Protocol (IGMP) snooping for IGMP Versions 1, 2, and 3: – (For CGMP devices) CGMP for limiting multicast traffic to specified end stations and reducing overall network traffic – (For IGMP devices) IGMP snooping for forwarding multimedia and multicast traffic • IGMP report suppression f
• CLI—The Cisco IOS software supports desktop- and multilayer-switching features. You can access the CLI either by connecting your management station directly to the switch console port or by using Telnet from a remote management station. For more information about the CLI, see Chapter 2, “Using the Command-Line Interface.” • SNMP—SNMP management applications such as CiscoWorks2000 LAN Management Suite (LMS) and HP OpenView.
• Support for the SSM PIM protocol to optimize multicast applications, such as video • Source Specific Multicast (SSM) mapping for multicast applications provides a mapping of source to group, allowing listeners to connect to multicast sources dynamically and reducing dependencies on the application • Support for Enhanced Interior Gateway Routing Protocol (EIGRP) IPv6 to utilize IPv6 transport, communicate with IPv6 peers, and advertise IPv6 routes • Support for these IP
Availability and Redundancy Features • HSRP for command switch and Layer 3 router redundancy • Enhanced object tracking, which separates the tracking mechanism from HSRP and creates a separate, standalone tracking process that can be used by processes other than HSRP • UniDirectional Link Detection (UDLD) and aggressive UDLD for detecting and disabling unidirectional links on fiber-optic interfaces caused by incorrect fiber-optic wiring or port faults • IEEE 802.
• Inter-Switch Link (ISL) and IEEE 802.1Q trunking encapsulation on all ports for network moves, adds, and changes; management and control of broadcast and multicast traffic; and network security by establishing VLAN groups for high-security users and network resources • Dynamic Trunking Protocol (DTP) for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation (IEEE 802.
• Standard and extended IP access control lists (ACLs) for defining security policies in both directions on routed interfaces (router ACLs) and VLANs and inbound on Layer 2 interfaces (port ACLs) • Extended MAC access control lists for defining security policies in the inbound direction on Layer 2 interfaces • VLAN ACLs (VLAN maps) for providing intra-VLAN security by filtering traffic based on information in the MAC, IP, and TCP/UDP headers • Source and destination MAC-
– Network Edge Access Topology (NEAT) with 802.1X switch supplicant, host authorization with CISP, and auto enablement to authenticate a switch outside a wiring closet as a supplicant to another switch. – IEEE 802.1x with open access to allow a host to access the network before being authenticated. – IEEE 802.1x authentication with downloadable ACLs and redirect URLs to allow per-user ACL downloads from a Cisco Secure ACS server to an authenticated switch.
QoS and CoS Features • Automatic QoS (auto-QoS) to simplify the deployment of existing QoS features by classifying traffic and configuring egress queues • Automatic quality of service (QoS) Voice over IP (VoIP) enhancement for port-based trust of DSCP and priority queuing for egress traffic • Classification – IP type-of-service/Differentiated Services Code Point (IP ToS/DSCP) and IEEE 802.
Layer 3 Features These are the Layer 3 features: Note Some features noted in this section are available only on the IP services image.
• Nonstop forwarding (NSF) awareness to enable the Layer 3 switch to continue forwarding packets from an NSF-capable neighboring router when the primary route processor (RP) is failing and the backup RP is taking over, or when the primary RP is manually reloaded for a nondisruptive software upgrade (requires the IP services image) • The ability to exclude a port in a VLAN from the SVI line-state up or down calculation • Intermediate System-to-Intermediate System (IS-IS) ro
• Time Domain Reflector (TDR) to diagnose and resolve cabling problems on 10/100/1000 copper Ethernet ports • SFP module diagnostic management interface to monitor physical or operational status of an SFP module • Generic online diagnostics to test hardware functionality of the supervisor engine, modules, and switch while the switch is connected to a live network. • Enhanced object tracking for HSRP. Default Settings After Initial Switch Configuration
• IEEE 802.1x is disabled. For more information, see Chapter 10, “Configuring IEEE 802.1x Port-Based Authentication.” • Port parameters – Operating mode is Layer 2 (switchport). For more information, see Chapter 11, “Configuring Interface Characteristics.” – Interface speed and duplex mode is autonegotiate. For more information, see Chapter 11, “Configuring Interface Characteristics.” – Auto-MDIX is enabled.
• The IGMP snooping querier feature is disabled. For more information, see Chapter 23, “Configuring IGMP Snooping and MVR.” • MVR is disabled. For more information, see Chapter 23, “Configuring IGMP Snooping and MVR.” • Port-based traffic – Broadcast, multicast, and unicast storm control is disabled. For more information, see Chapter 24, “Configuring Port-Based Traffic Control.” – No protected ports are defined.
Network Configuration Examples This section provides network configuration concepts and includes examples of using the switch to create dedicated network segments and to interconnect the segments through Fast Ethernet and Gigabit Ethernet connections.
Table 1-2 Providing Network Services. Network Demands: Efficient bandwidth usage for multimedia applications and guaranteed bandwidth for critical applications. Suggested Design Methods: • Use IGMP snooping to efficiently forward multimedia and multicast traffic.
Figure 1-1 High-Performance Workgroup (Gigabit-to-the-Desktop) [figure: Catalyst 3750 switches, access-layer Catalyst switches, WAN, Cisco 2600 router] • Server aggregation (Figure 1-2)—You can use the switches to interconnect groups of servers, centralizing physical security and administration of your network.
Figure 1-2 Server Aggregation [figure: campus core, Catalyst 6500 switches, Catalyst 3750 StackWise switch stacks, server racks, access-layer Catalyst switches] Small to Medium-Sized Network Using Catalyst 3560 Switches Figure 1-3 shows a configuration for a network of up to 500 employees. This network uses Catalyst 3560 Layer 3 switches with high-speed connections to two routers.
Catalyst PoE switch ports automatically detect any Cisco pre-standard and IEEE 802.3af-compliant powered devices that are connected. Each PoE switch port provides 15.4 W of power per port. The powered device, such as a Cisco IP Phone, can receive redundant power when it is also connected to an AC power source. Powered devices not connected to Catalyst PoE switches must be connected to AC power sources to receive power.
per-user basis. The switch ports are configured as either trusted or untrusted. You can configure a trusted port to trust the CoS value, the DSCP value, or the IP precedence. If you configure the port as untrusted, you can use an ACL to mark the frame in accordance with the network policy. Each switch provides inter-VLAN routing.
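The trust-state choice described above, written out as an added configuration example for the Catalyst 3560 (this is not a fragment from the guide itself): one port trusts the DSCP marked by an attached Cisco IP phone, the other stays untrusted and has its frames marked by an ACL-based policy. The interface names, the ACL name, the class and policy names and the DSCP values are constructed for illustration; the commands assume the switch QoS command set (mls qos) that Chapter 34 of this guide covers.

```text
! Added example, not from the Catalyst 3560 guide. Interface names, the ACL,
! class-map and policy-map names and the DSCP values are constructed.
!
! QoS must be enabled globally. Until it is, the switch passes DSCP and CoS
! through unmodified, so no port is really "untrusted" yet.
mls qos
!
! Trusted port: keep the DSCP the attached device marked, but only while a
! Cisco phone is detected (trusted boundary). If a PC is plugged in instead,
! the port falls back to untrusted and incoming DSCP is rewritten to 0.
interface GigabitEthernet0/1
 switchport mode access
 mls qos trust dscp
 mls qos trust device cisco-phone
!
! Untrusted port (the default once mls qos is on): the host's own marking is
! ignored. Frames matching the constructed RTP port range are marked DSCP 46;
! everything else keeps the untrusted-port result, DSCP 0, so an end station
! cannot promote its traffic into the priority queue on its own.
ip access-list extended EXAMPLE-RTP
 permit udp any any range 16384 32767
!
class-map match-all EXAMPLE-VOICE
 match access-group name EXAMPLE-RTP
!
policy-map EXAMPLE-UNTRUSTED-EDGE
 class EXAMPLE-VOICE
  set dscp 46
!
interface GigabitEthernet0/2
 switchport mode access
 service-policy input EXAMPLE-UNTRUSTED-EDGE
```

The check worth making after applying a configuration like this is show mls qos interface on each port: a port whose trust state reads "not trusted" while mls qos is enabled is the one whose incoming markings are being rewritten, which is the intended state for any port that is not a trusted boundary.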
Long-Distance, High-Bandwidth Transport Configuration
Figure 1-5 shows a configuration for sending 8 Gigabits of data over a single fiber-optic cable. The Catalyst 3560 switches have coarse wavelength-division multiplexing (CWDM) fiber-optic SFP modules installed. Depending on the CWDM SFP module, data is sent at wavelengths from 1470 to 1610 nm. The higher the wavelength, the farther the transmission can travel.
Catalyst 3560 Switch Software Configuration Guide 1-24 OL-8553-06
CHAPTER 2 Using the Command-Line Interface
This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Catalyst 3560 switch.
Understanding Command Modes
Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the hostname Switch.
Table 2-1 Command Mode Summary
Mode: User EXEC
Access Method: Begin a session with your switch.
Prompt: Switch>
Exit Method: Enter logout or quit.
About This Mode: Use this mode to
• Change terminal settings.
• Perform basic tests.
Table 2-1 Command Mode Summary (continued)
Mode: Interface configuration
Access Method: While in global configuration mode, enter the interface command (with a specific interface).
Prompt: Switch(config-if)#
Exit Method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About This Mode: Use this mode to configure parameters for the Ethernet ports.
Table 2-2 Help Summary (continued)
Command             Purpose
?                   List all commands available for a particular command mode. For example: Switch> ?
command ?           List the associated keywords for a command. For example: Switch> show ?
command keyword ?   List the associated arguments for a keyword.
Understanding CLI Error Messages
Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch.
Table 2-3 Common CLI Error Messages
Error Message                      Meaning                                                                          How to Get Help
% Ambiguous command: "show con"    You did not enter enough characters for your switch to recognize the command.
Using Command History
The software provides a history or record of commands that you have entered. The command history feature is particularly useful for recalling long or complex commands or entries, including access lists.
Disabling the Command History Feature
The command history feature is automatically enabled. You can disable it for the current terminal session or for the command line. These procedures are optional. To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command.
Table 2-5 Editing Commands through Keystrokes (continued)
Keystroke                                      Purpose
Press Ctrl-F, or press the right arrow key.    Move the cursor forward one character.
Press Ctrl-A.                                  Move the cursor to the beginning of the command line.
Press Ctrl-E.                                  Move the cursor to the end of the command line.
Press Esc B.                                   Move the cursor back one word.
Press Esc F.                                   Move the cursor forward one word.
Press Ctrl-T.
Table 2-5 Editing Commands through Keystrokes (continued)
Capability: Scroll down a line or screen on displays that are longer than the terminal screen can display.
Keystroke                  Purpose
Press the Return key.      Scroll down one line.
Press the Space bar.       Scroll down one screen.
Capability: Redisplay the current command line.
Keystroke: Press Ctrl-L or Ctrl-R.
Searching and Filtering Output of show and more Commands
You can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see. Using these commands is optional.
CHAPTER 3 Assigning the Switch IP Address and Default Gateway
This chapter describes how to create the initial switch configuration (for example, assigning the IP address and default gateway information) for the Catalyst 3560 switch by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration.
The normal boot process involves the operation of the boot loader software, which performs these activities:
• Performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, its quantity, its speed, and so forth.
• Performs power-on self-test (POST) for the CPU subsystem.
Note If you are using DHCP, do not respond to any of the questions in the setup program until the switch receives the dynamically assigned IP address and reads the configuration file.
If you are an experienced user familiar with the switch configuration steps, manually configure the switch. Otherwise, use the setup program described previously.
DHCP-based autoconfiguration replaces the BOOTP client functionality on your switch.
DHCP Client Request Process
When you boot up your switch, the DHCP client is invoked and requests configuration information from a DHCP server when the configuration file is not present on the switch.
Understanding DHCP-based Autoconfiguration and Image Update
You can use the DHCP image upgrade features to configure a DHCP server to download both a new image and a new configuration file to one or more switches in a network. This helps ensure that each new switch added to a network receives the same image and configuration.
Note The configuration file that is downloaded from TFTP is merged with the existing configuration in the running configuration but is not saved in the NVRAM unless you enter the write memory or copy running-configuration startup-configuration privileged EXEC command. Note that if the downloaded configuration is saved to the startup configuration, the feature is not triggered during subsequent system restarts.
If you do not configure the DHCP server with the lease options described previously, it replies to client requests with only those parameters that are configured. If the IP address and the subnet mask are not in the reply, the switch is not configured. If the router IP address or the TFTP server name is not found, the switch might send broadcast, instead of unicast, TFTP requests.
Configuring the Relay Device
You must configure a relay device, also referred to as a relay agent, when a switch sends broadcast packets that require a response from a host on a different LAN. Examples of broadcast packets that the switch might send are DHCP, DNS, and in some cases, TFTP packets. You must configure this relay device to forward received broadcast packets on an interface to the destination host.
• The IP address and the configuration filename are reserved for the switch, but the TFTP server address is not provided in the DHCP reply (one-file read method). The switch receives its IP address, subnet mask, and the configuration filename from the DHCP server.
Table 3-2 DHCP Server Configuration
                                Switch A         Switch B         Switch C         Switch D
Binding key (hardware address)  00e0.9f1e.2001   00e0.9f1e.2002   00e0.9f1e.2003   00e0.9f1e.2004
IP address                      10.0.0.21        10.0.0.22        10.0.0.23        10.0.0.24
Subnet mask                     255.255.255.0    255.255.255.0    255.255.255.0    255.255.255.0
Router address                  10.0.0.10        10.0.0.10        10.0.0.10        10.0.0.10
DNS server address              10.0.0.2         10.0.0.2         10.0.0.2         10.0.
Configuring the DHCP Auto Configuration and Image Update Features
Using DHCP to download a new image and a new configuration to a switch requires that you configure at least two switches: One switch acts as a DHCP and TFTP server. The client switch is configured to download either a new configuration file or a new configuration file and a new image file.
Configuring DHCP Auto-Image Update (Configuration File and Image)
Beginning in privileged EXEC mode, follow these steps to configure DHCP autoconfiguration to configure TFTP and DHCP settings on a new switch to download a new image and a new configuration file.
Note Before following the steps in this table, you must create a text file (for example, autoinstall_dhcp) that will be uploaded to the switch.
Switch(dhcp-config)# exit
Switch(config)# tftp-server flash:config-boot.text
Switch(config)# tftp-server flash:c3560-ipservices-mz.122-44.3.SE.tar
Switch(config)# tftp-server flash:boot-config.text
Switch(config)# tftp-server flash: autoinstall_dhcp
Switch(config)# interface gigabitethernet0/4
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.10.10.1 255.255.255.
Note You should only configure and enable the Layer 3 interface. Do not assign an IP address or DHCP-based autoconfiguration with a saved configuration.
Checking and Saving the Running Configuration
You can check the configuration settings that you entered or changes that you made by entering this privileged EXEC command:
Switch# show running-config
Building configuration...
Current configuration: 1363 bytes
!
version 12.
Modifying the Startup Configuration
These sections describe how to modify the switch startup configuration:
• Default Boot Configuration, page 3-16
• Automatically Downloading a Configuration File, page 3-16
• Booting Manually, page 3-17
• Booting a Specific Software Image, page 3-18
• Controlling Environment Variables, page 3-18
See also Appendix B, “Working with the Cisco IOS File System, Configu
Beginning in privileged EXEC mode, follow these steps to specify a different configuration filename:
        Command                           Purpose
Step 1  configure terminal                Enter global configuration mode.
Step 2  boot config-file flash:/file-url  Specify the configuration file to load during the next boot-up cycle. For file-url, specify the path (directory) and the configuration filename.
Booting a Specific Software Image
By default, the switch attempts to automatically boot up the system using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system.
Environment variables store two kinds of data:
• Data that controls code that does not read the Cisco IOS configuration file. For example, the name of a boot loader helper file, which extends or patches the functionality of the boot loader, can be stored as an environment variable.
• Data that controls code that is responsible for reading the Cisco IOS configuration file.
Scheduling a Reload of the Software Image
You can schedule a reload of the software image to occur on the switch at a later time (for example, late at night or during the weekend when the switch is used less), or you can synchronize a reload network-wide (for example, to perform a software upgrade on all switches in the network).
Note A scheduled reload must take place within approximately 24 days.
Proceed with reload? [confirm]
To cancel a previously scheduled reload, use the reload cancel privileged EXEC command.
Displaying Scheduled Reload Information
To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch, use the show reload privileged EXEC command.
CHAPTER 4 Configuring Cisco EnergyWise
The Catalyst 3560 switch command reference has command syntax and usage information.
• Managing Single Entities, page 4-1
• Managing Multiple Entities, page 4-12
• Troubleshooting EnergyWise, page 4-16
• Additional Information, page 4-18
For more information about EnergyWise, go to http://www.cisco.com/en/US/products/ps10195/tsd_products_support_series_home.html.
EnergyWise uses a distributed model to manage energy usage.
• Switches are grouped in an EnergyWise domain and become domain entities. They receive messages from and send them to other domain entities.
• An entity in the EnergyWise domain responds to queries.
• An entity participating in EnergyWise controls the power usage of connected PoE devices, such as an IP phone, an IP camera, or a PoE-enabled device.
Figure 4-1 Typical Network (legend: 1 Entity managing power usage, 2 Domain, 3 Entities)
Single PoE Switch Scenario
Managing the power usage when
• A PoE entity powers on or off the connected entities.
Figure 4-2 Single PoE Switch Example (legend: 1 Entity managing power usage, 2 Domain, 3 Entities)
EnergyWise Power Level
The EnergyWise power level is for both a PoE port and a switch. The range is from 0 to 10. The default power level is 10.
EnergyWise Importance
Set the EnergyWise importance value on a PoE port or a switch to rank domain entities. The range is from 1 to 100. The default importance value is 1.
EnergyWise Names, Roles, and Keywords
Set an EnergyWise-specific entity name to identify the domain entity.
• For a PoE port, the default is a short version of the port name; for example, Gi0.2 for Gigabit Ethernet 0/2.
• For a switch, the default is the hostname.
Manually Managing Power
• Powering the Entity, page 4-6
• Configuring Entity Attributes, page 4-7
• Powering the PoE Port, page 4-8
• Configuring PoE-Port Attributes, page 4-8
Powering the Entity
Beginning in privileged EXEC mode:
        Command              Purpose
Step 1  show energywise      (Optional) Verify that EnergyWise is disabled.
Step 2  configure terminal   Enter global configuration mode.
Configuring Entity Attributes
Beginning in privileged EXEC mode:
        Command                              Purpose
Step 1  show energywise                      (Optional) Verify that EnergyWise is enabled.
Step 2  configure terminal                   Enter global configuration mode.
Step 3  energywise importance importance     (Optional) Set the importance of the entity. The range is from 1 to 100. The default is 1.
Step 4  energywise keywords word,word,...
         Command                              Purpose
Step 10  show energywise                      Verify your entries.
         show energywise domain
Step 11  copy running-config startup-config   (Optional) Save your entries in the configuration file.
Powering the PoE Port
Beginning in privileged EXEC mode:
        Command              Purpose
Step 1  configure terminal   Enter global configuration mode.
        Command                              Purpose
Step 4  energywise keywords word,word,...    (Optional) Assign at least one keyword for the port. When assigning multiple keywords, separate the keywords with commas, and do not use spaces between keywords.
        • You can enter alphanumeric characters and symbols such as #, (, %, !, or &.
        • Do not use an asterisk (*) or a blank space between the characters and symbols.
        By default, no keywords are defined.
        Command
Step 3  energywise domain domain-name secret [0 | 7] password [protocol udp port udp-port-number [interface interface-id | ip ip-address]]
        Purpose
        Enable EnergyWise on the entity, assign the entity to a domain with the specified domain-name, and set the password for secure communication among the entities in the domain.
        • (Optional) 0—Use an unencrypted password. This is the default.
        • (Optional) 7—Use a hidden password.
        Command
Step 6  energywise level 0 recurrence importance importance at minute hour day_of_month month day_of_week
        Purpose
        (Optional) Schedule the power-off recurrence.
        • importance importance—Set the importance of the port in the domain. The range is from 1 to 100. The default is 1.
        • minute—The range is from 0 to 59. Use * for the wildcard.
        • hour—The range is from 0 to 23. Use * for the wildcard.
Manually Managing Power
To power on the lab IP phones now:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# energywise domain cisco secret cisco protocol udp port 43440 ip 2.2.4.44
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# energywise importance 65
Switch(config-if)# energywise name labphone.5
Switch(config-if)# energywise role role.
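As an added example (not Cisco's code and not from this guide), a small Python audit that parses energywise domain lines according to the Step 3 syntax above and flags a secret that is stored unencrypted (secret 0, the default) or that merely repeats the domain name, as the session above does with domain cisco and secret cisco. The sample config, including the second domain line and its placeholder type-7 string, is constructed.

```python
"""Audit `energywise domain` lines in a Cisco IOS configuration.

Added example, not Cisco's code. Syntax follows the Step 3 table in this
chapter:
  energywise domain <name> secret [0 | 7] <password>
      [protocol udp port <udp-port> [interface <id> | ip <addr>]]
Assumption: when the 0/7 keyword is omitted, the password is stored as
type 0, which the guide describes as the unencrypted default.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class EnergyWiseDomain:
    domain: str
    secret_type: int            # 0 = unencrypted (default), 7 = hidden
    password: str
    udp_port: Optional[int] = None
    source_interface: Optional[str] = None
    source_ip: Optional[str] = None


def parse_energywise_domain(line: str) -> Optional[EnergyWiseDomain]:
    """Return the parsed command, or None if the line is not one."""
    tokens = line.strip().split()
    if tokens[:2] != ["energywise", "domain"] or len(tokens) < 5:
        return None
    if tokens[3] != "secret":
        return None
    i, secret_type = 4, 0
    # "secret 0 pw", "secret 7 hash" or "secret pw": treat 0/7 as the
    # type marker only when another token (the password) follows it.
    if tokens[i] in ("0", "7") and i + 1 < len(tokens):
        secret_type = int(tokens[i])
        i += 1
    d = EnergyWiseDomain(tokens[2], secret_type, tokens[i])
    rest = tokens[i + 1:]
    if rest[:3] == ["protocol", "udp", "port"] and len(rest) >= 4:
        d.udp_port = int(rest[3])
        tail = rest[4:]
        if tail[:1] == ["interface"] and len(tail) >= 2:
            d.source_interface = tail[1]
        elif tail[:1] == ["ip"] and len(tail) >= 2:
            d.source_ip = tail[1]
    return d


def audit_energywise_domain(d: EnergyWiseDomain) -> List[str]:
    """Findings a configuration reviewer would raise for one domain line."""
    findings = []
    if d.secret_type == 0:
        findings.append("secret stored unencrypted (type 0, the default)")
        if d.password.lower() == d.domain.lower():
            findings.append("secret is identical to the domain name")
        if len(d.password) < 8:
            findings.append("secret is shorter than 8 characters")
    else:
        # Type 7 hides the secret from casual viewing only; it is not
        # strong encryption, so the config file itself still needs protecting.
        findings.append("secret stored as type 7 (obfuscated, not encrypted)")
    return findings


def audit_config(config_text: str) -> Dict[str, List[str]]:
    """Map every energywise domain line in a config to its findings."""
    results: Dict[str, List[str]] = {}
    for raw in config_text.splitlines():
        parsed = parse_energywise_domain(raw)
        if parsed is not None:
            results[raw.strip()] = audit_energywise_domain(parsed)
    return results


# Constructed sample config. The first domain line repeats the guide's own
# example (domain "cisco", secret "cisco"); the second is made up, with a
# placeholder in place of a real type-7 string.
SAMPLE_CONFIG = """\
hostname Switch
!
energywise domain cisco secret cisco protocol udp port 43440 ip 2.2.4.44
!
energywise domain lab secret 7 TYPE7PLACEHOLDER protocol udp port 43440 interface gigabitethernet0/1
"""

if __name__ == "__main__":
    for cmd, findings in audit_config(SAMPLE_CONFIG).items():
        print(cmd)
        for finding in findings:
            print("  -", finding)
```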
Multiple PoE Switch Scenario
Figure 4-3 Multiple PoE Switches Example (legend: 1 Entity managing power usage, 2 Domain, 3 Entities)
EnergyWise Query
• Collect power usage information.
Use EnergyWise importance values to select entities in a query. For example, an office phone is less important than an emergency phone that should never be in sleep mode. Query results show entities, such as PoE ports, with importance values less than or equal to the specified value in the query. The entity sending a query to all domain entities receives the results.
        Command
Step 2  energywise query importance importance {keywords word,word,... | name name} set level level
        Purpose
        (Optional) Run a query to power on or power off the domain entities or PoE ports.
        Caution Use this query with care because it affects the entity on which you enter the command and other domain entities that match the query criteria.
        • importance importance—Filter the results based on the importance value.
Querying with Keywords
To show the power usage of IP phones with different names, different roles, and importance values less than or equal to 80, but all with the Admin keyword, run this query on Switch 1:
Switch# energywise query importance 80 keyword Admin collect usage
EnergyWise query, timeout is 3 seconds:
Host           Name          Usage
----           ----          -----
192.168.40.2   shipping.1    6.3 (W)
192.168.50.2   orders.1      10.3 (W)
Queried:  2  Responded:  2  Time:  0.
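An added Python example (not part of the guide) that parses this query output into per-entity records and checks that every queried entity actually responded, which is the first thing to look at when a query returns fewer results than expected. The two captures embedded in it are constructed to mirror the layout shown above; the second one has a third entity that matched the query but never replied.

```python
"""Parse `energywise query ... collect usage` output and flag silent entities.

Added example, not Cisco's code. The layout is modelled on the output
shown in this chapter: one "Host  Name  Usage" row per responding entity,
then a "Queried: N  Responded: M  Time: ..." summary line.
"""
import re
from typing import Dict, List, Tuple

ROW_RE = re.compile(
    r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>\S+)\s+"
    r"(?P<usage>\d+(?:\.\d+)?)\s*\(W\)$"
)
SUMMARY_RE = re.compile(
    r"Queried:\s*(?P<queried>\d+)\s+Responded:\s*(?P<responded>\d+)"
)


def parse_query_output(text: str) -> Tuple[List[Dict[str, object]], int, int]:
    """Return (rows, queried, responded) from a captured query."""
    rows: List[Dict[str, object]] = []
    queried = responded = 0
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"host": m["host"], "name": m["name"],
                         "usage_w": float(m["usage"])})
            continue
        s = SUMMARY_RE.search(line)
        if s:
            queried, responded = int(s["queried"]), int(s["responded"])
    return rows, queried, responded


def total_usage_w(rows: List[Dict[str, object]]) -> float:
    """Sum of reported usage, rounded to the 0.1 W the switch prints."""
    return round(sum(float(r["usage_w"]) for r in rows), 1)


def silent_entities(text: str) -> int:
    """Entities that were queried but did not answer within the timeout.

    A non-zero result is worth alerting on: a domain member that matched
    the query is unreachable or has dropped out of the domain (for example
    the disjointed-domain case described later in this chapter).
    Raises if the row count disagrees with the Responded counter, which
    would mean the capture is truncated or the format has changed.
    """
    rows, queried, responded = parse_query_output(text)
    if len(rows) != responded:
        raise ValueError(f"{len(rows)} rows but Responded: {responded}")
    return queried - responded


# Constructed captures. The first mirrors the query shown above; in the
# second a third entity matched the query but never replied.
FULL_RESPONSE = """\
Switch# energywise query importance 80 keyword Admin collect usage
EnergyWise query, timeout is 3 seconds:
Host           Name          Usage
----           ----          -----
192.168.40.2   shipping.1    6.3 (W)
192.168.50.2   orders.1      10.3 (W)
Queried:  2  Responded:  2  Time:  0.2 seconds
"""

PARTIAL_RESPONSE = """\
Switch# energywise query importance 80 keyword Admin collect usage
EnergyWise query, timeout is 3 seconds:
Host           Name          Usage
----           ----          -----
192.168.40.2   shipping.1    6.3 (W)
192.168.50.2   orders.1      10.3 (W)
Queried:  3  Responded:  2  Time:  3.0 seconds
"""

if __name__ == "__main__":
    rows, _, _ = parse_query_output(FULL_RESPONSE)
    print(f"{len(rows)} responders, {total_usage_w(rows)} W total")
    print("silent entities:", silent_entities(PARTIAL_RESPONSE))
```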
Using CLI Commands
Table 4-2 EnergyWise Commands
Command                                          Purpose
clear energywise neighbors (privileged EXEC)     Delete the EnergyWise neighbor tables on the entity. It immediately discovers the neighbors and recreates the table.
no energywise (interface configuration)          Disable EnergyWise on the PoE port.
no energywise domain (global configuration)      Disable EnergyWise on the entity.
Additional Information
• Managing Power in a LAN, page 4-18
• Managing Power with IP Routing, page 4-18
Managing Power in a LAN
Multiple switches connected in the same LAN and in the same EnergyWise domain.
Figure 4-5 EnergyWise with IP Routing (LAN 10: Switch 1 192.168.1.2, Switch 3 192.168.1.3, Router A 192.168.1.1/24; LAN 20: Router A 192.168.2.1/24, Switch 2 192.168.2.2)
On Switch 1, to prevent a disjointed domain, manually assign Switch 2 as a static neighbor or the reverse.
Switch(config)# energywise neighbor 192.168.2.2 43440
Switch 1 discovers Switch 3 as a neighbor because they are in the same LAN.
Note To prevent a disjointed domain, you can also configure a helper address on Router A with the ip helper-address address interface configuration command and specify that the router use UDP to forward broadcast packets with the ip forward-protocol udp [port] global configuration command.
CHAPTER 5 Configuring Cisco IOS Configuration Engine
This chapter describes how to configure the feature on the Catalyst 3560 switch.
Note For complete configuration information for the Cisco Configuration Engine, go to http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.html
For complete syntax and usage information for the commands used in this chapter, go to the Cisco IOS Network Management Command Reference, Release 12.4 at http://www.cisco.
Figure 5-1 Configuration Engine Architectural Overview
• Configuration Service, page 5-2
• Event Service, page 5-3
• What You Should Know About the CNS IDs and Device Hostnames, page 5-3
Configuration Service
The Configur
Event Service
The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine. The Event Service is a highly capable publish-and-subscribe communication method.
DeviceID
Each configured switch participating on the event bus has a unique DeviceID, which is analogous to the switch source address so that the switch can be targeted as a specific destination on the bus. All switches configured with the cns config partial global configuration command must access the event bus.
Understanding Cisco IOS Agents
The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent.
Incremental (Partial) Configuration
After the network is running, new services can be added by using the Cisco IOS agent. Incremental (partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation.
Table 5-1 Prerequisites for Enabling Automatic Configuration (continued)
Device                      Required Configuration
DHCP server                 • IP address assignment
                            • TFTP server IP address
                            • Path to bootstrap configuration file on the TFTP server
                            • Default gateway IP address
TFTP server                 • A bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate with
CNS Configuration Engine
Note
Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:
        Command              Purpose
Step 1  configure terminal   Enter global configuration mode.
Step 2  cns event {hostname | ip-address} [port-number] [backup] [failover-time seconds] [keepalive seconds retry-count] [reconnect time] [source ip-address]
        Enable the event agent, and enter the gateway parameters.
Enabling the Cisco IOS CNS Agent
After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands:
• The cns config initial global configuration command enables the Cisco IOS agent and initiates an initial configuration on the switch.
        Command
Step 7  discover {controller controller-type | dlci [subinterface subinterface-number] | interface [interface-type] | line line-type}
        Purpose
        Specify the interface parameters in the CNS connect profile.
        • For controller controller-type, enter the controller type.
        • For dlci, enter the active data-link connection identifiers (DLCIs).
         Command
Step 13  cns id interface num {dns-reverse | ipaddress | mac-address} [event] [image]
         or
         Purpose
         (Optional) Set the unique EventID or ConfigID used by the Configuration Engine.
         • For interface num, enter the type of interface, for example, ethernet, group-async, loopback, or virtual-template. This setting specifies from which interface the IP or MAC address should be retrieved to define the unique ID.
         Command
Step 14  cns config initial {hostname | ip-address} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check]
         Purpose
         Enable the Cisco IOS agent, and initiate an initial configuration.
         • For {hostname | ip-address}, enter the hostname or the IP address of the configuration server.
         • (Optional) For port-number, enter the port number of the configuration server.
This example shows how to configure an initial configuration on a remote switch when the switch IP address is known. The Configuration Engine IP address is 172.28.129.22.
Switch(config)# cns template connect template-dhcp
Switch(config-tmpl-conn)# cli ip address dhcp
Switch(config-tmpl-conn)# exit
Switch(config)# cns template connect ip-route
Switch(config-tmpl-conn)# cli ip route 0.0.0.0 0.0.0.
Displaying CNS Configuration
Table 5-2 Privileged EXEC show Commands
Command                        Purpose
show cns config connections    Displays the status of the CNS Cisco IOS agent connections.
show cns config outstanding    Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
show cns config stats          Displays statistics about the Cisco IOS agent.
CHAPTER 6 Clustering Switches
This chapter provides the concepts and procedures to create and manage Catalyst 3560 switch clusters. You can create and manage switch clusters by using Cisco Network Assistant (hereafter known as Network Assistant), the command-line interface (CLI), or SNMP. For complete procedures, see the online help. For the CLI cluster commands, see the switch command reference.
In a switch cluster, 1 switch must be the cluster command switch and up to 15 other switches can be cluster member switches. The total number of switches in a cluster cannot exceed 16 switches. The cluster command switch is the single point of access used to configure, manage, and monitor the cluster member switches. Cluster members can belong to only one cluster at a time.
Cluster Command Switch Characteristics
A cluster command switch must meet these requirements:
• It is running Cisco IOS Release 12.1(19)EA1 or later.
• It has an IP address.
• It has Cisco Discovery Protocol (CDP) version 2 enabled (the default).
• It is not a command or cluster member switch of another cluster.
• If a cluster standby group exists, it is connected to every standby cluster command switch through at least one common VLAN. The VLAN to each standby cluster command switch can be different.
• It is connected to the cluster command switch through at least one common VLAN.
Following these connectivity guidelines ensures automatic discovery of the switch cluster, cluster candidates, connected switch clusters, and neighboring edge devices:
• Discovery Through CDP Hops, page 6-5
• Discovery Through Non-CDP-Capable and Noncluster-Capable Devices, page 6-6
• Discovery Through Different VLANs, page 6-6
• Discovery Through Different Management VLANs, page 6-7
• Discovery Through Routed Ports, page 6-8
• Discovery o
Discovery Through Non-CDP-Capable and Noncluster-Capable Devices
If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
Figure 6-3 Discovery Through Different VLANs
Discovery Through Different Management VLANs
Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switches can discover and manage cluster member switches in different VLANs and different management VLANs.
Figure 6-4 Discovery Through Different Management VLANs with a Layer 3 Cluster Command Switch
Chapter 6 Clustering Switches Planning a Switch Cluster Figure 6-5 Discovery Through Routed Ports Command device VLAN 9 RP RP VLAN 62 VLAN 9 VLAN 62 VLAN 9 Member device 7 (management VLAN 62) 101324 VLAN 4 Discovery of Newly Installed Switches To join a cluster, the new, out-of-the-box switch must be connected to the cluster through one of its access ports. An access port (AP) carries the traffic of and belongs to only one VLAN.
HSRP and Standby Cluster Command Switches
The switch supports Hot Standby Router Protocol (HSRP) so that you can configure a group of standby cluster command switches.

manage the cluster, you must access the active cluster command switch through the virtual IP address, not through the command-switch IP address. This is in case the IP address of the active cluster command switch is different from the virtual IP address of the cluster standby group. If the active cluster command switch fails, the standby cluster command switch assumes ownership of the virtual IP address and becomes the active cluster command switch.

Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL cluster member switches must be connected to the cluster standby group through their management VLANs.

When the previously active cluster command switch resumes its active role, it receives a copy of the latest cluster configuration from the active cluster command switch, including members that were added while it was down. The active cluster command switch sends a copy of the cluster configuration to the cluster standby group.

IP Addresses
You must assign IP information to a cluster command switch.

If you change the member-switch password to be different from the command-switch password and save the change, the switch is not manageable by the cluster command switch until you change the member-switch password to match the command-switch password. Rebooting the member switch does not revert the password back to the command-switch password. We recommend that you do not change the member-switch password after it joins a cluster.

Using the CLI to Manage Switch Clusters
You can configure cluster member switches from the CLI by first logging into the cluster command switch. Enter the rcommand user EXEC command and the cluster member switch number to start a Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual.

Using SNMP to Manage Switch Clusters
cluster member switch. The cluster command switch uses this community string to control the forwarding of gets, sets, and get-next messages between the SNMP management station and the cluster member switches.
Note  When a cluster standby group is configured, the cluster command switch can change without your knowledge.
Chapter 7 Administering the Switch
This chapter describes how to perform one-time operations to administer the Catalyst 3560 switch.
Managing the System Time and Date
The system clock can provide time to these services:
• User show commands
• Logging and debugging messages
The system clock keeps track of time internally based on Universal Time Coordinated (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight saving time) so that the time appears correctly for the local time zone.

Figure 7-1 shows a typical network example using NTP. Switch A is the NTP master, with Switches B, C, and D configured in NTP server mode, in server association with Switch A. Switch E is configured as an NTP peer to the upstream and downstream switches, Switch B and Switch F.

These sections contain this configuration information:
• Default NTP Configuration, page 7-4
• Configuring NTP Authentication, page 7-4
• Configuring NTP Associations, page 7-5
• Configuring NTP Broadcast Service, page 7-6
• Configuring NTP Access Restrictions, page 7-8
• Configuring the Source IP Address for NTP Packets, page 7-10
• Displaying the NTP Configuration, page 7-11

Default NTP Configuration
Table 7-1 shows the

Step 3  ntp authentication-key number md5 value
        Define the authentication keys. By default, none are defined.
        • For number, specify a key number. The range is 1 to 4294967295.
        • md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5).
        • For value, enter an arbitrary string of up to eight characters for the key.
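The authenticator that an ntp authentication-key defines is shown in the added example below, which is not text or code from this guide: a receiver checks the 20-byte MAC (4-byte key ID followed by MD5 over key || 48-byte NTP header) that an authenticating peer appends, and rejects a key ID that is not in its trusted-key list, an undefined key, a modified header, or a packet with no authenticator at all. The key numbers, key strings and packet contents are constructed.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header, from LI/VN/mode through the transmit timestamp
MAC_LEN = 4 + 16      # key ID followed by the MD5 digest

# Constructed key table: the equivalent of "ntp authentication-key 42 md5 s3cret7".
# The value is at most eight characters, as Step 3 above requires.
KEYS = {42: b"s3cret7", 43: b"other77"}
# Constructed trusted-key list: the equivalent of "ntp trusted-key 42".
# Key 43 is defined but deliberately not trusted.
TRUSTED_KEY_IDS = {42}


def build_ntp_header(mode=3, version=3, transmit_ts=0):
    """Return a 48-byte NTP header; all fields but the transmit timestamp are zero."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    # stratum, poll, precision, root delay, root dispersion, reference ID,
    # reference / originate / receive / transmit timestamps
    return struct.pack("!BBBbIIIQQQQ", li_vn_mode, 0, 6, -20,
                       0, 0, 0, 0, 0, 0, transmit_ts)


def ntp_md5_mac(key_id, key, header):
    """Symmetric-key NTP MAC (RFC 5905): key ID, then MD5 over key || header."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("NTP header must be exactly 48 bytes")
    digest = hashlib.md5(key + header).digest()
    return struct.pack("!I", key_id) + digest


def sign_packet(key_id, key, header):
    """Append the MAC to a header, as an authenticating peer does."""
    return header + ntp_md5_mac(key_id, key, header)


def verify_packet(packet, keys=KEYS, trusted=TRUSTED_KEY_IDS):
    """Check a received packet. Returns (accepted, reason)."""
    if len(packet) < NTP_HEADER_LEN + MAC_LEN:
        return False, "no authenticator present"
    header = packet[:NTP_HEADER_LEN]
    mac = packet[NTP_HEADER_LEN:NTP_HEADER_LEN + MAC_LEN]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted:
        return False, "key %d is not a trusted key" % key_id
    key = keys.get(key_id)
    if key is None:
        return False, "key %d is not defined" % key_id
    expected = hashlib.md5(key + header).digest()
    # Constant-time comparison so timing does not reveal how much of the digest matched.
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch (modified packet or wrong key)"
    return True, "ok"


if __name__ == "__main__":
    hdr = build_ntp_header(transmit_ts=0xE5F2A1B3_00000000)
    good = sign_packet(42, KEYS[42], hdr)
    print(verify_packet(good))                              # (True, 'ok')
    print(verify_packet(sign_packet(43, KEYS[43], hdr)))    # key 43 is not a trusted key
    tampered = good[:40] + b"\xff" + good[41:]              # alter the transmit timestamp
    print(verify_packet(tampered))                          # digest mismatch
    print(verify_packet(hdr))                               # no authenticator present
```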
Beginning in privileged EXEC mode, follow these steps to form an NTP association with another device:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ntp peer ip-address [version number] [key keyid] [source interface] [prefer]
        Configure the switch system clock to synchronize a peer or to be synchronized by a peer (peer association).

The switch can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server, such as a router, broadcasting time information on the network. The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it. The switch can also receive NTP broadcast packets to synchronize its own clock.

Step 5  ntp broadcastdelay microseconds
        (Optional) Change the estimated round-trip delay between the switch and the NTP broadcast server. The default is 3000 microseconds; the range is 1 to 999999.
Step 6  end
        Return to privileged EXEC mode.
Step 7  show running-config
        Verify your entries.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Step 3  access-list access-list-number permit source [source-wildcard]
        Create the access list.
        • For access-list-number, enter the number specified in Step 2.
        • Enter the permit keyword to permit access if the conditions are matched.
        • For source, enter the IP address of the device that is permitted access to the switch.
        • (Optional) For source-wildcard, enter the wildcard bits to be applied to the source.
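How the standard access list from Step 3 decides which NTP sources are permitted is shown in the added example below, which is not part of this guide. It parses constructed access-list lines in the syntax the step describes (permit and deny, an optional wildcard, and the IOS host and any keywords) and evaluates them first match wins, ending with the implicit deny that blocks every source the list does not name; the list number and addresses are constructed.

```python
import ipaddress
import re

# Constructed standard access list in the syntax Step 3 describes. Such a list is
# applied to NTP with "ntp access-group peer 99" (that command is not shown on this
# page). Nothing that fails to match an entry is permitted: the implicit deny applies.
ACL_TEXT = """
access-list 99 deny   172.16.1.254
access-list 99 permit 172.16.1.0 0.0.0.255
access-list 99 permit host 10.0.0.5
"""

_LINE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?:(?P<any>any)|host\s+(?P<host>\S+)|(?P<src>\S+)(?:\s+(?P<wc>\S+))?)\s*$"
)


def parse_standard_acl(text, number):
    """Return the ordered (action, source, wildcard) entries of one list number as ints."""
    entries = []
    for raw in text.strip().splitlines():
        m = _LINE.match(raw.strip())
        if not m or int(m.group("num")) != number:
            continue
        if m.group("any"):
            src, wc = 0, 0xFFFFFFFF                    # any: no bit is checked
        elif m.group("host"):
            src, wc = int(ipaddress.IPv4Address(m.group("host"))), 0
        else:
            src = int(ipaddress.IPv4Address(m.group("src")))
            # A missing source-wildcard means 0.0.0.0: every bit must match.
            wc = int(ipaddress.IPv4Address(m.group("wc") or "0.0.0.0"))
        entries.append((m.group("action"), src, wc))
    return entries


def wildcard_match(addr, source, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (source & care)


def acl_permits(entries, address):
    """First matching entry decides; no match falls through to the implicit deny."""
    addr = int(ipaddress.IPv4Address(address))
    for action, src, wc in entries:
        if wildcard_match(addr, src, wc):
            return action == "permit"
    return False


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_TEXT, 99)
    for ip in ("172.16.1.7", "172.16.1.254", "10.0.0.5", "192.0.2.9"):
        print(ip, "permitted" if acl_permits(acl, ip) else "denied")
```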
Disabling NTP Services on a Specific Interface
NTP services are enabled on all interfaces by default. Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on an interface:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode, and specify the interface to disable.

Displaying the NTP Configuration
You can use two privileged EXEC commands to display NTP information:
• show ntp associations [detail]
• show ntp status
Note  For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.

Displaying the Time and Date Configuration
To display the time and date configuration, use the show clock [detail] privileged EXEC command. The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes.

Configuring Summer Time (Daylight Saving Time)
Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  clock summer-time zone recurring
        Configure summer time to start and end on the specified days every year.
Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):
Step 1  configure terminal
        Enter global configuration mode.
Step 2  clock summer-time zone date [month date year hh:mm month date year hh:mm]
        Configure summer time to start on the first date and end on the second date.

Configuring a System Name and Prompt
These sections contain this configuration information:
• Default System Name and Prompt Configuration, page 7-15
• Configuring a System Name, page 7-15
• Understanding DNS, page 7-15

Default System Name and Prompt Configuration
The default switch system name and prompt is Switch.

These sections contain this configuration information:
• Default DNS Configuration, page 7-16
• Setting Up DNS, page 7-16
• Displaying the DNS Configuration, page 7-17

Default DNS Configuration
Table 7-2 shows the default DNS configuration.

Table 7-2 Default DNS Configuration
Feature                  Default Setting
DNS enable state         Enabled.
DNS default domain name  None configured.
DNS servers              No name server addresses are configured.

Step 6  show running-config
        Verify your entries.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.

Creating a Banner
Configuring a Message-of-the-Day Login Banner
You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  banner motd c message c
        Specify the message of the day.

Beginning in privileged EXEC mode, follow these steps to configure a login banner:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  banner login c message c
        Specify the login message. For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text.
Managing the MAC Address Table
• Configuring MAC Address Notification Traps, page 7-22
• Adding and Removing Static Address Entries, page 7-24
• Configuring Unicast MAC Address Filtering, page 7-25
• Disabling MAC Address Learning on a VLAN, page 7-26
• Displaying Address Table Entries, page 7-27

Building the Address Table
With multiple MAC addresses supported on all ports, you can connect any port on the switch to individual workstations, repeaters, switches,

Default MAC Address Table Configuration
Table 7-3 shows the default MAC address table configuration.

Table 7-3 Default MAC Address Table Configuration
Feature            Default Setting
Aging time         300 seconds
Dynamic addresses  Automatically learned
Static addresses   None configured

Changing the Address Aging Time
Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use.

Removing Dynamic Address Entries
To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode.

Step 5  mac address-table notification [interval value] | [history-size value]
        Enter the trap interval time and the history table size.
        • (Optional) For interval value, specify the notification trap interval in seconds between each set of traps that are generated to the NMS. The range is 0 to 2147483647 seconds; the default is 1 second.

Adding and Removing Static Address Entries
A static address has these characteristics:
• It is manually entered in the address table and must be manually removed.
• It can be a unicast or multicast address.
• It does not age and is retained when the switch restarts.
You can add and remove static addresses and define the forwarding behavior for them.

This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded to the specified port:
Switch(config)# mac address-table static c2f3.220a.

Step 4  show mac address-table static
        Verify your entries.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To disable unicast MAC address filtering, use the no mac address-table static mac-addr vlan vlan-id global configuration command.

Beginning in privileged EXEC mode, follow these steps to disable MAC address learning on a VLAN:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  no mac address-table learning vlan vlan-id
        Disable MAC address learning on the specified VLAN or VLANs. You can specify a single VLAN ID or a range of VLAN IDs separated by a hyphen or comma. Valid VLAN IDs are 1 to 4094.

Managing the ARP Table
To communicate with a device (over Ethernet, for example), the software first must learn the 48-bit MAC address or the local data link address of that device. The process of learning the local data link address from an IP address is called address resolution. The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or MAC addresses and the VLAN ID.
Chapter 8 Configuring SDM Templates
This chapter describes how to configure the Switch Database Management (SDM) templates on the Catalyst 3560 switch.
Note  For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

Understanding the SDM Templates
Table 8-1 Approximate Number of Feature Resources Allowed by Each Template
Resource                          Access  Default  Routing  VLAN
Unicast MAC addresses             4K      6K       3K       12K
IGMP groups and multicast routes  1K      1K       1K       1K
Unicast routes                    6K      8K       11K      0
  • Directly connected hosts      4K      6K       3K       0
  • Indirect routes               2K      2K       8K       0
Policy-based routing ACEs         512     0        512      0
QoS classification ACEs           512     512      512      512
Security ACEs                     2K      1K       1K       1K

Configuring the Switch SDM Template
Table 8-2 Approximate Feature Resources Allowed by Dual IPv4-IPv6 Templates
Resource                               IPv4-and-IPv6 Default  IPv4-and-IPv6 Routing  IPv4-and-IPv6 VLAN
Unicast MAC addresses                  2K                     1536                   8K
IPv4 IGMP groups and multicast routes  1K                     1K                     1K
Total IPv4 unicast routes              3K                     2816                   0
  • Directly connected IPv4 hosts      2K                     1536                   0
  • Indirect IPv4 routes               1K                     1280                   0
IPv6 multicast groups                  1K                     1152                   1K
Total IPv6 unicast routes              3K                     2

• Use the sdm prefer vlan global configuration command only on switches intended for Layer 2 switching with no routing. When you use the VLAN template, no system resources are reserved for routing entries, and any routing is done through software. This overloads the CPU and severely degrades routing performance.
• Do not use the routing template if you do not have routing enabled on your switch.

Displaying the SDM Templates
This is an example of an output display when you have changed the template and have not reloaded the switch:
Switch# show sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.

Switch# show sdm prefer routing
"desktop routing" template:
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
Chapter 9 Configuring Switch-Based Authentication
This chapter describes how to configure switch-based authentication on the Catalyst 3560 switch.

Protecting Access to Privileged EXEC Commands
• If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information. For more information, see the “Controlling Switch Access with TACACS+” section on page 9-10.

Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  enable password password
        Define a new password or change an existing password for access to privileged EXEC mode.

Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  enable password [level level] {password | encryption-type encrypted-password}
        Define a new password or change an existing password for access to privileged EXEC mode.

This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:
Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8

Disabling Password Recovery
By default, any end user with physical access to the switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password.

Setting a Telnet Password for a Terminal Line
When you power up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password.

Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  username name [privilege level] {password encryption-type password}
        Enter the username, privilege level, and password for each user.

Setting the Privilege Level for a Command
Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  privilege mode level level command
        Set the privilege level for a command.

Changing the Default Privilege Level for Lines
Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  line vty line
        Select the virtual terminal line on which to restrict access.
Step 3  privilege level level
        Change the default privilege level for the line.
Controlling Switch Access with TACACS+
This section describes how to enable and configure Terminal Access Controller Access Control System Plus (TACACS+), which provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands.

[Figure 9-1 Typical TACACS+ Network Configuration: a Catalyst 6500 series switch with two UNIX workstations, TACACS+ server 1 (171.20.10.7) and TACACS+ server 2 (171.20.10.8)]
Configure the switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers). Enable AAA. Create a login authentication method list. Apply the list to the terminal lines.

TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a password prompt.

These sections contain this configuration information:
• Default TACACS+ Configuration, page 9-13
• Identifying the TACACS+ Server Host and Setting the Authentication Key, page 9-13
• Configuring TACACS+ Login Authentication, page 9-14
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 9-16
• Starting TACACS+ Accounting, page 9-17

Default TACACS+ Configuration
TACACS+ a

Step 4  aaa group server tacacs+ group-name
        (Optional) Define the AAA server-group with a group name. This command puts the switch in a server group subconfiguration mode.
Step 5  server ip-address
        (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group.

Step 3  aaa authentication login {default | list-name} method1 [method2...]
        Create a login authentication method list.
        • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.

To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.

Starting TACACS+ Accounting
The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records.
Controlling Switch Access with RADIUS
• Configuring RADIUS, page 9-19
• Displaying the RADIUS Configuration, page 9-32

Understanding RADIUS
RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco routers and switches. Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information.

[Figure 9-2 Transitioning from RADIUS to TACACS+ Services: a remote PC and a workstation, RADIUS servers R1 and R2, TACACS+ servers T1 and T2]

RADIUS Operation
When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:
1. The user is prompted to enter a username and password.
2.

software uses the first method listed to authenticate, to authorize, or to keep accounts on users. If that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted. You should have access to and should configure a RADIUS server before configuring RADIUS features on your switch.
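The method-list behaviour just described (a method that does not respond is skipped, the first method that answers decides, and an exhausted list is a failed login) is modelled in the added example below, which is not from this guide. The method names mirror the aaa authentication login keywords (group tacacs+, group radius, local, enable, none); the server reachability, the user databases and the enable secret are constructed stand-ins, not real AAA client code.

```python
import hmac
from enum import Enum


class Reply(Enum):
    """What one method returns to AAA."""
    PASS = "pass"     # the method answered and accepted the credentials
    FAIL = "fail"     # the method answered and rejected the credentials
    ERROR = "error"   # the method did not respond (server unreachable, timeout)


def _verdict(expected, supplied):
    """Compare a stored password with the supplied one in constant time."""
    if expected is None:
        return Reply.FAIL
    ok = hmac.compare_digest(expected.encode(), supplied.encode())
    return Reply.PASS if ok else Reply.FAIL


class Backends:
    """Constructed stand-ins for the methods a login method list can name."""

    def __init__(self, server_groups, local_users, enable_secret):
        # server_groups: method name such as "group radius" or "group tacacs+"
        #   -> (reachable, {username: password}); every value here is constructed
        self.server_groups = server_groups
        self.local_users = local_users        # "local": the username commands
        self.enable_secret = enable_secret    # "enable": the enable secret

    def query(self, method, user, pw):
        if method in self.server_groups:
            reachable, users = self.server_groups[method]
            if not reachable:
                return Reply.ERROR            # no server in the group answered
            return _verdict(users.get(user), pw)
        if method == "local":
            return _verdict(self.local_users.get(user), pw)
        if method == "enable":
            return _verdict(self.enable_secret, pw)
        if method == "none":
            return Reply.PASS                 # no authentication: always succeeds
        raise ValueError("unknown method: " + method)


def aaa_login(method_list, backends, user, pw):
    """Walk the list in order. Returns (accepted, method that decided or None)."""
    for method in method_list:
        reply = backends.query(method, user, pw)
        if reply is Reply.ERROR:
            continue                          # no response: try the next method
        return reply is Reply.PASS, method    # an answer, accept or reject, is final
    return False, None                        # list exhausted with no answer: login fails


if __name__ == "__main__":
    users = {"netops": "Tr0ub4dor"}                                   # constructed
    down = Backends({"group tacacs+": (False, users)}, {"admin": "l0calpw"}, "en4ble")
    up = Backends({"group tacacs+": (True, users)}, {"admin": "l0calpw"}, "en4ble")
    ml = ["group tacacs+", "local"]
    print(aaa_login(ml, down, "admin", "l0calpw"))      # (True, 'local'): server down
    print(aaa_login(ml, up, "admin", "l0calpw"))        # (False, 'group tacacs+'): reject is final
    print(aaa_login(["group tacacs+"], down, "netops", "Tr0ub4dor"))   # (False, None)
    print(aaa_login(["group tacacs+", "none"], down, "anyone", ""))    # (True, 'none')
```

A list that ends in none accepts every login whenever the methods before it are unreachable, which is why a production list normally falls back to local or enable instead.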
A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange responses. To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the switch.

Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.
Step 1  configure terminal
        Enter global configuration mode.

This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting:
Switch(config)# radius-server host host1
Note  You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.

Step 3  aaa authentication login {default | list-name} method1 [method2...]
        Create a login authentication method list.
        • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.

Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:
Step 1  configure terminal
        Enter global configuration mode.

Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Step 9  Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 9-23.
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.

Step 3  aaa authorization exec radius
        Configure the switch for user RADIUS authorization if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information).
Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        Verify your entries.

Configuring Settings for All RADIUS Servers
Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  radius-server key string
        Specify the shared secret text string used between the switch and all RADIUS servers.

This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
This example shows how to specify an authorized VLAN in the RADIUS server database:
cisco-avpair= "tunnel-type(#64)=VLAN(13)"
cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
This example shows how to apply an in

Configuring the Switch for Vendor-Proprietary RADIUS Server Communication
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
Displaying the RADIUS Configuration
To display the RADIUS configuration, use the show running-config privileged EXEC command.

Controlling Switch Access with Kerberos
This section describes how to enable and configure the Kerberos security system, which authenticates requests for network resources by using a trusted third party.

Note  A Kerberos server can be a Catalyst 3560 switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol.
The Kerberos credential scheme uses a process called single logon. This process authenticates a user once and then allows secure authentication (without encrypting another password) wherever that user credential is accepted.

Table 9-2 Kerberos Terms (continued)
Term            Definition
Kerberos realm  A domain consisting of users, hosts, and network services that are registered to a Kerberos server. The Kerberos server is trusted to verify the identity of a user or network service to another user or network service.
                Note  The Kerberos realm name must be in all uppercase characters.

Authenticating to a Boundary Switch
This section describes the first layer of security through which a remote user must pass. The user must first authenticate to the boundary switch. This process then occurs:
1. The user opens an un-Kerberized Telnet connection to the boundary switch.
2. The switch prompts the user for a username and password.
3. The switch requests a TGT from the KDC for this user.
4.

When you add or create entries for the hosts and users, follow these guidelines:
Note
• The Kerberos principal name must be in all lowercase characters.
• The Kerberos instance name must be in all lowercase characters.
• The Kerberos realm name must be in all uppercase characters.

Configuring the Switch for Local Authentication and Authorization
Step 6  username name [privilege level] {password encryption-type password}
        Enter the local database, and establish a username-based authentication system. Repeat this command for each user.
        • For name, specify the user ID as one word. Spaces and quotation marks are not allowed.
        • (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15.

Configuring the Switch for Secure Shell
For SSH configuration examples, see the “SSH Configuration Examples” section in the “Configuring Secure Shell” chapter of the Cisco IOS Security Configuration Guide, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7d5.
Limitations
These limitations apply to SSH:
• The switch supports Rivest, Shamir, and Adleman (RSA) authentication.
• SSH supports only the execution-shell application.
• The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data encryption software.
• The switch does not support the Advanced Encryption Standard (AES) symmetric encryption algorithm.
3. Generate an RSA key pair for the switch, which automatically enables SSH. Follow this procedure only if you are configuring the switch as an SSH server.
4. Configure user authentication for local or remote access. This step is required. For more information, see the “Configuring the Switch for Local Authentication and Authorization” section on page 9-36.
Command Purpose
Step 3 ip ssh {timeout seconds | authentication-retries number} Configure the SSH control parameters:
• Specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. This parameter applies to the SSH negotiation phase. After the connection is established, the switch uses the default time-out values of the CLI-based sessions.
For more information about these commands, see the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7cd.
When a connection attempt is made, the HTTPS server provides a secure connection by issuing a certified X.509v3 certificate, obtained from a specified CA trustpoint, to the client. The client (usually a Web browser), in turn, has a public key that allows it to authenticate the certificate. For secure HTTP connections, we highly recommend that you configure a CA trustpoint.
For additional information on Certificate Authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
CipherSuites
A CipherSuite specifies the encryption algorithm and the digest algorithm to use on an SSL connection.
Default SSL Configuration
The standard HTTP server is enabled. SSL is enabled. No CA trustpoints are configured. No self-signed certificates are generated.
SSL Configuration Guidelines
When SSL is used in a switch cluster, the SSL session terminates at the cluster commander. Cluster member switches must run standard HTTP.
Command Purpose
Step 12 crypto ca enroll name Obtain the certificate from the specified CA trustpoint. This command requests a signed certificate for each RSA key pair.
Step 13 end Return to privileged EXEC mode.
Step 14 show crypto ca trustpoints Verify the configuration.
Step 15 copy running-config startup-config (Optional) Save your entries in the configuration file.
Command Purpose
Step 8 ip http path path-name (Optional) Set a base HTTP path for HTML files. The path specifies the location of the HTTP server files on the local system (usually located in system flash memory).
Step 9 ip http access-class access-list-number (Optional) Specify an access list to use to allow access to the HTTP server.
Beginning in privileged EXEC mode, follow these steps to configure a secure HTTP client:
Command Purpose
configure terminal Enter global configuration mode.
ip http client secure-trustpoint name (Optional) Specify the CA trustpoint to be used if the remote HTTP server requests client authentication.
Because SSH also relies on AAA authentication, and SCP relies further on AAA authorization, correct configuration is necessary.
Note
• Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.
• Because SCP relies on SSH for its secure transport, the router must have a Rivest, Shamir, and Adleman (RSA) key pair.
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
IEEE 802.1x port-based authentication prevents unauthorized devices (clients) from gaining access to the network. The Catalyst 3560 switch command reference and the “RADIUS Commands” section in the Cisco IOS Security Command Reference, Release 12.2, have command syntax and usage information.
• Understanding IEEE 802.1x Port-Based Authentication, page 10-1
• Configuring 802.1x Authentication, page 10-29
• Displaying 802.
Understanding IEEE 802.1x Port-Based Authentication
• 802.1x Authentication with VLAN Assignment, page 10-14
• Using 802.1x Authentication with Per-User ACLs, page 10-15
• 802.1x Authentication with Guest VLAN, page 10-17
• 802.1x Authentication with Restricted VLAN, page 10-18
• 802.1x Authentication with Inaccessible Authentication Bypass, page 10-19
• 802.1x Authentication with Voice VLAN Ports, page 10-21
• 802.
• Authentication server—performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client.
Figure 10-2 shows the authentication process.
Figure 10-2 Authentication Flowchart (decision nodes: Is the client IEEE 802.1x capable? Is MAC authentication bypass enabled? IEEE 802.1x authentication process times out. Outcomes: Start IEEE 802.1x port-based authentication; Client identity is invalid; The switch gets an EAPOL message, and the EAPOL message exchange begins.)
The Termination-Action RADIUS attribute (Attribute [29]) specifies the action to take during re-authentication. The actions are Initialize and ReAuthenticate. When the Initialize action is set (the attribute value is DEFAULT), the 802.1x session ends, and connectivity is lost during re-authentication.
Figure 10-3 Message Exchange (client, switch, and RADIUS authentication server): EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity with RADIUS Access-Request; EAP-Request/OTP with RADIUS Access-Challenge; EAP-Response/OTP with RADIUS Access-Request; EAP-Success with RADIUS Access-Accept; Port Authorized; EAPOL-Logoff; Port Unauthorized.
If 802.
Authentication Manager
In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including CLI commands and messages, on this switch and also on other network devices, such as a Catalyst 6000. You had to use separate authentication configurations. Cisco IOS Release 12.
Per-User ACLs and Filter-Ids
In releases earlier than Cisco IOS Release 12.2(50)SE, an ACL configured on the switch is not compatible with an ACL configured on another device running Cisco IOS software, such as a Catalyst 6000 switch. In Cisco IOS Release 12.2(50)SE or later, the ACLs configured on the switch are compatible with other devices running Cisco IOS release.
Table 10-2 Authentication Manager Commands and Earlier 802.1x Commands (continued)
Columns: the authentication manager commands in Cisco IOS Release 12.2(50)SE or later; the equivalent 802.1x commands in Cisco IOS Release 12.2(46)SE and earlier; description.
authentication order (equivalent earlier command: dot1x mac-auth-bypass) Enable the MAC authentication bypass feature.
• auto—enables 802.1x authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-start frame is received.
The switch supports Multi-Domain Authentication (MDA), which allows both a data device and a voice device, such as an IP Phone (Cisco or non-Cisco), to connect to the same switch port. For more information, see the “Multidomain Authentication” section on page 10-11.
• Active fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a port changes from single-host or multiple-host mode to multidomain mode.
• Switching a port host mode from multidomain to single-host or multiple-hosts mode removes all authorized devices from the port.
• If a data domain is authorized first and placed in the guest VLAN, non-802.
802.1x Accounting Attribute-Value Pairs
The information sent to the RADIUS server is represented in the form of Attribute-Value (AV) pairs. These AV pairs provide data for different applications. (For example, a billing application might require information that is in the Acct-Input-Octets or the Acct-Output-Octets attributes of a RADIUS packet.
802.1x Readiness Check
The 802.1x readiness check monitors 802.1x activity on all the switch ports and displays information about the devices connected to the ports that support 802.1x. You can use this feature to determine if the devices connected to the switch ports are 802.1x-capable.
– If the VLAN configuration change of one device results in matching the other device configured or assigned VLAN, then authorization of all devices on the port is terminated and multidomain host mode is disabled until a valid configuration is restored where data and voice device configured VLANs no longer match.
the egress direction. MAC ACLs are supported only in the ingress direction. The switch supports VSAs only in the ingress direction. It does not support port ACLs in the egress direction on Layer 2 ports. For more information, see Chapter 33, “Configuring Network Security with ACLs.” Use only the extended ACL syntax style to define the per-user configuration stored on the RADIUS server.
Note If a downloadable ACL or redirect URL is configured for a client on the authentication server, a default port ACL on the connected client switch port must also be configured.
Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL
The switch uses these cisco-av-pair VSAs:
• url-redirect is the HTTP to HTTPS URL.
• url-redirect-acl is the switch ACL name or number.
When you enable a guest VLAN on an 802.1x port, the switch assigns clients to a guest VLAN when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets are not sent by the client. The switch maintains the EAPOL packet history.
restricted VLAN allows users without valid credentials in an authentication server (typically, visitors to an enterprise) to access a limited set of services. The administrator can control the services available to the restricted VLAN.
Note You can configure a VLAN to be both the guest VLAN and the restricted VLAN if you want to provide the same services to both types of users.
When this feature is enabled, the switch checks the status of the configured RADIUS servers whenever the switch tries to authenticate a host connected to a critical port. If a server is available, the switch can authenticate the host.
802.1x Authentication with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
• VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
• PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
The port security violation modes determine the action for security violations. For more information, see the “Security Violations” section on page 24-10.
• When you manually remove an 802.1x client address from the port security table by using the no switchport port-security mac-address mac-address interface configuration command, you should re-authenticate the 802.
802.1x Authentication with MAC Authentication Bypass
You can configure the switch to authorize clients based on the client MAC address (see Figure 10-2 on page 10-4) by using the MAC authentication bypass feature. For example, you can enable this feature on 802.1x ports connected to devices such as printers. If 802.
• Private VLAN—You can assign a client to a private VLAN.
• Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an 802.1x port is authenticated with MAC authentication bypass, including hosts in the exception list. For more configuration information, see the “Authentication Manager” section on page 10-7.
Network Admission Control Layer 2 802.
Open1x Authentication
Open1x authentication allows a device access to a port before that device is authenticated. When open authentication is configured, a new host on the port can only send traffic to the switch. After the host is authenticated, the policies configured on the RADIUS server are applied to that host.
• Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing user traffic from multiple VLANs coming from supplicant switches. This can be achieved by configuring the cisco-av-pair as device-traffic-class=switch at the ACS. (You can configure this under the group or user settings.
For more information, see the “Authentication Manager” section on page 10-7 and the “Configuring Web Authentication” section on page 10-60.
Web Authentication with Automatic MAC Check
You can use web authentication with automatic MAC check to authenticate a client that does not support 802.1x or web-browser functionality.
Figure 10-7 “Authentication Successful” Banner
This banner can also be customized, as shown in Figure 10-8.
• Add a switch, router, or company name to the banner by using the ip admission auth-proxy-banner http banner-text global configuration command.
• Add a logo or text file to the banner by using the ip admission auth-proxy-banner http file-path global configuration command.
Figure 10-9 Login Screen With No Banner
For more information, see the “Configuring a Web Authentication Local Banner” section on page 10-64.
Configuring 802.1x Authentication
These sections contain this configuration information:
• Default 802.1x Authentication Configuration, page 10-30
• 802.1x Authentication Configuration Guidelines, page 10-31
• Configuring 802.
• Configuring a Restricted VLAN, page 10-47 (optional)
• Configuring the Inaccessible Authentication Bypass Feature, page 10-49 (optional)
• Configuring 802.1x Authentication with WoL, page 10-52 (optional)
• Configuring MAC Authentication Bypass, page 10-53 (optional)
• Configuring NAC Layer 2 802.1x Validation, page 10-54 (optional)
• Configuring 802.
Table 10-4 Default 802.1x Authentication Configuration (continued)
Feature Default Setting
Maximum retransmission number 2 times (number of times that the switch will send an EAP-request/identity frame before restarting the authentication process).
• The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed ports, but it is not supported on these port types:
– Trunk port—If you try to enable 802.1x authentication on a trunk port, an error message appears, and 802.1x authentication is not enabled. If you try to change the mode of an 802.
– If the client is running Windows XP and the port to which the client is connected is in the critical-authentication state, Windows XP might report that the interface is not authenticated.
– If the Windows XP client is configured for DHCP and has an IP address from the DHCP server, receiving an EAP-Success message on a critical port might not re-initiate the DHCP configuration process.
Configuring 802.1x Readiness Check
The 802.1x readiness check monitors 802.1x activity on all the switch ports and displays information about the devices connected to the ports that support 802.1x. You can use this feature to determine if the devices connected to the switch ports are 802.1x-capable. The 802.1x readiness check is allowed on all ports that can be configured for 802.1x.
Configuring Voice Aware 802.1x Security
You use the voice aware 802.1x security feature on the switch to disable only the VLAN on which a security violation occurs, whether it is a data or voice VLAN. You can use this feature in IP phone deployments where a PC is connected to the IP phone. A security violation found on the data VLAN results in the shutdown of only the data VLAN.
This example shows how to configure the switch to shut down any VLAN on which a security violation error occurs:
Switch(config)# errdisable detect cause security-violation shutdown vlan
This example shows how to re-enable all VLANs that were error disabled on port Gigabit Ethernet 0/2.
Configuring 802.1x Authentication
To configure 802.1x port-based authentication, you must enable authentication, authorization, and accounting (AAA) and specify the authentication method list. A method list describes the sequence and authentication method to be queried to authenticate a user.
Command Purpose
Step 8 interface interface-id Specify the port connected to the client to enable for 802.1x authentication, and enter interface configuration mode.
Step 9 switchport mode access (Optional) Set the port to access mode only if you configured the RADIUS server in Step 6 and Step 7.
Step 10 authentication port-control auto Enable 802.1x authentication on the port.
Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on the switch. This procedure is required.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 radius-server host {hostname | Configure the RADIUS server parameters.
Configuring the Host Mode
Beginning in privileged EXEC mode, follow these steps to allow a single host (client) or multiple hosts on an 802.1x-authorized port. Use the multi-domain keyword to configure multidomain authentication (MDA) to enable authentication of both a host and a voice device, such as an IP phone (Cisco or non-Cisco) on the same switch port. This procedure is optional.
This example shows how to enable 802.
Command Purpose
Step 5 end Return to privileged EXEC mode.
Step 6 show authentication interface-id or show dot1x interface interface-id Verify your entries.
Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
To disable periodic re-authentication, use the no authentication periodic or the no dot1x reauthentication interface configuration command.
Command Purpose
Step 5 show authentication interface-id or show dot1x interface interface-id Verify your entries.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
To return to the default quiet time, use the no dot1x timeout quiet-period interface configuration command.
Setting the Switch-to-Client Frame-Retransmission Number
You can change the number of times that the switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting the authentication process.
Beginning in privileged EXEC mode, follow these steps to set the re-authentication number. This procedure is optional.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode.
Beginning in privileged EXEC mode, follow these steps to configure 802.1x accounting after AAA is enabled on your switch. This procedure is optional.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode.
Step 3 aaa accounting dot1x default start-stop group radius Enable 802.
Command Purpose
Step 5 dot1x guest-vlan vlan-id Specify an active VLAN as an 802.1x guest VLAN. The range is 1 to 4094. You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an 802.1x guest VLAN.
Step 6 end Return to privileged EXEC mode.
Step 7 show authentication interface-id Verify your entries.
Command Purpose
Step 4 authentication port-control auto or dot1x port-control auto Enable 802.1x authentication on the port.
Step 5 dot1x auth-fail vlan vlan-id Specify an active VLAN as an 802.1x restricted VLAN. The range is 1 to 4094. You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an 802.1x restricted VLAN.
Command Purpose
Step 6 dot1x auth-fail max-attempts max attempts Specify a number of authentication attempts to allow before a port moves to the restricted VLAN. The range is 1 to 3, and the default is 3.
Step 7 end Return to privileged EXEC mode.
Step 8 show authentication interface-id (Optional) Verify your entries.
Command Purpose
Step 4 radius-server host ip-address [acct-port udp-port] [auth-port udp-port] [test username name [idle-time time] [ignore-acct-port] [ignore-auth-port]] [key string] (Optional) Configure the RADIUS server parameters by using these keywords:
• acct-port udp-port—Specify the UDP port for the RADIUS accounting server. The range for the UDP port number is from 0 to 65536. The default is 1646.
Command Purpose
Step 7 dot1x critical [recovery action reinitialize | vlan vlan-id] Enable the inaccessible authentication bypass feature, and use these keywords to configure the feature:
• recovery action reinitialize—Enable the recovery feature, and specify that the recovery action is to authenticate the port when an authentication server is available.
Command Purpose
Step 3 authentication control-direction {both | in} Enable 802.1x authentication with WoL on the port, and use these keywords to configure the port as bidirectional or unidirectional.
or
• both—Sets the port as bidirectional. The port cannot receive packets from or send packets to the host. By default, the port is bidirectional.
• in—Sets the port as unidirectional.
Command Purpose
Step 4 dot1x mac-auth-bypass [eap | timeout activity {value}] Enable MAC authentication bypass.
(Optional) Use the eap keyword to configure the switch to use EAP for authorization.
(Optional) Use the timeout activity keywords to configure the number of seconds that a connected host can be inactive before it is placed in an unauthorized state. The range is 1 to 65535.
Command Purpose
Step 5 dot1x timeout reauth-period {seconds | server} Set the number of seconds between re-authentication attempts. The keywords have these meanings:
• seconds—Sets the number of seconds from 1 to 65535; the default is 3600 seconds.
Command Purpose
Step 3 interface interface-id Specify the port to be configured, and enter interface configuration mode.
Step 4 switchport mode access (Optional) Set the port mode to access.
Step 5 authentication port-control auto Set the port-authentication mode to auto.
Step 6 dot1x pae authenticator Configure the interface as a port access entity (PAE) authenticator.
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication Configuring 802.1x Authentication Configuring a Downloadable Policy Beginning in privileged EXEC mode: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number deny source source-wildcard log Defines the default port ACL by using a source address and wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
Step 12: show ip device tracking all
Displays information about the entries in the IP device tracking table.
Step 13: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
This example shows how to configure a switch for a downloadable policy:
Switch# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Configuring Open1x
Beginning in privileged EXEC mode:
Step 1: configure terminal
Enter global configuration mode.
Step 2: interface interface-id
Specify the port to be configured, and enter interface configuration mode.
Step 3: authentication control-direction {both | in}
(Optional) Configure the port control as unidirectional or bidirectional.
Step 3: aaa authentication login default group radius
Use RADIUS authentication. Before you can use this authentication method, you must configure the RADIUS server. For more information, see Chapter 9, “Configuring Switch-Based Authentication.”
Beginning in privileged EXEC mode, follow these steps to configure a port to use web authentication:
Step 1: configure terminal
Enter global configuration mode.
Step 2: ip admission name rule proxy http
Define a web authentication rule.
Note: The same rule cannot be used for both web authentication and NAC Layer 2 IP validation.
Step 9: authentication port-control auto, or dot1x port-control auto
Enable 802.1x authentication on the interface.
Step 10: authentication fallback fallback-profile, or dot1x fallback fallback-profile
Configure the port to authenticate a client by using web authentication when no 802.1x supplicant is detected on the port.
Configuring a Web Authentication Local Banner
Beginning in privileged EXEC mode, follow these steps to configure a local banner on a switch that has web authentication configured.
Step 1: configure terminal
Enter global configuration mode.
Step 2: ip admission auth-proxy-banner http [banner-text | file-path]
Enable the local banner.
Displaying 802.1x Statistics and Status

This example shows how to disable 802.1x authentication on the port:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# no dot1x pae authenticator

Resetting the 802.1x Authentication Configuration to the Default Values
Beginning in privileged EXEC mode, follow these steps to reset the 802.1x authentication configuration to the default values. This procedure is optional.
CHAPTER 11 Configuring Interface Characteristics
This chapter defines the types of interfaces on the Catalyst 3560 switch and describes how to configure them.
Chapter 11 Configuring Interface Characteristics
Understanding Interface Types

Port-Based VLANs
A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 13, “Configuring VLANs.” Packets received on a port are forwarded only to ports that belong to the same VLAN as the receiving port.
Access Ports
An access port belongs to and carries the traffic of only one VLAN (unless it is configured as a voice VLAN port). Traffic is received and sent in native formats with no VLAN tagging. Traffic arriving on an access port is assumed to belong to the VLAN assigned to the port. If an access port receives a tagged packet (Inter-Switch Link [ISL] or IEEE 802.
on the customer switch. Packets entering the tunnel port on the edge switch, already IEEE 802.1Q-tagged with the customer VLANs, are encapsulated with another layer of an IEEE 802.1Q tag (called the metro tag), containing a VLAN ID unique in the service-provider network, for each customer.
Note: You cannot delete interface VLAN 1.
SVIs provide IP host connectivity only to the system; in Layer 3 mode, you can configure routing across SVIs. Although the switch supports a total of 1005 VLANs (and SVIs), the interrelationship between the number of SVIs and routed ports and the number of other features being configured might impact CPU performance because of hardware limitations.
is a monitoring port, you might configure autostate exclude on that port so that the VLAN goes down when all other ports go down. When enabled on a port, autostate exclude applies to all VLANs that are enabled on that port. The VLAN interface is brought up when one Layer 2 port in the VLAN has had time to converge (transition from STP listening-learning state to forwarding state).
Power over Ethernet Ports
Catalyst 3560 PoE-capable switch ports automatically supply power to these connected devices (if the switch senses that there is no power on the circuit):
• Cisco pre-standard powered devices (such as Cisco IP Phones and Cisco Aironet access points)
• IEEE 802.
After device detection, the switch determines the device power requirements based on its type:
• A Cisco pre-standard powered device does not provide its power requirement when the switch detects it, so the switch allocates 15.4 W as the initial allocation for power budgeting. The initial power allocation is the maximum amount of power that a powered device requires.
If granting power would exceed the system power budget, the switch denies power, ensures that power to the port is turned off, generates a syslog message, and updates the LEDs. After power has been denied, the switch periodically rechecks the power budget and continues to attempt to grant the request for power.
Using Interface Configuration Mode

[Figure 11-1 Connecting VLANs with the Catalyst 3560 Switch: a Layer 3 switch with routing enabled, SVI 1 and SVI 2, Host A and Host B, VLAN 20 and VLAN 30, addresses 172.20.128.1 and 172.20.129.1]

When the IP services image is running on the switch, the switch supports two methods of forwarding traffic between interfaces: routing and fallback bridging.
• Module number—The module or slot number on the switch (always 0 on the Catalyst 3560 switch).
• Port number—The interface number on the switch. The port numbers always begin at 1, starting with the far left port when facing the front of the switch, for example, fastethernet0/1 or gigabitethernet0/1.
Beginning in privileged EXEC mode, follow these steps to configure a range of interfaces with the same parameters:
Step 1: configure terminal
Enter global configuration mode.
Step 2: interface range {port-range | macro macro_name}
Specify the range of interfaces (VLANs or physical ports) to be configured, and enter interface-range configuration mode.
This example shows how to use the interface range global configuration command to set the speed on ports 1 to 4 to 100 Mb/s:
Switch# configure terminal
Switch(config)# interface range gigabitethernet0/1 - 4
Switch(config-if-range)# speed 100
This example shows how to use a comma to add different interface type strings to the range to enable Fast Ethernet ports 1 to 3 and Gigabit Ethernet ports 1 and 2 to receive flow-cont
Configuring Ethernet Interfaces

– gigabitethernet module/{first port} - {last port}, where the module is always 0
– port-channel port-channel-number - port-channel-number, where the port-channel-number is 1 to 48.
Note: When you use the interface ranges with port channels, the first and last port-channel number must be active port channels.
• You must add a space between the first interface number and the hyphen when entering an interface-range.
• Configuring Interface Speed and Duplex Mode, page 11-17
• Configuring IEEE 802.
Table 11-2 Default Layer 2 Ethernet Interface Configuration (continued)
Feature: Default Setting
Protected port: Disabled (Layer 2 interfaces only). See the “Configuring Protected Ports” section on page 24-6.
Port security: Disabled (Layer 2 interfaces only). See the “Default Port Security Configuration” section on page 24-11.
Port Fast: Disabled.
Step 3: media-type {auto-select | rj45 | sfp}
Select the interface and type of a dual-purpose uplink port. The keywords have these meanings:
• auto-select—The switch dynamically selects the type. When link up is achieved, the switch disables the other type until the active link goes down. When the active link goes down, the switch enables both types until one of them links up.
These sections describe how to configure the interface speed and duplex mode:
• Speed and Duplex Configuration Guidelines, page 11-18
• Setting the Interface Speed and Duplex Parameters, page 11-18

Speed and Duplex Configuration Guidelines
When configuring an interface speed and duplex mode, note these guidelines:
• Fast Ethernet (10/100-Mb/s) ports support all speed and duplex options.
Step 3: speed {10 | 100 | 1000 | auto [10 | 100 | 1000] | nonegotiate}
Enter the appropriate speed parameter for the interface:
• Enter 10, 100, or 1000 to set a specific speed for the interface. The 1000 keyword is available only for 10/100/1000 Mb/s ports.
• Enter auto to enable the interface to autonegotiate speed with the connected device.
Configuring IEEE 802.3x Flow Control
Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. If one port experiences congestion and cannot receive any more traffic, it notifies the other port by sending a pause frame to stop sending until the condition clears.
Configuring Auto-MDIX on an Interface
When automatic medium-dependent interface crossover (auto-MDIX) is enabled on an interface, the interface automatically detects the required cable connection type (straight through or crossover) and configures the connection appropriately.
Configuring a Power Management Mode on a PoE Port
For most situations, the default configuration (auto mode) works well, providing plug-and-play operation. No further configuration is required. However, use the following procedure to give a PoE port higher priority, to make it data only, or to specify a maximum wattage to disallow high-power powered devices on a port.
For information about the output of the show power inline user EXEC command, see the command reference for this release. For more information about PoE-related commands, see the “Troubleshooting Power over Ethernet Switch Ports” section on page 47-12. For information about configuring voice VLAN, see Chapter 15, “Configuring Voice VLAN.”
Beginning in privileged EXEC mode, follow these steps to configure the amount of power budgeted to a powered device connected to each PoE port on a switch:
Step 1: configure terminal
Enter global configuration mode.
Step 2: no cdp run
(Optional) Disable CDP.
Step 3: power inline consumption default wattage
Configure the power consumption of powered devices connected to each PoE port on the switch.
Configuring Layer 3 Interfaces

Beginning in privileged EXEC mode, follow these steps to add a description for an interface:
Step 1: configure terminal
Enter global configuration mode.
Step 2: interface interface-id
Specify the interface for which you are adding a description, and enter interface configuration mode.
Step 3: description string
Add a description (up to 240 characters) for an interface.
A Layer 3 switch can have an IP address assigned to each routed port and SVI. There is no defined limit to the number of SVIs and routed ports that can be configured in a switch. However, the interrelationship between the number of SVIs and routed ports and the number of other features being configured might have an impact on CPU usage because of hardware limitations.
Configuring the System MTU

This example shows how to configure a port as a routed port and to assign it an IP address:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.20.135.21 255.255.255.
Note: You cannot configure a routing MTU size that exceeds the system MTU size. If you change the system MTU size to a value smaller than the currently configured routing MTU size, the configuration change is accepted, but not applied until the next switch reset. When the configuration change takes effect, the routing MTU size automatically defaults to the new system MTU size.
Monitoring and Maintaining the Interfaces

Step 6: copy running-config startup-config
Save your entries in the configuration file.
Step 7: reload
Reload the operating system.
If you enter a value that is outside the allowed range for the specific type of interface, the value is not accepted. Once the switch reloads, you can verify your settings by entering the show system mtu privileged EXEC command.
Table 11-4 Show Commands for Interfaces (continued)
Command: Purpose
show interfaces [interface-id] description: (Optional) Display the description configured on an interface or all interfaces and the interface status.
show ip interface [interface-id]: (Optional) Display the usability status of all interfaces configured for IP routing or the specified interface.
Note: The clear counters privileged EXEC command does not clear counters retrieved by using Simple Network Management Protocol (SNMP), but only those seen with the show interface privileged EXEC command.

Shutting Down and Restarting the Interface
Shutting down an interface disables all functions on the specified interface and marks the interface as unavailable on all monitoring command displays.
CHAPTER 12 Configuring Auto Smartports Macros
This chapter describes how to configure and apply Auto Smartports and static Smartports macros on the Catalyst 3560 switch.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 12 Configuring Auto Smartports Macros
Configuring Auto Smartports

• Default Auto Smartports Configuration, page 12-2
• Auto Smartports Configuration Guidelines, page 12-3
• Enabling Auto Smartports, page 12-3
• Configuring Auto Smartports Built-in Macros, page 12-4
• Configuring Event Triggers, page 12-6
• Configuring Auto Smartports User-Defined Macros, page 12-9

Default Auto Smartports Configuration
• Auto Smartports is disabled.
Auto Smartports Configuration Guidelines
• The built-in macros cannot be deleted or changed. However, you can override a built-in macro by creating a user-defined macro with the same name. To restore the original built-in macro, delete the user-defined macro.
• To avoid system conflicts when Auto Smartports macros are applied, remove all port configuration except for 802.1x authentication.
You can use the show shell functions and the show shell triggers privileged EXEC commands to display the event triggers, the built-in macros, and the built-in macro default values.
Step 2: macro auto execute event trigger builtin built-in macro name [parameter=value] [parameter=value]
Define mapping from an event trigger to a built-in macro. Specify an event trigger:
• CISCO_PHONE_EVENT
• CISCO_SWITCH_EVENT
• CISCO_ROUTER_EVENT
• CISCO_WIRELESS_AP_EVENT
• CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT
• WORD—Apply a user-defined event trigger.
This example shows how to use two built-in Auto Smartports macros for connecting Cisco switches and Cisco IP phones to the switch.
Use the no shell trigger identifier global configuration command to delete the event trigger.
This example shows how to map a user-defined event trigger called RADIUS_MAB_EVENT to the built-in macro CISCO_DOT1X_MAB_GUEST_AUTO_SMARTPORT, replace the default VLAN with VLAN 10, and how to verify the entries.
a. Connect the device to a MAB-enabled switch port.
b.
Trigger Id: CISCO_ROUTER_EVENT
Trigger description: Event for router macro
Trigger environment: NATIVE_VLAN=1
Trigger mapping function: CISCO_ROUTER_AUTO_SMARTPORT

Trigger Id: CISCO_SWITCH_EVENT
Trigger description: Event for switch macro
Trigger environment: NATIVE_VLAN=1
Trigger mapping function: CISCO_SWITCH_AUTO_SMARTPORT

Trigger Id: CISCO_WIRELESS_AP_EVENT
Trigger description: Event for Wireless Access Poi
function CISCO_SWITCH_AUTO_SMARTPORT () {
    if [[ $LINKUP -eq YES ]]; then
        conf t
            interface $INTERFACE
                macro description $TRIGGER
                auto qos voip trust
                switchport trunk encapsulation dot1q
                switchport trunk native vlan $NATIVE_VLAN
                switchport trunk allowed vlan ALL
                switchport mode trunk
            exit
        end
    else
        conf t
            interface $INTERFACE
                no macro description
                no auto qos voip trust
                no switchport mode trunk
                no switchport trunk encapsulation dot1q
                no
This example shows how to map a user-defined event trigger called Cisco Digital Media Player (DMP) to a user-defined macro.
a. Connect the DMP to an 802.1x- or MAB-enabled switch port.
b. On the RADIUS server, set the attribute-value pair to auto-smart-port =CISCO_DMP_EVENT.
c. On the switch, create the event trigger CISCO_DMP_EVENT, and enter the user-defined macro commands shown below.
d.
Configuring Static Smartports Macros

Table 12-2 Supported Cisco IOS Shell Keywords (continued)
Command: Description
fi: Use as a conditional construct.
if: Use as a conditional construct.
then: Use as a conditional construct.
-z: Use as a conditional construct.
$: Variables that begin with the $ character are replaced with a parameter value.
#: Use the # character to enter comment text.
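To see concretely what the keywords in Table 12-2 do to an event macro like the CISCO_SWITCH_AUTO_SMARTPORT function shown earlier, here is an added Python expander (not Cisco's IOS shell and not a built-in macro) that applies $variable substitution, if [[ ... ]]; then / else / fi and the -z test to a constructed, shortened macro of the same shape, and returns the commands each branch would push for a given event environment; the INTERFACE, LINKUP, TRIGGER and NATIVE_VLAN values are assumed, in the form the show shell triggers output lists them.

```python
import re

# Constructed, shortened macro in the shape of the guide's CISCO_SWITCH_AUTO_SMARTPORT
# function body; it is not the built-in macro itself.
CONSTRUCTED_MACRO = """\
# link-up branch applies trunk settings, link-down branch removes them
if [[ $LINKUP -eq YES ]]; then
    conf t
    interface $INTERFACE
    macro description $TRIGGER
    switchport trunk native vlan $NATIVE_VLAN
    switchport mode trunk
    exit
    end
else
    conf t
    interface $INTERFACE
    no macro description
    no switchport mode trunk
    exit
    end
fi
"""

# Event environments (constructed values) in the form the guide's
# show shell triggers output lists them
ENV_LINK_UP = {"INTERFACE": "GigabitEthernet0/5", "LINKUP": "YES",
               "TRIGGER": "CISCO_SWITCH_EVENT", "NATIVE_VLAN": "1"}
ENV_LINK_DOWN = dict(ENV_LINK_UP, LINKUP="NO")

_VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
_IF = re.compile(r"^if\s+(.+?)\s*;\s*then$")


def substitute(text, env):
    """Replace every $NAME with its value from env; an unset name becomes ''."""
    return _VAR.sub(lambda m: env.get(m.group(1), ""), text)


def evaluate_condition(cond, env):
    """Evaluate the [[ ... ]] tests built from Table 12-2 keywords:
    '[[ $A -eq B ]]' and '-ne' compare A with B (numerically when both are
    integers, otherwise as strings); '[[ -z $A ]]' is true when A is empty."""
    inner = cond.strip()
    if inner.startswith("[[") and inner.endswith("]]"):
        inner = inner[2:-2]
    # substitute per token so an empty variable still leaves a (blank) token
    tokens = [substitute(t, env) for t in inner.split()]
    if tokens and tokens[0] == "-z":
        return len(tokens) < 2 or tokens[1] == ""
    if len(tokens) == 3 and tokens[1] in ("-eq", "-ne"):
        left, right = tokens[0], tokens[2]
        if left.lstrip("-").isdigit() and right.lstrip("-").isdigit():
            left, right = int(left), int(right)
        return (left == right) if tokens[1] == "-eq" else (left != right)
    raise ValueError(f"unsupported condition: {cond!r}")


def expand_macro(macro_text, env):
    """Walk the macro line by line and return the IOS commands it would emit
    for this environment, honouring nested if / else / fi."""
    commands = []
    frames = []           # one (active_before_if, branch_taken) per open if
    active = True
    for raw in macro_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "then":
            continue      # blank lines, # comments, a 'then' on its own line
        m = _IF.match(line)
        if m:
            # conditions in an inactive branch are not evaluated at all
            taken = active and evaluate_condition(m.group(1), env)
            frames.append((active, taken))
            active = taken
        elif line == "else":
            parent, taken = frames[-1]
            active = parent and not taken
        elif line == "fi":
            active, _ = frames.pop()
        elif active:
            commands.append(substitute(line, env))
    if frames:
        raise ValueError("macro ends inside an if block (missing fi)")
    return commands


if __name__ == "__main__":
    for env in (ENV_LINK_UP, ENV_LINK_DOWN):
        print(f"LINKUP={env['LINKUP']}:")
        for cmd in expand_macro(CONSTRUCTED_MACRO, env):
            print("  " + cmd)
```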
Table 12-4 Default Static Smartports Macros
Macro Name¹: Description
cisco-global: Use this global configuration macro to enable rapid PVST+, loop guard, and dynamic port error recovery for link state failures.
cisco-desktop: Use this interface configuration macro for increased network security and reliability when connecting a desktop device, such as a PC, to a switch port.
Step 4: macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]
Apply each individual command defined in the macro to the switch by entering macro global apply macro-name. Specify macro global trace macro-name to apply and to debug a macro to find any syntax or configuration errors. Append the macro with the required values by using the parameter value keywords.
Displaying Auto Smartports and Static Smartports Macros

This example shows how to display the cisco-desktop macro, to apply the macro and to set the access VLAN ID to 25 on an interface:
Switch# show parser macro cisco-desktop
--------------------------------------------------------------
Macro name : cisco-desktop
Macro type : default
# Basic interface - Enable data VLAN only
# Recommended value for access vlan (AVID) should not be 1
switchport access vlan $AV
CHAPTER 13 Configuring VLANs
This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Catalyst 3560 switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS).
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 13 Configuring VLANs
Understanding VLANs

Figure 13-1 shows an example of VLANs segmented into logically defined networks.
[Figure 13-1 VLANs as Logically Defined Networks: Engineering VLAN, Marketing VLAN and Accounting VLAN spanning Floor 1, Floor 2 and Floor 3, connected over Gigabit Ethernet to a Cisco router]
VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
Although the switch supports a total of 1005 (normal range and extended range) VLANs, the number of routed ports, SVIs, and other configured features affects the use of the switch hardware. The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
Configuring Normal-Range VLANs

Membership Mode: Voice VLAN
VLAN Membership Characteristics: A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 15, “Configuring Voice VLAN.”
VTP Characteristics: VTP is not required; it has no effect on a voice VLAN.
Caution: You can cause inconsistency in the VLAN database if you attempt to manually delete the vlan.dat file. If you want to modify the VLAN configuration, use the commands described in these sections and in the command reference for this release. To change the VTP configuration, see Chapter 16, “Configuring VTP.”
You use the interface configuration mode to define the port membership mode and to add and remove ports from VLANs.
Token Ring VLANs
Although the switch does not support Token Ring connections, a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches.
VLAN Configuration Mode Options
You can configure normal-range VLANs (with VLAN IDs 1 to 1005) by using these two configuration modes:
• VLAN Configuration in config-vlan Mode, page 13-7. You access config-vlan mode by entering the vlan vlan-id global configuration command.
• VLAN Configuration in VLAN Database Configuration Mode, page 13-7. You access VLAN database configuration mode by entering the vlan database privileged EXEC command.
When you save VLAN and VTP information (including extended-range VLAN configuration information) in the startup configuration file and reboot the switch, the switch configuration is selected as follows:
Caution
• If the VTP mode is transparent in the startup configuration, and the VLAN database and the VTP domain name from the VLAN database matches that in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and
Creating or Modifying an Ethernet VLAN
Each Ethernet VLAN in the VLAN database has a unique, 4-digit ID that can be a number from 1 to 1001. VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs. To create a normal-range VLAN to be added to the VLAN database, assign a number and name to the VLAN.
Note: When the switch is in VTP transparent mode, you can assign VLAN IDs greater than 1006, but they are not added to the VLAN database.
You can also create or modify Ethernet VLANs by using the VLAN database configuration mode.
Note: VLAN database configuration mode does not support RSPAN VLAN configuration or extended-range VLANs.
Beginning in privileged EXEC mode, follow these steps to use VLAN database configuration mode to create or modify an Ethernet VLAN:
Step 1: vlan database
Enter VLAN database configuration mode.
Caution: When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN.
Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch:
Step 1: configure terminal
Enter global configuration mode.
Step 2: no vlan vlan-id
Remove the VLAN by entering the VLAN ID.
Configuring Extended-Range VLANs

Step 7: show interfaces interface-id switchport
Verify your entries in the Administrative Mode and the Access Mode VLAN fields of the display.
Step 8: copy running-config startup-config
(Optional) Save your entries in the configuration file.
To return an interface to its default configuration, use the default interface interface-id interface configuration command.
Extended-Range VLAN Configuration Guidelines
Follow these guidelines when creating extended-range VLANs:
• To add an extended-range VLAN, you must use the vlan vlan-id global configuration command and access config-vlan mode. You cannot add extended-range VLANs in VLAN database configuration mode (accessed by entering the vlan database privileged EXEC command).
settings of all parameters. If you enter an extended-range VLAN ID when the switch is not in VTP transparent mode, an error message is generated when you exit from config-vlan mode, and the extended-range VLAN is not created. Extended-range VLANs are not saved in the VLAN database; they are saved in the switch running configuration file.
Creating an Extended-Range VLAN with an Internal VLAN ID
If you enter an extended-range VLAN ID that is already assigned to an internal VLAN, an error message is generated, and the extended-range VLAN is rejected. To manually free an internal VLAN ID, you must temporarily shut down the routed port that is using the internal VLAN ID.
Displaying VLANs
Use the show vlan privileged EXEC command to display a list of all VLANs on the switch, including extended-range VLANs. The display includes VLAN status, ports, and configuration information. To view normal-range VLANs in the VLAN database (1 to 1005), use the show VLAN database configuration command (accessed by entering the vlan database privileged EXEC command). Table 13-3 lists the commands for monitoring VLANs.
Configuring VLAN Trunks

Figure 13-2 shows a network of switches that are connected by ISL trunks.
[Figure 13-2 Switches in an ISL Trunking Environment: a Catalyst 6500 series switch connected by ISL trunks to four switches carrying VLAN1, VLAN2 and VLAN3]
You can configure a trunk on a single Ethernet interface or on an EtherChannel bundle.
Table 13-4 Layer 2 Interface Modes
Mode: Function
switchport mode access: Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether or not the neighboring interface is a trunk interface.
switchport mode dynamic auto: Makes the interface able to convert the link to a trunk link.
IEEE 802.1Q Configuration Considerations
The IEEE 802.1Q trunks impose these limitations on the trunking strategy for a network:
• In a network of Cisco switches connected through IEEE 802.1Q trunks, the switches maintain one spanning-tree instance for each VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.
• Changing the Pruning-Eligible List, page 13-23
• Configuring the Native VLAN for Untagged Traffic, page 13-23
Note: By default, an interface is in Layer 2 mode. The default mode for Layer 2 interfaces is switchport mode dynamic auto.
Step 3: switchport trunk encapsulation {isl | dot1q | negotiate}
Configure the port to support ISL or IEEE 802.1Q encapsulation or to negotiate (the default) with the neighboring interface for encapsulation type. You must configure each end of the link with the same encapsulation type.
Note: VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
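As an added example (not from the Cisco guide), the Python audit below parses interface blocks in the running-config syntax used by the Chapter 10 802.1x procedures and by this chapter's trunk-mode table, and reports ports left at the defaults the guide names: switchport mode dynamic auto (or any dynamic mode), native VLAN 1 on a trunk, no authentication port-control auto, control-direction in, and a MAB inactivity timeout outside 1 to 65535. The interface names and the configuration excerpt are constructed.

```python
import re

# Constructed running-config excerpt (not from the guide) exercising the
# settings the 802.1x and trunk procedures describe.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 authentication control-direction in
 dot1x pae authenticator
 dot1x mac-auth-bypass timeout activity 900
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
!
interface GigabitEthernet0/4
 description printer, left at defaults
!
interface GigabitEthernet0/5
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 dot1x mac-auth-bypass timeout activity 70000
!
"""

_NATIVE = re.compile(r"^switchport trunk native vlan (\d+)$")
_DIRECTION = re.compile(r"^(?:authentication|dot1x) control-direction (both|in)$")
_MAB_TIMEOUT = re.compile(r"^dot1x mac-auth-bypass timeout activity (\d+)$")
_PORT_CONTROL = ("authentication port-control auto", "dot1x port-control auto")


def parse_interfaces(config_text):
    """Return {interface name: [commands]} from running-config text.
    An interface block ends at the next unindented line (usually '!')."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces


def audit_interface(commands):
    """Apply the guide's defaults and ranges to one interface's commands."""
    findings = []
    mode, native_vlan, port_control = None, None, False
    direction = "both"          # guide: the port is bidirectional by default
    for cmd in commands:
        native = _NATIVE.match(cmd)
        dirn = _DIRECTION.match(cmd)
        mab = _MAB_TIMEOUT.match(cmd)
        if cmd.startswith("switchport mode "):
            mode = cmd[len("switchport mode "):]
        elif cmd in _PORT_CONTROL:
            port_control = True
        elif native:
            native_vlan = int(native.group(1))
        elif dirn:
            direction = dirn.group(1)
        elif mab:
            secs = int(mab.group(1))
            if not 1 <= secs <= 65535:
                findings.append(f"MAB inactivity timeout {secs} is outside 1 to 65535")
    if mode is None or mode.startswith("dynamic"):
        shown = mode or "not set (default dynamic auto)"
        findings.append(f"switchport mode {shown} lets the port negotiate into a trunk")
    if mode == "trunk":
        # guide: VLAN 1 is the default native VLAN on every trunk port
        if native_vlan in (None, 1):
            findings.append("802.1Q trunk carries untagged traffic on native VLAN 1 (the default)")
    elif not port_control:
        findings.append("no 802.1x port control (authentication port-control auto)")
    elif direction == "in":
        findings.append("control-direction in: the switch can send to the host before it authenticates (WoL)")
    return findings


def audit_config(config_text):
    """Audit every interface block and return {interface name: [findings]}."""
    return {name: audit_interface(cmds)
            for name, cmds in parse_interfaces(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, findings or "ok")
```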
Changing the Pruning-Eligible List
The pruning-eligible list applies only to trunk ports. Each trunk port has its own eligibility list. VTP pruning must be enabled for this procedure to take effect. The “Enabling VTP Pruning” section on page 16-14 describes how to enable VTP pruning.
Chapter 13 Configuring VLANs Configuring VLAN Trunks Beginning in privileged EXEC mode, follow these steps to configure the native VLAN on an IEEE 802.1Q trunk: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Define the interface that is configured as the IEEE 802.1Q trunk, and enter interface configuration mode.
Chapter 13 Configuring VLANs Configuring VLAN Trunks In this way, Trunk 1 carries traffic for VLANs 8 through 10, and Trunk 2 carries traffic for VLANs 3 through 6. If the active trunk fails, the trunk with the lower priority takes over and carries the traffic for all of the VLANs. No duplication of traffic occurs over any trunk port.
Chapter 13 Configuring VLANs Configuring VLAN Trunks Command Purpose Step 17 interface gigabitethernet 0/1 Define the interface to set the STP port priority, and enter interface configuration mode. Step 18 spanning-tree vlan 8-10 port-priority 16 Assign the port priority of 16 for VLANs 8 through 10. Step 19 exit Return to global configuration mode. Step 20 interface gigabitethernet0/2 Define the interface to set the STP port priority, and enter interface configuration mode.
Chapter 13 Configuring VLANs Configuring VMPS
Step 3  switchport trunk encapsulation {isl | dot1q | negotiate}
        Configure the port to support ISL or IEEE 802.1Q encapsulation. You must configure each end of the link with the same encapsulation type.
Step 4  switchport mode trunk
        Configure the port as a trunk port. The trunk defaults to ISL trunking.
Step 5  exit
        Return to global configuration mode.
Step 6  Repeat Steps 2 through 5 on a second interface in Switch A.
Understanding VMPS
Each time the client switch receives the MAC address of a new host, it sends a VQP query to the VMPS. When the VMPS receives this query, it searches its database for a MAC-address-to-VLAN mapping. The server response is based on this mapping and whether or not the server is in open or secure mode. In secure mode, the server shuts down the port when an illegal host is detected.
Dynamic-access ports can be used for direct host connections, or they can connect to a network. A maximum of 20 MAC addresses are allowed per port on the switch. A dynamic-access port can belong to only one VLAN at a time, but the VLAN can change over time, depending on the MAC addresses seen.
Default VMPS Client Configuration
Table 13-7 shows the default VMPS and dynamic-access port configuration on client switches.
Configuring the VMPS Client
You configure dynamic VLANs by using the VMPS (server). The switch can be a VMPS client; it cannot be a VMPS server.
Entering the IP Address of the VMPS
You must first enter the IP address of the server to configure the switch as a client.
Note: If the VMPS is being defined for a cluster of switches, enter the address on the command switch.
Step 4  switchport access vlan dynamic
        Configure the port as eligible for dynamic VLAN membership. The dynamic-access port must be connected to an end station.
Step 5  end
        Return to privileged EXEC mode.
Step 6  show interfaces interface-id switchport
        Verify your entries in the Operational Mode field of the display.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Changing the Retry Count
Beginning in privileged EXEC mode, follow these steps to change the number of times that the switch attempts to contact the VMPS before querying the next server:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  vmps retry count
        Change the retry count. The retry range is 1 to 10; the default is 3.
Step 3  end
        Return to privileged EXEC mode.
Troubleshooting Dynamic-Access Port VLAN Membership
The VMPS shuts down a dynamic-access port under these conditions:
• The VMPS is in secure mode, and it does not allow the host to connect to the port. The VMPS shuts down the port to prevent the host from connecting to the network.
• More than 20 active hosts reside on a dynamic-access port.
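The client-side behaviour described in the "Understanding VMPS" and "Troubleshooting Dynamic-Access Port VLAN Membership" passages (one VQP query per new MAC address, one VLAN per port at a time, the 20-address limit, and shutdown in secure mode) can be followed in a small model. This is an added example, not Cisco's code or the switch's implementation; the MAC addresses and the MAC-to-VLAN table are constructed, and the open-mode outcome (host refused, port stays up) is an assumption rather than a statement from the guide.

```python
"""Added example (not from the Cisco guide): model of a VMPS client handling a
dynamic-access port. Behaviour taken from the chapter: a VQP query per new MAC,
VLAN assigned from the server's MAC-to-VLAN mapping, a port belongs to one VLAN
at a time, at most 20 MAC addresses per port, secure mode shuts the port down on
an illegal host, more than 20 active hosts shuts the port down.
Assumption (mine, not stated by the guide): in open mode an illegal host is
refused but the port stays up. MAC addresses and the mapping are constructed."""

MAX_HOSTS_PER_PORT = 20


class Vmps:
    """Server side: answers VQP queries from a MAC-to-VLAN database."""

    def __init__(self, mac_to_vlan, secure):
        self.mac_to_vlan = dict(mac_to_vlan)
        self.secure = secure

    def query(self, mac, port_vlan):
        """Return (verdict, vlan). A host is illegal if it is unknown or if it maps
        to a VLAN other than the one the port already belongs to."""
        vlan = self.mac_to_vlan.get(mac)
        if vlan is None or (port_vlan is not None and vlan != port_vlan):
            return ("shutdown" if self.secure else "deny"), None
        return "allow", vlan


class DynamicAccessPort:
    """Client side: a port configured with 'switchport access vlan dynamic'."""

    def __init__(self, name, server):
        self.name = name
        self.server = server
        self.vlan = None          # no VLAN until the first host is accepted
        self.hosts = set()        # active MAC addresses on the port
        self.is_shutdown = False
        self.events = []

    def host_seen(self, mac):
        """Called when a frame with a new source MAC arrives on the port."""
        if self.is_shutdown:
            return "shutdown"
        if mac in self.hosts:
            return "allow"        # known host, no new VQP query
        if len(self.hosts) >= MAX_HOSTS_PER_PORT:
            self._shutdown("more than %d active hosts" % MAX_HOSTS_PER_PORT)
            return "shutdown"
        verdict, vlan = self.server.query(mac, self.vlan)
        if verdict == "allow":
            self.hosts.add(mac)
            self.vlan = vlan
        elif verdict == "shutdown":
            self._shutdown("secure mode rejected %s" % mac)
        else:
            self.events.append("denied %s on %s" % (mac, self.name))
        return verdict

    def host_aged_out(self, mac):
        """When the last active host leaves, the port may move to another VLAN."""
        self.hosts.discard(mac)
        if not self.hosts:
            self.vlan = None

    def _shutdown(self, reason):
        self.is_shutdown = True
        self.events.append("port %s shut down: %s" % (self.name, reason))


def demo():
    """Constructed scenario covering both shutdown conditions from the chapter."""
    table = {"02:00:00:00:00:%02x" % i: 10 for i in range(1, 25)}  # 24 hosts, VLAN 10
    table["02:00:00:00:ff:01"] = 20                                 # one host, VLAN 20
    results = {}

    secure_port = DynamicAccessPort("Fa0/1", Vmps(table, secure=True))
    secure_port.host_seen("02:00:00:00:00:01")
    results["secure_vlan"] = secure_port.vlan
    results["secure_other_vlan"] = secure_port.host_seen("02:00:00:00:ff:01")

    open_port = DynamicAccessPort("Fa0/2", Vmps(table, secure=False))
    open_port.host_seen("02:00:00:00:00:01")
    results["open_other_vlan"] = open_port.host_seen("02:00:00:00:ff:01")
    results["open_still_up"] = not open_port.is_shutdown
    open_port.host_aged_out("02:00:00:00:00:01")       # port empty: VLAN may change
    results["moved_after_aging"] = (open_port.host_seen("02:00:00:00:ff:01"),
                                    open_port.vlan)

    busy_port = DynamicAccessPort("Fa0/3", Vmps(table, secure=False))
    verdicts = [busy_port.host_seen("02:00:00:00:00:%02x" % i) for i in range(1, 22)]
    results["first_20_allowed"] = verdicts[:20].count("allow") == 20
    results["21st_host"] = verdicts[20]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```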
Figure 13-5 Dynamic Port VLAN Membership Configuration
(Figure: a Catalyst 6500 series switch A acts as primary VMPS server 1 and connects through a router to a TFTP server; client switch B has end station 1 on a dynamic-access port and trunk ports to switches C through H.)
CHAPTER 15 Configuring Voice VLAN
This chapter describes how to configure the voice VLAN feature on the Catalyst 3560 switch. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6500 family switch documentation.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 15 Configuring Voice VLAN Understanding Voice VLAN
Figure 15-1 shows one way to connect a Cisco 7960 IP Phone.
Figure 15-1 Cisco 7960 IP Phone Connected to a Switch
(Figure: the phone's internal 3-port switch, ports P1, P2 and P3, connects the phone ASIC, the switch access port and an attached PC.)
Cisco IP Phone Voice Traffic
You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.
Chapter 15 Configuring Voice VLAN Configuring Voice VLAN Note Untagged traffic from the device attached to the Cisco IP Phone passes through the phone unchanged, regardless of the trust state of the access port on the phone.
• The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.
• If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN:
  – They both use IEEE 802.1p or untagged frames.
  – The Cisco IP Phone uses IEEE 802.
Configuring Cisco IP Phone Voice Traffic
You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value. It can use IEEE 802.1p priority tagging to give voice traffic a higher priority and forward all voice traffic through the native (access) VLAN.
This example shows how to configure a port connected to a Cisco IP Phone to use the CoS value to classify incoming traffic, to use IEEE 802.1p priority tagging for voice traffic, and to use the default native VLAN (VLAN 0) to carry all traffic:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chapter 15 Configuring Voice VLAN Displaying Voice VLAN
Step 3  switchport priority extend {cos value | trust}
        Set the priority of data traffic received from the Cisco IP Phone access port:
        • cos value—Configure the phone to override the priority received from the PC or the attached device with the specified CoS value. The value is a number from 0 to 7, with 7 as the highest priority. The default priority is cos 0.
CHAPTER 16 Configuring VTP
This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 3560 switch.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 16 Configuring VTP Understanding VTP
These sections contain this conceptual information:
• The VTP Domain, page 16-2
• VTP Modes, page 16-3
• VTP Advertisements, page 16-3
• VTP Version 2, page 16-4
• VTP Pruning, page 16-4
The VTP Domain
A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain.
VTP Modes
You can configure a supported switch to be in one of the VTP modes listed in Table 16-1.
Table 16-1 VTP Modes
VTP server: In VTP server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as the VTP version) for the entire VTP domain.
• MD5 digest VLAN configuration, including maximum transmission unit (MTU) size for each VLAN.
• Frame format
VTP advertisements distribute this VLAN information for each configured VLAN:
• VLAN IDs (ISL and IEEE 802.1Q)
• VLAN name
• VLAN type
• VLAN state
• Additional VLAN configuration information specific to the VLAN type
VTP Version 2
If you use VTP in your network, you must decide whether to use Version 1 or Version 2.
Figure 16-1 shows a switched network without VTP pruning enabled. Port 1 on Switch A and Port 2 on Switch D are assigned to the Red VLAN. If a broadcast is sent from the host connected to Switch A, Switch A floods the broadcast and every switch in the network receives it, even though Switches C, E, and F have no ports in the Red VLAN.
Chapter 16 Configuring VTP Configuring VTP See the “Enabling VTP Pruning” section on page 16-14. VTP pruning takes effect several seconds after you enable it. VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs higher than 1005) are also pruning-ineligible. VTP pruning is not designed to function in VTP transparent mode.
VTP Configuration Options
You can configure VTP by using these configuration modes.
• VTP Configuration in Global Configuration Mode, page 16-7
• VTP Configuration in VLAN Database Configuration Mode, page 16-7
You access VLAN database configuration mode by entering the vlan database privileged EXEC command. For detailed information about vtp commands, see the command reference for this release.
VTP Configuration Guidelines
These sections describe guidelines you should follow when implementing VTP in your network.
Domain Names
When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name. Switches in VTP transparent mode do not exchange VTP messages with other switches, and you do not need to configure a VTP domain name for them.
• Do not enable VTP Version 2 on a switch unless all of the switches in the same VTP domain are Version-2-capable. When you enable Version 2 on a switch, all of the Version-2-capable switches in the domain enable Version 2. If there is a Version 1-only switch, it does not exchange VTP information with switches that have Version 2 enabled.
Step 5  end
        Return to privileged EXEC mode.
Step 6  show vtp status
        Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.
When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain. To return the switch to a no-password state, use the no vtp password global configuration command.
APPLY completed.
Exiting....
Switch#
Configuring a VTP Client
When a switch is in VTP client mode, you cannot change its VLAN configuration. The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly. Follow these guidelines:
Caution
• If extended-range VLANs are configured on the switch, you cannot change VTP mode to client. You receive an error message, and the configuration is not allowed.
Note: You can also configure a VTP client by using the vlan database privileged EXEC command to enter VLAN database configuration mode and entering the vtp client command, similar to the second procedure under the “Configuring a VTP Server” section on page 16-9. Use the no vtp client VLAN database configuration command to return the switch to VTP server mode or the no vtp password VLAN database configuration command to return the switch to a no-password state.
Note: You can also configure VTP transparent mode by using the vlan database privileged EXEC command to enter VLAN database configuration mode and by entering the vtp transparent command, similar to the second procedure under the “Configuring a VTP Server” section on page 16-9. Use the no vtp transparent VLAN database configuration command to return the switch to VTP server mode.
Enabling VTP Pruning
Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode.
Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the VTP domain:
Step 1  configure terminal
        Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain:
Step 1  show vtp status
        Check the VTP configuration revision number. If the number is 0, add the switch to the VTP domain. If the number is greater than 0, follow these steps:
        a. Write down the domain name.
        b. Write down the configuration revision number.
        c.
Chapter 16 Configuring VTP Monitoring VTP
Monitoring VTP
You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 16-3 shows the privileged EXEC commands for monitoring VTP activity.
Table 16-3 VTP Monitoring Commands
show vtp status: Display the VTP switch configuration information.
CHAPTER 14 Configuring Private VLANs
This chapter describes how to configure private VLANs on the Cisco Catalyst 3560 switch.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 14 Configuring Private VLANs Understanding Private VLANs
Figure 14-1 Private-VLAN Domain
(Figure: one private VLAN domain with a primary VLAN split into subdomains, each a secondary isolated VLAN or a secondary community VLAN.)
There are two types of secondary VLANs:
• Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.
Primary and secondary VLANs have these characteristics:
• Primary VLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.
• Isolated VLAN—A private VLAN has only one isolated VLAN.
Private VLANs across Multiple Switches
As with regular VLANs, private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch. The trunk port treats the private VLAN as any other VLAN. A feature of private VLANs across multiple switches is that traffic from an isolated port in switch A does not reach an isolated port on Switch B. See Figure 14-2.
Chapter 14 Configuring Private VLANs Configuring Private VLANs Private VLANs and Unicast, Broadcast, and Multicast Traffic In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but devices connected to interfaces in different VLANs must communicate at the Layer 3 level. In private VLANs, the promiscuous ports are members of the primary VLAN, while the host ports belong to secondary VLANs.
Tasks for Configuring Private VLANs
To configure a private VLAN, follow these steps:
Step 1  Set VTP mode to transparent.
Step 2  Create the primary and secondary VLANs and associate them. See the “Configuring and Associating VLANs in a Private VLAN” section on page 14-9.
Note: If the VLAN is not created already, the private-VLAN configuration process creates it.
• After you have configured private VLANs, use the copy running-config startup-config privileged EXEC command to save the VTP transparent mode configuration and private-VLAN configuration in the switch startup configuration file. Otherwise, if the switch resets, it defaults to VTP server mode, which does not support private VLANs.
• VTP does not propagate private-VLAN configuration.
To filter out specific IP traffic for a private VLAN, you should apply the VLAN map to both the primary and secondary VLANs.
• You can apply router ACLs only on the primary-VLAN SVIs. The ACL is applied to both primary and secondary VLAN Layer 3 traffic.
• Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other at Layer 3.
• Do not configure private-VLAN ports on interfaces configured for these other features:
  – dynamic-access port VLAN membership
  – Dynamic Trunking Protocol (DTP)
  – Port Aggregation Protocol (PAgP)
  – Link Aggregation Control Protocol (LACP)
  – Multicast VLAN Registration (MVR)
  – voice VLAN
  – Web Cache Communication Protocol (WCCP)
• A private-VLAN port cannot be a secure port and should not be configured as a protected port.
Step 6  vlan vlan-id
        (Optional) Enter VLAN configuration mode and designate or create a VLAN that will be an isolated VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094.
Step 7  private-vlan isolated
        Designate the VLAN as an isolated VLAN.
Step 8  exit
        Return to global configuration mode.
Step 9  vlan vlan-id
        (Optional) Enter VLAN configuration mode and designate or create a VLAN that will be a community VLAN.
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 503
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan association 501-503
Switch(config-vlan)# end
Switch(config)# show vlan private vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
20      501       isolated
20      502       community
2
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 20 (VLAN0020) 25 (VLAN0025)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Adminis
Switch(config)# interface fastethernet0/2
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 20 add 501-503
Switch(config-if)# end
Use the show vlan private-vlan or the show interface status privileged EXEC command to display primary and secondary VLANs and private-VLAN ports on the switch.
Chapter 14 Configuring Private VLANs Monitoring Private VLANs
Switch(config)# interface vlan 10
Switch(config-if)# private-vlan mapping 501-502
Switch(config-if)# end
Switch# show interfaces private-vlan mapping
Interface Secondary VLAN Type
--------- -------------- ----------------
vlan10    501            isolated
vlan10    502            community
Monitoring Private VLANs
Table 14-1 shows the privileged EXEC commands for monitoring private-VLAN activity.
CHAPTER 16 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling
Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure, often Ethernet-based, with the same security, prioritization, reliability, and manageability requirements of private networks.
Chapter 16 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Understanding IEEE 802.1Q Tunneling Customer traffic tagged in the normal way with appropriate VLAN IDs comes from an IEEE 802.1Q trunk port on the customer device and into a tunnel port on the service-provider edge switch. The link between the customer device and the edge switch is asymmetric because one end is configured as an IEEE 802.1Q trunk port, and the other end is configured as a tunnel port.
Figure: Original (Normal), IEEE 802.1Q, and Double-Tagged Ethernet Packet Formats
Original Ethernet frame: DA, SA, Len/Etype, Data, FCS
IEEE 802.1Q frame: DA, SA, Etype, Tag, Len/Etype, Data, FCS
Double-tagged frame: DA, SA, Etype, Tag, Etype, Tag, Len/Etype, Data, FCS
(DA = destination address, SA = source address, Len/Etype = length or EtherType, FCS = frame check sequence)
Chapter 16 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring IEEE 802.1Q Tunneling
Configuring IEEE 802.1Q Tunneling
These sections contain this configuration information:
• Default IEEE 802.1Q Tunneling Configuration, page 16-4
• IEEE 802.1Q Tunneling Configuration Guidelines, page 16-4
• IEEE 802.1Q Tunneling and Other Features, page 16-6
• Configuring an IEEE 802.1Q Tunneling Port, page 16-6
Default IEEE 802.1Q Tunneling Configuration
By default, IEEE 802.
These are some ways to solve this problem:
• Use ISL trunks between core switches in the service-provider network. Although customer interfaces connected to edge switches must be IEEE 802.1Q trunks, we recommend using ISL trunks for connecting switches in the core layer.
• Use the vlan dot1q tag native global configuration command to configure the edge switch so that all packets going out an IEEE 802.
IEEE 802.1Q Tunneling and Other Features
Although IEEE 802.1Q tunneling works well for Layer 2 packet switching, there are incompatibilities between some Layer 2 features and Layer 3 switching.
• A tunnel port cannot be a routed port.
• IP routing is not supported on a VLAN that includes IEEE 802.1Q ports. Packets received from a tunnel port are forwarded based only on Layer 2 information.
Chapter 16 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Understanding Layer 2 Protocol Tunneling
Step 5  exit
        Return to global configuration mode.
Step 6  vlan dot1q tag native
        (Optional) Set the switch to enable tagging of native VLAN packets on all IEEE 802.1Q trunk ports. When not set, and a customer VLAN ID is the same as the native VLAN, the trunk port does not apply a metro tag, and packets could be sent to the wrong destination.
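The frame layouts from the packet-format figure and the native-VLAN hazard behind the vlan dot1q tag native step can be worked through in code. This is an added example, not Cisco's code or the switch's implementation: a small Python model of a tunnel port pushing a metro tag and a trunk port deciding whether the outer tag goes on the wire, with constructed MAC addresses, a customer tag of VLAN 30 and a tunnel-port access VLAN of 40 (the VLAN numbers the chapter uses for its customers).

```python
"""Added example (not from the Cisco guide): build and parse the original, IEEE
802.1Q and double-tagged frame layouts, then show why a trunk whose native VLAN
equals the tunnel port's access VLAN misdirects customer traffic unless native
VLAN tagging is enabled. MAC addresses are constructed; VLAN 30 (customer tag)
and 40 (tunnel-port access VLAN, also the trunk native VLAN) are illustrative;
the FCS is omitted from the byte layouts."""
import struct

TPID_8021Q = 0x8100                                  # EtherType announcing an 802.1Q tag
CUSTOMER_DST = bytes.fromhex("020000000001")         # constructed MAC
CUSTOMER_SRC = bytes.fromhex("020000000002")         # constructed MAC


def tag(vlan_id, pcp=0):
    """4-byte 802.1Q tag: TPID, then TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan_id)


def build_frame(dst, src, payload, vlans=()):
    """Original frame (no vlans), 802.1Q (one VLAN) or double-tagged (two VLANs,
    outer first): DA SA [Etype Tag]... Len/Etype Data."""
    hdr = dst + src + b"".join(tag(v) for v in vlans)
    return hdr + struct.pack("!H", len(payload)) + payload


def parse_tags(frame):
    """Return (VLAN IDs outer tag first, offset of the Len/Etype field)."""
    vlans, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vlans.append(tci & 0x0FFF)
        off += 4
    return vlans, off


def tunnel_port_ingress(frame, access_vlan):
    """Edge-switch tunnel port: push a metro tag (its access VLAN) outside whatever
    tag the customer frame already carries, giving the double-tagged layout."""
    return frame[:12] + tag(access_vlan) + frame[12:]


def trunk_port_egress(frame, native_vlan, tag_native):
    """802.1Q trunk leaving the edge switch. Without 'vlan dot1q tag native', a frame
    whose outer VLAN is the trunk's native VLAN is sent untagged, so the metro tag
    is stripped and only the customer's tag remains."""
    vlans, _ = parse_tags(frame)
    if vlans and vlans[0] == native_vlan and not tag_native:
        return frame[:12] + frame[16:]
    return frame


def receiving_trunk_classify(frame, native_vlan):
    """Next hop in the provider core: the outermost tag selects the VLAN; a frame with
    no tag lands in the receiving trunk's native VLAN."""
    vlans, _ = parse_tags(frame)
    return vlans[0] if vlans else native_vlan


def carry_customer_frame(tag_native, customer_vlan=30, access_vlan=40, native_vlan=40):
    """Walk one customer frame through tunnel ingress and trunk egress and return the
    VLAN the provider core assigns it: 40 is correct, 30 means the customer's own
    VLAN tag was read as the provider VLAN (the 'wrong destination' case)."""
    customer = build_frame(CUSTOMER_DST, CUSTOMER_SRC, b"hello", (customer_vlan,))
    tunneled = tunnel_port_ingress(customer, access_vlan)
    on_wire = trunk_port_egress(tunneled, native_vlan, tag_native)
    return receiving_trunk_classify(on_wire, native_vlan)


if __name__ == "__main__":
    print("tag native off:", carry_customer_frame(tag_native=False))
    print("tag native on: ", carry_customer_frame(tag_native=True))
```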
When protocol tunneling is enabled, edge switches on the inbound side of the service-provider network encapsulate Layer 2 protocol packets with a special MAC address and send them across the service-provider network. Core switches in the network do not process these packets but forward them as normal packets.
Chapter 16 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling For example, in Figure 16-6, Customer A has two switches in the same VLAN that are connected through the SP network. When the network tunnels PDUs, switches on the far ends of the network can negotiate the automatic creation of EtherChannels without needing dedicated lines. See the “Configuring Layer 2 Tunneling for EtherChannels” section on page 16-14 for instructions.
See Figure 16-4, with Customer X and Customer Y in access VLANs 30 and 40, respectively. Asymmetric links connect the customers in Site 1 to edge switches in the service-provider network. The Layer 2 PDUs (for example, BPDUs) coming into Switch 2 from Customer Y in Site 1 are forwarded to the infrastructure as double-tagged packets with the well-known MAC address as the destination MAC address.
• For interoperability with third-party vendor switches, the switch supports a Layer 2 protocol-tunnel bypass feature. Bypass mode transparently forwards control PDUs to vendor switches that have different ways of controlling protocol tunneling. When Layer 2 protocol tunneling is enabled on ingress ports on a switch, egress trunk ports forward the tunneled packets with a special encapsulation.
Step 3  switchport mode access
        or
        switchport mode dot1q-tunnel
        Configure the interface as an access port or an IEEE 802.1Q tunnel port.
Step 4  l2protocol-tunnel [cdp | stp | vtp]
        Enable protocol tunneling for the desired protocol. If no keyword is entered, tunneling is enabled for all three Layer 2 protocols.
Step 6  l2protocol-tunnel drop-threshold [point-to-point [pagp | lacp | udld]] value
        (Optional) Configure the threshold for packets-per-second accepted for encapsulation. The interface drops packets if the configured threshold is exceeded. If no protocol option is specified, the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096.
Step 6  channel-group channel-group-number mode desirable
        Assign the interface to a channel group, and specify desirable for the PAgP mode. For more information about configuring EtherChannels, see Chapter 35, “Configuring EtherChannels and Link-State Tracking.”
Step 7  exit
        Return to global configuration mode.
Chapter 16 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Monitoring and Maintaining Tunneling Status
Table 16-2 Commands for Monitoring and Maintaining Tunneling (continued)
show l2protocol-tunnel interface interface-id: Display information about a specific Layer 2 protocol tunneling port.
show l2protocol-tunnel summary: Display only Layer 2 protocol summary information.
show vlan dot1q tag native: Display the status of native VLAN tagging on the switch.
CHAPTER 17 Configuring STP
This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the Catalyst 3560 switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
Chapter 17 Configuring STP Understanding Spanning-Tree Features
• Spanning-Tree Interoperability and Backward Compatibility, page 17-10
• STP and IEEE 802.1Q Trunks, page 17-10
• VLAN-Bridge Spanning Tree, page 17-10
For configuration information, see the “Configuring Spanning-Tree Features” section on page 17-11. For information about optional spanning-tree features, see Chapter 19, “Configuring Optional Spanning-Tree Features.
Spanning-Tree Topology and BPDUs
The stable, active spanning-tree topology of a switched network is controlled by these elements:
• The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch.
• The spanning-tree path cost to the root switch.
• The port identifier (port priority and MAC address) associated with each Layer 2 interface.
Bridge ID, Switch Priority, and Extended System ID
The IEEE 802.1D standard requires that each switch have a unique bridge identifier (bridge ID), which controls the selection of the root switch. Because each VLAN is considered as a different logical bridge with PVST+ and rapid PVST+, the same switch must have different bridge IDs for each configured VLAN. Each VLAN on the switch has a unique 8-byte bridge ID.
An interface moves through these states:
• From initialization to blocking
• From blocking to listening or to disabled
• From listening to learning or to disabled
• From learning to forwarding or to disabled
• From forwarding to disabled
Figure 17-1 illustrates how an interface moves through the states.
there is only one switch in the network, no exchange occurs, the forward-delay timer expires, and the interface moves to the listening state. An interface always enters the blocking state after switch initialization.
Disabled State
A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational.
Spanning Tree and Redundant Connectivity
You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure 17-3. Spanning tree automatically disables one interface but enables it if the other one fails. If one link is high-speed and the other is low-speed, the low-speed link is always disabled.
Because each VLAN is a separate spanning-tree instance, the switch accelerates aging on a per-VLAN basis. A spanning-tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch.
Spanning-Tree Interoperability and Backward Compatibility
Table 17-2 lists the interoperability and compatibility among the supported spanning-tree modes in a network.
Configuring Spanning-Tree Features
To support VLAN-bridge spanning tree, some of the spanning-tree timers are increased. To use the fallback bridging feature, you must have the enhanced multilayer image installed on your switch. For more information, see Chapter 46, “Configuring Fallback Bridging.”

Table 17-3 Default Spanning-Tree Configuration (continued)
Feature                                                           Default Setting
Spanning-tree VLAN port cost (configurable on a per-VLAN basis)   1000 Mb/s: 4. 100 Mb/s: 19. 10 Mb/s: 100.
Spanning-tree timers                                              Hello time: 2 seconds. Forward-delay time: 15 seconds. Maximum-aging time: 20 seconds.

The switch supports PVST+, rapid PVST+, and MSTP, but only one version can be active at any time. (For example, all VLANs run PVST+, all VLANs run rapid PVST+, or all VLANs run MSTP.) For information about the different spanning-tree modes and how they interoperate, see the “Spanning-Tree Interoperability and Backward Compatibility” section on page 17-10.

Step     Command                                                                     Purpose
Step 7   show spanning-tree summary and show spanning-tree interface interface-id    Verify your entries.
Step 8   copy running-config startup-config                                          (Optional) Save your entries in the configuration file.

To return to the default setting, use the no spanning-tree mode global configuration command. To return the port to its default setting, use the no spanning-tree link-type interface configuration command.

If any root switch for the specified VLAN has a switch priority lower than 24576, the switch sets its own priority for the specified VLAN to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit switch priority value as shown in Table 17-1 on page 17-4.)

Note: The spanning-tree vlan vlan-id root global configuration command fails if the value necessary to be the root switch is less than 1.

Step     Command                               Purpose
Step 4   show spanning-tree detail             Verify your entries.
Step 5   copy running-config startup-config    (Optional) Save your entries in the configuration file.

To return to the default setting, use the no spanning-tree vlan vlan-id root global configuration command.

Configuring a Secondary Root Switch
When you configure a switch as the secondary root, the switch priority is modified from the default value (32768) to 28672.
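The root primary and root secondary rules above, worked through in code. This is an added example, not code from the guide; switch names and MAC addresses are constructed, and the 4096-step priority field and the (priority + VLAN ID, MAC) bridge-ID comparison are the extended-system-ID behavior the text refers to.

```python
"""Worked model of the per-VLAN root-switch priority rules described above.

Added example, not code from the Catalyst 3560 guide. It models, for one VLAN:
  - the extended-system-ID bridge priority carried in BPDUs (4-bit priority
    value * 4096 + VLAN ID, so the configurable part moves in steps of 4096),
  - what 'spanning-tree vlan <id> root primary' chooses: 24576, or 4096 less
    than the lowest existing priority when that is already below 24576, and
    failure when the needed value would be less than 1,
  - what 'root secondary' chooses (28672),
  - root election by lowest (priority, MAC) bridge ID.
All switch names and MAC addresses below are constructed sample values.
"""
from dataclasses import dataclass

PRIORITY_STEP = 4096            # least-significant bit of the 4-bit priority field
DEFAULT_PRIORITY = 32768
PRIMARY_ROOT_PRIORITY = 24576
SECONDARY_ROOT_PRIORITY = 28672


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                            # dotted-hex base MAC, e.g. "0011.2233.4455"
    priority: int = DEFAULT_PRIORITY    # configurable part, multiple of 4096


def validate_priority(priority: int) -> int:
    """Reject values the CLI rejects: 0 to 61440 in increments of 4096."""
    if not 0 <= priority <= 61440 or priority % PRIORITY_STEP:
        raise ValueError(f"priority must be 0-61440 in increments of 4096, got {priority}")
    return priority


def bridge_id(bridge: Bridge, vlan: int) -> tuple:
    """Bridge ID as compared during root election: (priority + VLAN ID, MAC as an integer)."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} out of range")
    mac = int(bridge.mac.replace(".", "").replace(":", ""), 16)
    return validate_priority(bridge.priority) + vlan, mac


def elect_root(bridges: list, vlan: int) -> Bridge:
    """The root switch is the bridge with the numerically lowest bridge ID."""
    return min(bridges, key=lambda b: bridge_id(b, vlan))


def root_primary_priority(others: list, vlan: int) -> int:
    """Priority that 'spanning-tree vlan <vlan> root primary' would set on this switch.

    'others' are the other switches in the VLAN; the current root is the one
    with the lowest bridge ID, and its priority is what must be undercut.
    """
    current_root = elect_root(others, vlan)
    if current_root.priority >= PRIMARY_ROOT_PRIORITY:
        return PRIMARY_ROOT_PRIORITY           # 24576 is enough to win
    needed = current_root.priority - PRIORITY_STEP
    if needed < 1:                             # the failure rule stated in the text
        raise ValueError(f"root primary fails for VLAN {vlan}: would need priority {needed}")
    return needed


def root_secondary_priority() -> int:
    """'root secondary' always moves the priority from 32768 to 28672."""
    return SECONDARY_ROOT_PRIORITY


def becomes_root(me: Bridge, others: list, vlan: int) -> bool:
    """True when 'me' wins the election against 'others' for the VLAN."""
    return elect_root([me, *others], vlan) is me


if __name__ == "__main__":
    peers = [Bridge("core-1", "0011.2233.4455", 16384), Bridge("access-1", "0011.2233.4466")]
    wanted = root_primary_priority(peers, 10)
    me = Bridge("core-2", "0011.2233.4477", wanted)
    print(f"root primary picks {wanted}; becomes root: {becomes_root(me, peers, 10)}")
```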
Configuring Port Priority
If a loop occurs, spanning tree uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) that you want selected last.

To return to the default setting, use the no spanning-tree [vlan vlan-id] port-priority interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree port priorities, see the “Configuring Trunk Ports for Load Sharing” section on page 13-24.

Configuring Path Cost
The spanning-tree path cost default value is derived from the media speed of an interface.

Note: The show spanning-tree interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration.

To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command.

Configuring Spanning-Tree Timers
Table 17-4 describes the timers that affect the entire spanning-tree performance.

Table 17-4 Spanning-Tree Timers
Variable              Description
Hello timer           Controls how often the switch broadcasts hello messages to other switches.
Forward-delay timer   Controls how long each of the listening and learning states last before the interface begins forwarding.

Configuring the Forwarding-Delay Time for a VLAN
Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional.

Step     Command                                            Purpose
Step 1   configure terminal                                 Enter global configuration mode.
Step 2   spanning-tree vlan vlan-id forward-time seconds    Configure the forward time of a VLAN.

Configuring the Transmit Hold-Count
You can configure the BPDU burst size by changing the transmit hold count value.

Note: Changing this parameter to a higher value can have a significant impact on CPU utilization, especially in Rapid-PVST mode. Lowering this value can slow down convergence in certain scenarios. We recommend that you maintain the default setting.
CHAPTER 18 Configuring MSTP
This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 3560 switch.

Note: The multiple spanning-tree (MST) implementation in Cisco IOS Release 12.2(25)SEC is based on the IEEE 802.1s standard. The MST implementations in earlier Cisco IOS releases are prestandard.

Understanding MSTP
MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.

The IST is the only spanning-tree instance that sends and receives BPDUs. All of the other spanning-tree instance information is contained in M-records, which are encapsulated within MSTP BPDUs. Because the MSTP BPDU carries information for all instances, the number of BPDUs that need to be processed to support multiple spanning-tree instances is significantly reduced.

The IST connects all the MSTP switches in the region and appears as a subtree in the CIST that encompasses the entire switched domain. The root of the subtree is the CIST regional root. The MST region appears as a virtual switch to adjacent STP switches and MST regions. Figure 18-1 shows a network with three MST regions and a legacy IEEE 802.1D switch (D). The CIST regional root for region 1 (A) is also the CIST root.

IEEE 802.1s Terminology
Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network.

Boundary Ports
In the Cisco prestandard implementation, a boundary port connects an MST region to a single spanning-tree region running RSTP, to a single spanning-tree region running PVST+ or rapid PVST+, or to another MST region with a different MST configuration. A boundary port also connects to a LAN, the designated switch of which is either a single spanning-tree switch or a switch with a different MST configuration.

• The boundary port is not the root port of the CIST regional root—The MSTI ports follow the state and role of the CIST port. The standard provides less information, and it might be difficult to understand why an MSTI port can be alternately blocking when it receives no BPDUs (MRecords). In this case, although the boundary role no longer exists, the show commands identify a port as boundary in the type column of the output.

Understanding RSTP
Figure 18-3 illustrates a unidirectional link failure that typically creates a bridging loop. Switch A is the root switch, and its BPDUs are lost on the link leading to switch B. RSTP and MST BPDUs include the role and state of the sending port. With this information, switch A can detect that switch B does not react to the superior BPDUs it sends and that switch B is the designated, not root switch.

Port Roles and the Active Topology
The RSTP provides rapid convergence of the spanning tree by assigning port roles and by learning the active topology. The RSTP builds upon the IEEE 802.1D STP to select the switch with the highest switch priority (lowest numerical priority value) as the root switch as described in the “Spanning-Tree Topology and BPDUs” section on page 17-3.

Rapid Convergence
The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN. It provides rapid convergence for edge ports, new root ports, and ports connected through point-to-point links as follows:
• Edge ports—If you configure a port as an edge port on an RSTP switch by using the spanning-tree portfast interface configuration command, the edge port immediately transitions to the forwarding state.

Figure 18-4 Proposal and Agreement Handshaking for Rapid Convergence (figure: Switch A, Switch B, and Switch C exchanging proposal and agreement messages; DP = designated port, RP = root port, F = forwarding)

Synchronization of Port Roles
When the switch receives a proposal message on one of its ports and that port is selected as the new root port

After ensuring that all of the ports are synchronized, the switch sends an agreement message to the designated switch corresponding to its root port. When the switches connected by a point-to-point link are in agreement about their port roles, the RSTP immediately transitions the port states to forwarding. The sequence of events is shown in Figure 18-5.

Figure 18-5 Sequence of Events During Rapid Convergence (figure: numbered proposal and agreement steps between the switches)

The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN. The port role in the proposal message is always set to the designated port. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal. The port role in the agreement message is always set to the root port. The RSTP does not have a separate topology change notification (TCN) BPDU.
• Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.
• Protocol migration—For backward compatibility with IEEE 802.1D switches, RSTP selectively sends IEEE 802.

Configuring MSTP Features

Table 18-4 Default MSTP Configuration (continued)
Feature                                                                Default Setting
Spanning-tree port priority (configurable on a per-CIST port basis)    128.
Spanning-tree port cost (configurable on a per-CIST port basis)        1000 Mbps: 4. 100 Mbps: 19. 10 Mbps: 100.
Hello time                                                             2 seconds.
Forward-delay time                                                     15 seconds.
Maximum-aging time                                                     20 seconds.
Maximum hop count                                                      20 hops.

• For configuration guidelines about UplinkFast and BackboneFast, see the “Optional Spanning-Tree Configuration Guidelines” section on page 19-10.

Specifying the MST Region Configuration and Enabling MSTP
For two or more switches to be in the same MST region, they must have the same VLAN-to-instance mapping, the same configuration revision number, and the same name.

To return to the default MST region configuration, use the no spanning-tree mst configuration global configuration command. To return to the default VLAN-to-instance map, use the no instance instance-id [vlan vlan-range] MST configuration command. To return to the default name, use the no name MST configuration command. To return to the default revision number, use the no revision MST configuration command.

forward-delay time, and maximum-age time for a network of that diameter, which can significantly reduce the convergence time. You can use the hello keyword to override the automatically calculated hello time.

Beginning in privileged EXEC mode, follow these steps to configure a switch as the secondary root switch. This procedure is optional.

Step     Command                                                                                        Purpose
Step 1   configure terminal                                                                             Enter global configuration mode.
Step 2   spanning-tree mst instance-id root secondary [diameter net-diameter [hello-time seconds]]      Configure a switch as the secondary root switch.

Step     Command                                                 Purpose
Step 3   spanning-tree mst instance-id port-priority priority    Configure the port priority.
• For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 4094.
• For priority, the range is 0 to 240 in increments of 16. The default is 128. The lower the number, the higher the priority.

Step     Command                                   Purpose
Step 3   spanning-tree mst instance-id cost cost   Configure the cost. If a loop occurs, the MSTP uses the path cost when selecting an interface to place into the forwarding state. A lower path cost represents higher-speed transmission.
• For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 4094.

Beginning in privileged EXEC mode, follow these steps to configure the switch priority. This procedure is optional.

Step     Command                                          Purpose
Step 1   configure terminal                               Enter global configuration mode.
Step 2   spanning-tree mst instance-id priority priority  Configure the switch priority.
• For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 4094.

Configuring the Forwarding-Delay Time
Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for all MST instances. This procedure is optional.

Step     Command                                 Purpose
Step 1   configure terminal                      Enter global configuration mode.
Step 2   spanning-tree mst forward-time seconds  Configure the forward time for all MST instances.

Configuring the Maximum-Hop Count
Beginning in privileged EXEC mode, follow these steps to configure the maximum-hop count for all MST instances. This procedure is optional.

Step     Command                              Purpose
Step 1   configure terminal                   Enter global configuration mode.
Step 2   spanning-tree mst max-hops hop-count Specify the number of hops in a region before the BPDU is discarded, and the information held for a port is aged.

Designating the Neighbor Type
A topology could contain both prestandard and IEEE 802.1s standard compliant devices. By default, ports can automatically detect prestandard devices, but they can still receive both standard and prestandard BPDUs. When there is a mismatch between a device and its neighbor, only the CIST runs on the interface. You can choose to set a port to send only prestandard BPDUs.

Displaying the MST Configuration and Status
To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 18-5:

Table 18-5 Commands for Displaying MST Status
Command                                       Purpose
show spanning-tree mst configuration          Displays the MST region configuration.
show spanning-tree mst configuration digest   Displays the MD5 digest included in the current MSTCI.
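The three region identifiers (name, revision, VLAN-to-instance map) and the digest that show spanning-tree mst configuration digest reports, reproduced offline. This is an added example, not code from the guide; the 4096-entry two-byte table layout and the HMAC-MD5 key are the IEEE 802.1s digest definition, which the page itself does not spell out, and the switch configurations are constructed.

```python
"""MST configuration digest: the check behind 'same name, same revision number,
same VLAN-to-instance mapping'.

Added example, not code from the guide. It computes the digest that
'show spanning-tree mst configuration digest' displays, so the region
membership of two switches can be compared from their configurations.
Assumptions (the IEEE 802.1s digest definition, not stated on this page):
the MST configuration table has 4096 two-byte big-endian MSTID entries
indexed by VLAN ID, entries 0 and 4095 stay 0, and the HMAC-MD5 key is the
constant defined by the standard below.
"""
import hashlib
import hmac

MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")  # IEEE 802.1s constant


def parse_vlan_range(spec: str) -> list:
    """Expand the 'instance <id> vlan <vlan-range>' syntax, e.g. '1-10,20,30-32'."""
    vlans = []
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.extend(range(lo_i, hi_i + 1))
    return vlans


def mst_config_table(instances: dict) -> bytes:
    """Build the 8192-byte table; VLANs not listed stay in instance 0 (the IST)."""
    table = [0] * 4096
    for instance, spec in instances.items():
        if not 0 <= instance <= 4094:
            raise ValueError(f"instance {instance} out of range 0-4094")
        for vlan in parse_vlan_range(spec):
            if table[vlan] not in (0, instance):
                raise ValueError(f"VLAN {vlan} mapped to both {table[vlan]} and {instance}")
            table[vlan] = instance
    return b"".join(entry.to_bytes(2, "big") for entry in table)


def mst_digest(instances: dict) -> str:
    """Upper-case hex digest, as IOS prints it (without the leading 0x)."""
    return hmac.new(MST_DIGEST_KEY, mst_config_table(instances), hashlib.md5).hexdigest().upper()


def same_region(a: dict, b: dict) -> bool:
    """Two switches join the same MST region only if all three identifiers match."""
    return (a["name"] == b["name"]
            and a["revision"] == b["revision"]
            and mst_digest(a["instances"]) == mst_digest(b["instances"]))


if __name__ == "__main__":
    # Constructed sample: two switches whose 'spanning-tree mst configuration' should match.
    sw1 = {"name": "region1", "revision": 1, "instances": {1: "10-20", 2: "30,31"}}
    sw2 = {"name": "region1", "revision": 1, "instances": {1: "10-20", 2: "30-31"}}
    print(mst_digest(sw1["instances"]), same_region(sw1, sw2))
```

A mismatch in any of the three values leaves the neighbor outside the region, so the ports between the switches become boundary ports and only the CIST is shared across them.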
CHAPTER 19 Configuring Optional Spanning-Tree Features
This chapter describes how to configure optional spanning-tree features on the Catalyst 3560 switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+). You can configure only the noted features when your switch is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol.

Understanding Optional Spanning-Tree Features

Understanding Port Fast
Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states.

At the interface level, you enable BPDU guard on any port by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. When the port receives a BPDU, it is put in the error-disabled state. The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service.

Figure 19-2 Switches in a Hierarchical Network (figure: backbone switches with the root bridge, distribution switches, and access switches, showing active and blocked links)

If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port.

Figure 19-3 UplinkFast Example Before Direct Link Failure (figure: Switch A (Root), Switch B, and Switch C connected by links L1, L2, and L3, with the blocked port on Switch C)

If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure

The switch tries to find if it has an alternate path to the root switch. If the inferior BPDU arrives on a blocked interface, the root port and other blocked interfaces on the switch become alternate paths to the root switch. (Self-looped ports are not considered alternate paths to the root switch.)

Figure 19-6 BackboneFast Example After Indirect Link Failure (figure: Switch A (Root) and Switch B, links L1 and L3, with a link failure on L1; BackboneFast changes the port through the listening and learning states to the forwarding state)

Understanding Root Guard
The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer switch as the root switch, as shown in Figure 19-8. You can avoid this situation by enabling root guard on SP switch interfaces that connect to switches in your customer’s network.

Understanding Loop Guard
You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is enabled on the entire switched network. Loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.

Configuring Optional Spanning-Tree Features

Optional Spanning-Tree Configuration Guidelines
You can configure PortFast, BPDU guard, BPDU filtering, EtherChannel guard, root guard, or loop guard if your switch is running PVST+, rapid PVST+, or MSTP. You can configure the UplinkFast or the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.

Note: You can use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking ports. To disable the Port Fast feature, use the spanning-tree portfast disable interface configuration command.

To disable BPDU guard, use the no spanning-tree portfast bpduguard default global configuration command. You can override the setting of the no spanning-tree portfast bpduguard default global configuration command by using the spanning-tree bpduguard enable interface configuration command.

Enabling UplinkFast for Use with Redundant Links
UplinkFast cannot be enabled on VLANs that have been configured with a switch priority. To enable UplinkFast on a VLAN with switch priority configured, first restore the switch priority on the VLAN to the default value by using the no spanning-tree vlan vlan-id priority global configuration command.

You can configure the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+. Beginning in privileged EXEC mode, follow these steps to enable BackboneFast. This procedure is optional.

Step     Command              Purpose
Step 1   configure terminal   Enter global configuration mode.

Enabling Root Guard
Root guard enabled on an interface applies to all the VLANs to which the interface belongs. Do not enable the root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure.

Step     Command                               Purpose
Step 3   spanning-tree loopguard default       Enable loop guard. By default, loop guard is disabled.
Step 4   end                                   Return to privileged EXEC mode.
Step 5   show running-config                   Verify your entries.
Step 6   copy running-config startup-config    (Optional) Save your entries in the configuration file.

To globally disable loop guard, use the no spanning-tree loopguard default global configuration command.
CHAPTER 20 Configuring Flex Links and the MAC Address-Table Move Update Feature
This chapter describes how to configure Flex Links, a pair of interfaces on the Catalyst 3560 switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature.

Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

Understanding Flex Links and the MAC Address-Table Move Update
You configure Flex Links on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the Flex Link or backup link. When one of the links is up and forwarding traffic, the other link is in standby mode, ready to begin forwarding traffic if the other link shuts down.

Figure 20-2 VLAN Flex Links Load Balancing Configuration Example (figure: Switch A with Flex Link ports gi2/0/6 and gi2/0/8 connected to uplink switches B and C, one port forwarding VLANs 1-50 and the other forwarding VLANs 51-100)

Flex Link Multicast Fast Convergence
Flex Link Multicast Fast Convergence reduces the multicast traffic convergence time after a Flex Link failure.

Leaking IGMP Reports
To achieve multicast traffic convergence with minimal loss, a redundant data path must be set up before the Flex Link active link goes down. This can be achieved by leaking only IGMP report packets on the Flex Link backup link.

Similarly, both Flex Link ports are part of learned groups. In this example, Gigabit Ethernet0/11 is a receiver/host in VLAN 1, which is interested in two multicast groups:

Switch# show ip igmp snooping groups
Vlan  Group      Type  Version  Port List
-----------------------------------------------------
1     228.1.5.1  igmp  v2       Gi0/11, Gi0/12, Gi0/11
1     228.1.5.

Whenever a host responds to the general query, the switch forwards this report on all the mrouter ports. When you turn on this feature through the command-line port, and when a report is forwarded by the switch on GigabitEthernet0/11, it is also leaked to the backup port GigabitEthernet0/12.

Figure 20-3 MAC Address-Table Move Update Example (figure: Switch A with a PC, Switch B, Switch C with a server, and Switch D, connected through ports 1 to 4)

Configuring Flex Links and the MAC Address-Table Move Update
These sections contain this information:
• Default Configuration, page 20-8
• Configuration Guidelines, page 20-8
• Configuring Flex Links, page 20-9
• Confi

Default Configuration
The Flex Links are not configured, and there are no backup interfaces defined. The preemption mode is off. The preemption delay is 35 seconds. The MAC address-table move update feature is not configured on the switch.

Configuration Guidelines
Follow these guidelines to configure Flex Links:
• You can configure up to 16 backup links.

Configuring Flex Links
Beginning in privileged EXEC mode, follow these steps to configure a pair of Flex Links:

Step     Command                                 Purpose
Step 1   configure terminal                      Enter global configuration mode.
Step 2   interface interface-id                  Specify the interface, and enter interface configuration mode.
Step 3   switchport backup interface interface-id   Configure a physical Layer 2 interface (or port channel) as part of a Flex Links pair with the interface. When one link is forwarding traffic, the other interface is in standby mode.

Configuring VLAN Load Balancing on Flex Links
Beginning in privileged EXEC mode, follow these steps to configure VLAN load balancing on Flex Links:

Step     Command                  Purpose
Step 1   configure terminal       Enter global configuration mode.
Step 2   interface interface-id   Specify the interface, and enter interface configuration mode.

When a Flex Link interface comes up, VLANs preferred on this interface are blocked on the peer interface and moved to the forwarding state on the interface that has just come up. In this example, if interface Gi0/6 comes up, VLANs preferred on this interface are blocked on the peer interface Gi0/8 and forwarded on Gi0/6.

Step     Command                                  Purpose
Step 4   end                                      Return to global configuration mode.
Step 5   mac address-table move update transmit   Enable the access switch to send MAC address-table move updates to other switches in the network if the primary link goes down and the switch starts forwarding traffic through the standby link.
Step 6   end                                      Return to privileged EXEC mode.

Step     Command                               Purpose
Step 4   show mac address-table move update    Verify the configuration.
Step 5   copy running-config startup-config    (Optional) Save your entries in the switch startup configuration file.

To disable the MAC address-table move update feature, use the no mac address-table move update receive configuration command.
CHAPTER 21 Configuring DHCP Features and IP Source Guard
This chapter describes how to configure DHCP snooping and option-82 data insertion, and the DHCP server port-based address allocation features on the Catalyst 3560 switch. It also describes how to configure the IP source guard feature.

Understanding DHCP Snooping
• Cisco IOS DHCP Server Database, page 21-6
• DHCP Snooping Binding Database, page 21-6

For information about the DHCP client, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Configuration Guides.

When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware address. If the addresses match (the default), the switch forwards the packet. If the addresses do not match, the switch drops the packet.

Figure 21-1 is an example of a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the switch at the access layer.

• Remote-ID suboption fields
  – Suboption type
  – Length of the suboption type
  – Remote-ID type
  – Length of the remote-ID type

In the port field of the circuit-ID suboption, the port numbers start at 3. For example, on a switch with 24 10/100 ports and small form-factor pluggable (SFP) module slots, port 3 is the Fast Ethernet 0/1 port, port 4 is the Fast Ethernet 0/2 port, and so forth.

• Remote-ID suboption fields
  – The remote-ID type is 1.
  – The length values are variable, depending on the length of the string that you configure.
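A decoder for the option-82 suboptions whose fields are listed above, useful when checking what a snooping switch actually inserted in a relayed DHCP packet. This is an added example, not code from the guide; the page names the fields but not every numeric encoding, so the suboption and ID-type codes and the byte layout are assumptions taken from the default Cisco format, and both sample payloads are constructed.

```python
"""Decoder for the DHCP option-82 (relay agent information) fields listed above.

Added example, not code from the guide. The guide names the fields; the numeric
encodings used here are assumptions taken from the default Cisco format: the
circuit-ID suboption (type 1) carries circuit-ID type 0 with VLAN (2 bytes),
module (1 byte) and port (1 byte); the remote-ID suboption (type 2) carries
remote-ID type 0 with the switch MAC (6 bytes); type 1 in either suboption
marks a user-configured string of variable length, as the text states for the
remote ID. Port numbers start at 3, so port 3 is Fast Ethernet 0/1 on the
24-port 10/100 switch used as the example in the text.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
TYPE_DEFAULT = 0      # Cisco default encoding of the suboption body
TYPE_STRING = 1       # user-configured ASCII string


@dataclass
class Option82:
    vlan: Optional[int] = None
    module: Optional[int] = None
    port: Optional[int] = None
    circuit_id_string: Optional[str] = None
    remote_mac: Optional[str] = None
    remote_id_string: Optional[str] = None


def _suboptions(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the <suboption type><length><value> sequence, refusing truncated data."""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated suboption header")
        sub_type, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"suboption {sub_type} claims {length} bytes, {len(value)} present")
        yield sub_type, value
        i += 2 + length


def parse_option82(payload: bytes) -> Option82:
    """Decode the option-82 value (everything after the option code and length)."""
    result = Option82()
    for sub_type, value in _suboptions(payload):
        # Each suboption body is itself <ID type><length><data>.
        if len(value) < 2 or len(value) != 2 + value[1]:
            raise ValueError(f"bad inner length in suboption {sub_type}")
        id_type, data = value[0], value[2:]
        if sub_type == SUBOPT_CIRCUIT_ID:
            if id_type == TYPE_DEFAULT:
                if len(data) != 4:
                    raise ValueError("default circuit ID must be VLAN(2) module(1) port(1)")
                result.vlan, result.module, result.port = struct.unpack("!HBB", data)
            elif id_type == TYPE_STRING:
                result.circuit_id_string = data.decode("ascii")
            else:
                raise ValueError(f"unknown circuit-ID type {id_type}")
        elif sub_type == SUBOPT_REMOTE_ID:
            if id_type == TYPE_DEFAULT:
                if len(data) != 6:
                    raise ValueError("default remote ID must be a 6-byte MAC")
                hex_mac = data.hex()
                result.remote_mac = ".".join(hex_mac[k:k + 4] for k in (0, 4, 8))
            elif id_type == TYPE_STRING:
                result.remote_id_string = data.decode("ascii")
            else:
                raise ValueError(f"unknown remote-ID type {id_type}")
        else:
            raise ValueError(f"unexpected option-82 suboption {sub_type}")
    return result


def port_to_interface(port: int) -> str:
    """Map the circuit-ID port field to the interface name (port 3 -> FastEthernet0/1)."""
    if port < 3:
        raise ValueError("circuit-ID port numbers start at 3")
    return f"FastEthernet0/{port - 2}"


# Constructed sample: VLAN 10, module 0, port 3 (Fa0/1), switch MAC 0011.2233.4455.
SAMPLE_DEFAULT = bytes.fromhex("01060004000a0003" "02080006001122334455")
# Constructed sample with user-configured strings "abc" (circuit ID) and "sw1" (remote ID).
SAMPLE_STRING = bytes.fromhex("01050103616263" "02050103737731")

if __name__ == "__main__":
    decoded = parse_option82(SAMPLE_DEFAULT)
    print(decoded, port_to_interface(decoded.port))
```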
Chapter 21 Configuring DHCP Features and IP Source Guard Understanding DHCP Snooping To keep the bindings when the switch reloads, you must use the DHCP snooping database agent. If the agent is disabled, dynamic ARP inspection or IP source guard is enabled, and the DHCP snooping binding database has dynamic bindings, the switch loses its connectivity.
Chapter 21 Configuring DHCP Features and IP Source Guard Configuring DHCP Snooping Configuring DHCP Snooping These sections contain this configuration information: • Default DHCP Snooping Configuration, page 21-8 • DHCP Snooping Configuration Guidelines, page 21-9 • Configuring the DHCP Server, page 21-10 • Configuring the DHCP Relay Agent, page 21-10 • Specifying the Packet Forwarding Address, page 21-10 • Enabling DHCP Snooping and Option 82, page 21-12 • Enabling DHCP Snooping on Private
DHCP Snooping Configuration Guidelines

These are the configuration guidelines for DHCP snooping.
• You must globally enable DHCP snooping on the switch.
• DHCP snooping is not active until DHCP snooping is enabled on a VLAN.
• Before globally enabling DHCP snooping on the switch, make sure that the devices acting as the DHCP server and the DHCP relay agent are configured and enabled.
• You can display DHCP snooping statistics by entering the show ip dhcp snooping statistics user EXEC command, and you can clear the snooping statistics counters by entering the clear ip dhcp snooping statistics privileged EXEC command.

Do not enable Dynamic Host Configuration Protocol (DHCP) snooping on RSPAN VLANs. If DHCP snooping is enabled on RSPAN VLANs, DHCP packets might not reach the RSPAN destination port.
helper-address command can be a specific DHCP server IP address, or it can be the network address if other DHCP servers are on the destination network segment. Using the network address enables any DHCP server to respond to requests.

Beginning in privileged EXEC mode, follow these steps to specify the packet forwarding address:

Step 1: configure terminal
  Enter global configuration mode.
Enabling DHCP Snooping and Option 82

Beginning in privileged EXEC mode, follow these steps to enable DHCP snooping on the switch:

Step 1: configure terminal
  Enter global configuration mode.
Step 2: ip dhcp snooping
  Enable DHCP snooping globally.
Step 3: ip dhcp snooping vlan vlan-range
  Enable DHCP snooping on a VLAN or range of VLANs. The range is 1 to 4094.
Step 10: ip dhcp snooping limit rate rate
  (Optional) Configure the number of DHCP packets per second that an interface can receive. The range is 1 to 2048. By default, no rate limit is configured.
  Note: We recommend an untrusted rate limit of not more than 100 packets per second.
Enabling the Cisco IOS DHCP Server Database

For procedures to enable and configure the Cisco IOS DHCP server database, see the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Configuration Guides.
To clear the statistics of the DHCP snooping binding database agent, use the clear ip dhcp snooping database statistics privileged EXEC command. To renew the database, use the renew ip dhcp snooping database privileged EXEC command.
These sections contain this information:
• Source IP Address Filtering, page 21-16
• Source IP and MAC Address Filtering, page 21-16

Source IP Address Filtering

When IP source guard is enabled with this option, IP traffic is filtered based on the source IP address.
IP Source Guard Configuration Guidelines

These are the configuration guidelines for IP source guard:
• You can configure static IP bindings only on nonrouted ports. If you enter the ip source binding mac-address vlan vlan-id ip-address interface interface-id global configuration command on a routed interface, this error message appears:
  Static IP source binding can only be configured on switch port.
Step 3: ip verify source
  Enable IP source guard with source IP address filtering.
  or
  ip verify source port-security
  Enable IP source guard with source IP and MAC address filtering.
Displaying IP Source Guard Information

To display the IP source guard information, use one or more of the privileged EXEC commands in Table 21-3:

Table 21-3 Commands for Displaying IP Source Guard Information
show ip source binding: Display the IP source bindings on a switch.
show ip verify source: Display the IP source guard configuration on the switch.
Port-Based Address Allocation Configuration Guidelines

These are the configuration guidelines for DHCP port-based address allocation:
• Only one IP address can be assigned per port.
• Reserved addresses (preassigned) cannot be cleared by using the clear ip dhcp binding global configuration command.
• Preassigned addresses are automatically excluded from normal dynamic IP address assignment.
Step 1: configure terminal
  Enter global configuration mode.
Step 2: ip dhcp pool poolname
  Enter DHCP pool configuration mode, and define the name for the DHCP pool. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0).
Step 3: network network-number [mask | /prefix-length]
  Specify the subnet network number and mask of the DHCP address pool.
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 0
Excluded addresses : 4
Pending event : none
1 subnet is currently in the pool:
Current index   IP address range          Leased/Excluded/Total
10.1.1.1        10.1.1.1 - 10.1.1.254     0 / 4 / 254
1 reserved address is currently in the pool
Address   Client
10.1.1.
Chapter 22 Configuring Dynamic ARP Inspection

This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 3560 switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN.

Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Figure 22-1 ARP Cache Poisoning: Host A (IA, MA), Host B (IB, MB), Host C (man-in-the-middle) (IC, MC)

Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA.
You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header. Use the ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command. For more information, see the “Performing Validation Checks” section on page 22-11.
Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running dynamic ARP inspection.
You use the ip arp inspection log-buffer global configuration command to configure the number of entries in the buffer and the number of entries needed in the specified interval to generate system messages. You specify the type of packets that are logged by using the ip arp inspection vlan logging global configuration command. For configuration information, see the “Configuring the Log Buffer” section on page 22-12.
Dynamic ARP Inspection Configuration Guidelines

These are the dynamic ARP inspection configuration guidelines:
• Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking.
• Dynamic ARP inspection is not effective for hosts connected to switches that do not support dynamic ARP inspection or that do not have this feature enabled.
Configuring Dynamic ARP Inspection in DHCP Environments

This procedure shows how to configure dynamic ARP inspection when two switches support this feature. Host 1 is connected to Switch A, and Host 2 is connected to Switch B as shown in Figure 22-2 on page 22-3. Both switches are running dynamic ARP inspection on VLAN 1 where the hosts are located. A DHCP server is connected to Switch A.
Step 7: show ip arp inspection interfaces
  show ip arp inspection vlan vlan-range
  Verify the dynamic ARP inspection configuration.
Step 8: show ip dhcp snooping binding
  Verify the DHCP bindings.
Step 9: show ip arp inspection statistics vlan vlan-range
  Check the dynamic ARP inspection statistics.
Step 10: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
Step 3: permit ip host sender-ip mac host sender-mac [log]
  Permit ARP packets from the specified host (Host 2).
  • For sender-ip, enter the IP address of Host 2.
  • For sender-mac, enter the MAC address of Host 2.
  • (Optional) Specify log to log a packet in the log buffer when it matches the access control entry (ACE).
Step 7: no ip arp inspection trust
  Configure the Switch A interface that is connected to Switch B as untrusted. By default, all interfaces are untrusted. For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination.
For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the “Dynamic ARP Inspection Configuration Guidelines” section on page 22-6.

Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This procedure is optional.

Step 1: configure terminal
  Enter global configuration mode.
Step 1: configure terminal
  Enter global configuration mode.
Step 2: ip arp inspection validate {[src-mac] [dst-mac] [ip]}
  Perform a specific check on incoming ARP packets. By default, no checks are performed. The keywords have these meanings:
  • For src-mac, check the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
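As an added example that is not part of the Cisco guide, the following Python implements the three checks selectable with ip arp inspection validate on constructed ARP frames. The host MACs and IPs are invented; the responses-only scope of dst-mac and the invalid-address set for ip (0.0.0.0, 255.255.255.255 and multicast, with the target IP checked only in responses) follow the command's documented behaviour rather than text in this excerpt.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed sample values (not from the guide), using the (IA, MA) naming of
# Figure 22-1: Host A, Host B and a third station C.
MA, MB, MC = (bytes.fromhex(h) for h in ("00000000000a", "00000000000b", "00000000000c"))
IA, IB = bytes([10, 1, 1, 1]), bytes([10, 1, 1, 2])


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Construct an untagged Ethernet/ARP frame (Ethernet hardware, IPv4 protocol)."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
    return eth_dst + eth_src + b"\x08\x06" + arp


def parse_arp(frame: bytes):
    """Split a frame into Ethernet header fields and ARP body fields, or None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": frame[0:6], "eth_src": frame[6:12], "op": op,
            "sha": arp[8:14], "spa": arp[14:18], "tha": arp[18:24], "tpa": arp[24:28]}


def invalid_ip(raw: bytes) -> bool:
    """The 'ip' check: 0.0.0.0, 255.255.255.255 and multicast addresses are invalid."""
    addr = ipaddress.IPv4Address(raw)
    return raw in (bytes(4), b"\xff" * 4) or addr.is_multicast


def dai_validate(frame: bytes, checks: set) -> list:
    """Return the names of the enabled checks the frame fails (empty list = pass).
    checks is the subset of {"src-mac", "dst-mac", "ip"} that was enabled."""
    pkt = parse_arp(frame)
    if pkt is None:
        return ["not-arp"]
    failed = []
    # src-mac: Ethernet source vs ARP sender MAC, for requests and responses
    if "src-mac" in checks and pkt["eth_src"] != pkt["sha"]:
        failed.append("src-mac")
    # dst-mac: Ethernet destination vs ARP target MAC, responses only
    if "dst-mac" in checks and pkt["op"] == ARP_REPLY and pkt["eth_dst"] != pkt["tha"]:
        failed.append("dst-mac")
    # ip: sender IP in all packets, target IP in responses only
    if "ip" in checks and (invalid_ip(pkt["spa"]) or
                           (pkt["op"] == ARP_REPLY and invalid_ip(pkt["tpa"]))):
        failed.append("ip")
    return failed
```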
Beginning in privileged EXEC mode, follow these steps to configure the log buffer. This procedure is optional.

Step 1: configure terminal
  Enter global configuration mode.
Step 2: ip arp inspection log-buffer {entries number | logs number interval seconds}
  Configure the dynamic ARP inspection logging buffer. By default, when dynamic ARP inspection is enabled, denied or dropped ARP packets are logged.
Step 5: show ip arp inspection log
  Verify your settings.
Step 6: copy running-config startup-config
  (Optional) Save your entries in the configuration file.

To return to the default log buffer settings, use the no ip arp inspection log-buffer {entries | logs} global configuration command.
Table 22-4 Commands for Clearing or Displaying Dynamic ARP Inspection Logging Information
clear ip arp inspection log: Clears the dynamic ARP inspection log buffer.
show ip arp inspection log: Displays the configuration and contents of the dynamic ARP inspection log buffer.

For more information about these commands, see the command reference for this release.
Catalyst 3560 Switch Software Configuration Guide, OL-8553-06
Chapter 23 Configuring IGMP Snooping and MVR

This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on the Catalyst 3560 switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action.
Understanding IGMP Snooping

Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast devices.
IGMP Versions

The switch supports IGMP Version 1, IGMP Version 2, and IGMP Version 3. These versions are interoperable on the switch. For example, if IGMP snooping is enabled on an IGMPv2 switch and the switch receives an IGMPv3 report from a host, the switch can forward the IGMPv3 report to the multicast router.

Note: The switch supports IGMPv3 snooping based only on the destination multicast MAC address.
it is not already present. The CPU also adds the interface where the join message was received to the forwarding-table entry. The host associated with that interface receives multicast traffic for that multicast group. See Figure 23-1.

Figure 23-1 Initial IGMP Join Message
Figure 23-2 Second Host Joining a Multicast Group

Table 23-2 Updated IGMP Snooping Forwarding Table
Destination Address   Type of Packet   Ports
224.1.2.3             IGMP             1, 2, 5

Leaving a Multicast Group

The router sends periodic multicast general queries, and the switch forwards these queries through all ports in the VLAN.
Note: You should only use the Immediate Leave feature on VLANs where a single host is connected to each port. If Immediate Leave is enabled in VLANs where more than one host is connected to a port, some hosts might inadvertently be dropped.

For configuration steps, see the “Enabling IGMP Immediate Leave” section on page 23-10.
• Configuring the IGMP Leave Timer, page 23-11
• Configuring TCN-Related Commands, page 23-12
• Configuring the IGMP Snooping Querier, page 23-14
• Disabling IGMP Report Suppression, page 23-15

Default IGMP Snooping Configuration

Table 23-3 shows the default IGMP snooping configuration.
Beginning in privileged EXEC mode, follow these steps to enable IGMP snooping on a VLAN interface:

Step 1: configure terminal
  Enter global configuration mode.
Step 2: ip igmp snooping vlan vlan-id
  Enable IGMP snooping on the VLAN interface. The VLAN ID range is 1 to 1001 and 1006 to 4094.
  Note: IGMP snooping must be globally enabled before you can enable VLAN snooping.
Step 3: end
  Return to privileged EXEC mode.
Beginning in privileged EXEC mode, follow these steps to alter the method in which a VLAN interface dynamically accesses a multicast router:

Step 1: configure terminal
  Enter global configuration mode.
Step 2: ip igmp snooping vlan vlan-id mrouter learn {cgmp | pim-dvmrp}
  Enable IGMP snooping on a VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.
Step 4: show ip igmp snooping mrouter [vlan vlan-id]
  Verify that IGMP snooping is enabled on the VLAN interface.
Step 5: copy running-config startup-config
  (Optional) Save your entries in the configuration file.

To remove a multicast router port from the VLAN, use the no ip igmp snooping vlan vlan-id mrouter interface interface-id global configuration command.
Note: Immediate Leave is supported only on IGMP Version 2 hosts.

Beginning in privileged EXEC mode, follow these steps to enable IGMP Immediate Leave:

Step 1: configure terminal
  Enter global configuration mode.
Step 2: ip igmp snooping vlan vlan-id immediate-leave
  Enable IGMP Immediate Leave on the VLAN interface.
Step 3: end
  Return to privileged EXEC mode.
Step 5: show ip igmp snooping
  (Optional) Display the configured IGMP leave time.
Step 6: copy running-config startup-config
  (Optional) Save your entries in the configuration file.

To globally reset the IGMP leave timer to the default setting, use the no ip igmp snooping last-member-query-interval global configuration command.
Recovering from Flood Mode

When a topology change occurs, the spanning-tree root sends a special IGMP leave message (also known as global leave) with the group multicast address 0.0.0.0. However, when you enable the ip igmp snooping tcn query solicit global configuration command, the switch sends the global leave message whether or not it is the spanning-tree root.
Configuring the IGMP Snooping Querier

Follow these guidelines when configuring the IGMP snooping querier:
• Configure the VLAN in global configuration mode.
• Configure an IP address on the VLAN interface. When enabled, the IGMP snooping querier uses the IP address as the query source address.
This example shows how to set the IGMP snooping querier source address to 10.0.0.64:
Switch# configure terminal
Switch(config)# ip igmp snooping querier 10.0.0.
To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 23-4.

Table 23-4 Commands for Displaying IGMP Snooping Information
show ip igmp snooping [vlan vlan-id]: Display the snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.
Understanding Multicast VLAN Registration

Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service-provider network (for example, the broadcast of multiple television channels over a service-provider network). MVR allows a subscriber on a port to subscribe and unsubscribe to a multicast stream on the network-wide multicast VLAN.
Figure 23-3 Multicast VLAN Registration Example (labelled elements: Cisco router and multicast server on the multicast VLAN, Switch B with source ports SP1 and SP2, Switch A with receiver ports RP1 to RP7, and set-top boxes, TVs and a PC at the customer premises; RP = Receiver Port, SP = Source Port)

Note: All source ports belong to the multicast VLAN.
These messages dynamically register for streams of multicast traffic in the multicast VLAN on the Layer 3 device, Switch B. The access layer switch, Switch A, modifies the forwarding behavior to allow the traffic to be forwarded from the multicast VLAN to the subscriber port in a different VLAN, selectively allowing traffic to cross between two VLANs. IGMP reports are sent to the same IP multicast group address as the multicast data.
• Because MVR on the switch uses IP multicast addresses instead of MAC multicast addresses, aliased IP multicast addresses are allowed on the switch. However, if the switch is interoperating with Catalyst 3550 or Catalyst 3500 XL switches, you should not configure IP addresses that alias between themselves or with the reserved IP multicast addresses (in the range 224.0.0.xxx).
• Do not configure MVR on private VLAN ports.
Step 7: end
  Return to privileged EXEC mode.
Step 8: show mvr or show mvr members
  Verify the configuration.
Step 9: copy running-config startup-config
  (Optional) Save your entries in the configuration file.

To return the switch to its default settings, use the no mvr [mode | group ip-address | querytime | vlan] global configuration commands.
Step 5: mvr vlan vlan-id group [ip-address]
  (Optional) Statically configure a port to receive multicast traffic sent to the multicast VLAN and the IP multicast address. A port statically configured as a member of a group remains a member of the group until statically removed.
  Note: In compatible mode, this command applies to only receiver ports. In dynamic mode, it applies to receiver ports and source ports.
Displaying MVR Information

You can display MVR information for the switch or for a specified interface.
IGMP filtering is applicable only to the dynamic learning of IP multicast group addresses, not static configuration. With the IGMP throttling feature, you can set the maximum number of IGMP groups that a Layer 2 interface can join.
• permit: Specifies that matching addresses are permitted.
• range: Specifies a range of IP addresses for the profile. You can enter a single IP address or a range with a start and an end address.

The default is for the switch to have no IGMP profiles configured. When a profile is configured, if neither the permit nor deny keyword is included, the default is to deny access to the range of IP addresses.
Applying IGMP Profiles

To control access as defined in an IGMP profile, use the ip igmp filter interface configuration command to apply the profile to the appropriate interfaces. You can apply IGMP profiles only to Layer 2 access ports; you cannot apply IGMP profiles to routed ports or SVIs. You cannot apply profiles to ports that belong to an EtherChannel port group.
Step 3: ip igmp max-groups number
  Set the maximum number of IGMP groups that the interface can join. The range is 0 to 4294967294. The default is to have no maximum set.
Step 4: end
  Return to privileged EXEC mode.
Step 5: show running-config interface interface-id
  Verify the configuration.
Step 6: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
Beginning in privileged EXEC mode, follow these steps to configure the throttling action when the maximum number of entries is in the forwarding table:

Step 1: configure terminal
  Enter global configuration mode.
Step 2: interface interface-id
  Specify the physical interface to be configured, and enter interface configuration mode.
Chapter 24 Configuring Port-Based Traffic Control

This chapter describes how to configure the port-based traffic control features on the Catalyst 3560 switch.

Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Storm control uses one of these methods to measure traffic activity:
• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received (Cisco IOS Release 12.2(25)SE or later).
Note: Because packets do not arrive at uniform intervals, the 1-second time interval during which traffic activity is measured can affect the behavior of storm control.

You use the storm-control interface configuration commands to set the threshold value for each traffic type.
Step 3: storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
  Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled. The keywords have these meanings:
  • For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage (up to two decimal places) of the bandwidth.
Step 6: show storm-control [interface-id] [broadcast | multicast | unicast]
  Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.
Step 7: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
Step 5: interface interface-id
  Enter interface configuration mode, and specify the interface to be configured.
Step 6: small-frame violation-rate pps
  Configure the threshold rate for the interface to drop incoming packets and error disable the port. The range is 1 to 10,000 packets per second (pps).
Step 7: end
  Return to privileged EXEC mode.
Step 8: show interfaces interface-id
  Verify the configuration.
Protected Port Configuration Guidelines

You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group. Do not configure a private-VLAN port as a protected port. Do not configure a protected port as a private-VLAN port.
Default Port Blocking Configuration

The default is to not block flooding of unknown multicast and unicast traffic out of a port, but to flood these packets to all ports.

Blocking Flooded Traffic on an Interface

Note: The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.
Configuring Port Security

These sections contain this conceptual and configuration information:
• Understanding Port Security, page 24-9
• Default Port Security Configuration, page 24-11
• Port Security Configuration Guidelines, page 24-11
• Enabling and Configuring Port Security, page 24-13
• Enabling and Configuring Port Security Aging, page 24-17
• Port Security and Private VLANs, page 24-18

Understanding Port Security

These sections contain
The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. This number is determined by the active Switch Database Management (SDM) template. See Chapter 8, “Configuring SDM Templates.
Table 24-1 Security Violation Mode Actions (continued)
Violation Mode | Traffic is forwarded(1) | Sends SNMP trap | Sends syslog message | Displays error message(2) | Violation counter increments | Shuts down port
shutdown | No | Yes | Yes | No | Yes | Yes
shutdown vlan | No | Yes | Yes | No | Yes | No(3)
1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
2.
VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
Enabling and Configuring Port Security

Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port:

Step 1: configure terminal
  Enter global configuration mode.
Step 2: interface interface-id
  Specify the interface to be configured, and enter interface configuration mode.
Step 7: switchport port-security [violation {protect | restrict | shutdown | shutdown vlan}]
  (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:
  • protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addres
Step 8: switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]]
  (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table. All addresses are now dynamically learned.
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Switch(config-if)# switchport port-security mac-address 0000.0000.
Chapter 24 Configuring Port-Based Traffic Control Configuring Port Security To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command. To disable aging for only statically configured secure addresses, use the no switchport port-security aging static interface configuration command.
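The procedure above carried through as one complete access-port configuration, with the violation mode, sticky learning, aging and err-disable recovery choices a practitioner would actually make. This is an added example and not the guide's own; the interface, VLAN numbers, the phone MAC address and the recovery interval are assumed values.

```cisco
! Added example (not from the guide): lock an access port to one data
! host plus one IP phone. Assumed: Gi0/2, data VLAN 21, voice VLAN 22,
! phone MAC 0011.2233.4455.
Switch# configure terminal
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport voice vlan 22
Switch(config-if)# switchport port-security
! a phone's MAC can show up on the access VLAN as well as the voice
! VLAN, so allow two on access and one on voice (sum must not exceed
! the port maximum)
Switch(config-if)# switchport port-security maximum 3
Switch(config-if)# switchport port-security maximum 2 vlan access
Switch(config-if)# switchport port-security maximum 1 vlan voice
! restrict: drop and count offending frames, send a syslog/SNMP trap,
! keep the port up. shutdown (the default) err-disables the port instead.
Switch(config-if)# switchport port-security violation restrict
! learned addresses become sticky and survive a reload once saved
Switch(config-if)# switchport port-security mac-address sticky
! pin the phone statically on the voice VLAN; the host is learned
Switch(config-if)# switchport port-security mac-address 0011.2233.4455 vlan voice
! age out dynamic addresses idle for 10 minutes so a replaced host
! does not trip a violation forever; static entries are not aged
Switch(config-if)# switchport port-security aging time 10
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# exit
! if you prefer shutdown mode, let err-disabled ports recover after 5 min
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! verify: violation counter, maximum, sticky/static entries per VLAN
Switch# show port-security interface gigabitethernet0/2
Switch# show port-security address
Switch# copy running-config startup-config
```

Check the violation counter in show port-security interface after connecting a third device; in restrict mode the counter increments and a trap is sent but the port stays up, which is the behaviour you want on ports where a denial of service against the legitimate host is the bigger risk.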
Displaying Port-Based Traffic Control Settings

Secure addresses that are learned on a host port are automatically replicated on the associated primary VLANs, and similarly, secure addresses learned on promiscuous ports are automatically replicated on all associated secondary VLANs. Static addresses (using the mac-address-table static command) cannot be user configured on a secure port.

Catalyst 3560 Switch Software Configuration Guide, OL-8553-06
Chapter 25 Configuring CDP

This chapter describes how to configure Cisco Discovery Protocol (CDP) on the Catalyst 3560 switch.

Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.

Configuring CDP

These sections contain this configuration information:
• Default CDP Configuration, page 25-2
• Configuring the CDP Characteristics, page 25-2
• Disabling and Enabling CDP, page 25-3
• Disabling and Enabling CDP on an Interface, page 25-4

Default CDP Configuration

Table 25-1 shows the default CDP configuration.

Step 6 show cdp: Verify your settings.
Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file.

Use the no form of the CDP commands to return to the default settings. This example shows how to configure CDP characteristics.

Disabling and Enabling CDP on an Interface

CDP is enabled by default on all supported interfaces to send and to receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on a port:

Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Specify the interface on which you are disabling CDP, and enter interface configuration mode.

Monitoring and Maintaining CDP

show cdp entry entry-name [protocol | version]: Display information about a specific neighbor. You can enter an asterisk (*) to display all CDP neighbors, or you can enter the name of the neighbor about which you want information. You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device.
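CDP advertises the switch's platform, software version and management addresses to whatever is plugged into a port, so the usual practice is to keep it on infrastructure links and IP-phone ports and switch it off on untrusted user-facing ports. The following is an added example that is not part of the guide; the port ranges and timer values are assumptions.

```cisco
! Added example (not from the guide): keep CDP on the uplink and phone
! ports, silence it on untrusted edge ports. Assumed: Gi0/1-8 are
! untrusted, Gi0/25 is the uplink.
Switch# configure terminal
! global timers for the ports that keep CDP: advertise every 60 s,
! neighbors discard the entry after 180 s without an update
Switch(config)# cdp timer 60
Switch(config)# cdp holdtime 180
Switch(config)# cdp advertise-v2
! untrusted edge ports: neither send nor accept CDP
Switch(config)# interface range gigabitethernet0/1 - 8
Switch(config-if-range)# no cdp enable
Switch(config-if-range)# exit
! uplink: CDP stays on (the default) so neighbor inventory still works
Switch(config)# interface gigabitethernet0/25
Switch(config-if)# cdp enable
Switch(config-if)# end
! verify which ports still speak CDP and what they learn
Switch# show cdp interface
Switch# show cdp neighbors detail
Switch# show cdp entry *
Switch# copy running-config startup-config
```

If no port on the switch needs CDP at all, no cdp run in global configuration mode turns it off everywhere in one step; leaving it on for phone ports is the common reason not to do that, because Cisco IP phones use CDP to learn the voice VLAN and negotiate power.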
Chapter 27 Configuring UDLD

This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 3560 switch.

Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

Understanding UDLD

In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection. If the ports are connected correctly but the traffic is one way, UDLD does not detect the unidirectional link because the Layer 1 mechanism, which is supposed to detect this condition, does not do so.

If the detection window ends and no valid reply message is received, the link might shut down, depending on the UDLD mode. When UDLD is in normal mode, the link might be considered undetermined and might not be shut down. When UDLD is in aggressive mode, the link is considered unidirectional, and the port is disabled.

Configuring UDLD

Default UDLD Configuration

Table 27-1 shows the default UDLD configuration.

Enabling UDLD Globally

Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch:

Step 1 configure terminal: Enter global configuration mode.

Step 3 udld port [aggressive]: UDLD is disabled by default.
• udld port—Enables UDLD in normal mode on the specified port.
• udld port aggressive—Enables UDLD in aggressive mode on the specified port.
Note Use the no udld port interface configuration command to disable UDLD on a specified fiber-optic port. For more information about aggressive and normal modes, see the “Modes of Operation” section on page 27-1.
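The global and per-port procedures above combined into one configuration, with err-disable recovery so that an aggressive-mode shutdown does not require a manual reset. This is an added example, not the guide's own; the interface numbers, the message interval and the recovery interval are assumptions.

```cisco
! Added example (not from the guide): aggressive UDLD on all fiber
! ports, UDLD on one copper uplink, automatic recovery. Assumed:
! Gi0/25 is a copper uplink.
Switch# configure terminal
! global setting applies to fiber-optic ports only; "udld aggressive"
! both enables UDLD and selects aggressive mode
Switch(config)# udld aggressive
! send a probe every 15 s (range 7-90); the detection window is derived
! from this timer, so a shorter value detects a dead strand sooner
Switch(config)# udld message time 15
! copper ports are not covered by the global command: enable per port
Switch(config)# interface gigabitethernet0/25
Switch(config-if)# udld port aggressive
Switch(config-if)# exit
! aggressive mode err-disables the port; recover it after 5 minutes
! rather than leaving the link down until someone logs in
Switch(config)# errdisable recovery cause udld
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! verify state per port, and reset ports UDLD has shut down by hand
Switch# show udld
Switch# show udld gigabitethernet0/25
Switch# udld reset
```

A port that UDLD keeps err-disabling after every recovery interval is reporting a real one-way link or a neighbor that does not answer probes; fix the cabling or the neighbor's UDLD configuration rather than lengthening the interval or turning UDLD off, since a silent unidirectional link is exactly what lets a spanning-tree loop form.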
Chapter 26 Configuring LLDP, LLDP-MED, and Wired Location Service

This chapter describes how to configure the Link Layer Discovery Protocol (LLDP), LLDP Media Endpoint Discovery (LLDP-MED) and wired location service on the Catalyst 3560 switch.

Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.

Understanding LLDP, LLDP-MED, and Wired Location Service

The switch supports these basic management TLVs. These are mandatory LLDP TLVs.
• Port description TLV
• System name TLV
• System description TLV
• System capabilities TLV
• Management address TLV

These organizationally specific LLDP TLVs are also advertised to support LLDP-MED.
• Port VLAN ID TLV (IEEE 802.

• Location TLV Provides location information from the switch to the endpoint device. The location TLV can send this information:
– Civic location information Provides the civic address information and postal information. Examples of civic location information are street address, road name, and postal community name information.

• Device category is specified as a wired station
• State is specified as delete
• Serial number, UDI
• Time in seconds since the switch detected the disassociation

When the switch shuts down, it sends an attachment notification with the state delete and the IP address before closing the NMSP connection to the MSE.

Configuring LLDP, LLDP-MED, and Wired Location Service

Configuration Guidelines
• If the interface is configured as a tunnel port, LLDP is automatically disabled.
• If you first configure a network-policy profile on an interface, you cannot apply the switchport voice vlan command on the interface. If the switchport voice vlan vlan-id is already configured on an interface, you can apply a network-policy profile on the interface.

Beginning in privileged EXEC mode, follow these steps to configure the LLDP characteristics.
Note Steps 2 through 5 are optional and can be performed in any order.
Step 1 configure terminal: Enter global configuration mode.

Table 26-2 LLDP-MED TLVs
network-policy: LLDP-MED network policy TLV
power-management: LLDP-MED power management TLV

Beginning in privileged EXEC mode, follow these steps to enable a TLV on an interface:
Step 1 configure terminal: Enter global configuration mode.

Step 3 {voice | voice-signaling} vlan [vlan-id {cos cvalue | dscp dvalue}] | [[dot1p {cos cvalue | dscp dvalue}] | none | untagged]: Configure the policy attributes:
voice—Specify the voice application type.
voice-signaling—Specify the voice-signaling application type.
vlan—Specify the native VLAN for voice traffic.

Configuring Location TLV and Wired Location Service

Beginning in privileged EXEC mode, follow these steps to configure location information for an endpoint and to apply it to an interface.
Step 1 configure terminal: Enter global configuration mode.
Step 2 location {admin-tag string | civic-location ...: Specify the location information for an endpoint.

Beginning in privileged EXEC mode, follow these steps to enable wired location service on the switch.
Note Your switch must be running the cryptographic (encrypted) software image to enable the nmsp global configuration commands.
Step 1 configure terminal: Enter global configuration mode.
Step 2 nmsp enable: Enable the NMSP features on the switch.

Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service

show lldp interface [interface-id]: Display information about interfaces with LLDP enabled. You can limit the display to a specific interface.
show lldp neighbors [interface-id] [detail]: Display information about neighbors, including device type, interface type and number, holdtime settings, capabilities, and port ID.
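The LLDP characteristics, network-policy profile and per-interface TLV procedures above as one configuration, including the ordering constraint from the guidelines (voice VLAN before network-policy) and an untrusted port on which LLDP is silenced. This is an added example rather than the guide's own; interface numbers, VLAN, CoS values and timers are assumptions.

```cisco
! Added example (not from the guide): LLDP on, LLDP-MED voice policy for
! a phone port, LLDP off on an untrusted port. Assumed: Gi0/2 is a
! phone port, Gi0/10 is untrusted, voice VLAN 22.
Switch# configure terminal
Switch(config)# lldp run
! advertise every 30 s, neighbors keep the entry for 120 s, wait 2 s
! before re-initializing a port
Switch(config)# lldp timer 30
Switch(config)# lldp holdtime 120
Switch(config)# lldp reinit 2
! policy handed to LLDP-MED phones: media on VLAN 22 with CoS 5,
! signaling on VLAN 22 with CoS 3
Switch(config)# network-policy profile 1
Switch(config-network-policy)# voice vlan 22 cos 5
Switch(config-network-policy)# voice-signaling vlan 22 cos 3
Switch(config-network-policy)# exit
! phone port: configure the voice VLAN first, then apply the profile
! (the reverse order is rejected, see Configuration Guidelines)
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# switchport voice vlan 22
Switch(config-if)# network-policy 1
Switch(config-if)# lldp med-tlv-select network-policy
Switch(config-if)# exit
! untrusted port: neither advertise switch details nor accept claims
! (a host can otherwise announce itself as a phone to reach the voice VLAN)
Switch(config)# interface gigabitethernet0/10
Switch(config-if)# no lldp transmit
Switch(config-if)# no lldp receive
Switch(config-if)# end
Switch# show lldp
Switch# show lldp interface gigabitethernet0/2
Switch# show lldp neighbors detail
Switch# show network-policy profile
```

show lldp neighbors detail on Gi0/2 should list the phone with its capabilities and the policy it accepted; on Gi0/10 no neighbor is learned at all because receive is disabled, which is the point of that setting.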
Chapter 28 Configuring SPAN and RSPAN

This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 3560 switch.

Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

Understanding SPAN and RSPAN

These sections contain this conceptual information:
• Local SPAN, page 28-2
• Remote SPAN, page 28-2
• SPAN and RSPAN Concepts and Terminology, page 28-3
• SPAN and RSPAN Interaction with Other Features, page 28-8

Local SPAN

Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports are in the same switch.

Figure 28-2 Example of RSPAN Configuration (figure: RSPAN source session A on Switch A and RSPAN source session B on Switch B, each with its own RSPAN source ports, carry mirrored traffic in the RSPAN VLAN through intermediate switches, which must support the RSPAN VLAN, to the RSPAN destination session and RSPAN destination ports on Switch C)

SPAN and RSPAN Concepts and Terminology

This section describes concepts and terminology associated with SPAN and RSPAN configuration.

An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed over normal trunk ports to the destination switch. An RSPAN destination session takes all packets received on the RSPAN VLAN, strips off the VLAN tagging, and presents them on the destination port.

• Transmit (Tx) SPAN—The goal of transmit (or egress) SPAN is to monitor as much as possible all the packets sent by the source interface after all modification and processing is performed by the switch. A copy of each packet sent by the source is sent to the destination port for that SPAN session. The copy is provided after the packet is modified.

A source port has these characteristics:
• It can be monitored in multiple SPAN sessions.
• Each source port can be configured with a direction (ingress, egress, or both) to monitor.
• It can be any port type (for example, EtherChannel, Fast Ethernet, Gigabit Ethernet, and so forth).

Destination Port

Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user, usually a network analyzer. A destination port has these characteristics:
• For a local SPAN session, the destination port must reside on the same switch as the source port.

RSPAN VLAN

The RSPAN VLAN carries SPAN traffic between RSPAN source and destination sessions. It has these special characteristics:
• All traffic in the RSPAN VLAN is always flooded.
• No MAC address learning occurs on the RSPAN VLAN.
• RSPAN VLAN traffic only flows on trunk ports.
• RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN configuration mode command.

Configuring SPAN and RSPAN

A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and still be a part of the EtherChannel. In this case, data from the physical port is monitored as it participates in the EtherChannel. However, if a physical port that belongs to an EtherChannel group is configured as a SPAN destination, it is removed from the group.

Table 28-1 Default SPAN and RSPAN Configuration (continued)
VLAN filtering: On a trunk interface used as a source port, all VLANs are monitored.
RSPAN VLANs: None configured.
• On Catalyst 3560-24PS and 3560-48PS switches, egress SPAN routed packets (both unicast and multicast) show the incorrect source MAC address. For local SPAN packets with native encapsulation on the destination port, the packet shows the MAC address of VLAN 1. This problem does not appear with local SPAN when the encapsulation replicate option is used. This limitation does not apply to bridged packets.

Step 4 monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}: Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3.
Note For local SPAN, you must use the same session number for the source and destination interfaces.
For interface-id, specify the destination port.

This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional monitoring:
Switch(config)# no monitor session 1 source interface gigabitethernet0/1 rx
The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored.

Step 4 monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]}: Specify the SPAN session, the destination port, the packet encapsulation, and the ingress VLAN and encapsulation. For session_number, specify the session number entered in Step 3. For interface-id, specify the destination port.

Specifying VLANs to Filter

Beginning in privileged EXEC mode, follow these steps to limit SPAN source traffic to specific VLANs:
Step 1 configure terminal: Enter global configuration mode.
Step 2 no monitor session {session_number | all | local | remote}: Remove any existing SPAN configuration for the session. For session_number, the range is 1 to 66.

This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor traffic received on Gigabit Ethernet trunk port 2, and send traffic for only VLANs 1 through 5 and VLAN 9 to destination Gigabit Ethernet port 1.
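The local SPAN session just described, written out with the two choices that matter when the destination is a security sensor: encapsulation replicate so VLAN tags reach the sensor, and no ingress option so the sensor port cannot transmit into the network. This is an added example, not the guide's own text; the use of session 2, Gi0/2 as the trunk and Gi0/1 as the sensor port follows the description above.

```cisco
! Added example (not from the guide): mirror traffic received on trunk
! Gi0/2, VLANs 1-5 and 9 only, to an IDS sensor on Gi0/1.
Switch# configure terminal
! start from a clean session so no stale source or destination lingers
Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source interface gigabitethernet0/2 rx
Switch(config)# monitor session 2 filter vlan 1 - 5 , 9
! replicate keeps the 802.1Q tags so the sensor can attribute flows to
! VLANs (and avoids the VLAN 1 source-MAC quirk noted above). No
! "ingress ..." keyword: the sensor port stays receive-only.
Switch(config)# monitor session 2 destination interface gigabitethernet0/1 encapsulation replicate
Switch(config)# end
! verify the session, then save
Switch# show monitor session 2
Switch# show running-config | include monitor session
Switch# copy running-config startup-config
```

Because a destination port does not forward received frames unless ingress is configured, a sensor that must also talk to the network (updates, alerts) needs a second, ordinary port for management; giving the mirror port ingress access to a production VLAN turns a passive tap into a possible injection point.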
• We recommend that you configure an RSPAN VLAN before you configure an RSPAN source or a destination session.
• If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005.

This example shows how to create RSPAN VLAN 901.
Switch(config)# vlan 901
Switch(config-vlan)# remote-span
Switch(config-vlan)# end

Creating an RSPAN Source Session

Beginning in privileged EXEC mode, follow these steps to start an RSPAN source session and to specify the monitored source and the destination RSPAN VLAN:
Step 1 configure terminal: Enter global configuration mode.

Step 6 show monitor [session session_number] / show running-config: Verify the configuration.
Step 7 copy running-config startup-config: (Optional) Save the configuration in the configuration file.
To delete a SPAN session, use the no monitor session session_number global configuration command.

Step 7 monitor session session_number destination interface interface-id: Specify the RSPAN session and the destination interface. For session_number, enter the number defined in Step 6. In an RSPAN destination session, you must use the same session number for the source RSPAN VLAN and the destination port. For interface-id, specify the destination interface. The destination interface must be a physical interface.

Step 4 monitor session session_number destination {interface interface-id [, | -] [ingress {dot1q vlan vlan-id | isl | untagged ...: Specify the SPAN session, the destination port, the packet encapsulation, and the incoming VLAN and encapsulation. For session_number, enter the number defined in Step 4.

Specifying VLANs to Filter

Beginning in privileged EXEC mode, follow these steps to configure the RSPAN source session to limit RSPAN source traffic to specific VLANs:
Step 1 configure terminal: Enter global configuration mode.
Step 2 no monitor session {session_number | all | local | remote}: Remove any existing SPAN configuration for the session. For session_number, the range is 1 to 66.
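The RSPAN VLAN, source session and destination session procedures above combined into a two-switch deployment that matches Figure 28-2, with VLAN filtering on the source session and the RSPAN VLAN removed from trunks that do not lead to the sensor. This is an added example and not the guide's own; the VLAN number follows the example above, while the interface numbers, session numbers and the monitored VLANs are assumptions.

```cisco
! Added example (not from the guide): RSPAN from edge Switch A to a
! sensor on Switch C over RSPAN VLAN 901. Assumed: Gi0/1-4 are the
! monitored ports on Switch A, Gi0/24 on Switch C is the sensor port,
! Gi0/26 on Switch A is a trunk that does not lead toward Switch C.
!
! --- on every switch in the path (Switch A, intermediates, Switch C)
Switch(config)# vlan 901
Switch(config-vlan)# remote-span
Switch(config-vlan)# exit
!
! --- Switch A: RSPAN source session, receive direction, VLANs 10 and 20 only
Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface gigabitethernet0/1 - 4 rx
Switch(config)# monitor session 1 filter vlan 10 , 20
Switch(config)# monitor session 1 destination remote vlan 901
! the RSPAN VLAN is flooded on every trunk that carries it, so anyone
! on such a trunk can read the mirrored traffic: prune it where it is
! not needed (VTP pruning does this automatically if enabled)
Switch(config)# interface gigabitethernet0/26
Switch(config-if)# switchport trunk allowed vlan remove 901
Switch(config-if)# exit
!
! --- Switch C: RSPAN destination session to the sensor port
Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source remote vlan 901
Switch(config)# monitor session 2 destination interface gigabitethernet0/24
Switch(config)# end
Switch# show monitor session all
Switch# show vlan remote-span
```

show vlan remote-span must list 901 on every switch between A and C; if an intermediate switch shows it as an ordinary VLAN, MAC learning happens there and the mirrored frames are switched instead of flooded toward the destination session.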
Displaying SPAN and RSPAN Status

To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
Chapter 29 Configuring RMON

This chapter describes how to configure Remote Network Monitoring (RMON) on the Catalyst 3560 switch. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information.

Configuring RMON

Figure 29-1 Remote Monitoring Example (figure: a network management station running a generic RMON console application, with RMON alarms and events configured and SNMP configured, monitors a switch on which RMON history and statistic collection are enabled, along with the workstations attached to that switch)

Default RMON Configuration

RMON is disabled by default; no alarms or events are configured.

Configuring RMON Alarms and Events

You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station. We recommend that you use a generic RMON console application on the network management station (NMS) to take advantage of the RMON network management capabilities.

Step 3 rmon event number [description string] [log] [owner string] [trap community]: Add an event in the RMON event table that is associated with an RMON event number.
• For number, assign an event number. The range is 1 to 65535.
• (Optional) For description string, specify a description of the event.
• (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.

Collecting Group History Statistics on an Interface

You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.

Step 3 rmon collection stats index [owner ownername]: Enable RMON statistic collection on the interface.
• For index, specify the RMON group of statistics. The range is from 1 to 65535.
• (Optional) For owner ownername, enter the name of the owner of the RMON group of statistics.
Step 4 end: Return to privileged EXEC mode.
Step 5 show running-config: Verify your entries.
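The alarm, event and collection procedures above as one working configuration: an event that both logs and traps, a delta alarm on inbound errors that fires it, and history plus statistics collection on the monitored interface. This is an added example, not the guide's own; the trap receiver address, community, owner name, thresholds and the ifIndex of the monitored port are assumptions.

```cisco
! Added example (not from the guide): alarm on a burst of inbound
! errors on Gi0/1. Assumed: NMS at 10.1.1.5, trap community
! rmon-traps, Gi0/1 has ifIndex 1 (check with show snmp mib ifmib ifindex).
Switch# configure terminal
! the event's trap needs a trap receiver to go to
Switch(config)# snmp-server host 10.1.1.5 rmon-traps
! event 1: log entry plus trap when the alarm rises; event 2: log only
Switch(config)# rmon event 1 log trap rmon-traps description "ifInErrors rising" owner netops
Switch(config)# rmon event 2 log description "ifInErrors cleared" owner netops
! ifEntry.14.<ifIndex> is ifInErrors. Sample every 30 s; if the delta
! exceeds 20, fire event 1; when it falls back to 0, fire event 2.
Switch(config)# rmon alarm 10 ifEntry.14.1 30 delta rising-threshold 20 1 falling-threshold 0 2 owner netops
! collect 5-minute history (50 buckets) and running statistics on the port
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# rmon collection history 1 buckets 50 interval 300 owner netops
Switch(config-if)# rmon collection stats 1 owner netops
Switch(config-if)# end
! verify
Switch# show snmp mib ifmib ifindex
Switch# show rmon alarms
Switch# show rmon events
Switch# show rmon history
Switch# show rmon statistics
```

The ifIndex is the one thing to confirm before trusting the alarm: ifEntry.14.1 only watches Gi0/1 if that port's ifIndex really is 1, and show snmp mib ifmib ifindex is where the switch tells you.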
Chapter 30 Configuring System Message Logging

This chapter describes how to configure system message logging on the Catalyst 3560 switch.

Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.

Configuring System Message Logging

You can access logged system messages by using the switch command-line interface (CLI) or by saving them to a properly configured syslog server. The switch software saves syslog messages in an internal buffer. You can remotely monitor system messages by viewing the logs on a syslog server or by accessing the switch through Telnet or through the console port.

Table 30-1 describes the elements of syslog messages.

Table 30-1 System Log Message Elements
seq no: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages” section on page 30-8.
timestamp formats: Date and time of the message or event.

Table 30-2 Default System Message Logging Configuration (continued)
Time stamps: Disabled.
Synchronous logging: Disabled.
Logging server: Disabled.
Syslog server IP address: None configured.
Configuration change logger: Disabled.
Server facility: Local7 (see Table 30-4 on page 30-13).
Server severity: Informational (and numerically lower levels; see Table 30-3 on page 30-9).

Setting the Message Display Destination Device

If message logging is enabled, you can send messages to specific locations in addition to the console. Beginning in privileged EXEC mode, use one or more of the following commands to specify the locations that receive messages. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.

The logging buffered global configuration command copies logging messages to an internal buffer. The buffer is circular, so newer messages overwrite older messages after the buffer is full. To display the messages that are logged in the buffer, use the show logging privileged EXEC command. The first message displayed is the oldest message in the buffer.

Step 3 logging synchronous [level [severity-level | all] | limit number-of-buffers]: Enable synchronous logging of messages.
• (Optional) For level severity-level, specify the message severity level. Messages with a severity level equal to or higher than this value are printed asynchronously. Low numbers mean greater severity and high numbers mean lesser severity. The default is 2.

This example shows part of a logging display with the service timestamps log uptime global configuration command enabled:
00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up

Enabling and Disabling Sequence Numbers in Log Messages

Because there is a chance that more than one log message can have the same time stamp, you can display messages with sequence numbers so that you can unambiguously see a single m

Step 4 logging trap level: Limit messages logged to the syslog servers. By default, syslog servers receive informational messages and numerically lower levels (see Table 30-3 on page 30-9). For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 30-12.
Step 5 end: Return to privileged EXEC mode.
Step 6 show running-config: Verify your entries.

Limiting Syslog Messages Sent to the History Table and to SNMP

If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table. You also can change the number of messages that are stored in the history table.

Use the show archive log config {all | number [end-number] | user username [session number] number [end-number] | statistics} [provisioning] privileged EXEC command to display the complete configuration log or the log for specified parameters. The default is that configuration logging is disabled.

Configuring UNIX Syslog Servers

The next sections describe how to configure the UNIX server syslog daemon and how to define the UNIX system logging facility.

Logging Messages to a UNIX Syslog Daemon

Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. This procedure is optional.
Step 3 logging trap level: Limit messages logged to the syslog servers. By default, syslog servers receive informational messages and lower. See Table 30-3 on page 30-9 for level keywords.
Step 4 logging facility facility-type: Configure the syslog facility. See Table 30-4 on page 30-13 for facility-type keywords. The default is local7.
Step 5 end: Return to privileged EXEC mode.
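The destination, time-stamp, sequence-number, history-table, configuration-logger and syslog-server procedures of this chapter combined into the logging setup an incident responder would want on a switch: unambiguous ordering, a remote copy that survives a reload, and a record of who changed the configuration. This is an added example, not the guide's own; the collector address, facility, buffer sizes and the source interface are assumptions.

```cisco
! Added example (not from the guide): forensic-grade logging. Assumed:
! syslog collector 10.1.1.20, management SVI vlan 10, facility local6.
Switch# configure terminal
! every message gets a wall-clock time with milliseconds and a sequence
! number, so two messages with the same timestamp can still be ordered
Switch(config)# service timestamps log datetime msec localtime show-timezone
Switch(config)# service sequence-numbers
! local circular buffer: 64 KB, informational (6) and more severe
Switch(config)# logging buffered 65536 informational
! the console is slow and blocks: only warnings (4) and worse there
Switch(config)# logging console warnings
Switch(config)# logging monitor informational
! remote collector: notifications (5) and more severe, non-default
! facility, fixed source address so the collector can trust the sender
Switch(config)# logging host 10.1.1.20
Switch(config)# logging trap notifications
Switch(config)# logging facility local6
Switch(config)# logging source-interface vlan 10
! also keep warnings in the history table and forward them as SNMP traps
Switch(config)# logging history warnings
Switch(config)# logging history size 200
Switch(config)# snmp-server enable traps syslog
! configuration change logger: who ran which command, sent to syslog,
! with passwords and keys masked in the record
Switch(config)# archive
Switch(config-archive)# log config
Switch(config-archive-log-cfg)# logging enable
Switch(config-archive-log-cfg)# logging size 500
Switch(config-archive-log-cfg)# hidekeys
Switch(config-archive-log-cfg)# notify syslog
Switch(config-archive-log-cfg)# end
! verify: destinations and levels, then the change log
Switch# show logging
Switch# show archive log config all
Switch# copy running-config startup-config
```

The buffer is circular and lost on reload, so the remote copy is the one that matters in an investigation; logging trap decides what the collector gets, and setting it lower than the buffer level (here 5 against 6) is a deliberate trade of completeness for collector noise that you should make consciously.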
Chapter 31 Configuring SNMP

This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the Catalyst 3560 switch.

Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.

Understanding SNMP

• SNMP Community Strings, page 31-4
• Using SNMP to Access MIB Variables, page 31-4
• SNMP Notifications, page 31-5
• SNMP ifIndex MIB Object Values, page 31-5

SNMP Versions

This software release supports these SNMP versions:
• SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.

Table 31-1 identifies the characteristics of the different combinations of security models and levels.

Table 31-1 SNMP Security Models and Levels
Model | Level | Authentication | Encryption | Result
SNMPv1 | noAuthNoPriv | Community string | No | Uses a community string match for authentication.
SNMPv2C | noAuthNoPriv | Community string | No | Uses a community string match for authentication.

The SNMP agent also sends unsolicited trap messages to notify an NMS that a significant event has occurred on the agent. Examples of trap conditions include, but are not limited to, when a port or module goes up or down, when spanning-tree topology changes occur, and when authentication failures occur.

SNMP Community Strings

SNMP community strings authenticate access to MIB objects and function as embedded passwords.

SNMP Notifications

SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests. In command syntax, unless there is an option in the command to select either traps or informs, the keyword traps refers to either traps or informs, or both. Use the snmp-server host command to specify whether to send SNMP notifications as traps or informs.

Configuring SNMP

These sections contain this configuration information:
• Default SNMP Configuration, page 31-6
• SNMP Configuration Guidelines, page 31-6
• Disabling the SNMP Agent, page 31-7
• Configuring Community Strings, page 31-8
• Configuring SNMP Groups and Users, page 31-9
• Configuring SNMP Notifications, page 31-11
• Setting the CPU Threshold Notification Types and Values, page 31-15
• Setting the Agent Contact and Location Informatio

When configuring SNMP, follow these guidelines:
• When configuring an SNMP group, do not specify a notify view. The snmp-server host global configuration command autogenerates a notify view for the user and then adds it to the group associated with that user. Modifying the group's notify view affects all users associated with that group. See the Cisco IOS Configuration Fundamentals Command Reference, Release 12.

Configuring Community Strings

You use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the switch.

Step 3 access-list access-list-number {deny | permit} source [source-wildcard]: (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary.
• For access-list-number, enter the access list number specified in Step 2.
• The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
Chapter 31 Configuring SNMP Configuring SNMP Beginning in privileged EXEC mode, follow these steps to configure SNMP on the switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server engineID {local engineid-string Configure a name for either the local or remote copy of SNMP. | remote ip-address [udp-port port-number] • The engineid-string is a 24-character ID string with the name engineid-string} of the copy of SNMP.
Chapter 31 Configuring SNMP Configuring SNMP Command Step 4 Purpose snmp-server user username groupname Add a new user for an SNMP group. {remote host [udp-port port]} {v1 [access • The username is the name of the user on the host that connects access-list] | v2c [access access-list] | v3 to the agent. [encrypted] [access access-list] [auth {md5 | • The groupname is the name of the group to which the user is sha} auth-password]} associated.
Chapter 31 Configuring SNMP Configuring SNMP Table 31-5 Switch Notification Types (continued) Notification Type Keyword Description config Generates a trap for SNMP configuration changes. copy-config Generates a trap for SNMP copy configuration changes. entity Generates a trap for SNMP entity changes. cpu threshold Allow CPU-related traps. envmon Generates environmental monitor traps. You can enable any or all of these environmental traps: fan, shutdown, status, supply, temperature.
Chapter 31 Configuring SNMP Configuring SNMP Note Though visible in the command-line help strings, the fru-ctrl, insertion, and removal keywords are not supported. To enable the sending of SNMP inform notifications, use the snmp-server enable traps global configuration command combined with the snmp-server host host-addr informs global configuration command. You can use the snmp-server host global configuration command to a specific host to receive the notification types listed in Table 31-5.
Chapter 31 Configuring SNMP Configuring SNMP Step 5 Command Purpose snmp-server host host-addr [informs | traps] [version {1 | 2c | 3 {auth | noauth | priv}}] community-string [notification-type] Specify the recipient of an SNMP trap operation. • For host-addr, specify the name or Internet address of the host (the targeted recipient). • (Optional) Enter informs to send SNMP informs to the host. • (Optional) Enter traps (the default) to send SNMP traps to the host.
Chapter 31 Configuring SNMP Configuring SNMP The snmp-server host command specifies which hosts receive the notifications. The snmp-server enable trap command globally enables the mechanism for the specified notification (for traps and informs). To enable a host to receive an inform, you must configure an snmp-server host informs command for the host and globally enable informs by using the snmp-server enable traps command.
Chapter 31 Configuring SNMP Configuring SNMP Setting the Agent Contact and Location Information Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server contact text Set the system contact string. For example: snmp-server contact Dial System Operator at beeper 21555.
Chapter 31 Configuring SNMP Configuring SNMP Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. SNMP Examples This example shows how to enable all versions of SNMP. The configuration permits any SNMP manager to access all objects with read-only permissions using the community string public.
Chapter 31 Configuring SNMP Displaying SNMP Status Displaying SNMP Status To display SNMP input and output statistics, including the number of illegal community string entries, errors, and requested variables, use the show snmp privileged EXEC command. You also can use the other privileged EXEC commands in Table 31-6 to display SNMP information. For information about the fields in the displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
CHAPTER 32 Configuring Embedded Event Manager For complete syntax and usage information for the commands used in this chapter, see the Catalyst 3560 switch command reference for this release and the Cisco IOS Network Management Command Reference. For complete configuration information, see the Cisco IOS Network Management Configuration Guide, Release 12.4T.
Understanding Embedded Event Manager Figure 32-1 Embedded Event Manager Core Event Detectors (figure: the core event publishers, namely Cisco IOS parser text, the Syslog message queue, OIR events, the event manager run CLI command and hardware timers, feed the CLI, SYSLOG, OIR, NONE, Timer and Counter event detectors; the detectors publish to the Embedded Event Manager server, and the EEM policy director subscribes to receive events and implements policy actions)
• Counter event detector–Publishes an event when a named counter crosses a specified threshold. • Interface counter event detector–Publishes an event when a generic Cisco IOS interface counter for a specified interface crosses a defined threshold. A threshold can be specified as an absolute value or an incremental value.
– A CRON timer publishes an event by using a UNIX standard CRON specification to define when the event is to be published. A CRON timer never publishes events more than once per minute. • Watchdog event detector (IOSWDSysMon)—Publishes an event only on the master switch when – CPU utilization for a Cisco IOS process crosses a threshold. – Memory utilization for a Cisco IOS process crosses a threshold.
Configuring Embedded Event Manager Embedded Event Manager Environment Variables EEM uses environment variables in EEM policies. These variables are defined in an EEM policy tool command language (TCL) script by running a CLI command and the event manager environment command. • User-defined variables: Defined by the user for a user-defined policy. • Cisco-defined variables: Defined by Cisco for a specific sample policy.
Step 4 Command: action label syslog [priority priority-level] msg msg-text Purpose: Specify the action when an EEM applet is triggered. Repeat this action to add other CLI commands to the applet. • (Optional) The priority keyword specifies the priority level of the syslog messages. If selected, you need to define the priority-level argument.
4 _config_cmd1 interface Ethernet1/0 5 _config_cmd2 no shut This example shows a CRON timer environment variable, which is assigned by the software, set to every second minute, every hour of every day: Switch(config)# event manager environment _cron_entry 0-59/2 0-23/1 * * 0-6 This example shows the sample EEM policy named tm_cli_cmd.tcl registered as a system policy.
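The _cron_entry value above is a five-field UNIX CRON specification. The following Python is an added example, not part of the Cisco guide: it expands each field into the set of values it covers and tests which minutes a specification fires on, which is a quick way to confirm that an entry such as 0-59/2 really means "every second minute" before registering a policy against it. The field order and ranges (minute 0-59, hour 0-23, day 1-31, month 1-12, weekday 0-6 with 0 as Sunday) are the UNIX convention assumed here; the function names are this example's own.

```python
# Added example (not from the Cisco guide): expand a five-field CRON specification and
# test which minutes it selects. Field order and ranges follow the UNIX convention
# (minute, hour, day of month, month, weekday 0-6); this is an assumption of the example.
from typing import Set, Tuple

FIELD_RANGES: Tuple[Tuple[int, int], ...] = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 6))


def expand_field(field: str, lo: int, hi: int) -> Set[int]:
    """Expand one field ('*', 'a-b', 'a-b/n', '*/n', 'a,b,c') into the set of values it covers."""
    values: Set[int] = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start_text, end_text = part.split("-", 1)
            start, end = int(start_text), int(end_text)
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"bad CRON field {field!r} for range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def cron_fires_at(spec: str, minute: int, hour: int, day: int, month: int, weekday: int) -> bool:
    """True if the spec selects the given minute (the timer publishes at most once per minute)."""
    fields = spec.split()
    if len(fields) != 5:
        raise ValueError("a CRON spec has exactly five fields")
    sets = [expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]
    return all(v in s for v, s in zip((minute, hour, day, month, weekday), sets))


def firings_per_day(spec: str, day: int = 1, month: int = 1, weekday: int = 0) -> int:
    """Count how many minutes of one calendar day the spec selects."""
    return sum(cron_fires_at(spec, m, h, day, month, weekday) for h in range(24) for m in range(60))


# The value shown above: every second minute, every hour, every day of the week.
CRON_ENTRY = "0-59/2 0-23/1 * * 0-6"

if __name__ == "__main__":
    print(cron_fires_at(CRON_ENTRY, 14, 9, 1, 1, 0))   # True  (even minute)
    print(cron_fires_at(CRON_ENTRY, 15, 9, 1, 1, 0))   # False (odd minute)
    print(firings_per_day(CRON_ENTRY))                 # 720
```

A policy that runs a CLI command on every firing is worth checking this way: 720 runs a day is a very different load on the switch CPU than the 24 an operator might have intended.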
CHAPTER 33 Configuring Network Security with ACLs This chapter describes how to configure network security on the Catalyst 3560 switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists. Note: Information in this chapter about IP ACLs is specific to IP Version 4 (IPv4). For information about IPv6 ACLs, see Chapter 39, “Configuring IPv6 ACLs.
Understanding ACLs You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces.
• When an output router ACL and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL. Other packets are not filtered. • When a VLAN map, input router ACL, and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL.
Figure 33-1 Using ACLs to Control Traffic to a Network (figure: Host A and Host B on the Research & Development network send packets toward the Human Resources network; an ACL denies traffic from Host B and permits traffic from Host A) When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
As with port ACLs, the switch examines ACLs associated with features configured on a given interface. However, router ACLs are supported in both directions. As packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface are examined.
Configuring IPv4 ACLs • Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4 information might have been. • Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information.
• Inbound and outbound rate limiting (except with QoS ACLs) • Reflexive ACLs or dynamic ACLs (except for some specialized dynamic ACLs used by the switch clustering feature) • ACL logging for port ACLs and VLAN maps These are the steps to use IP ACLs on the switch: Step 1 Create an ACL by specifying an access list number or name and the access conditions. Step 2 Apply the ACL to interfaces or terminal lines.
Access List Numbers The number you use to denote your ACL shows the type of access list that you are creating. Table 33-1 lists the access-list number and corresponding access list type and shows whether or not they are supported in the switch. The switch supports IPv4 standard and extended access lists, numbers 1 to 199 and 1300 to 2699.
The first packet that triggers the ACL causes a logging message right away, and subsequent packets are collected over 5-minute intervals before they are logged. The logging message includes the access list number, whether the packet was permitted or denied, the source IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.
Switch(config)# end
Switch# show access-lists
Standard IP access list 2
    10 deny 171.69.198.102
    20 permit any
The switch always rewrites the order of standard access lists so that entries with host matches and entries with matches having a don’t care mask of 0.0.0.0 are moved to the top of the list, above any entries with non-zero don’t care masks.
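The matching rules in this section (wildcard masks, first match wins with an implicit deny at the end, the reordering of standard ACLs so that host entries come first, and the fragment rules for permit and deny ACEs that check Layer 4 information) are easy to get wrong when reviewing an ACL by eye. The following Python is an added example, not code from the Cisco guide: it models those rules so that a candidate ACL can be checked against sample packets offline. The sample lists are constructed: ACL_2 is the list shown just above, ACL_SUBNET48 follows the "subnet 48" description given under Numbered ACLs later in this chapter, and ACL_FRAG is an arbitrary deny-Telnet, permit-HTTP list used to show the fragment behaviour. All class and function names are this example's own.

```python
# Added example (not from the Cisco guide): a model of IPv4 ACL matching as this chapter
# describes it. Sample ACLs and packets below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str                          # "permit" or "deny"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"      # "any" by default
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    protocol: str = "ip"                 # "ip" matches every IP protocol
    dst_port: Optional[int] = None       # set => this ACE checks Layer 4 information


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None       # None: no Layer 4 header present in this packet
    is_fragment: bool = False            # True: a non-initial fragment


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    # Layer 3 checks: source, destination and protocol type.
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if ace.dst_port is None:
        return True                      # this ACE checks only Layer 3
    if pkt.dst_port is not None:
        return pkt.dst_port == ace.dst_port
    # No Layer 4 information in the packet (a non-initial fragment): per the guide, a permit
    # ACE whose Layer 3 part matches is taken to match the fragment, while a deny ACE that
    # checks Layer 4 never matches it.
    return pkt.is_fragment and ace.action == "permit"


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First match wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def standard_acl_order(acl: List[Ace]) -> List[Ace]:
    """Mimic the switch's rewrite of a standard ACL: entries with a host match (wildcard
    0.0.0.0) float above entries with non-zero wildcards; relative order is otherwise kept."""
    return sorted(acl, key=lambda ace: ace.src_wc != "0.0.0.0")


# Constructed sample: the access list 2 shown above (deny one host, permit everything else).
ACL_2 = [Ace("deny", "171.69.198.102", "0.0.0.0"), Ace("permit")]

# Constructed sample for the "subnet 48" description: accept one host on subnet 36.48.0.0,
# reject the rest of that subnet, accept the rest of network 36.0.0.0.
ACL_SUBNET48 = [
    Ace("permit", "36.48.0.3", "0.0.0.0"),
    Ace("deny", "36.48.0.0", "0.0.255.255"),
    Ace("permit", "36.0.0.0", "0.255.255.255"),
]

# Constructed sample for the fragment rules: deny Telnet, permit HTTP.
ACL_FRAG = [
    Ace("deny", protocol="tcp", dst_port=23),
    Ace("permit", protocol="tcp", dst_port=80),
]

if __name__ == "__main__":
    print(evaluate(ACL_2, Packet("171.69.198.102", "10.0.0.1")))                   # deny
    print(evaluate(ACL_SUBNET48, Packet("36.48.7.7", "10.0.0.1")))                 # deny
    # A non-initial fragment of a Telnet session: the deny ACE cannot see port 23, the
    # permit ACE matches on Layer 3, so the fragment is permitted.
    print(evaluate(ACL_FRAG, Packet("1.1.1.1", "2.2.2.2", "tcp", None, True)))     # permit
```

The last case is the one to note when an ACL is meant to block a service: a deny ACE keyed on a port does not stop the non-initial fragments of that flow, so a later permit ACE that matches on Layer 3 lets them through, which is why the guide's fragment rules matter for any list that mixes port-specific denies with broad permits.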
Beginning in privileged EXEC mode, follow these steps to create an extended ACL: Step 1 Command: configure terminal Purpose: Enter global configuration mode.
Step 2b Command: access-list access-list-number {deny | permit} protocol any any [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp] Purpose: In access-list configuration mode, define an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.
Step 2d Command: access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp] Purpose: (Optional) Define an extended ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol.
After creating a numbered extended ACL, you can apply it to terminal lines (see the “Applying an IPv4 ACL to a Terminal Line” section on page 33-18), to interfaces (see the “Applying an IPv4 ACL to an Interface” section on page 33-19), or to VLANs (see the “Configuring VLAN Maps” section on page 33-29).
Step 3 Command: deny {source [source-wildcard] | host source | any} [log] or permit {source [source-wildcard] | host source | any} [log] Purpose: In access-list configuration mode, specify one or more conditions denied or permitted to decide if the packet is forwarded or dropped. • host source—A source and source wildcard of source 0.0.0.0. • any—A source and source wildcard of 0.0.0.0 255.255.255.255.
After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL entries to a specific ACL. However, you can use no permit and no deny access-list configuration mode commands to remove entries from a named ACL.
Step 3 Command: absolute [start time date] [end time date] or periodic day-of-the-week hh:mm to [day-of-the-week] hh:mm or periodic {weekdays | weekend | daily} hh:mm to hh:mm Purpose: Specify when the function that uses the time range is operational. • You can use only one absolute statement in the time range. If you configure more than one absolute statement, only the one configured last is executed.
Extended IP access list deny_access
    10 deny tcp any any time-range new_year_day_2006 (inactive)
Extended IP access list may_access
    10 permit tcp any any time-range workhours (inactive)
Including Comments in ACLs You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.
Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL: Step 1 Command: configure terminal Purpose: Enter global configuration mode. Step 2 Command: line [console | vty] line-number Purpose: Identify a specific line to configure, and enter in-line configuration mode. • console—Specify the console terminal line. The console port is DCE.
Beginning in privileged EXEC mode, follow these steps to control access to an interface: Step 1 Command: configure terminal Purpose: Enter global configuration mode. Step 2 Command: interface interface-id Purpose: Identify a specific interface for configuration, and enter interface configuration mode. The interface can be a Layer 2 interface (port ACL), or a Layer 3 interface (router ACL).
Hardware and Software Treatment of IP ACLs ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to the CPU for software processing. If the hardware reaches its capacity to store ACL configurations, packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is substantially less than for hardware-forwarded traffic.
permit tcp source source-wildcard destination destination-wildcard range 5 60
permit tcp source source-wildcard destination destination-wildcard range 15 160
permit tcp source source-wildcard destination destination-wildcard range 115 1660
permit tcp source source-wildcard destination destination-wildcard
And if this message appears: ACLMGR-2-NOVMR: Cannot generate hardware representation of access list [chars] The flag-relate
Figure 33-3 Using Router ACLs to Control Traffic (figure: Server B (Payroll) behind Port 2 and Server A (Benefits) behind Port 1; Accounting hosts use 172.20.128.64-95 and Human Resources hosts use 172.20.128.0-31) This example uses a standard ACL to filter traffic coming into Server B from a port, permitting traffic only from Accounting’s source addresses 172.20.128.64 to 172.20.128.95.
Numbered ACLs In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the switch accepts one address on subnet 48 and rejects all others on that subnet. The last line of the list shows that the switch accepts addresses on all other network 36.0.0.
The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits ICMP traffic, denies UDP traffic from any source to the destination address range 171.69.0.0 through 179.69.255.255 with a destination port less than 1024, denies any other IP traffic, and provides a log of the result.
In this example of a named ACL, the Jones subnet is not allowed access:
Switch(config)# ip access-list standard prevention
Switch(config-std-nacl)# remark Do not allow Jones subnet through
Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.
01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 8 packets
Note that all logging entries for IP ACLs start with %SEC-6-IPACCESSLOG with minor variations in format depending on the kind of ACL and the access entry that has been matched.
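Because the switch reports the first packet immediately and then only a per-source count every 5 minutes, the useful operational view of these messages is the total denied per access list and source across intervals. The following Python is an added example, not code from the Cisco guide: it parses %SEC-6-IPACCESSLOGP lines in the format shown above and totals them. The first two sample lines are the ones above; the remaining lines are constructed in the same format, with one unrelated syslog line to show that it is skipped. The regular expression is written for the port-bearing variant shown here, and the function names are this example's own.

```python
# Added example (not from the Cisco guide): parse %SEC-6-IPACCESSLOGP entries and total the
# denied packets per (access list, source). Sample lines are partly taken from the guide
# and partly constructed; the regex covers the format shown on this page.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LOGP_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}):%SEC-6-IPACCESSLOGP:list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

SAMPLE_LOG: List[str] = [
    # the two entries shown in the guide
    "01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet",
    "01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 8 packets",
    # constructed entries in the same format
    "01:32:05:%SEC-6-IPACCESSLOGP:list ext1 denied tcp 10.9.8.7(40212) -> 172.20.128.70(23), 1 packet",
    "01:37:05:%SEC-6-IPACCESSLOGP:list ext1 denied tcp 10.9.8.7(40213) -> 172.20.128.70(22), 47 packets",
    "01:37:40:%SEC-6-IPACCESSLOGP:list ext1 permitted tcp 172.20.128.66(51000) -> 172.20.128.70(80), 12 packets",
    "01:38:00:%SYS-5-CONFIG_I: Configured from console by console",   # unrelated line, skipped
]


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of an IPACCESSLOGP entry, or None for any other line."""
    m = LOGP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def denied_totals(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Sum denied packet counts per (access list, source address) across all 5-minute intervals."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "denied":
            totals[(rec["acl"], rec["src"])] += rec["count"]
    return dict(totals)


def noisy_sources(lines: List[str], threshold: int) -> List[Tuple[str, str, int]]:
    """Sources whose denied total meets the threshold, largest first."""
    hits = [(acl, src, n) for (acl, src), n in denied_totals(lines).items() if n >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for acl, src, n in noisy_sources(SAMPLE_LOG, 10):
        print(f"list {acl}: {src} denied {n} packets in total")
```

The 0.0.0.0 source with a broadcast destination in the guide's own lines is DHCP discovery traffic being denied, which is usually noise; the constructed 10.9.8.7 entries, repeated denies to ports 23 and 22 on one server, are the kind of pattern a threshold like this is meant to surface.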
Creating Named MAC Extended ACLs Step 3 Command: {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination MAC address mask} [type mask | lsap lsap mask | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp | 0-65535] [cos cos] Purpose: In extended MAC acce
• A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one. Beginning in privileged EXEC mode, follow these steps to apply a MAC access list to control access to a Layer 2 interface: Step 1 Command: configure terminal Purpose: Enter global configuration mode.
Configuring VLAN Maps To create a VLAN map and apply it to one or more VLANs, perform these steps: Step 1 Create the standard or extended IPv4 ACLs or named MAC extended ACLs that you want to apply to the VLAN. See the “Creating Standard and Extended IPv4 ACLs” section on page 33-7 and the “Creating a VLAN Map” section on page 33-31. Step 2 Enter the vlan access-map global configuration command to create a VLAN ACL map entry.
• When a frame is Layer-2 forwarded within a private VLAN, the same VLAN map is applied at the ingress side and at the egress side. When a frame is routed from inside a private VLAN to an external port, the private-VLAN map is applied at the ingress side. – For frames going upstream from a host port to a promiscuous port, the VLAN map configured on the secondary VLAN is applied.
Examples of ACLs and VLAN Maps These examples show how to create ACLs and VLAN maps for specific purposes. Example 1 This example shows how to create an ACL and a VLAN map to deny a packet. In the first map, any packets that match the ip1 ACL (TCP packets) would be dropped. You first create the ip1 ACL to permit any TCP packet and no other packets.
Example 3 In this example, the VLAN map has a default action of drop for MAC packets and a default action of forward for IP packets. Used with MAC extended access lists good-hosts and good-protocols, the map will have the following results: • Forward MAC packets from hosts 0000.0c00.0111 and 0000.0c00.
Applying a VLAN Map to a VLAN Beginning in privileged EXEC mode, follow these steps to apply a VLAN map to one or more VLANs: Step 1 Command: configure terminal Purpose: Enter global configuration mode. Step 2 Command: vlan filter mapname vlan-list list Purpose: Apply the VLAN map to one or more VLAN IDs. The list can be a single VLAN ID (22), a consecutive list (10-22), or a string of VLAN IDs (12, 22, 30).
Figure 33-4 Wiring Closet Configuration (figure: Switch A, Switch B and Switch C; Host X 10.1.1.32 and Host Y 10.1.1.34; VLAN 1 and VLAN 2; VLAN map: Deny HTTP from X to Y. HTTP is dropped at entry point.) If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VLAN map on Switch A to drop all HTTP traffic from Host X (IP address 10.1.1.32) to Host Y (IP address 10.1.1.
Using VLAN Maps with Router ACLs Figure 33-5 Deny Access to a Server on Another VLAN (figure: a Layer 3 switch with a Server (VLAN 10), Host (VLAN 10) 10.1.1.4, Host (VLAN 10) 10.1.1.8, a Host (VLAN 20) in subnet 10.1.2.0/8, the address 10.1.1.100, and a VLAN map in the packet's path) This example shows how to deny access to a server on another VLAN by creating the VLAN map SERVER 1 that denies access to hosts in subnet 10.1.2.0/8, host 10.1.1.4, and host 10.1.1.8 and permits other IP traffic.
Note: When you use router ACLs with VLAN maps, packets that require logging on the router ACLs are not logged if they are denied by a VLAN map. If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not match the type, the default is to drop the packet. If there is no match clause in the VLAN map, and no action specified, the packet is forwarded if it does not match any VLAN map entry.
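The default-action rule in the note above is the part of VLAN maps that most often surprises people: a map that names only MAC ACLs silently drops every MAC packet those ACLs do not permit, while leaving IP packets untouched. The following Python is an added example, not code from the Cisco guide: it models the evaluation order of a VLAN map (entries by sequence number; an entry with no match clause applies to every packet; a packet type with match clauses but no matching entry is dropped; a type with no match clauses is forwarded). ACL matching is abstracted to a predicate per ACL name so the map logic stays in view; the predicates for ip1, good-hosts and good-protocols, the second good-hosts address and the good-protocols protocol set are constructed for this example, and the names MapEntry and vlan_map_action are its own.

```python
# Added example (not from the Cisco guide): the VLAN map evaluation rule from the note
# above, with ACLs abstracted to predicates. Sample maps follow Example 1 and Example 3
# of this chapter; the ACL contents themselves are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Predicate = Callable[[dict], bool]


@dataclass
class MapEntry:
    seq: int
    action: str = "forward"              # "forward" or "drop"
    match_type: Optional[str] = None     # "ip", "mac", or None for an entry with no match clause
    acls: List[str] = field(default_factory=list)


def vlan_map_action(entries: List[MapEntry], packet: dict, acl_table: Dict[str, Predicate]) -> str:
    """Return "forward" or "drop" for a packet dict with a "type" key of "ip" or "mac"."""
    ptype = packet["type"]
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.match_type is None:
            return entry.action          # no match clause: the entry applies to every packet
        if entry.match_type != ptype:
            continue
        if any(acl_table[name](packet) for name in entry.acls):
            return entry.action
    # No entry matched. Drop if the map has match clauses for this packet type, else forward.
    if any(e.match_type == ptype for e in entries):
        return "drop"
    return "forward"


# Constructed ACL contents: the page's ip1 permits any TCP packet; good-hosts and
# good-protocols are given illustrative members (the second host and the protocol set are
# this example's own, the page's list is cut off).
GOOD_HOSTS = {"0000.0c00.0111", "0000.0c00.0211"}
GOOD_PROTOCOLS = {"decnet-iv", "vines-ip"}
ACLS: Dict[str, Predicate] = {
    "ip1": lambda p: p.get("protocol") == "tcp",
    "good-hosts": lambda p: p.get("src_mac") in GOOD_HOSTS,
    "good-protocols": lambda p: p.get("protocol") in GOOD_PROTOCOLS,
}

# Example 1: drop packets matching ip1 (TCP), forward everything else.
MAP_EXAMPLE1 = [MapEntry(10, "drop", "ip", ["ip1"]), MapEntry(20, "forward")]

# Example 3: only MAC clauses, so unmatched MAC packets are dropped and IP packets forwarded.
MAP_EXAMPLE3 = [
    MapEntry(10, "forward", "mac", ["good-hosts"]),
    MapEntry(20, "forward", "mac", ["good-protocols"]),
]

if __name__ == "__main__":
    print(vlan_map_action(MAP_EXAMPLE1, {"type": "ip", "protocol": "tcp"}, ACLS))            # drop
    print(vlan_map_action(MAP_EXAMPLE3, {"type": "ip", "protocol": "tcp"}, ACLS))            # forward
    print(vlan_map_action(MAP_EXAMPLE3, {"type": "mac", "src_mac": "0000.0c00.9999",
                                         "protocol": "ipx"}, ACLS))                         # drop
```

Reading the two sample maps through this function makes the asymmetry explicit: MAP_EXAMPLE1 has an explicit catch-all forward entry, so nothing is dropped by default, whereas MAP_EXAMPLE3 has no catch-all and no IP clauses, so its implicit behaviour differs by packet type.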
Examples of Router ACLs and VLAN Maps Applied to VLANs This section gives examples of applying router ACLs and VLAN maps to a VLAN for switched, bridged, routed, and multicast packets. Although the following illustrations show packets being forwarded to their destination, each time the packet’s path crosses a line indicating a VLAN map or an ACL, it is also possible that the packet might be dropped, rather than forwarded.
Figure 33-7 Applying ACLs on Bridged Packets (figure: Host A on VLAN 10 and Host B on VLAN 20 connected through a fallback bridge; the VLAN 10 map and the VLAN 20 map are applied to the frame) ACLs and Routed Packets Figure 33-8 shows how ACLs are applied on routed packets. For routed packets, the ACLs are applied in this order: 1. VLAN map for input VLAN 2. Input router ACL 3. Output router ACL 4.
ACLs and Multicast Packets Figure 33-9 shows how ACLs are applied on packets that are replicated for IP multicasting. A multicast packet being routed has two different kinds of filters applied: one for destinations that are other ports in the input VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed.
Displaying IPv4 ACL Configuration Table 33-2 Commands for Displaying Access Lists and Access Groups (continued) Command: show ip interface interface-id Purpose: Display detailed configuration and status of an interface. If IP is enabled on the interface and ACLs have been applied by using the ip access-group interface configuration command, the access groups are included in the display.
CHAPTER 34 Configuring QoS This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the Catalyst 3560 switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Understanding QoS Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
Figure 34-1 QoS Classification Layers in Frames and Packets (figure: an encapsulated packet consists of a Layer 2 header, an IP header and data; a Layer 2 ISL frame consists of a 26-byte ISL header, the encapsulated frame (1... (24.5 KB)) and a 4-byte FCS, with 3 bits used for CoS; Layer 2 802.1Q and 802.
Figure 34-2 shows the basic QoS model. Actions at the ingress port include classifying traffic, policing, marking, queueing, and scheduling: • Classifying a distinct path for a packet by associating it with a QoS label. The switch maps the CoS or DSCP in the packet to a QoS label to distinguish one kind of traffic from another. The QoS label that is generated identifies all future QoS actions to be performed on this packet.
Classification Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally disabled, so no classification occurs. During classification, the switch performs a lookup and assigns a QoS label to the packet.
After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages. Figure 34-3 Classification Flowchart (flowchart: Start; read the ingress interface configuration for classification; for IP and non-IP traffic, trust CoS; trust DSCP (IP traffic); trust DSCP or IP precedence (non-IP traffic); trust IP precedence (IP traffic); assign a DSCP identical to the DSCP in the packet)
Classification Based on QoS ACLs You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs: • If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.
The policy map can contain the police and police aggregate policy-map class configuration commands, which define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded. To enable the policy map, you attach it to a port by using the service-policy interface configuration command. In software releases earlier than Cisco IOS Release 12.2(25)SE, you can apply a policy map only to a physical port.
Policing on Physical Ports In policy maps on physical ports, you can create these types of policers: • Individual—QoS applies the bandwidth limits specified in the policer separately to each matched traffic class. You configure this type of policer within a policy map by using the police policy-map class configuration command. • Aggregate—QoS applies the bandwidth limits specified in an aggregate policer cumulatively to all matched traffic flows.
Figure 34-4 Policing and Marking Flowchart on Physical Ports (flowchart: Start; get the classification result for the packet; is a policer configured for this packet? If yes, check whether the packet is in profile by querying the policer; an in-profile packet passes through; for an out-of-profile packet, check the out-of-profile action configured for this policer: Drop means drop the packet, Mark means modify the DSCP according to the policed-DSCP map and generate a new QoS label; Done)
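The decision in Figure 34-4, as an added example in Python rather than code from the Cisco guide. The policer itself is modelled as a token bucket with a rate in bits per second and a burst in bytes, which is this example's assumption about how "in profile" is decided; the two out-of-profile actions are the ones the flowchart shows, drop or mark down through a policed-DSCP map. The sample traffic, the 8 kb/s rate, the 1500-byte burst and the map entry marking DSCP 46 down to 0 are constructed; using an identity map when no entry exists is also an assumption. Class and function names are this example's own.

```python
# Added example (not from the Cisco guide): the policing and marking decision of Figure 34-4.
# The token bucket, the sample rates and the policed-DSCP map entries are constructed.
from typing import Dict, List, Optional, Tuple


class TokenBucketPolicer:
    def __init__(self, rate_bps: int, burst_bytes: int) -> None:
        self.rate = rate_bps / 8.0          # tokens (bytes) refilled per second
        self.burst = float(burst_bytes)     # bucket depth
        self.tokens = float(burst_bytes)    # bucket starts full
        self.last = 0.0                     # time of the last query, in seconds

    def in_profile(self, size_bytes: int, now: float) -> bool:
        """Refill for the elapsed time, then spend tokens if the packet fits."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False


def police(policer: Optional[TokenBucketPolicer], size_bytes: int, dscp: int, now: float,
           exceed_action: str = "drop",
           policed_dscp_map: Optional[Dict[int, int]] = None) -> Tuple[str, Optional[int]]:
    """Return (verdict, dscp): ("pass", dscp), ("drop", None) or ("mark", marked-down dscp)."""
    if policer is None:                           # no policer configured: pass through
        return ("pass", dscp)
    if policer.in_profile(size_bytes, now):       # in profile: pass through unchanged
        return ("pass", dscp)
    if exceed_action == "drop":
        return ("drop", None)
    if exceed_action == "policed-dscp-transmit":
        # Mark: consult the policed-DSCP map; the new DSCP becomes the packet's QoS label.
        new_dscp = (policed_dscp_map or {}).get(dscp, dscp)   # identity when unmapped (assumption)
        return ("mark", new_dscp)
    raise ValueError(f"unknown exceed action {exceed_action!r}")


def run_sample() -> List[Tuple[str, Optional[int]]]:
    """Constructed traffic: three 1000-byte DSCP 46 packets against an 8 kb/s, 1500-byte-burst policer."""
    policer = TokenBucketPolicer(rate_bps=8000, burst_bytes=1500)
    markdown = {46: 0}                            # constructed map: DSCP 46 marked down to 0
    verdicts = []
    for t in (0.0, 0.0, 1.0):                     # two packets back to back, then one a second later
        verdicts.append(police(policer, 1000, 46, now=t,
                               exceed_action="policed-dscp-transmit", policed_dscp_map=markdown))
    return verdicts


if __name__ == "__main__":
    print(run_sample())   # [('pass', 46), ('mark', 0), ('pass', 46)]
```

The second packet exceeds the remaining burst and is marked down rather than dropped; after one second of refill at 1000 bytes per second the bucket is full again and the third packet passes. Swapping the exceed action to "drop" turns the second verdict into a drop, which is the other branch of the flowchart.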
When configuring policing on an SVI, you can create and configure a hierarchical policy map with these two levels: • VLAN level—Create this primary level by configuring class maps and classes that specify the port trust state or set a new DSCP or IP precedence value in the packet. The VLAN-level policy map applies only to the VLAN in an SVI and does not support policers.
Mapping Tables During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS label based on the DSCP or CoS value from the classification stage: • During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or CoS value from a received CoS, DSCP, or IP precedence value. These maps include the CoS-to-DSCP map and the IP-precedence-to-DSCP map.
Queueing and Scheduling Overview The switch has queues at specific points to help prevent congestion as shown in Figure 34-6.
Figure 34-7 WTD and Queue Operation (figure: a 1000-frame queue with thresholds at 100% (1000 frames) for CoS 6-7, 60% (600 frames) for CoS 4-5, and 40% (400 frames) for CoS 0-3) For more information, see the “Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds” section on page 34-67, the “Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set” section on page 34-71, and the “Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID” section on page 34-73.
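Weighted tail drop as Figure 34-7 shows it, as an added example in Python rather than code from the Cisco guide: one queue of 1000 frames, thresholds at 40%, 60% and 100%, and CoS 0-3, 4-5 and 6-7 mapped to those thresholds respectively, taken from the figure. A frame is tail-dropped when the queue already holds as many frames as its class's threshold allows. The burst of sample traffic is constructed, the drain method only frees space without modelling which class leaves, and the class and function names are this example's own.

```python
# Added example (not from the Cisco guide): weighted tail drop on one queue with the numbers
# from Figure 34-7. The traffic burst is constructed.
from typing import Dict


class WtdQueue:
    def __init__(self, size: int, thresholds: Dict[int, int], cos_to_threshold: Dict[int, int]) -> None:
        self.size = size                          # total queue depth in frames
        self.thresholds = thresholds              # threshold id -> percentage of the queue size
        self.cos_to_threshold = cos_to_threshold  # CoS value -> threshold id
        self.occupancy = 0
        self.accepted: Dict[int, int] = {}
        self.dropped: Dict[int, int] = {}

    def limit_for(self, cos: int) -> int:
        """Number of frames the queue may hold before a frame of this CoS is dropped."""
        return self.size * self.thresholds[self.cos_to_threshold[cos]] // 100

    def enqueue(self, cos: int) -> bool:
        """Tail-drop the frame if the queue is already at its class's threshold."""
        if self.occupancy >= self.limit_for(cos):
            self.dropped[cos] = self.dropped.get(cos, 0) + 1
            return False
        self.occupancy += 1
        self.accepted[cos] = self.accepted.get(cos, 0) + 1
        return True

    def dequeue(self, n: int = 1) -> None:
        """The scheduler draining frames frees space; which class leaves is not modelled here."""
        self.occupancy = max(0, self.occupancy - n)


FIGURE_THRESHOLDS = {1: 40, 2: 60, 3: 100}                       # threshold id -> percent
FIGURE_COS_MAP = {0: 1, 1: 1, 2: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}  # CoS -> threshold id


def simulate_burst() -> Dict[str, int]:
    """Constructed burst with no draining: 500 CoS 0 frames, then 300 CoS 5, then 300 CoS 7."""
    q = WtdQueue(1000, FIGURE_THRESHOLDS, FIGURE_COS_MAP)
    for _ in range(500):
        q.enqueue(0)
    for _ in range(300):
        q.enqueue(5)
    for _ in range(300):
        q.enqueue(7)
    return {
        "occupancy": q.occupancy,
        "cos0_dropped": q.dropped.get(0, 0),
        "cos5_dropped": q.dropped.get(5, 0),
        "cos7_dropped": q.dropped.get(7, 0),
    }


if __name__ == "__main__":
    print(simulate_burst())   # {'occupancy': 900, 'cos0_dropped': 100, 'cos5_dropped': 100, 'cos7_dropped': 0}
```

The result shows the intent of WTD: low-priority CoS 0 traffic is the first to be discarded once the queue reaches 400 frames, CoS 5 is cut off at 600, and the CoS 6-7 class still has the remaining 400 frames of headroom when the lower classes are already being dropped.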
Chapter 34 Configuring QoS Understanding QoS Queueing and Scheduling on Ingress Queues Figure 34-8 shows the queueing and scheduling flowchart for ingress ports. Figure 34-8 Queueing and Scheduling Flowchart for Ingress Ports Start Read QoS label (DSCP or CoS value). Determine ingress queue number, buffer allocation, and WTD thresholds. Are thresholds being exceeded? No Yes Drop packet. Send packet to the internal ring. Note 90564 Queue the packet.
You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
Figure 34-9 Queueing and Scheduling Flowchart for Egress Ports [Flowchart: Start. Receive packet from the internal ring. Read QoS label (DSCP or CoS value). Determine egress queue number and threshold based on the label. Are thresholds being exceeded? If yes, drop packet. If no, queue the packet, service the queue according to the SRR weights, rewrite the DSCP and/or CoS value as appropriate, and send the packet out the port. Done.]
buffers) or not empty (free buffers). If the queue is not over-limit, the switch can allocate buffer space from the reserved pool or from the common pool (if it is not empty). If there are no free buffers in the common pool or if the queue is over-limit, the switch drops the frame.
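The buffer and threshold behaviour described above and in Figure 34-7 (weighted tail drop per threshold ID, reserved pool first, then the common pool, drop when the queue is over-limit or the common pool is empty) is easy to misread, so the following added example models it in Python. This is illustrative code, not the switch's implementation: the queue sizes, threshold percentages, CoS-to-threshold assignments and the offered traffic are constructed, and "over-limit" is modelled as the queue reaching its maximum threshold.

```python
from dataclasses import dataclass, field


@dataclass
class CommonPool:
    """Buffers shared by every queue on the port (stand-in for the common pool)."""
    free: int


@dataclass
class WtdQueue:
    reserved: int              # buffers reserved for this queue
    thresholds: tuple          # percent of reserved: (threshold 1, threshold 2, maximum)
    cos_to_threshold: dict     # CoS value -> threshold ID 1, 2 or 3 (3 = queue limit)
    depth: int = 0
    drops: dict = field(default_factory=lambda: {1: 0, 2: 0, 3: 0})

    def limit(self, threshold_id: int) -> int:
        return self.reserved * self.thresholds[threshold_id - 1] // 100

    def enqueue(self, cos: int, pool: CommonPool) -> bool:
        """Queue one frame; return False if it is tail-dropped."""
        tid = self.cos_to_threshold[cos]
        # WTD: drop once the queue holds as many frames as the threshold
        # assigned to this frame's CoS allows.  Threshold 3 is the maximum
        # threshold, so this check also covers the over-limit case.
        if self.depth >= self.limit(tid):
            self.drops[tid] += 1
            return False
        # Buffer accounting: reserved pool first, then borrow from the common pool.
        if self.depth >= self.reserved:
            if pool.free == 0:
                self.drops[tid] += 1
                return False
            pool.free -= 1
        self.depth += 1
        return True


def run_figure_34_7(frames: int = 2000):
    """Figure 34-7 numbers: 1000-buffer queue, thresholds 40/60/100 percent,
    CoS 0-3 -> threshold 1, CoS 4-5 -> threshold 2, CoS 6-7 -> threshold 3.
    Constructed load: frames cycle through CoS 0..7 and nothing is dequeued."""
    q = WtdQueue(1000, (40, 60, 100),
                 {0: 1, 1: 1, 2: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3})
    pool = CommonPool(0)
    for i in range(frames):
        q.enqueue(i % 8, pool)
    return q.depth, q.drops


def run_common_pool_exhaustion():
    """Constructed over-limit case: 100 reserved buffers, maximum threshold
    400 percent, 150 free buffers in the common pool, 300 CoS 7 frames.
    The queue grows past its reservation only while the common pool has
    free buffers; after that the switch drops the frame."""
    q = WtdQueue(100, (100, 200, 400), {7: 3})
    pool = CommonPool(150)
    for _ in range(300):
        q.enqueue(7, pool)
    return q.depth, pool.free, q.drops[3]


if __name__ == "__main__":
    print(run_figure_34_7())            # low-priority CoS is dropped first
    print(run_common_pool_exhaustion())  # queue stops at reserved + common pool
```

In the Figure 34-7 run the CoS 0-3 frames start being dropped once the queue holds 400 frames, CoS 4-5 at 600, while CoS 6-7 frames are still accepted; in the second run the queue can never reach its 400 percent maximum because the common pool runs out first.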
modify it. You map a port to queue-set by using the queue-set qset-id interface configuration command. Modify the queue-set configuration to change the WTD threshold percentages. For more information about how WTD works, see the “Weighted Tail Drop” section on page 34-13. Shaped or Shared Mode SRR services each queue-set in shared or shaped mode.
The input mutation causes the DSCP to be rewritten depending on the new value of DSCP chosen. The set action in a policy map also causes the DSCP to be rewritten. Configuring Auto-QoS You can use the auto-QoS feature to simplify the deployment of existing QoS features.
Table 34-3 shows the generated auto-QoS configuration for the ingress queues.
Table 34-3 Auto-QoS Configuration for the Ingress Queues
Ingress Queue   Queue Number   CoS-to-Queue Map    Queue Weight (Bandwidth)   Queue (Buffer) Size
SRR shared      1              0, 1                81 percent                 67 percent
Priority        2              2, 3, 4, 5, 6, 7    19 percent                 33 percent
Table 34-4 shows the generated auto-QoS configuration for the egress queues.
When you enable auto-QoS by using the auto qos voip cisco-phone, the auto qos voip cisco-softphone, or the auto qos voip trust interface configuration command, the switch automatically generates a QoS configuration based on the traffic type and ingress packet label and applies the commands listed in Table 34-5 to the port.
Table 34-5 Generated Auto-QoS Configuration (continued) Description Automatically Generated Command The switch automatically maps DSCP values to an egress queue and to a threshold ID.
Table 34-5 Generated Auto-QoS Configuration (continued) Description Automatically Generated Command If you entered the auto qos voip trust command, the switch automatically sets the ingress classification to trust the CoS value received in the packet on a nonrouted port by using the mls qos trust cos command or to trust the DSCP value received in the packet on a routed port by using the mls qos trust dscp command.
Table 34-5 Generated Auto-QoS Configuration (continued) Description Automatically Generated Command If you entered the auto qos voip cisco-phone command, the switch automatically creates class maps and policy maps.
• Beginning with Cisco IOS Release 12.2(40)SE, Auto-QoS VoIP uses the priority-queue interface configuration command for an egress interface. You can also configure a policy-map and trust device on the same interface for Cisco IP phones.
• If the switch port was configured by using the auto qos voip cisco-phone interface configuration command in Cisco IOS Release 12.2(37)SE or earlier, the auto-QoS generated commands new to Cisco IOS Release 12.
Enabling Auto-QoS for VoIP Beginning in privileged EXEC mode, follow these steps to enable auto-QoS for VoIP within a QoS domain: Command Purpose Step 1 configure terminal Enter global configuration mode.
Switch(config-if)# auto qos voip trust
Auto-QoS Configuration Example This section describes how you could implement auto-QoS in a network, as shown in Figure 34-11. For optimum QoS performance, enable auto-QoS on all the devices in the network. Figure 34-11 Auto-QoS Configuration Example Network [Figure: a Cisco router connected to the Internet, trunk links between the switches, and a video server at 172.20.10.…]
Beginning in privileged EXEC mode, follow these steps to configure the switch at the edge of the QoS domain to prioritize the VoIP traffic over all other traffic: Command Purpose Step 1 debug auto qos Enable debugging for auto-QoS. When debugging is enabled, the switch displays the QoS configuration that is automatically generated when auto-QoS is enabled. Step 2 configure terminal Enter global configuration mode.
• show mls qos maps [cos-dscp | cos-input-q | cos-output-q | dscp-cos | dscp-input-q | dscp-output-q]
• show mls qos input-queue
• show running-config
For more information about these commands, see the command reference for this release. Configuring Standard QoS Before configuring standard QoS, you must have a thorough understanding of these items:
• The types of applications used and the traffic patterns on your network.
Default Ingress Queue Configuration Table 34-6 shows the default ingress queue configuration when QoS is enabled.
Table 34-6 Default Ingress Queue Configuration
Feature                       Queue 1       Queue 2
Buffer allocation             90 percent    10 percent
Bandwidth allocation (1)      4             4
Priority queue bandwidth (2)  0             10
WTD drop threshold 1          100 percent   100 percent
WTD drop threshold 2          100 percent   100 percent
1. The bandwidth is equally shared between the queues.
Table 34-9 Default Egress Queue Configuration (continued)
Feature                          Queue 1       Queue 2       Queue 3       Queue 4
Maximum threshold                400 percent   400 percent   400 percent   400 percent
SRR shaped weights (absolute) (1) 25           0             0             0
SRR shared weights (2)           25            25            25            25
1. A shaped weight of zero means that this queue is operating in shared mode.
2. One quarter of the bandwidth is allocated to each queue.
Standard QoS Configuration Guidelines Before beginning the QoS configuration, you should be aware of this information in these sections:
• “QoS ACL Guidelines” section on page 34-33
• “Applying QoS on Interfaces” section on page 34-33
• “Policing Guidelines” section on page 34-34
• “General QoS Guidelines” section on page 34-34
QoS ACL Guidelines These are the guidelines for configuring QoS with access control lists (ACLs):
• It is not poss
– After the hierarchical policy map is attached to an SVI, the interface-level policy map cannot be modified or removed from the hierarchical policy map. A new interface-level policy map also cannot be added to the hierarchical policy map. If you want these changes to occur, the hierarchical policy map must first be removed from the SVI. You also cannot add or remove a class map specified in the hierarchical policy map.
Enabling QoS Globally By default, QoS is disabled on the switch. Beginning in privileged EXEC mode, follow these steps to enable QoS. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos Enable QoS globally.
Configuring Classification Using Port Trust States These sections describe how to classify incoming traffic by using port trust states.
Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be trusted, and enter interface configuration mode. Valid interfaces include physical ports. Step 3 mls qos trust [cos | dscp | ip-precedence] Configure the port trust state.
Configuring the CoS Value for an Interface QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports. Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port: Command Purpose Step 1 configure terminal Enter global configuration mode.
the telephone is connected to trust the CoS labels of all traffic received on that port. Use the mls qos trust dscp interface configuration command to configure a routed port to which the telephone is connected to trust the DSCP labels of all traffic received on that port.
Enabling DSCP Transparency Mode In software releases earlier than Cisco IOS Release 12.2(25)SE, if QoS is disabled, the DSCP value of the incoming IP packet is not modified. If QoS is enabled and you configure the interface to trust DSCP, the switch does not modify the DSCP value. If you configure the interface to trust CoS, the switch modifies the DSCP value according to the CoS-to-DSCP map. In Cisco IOS Release 12.
stage of QoS. If the two domains use different DSCP values, you can configure the DSCP-to-DSCP-mutation map to translate a set of DSCP values to match the definition in the other domain. Figure 34-13 DSCP-Trusted State on a Port Bordering Another QoS Domain [Figure: QoS Domain 1 and QoS Domain 2 joined at a switch port; on the border port, set the interface to the DSCP-trusted state and configure the DSCP-to-DSCP-mutation map.]
Command Purpose Step 7 show mls qos maps dscp-mutation Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To return a port to its non-trusted state, use the no mls qos trust interface configuration command. To return to the default DSCP-to-DSCP-mutation map values, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command.
Classifying Traffic by Using ACLs You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs. Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard Create an IP extended ACL, repeating the command as many times as necessary. • For access-list-number, enter the access list number.
Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac access-list extended name Create a Layer 2 MAC ACL by specifying the name of the list. After entering this command, the mode changes to extended MAC ACL configuration.
Classifying Traffic by Using Class Maps You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further classify it. Match statements can include criteria such as an ACL, IP precedence values, or DSCP values.
Command Purpose Step 4 match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list} Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported. • For access-group acl-index-or-name, specify the number or name of the ACL created in Step 2.
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps You can configure a nonhierarchical policy map on a physical port that specifies which traffic class to act on.
Beginning in privileged EXEC mode, follow these steps to create a nonhierarchical policy map: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 class-map [match-all | match-any] class-map-name Create a class map, and enter class-map configuration mode. By default, no class maps are defined. • (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map.
Command Purpose Step 5 trust [cos | dscp | ip-precedence] Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label. Note This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, go to Step 6. By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
Command Purpose Step 8 exit Return to policy map configuration mode. Step 9 exit Return to global configuration mode. Step 10 interface interface-id Specify the port to attach to the policy map, and enter interface configuration mode. Valid interfaces include physical ports. Step 11 service-policy input policy-map-name Specify the policy-map name, and apply it to an ingress port. Only one policy map per ingress port is supported.
Switch(config-ext-mac)# exit
Switch(config)# class-map macclass1
Switch(config-cmap)# match access-group maclist1
Switch(config-cmap)# exit
Switch(config)# policy-map macpolicy1
Switch(config-pmap)# class macclass1
Switch(config-pmap-c)# set dscp 63
Switch(config-pmap-c)# exit
Switch(config-pmap)# class macclass2 maclist2
Switch(config-pmap-c)# set dscp 45
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet0/1
• The hierarchical policy map is attached to the SVI and affects all traffic belonging to the VLAN. The actions specified in the VLAN-level policy map affect the traffic belonging to the SVI. The police action on the port-level policy map affects the ingress traffic on the affected physical interfaces.
• When configuring a hierarchical policy map on trunk ports, the VLAN ranges must not overlap.
Command Purpose Step 5 exit Return to global configuration mode. Step 6 class-map [match-all | match-any] class-map-name Create an interface-level class map, and enter class-map configuration mode. By default, no class maps are defined. • (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map. All match criteria in the class map must be matched.
Command Purpose Step 12 police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}] Define an individual policer for the classified traffic. By default, no policer is defined. For information on the number of policers supported, see the “Standard QoS Configuration Guidelines” section on page 34-33. • For rate-bps, specify average traffic rate in bits per second (b/s). The range is 8000 to 1000000000.
Command Purpose Step 17 trust [cos | dscp | ip-precedence] Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label. Note This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, omit Step 18. By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
Command Purpose Step 23 service-policy input policy-map-name Specify the VLAN-level policy-map name, and apply it to the SVI. Repeat the previous step and this command to apply the policy map to other SVIs. If the hierarchical VLAN-level policy map has more than one interface-level policy map, all class maps must be configured to the same VLAN-level policy map specified in the service-policy policy-map-name command.
Switch(config-pmap)# class-map cm-2
Switch(config-pmap-c)# match ip dscp 2
Switch(config-pmap-c)# service-policy port-plcmap-1
Switch(config-pmap)# exit
Switch(config-pmap)# class-map cm-3
Switch(config-pmap-c)# match ip dscp 3
Switch(config-pmap-c)# service-policy port-plcmap-2
Switch(config-pmap)# exit
Switch(config-pmap)# class-map cm-4
Switch(config-pmap-c)# trust dscp
Switch(config-pmap)# exit
Switch(config)# interface vlan 10
Switch(config-if)# se
Command Purpose Step 4 policy-map policy-map-name Create a policy map by entering the policy map name, and enter policy-map configuration mode. For more information, see the “Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps” section on page 34-48. Step 5 class class-map-name Define a traffic classification, and enter policy-map class configuration mode.
Switch(config-pmap-c)# trust dscp
Switch(config-pmap-c)# police aggregate transmit1
Switch(config-pmap-c)# exit
Switch(config-pmap)# class ipclass2
Switch(config-pmap-c)# set dscp 56
Switch(config-pmap-c)# police aggregate transmit1
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# service-policy input aggflow1
Switch(config-if)# exit
Configuring DSCP Maps These sections contain this c
Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map cos-dscp dscp1...dscp8 Modify the CoS-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to CoS values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63. Step 3 end Return to privileged EXEC mode. Step 4 show mls qos maps cos-dscp Verify your entries.
Switch# show mls qos maps cos-dscp
   Cos-dscp map:
        cos:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:  10 15 20 25 30 35 40 45
Configuring the IP-Precedence-to-DSCP Map You use the IP-precedence-to-DSCP map to map IP precedence values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic.
Switch# show mls qos maps ip-prec-dscp
   IpPrecedence-dscp map:
     ipprec:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:  10 15 20 25 30 35 40 45
Configuring the Policed-DSCP Map You use the policed-DSCP map to mark down a DSCP value to a new value as the result of a policing and marking action. The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value.
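The interaction between the police command of the policy-map procedure (police rate-bps burst-byte with exceed-action drop or policed-dscp-transmit), the in-profile check of Figure 34-4, and the policed-DSCP map described above is shown by the following added example. It is a constructed token-bucket model written for this guide excerpt, not the switch's own code: the Catalyst hardware's bucket arithmetic is not documented here, the traffic pattern and the mark-down entry (EF, DSCP 46, marked down to CS1, DSCP 8) are invented, and the policed-DSCP map is a plain dict standing in for the switch's table.

```python
class Policer:
    """Single-rate policer: a bucket of burst_bytes tokens refilled at rate_bps.

    Packets that fit in the bucket are in profile and pass through unchanged.
    Out-of-profile packets are dropped, or with policed-dscp-transmit are
    marked down through the policed-DSCP map and transmitted.  Time is kept
    in microseconds and tokens in whole bytes so the refill stays exact.
    Model only; not the switch's implementation."""

    def __init__(self, rate_bps, burst_bytes, exceed_action="drop",
                 policed_dscp_map=None):
        if not 8000 <= rate_bps <= 1_000_000_000:       # rate-bps range from the guide
            raise ValueError("rate-bps must be 8000 to 1000000000")
        if exceed_action not in ("drop", "policed-dscp-transmit"):
            raise ValueError("exceed-action must be drop or policed-dscp-transmit")
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.exceed_action = exceed_action
        # The default policed-DSCP map is the null map: every DSCP maps to itself.
        self.policed_dscp = policed_dscp_map or {}
        self.tokens = burst_bytes                         # bucket starts full
        self.last_us = 0

    def police(self, size_bytes, now_us, dscp):
        """Return ('transmit', dscp) or ('drop', None) for one packet."""
        elapsed_us = now_us - self.last_us
        self.last_us = now_us
        # bytes refilled = elapsed seconds * rate / 8
        self.tokens = min(self.burst_bytes,
                          self.tokens + elapsed_us * self.rate_bps // 8_000_000)
        if size_bytes <= self.tokens:                     # in profile: pass through
            self.tokens -= size_bytes
            return ("transmit", dscp)
        if self.exceed_action == "drop":                  # out of profile: drop
            return ("drop", None)
        # out of profile: mark down via the policed-DSCP map and transmit
        return ("transmit", self.policed_dscp.get(dscp, dscp))


def police_constructed_burst(exceed_action):
    """Constructed traffic: six 1500-byte DSCP 46 packets arriving together,
    then one more 12 ms later, against a 1 Mb/s policer with an 8000-byte
    burst and a policed-DSCP map entry 46 -> 8."""
    policer = Policer(1_000_000, 8000, exceed_action, {46: 8})
    arrivals = [(1500, 0)] * 6 + [(1500, 12_000)]
    return [policer.police(size, t_us, 46) for size, t_us in arrivals]


if __name__ == "__main__":
    for action in ("policed-dscp-transmit", "drop"):
        print(action, police_constructed_burst(action))
```

Five packets fit the 8000-byte burst; the sixth exceeds it and is either dropped or sent as DSCP 8, and after 12 ms the bucket has refilled by 1500 bytes so the seventh packet is in profile again. Out-of-profile packets do not consume tokens, which is why the seventh packet passes.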
Configuring the DSCP-to-CoS Map You use the DSCP-to-CoS map to generate a CoS value, which is used to select one of the four egress queues. Table 34-14 shows the default DSCP-to-CoS map.
Table 34-14 Default DSCP-to-CoS Map
DSCP Value   CoS Value
0–7          0
8–15         1
16–23        2
24–31        3
32–39        4
40–47        5
48–55        6
56–63        7
If these values are not appropriate for your network, you need to modify them.
         3 :    03 03 00 04 04 04 04 04 04 04
         4 :    00 05 05 05 05 05 05 05 00 06
         5 :    00 06 06 06 06 06 07 07 07 07
         6 :    07 07 07 07
Note In the above DSCP-to-CoS map, the CoS values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the DSCP; the d2 row specifies the least-significant digit of the DSCP. The intersection of the d1 and d2 values provides the CoS value.
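The mapping tables introduced in the Understanding QoS section, the mls qos map cos-dscp command, and the d1/d2 matrix above are modelled in the following added example. It is not the switch's code: it keeps the default CoS-to-DSCP and DSCP-to-CoS tables, accepts the two mls qos map global configuration commands that change them (mls qos map dscp-cos dscp-list to cos is standard IOS syntax for this platform but is not quoted in this excerpt), and renders the DSCP-to-CoS table in the d1/d2 layout of show mls qos maps dscp-cos. The label_for_trusted_cos helper is an assumption of this example: it follows one frame received on a CoS-trusted port through both tables.

```python
import re

# Default maps from the guide: CoS-to-DSCP is CoS*8; DSCP-to-CoS is the top
# three bits of the DSCP (Table 34-14: 0-7 -> 0, 8-15 -> 1, ..., 56-63 -> 7).
DEFAULT_COS_TO_DSCP = {cos: cos * 8 for cos in range(8)}
DEFAULT_DSCP_TO_COS = {dscp: dscp >> 3 for dscp in range(64)}


class QosMaps:
    """CoS-to-DSCP and DSCP-to-CoS tables plus a parser for the two
    'mls qos map' commands that modify them.  Example model, not switch code."""

    def __init__(self):
        self.cos_dscp = dict(DEFAULT_COS_TO_DSCP)
        self.dscp_cos = dict(DEFAULT_DSCP_TO_COS)

    def apply(self, command: str) -> None:
        cmd = command.strip()
        # mls qos map cos-dscp dscp1 ... dscp8 : eight DSCPs for CoS 0 to 7
        m = re.fullmatch(r"mls qos map cos-dscp((?: \d+){8})", cmd)
        if m:
            dscps = [int(v) for v in m.group(1).split()]
            if any(not 0 <= d <= 63 for d in dscps):
                raise ValueError("DSCP values must be 0 to 63")
            self.cos_dscp = dict(zip(range(8), dscps))
            return
        # mls qos map dscp-cos dscp-list to cos : up to eight DSCPs to one CoS
        m = re.fullmatch(r"mls qos map dscp-cos((?: \d+){1,8}) to (\d)", cmd)
        if m:
            dscps = [int(v) for v in m.group(1).split()]
            cos = int(m.group(2))
            if any(not 0 <= d <= 63 for d in dscps) or cos > 7:
                raise ValueError("DSCP must be 0 to 63 and CoS 0 to 7")
            for d in dscps:
                self.dscp_cos[d] = cos
            return
        raise ValueError(f"unsupported command: {command!r}")

    def label_for_trusted_cos(self, cos: int) -> tuple:
        """(internal DSCP, egress CoS) for a frame received on a CoS-trusted
        port: CoS-to-DSCP on ingress, then DSCP-to-CoS on egress."""
        dscp = self.cos_dscp[cos]
        return dscp, self.dscp_cos[dscp]

    def matrix_rows(self) -> list:
        """Render the DSCP-to-CoS map as 'show mls qos maps dscp-cos' lays it
        out: d1 (tens digit of the DSCP) down the side, d2 (units) across."""
        rows = []
        for d1 in range(7):
            cells = [f"{self.dscp_cos[d1 * 10 + d2]:02d}"
                     for d2 in range(10) if d1 * 10 + d2 <= 63]
            rows.append(f"{d1} :    " + " ".join(cells))
        return rows


if __name__ == "__main__":
    maps = QosMaps()
    maps.apply("mls qos map dscp-cos 0 8 16 24 32 40 48 50 to 0")
    print("\n".join(maps.matrix_rows()))
    maps.apply("mls qos map cos-dscp 10 15 20 25 30 35 40 45")
    print(maps.label_for_trusted_cos(5))   # CoS 5 -> DSCP 35 -> egress CoS 4
```

Rows 3 to 6 of the rendered matrix reproduce the table above. The second command is the CoS-to-DSCP example shown earlier in this section; following a CoS 5 frame through it shows why a changed CoS-to-DSCP map needs a matching DSCP-to-CoS map: with the default DSCP-to-CoS table, DSCP 35 leaves the switch as CoS 4, not the CoS 5 it arrived with.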
To return to the default map, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command. This example shows how to define the DSCP-to-DSCP-mutation map.
Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped. Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and to set WTD thresholds. This procedure is optional.
This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent.
Beginning in privileged EXEC mode, follow these steps to allocate bandwidth between the ingress queues. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue input bandwidth weight1 weight2 Assign shared round robin weights to the ingress queues. The default setting for weight1 and weight2 is 4 (1/2 of the bandwidth is equally shared between the two queues).
Beginning in privileged EXEC mode, follow these steps to configure the priority queue. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue input priority-queue queue-id bandwidth weight Assign a queue as the priority queue and guarantee bandwidth on the internal ring if the ring is congested.
These sections contain this configuration information:
• Configuration Guidelines, page 34-71
• Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, page 34-71 (optional)
• Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, page 34-73 (optional)
• Configuring SRR Shaped Weights on Egress Queues, page 34-74 (optional)
• Configuring SRR Shared Weights on Egress Queues, page 34-75 (optional)
• Configuri
Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and the drop thresholds for a queue-set. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos queue-set output qset-id buffers allocation1 ... allocation4 Allocate buffers to a queue-set. By default, all allocation values are equally mapped among the four queues (25, 25, 25, 25).
Command Purpose Step 7 show mls qos interface [interface-id] buffers Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command. To return to the default WTD threshold percentages, use the no mls qos queue-set output qset-id threshold [queue-id] global configuration command.
Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an egress queue and to a threshold ID. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue output dscp-map queue queue-id threshold threshold-id dscp1...dscp8 Map DSCP or CoS values to an egress queue and to a threshold ID.
You can configure the egress queues for shaped or shared weights, or both. Use shaping to smooth bursty traffic or to provide a smoother output over time. For information about shaped weights, see the “SRR Shaping and Sharing” section on page 34-14. For information about shared weights, see the “Configuring SRR Shared Weights on Egress Queues” section on page 34-75.
Note The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution. Beginning in privileged EXEC mode, follow these steps to assign the shared weights and to enable bandwidth sharing on the four egress queues mapped to a port. This procedure is optional.
Command Purpose Step 4 priority-queue out Enable the egress expedite queue, which is disabled by default. When you configure this command, the SRR weight and queue size ratios are affected because there is one less queue participating in SRR. This means that weight1 in the srr-queue bandwidth shape or the srr-queue bandwidth share command is ignored (not used in the ratio calculation). Step 5 end Return to privileged EXEC mode.
This example shows how to limit the bandwidth on a port to 80 percent:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# srr-queue bandwidth limit 80
When you configure this command to 80 percent, the port is idle 20 percent of the time. The line rate drops to 80 percent of the connected speed, which is 800 Mb/s. These values are not exact because the hardware adjusts the line rate in increments of six.
Chapter 35 Configuring EtherChannels and Link-State Tracking This chapter describes how to configure EtherChannels on Layer 2 and Layer 3 ports on the Catalyst 3560 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
EtherChannel Overview An EtherChannel consists of individual Fast Ethernet or Gigabit Ethernet links bundled into a single logical link as shown in Figure 35-1.
If a link within an EtherChannel fails, traffic previously carried over that failed link moves to the remaining links within the EtherChannel. If traps are enabled on the switch, a trap is sent for a failure that identifies the switch, the EtherChannel, and the failed link. Inbound broadcast and multicast packets on one link in an EtherChannel are blocked from returning on any other link of the EtherChannel.
After you configure an EtherChannel, configuration changes applied to the port-channel interface apply to all the physical ports assigned to the port-channel interface. Configuration changes applied to the physical port affect only the port where you apply the configuration.
Use the silent mode when the switch is connected to a device that is not PAgP-capable and seldom, if ever, sends packets. An example of a silent partner is a file server or a packet analyzer that is not generating traffic. In this case, running PAgP on a physical port connected to a silent partner prevents that switch port from ever becoming operational.
LACP Modes Table 35-2 shows the user-configurable EtherChannel LACP modes for the channel-group interface configuration command. Table 35-2 EtherChannel LACP Modes Mode Description active Places a port into an active negotiating state in which the port starts negotiations with other ports by sending LACP packets.
Caution You should use care when using the on mode. This is a manual configuration, and ports on both ends of the EtherChannel must have the same configuration. If the group is misconfigured, packet loss or spanning-tree loops can occur.
single-MAC-address device, source-based forwarding on the switch EtherChannel ensures that the switch uses all available bandwidth to the router. The router is configured for destination-based forwarding because the large number of workstations ensures that the traffic is evenly distributed from the router EtherChannel. Use the option that provides the greatest variety in your configuration.
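The effect of choosing source-based or destination-based forwarding toward a single-MAC-address device, as described above, is shown by the following added example. It is a constructed, simplified model rather than the switch's hashing logic: it selects a member link from the low-order bits of the source and/or destination MAC address (XORed for src-dst-mac), and the workstation and router MAC addresses are invented. The method names match the keywords of the port-channel load-balance global configuration command.

```python
def mac_low_bits(mac: str, n_bits: int) -> int:
    """Low-order bits of a MAC address written as aa:bb:cc:dd:ee:ff."""
    last_octet = int(mac.split(":")[-1], 16)
    return last_octet & ((1 << n_bits) - 1)


def select_link(method: str, src_mac: str, dst_mac: str, n_links: int) -> int:
    """Pick the EtherChannel member link (0..n_links-1) for one frame.

    Simplified model (not the switch's algorithm): the low-order bits of the
    selected address(es) choose the link; src-dst-mac XORs the two.
    n_links must be 2, 4 or 8."""
    n_bits = {2: 1, 4: 2, 8: 3}[n_links]
    if method == "src-mac":
        return mac_low_bits(src_mac, n_bits)
    if method == "dst-mac":
        return mac_low_bits(dst_mac, n_bits)
    if method == "src-dst-mac":
        return mac_low_bits(src_mac, n_bits) ^ mac_low_bits(dst_mac, n_bits)
    raise ValueError(f"unknown load-balance method {method!r}")


# Constructed topology: eight workstations behind the switch and one router
# (a single-MAC-address device) at the far end of a four-link EtherChannel.
WORKSTATIONS = [f"00:11:22:33:44:0{i}" for i in range(8)]
ROUTER = "00:aa:bb:cc:dd:ee"


def link_distribution(method: str, n_links: int = 4) -> dict:
    """Frames per member link for one frame from each workstation to the router."""
    counts = {link: 0 for link in range(n_links)}
    for ws in WORKSTATIONS:
        counts[select_link(method, ws, ROUTER, n_links)] += 1
    return counts


if __name__ == "__main__":
    print("dst-mac:", link_distribution("dst-mac"))   # everything on one link
    print("src-mac:", link_distribution("src-mac"))   # spread over all four
```

With destination-based forwarding every workstation-to-router frame hashes on the router's single MAC address and lands on the same member link, leaving the other three idle; source-based forwarding spreads the same frames across all four links, which is the choice the text recommends on the switch side.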
Chapter 35 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Note Make sure that the ports are correctly configured. For more information, see the “EtherChannel Configuration Guidelines” section on page 35-9.
Chapter 35 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels • When a group is first created, all ports follow the parameters set for the first port to be added to the group.
Chapter 35 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Beginning in privileged EXEC mode, follow these steps to assign a Layer 2 Ethernet port to a Layer 2 EtherChannel. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify a physical port, and enter interface configuration mode. Valid interfaces include physical ports.
Chapter 35 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Step 4 Command Purpose channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive} Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 48. For mode, select one of these keywords: • auto—Enables PAgP only if a PAgP device is detected.
Chapter 35 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels This example shows how to configure an EtherChannel.
Chapter 35 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Step 7 Command Purpose copy running-config startup-config (Optional) Save your entries in the configuration file. Step 8 Assign an Ethernet port to the Layer 3 EtherChannel. For more information, see the “Configuring the Physical Interfaces” section on page 35-14. To remove the port-channel, use the no interface port-channel port-channel-number global configuration command.
Chapter 35 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Step 5 Command Purpose channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive} Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 48. This number must be the same as the port-channel-number (logical port) configured in the “Creating Port-Channel Logical Interfaces” section on page 35-13.
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# end
Configuring EtherChannel Load Balancing
This section describes how to configure EtherChannel load balancing by using source-based or destination-based forwarding methods. For more information, see the “Load Balancing and Forwarding Methods” section on page 35-7.
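The following is an added, complete configuration example for the Layer 2 LACP EtherChannel and load-balancing procedures described above; it is not taken from the guide. Port numbers (Gigabit Ethernet 0/1 and 0/2), the VLAN list, and the choice of source-MAC load distribution are assumptions.

```ios
! Added example (not from the guide): Layer 2 LACP EtherChannel, port-channel 5,
! built from Gigabit Ethernet ports 0/1 and 0/2 (interface numbers assumed).
Switch# configure terminal
Switch(config)# interface range gigabitethernet0/1 - 2
Switch(config-if-range)# switchport mode trunk
Switch(config-if-range)# switchport trunk allowed vlan 10,20
! LACP active on both ends: the bundle forms only after both sides negotiate.
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# exit
! channel-group creates the logical interface; configure the bundle there from now on.
Switch(config)# interface port-channel 5
Switch(config-if)# description LACP bundle to distribution switch
Switch(config-if)# exit
! Source-MAC load distribution (assumed choice among the methods the guide lists).
Switch(config)# port-channel load-balance src-mac
Switch(config)# end
! Verification
Switch# show etherchannel 5 summary
Switch# show lacp neighbor
Switch# copy running-config startup-config
```

Using active (LACP) rather than the static on keyword means a miscabled or unilaterally configured port is left out of the bundle instead of being forced into it, which is the usual safeguard against forwarding loops on aggregated links. show etherchannel 5 summary should list both member ports as bundled (P) once the neighbor agrees.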
PAgP cannot automatically detect when the partner device is a physical learner and when the local device is an aggregate-port learner. Therefore, you must manually set the learning method on the local device to learn addresses by physical ports. You also must set the load-distribution method to source-based distribution, so that any given source MAC address is always sent on the same physical port.
Step 4  pagp port-priority priority
    Assign a priority so that the selected port is chosen for packet transmission. For priority, the range is 0 to 255. The default is 128. The higher the priority, the more likely that the port will be used for PAgP transmission.
Step 5  end
    Return to privileged EXEC mode.
Step 6  show running-config
    Verify your entries.
Configuring the LACP System Priority
You can configure the system priority for all the EtherChannels that are enabled for LACP by using the lacp system-priority global configuration command. You cannot configure a system priority for each LACP-configured channel. By changing this value from the default, you can affect how the software selects active and standby links.
Beginning in privileged EXEC mode, follow these steps to configure the LACP port priority. This procedure is optional.
Step 1  configure terminal
    Enter global configuration mode.
Step 2  interface interface-id
    Specify the port to be configured, and enter interface configuration mode.
Step 3  lacp port-priority priority
    Configure the LACP port priority.
Understanding Link-State Tracking
Link-state tracking, also known as trunk failover, is a feature that binds the link state of multiple interfaces. For example, link-state tracking provides redundancy in the network when used with server NIC adapter teaming.
• If any of the upstream interfaces are in the link-up state, the downstream interfaces can change to or remain in the link-up state.
• If all of the upstream interfaces become unavailable, link-state tracking automatically puts the downstream interfaces in the error-disabled state.
Figure 35-4 Typical Link-State Tracking Configuration (figure not reproduced: Switch A and Switch B each carry link-state group 1 and link-state group 2, with upstream ports toward distribution switch 1 and distribution switch 2 and downstream ports toward servers)
Default Link-State Tracking Configuration
There are no link-state groups defined, and link-state tracking is not enabled for any group.
Link-State Tracking Configuration Guidelines
Follow these guidelines to avoid configuration problems:
• An interface that is defined as an upstream interface cannot also be defined as a downstream interface in the same or a different link-state group. The reverse is also true.
To disable a link-state group, use the no link state track number global configuration command.
Displaying Link-State Tracking Status
Use the show link state group command to display the link-state group information. Enter this command without keywords to display information about all link-state groups. Enter the group number to display information specific to the group.
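An added configuration example for the link-state tracking behavior described above (not from the guide): one link-state group on a single access switch, with two uplinks as upstream interfaces and the server-facing ports as downstream interfaces. Interface numbers are assumed.

```ios
! Added example (not from the guide): link-state group 1 binds two uplinks
! (upstream) to eight server ports (downstream). Interface numbers assumed.
Switch# configure terminal
! Create and enable the group.
Switch(config)# link state track 1
! Uplinks toward the distribution layer are the upstream interfaces.
Switch(config)# interface range gigabitethernet0/23 - 24
Switch(config-if-range)# link state group 1 upstream
Switch(config-if-range)# exit
! Server-facing ports are the downstream interfaces; they are error-disabled
! only when every upstream interface in the group is down.
Switch(config)# interface range gigabitethernet0/1 - 8
Switch(config-if-range)# link state group 1 downstream
Switch(config-if-range)# end
! Verification: lists upstream and downstream members and their state.
Switch# show link state group 1 detail
```

The point of the design is fail-closed behavior on the access side: with both uplinks down, the servers' teamed NICs see their own link drop and fail over to the partner switch instead of black-holing traffic into an isolated switch. Remember the guideline above: a port can be upstream or downstream, never both.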
CHAPTER 36 Configuring IP Unicast Routing
This chapter describes how to configure IP Version 4 (IPv4) unicast routing on the Catalyst 3560 switch. Basic routing functions, including static routing and the Routing Information Protocol (RIP), are available with both the IP base image (formerly known as the standard multilayer image [SMI]) and the IP services image (formerly known as the enhanced multilayer image [EMI]).
• Configuring Protocol-Independent Features, page 36-86
• Monitoring and Maintaining the IP Network, page 36-100
Note When configuring routing parameters on the switch and to allocate system resources to maximize the number of unicast routes allowed, you can use the sdm prefer routing global configuration command to set the Switch Database Management (sdm) feature to the routing template.
Static unicast routing forwards packets from predetermined ports through a single path into and out of a network. Static routing is secure and uses little bandwidth, but does not automatically respond to changes in the network, such as link failures, and therefore, might result in unreachable destinations. As networks grow, static routing becomes a labor-intensive liability.
Note A Layer 3 switch can have an IP address assigned to each routed port and SVI. The number of routed ports and SVIs that you can configure is not limited by software. However, the interrelationship between this number and the number and volume of features being implemented might have an impact on CPU utilization because of hardware limitations.
Table 36-1 Default Addressing Configuration (continued)
Feature: Default Setting
IP default gateway: Disabled.
IP directed broadcast: Disabled (all IP directed broadcasts are dropped).
IP domain: Domain list: No domain names defined. Domain lookup: Enabled. Domain name: Enabled.
IP forward-protocol: If a helper address is defined or User Datagram Protocol (UDP) flooding is configured, UDP forwarding is enabled on default ports.
Step 3  no switchport
    Remove the interface from Layer 2 configuration mode (if it is a physical interface).
Step 4  ip address ip-address subnet-mask
    Configure the IP address and IP subnet mask.
Step 5  no shutdown
    Enable the interface.
Step 6  end
    Return to privileged EXEC mode.
Figure 36-2 IP Classless Routing (figure not reproduced: a router with ip classless in network 128.20.0.0, subnets 128.20.1.0, 128.20.2.0 and 128.20.3.0, forwarding toward host 128.20.4.1 via the 128.0.0.0/8 route)
In Figure 36-3, the router in network 128.20.0.0 is connected to subnets 128.20.1.0, 128.20.2.0, and 128.20.3.0. If the host sends a packet to 120.20.4.1, because there is no network default route, the router discards the packet.
Figure 36-3 No IP Classless Routing (figure not reproduced)
Step 4  show running-config
    Verify your entry.
Step 5  copy running-config startup-config
    (Optional) Save your entry in the configuration file.
To restore the default and have the switch forward packets destined for a subnet of a network with no network default route to the best supernet route possible, use the ip classless global configuration command.
Define a Static ARP Cache
ARP and other address resolution protocols provide dynamic mapping between IP addresses and MAC addresses. Because most hosts support dynamic address resolution, you usually do not need to specify static ARP cache entries. If you must define a static ARP cache entry, you can do so globally, which installs a permanent entry in the ARP cache that the switch uses to translate IP addresses into MAC addresses.
Beginning in privileged EXEC mode, follow these steps to specify the ARP encapsulation type:
Step 1  configure terminal
    Enter global configuration mode.
Step 2  interface interface-id
    Enter interface configuration mode, and specify the Layer 3 interface to configure.
Proxy ARP
Proxy ARP, the most common method for learning about other routes, enables an Ethernet host with no routing information to communicate with hosts on other networks or subnets. The host assumes that all hosts are on the same local Ethernet and that they can use ARP to learn their MAC addresses.
The only required task for IRDP routing on an interface is to enable IRDP processing on that interface. When enabled, the default parameters apply. You can optionally change any of these parameters. Beginning in privileged EXEC mode, follow these steps to enable and configure IRDP on an interface:
Step 1  configure terminal
    Enter global configuration mode.
Configuring Broadcast Packet Handling
After configuring an IP interface address, you can enable routing and configure one or more routing protocols, or you can configure the way the switch responds to network broadcasts. A broadcast is a data packet destined for all hosts on a physical network. The switch supports two kinds of broadcasting:
• A directed broadcast packet is sent to a specific network or series of networks.
Step 3  ip directed-broadcast [access-list-number]
    Enable directed broadcast-to-physical broadcast translation on the interface. You can include an access list to control which broadcasts are forwarded.
Beginning in privileged EXEC mode, follow these steps to enable forwarding UDP broadcast packets on an interface and specify the destination address:
Step 1  configure terminal
    Enter global configuration mode.
Step 2  interface interface-id
    Enter interface configuration mode, and specify the Layer 3 interface to configure.
Flooding IP Broadcasts
You can allow IP broadcasts to be flooded throughout your internetwork in a controlled fashion by using the database created by the bridging STP. Using this feature also prevents loops. To support this capability, bridging must be configured on each interface that is to participate in the flooding. If bridging is not configured on an interface, it still can receive broadcasts.
Beginning in privileged EXEC mode, follow these steps to increase spanning-tree-based flooding:
Step 1  configure terminal
    Enter global configuration mode.
Step 2  ip forward-protocol turbo-flood
    Use the spanning-tree database to speed up flooding of UDP datagrams.
Step 3  end
    Return to privileged EXEC mode.
Step 4  show running-config
    Verify your entry.
Enabling IP Unicast Routing
By default, the switch is in Layer 2 switching mode and IP routing is disabled. To use the Layer 3 capabilities of the switch, you must enable IP routing. Beginning in privileged EXEC mode, follow these steps to enable IP routing:
Step 1  configure terminal
    Enter global configuration mode.
Step 2  ip routing
    Enable IP routing.
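An added example (not from the guide) that puts the preceding IP addressing steps together: enable routing, convert one physical port to a routed port, add an SVI, install a static default route, and leave the two broadcast-handling settings discussed above (directed broadcasts, proxy ARP) explicitly off on the routed port. All addresses, VLAN and interface numbers are assumed.

```ios
! Added example (not from the guide). Addresses, VLAN 10 and interface
! numbers are assumed placeholders.
Switch# configure terminal
! Layer 3 forwarding is off by default; turn it on first.
Switch(config)# ip routing
! Routed port toward the upstream router.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.0.2.2 255.255.255.252
! Default is already disabled; stating it keeps the intent visible in the config.
Switch(config-if)# no ip directed-broadcast
! Do not answer ARP on behalf of other subnets on a point-to-point uplink.
Switch(config-if)# no ip proxy-arp
Switch(config-if)# no shutdown
Switch(config-if)# exit
! SVI for a user VLAN (VLAN 10 must exist and have an active port for the SVI to come up).
Switch(config)# interface vlan 10
Switch(config-if)# ip address 10.1.10.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
! Static default route; with ip classless (the default) it also catches
! unknown subnets of directly connected major networks.
Switch(config)# ip route 0.0.0.0 0.0.0.0 192.0.2.1
Switch(config)# ip classless
Switch(config)# end
! Verification
Switch# show ip route
Switch# show ip interface gigabitethernet0/1 | include broadcast|Proxy
```

The filtered show ip interface output confirms the directed-broadcast and proxy-ARP state on the port, which is worth checking after any copy of a configuration from another device, since those two settings control whether the switch will amplify or relay traffic on behalf of hosts that are not on the local segment.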
Using RIP, the switch sends routing information updates (advertisements) every 30 seconds. If a router does not receive an update from another router for 180 seconds or more, it marks the routes served by that router as unusable. If there is still no update after 240 seconds, the router removes all routing table entries for the non-updating router. RIP uses hop counts to rate the value of different routes.
Table 36-4 Default RIP Configuration (continued)
Feature: Default Setting
Timers basic:
• Update: 30 seconds.
• Invalid: 180 seconds.
• Hold-down: 180 seconds.
• Flush: 240 seconds.
Validate-update-source: Enabled.
Version: Receives RIP Version 1 and 2 packets; sends Version 1 packets.
Configuring Basic RIP Parameters
To configure RIP, you enable RIP routing for a network and optionally configure other parameters.
Step 8  version {1 | 2}
    (Optional) Configure the switch to receive and send only RIP Version 1 or RIP Version 2 packets. By default, the switch receives Version 1 and 2 but sends only Version 1. You can also use the interface commands ip rip {send | receive} version {1 | 2 | 1 2} to control what versions are used for sending and receiving on interfaces.
Step 9  no auto-summary
    (Optional) Disable automatic summarization.
Step 3  ip rip authentication key-chain name-of-chain
    Enable RIP authentication.
Step 4  ip rip authentication mode {text | md5}
    Configure the interface to use plain text authentication (the default) or MD5 digest authentication.
Step 5  end
    Return to privileged EXEC mode.
Step 6  show running-config interface [interface-id]
    Verify your entries.
To disable IP summarization, use the no ip summary-address rip router configuration command.
In this example, the major net is 10.0.0.0. The summary address 10.2.0.0 overrides the autosummary address of 10.0.0.0 so that 10.2.0.0 is advertised out interface Gigabit Ethernet port 2, and 10.0.0.0 is not advertised.
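An added example (not from the guide) combining the RIP steps above: RIP version 2 only, automatic summarization off, MD5 authentication on the routed interface from a key chain, and the manual summary 10.2.0.0 from the text. The key chain name, key string, addresses and interface number are assumed placeholders.

```ios
! Added example (not from the guide). Key chain name, key string, network
! and interface numbers are assumed placeholders.
Switch# configure terminal
! Key chain holding the shared RIP secret (replace the placeholder string).
Switch(config)# key chain RIP-KEYS
Switch(config-keychain)# key 1
Switch(config-keychain-key)# key-string REPLACE-WITH-SHARED-SECRET
Switch(config-keychain-key)# exit
Switch(config-keychain)# exit
Switch(config)# router rip
! Version 2 is required for authentication and for ip summary-address rip.
Switch(config-router)# version 2
Switch(config-router)# no auto-summary
Switch(config-router)# network 10.0.0.0
! Send updates only on the one interface that faces a RIP neighbor.
Switch(config-router)# passive-interface default
Switch(config-router)# no passive-interface gigabitethernet0/2
Switch(config-router)# exit
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.2.1.1 255.255.255.0
! Authenticated updates: the plain-text mode is the default, so md5 must be set explicitly.
Switch(config-if)# ip rip authentication key-chain RIP-KEYS
Switch(config-if)# ip rip authentication mode md5
! Advertise the 10.2.0.0/16 summary on this interface instead of the 10.0.0.0 classful summary.
Switch(config-if)# ip summary-address rip 10.2.0.0 255.255.0.0
Switch(config-if)# end
! Verification
Switch# show ip protocols
Switch# show ip rip database
```

Two points a reviewer would check in show ip protocols: that the interface reports send and receive version 2 with MD5 authentication, and that no other interfaces are sending updates. Leaving the default text mode in place means the key-string travels in the clear in every update.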
Configuring OSPF
This section briefly describes how to configure Open Shortest Path First (OSPF). For a complete description of the OSPF commands, see the “OSPF Commands” chapter of the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
Default OSPF Configuration
Table 36-5 shows the default OSPF configuration.
Table 36-5 Default OSPF Configuration
Feature: Default Setting
Interface parameters: Cost: No default cost predefined. Retransmit interval: 5 seconds. Transmit delay: 1 second. Priority: 1. Hello interval: 10 seconds. Dead interval: 4 times the hello interval. No authentication. No password specified. MD5 authentication disabled.
Table 36-5 Default OSPF Configuration (continued)
Feature: Default Setting
Timers LSA group pacing: 240 seconds.
Timers shortest path first (spf): spf delay: 5 seconds. spf-holdtime: 10 seconds.
Virtual link: No area ID or router ID defined. Hello interval: 10 seconds. Retransmit interval: 5 seconds. Transmit delay: 1 second. Dead interval: 40 seconds. Authentication key: no key predefined. Message-digest key (MD5): no key predefined.
Step 5  show ip protocols
    Verify your entries.
Step 6  copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To end an OSPF routing process, use the no router ospf process-id global configuration command.
This example shows how to configure an OSPF routing process and assign it a process number of 109:
Switch(config)# router ospf 109
Switch(config-router)# network 131.108.0.0 255.255.255.
Step 9  ip ospf authentication-key key
    (Optional) Assign a password to be used by neighboring OSPF routers. The password can be any string of keyboard-entered characters up to 8 bytes in length. All neighboring routers on the same network must have the same password to exchange OSPF information.
Step 10  ip ospf message-digest-key keyid md5 key
    (Optional) Enable MD5 authentication.
    • keyid—An identifier from 1 to 255.
Beginning in privileged EXEC mode, follow these steps to configure area parameters:
Step 1  configure terminal
    Enter global configuration mode.
Step 2  router ospf process-id
    Enable OSPF routing, and enter router configuration mode.
Step 3  area area-id authentication
    (Optional) Allow password-based protection against unauthorized access to the identified area. The identifier can be either a decimal value or an IP address.
• Virtual links: In OSPF, all areas must be connected to a backbone area. You can establish a virtual link in case of a backbone-continuity break by configuring two Area Border Routers as endpoints of a virtual link. Configuration information includes the identity of the other virtual endpoint (the other ABR) and the nonbackbone link that the two routers have in common (the transit area). Virtual links cannot be configured through a stub area.
Step 7  auto-cost reference-bandwidth ref-bw
    (Optional) Specify an address range for which a single route will be advertised. Use this command only with area border routers.
Step 8  distance ospf {[intra-area dist1] [inter-area dist2] [external dist3]}
    (Optional) Change the OSPF distance values. The default distance for each type of route is 110. The range is 1 to 255.
Configuring a Loopback Interface
OSPF uses the highest IP address configured on the interfaces as its router ID. If this interface is down or removed, the OSPF process must recalculate a new router ID and resend all its routing information out its interfaces. If a loopback interface is configured with an IP address, OSPF uses this IP address as its router ID, even if other interfaces have higher IP addresses.
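An added example (not from the guide) tying together the OSPF interface, area and loopback sections above: process 109 as in the text, a loopback interface that supplies a stable router ID, and MD5 authentication enabled per area with the key on the interface. Addresses, the key string, and interface numbers are assumed; the explicit router-id command is an addition beyond the text and is also assumed.

```ios
! Added example (not from the guide). Addresses, key string and interface
! numbers are assumed placeholders.
Switch# configure terminal
! Loopback never goes down, so the router ID stays stable across link flaps.
Switch(config)# interface loopback 0
Switch(config-if)# ip address 10.255.0.1 255.255.255.255
Switch(config-if)# exit
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.0.12.1 255.255.255.0
! Per-interface MD5 key; keyid and key must match on every router on this segment.
Switch(config-if)# ip ospf message-digest-key 1 md5 REPLACE-WITH-SHARED-SECRET
Switch(config-if)# exit
Switch(config)# router ospf 109
! Pin the router ID explicitly rather than relying on address selection (assumed addition).
Switch(config-router)# router-id 10.255.0.1
Switch(config-router)# network 10.0.12.0 0.0.0.255 area 0
Switch(config-router)# network 10.255.0.1 0.0.0.0 area 0
! Require MD5 on every interface in area 0; an unauthenticated hello is ignored.
Switch(config-router)# area 0 authentication message-digest
! Only form adjacencies on interfaces that should have OSPF neighbors.
Switch(config-router)# passive-interface default
Switch(config-router)# no passive-interface gigabitethernet0/1
Switch(config-router)# end
! Verification
Switch# show ip ospf neighbor
Switch# show ip ospf interface gigabitethernet0/1
```

show ip ospf interface should report the message-digest authentication mode and the youngest key ID; a neighbor stuck without an adjacency after this change is most often a key or keyid mismatch on the other end.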
Table 36-6 Show IP OSPF Statistics Commands
show ip ospf neighbor [interface-name] [neighbor-id] detail: Display OSPF interface neighbor information.
show ip ospf virtual-links: Display OSPF-related virtual links information.
Configuring EIGRP
Enhanced IGRP (EIGRP) is a Cisco proprietary enhanced version of the IGRP.
is shown in the packet. The reliable transport has a provision to send multicast packets quickly when there are unacknowledged packets pending. Doing so helps ensure that convergence time remains low in the presence of varying speed links.
• The DUAL finite state machine embodies the decision process for all route computations. It tracks all routes advertised by all neighbors.
Table 36-7 Default EIGRP Configuration (continued)
Feature: Default Setting
Default metric: Only connected routes and interface static routes can be redistributed without a default metric. The metric includes:
• Bandwidth: 0 or greater kb/s.
• Delay (tens of microseconds): 0 or any positive number that is a multiple of 39.1 nanoseconds.
• Reliability: any number between 0 and 255 (255 means 100 percent reliability).
Distance
Note If you have routers on your network that are configured for IGRP, and you want to change to EIGRP, you must designate transition routers that have both IGRP and EIGRP configured. In these cases, perform Steps 1 through 3 in the next section and also see the “Configuring Split Horizon” section on page 36-23. You must use the same AS number for routes to be automatically redistributed.
Step 9  end
    Return to privileged EXEC mode.
Step 10  show ip protocols
    Verify your entries.
Step 11  show ip protocols
    Verify your entries. For NSF awareness, the output shows:
    *** IP Routing is NSF aware ***
    EIGRP NSF enabled
Step 12  copy running-config startup-config
    (Optional) Save your entries in the configuration file.
Step 9  show ip eigrp interface
    Display which interfaces EIGRP is active on and information about EIGRP relating to those interfaces.
Step 10  copy running-config startup-config
    (Optional) Save your entries in the configuration file.
Use the no forms of these commands to disable the feature or return the setting to the default value.
Step 12  show key chain
    Display authentication key information.
Step 13  copy running-config startup-config
    (Optional) Save your entries in the configuration file.
Use the no forms of these commands to disable the feature or to return the setting to the default value.
Figure 36-4 EIGRP Stub Router Configuration (figure not reproduced: Switch A as the stub router with Hosts A, B and C, connected to Switch B and Switch C, which are routed to the WAN)
For more information about EIGRP stub routing, see the “Configuring EIGRP Stub Routing” part of the Cisco IOS IP Configuration Guide, Volume 2 of 3: Routing Protocols, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Configuration Guides.
detailed information about BGP in Internet Routing Architectures, published by Cisco Press, and in the “Configuring BGP” chapter in the Cisco IP and IP Routing Configuration Guide from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Configuration Guides. For details about BGP commands and keywords, see the “IP Routing Protocols” part of the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.
BGP peers initially exchange their full BGP routing tables and then send only incremental updates. BGP peers also exchange keepalive messages (to ensure that the connection is up) and notification messages (in response to errors or special conditions). In BGP, each route consists of a network number, a list of autonomous systems that information has passed through (the autonomous system path), and a list of other path attributes.
Default BGP Configuration
Table 36-9 shows the basic default BGP configuration. For the defaults for all characteristics, see the specific commands in the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
Table 36-9 Default BGP Configuration
Feature: Default Setting
Aggregate address: Disabled: None defined.
AS path access list: None defined.
Auto summary: Enabled.
Table 36-9 Default BGP Configuration (continued)
Feature: Default Setting
Multi exit discriminator (MED):
• Always compare: Disabled. Does not compare MEDs for paths from neighbors in different autonomous systems.
• Best path compare: Disabled.
• MED missing as worst path: Disabled.
• Deterministic MED comparison is disabled.
Neighbor:
• Advertisement interval: 30 seconds for external peers; 5 seconds for internal peers.
Nonstop Forwarding Awareness
The BGP NSF Awareness feature is supported for IPv4 in the IP services image. To enable this feature with BGP routing, you need to enable Graceful Restart.
Step 5  neighbor {ip-address | peer-group-name} remote-as number
    Add an entry to the BGP neighbor table specifying that the neighbor identified by the IP address belongs to the specified AS. For EBGP, neighbors are usually directly connected, and the IP address is the address of the interface at the other end of the connection. For IBGP, the IP address can be the address of any of the router interfaces.
Router B:
Switch(config)# router bgp 200
Switch(config-router)# neighbor 129.213.1.2 remote-as 100
Switch(config-router)# neighbor 175.220.1.2 remote-as 200
Router C:
Switch(config)# router bgp 200
Switch(config-router)# neighbor 175.220.212.1 remote-as 200
Switch(config-router)# neighbor 192.208.10.1 remote-as 300
Router D:
Switch(config)# router bgp 300
Switch(config-router)# neighbor 192.208.10.
• When soft reset generates inbound updates from a neighbor, it is called dynamic inbound soft reset.
• When soft reset sends a set of updates to a neighbor, it is called outbound soft reset.
A soft inbound reset causes the new inbound policy to take effect. A soft outbound reset causes the new local outbound policy to take effect without resetting the BGP session.
Configuring BGP Decision Attributes
When a BGP speaker receives updates from multiple autonomous systems that describe different paths to the same destination, it must choose the single best path for reaching that destination. When chosen, the selected path is entered into the BGP routing table and propagated to its neighbors. The decision is based on the value of attributes that the update contains and other BGP-configurable factors.
Beginning in privileged EXEC mode, follow these steps to configure some decision attributes:
Step 1  configure terminal
    Enter global configuration mode.
Step 2  router bgp autonomous-system
    Enable a BGP routing process, assign it an AS number, and enter router configuration mode.
Step 3  bgp best-path as-path ignore
    (Optional) Configure the router to ignore AS path length in selecting a route.
Use the no form of each command to return to the default state.
Configuring BGP Filtering with Route Maps
Within BGP, route maps can be used to control and to modify routing information and to define the conditions by which routes are redistributed between routing domains. See the “Using Route Maps to Redistribute Routing Information” section on page 36-90 for more information about route maps.
Beginning in privileged EXEC mode, follow these steps to apply a per-neighbor route map:
Step 1  configure terminal
    Enter global configuration mode.
Step 2  router bgp autonomous-system
    Enable a BGP routing process, assign it an AS number, and enter router configuration mode.
Configuring Prefix Lists for BGP Filtering
You can use prefix lists as an alternative to access lists in many BGP route filtering commands, including the neighbor distribute-list router configuration command. The advantages of using prefix lists include performance improvements in loading and lookup of large lists, incremental update support, easier CLI configuration, and greater flexibility.
sequence-number command; to reenable automatic generation, use the ip prefix-list sequence-number command. To clear the hit-count table of prefix list entries, use the clear ip prefix-list privileged EXEC command.
Configuring BGP Community Filtering
One way that BGP controls the distribution of routing information is based on the value of the COMMUNITIES attribute.
Step 5  set comm-list list-num delete
    (Optional) Remove communities from the community attribute of an inbound or outbound update that match a standard or extended community list specified by a route map.
Step 6  exit
    Return to global configuration mode.
Step 7  ip bgp-community new-format
    (Optional) Display and parse BGP communities in the format AA:NN. A BGP community is displayed in a two-part format 2 bytes long.
Step 7  neighbor {ip-address | peer-group-name} default-originate [route-map map-name]
    (Optional) Allow a BGP speaker (the local router) to send the default route 0.0.0.0 to a neighbor for use as a default route.
Step 8  neighbor {ip-address | peer-group-name} send-community
    (Optional) Specify that the COMMUNITIES attribute be sent to the neighbor at this IP address.
Step 23  neighbor {ip-address | peer-group-name} soft-reconfiguration inbound
    (Optional) Configure the software to start storing received updates.
Step 24  end
    Return to privileged EXEC mode.
Step 25  show ip bgp neighbors
    Verify the configuration.
Step 26  copy running-config startup-config
    (Optional) Save your entries in the configuration file.
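An added example (not from the guide) that combines the BGP filtering pieces covered above: a prefix list and route map applied inbound to one EBGP neighbor, a prefix list applied outbound, soft reconfiguration so policy changes can be re-applied without dropping the session, and the community display format from the community-filtering steps. AS numbers, addresses and prefixes are assumed placeholders.

```ios
! Added example (not from the guide). AS numbers, addresses and prefixes
! are assumed placeholders.
Switch# configure terminal
! Inbound allow-list: reject a default route, accept one delegated block
! (and its subnets down to /28), drop everything else explicitly.
Switch(config)# ip prefix-list FROM-PEER seq 5 deny 0.0.0.0/0
Switch(config)# ip prefix-list FROM-PEER seq 10 permit 198.51.100.0/24 le 28
Switch(config)# ip prefix-list FROM-PEER seq 20 deny 0.0.0.0/0 le 32
! Outbound: announce only our own aggregate.
Switch(config)# ip prefix-list TO-PEER seq 10 permit 203.0.113.0/24
! Route map that applies the inbound prefix list and lowers local preference.
Switch(config)# route-map FROM-PEER-MAP permit 10
Switch(config-route-map)# match ip address prefix-list FROM-PEER
Switch(config-route-map)# set local-preference 90
Switch(config-route-map)# exit
Switch(config)# router bgp 65001
Switch(config-router)# no synchronization
Switch(config-router)# network 203.0.113.0 mask 255.255.255.0
Switch(config-router)# neighbor 192.0.2.1 remote-as 65002
! Keep a copy of received updates so inbound policy can be re-applied softly.
Switch(config-router)# neighbor 192.0.2.1 soft-reconfiguration inbound
Switch(config-router)# neighbor 192.0.2.1 route-map FROM-PEER-MAP in
Switch(config-router)# neighbor 192.0.2.1 prefix-list TO-PEER out
Switch(config-router)# neighbor 192.0.2.1 send-community
Switch(config-router)# exit
Switch(config)# ip bgp-community new-format
Switch(config)# end
! After editing FROM-PEER or the route map, re-run inbound policy without a session reset.
Switch# clear ip bgp 192.0.2.1 soft in
! Stored (pre-policy) updates versus what survived the filter.
Switch# show ip bgp neighbors 192.0.2.1 received-routes
Switch# show ip bgp neighbors 192.0.2.1 routes
```

The received-routes view is only available because soft-reconfiguration inbound stores the unfiltered updates; comparing it against routes is the quickest way to confirm that the prefix list is rejecting what you expect (a default route or an overly specific prefix from the peer) without tearing the session down.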
To delete an aggregate entry, use the no aggregate-address address mask router configuration command. To return options to the default values, use the command with keywords.
Configuring Routing Domain Confederations
One way to reduce the IBGP mesh is to divide an autonomous system into multiple subautonomous systems and to group them into a single confederation that appears as a single autonomous system.
When the route reflector receives an advertised route, it takes one of these actions, depending on the neighbor:
• A route from an external BGP speaker is advertised to all clients and nonclient peers.
• A route from a nonclient peer is advertised to all clients.
• A route from a client is advertised to all clients and nonclient peers. Hence, the clients need not be fully meshed.
Step 1  configure terminal
    Enter global configuration mode.
Step 2  router bgp autonomous-system
    Enter BGP router configuration mode.
Step 3  bgp dampening
    Enable BGP route dampening.
Step 4  bgp dampening half-life reuse suppress max-suppress [route-map map]
    (Optional) Change the default values of route dampening factors.
Step 5  end
    Return to privileged EXEC mode.
Table 36-11 IP BGP Clear and Show Commands (continued)
show ip bgp cidr-only: Display all BGP routes that contain subnet and supernet network masks.
show ip bgp community [community-number] [exact]: Display routes that belong to the specified communities.
show ip bgp community-list community-list-number [exact-match]: Display routes that are permitted by the community list.
The key difference between the ISO IGRP and IS-IS NSAP addressing schemes is in the definition of area addresses. Both use the system ID for Level 1 routing (routing within an area). However, they differ in the way addresses are specified for area routing. An ISO IGRP NSAP address includes three separate fields for routing: the domain, area, and system ID.
Chapter 36 Configuring IP Unicast Routing Configuring ISO CLNS Routing • Configuring IS-IS Global Parameters, page 36-66 • Configuring IS-IS Interface Parameters, page 36-68 Default IS-IS Configuration Table 36-12 shows the default IS-IS configuration. Table 36-12 Default IS-IS Configuration Feature Default Setting Ignore link-state PDU (LSP) errors Enabled. IS-IS type Conventional IS-IS: the router acts as both a Level 1 (station) and a Level 2 (area) router.
Chapter 36 Configuring IP Unicast Routing Configuring ISO CLNS Routing Nonstop Forwarding Awareness The integrated IS-IS NSF Awareness feature is supported for IPv4, beginning with Cisco IOS Release 12.2(25)SEG. The feature allows customer premises equipment (CPE) routers that are NSF-aware to help NSF-capable routers perform nonstop forwarding of packets.
Command Purpose Step 9 clns router isis [area tag] Enable ISO CLNS on the interface. Step 10 ip address ip-address mask Define the IP address for the interface. An IP address is required on all interfaces in an area enabled for IS-IS if any one interface is configured for IS-IS routing. Step 11 end Return to privileged EXEC mode. Step 12 show isis [area tag] database detail Verify your entries.
Chapter 36 Configuring IP Unicast Routing Configuring ISO CLNS Routing Configuring IS-IS Global Parameters These are some optional IS-IS global parameters that you can configure: • You can force a default route into an IS-IS routing domain by configuring a default route controlled by a route map. You can also specify other filtering options configurable under a route map.
Chapter 36 Configuring IP Unicast Routing Configuring ISO CLNS Routing Step 9 Command Purpose set-overload-bit [on-startup {seconds | wait-for-bgp}] (Optional) Set an overload bit (a hippity bit) to allow other routers to ignore the router in their shortest path first (SPF) calculations if the router is having problems. • (Optional) on-startup—sets the overload bit only on startup.
Chapter 36 Configuring IP Unicast Routing Configuring ISO CLNS Routing Step 14 Command Purpose prc-interval prc-max-wait [prc-initial-wait prc-second-wait] (Optional) Sets IS-IS partial route computation (PRC) throttling timers. • prc-max-wait—the maximum interval (in seconds) between two consecutive PRC calculations. The range is 1 to 120; the default is 5. • prc-initial-wait—the initial PRC calculation delay (in milliseconds) after a topology change.
frequently and IS-IS adjacencies are failing unnecessarily. You can raise the hello multiplier and lower the hello interval correspondingly to make the hello protocol more reliable without increasing the time required to detect a link failure. • Other time intervals: – Complete sequence number PDU (CSNP) interval. CSNPs are sent by the designated router to maintain database synchronization. – Retransmission interval.
Chapter 36 Configuring IP Unicast Routing Configuring ISO CLNS Routing Command Purpose Step 7 isis retransmit-interval seconds (Optional) Configure the number of seconds between retransmission of IS-IS LSPs for point-to-point links. The value you specify should be an integer greater than the expected round-trip delay between any two routers on the network. The range is from 0 to 65535. The default is 5 seconds.
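The following is an added worked example, not taken from this guide, that pulls the IS-IS global and interface parameters above into one configuration. The NET 49.0001.0000.0000.0001.00, the interface gigabitethernet0/1, the address 10.0.12.1/24, and the timer values are placeholders chosen for illustration.

```cisco
! Added example (not from the guide).
Switch# configure terminal
Switch(config)# clns routing
Switch(config)# router isis
Switch(config-router)# net 49.0001.0000.0000.0001.00
! Level-2-only keeps this router out of Level 1 (station) routing
Switch(config-router)# is-type level-2-only
! Hold the overload bit for 180 s after boot so other routers do not send
! transit traffic through this switch before its LSP database has converged
Switch(config-router)# set-overload-bit on-startup 180
Switch(config-router)# exit

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.0.12.1 255.255.255.0
Switch(config-if)# ip router isis
Switch(config-if)# clns router isis
! Default hello-interval 10 s x hello-multiplier 3 = 30 s hold time.
! 5 s x 6 keeps the same 30 s failure-detection time but tolerates more
! lost hellos before the adjacency is torn down, which is the trade-off
! the text above describes.
Switch(config-if)# isis hello-interval 5
Switch(config-if)# isis hello-multiplier 6
! Retransmit unacknowledged LSPs after 10 s; must exceed the round-trip
! delay between any two routers on the link
Switch(config-if)# isis retransmit-interval 10
Switch(config-if)# end

Switch# show isis database detail
Switch# show clns neighbors
Switch# show clns interface gigabitethernet0/1
```

The hold time advertised to the neighbor is the product of the interval and the multiplier, so change the two together: lowering the interval alone makes the adjacency more, not less, sensitive to a congested link.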
Chapter 36 Configuring IP Unicast Routing Configuring Multi-VRF CE Table 36-13 lists the privileged EXEC commands for clearing and displaying ISO CLNS and IS-IS routing. For explanations of the display fields, see the Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS and XNS Command Reference, Release 12.2, use the Cisco IOS command reference master index, or search online.
Chapter 36 Configuring IP Unicast Routing Configuring Multi-VRF CE The Catalyst 3560 switch supports multiple VPN routing/forwarding (multi-VRF) instances in customer edge (CE) devices (multi-VRF CE) when the switch is running the IP services image. If you try to configure it on a switch running the IP base image, you see an error message. Multi-VRF CE allows a service provider to support two or more VPNs with overlapping IP addresses.
Chapter 36 Configuring IP Unicast Routing Configuring Multi-VRF CE • Provider routers or core routers are any routers in the service provider network that do not attach to CE devices. With multi-VRF CE, multiple customers can share one CE, and only one physical link is used between the CE and the PE. The shared CE maintains separate VRF tables for each customer and switches or routes packets for each customer based on its own routing table.
Chapter 36 Configuring IP Unicast Routing Configuring Multi-VRF CE To configure VRF, you create a VRF table and specify the Layer 3 interface associated with the VRF. Then configure the routing protocols in the VPN and between the CE and the PE. BGP is the preferred routing protocol used to distribute VPN routing information across the provider’s backbone. The multi-VRF CE network has three major components: • VPN route target communities—lists of all other members of a VPN community.
Chapter 36 Configuring IP Unicast Routing Configuring Multi-VRF CE • A customer can use multiple VLANs as long as they do not overlap with those of other customers. A customer’s VLANs are mapped to a specific routing table ID that is used to identify the appropriate routing tables stored on the switch. • A Catalyst 3560 switch supports one global network and up to 26 VRFs. • Most routing protocols (BGP, OSPF, RIP, and static routing) can be used between the CE and the PE.
Chapter 36 Configuring IP Unicast Routing Configuring Multi-VRF CE Command Purpose Step 5 route-target {export | import | both} route-target-ext-community Create a list of import, export, or import and export route target communities for the specified VRF. Enter either an AS system number and an arbitrary number (xxx:y) or an IP address and an arbitrary number (A.B.C.D:y). The route-target-ext-community should be the same as the route-distinguisher entered in Step 4.
Command Purpose Step 9 ip vrf forwarding vrf-name Associate the VRF with the Layer 3 interface. Entering this command removes any IP address already configured on the interface, which is why the address is configured in the next step. Step 10 ip address ip-address mask Configure the IP address for the Layer 3 interface. Step 11 ip pim sparse-dense-mode Enable PIM on the VRF-associated Layer 3 interface. Step 12 end Return to privileged EXEC mode. Step 13 show ip vrf [brief | detail | interfaces] [vrf-name] Verify the configuration.
User Interface for PING Beginning in privileged EXEC mode, follow these steps to use VRF-aware ping. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2. Command Purpose ping vrf vrf-name ip-host Send ICMP echo requests to the host, resolving the destination in the routing table of the specified VRF rather than in the global table.
Command Purpose Step 6 standby 1 ip ip-address Enable HSRP and configure the virtual IP address. Step 7 end Return to privileged EXEC mode. User Interface for uRPF Unicast Reverse Path Forwarding (uRPF) can be configured on an interface assigned to a VRF; the source-address lookup is then done in that VRF's table, not in the global routing table. Beginning in privileged EXEC mode, follow these steps to configure VRF-aware services for uRPF.
Chapter 36 Configuring IP Unicast Routing Configuring Multi-VRF CE User Interface for Traceroute Beginning in privileged EXEC mode, follow these steps to configure VRF-aware services for traceroute. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2. Command Purpose traceroute vrf vrf-name ipaddress Specify the name of a VPN VRF in which to find the destination address.
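The following is an added worked example, not taken from this guide, that configures the VRF-aware services described above (uRPF, HSRP, ping and traceroute) on one customer-facing interface. It assumes a VRF named v11 already exists, as in the Switch A example later in this section; the interface vlan 118, the addresses in 10.118.0.0/24 and the HSRP group number are placeholders chosen for illustration.

```cisco
! Added example (not from the guide). VRF v11 is assumed to exist.
Switch# configure terminal
Switch(config)# interface vlan 118
! Bind the interface to the VRF first; this wipes any existing address
Switch(config-if)# ip vrf forwarding v11
Switch(config-if)# ip address 10.118.0.2 255.255.255.0
! Strict uRPF: a packet is dropped unless the VRF v11 table says its
! source address is reached through this same interface (rx). The
! optional allow-default keyword is deliberately omitted: with it, any
! source covered by a default route in the VRF would pass the check.
Switch(config-if)# ip verify unicast source reachable-via rx
! HSRP group 1 provides the customer's gateway address in the VRF
Switch(config-if)# standby 1 ip 10.118.0.1
Switch(config-if)# standby 1 priority 110
Switch(config-if)# standby 1 preempt
Switch(config-if)# end

! Reachability tests must name the VRF, otherwise the global table is used
Switch# ping vrf v11 10.118.0.50
Switch# traceroute vrf v11 10.118.0.50

! Verification
Switch# show ip interface vlan 118 | include verify
Switch# show ip arp vrf v11
Switch# show ip route vrf v11
Switch# show standby brief
```

Because the customer VRFs carry overlapping address space, a ping or traceroute without the vrf keyword can succeed against an unrelated host with the same address in the global table; always state the VRF when troubleshooting a customer's connectivity.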
Chapter 36 Configuring IP Unicast Routing Configuring Multi-VRF CE Note To configure an EIGRP routing process to run within a VRF instance, you must configure an autonomous-system number by entering the autonomous-system autonomous-system-number address-family configuration mode command. Beginning in privileged EXEC mode, follow these steps to configure OSPF in the VPN: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 36 Configuring IP Unicast Routing Configuring Multi-VRF CE Command Purpose Step 10 show ip bgp [ipv4] [neighbors] Verify BGP configuration. Step 11 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no router bgp autonomous-system-number global configuration command to delete the BGP routing process. Use the command with keywords to delete routing characteristics.
Switch(config)# ip vrf v11
Switch(config-vrf)# rd 800:1
Switch(config-vrf)# route-target export 800:1
Switch(config-vrf)# route-target import 800:1
Switch(config-vrf)# exit
Switch(config)# ip vrf v12
Switch(config-vrf)# rd 800:2
Switch(config-vrf)# route-target export 800:2
Switch(config-vrf)# route-target import 800:2
Switch(config-vrf)# exit
Configure the loopback and physical interfaces on Switch A.
Switch(config-if)# exit
Configure OSPF routing in VPN1 and VPN2.
Switch(config)# router ospf 1 vrf v11
Switch(config-router)# redistribute bgp 800 subnets
Switch(config-router)# network 208.0.0.0 0.0.0.255 area 0
Switch(config-router)# exit
Switch(config)# router ospf 2 vrf v12
Switch(config-router)# redistribute bgp 800 subnets
Switch(config-router)# network 118.0.0.0 0.0.0.255 area 0
Switch(config-router)# end
Configuring the PE Switch B
When used on switch B (the PE router), these commands configure only the connections to the CE device, Switch A.
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chapter 36 Configuring IP Unicast Routing Configuring Protocol-Independent Features Displaying Multi-VRF CE Status You can use the privileged EXEC commands in Table 36-15 to display information about multi-VRF CE configuration and status. Table 36-15 Commands for Displaying Multi-VRF CE Information Command Purpose show ip protocols vrf vrf-name Display routing protocol information associated with a VRF.
cache entries are frequently invalidated because of routing changes, which can cause traffic to be process switched using the routing table, instead of fast switched using the route cache. CEF uses the Forwarding Information Base (FIB) lookup table to perform destination-based switching of IP packets. The two main components in CEF are the distributed FIB and the distributed adjacency tables.
Configuring the Number of Equal-Cost Routing Paths When a router has two or more routes to the same network with the same metrics, these routes can be thought of as having an equal cost. Equal-cost routes that appear together in a routing table are also called parallel paths. If a router has two or more equal-cost paths to a network, it can use them concurrently.
Chapter 36 Configuring IP Unicast Routing Configuring Protocol-Independent Features The switch retains static routes until you remove them. However, you can override static routes with dynamic routing information by assigning administrative distance values. Each dynamic routing protocol has a default administrative distance, as listed in Table 36-16.
Beginning in privileged EXEC mode, follow these steps to define a static route to a network as the static default route: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip default-network network-number Specify a default network. Step 3 end Return to privileged EXEC mode. Step 4 show ip route Display the selected default route in the gateway of last resort display.
Chapter 36 Configuring IP Unicast Routing Configuring Protocol-Independent Features You can also identify route-map statements as permit or deny. If the statement is marked as a deny, the packets meeting the match criteria are sent back through the normal forwarding channels (destination-based routing). If the statement is marked as permit, set clauses are applied to packets meeting the match criteria. Packets that do not meet the match criteria are forwarded through the normal routing channel.
Command Purpose Step 9 match interface type number [...type number] Match routes whose next hop is reached through one of the specified interfaces. Step 10 match ip route-source {access-list-number | access-list-name} [...access-list-number | ...access-list-name] Match routes that were advertised by a source address permitted by the specified access lists.
Chapter 36 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 21 set weight Set the BGP weight for the routing table. The value can be from 1 to 65535. Step 22 end Return to privileged EXEC mode. Step 23 show route-map Display all route maps configured or only the one specified to verify configuration. Step 24 copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 36 Configuring IP Unicast Routing Configuring Protocol-Independent Features Configuring Policy-Based Routing You can use policy-based routing (PBR) to configure a defined policy for traffic flows. By using PBR, you can have more control over routing by reducing the reliance on routes derived from routing protocols.
Chapter 36 Configuring IP Unicast Routing Configuring Protocol-Independent Features • You can apply a policy route map to an EtherChannel port channel in Layer 3 mode, but you cannot apply a policy route map to a physical interface that is a member of the EtherChannel. If you try to do so, the command is rejected. When a policy route map is applied to a physical interface, that interface cannot become a member of an EtherChannel. • You can define a maximum of 246 IP policy route maps on the switch.
Chapter 36 Configuring IP Unicast Routing Configuring Protocol-Independent Features Packets that are generated by the switch, or local packets, are not normally policy-routed. When you globally enable local PBR on the switch, all packets that originate on the switch are subject to local PBR. Local PBR is disabled by default. Note To enable PBR, the switch must be running the IP services image.
Chapter 36 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 8 ip route-cache policy (Optional) Enable fast-switching PBR. You must first enable PBR before enabling fast-switching PBR. Step 9 exit Return to global configuration mode. Step 10 ip local policy route-map map-tag (Optional) Enable local PBR to perform policy-based routing on packets originating at the switch. This applies to packets generated by the switch and not to incoming packets.
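The following is an added worked example, not taken from this guide, that configures policy-based routing as described in the steps above and shows the deny-versus-permit route-map behaviour from the route-map section. The user subnet 10.1.1.0/24, the inspection device 10.99.0.2, interface vlan 10, and the names USERS-TO-WEB, MGMT-HOSTS and INSPECT-WEB are placeholders chosen for illustration.

```cisco
! Added example (not from the guide): send user HTTP traffic through an
! inline inspection device; leave management hosts on the normal path.
Switch# configure terminal
Switch(config)# ip access-list extended USERS-TO-WEB
Switch(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 any eq 80
Switch(config-ext-nacl)# exit
Switch(config)# ip access-list extended MGMT-HOSTS
Switch(config-ext-nacl)# permit ip 10.1.1.0 0.0.0.15 any
Switch(config-ext-nacl)# exit

! Sequence 10 is a deny statement: packets that match it are not
! policy-routed and fall back to destination-based routing.
Switch(config)# route-map INSPECT-WEB deny 10
Switch(config-route-map)# match ip address MGMT-HOSTS
Switch(config-route-map)# exit
! Sequence 20 is a permit statement: its set clause is applied to
! matching packets. Packets matching neither sequence are routed normally.
Switch(config)# route-map INSPECT-WEB permit 20
Switch(config-route-map)# match ip address USERS-TO-WEB
Switch(config-route-map)# set ip next-hop 10.99.0.2
Switch(config-route-map)# exit

! Apply to the Layer 3 interface where the user traffic enters the switch
Switch(config)# interface vlan 10
Switch(config-if)# ip policy route-map INSPECT-WEB
! Only after PBR is enabled on the interface can fast-switched PBR be turned on
Switch(config-if)# ip route-cache policy
Switch(config-if)# end

Switch# show route-map INSPECT-WEB
Switch# show ip policy
```

PBR overrides the routing table for the matched flows, so a mistake in the match ACL can silently divert traffic away from the inspection device or into it. Check the packet counters in show route-map after applying the policy, and remember that switch-generated traffic is not affected unless ip local policy route-map is also configured.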
Chapter 36 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 3 passive-interface interface-id Suppress sending routing updates through the specified Layer 3 interface. Step 4 passive-interface default (Optional) Set all interfaces as passive by default. Step 5 no passive-interface interface type (Optional) Activate only those interfaces that need to have adjacencies sent.
Chapter 36 Configuring IP Unicast Routing Configuring Protocol-Independent Features Filtering Sources of Routing Information Because some routing information might be more accurate than others, you can use filtering to prioritize information coming from different sources. An administrative distance is a rating of the trustworthiness of a routing information source, such as a router or group of routers. In a large network, some routing protocols can be more reliable than others.
Chapter 36 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network Beginning in privileged EXEC mode, follow these steps to manage authentication keys: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 key chain name-of-chain Identify a key chain, and enter key chain configuration mode. Step 3 key number Identify the key number. The range is 0 to 2147483647. Step 4 key-string text Identify the key string.
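The following is an added worked example, not taken from this guide, that builds a key chain as in the steps above and uses it to authenticate RIP version 2 updates with a staged key rollover. The chain name RIP-AUTH, the key strings, the dates, and interface vlan 20 are placeholders chosen for illustration; the accept-lifetime and send-lifetime keywords and the ip rip authentication commands are standard Cisco IOS commands that the steps above do not list.

```cisco
! Added example (not from the guide).
Switch# configure terminal
Switch(config)# key chain RIP-AUTH
! Key 1: currently used for sending, accepted indefinitely so that
! neighbors still sending with it are not cut off during the rollover
Switch(config-keychain)# key 1
Switch(config-keychain-key)# key-string 7Kq!vR2x9Lp3
Switch(config-keychain-key)# accept-lifetime 00:00:00 Jan 1 2009 infinite
Switch(config-keychain-key)# send-lifetime 00:00:00 Jan 1 2009 00:00:00 Apr 1 2009
Switch(config-keychain-key)# exit
! Key 2: accepted a month before it becomes the sending key, so every
! router can be loaded with it ahead of the switchover
Switch(config-keychain)# key 2
Switch(config-keychain-key)# key-string Wm4#pZ8tN1qd
Switch(config-keychain-key)# accept-lifetime 00:00:00 Mar 1 2009 infinite
Switch(config-keychain-key)# send-lifetime 00:00:00 Apr 1 2009 infinite
Switch(config-keychain-key)# exit
Switch(config-keychain)# exit

Switch(config)# router rip
Switch(config-router)# version 2
Switch(config-router)# network 10.0.0.0
Switch(config-router)# exit
Switch(config)# interface vlan 20
Switch(config-if)# ip rip authentication key-chain RIP-AUTH
! md5 mode: plain-text mode puts the key-string on the wire unprotected
Switch(config-if)# ip rip authentication mode md5
Switch(config-if)# end

Switch# show key chain
Switch# show ip protocols
Switch# show clock
```

Two caveats a practitioner would check: the lifetimes are only meaningful if the switch clock is correct, so synchronize it with NTP before relying on them; and key-strings appear in the running configuration in clear text unless service password-encryption is configured, and even then only in the reversible type 7 encoding, so treat configuration backups as secrets.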
Chapter 36 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network Table 36-17 Commands to Clear IP Routes or Display Route Status Command Purpose show ip route supernets-only Display supernets. show ip cache Display the routing table used to switch IP traffic. show route-map [map-name] Display all route maps configured or only the one specified.
CH A P T E R 37 Configuring IPv6 Unicast Routing This chapter describes how to configure IPv6 unicast routing on the Catalyst 3560 switch. For information about configuring IPv6 Multicast Listener Discovery (MLD) snooping, see Chapter 38, “Configuring IPv6 MLD Snooping.” For information on configuring IPv6 access control lists (ACLs), see Chapter 39, “Configuring IPv6 ACLs.” For information about configuring IPv4 unicast routing, see Chapter 36, “Configuring IP Unicast Routing.
Chapter 37 Configuring IPv6 Unicast Routing Understanding IPv6 • Use the Search field to locate the Cisco IOS software documentation. For example, if you want information about static routes, you can enter Implementing Static Routes for IPv6 in the search field to get this document about static routes: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-stat_routes_ps6441_TSD_Pro ducts_Configuration_Guide_Chapter.html This section describes IPv6 implementation on the switch.
Chapter 37 Configuring IPv6 Unicast Routing Understanding IPv6 • Neighbor Discovery, page 37-4 • Default Router Preference, page 37-4 • IPv6 Stateless Autoconfiguration and Duplicate Address Detection, page 37-5 • IPv6 Applications, page 37-5 • Dual IPv4 and IPv6 Protocol Stacks, page 37-5 • DHCP for IPv6 Address Assignment, page 37-6 • Static Routes for IPv6, page 37-6 • RIP for IPv6, page 37-6 • OSPF for IPv6, page 37-6 (only on switches running the IP services image) • EIGRP for IPv6
Chapter 37 Configuring IPv6 Unicast Routing Understanding IPv6 DNS for IPv6 IPv6 supports Domain Name System (DNS) record types in the DNS name-to-address and address-to-name lookup processes. The DNS AAAA resource record types support IPv6 addresses and are equivalent to an A address record in IPv4. The switch supports DNS resolution for IPv4 and IPv6. Path MTU Discovery for IPv6 Unicast The switch supports advertising the system maximum transmission unit (MTU) to IPv6 nodes and path MTU discovery.
Chapter 37 Configuring IPv6 Unicast Routing Understanding IPv6 IPv6 Stateless Autoconfiguration and Duplicate Address Detection The switch uses stateless autoconfiguration to manage link, subnet, and site addressing changes, such as management of host and mobile IP addresses. A host autonomously configures its own link-local address, and booting nodes send router solicitations to request router advertisements for configuring interfaces.
Chapter 37 Configuring IPv6 Unicast Routing Understanding IPv6 The dual IPv4 and IPv6 templates allow the switch to be used in dual stack environments. • If you try to configure IPv6 without first selecting a dual IPv4 and IPv6 template, a warning message appears. • In IPv4-only environments, the switch routes IPv4 packets and applies IPv4 QoS and ACLs in hardware. IPv6 packets are not supported.
Chapter 37 Configuring IPv6 Unicast Routing Understanding IPv6 EIGRP for IPv6 The switch running the IP services image supports Enhanced Interior Gateway Routing Protocol (EIGRP) for IPv6. It is configured on the interfaces on which it runs and does not require a global IPv6 address. Before running, an instance of EIGRP IPv6 requires an implicit or explicit router ID. An implicit router ID is derived from a local IPv4 address, so any IPv4 node always has an available router ID.
Chapter 37 Configuring IPv6 Unicast Routing Understanding IPv6 For information about syslog over IPv6, including configuration procedures, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. HTTP(S) Over IPv6 The HTTP client sends requests to both IPv4 and IPv6 HTTP servers, which respond to requests from both IPv4 and IPv6 HTTP clients.
• The switch cannot forward SNAP-encapsulated IPv6 packets. Note: There is a similar limitation for IPv4 SNAP-encapsulated packets, but the packets are dropped at the switch and are not forwarded. • The switch routes IPv6-to-IPv4 and IPv4-to-IPv6 packets in hardware, but the switch cannot be an IPv6-to-IPv4 or IPv4-to-IPv6 tunnel endpoint. • Bridged IPv6 packets with hop-by-hop extension headers are forwarded in software.
Default IPv6 Configuration Table 37-1 shows the default IPv6 configuration.
Table 37-1 Default IPv6 Configuration
Feature: Default Setting
SDM template: Default
IPv6 routing: Disabled globally and on all interfaces.
CEFv6 or dCEFv6: Disabled (IPv4 CEF and dCEF are enabled by default). Note: When IPv6 routing is enabled, CEFv6 and dCEFv6 are automatically enabled.
IPv6 addresses: None configured.
Chapter 37 Configuring IPv6 Unicast Routing Configuring IPv6 Beginning in privileged EXEC mode, follow these steps to assign an IPv6 address to a Layer 3 interface and enable IPv6 routing: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan} Select an SDM template that supports IPv4 and IPv6. • default—Set the switch to the default template to balance system resources.
Chapter 37 Configuring IPv6 Unicast Routing Configuring IPv6 without arguments. To disable IPv6 processing on an interface that has not been explicitly configured with an IPv6 address, use the no ipv6 enable interface configuration command. To globally disable IPv6 routing, use the no ipv6 unicast-routing global configuration command. This example shows how to enable IPv6 with both a link-local address and a global address based on the IPv6 prefix 2001:0DB8:c18:1::/64.
Chapter 37 Configuring IPv6 Unicast Routing Configuring IPv6 Use the no ipv6 nd router-preference interface configuration command to disable an IPv6 DRP. This example shows how to configure a DRP of high for the router on an interface.
Chapter 37 Configuring IPv6 Unicast Routing Configuring IPv6 To disable IPv4 routing, use the no ip routing global configuration command. To disable IPv6 routing, use the no ipv6 unicast-routing global configuration command. To remove an IPv4 address from an interface, use the no ip address ip-address mask interface configuration command.
Chapter 37 Configuring IPv6 Unicast Routing Configuring IPv6 Enabling DHCPv6 Server Function Beginning in privileged EXEC mode, follow these steps to enable the DHCPv6 server function on an interface. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ipv6 dhcp pool poolname Enter DHCP pool configuration mode, and define the name for the IPv6 DHCP pool. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0).
Chapter 37 Configuring IPv6 Unicast Routing Configuring IPv6 Step 10 Command Purpose ipv6 dhcp server [poolname | automatic] [rapid-commit] [preference value] [allow-hint] Enable DHCPv6 server function on an interface. • poolname—(Optional) User-defined name for the IPv6 DHCP pool. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0). • automatic—(Optional) Enables the system to automatically determine which pool to use when allocating addresses for a client.
Chapter 37 Configuring IPv6 Unicast Routing Configuring IPv6 Switch(config-dhcpv6-vs)# suboption 1 address 1000:235D::1 Switch(config-dhcpv6-vs)# suboption 2 ascii "IP-Phone" Switch(config-dhcpv6-vs)# end Enabling DHCPv6 Client Function Beginning in privileged EXEC mode, follow these steps to enable DHCPv6 client function on an interface. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 37 Configuring IPv6 Unicast Routing Configuring IPv6 Beginning in privileged EXEC mode, follow these steps to change the ICMP rate-limiting parameters: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ipv6 icmp error-interval interval [bucketsize] Configure the interval and bucket size for IPv6 ICMP error messages: • interval—The interval (in milliseconds) between tokens being added to the bucket. The range is from 0 to 2147483647 milliseconds.
Chapter 37 Configuring IPv6 Unicast Routing Configuring IPv6 Beginning in privileged EXEC mode, follow these steps to configure an IPv6 static route: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ipv6 route ipv6-prefix/prefix length {ipv6-address | interface-id [ipv6-address]} [administrative distance] Configure a static IPv6 route. • ipv6-prefix—The IPv6 network that is the destination of the static route.
Step 4 Command Purpose show ipv6 static [ipv6-address | ipv6-prefix/prefix length] [interface interface-id] [recursive] [detail] Verify your entries by displaying the contents of the IPv6 routing table. • interface interface-id—(Optional) Display only those static routes with the specified interface as an egress interface. • recursive—(Optional) Display only recursive static routes.
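The following is an added worked example, not taken from this guide, that strings together the IPv6 procedures above: selecting the dual IPv4 and IPv6 SDM template, enabling IPv6 routing and addressing an interface, tuning ICMPv6 error rate limiting, and adding static routes. Interface vlan 100, the 2001:DB8:C18::/48 prefixes (documentation space), the link-local next hop FE80::1, and the timer values are placeholders chosen for illustration.

```cisco
! Added example (not from the guide).
! 1. The SDM template must be changed and the switch reloaded before any
!    IPv6 configuration is accepted without a warning.
Switch# configure terminal
Switch(config)# sdm prefer dual-ipv4-and-ipv6 default
Switch(config)# end
Switch# reload

! 2. After the reload: enable IPv6 routing and address the interface.
Switch# configure terminal
Switch(config)# ipv6 unicast-routing
Switch(config)# interface vlan 100
! A link-local address is created automatically when the global one is set
Switch(config-if)# ipv6 address 2001:DB8:C18:1::1/64
Switch(config-if)# exit

! 3. Limit ICMPv6 error generation to one token every 100 ms with a
!    bucket of 10, so a host that floods the switch with undeliverable
!    packets cannot turn it into an amplifier of ICMPv6 errors.
Switch(config)# ipv6 icmp error-interval 100 10

! 4. Static routes. A link-local next hop is only meaningful on one link,
!    so the exit interface must be given with it.
Switch(config)# ipv6 route 2001:DB8:C18:2::/64 vlan 100 FE80::1
! Floating static default route: administrative distance 250 keeps it
! below any route learned from RIP (120) or OSPF (110), so it is used
! only when the dynamic protocols have nothing better.
Switch(config)# ipv6 route ::/0 2001:DB8:C18:1::254 250
Switch(config)# end

Switch# show ipv6 interface vlan 100
Switch# show ipv6 static detail
Switch# show ipv6 route
```

The static route toward FE80::1 without an interface would be rejected, because the switch cannot tell which link the link-local address belongs to; the same applies to any next hop taken from a router advertisement.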
Chapter 37 Configuring IPv6 Unicast Routing Configuring IPv6 Step 7 Command Purpose ipv6 rip name default-information {only | originate} (Optional) Originate the IPv6 default route (::/0) into the RIP routing process updates sent from the specified interface. Note To avoid routing loops after the IPv6 default route (::/0) is originated from any interface, the routing process ignores all default routes received on any interface.
Chapter 37 Configuring IPv6 Unicast Routing Configuring IPv6 Beginning in privileged EXEC mode, follow these required and optional steps to configure IPv6 OSPF: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ipv6 router ospf process-id Enable OSPF router configuration mode for the process. The process ID is the number administratively assigned when enabling the OSPF for IPv6 routing process. It is locally assigned and can be a positive integer from 1 to 65535.
Chapter 37 Configuring IPv6 Unicast Routing Configuring IPv6 To disable an OSPF routing process, use the no ipv6 router ospf process-id global configuration command. To disable the OSPF routing process for an interface, use the no ipv6 ospf process-id area area-id interface configuration command. For more information about configuring OSPF routing for IPv6, see the “Implementing OSPF for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
Chapter 37 Configuring IPv6 Unicast Routing Configuring IPv6 Enabling HSRP Version 2 Beginning in privileged EXEC mode, follow these steps to enable HSRP version 2 on a Layer 3 interface. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and enter the Layer 3 interface on which you want to specify the standby version. Step 3 standby version {1 | 2} Enter 2 to change the HSRP version. The default is 1.
Chapter 37 Configuring IPv6 Unicast Routing Displaying IPv6 Step 4 Command Purpose standby [group-number] preempt [delay {minimum seconds | reload seconds | sync seconds}] Configure the router to preempt, which means that when the local router has a higher priority than the active router, it assumes control as the active router. • (Optional) group-number—The group number to which the command applies.
Chapter 37 Configuring IPv6 Unicast Routing Displaying IPv6 Table 37-2 shows the privileged EXEC commands for monitoring IPv6 on the switch. Table 37-2 Commands for Monitoring IPv6 Command Purpose show ipv6 access-list Display a summary of access lists. show ipv6 cef Display Cisco Express Forwarding for IPv6. show ipv6 interface interface-id Display IPv6 interface status and configuration. show ipv6 mtu Display IPv6 MTU per destination cache.
Chapter 37 Configuring IPv6 Unicast Routing Displaying IPv6 This is an example of the output from the show ipv6 interface privileged EXEC command: Switch# show ipv6 interface Vlan1 is up, line protocol is up IPv6 is enabled, link-local address is FE80::20B:46FF:FE2F:D940 Global unicast address(es): 3FFE:C000:0:1:20B:46FF:FE2F:D940, subnet is 3FFE:C000:0:1::/64 [EUI] Joined group address(es): FF02::1 FF02::2 FF02::1:FF2F:D940 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP
Chapter 37 Configuring IPv6 Unicast Routing Displaying IPv6 This is an example of the output from the show ipv6 rip privileged EXEC command: Switch# show ipv6 rip RIP process "fer", port 521, multicast-group FF02::9, pid 190 Administrative distance is 120.
Chapter 37 Configuring IPv6 Unicast Routing Displaying IPv6 0 group query, 0 group report, 0 group reduce 1 router solicit, 0 router advert, 0 redirects 0 neighbor solicit, 0 neighbor advert Sent: 10112 output, 0 rate-limited unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port parameter: 0 error, 0 header, 0 option 0 hopcount expired, 0 reassembly timeout,0 too big 0 echo request, 0 echo reply 0 group query, 0 group report, 0 group reduce 0 router solicit, 9944 router advert, 0 redirects 84 neighbo
CH A P T E R 38 Configuring IPv6 MLD Snooping You can use Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP version 6 (IPv6) multicast data to clients and routers in a switched network on the Catalyst 3560 switch. Note To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch. You select the template by entering the sdm prefer dual-ipv4-and-ipv6 {default} global configuration command.
Chapter 38 Configuring IPv6 MLD Snooping Understanding MLD Snooping The switch supports two versions of MLD snooping: • MLDv1 snooping detects MLDv1 control packets and sets up traffic bridging based on IPv6 destination multicast addresses. • MLDv2 basic snooping (MBSS) uses MLDv2 control packets to set up traffic forwarding based on IPv6 destination multicast addresses.
Chapter 38 Configuring IPv6 MLD Snooping Understanding MLD Snooping When MLD snooping is disabled, all MLD queries are flooded in the ingress VLAN. When MLD snooping is enabled, received MLD queries are flooded in the ingress VLAN, and a copy of the query is sent to the CPU for processing. From the received query, MLD snooping builds the IPv6 multicast address database.
Chapter 38 Configuring IPv6 MLD Snooping Understanding MLD Snooping MLD Reports The processing of MLDv1 join messages is essentially the same as with IGMPv2. When no IPv6 multicast routers are detected in a VLAN, reports are not processed or forwarded from the switch. When IPv6 multicast routers are detected and an MLDv1 report is received, an IPv6 multicast group address and an IPv6 multicast MAC address are entered in the VLAN MLD database.
configuration command. The default is to send two queries. The switch also generates MLDv1 global Done messages with valid link-local IPv6 source addresses when the switch becomes the STP root in the VLAN or when it is configured by the user. This is the same behavior as in IGMP snooping.
Chapter 38 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping MLD Snooping Configuration Guidelines When configuring MLD snooping, consider these guidelines: • You can configure MLD snooping characteristics at any time, but you must globally enable MLD snooping by using the ipv6 mld snooping global configuration command for the configuration to take effect.
Step 1 configure terminal: Enter global configuration mode.
Step 2 ipv6 mld snooping: Globally enable MLD snooping on the switch.
Step 3 ipv6 mld snooping vlan vlan-id: Enable MLD snooping on the VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094. Note: MLD snooping must be globally enabled for VLAN snooping to be enabled.
Step 4 end: Return to privileged EXEC mode.
Chapter 38 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping Switch(config)# end Configuring a Multicast Router Port Although MLD snooping learns about router ports through MLD queries and PIMv6 queries, you can also use the command-line interface (CLI) to add a multicast router port to a VLAN. To add a multicast router port (add a static connection to a multicast router), use the ipv6 mld snooping vlan mrouter global configuration command on the switch.
Step 1 configure terminal: Enter global configuration mode.
Step 2 ipv6 mld snooping vlan vlan-id immediate-leave: Enable MLD Immediate Leave on the VLAN interface.
Step 3 end: Return to privileged EXEC mode.
Step 4 show ipv6 mld snooping vlan vlan-id: Verify that Immediate Leave is enabled on the VLAN interface.
Step 6 ipv6 mld snooping last-listener-query-interval interval: (Optional) Set the maximum response time that the switch waits after sending out a MASQ before deleting a port from the multicast group. The range is 100 to 32,768 thousandths of a second (milliseconds). The default is 1000 (1 second).
Beginning in privileged EXEC mode, follow these steps to disable MLD listener message suppression:
Step 1 configure terminal: Enter global configuration mode.
Step 2 no ipv6 mld snooping listener-message-suppression: Disable MLD message suppression.
Step 3 end: Return to privileged EXEC mode.
Step 4 show ipv6 mld snooping: Verify that IPv6 MLD snooping report suppression is disabled.
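The MLD snooping procedures above (global enable, per-VLAN enable, static multicast-router port, Immediate Leave, the MASQ response timer, and listener message suppression) pulled together into one configuration session. This is an added example, not taken from the guide; VLAN 20 and the interface names are assumed values.

```cisco
! Added example (not from the guide). VLAN 20 and gigabitethernet0/1 are assumed.
Switch# configure terminal
! Nothing per-VLAN takes effect until snooping is enabled globally.
Switch(config)# ipv6 mld snooping
Switch(config)# ipv6 mld snooping vlan 20
! Static multicast-router port toward the IPv6 router. Ports learned from
! MLD and PIMv6 queries are still added dynamically.
Switch(config)# ipv6 mld snooping vlan 20 mrouter interface gigabitethernet0/1
! Immediate Leave only where each port has a single listener: the first
! MLDv1 Done removes the port for every host behind it.
Switch(config)# ipv6 mld snooping vlan 20 immediate-leave
! Where several listeners share a port, leave Immediate Leave off and tune
! the MASQ response window instead (milliseconds, default 1000).
Switch(config)# ipv6 mld snooping last-listener-query-interval 1000
! Disable report suppression only if the upstream router must see every
! listener's report; otherwise the switch forwards one report per group.
Switch(config)# no ipv6 mld snooping listener-message-suppression
Switch(config)# end
! Verification
Switch# show ipv6 mld snooping vlan 20
Switch# show ipv6 mld snooping mrouter vlan 20
Switch# show ipv6 mld snooping multicast-address vlan 20 count
```

Without snooping, every IPv6 multicast group in VLAN 20 is flooded to every port in the VLAN, so any host can receive streams it never joined; with snooping enabled, forwarding follows the MLD database built from the queries and reports shown in the text.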
Table 38-2 Commands for Displaying MLD Snooping Information (continued)
show ipv6 mld snooping multicast-address [vlan vlan-id] [count | dynamic | user]: Display all IPv6 multicast address information or specific IPv6 multicast address information for the switch or a VLAN. • Enter count to show the group count on the switch or in a VLAN.
Chapter 39 Configuring IPv6 ACLs

This chapter includes information about configuring IPv6 ACLs on the Catalyst 3560 switch. You can filter IP version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces similarly to the way that you create and apply IP version 4 (IPv4) named ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic.
Chapter 39 Configuring IPv6 ACLs Understanding IPv6 ACLs Understanding IPv6 ACLs A switch image supports two types of IPv6 ACLs: • IPv6 router ACLs – Supported on outbound or inbound traffic on Layer 3 interfaces, which can be routed ports, switch virtual interfaces (SVIs), or Layer 3 EtherChannels. – Applied to only IPv6 packets that are routed. • IPv6 port ACLs – Supported on inbound traffic on Layer 2 interfaces only. – Applied to all IPv6 packets entering the interface.
Chapter 39 Configuring IPv6 ACLs Configuring IPv6 ACLs • If the switch runs out of TCAM space, packets associated with the ACL label are forwarded to the CPU, and the ACLs are applied in software. • Routed or bridged packets with hop-by-hop options have IPv6 ACLs applied in software. • Logging is supported for router ACLs, but not for port ACLs. IPv6 ACL Limitations With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs.
Chapter 39 Configuring IPv6 ACLs Configuring IPv6 ACLs Step 3 Apply the IPv6 ACL to an interface. For router ACLs, you must also configure an IPv6 address on the Layer 3 interface to which the ACL is applied.
Step 3a deny | permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address}: Enter deny or permit to specify whether to deny or permit the packet if the conditions are matched.
Step 3b deny | permit tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]]: (Optional) Define a TCP access list and the access conditions. Enter tcp for Transmission Control Protocol. The parameters are the same as those described in Step 3a, with these additional optional parameters: • ack—Acknowledgment bit set.
Chapter 39 Configuring IPv6 ACLs Configuring IPv6 ACLs Use the no deny | permit IPv6 access-list configuration commands with keywords to remove the deny or permit conditions from the specified access list. This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000.
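The CISCO access list described above, written out in full and applied as a router ACL, as an added example that is not the guide's own listing. The first two entries are the ones the text describes; the remaining entries, the VLAN number, and the prefix 2001:db8:20::/64 are assumptions added here. The neighbor discovery permits matter because an IPv6 ACL ends with implicit permits for ND neighbor solicitation and advertisement followed by an implicit deny; an explicit final deny (added here to get logging, which the guide supports for router ACLs) matches before those implicit permits and would break ND on the VLAN unless ND is permitted explicitly.

```cisco
! Added example (not from the guide). VLAN 20 and 2001:db8:20::/64 are assumed.
Switch(config)# ipv6 access-list CISCO
! Entries described in the text: destination TCP port > 5000, source UDP port < 5000
Switch(config-ipv6-acl)# deny tcp any any gt 5000
Switch(config-ipv6-acl)# deny udp any lt 5000 any
! Keep neighbor discovery alive before the explicit deny below
Switch(config-ipv6-acl)# permit icmp any any nd-ns
Switch(config-ipv6-acl)# permit icmp any any nd-na
! Allow the rest of the subnet's traffic to be routed
Switch(config-ipv6-acl)# permit ipv6 2001:db8:20::/64 any
! Explicit final deny with logging (router ACLs only; port ACLs cannot log)
Switch(config-ipv6-acl)# deny ipv6 any any log
Switch(config-ipv6-acl)# exit
! Router ACL: the Layer 3 interface needs an IPv6 address before the filter applies
Switch(config)# interface vlan 20
Switch(config-if)# ipv6 address 2001:db8:20::1/64
Switch(config-if)# ipv6 traffic-filter CISCO in
Switch(config-if)# end
Switch# show ipv6 access-list CISCO
```

The same list can be applied inbound on a Layer 2 port as a port ACL, where it filters every IPv6 packet entering the port rather than only routed packets, but the log keyword is then ignored; and, as the text notes, packets with hop-by-hop options are evaluated in software, so a flood of such packets is a CPU-load concern rather than a hardware one.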
Chapter 39 Configuring IPv6 ACLs Displaying IPv6 ACLs Displaying IPv6 ACLs You can display information about all configured access lists, all IPv6 access lists, or a specific access list by using one or more of the privileged EXEC commands in Table 39-1. Table 39-1 Commands for Displaying IPv6 Access List Information Command Purpose show access-lists Display all access lists configured on the switch.
Chapter 40 Configuring HSRP

This chapter describes how to use Hot Standby Router Protocol (HSRP) on the Catalyst 3560 switch to provide routing redundancy for routing IP traffic not dependent on the availability of any single router. To use HSRP for IPv6, see Chapter 37, “Configuring IPv6 Unicast Routing.” You can also use a version of HSRP in Layer 2 mode to configure a redundant command switch to take over cluster management if the cluster command switch fails.
Chapter 40 Configuring HSRP Understanding HSRP Note Routers in an HSRP group can be any router interface that supports HSRP, including Catalyst 3560 routed ports and switch virtual interfaces (SVIs). HSRP provides high network availability by providing redundancy for IP traffic from hosts on networks.
Figure 40-1 Typical HSRP Configuration: virtual router 172.20.128.1; Router A and Router B (active router and standby router) at 172.20.128.2 and 172.20.128.3; Hosts A, B, and C at 172.20.128.55, 172.20.128.32, and 172.20.130.5.

HSRP Versions
Cisco IOS Release 12.2(46)SE and later support these Hot Standby Router Protocol (HSRP) versions: • HSRPv1—Version 1 of the HSRP, the default version of HSRP.
Chapter 40 Configuring HSRP Configuring HSRP Multiple HSRP The switch supports Multiple HSRP (MHSRP), an extension of HSRP that allows load sharing between two or more HSRP groups. You can configure MHSRP to achieve load balancing and to use two or more standby groups (and paths) from a host network to a server network. In Figure 40-2, half the clients are configured for Router A, and half the clients are configured for Router B.
Chapter 40 Configuring HSRP Configuring HSRP • Configuring MHSRP, page 40-10 • Configuring HSRP Authentication and Timers, page 40-10 • Enabling HSRP Support for ICMP Redirect Messages, page 40-12 • Configuring HSRP Groups and Clustering, page 40-12 • Troubleshooting HSRP, page 40-12 Default HSRP Configuration Table 40-1 shows the default HSRP configuration.
Chapter 40 Configuring HSRP Configuring HSRP • In the configuration procedures, the specified interface must be a Layer 3 interface: – Routed port: a physical port configured as a Layer 3 port by entering the no switchport interface configuration command. – SVI: a VLAN interface created by using the interface vlan vlan_id global configuration command and by default a Layer 3 interface.
Step 3 standby version {1 | 2}: (Optional) Configure the HSRP version on the interface. • 1—Select HSRPv1. • 2—Select HSRPv2. If you do not enter this command or do not specify a keyword, the interface runs the default HSRP version, HSRPv1.
Step 4 standby [group-number] ip [ip-address [secondary]]: Create (or enable) the HSRP group using its number and virtual IP address.
Chapter 40 Configuring HSRP Configuring HSRP When configuring HSRP priority, follow these guidelines: • Assigning a priority allows you to select the active and standby routers. If preemption is enabled, the router with the highest priority becomes the active router. If priorities are equal, the current active router does not change. • The highest number (1 to 255) represents the highest priority (most likely to become the active router).
Step 4 standby [group-number] [priority priority] preempt [delay delay]: Configure the router to preempt, which means that when the local router has a higher priority than the active router, it assumes control as the active router. • (Optional) group-number—The group number to which the command applies. • (Optional) priority—Enter to set or change the group priority. The range is 1 to 255; the default is 100.
Chapter 40 Configuring HSRP Configuring HSRP Configuring MHSRP To enable MHSRP and load balancing, you configure two routers as active routers for their groups, with virtual routers as standby routers. This example shows how to enable the MHSRP configuration shown in Figure 40-2. You need to enter the standby preempt interface configuration command on each HSRP interface so that if a router fails and comes back up, the preemption occurs and restores load balancing.
Chapter 40 Configuring HSRP Configuring HSRP Beginning in privileged EXEC mode, use one or more of these steps to configure HSRP authentication and timers on an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and enter the HSRP interface on which you want to set authentication.
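The HSRP group, priority, preemption, authentication, and timer steps above applied to the two routers of Figure 40-1, as an added example that is not from the guide. The VLAN number, interface names, timer values, and the HSRP-GUARD port ACL are assumptions added here. The authentication string travels in the clear in every hello, so it only catches a misconfigured peer: any host on the VLAN that can send to UDP port 1985 can still advertise priority 255 and take over the virtual address. The port ACL keeps untrusted access ports from sourcing HSRP at all, which is the control that actually prevents that.

```cisco
! Added example (not from the guide). VLAN 10, port names and timers are assumed.
! Router A: preferred active router for group 1
SwitchA(config)# interface vlan 10
SwitchA(config-if)# ip address 172.20.128.2 255.255.255.0
SwitchA(config-if)# standby version 2
SwitchA(config-if)# standby 1 ip 172.20.128.1
SwitchA(config-if)# standby 1 priority 110
SwitchA(config-if)# standby 1 preempt
SwitchA(config-if)# standby 1 authentication hsrpkey1
! hello 1 s, hold 3 s: both routers must use the same values
SwitchA(config-if)# standby 1 timers 1 3
SwitchA(config-if)# end

! Router B: default priority 100, takes over only while A is down or decremented
SwitchB(config)# interface vlan 10
SwitchB(config-if)# ip address 172.20.128.3 255.255.255.0
SwitchB(config-if)# standby version 2
SwitchB(config-if)# standby 1 ip 172.20.128.1
SwitchB(config-if)# standby 1 preempt
SwitchB(config-if)# standby 1 authentication hsrpkey1
SwitchB(config-if)# standby 1 timers 1 3
SwitchB(config-if)# end

! On both switches: drop HSRP hellos arriving from host-facing access ports.
! HSRPv1 uses 224.0.0.2 and HSRPv2 uses 224.0.0.102, both on UDP 1985.
Switch(config)# ip access-list extended HSRP-GUARD
Switch(config-ext-nacl)# deny udp any host 224.0.0.2 eq 1985
Switch(config-ext-nacl)# deny udp any host 224.0.0.102 eq 1985
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# interface range gigabitethernet0/3 - 6
Switch(config-if-range)# ip access-group HSRP-GUARD in
Switch(config-if-range)# end
Switch# show standby vlan 10 1 brief
```

Both routers need standby preempt: without it on Router A, a reboot of A leaves B active indefinitely even though A has the higher priority, which is the same point the MHSRP section makes for load sharing.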
Chapter 40 Configuring HSRP Configuring HSRP Enabling HSRP Support for ICMP Redirect Messages In releases earlier than Cisco IOS Release 12.2(18)SE, ICMP (Internet Control Message Protocol) redirect messages were automatically disabled on interfaces configured with HSRP. ICMP is a network layer Internet protocol that provides message packets to report errors and other information relevant to IP processing. ICMP provides diagnostic functions, such as sending and directing error packets to the host.
Chapter 40 Configuring HSRP Displaying HSRP Configurations Displaying HSRP Configurations From privileged EXEC mode, use this command to display HSRP settings: show standby [interface-id [group]] [brief] [detail] You can display HSRP information for the whole switch, for a specific interface, for an HSRP group, or for an HSRP group on an interface. You can also specify whether to display a concise overview of HSRP information or detailed HSRP information. The default display is detail.
Chapter 41 Configuring Cisco IOS IP SLAs Operations

This chapter describes how to use Cisco IOS IP Service Level Agreements (SLAs) on the Catalyst 3560 switch. Cisco IP SLAs is a part of Cisco IOS software that allows Cisco customers to analyze IP service levels for IP applications and services by using active traffic monitoring—the generation of traffic in a continuous, reliable, and predictable manner—for measuring network performance.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Understanding Cisco IOS IP SLAs Depending on the specific Cisco IOS IP SLAs operation, various network performance statistics are monitored within the Cisco device and stored in both command-line interface (CLI) and Simple Network Management Protocol (SNMP) MIBs.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Understanding Cisco IOS IP SLAs Using Cisco IOS IP SLAs to Measure Network Performance You can use IP SLAs to monitor the performance between any area in the network—core, distribution, and edge—without deploying a physical probe. It uses generated traffic to measure network performance between two networking devices. Figure 41-1 shows how IP SLAs begins when the source device sends a generated packet to the destination device.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Understanding Cisco IOS IP SLAs IP SLAs Responder and IP SLAs Control Protocol The IP SLAs responder is a component embedded in the destination Cisco device that allows the system to anticipate and respond to IP SLAs request packets. The responder provides accurate measurements without the need for dedicated probes.
Figure 41-2 Cisco IOS IP SLAs Responder Time Stamping: the source router records T1 when the probe leaves and T4 when the reply returns; the responder on the target router records T2 on arrival and T3 on departure. Responder processing time = T3 - T2, and RTT (round-trip time) = (T4 - T1) - (T3 - T2).

An additional benefit of the two time stamps at the target device is the ability to track one-way delay, jitter, and directional packet loss. Because much network behavior is asynchronous, it is critical to have these statistics.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations • One-way mean opinion score (MOS) • One-way latency An IP SLAs threshold violation can also trigger another IP SLAs operation for further analysis. For example, the frequency could be increased or an ICMP path echo or ICMP path jitter operation could be initiated for troubleshooting. Determining the type of threshold and the level to set can be complex, and depends on the type of IP service being used in the network.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations For detailed descriptions and configuration procedures, see the Cisco IOS IP SLAs Configuration Guide, Release 12.4T at this URL: http://www.cisco.com/en/US/docs/ios/ipsla/configuration/guide/12_4t/sla_12_4t_book.html Note that not all of the IP SLAs commands or operations described in this guide are supported on the switch.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations Configuring the IP SLAs Responder The IP SLAs responder is available only on Cisco IOS software-based devices, including some Layer 2 switches that do not support full IP SLAs functionality, such as the Catalyst 2960 or the Cisco ME 2400 or IE 3000 switch.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations In addition to monitoring jitter, the IP SLAs UDP jitter operation can be used as a multipurpose data gathering operation. The packets IP SLAs generates carry packet sending and receiving sequence information and sending and receiving time stamps from the source and the operational target.
Step 3 udp-jitter {destination-ip-address | destination-hostname} destination-port [source-ip {ip-address | hostname}]: Configure the IP SLAs operation as a UDP jitter operation, and enter UDP jitter configuration mode. • destination-ip-address | destination-hostname—Specify the destination IP address or hostname.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations Command Purpose Step 7 end Return to privileged EXEC mode. Step 8 show ip sla configuration [operation-number] (Optional) Display configuration values, including all defaults for all IP SLAs operations or a specified operation. Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations Note This operation does not require the IP SLAs responder to be enabled. Beginning in privileged EXEC mode, follow these steps to configure an ICMP echo operation on the source device: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip sla operation-number Create an IP SLAs operation and enter IP SLAs configuration mode.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Monitoring IP SLAs Operations Command Purpose Step 8 show ip sla configuration [operation-number] (Optional) Display configuration values including all defaults for all IP SLAs operations or a specified operation. Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable the IP SLAs operation, enter the no ip sla operation-number global configuration command.
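The responder, UDP jitter, and ICMP echo procedures above as one worked pair of configurations (target and source), added here and not from the guide. Addresses, operation numbers, and the key chain name are assumed values. The responder opens listening ports on request of any source that speaks the IP SLAs control protocol, so this example also attaches a key chain on both sides; the ip sla key-chain command is standard IOS, and the show ip sla authentication command listed later in this chapter suggests it is accepted on this release, but that is an assumption to verify on the switch.

```cisco
! Added example (not from the guide). 10.1.1.1 (source), 10.1.1.2 (target),
! operation numbers and the key chain name are assumed.
! Target switch: responder plus control-message authentication
Target(config)# key chain IPSLA
Target(config-keychain)# key 1
Target(config-keychain-key)# key-string ipslasecret
Target(config-keychain-key)# exit
Target(config-keychain)# exit
Target(config)# ip sla key-chain IPSLA
Target(config)# ip sla responder
Target(config)# end

! Source switch: same key chain, one UDP jitter and one ICMP echo operation
Source(config)# key chain IPSLA
Source(config-keychain)# key 1
Source(config-keychain-key)# key-string ipslasecret
Source(config-keychain-key)# exit
Source(config-keychain)# exit
Source(config)# ip sla key-chain IPSLA
! UDP jitter needs the responder on the target
Source(config)# ip sla 10
Source(config-ip-sla)# udp-jitter 10.1.1.2 5000 source-ip 10.1.1.1
Source(config-ip-sla-jitter)# frequency 30
Source(config-ip-sla-jitter)# exit
! ICMP echo does not need the responder
Source(config)# ip sla 20
Source(config-ip-sla)# icmp-echo 10.1.1.2 source-ip 10.1.1.1
Source(config-ip-sla-echo)# frequency 30
Source(config-ip-sla-echo)# exit
! Nothing runs until the operation is scheduled
Source(config)# ip sla schedule 10 life forever start-time now
Source(config)# ip sla schedule 20 life forever start-time now
Source(config)# end
Source# show ip sla configuration 10
Source# show ip sla statistics 10
Source# show ip sla authentication
```

Keep the frequency well above the operation's timeout so probes never overlap, and treat the responder as a service: it should only be enabled on devices that are meant to be measured, because each responder is a reachable UDP listener that answers traffic generated by any configured source.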
Table 41-1 Monitoring IP SLAs Operations
show ip sla application: Display global information about Cisco IOS IP SLAs.
show ip sla authentication: Display IP SLAs authentication information.
show ip sla configuration [entry-number]: Display configuration values including all defaults for all IP SLAs operations or a specific operation.
Chapter 42 Configuring Enhanced Object Tracking

This chapter describes how to configure enhanced object tracking on the Catalyst 3560 switch. This feature provides a more complete alternative to the Hot Standby Routing Protocol (HSRP) tracking mechanism, which allows you to track the line-protocol state of an interface. If the line protocol state of an interface goes down, the HSRP priority of the interface is reduced and another HSRP device with a higher priority becomes active.
Chapter 42 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Configuring Enhanced Object Tracking Features These sections describe configuring enhanced object tracking: • Default Configuration, page 42-2 • Tracking Interface Line-Protocol or IP Routing State, page 42-2 • Configuring a Tracked List, page 42-3 • Configuring HSRP Object Tracking, page 42-7 • Configuring Other Tracking Characteristics, page 42-8 • Configuring IP SLAs Object Tracking, page 42-9 •
Step 6 delay {up seconds [down seconds] | [up seconds] down seconds}: (Optional) Specify a period of time in seconds to delay communicating state changes of a tracked object. The range is from 1 to 180 seconds.
Step 7 end: Return to privileged EXEC mode.
Step 8 show track object-number: Verify that the specified objects are being tracked.
Chapter 42 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Beginning in privileged EXEC mode, follow these steps to configure a tracked list of objects with a Boolean expression: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 track track-number list boolean {and | or} Configure a tracked list object, and enter tracking configuration mode. The track-number can be from 1 to 500.
Chapter 42 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Beginning in privileged EXEC mode, follow these steps to configure a tracked list of objects by using a weight threshold and to configure a weight for each object: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 track track-number list threshold weight Configure a tracked list object and enter tracking configuration mode. The track-number can be from 1 to 500.
Chapter 42 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Beginning in privileged EXEC mode, follow these steps to configure a tracked list of objects by using a percentage threshold: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 track track-number list threshold percentage Configure a tracked list object and enter tracking configuration mode. The track-number can be from 1 to 500.
Chapter 42 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Configuring HSRP Object Tracking Beginning in privileged EXEC mode, follow these steps to configure a standby HSRP group to track an object and change the HSRP priority based on the object state: Command Purpose Step 1 configure terminal Enter global configuration mode.
Step 6 standby [group-number] track object-number [decrement [priority-decrement]]: Configure HSRP to track an object and change the hot standby priority based on the state of the object. • (Optional) group-number—Enter the group number to which the tracking applies. • object-number—Enter a number representing the object to be tracked. The range is from 1 to 500; the default is 1.
Configuring IP SLAs Object Tracking
Cisco IOS IP Service Level Agreements (IP SLAs) is a network performance measurement and diagnostics tool that uses active monitoring by generating traffic to measure network performance. Cisco IP SLAs operations collect real-time metrics that you can use for network troubleshooting, design, and analysis.
  Latest operation return code: over threshold
  Latest RTT (millisecs) 4
  Tracked by:
    HSRP Ethernet0/1 3

This example output shows whether a route is reachable:

Switch(config)# track 3 500 reachability
Switch(config)# end
Switch# show track 3
Track 3
  Response Time Reporter 1 reachability
  Reachability is Up
    1 change, last change 00:00:47
  Latest operation return code: over threshold
  Latest RTT (millisecs) 4
  Tracked b
Chapter 42 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Command Purpose Step 3 description string Add a description to the interface. Step 4 ip address ip-address mask [secondary] Set the primary or secondary IP address for the interface. Step 5 exit Return to global configuration mode.
Chapter 42 Configuring Enhanced Object Tracking Monitoring Enhanced Object Tracking Step 11 show track object-number Display tracking information to verify the configuration. Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file. Configuring a Routing Policy and Default Route Beginning in privileged EXEC mode, follow these steps to configure a routing policy for backup static routing by using object tracking.
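The tracked-list, HSRP object tracking, and backup static routing procedures in this chapter as one worked configuration, added here and not taken from the guide. Interface names, the 10.0.0.0/24 prefix, next-hop addresses, and the track numbers are assumed; the ip route ... track form and IP-route reachability tracking are standard IOS and are assumed to be accepted on this release. The HSRP priority values continue the Chapter 40 example (Router A at 110, Router B at 100): the decrement must be larger than the priority gap, otherwise the failure is detected but no failover happens.

```cisco
! Added example (not from the guide). Interfaces, prefixes, next hops and
! track numbers are assumed.
! Object 1: physical state of the uplink, debounced so a flap does not
! bounce HSRP (down after 5 s, up after 10 s)
Switch(config)# track 1 interface gigabitethernet0/1 line-protocol
Switch(config-track)# delay up 10 down 5
Switch(config-track)# exit
! Object 2: is there a route to the upstream network at all?
Switch(config)# track 2 ip route 10.0.0.0/24 reachability
Switch(config-track)# exit
! Object 10: both must be up for the list to be up
Switch(config)# track 10 list boolean and
Switch(config-track)# object 1
Switch(config-track)# object 2
Switch(config-track)# exit
! HSRP on Router A (priority 110): drop by 20 so it falls below B's 100
Switch(config)# interface vlan 10
Switch(config-if)# standby 1 track 10 decrement 20
Switch(config-if)# exit
! Backup default route: primary stays installed only while object 1 is up;
! the floating static (distance 254) takes over when it is withdrawn
Switch(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1 track 1
Switch(config)# ip route 0.0.0.0 0.0.0.0 10.1.2.1 254
Switch(config)# end
Switch# show track brief
Switch# show track 10
Switch# show ip route 0.0.0.0
```

Router B needs standby preempt for the decrement to have any effect, because a priority drop on the active router does not by itself cause a standby router without preemption to take over.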
Table 42-1 Commands for Displaying Tracking Information (continued)
show track brief: Display a single line of tracking information output.
show track interface [brief]: Display information about tracked interface objects.
show track ip [object-number] [brief] route: Display information about tracked IP-route objects.
show track resolution: Display the resolution of tracked parameters.
Chapter 43 Configuring Web Cache Services By Using WCCP

This chapter describes how to configure your Catalyst 3560 switch to redirect traffic to wide-area application engines (such as the Cisco Cache Engine 550) by using the Web Cache Communication Protocol (WCCP). This software release supports only WCCP version 2 (WCCPv2).
Chapter 43 Configuring Web Cache Services By Using WCCP Understanding WCCP WCCP enables supported Cisco routers and switches to transparently redirect content requests. With transparent redirection, users do not have to configure their browsers to use a web proxy. Instead, they can use the target URL to request content, and their requests are automatically redirected to an application engine.
Chapter 43 Configuring Web Cache Services By Using WCCP Understanding WCCP WCCP Negotiation In the exchange of WCCP protocol messages, the designated application engine and the WCCP-enabled switch negotiate these items: • Forwarding method (the method by which the switch forwards packets to the application engine). The switch rewrites the Layer 2 header by replacing the packet destination MAC address with the target application engine MAC address. It then forwards the packet to the application engine.
Chapter 43 Configuring Web Cache Services By Using WCCP Understanding WCCP You can configure up to 8 service groups on a switch or switch stack and up to 32 cache engines per service group. WCCP maintains the priority of the service group in the group definition. WCCP uses the priority to configure the service groups in the switch hardware.
Chapter 43 Configuring Web Cache Services By Using WCCP Configuring WCCP Configuring WCCP These sections describe how to configure WCCP on your switch: • Default WCCP Configuration, page 43-5 • WCCP Configuration Guidelines, page 43-5 • Enabling the Web Cache Service, page 43-6 (required) Default WCCP Configuration Table 43-1 shows the default WCCP configuration. Table 43-1 Default WCCP Configuration Feature Default Setting WCCP enable state WCCP services are disabled.
Chapter 43 Configuring Web Cache Services By Using WCCP Configuring WCCP • You cannot configure WCCP and a private VLAN (PVLAN) on the same switch interface. Enabling the Web Cache Service For WCCP packet redirection to operate, you must configure the switch interface connected to the client to redirect inbound packets. This procedure shows how to configure these features on routed ports. To configure these features on SVIs, see the configuration examples that follow the procedure.
Chapter 43 Configuring Web Cache Services By Using WCCP Configuring WCCP Command Purpose Step 6 no shutdown Enable the interface. Step 7 exit Return to global configuration mode. Repeat Steps 3 through 7 for each application engine and web server. Step 8 interface interface-id Specify the interface connected to the client, and enter interface configuration mode. Step 9 no switchport Enter Layer 3 mode. Step 10 ip address ip-address subnet-mask Configure the IP address and subnet mask.
Switch(config-if)# ip address 175.20.30.20 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# ip wccp web-cache redirect in
Switch(config-if)# exit
Switch(config)# interface gigabitethernet0/4
Switch(config-if)# no switchport
Switch(config-if)# ip address 175.20.40.30 255.255.255.
Switch(config-if)# ip wccp web-cache redirect in
Switch(config-if)# exit
Switch(config)# interface range gigabitethernet0/3 - 6
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 301
Switch(config-if-range)# exit

Monitoring and Maintaining WCCP
To monitor and maintain WCCP, use one or more of the privileged EXEC commands in Table 43-2:
Table 43-2 Commands for Monitoring an
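A hardened version of the web-cache service enable step, added here as an example that is not the guide's own listing. The examples in the text enable the service with a bare ip wccp web-cache, which lets any device that sends WCCPv2 Here_I_Am messages to the switch register as a cache and receive the redirected HTTP traffic of every client. The group-list and password options shown here are standard IOS WCCPv2 options and are assumed to be accepted on this release; the application engine address, the client subnet, and the ACL numbers are assumed values.

```cisco
! Added example (not from the guide). 175.20.30.2 (application engine),
! 175.20.40.0/24 (clients) and the ACL numbers are assumed.
! Only this engine may join the web-cache service group
Switch(config)# access-list 10 permit host 175.20.30.2
! Only client HTTP traffic is redirected; everything else is routed normally
Switch(config)# access-list 120 permit tcp 175.20.40.0 0.0.0.255 any eq www
! Membership restricted by ACL 10, messages authenticated with a shared password
Switch(config)# ip wccp web-cache group-list 10 redirect-list 120 password wccpsecret
! Client-facing routed port: redirect inbound packets
Switch(config)# interface gigabitethernet0/4
Switch(config-if)# no switchport
Switch(config-if)# ip address 175.20.40.30 255.255.255.0
Switch(config-if)# ip wccp web-cache redirect in
Switch(config-if)# no shutdown
Switch(config-if)# end
Switch# show ip wccp web-cache detail
```

The password check is a message-level shared secret, not encryption, so it protects the service group against a stray or rogue engine registering itself; it does not protect the redirected client traffic, which still crosses the switch to the engine in the clear.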
Chapter 44 Configuring IP Multicast Routing

This chapter describes how to configure IP multicast routing on the Catalyst 3560 switch. IP multicasting is a more efficient way to use network resources, especially for bandwidth-intensive services such as audio and video. IP multicast routing enables a host (source) to send packets to a group of hosts (receivers) anywhere within the IP network by using a special form of IP address called the IP multicast group address.
Chapter 44 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing The Cisco IOS software supports these protocols to implement IP multicast routing: • Internet Group Management Protocol (IGMP) is used among hosts on a LAN and the routers (and multilayer switches) on that LAN to track the multicast groups of which hosts are members.
Chapter 44 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing Understanding IGMP To participate in IP multicasting, multicast hosts, routers, and multilayer switches must have the IGMP operating. This protocol defines the querier and host roles: • A querier is a network device that sends query messages to discover which network devices are members of a given multicast group.
Chapter 44 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing Understanding PIM PIM is called protocol-independent: regardless of the unicast routing protocols used to populate the unicast routing table, PIM uses this information to perform multicast forwarding instead of maintaining a separate multicast routing table. PIM is defined in RFC 2362, Protocol-Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification.
Chapter 44 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing When a new receiver on a previously pruned branch of the tree joins a multicast group, the PIM DM device detects the new receiver and immediately sends a graft message up the distribution tree toward the source.
Chapter 44 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing The PIM stub feature is enforced in the IP base image. If you upgrade to a higher software version, the PIM stub configuration remains until you reconfigure the interfaces. In Figure 44-2, Switch A routed uplink port 25 is connected to the router and PIM stub routing is enabled on the VLAN 100 interfaces and on Host 3.
Chapter 44 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing Mapping agents periodically multicast the contents of their Group-to-RP mapping caches. Thus, all routers and switches automatically discover which RP to use for the groups that they support.
Chapter 44 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing 3. If the RPF check fails, the packet is discarded. Some multicast routing protocols, such as DVMRP, maintain a separate multicast routing table and use it for the RPF check. However, PIM uses the unicast routing table to perform the RPF check. Figure 44-3 shows port 2 receiving a multicast packet from source 151.10.3.21.
Chapter 44 Configuring IP Multicast Routing Configuring IP Multicast Routing Cisco routers and multilayer switches run PIM and can forward multicast packets to and receive from a DVMRP neighbor. It is also possible to propagate DVMRP routes into and through a PIM cloud. The software propagates DVMRP routes and builds a separate database for these routes on each router and multilayer switch, but PIM uses this routing information to make the packet-forwarding decision.
• Using Auto-RP and a BSR, page 44-33 (required for non-Cisco PIMv2 devices to interoperate with Cisco PIM v1 devices)
• Monitoring the RP Mapping Information, page 44-33 (optional)
• Troubleshooting PIMv1 and PIMv2 Interoperability Problems, page 44-34 (optional)
Default Multicast Routing Configuration
Table 44-2 shows the default multicast routing configuration.
Chapter 44 Configuring IP Multicast Routing Configuring IP Multicast Routing a proprietary Cisco protocol. PIMv2 is a standards track protocol in the IETF. We recommend that you use PIMv2. The BSR mechanism interoperates with Auto-RP on Cisco routers and multilayer switches. For more information, see the “Auto-RP and BSR Configuration Guidelines” section on page 44-11. When PIMv2 devices interoperate with PIMv1 devices, Auto-RP should have already been deployed.
Chapter 44 Configuring IP Multicast Routing Configuring IP Multicast Routing You can configure an interface to be in PIM dense mode, sparse mode, or sparse-dense mode. The switch populates its multicast routing table and forwards multicast packets it receives from its directly connected LANs according to the mode setting. You must enable PIM in one of these modes for an interface to perform IP multicast routing. Enabling PIM on an interface also enables IGMP operation on that interface.
Chapter 44 Configuring IP Multicast Routing Configuring IP Multicast Routing Step 5 Command Purpose ip pim {dense-mode | sparse-mode | sparse-dense-mode} Enable a PIM mode on the interface. By default, no mode is configured. The keywords have these meanings: • dense-mode—Enables dense mode of operation. • sparse-mode—Enables sparse mode of operation. If you configure sparse mode, you must also configure an RP. For more information, see the “Configuring a Rendezvous Point” section on page 44-23.
How SSM Differs from Internet Standard Multicast
The current IP multicast infrastructure in the Internet and many enterprise intranets is based on the PIM-SM protocol and Multicast Source Discovery Protocol (MSDP). These protocols have the limitations of the Internet Standard Multicast (ISM) service model.
• No MSDP source-active (SA) messages within the SSM range are accepted, generated, or forwarded.
IGMPv3 Host Signalling
In IGMPv3, hosts signal membership to last hop routers of multicast groups. Hosts can signal group membership with filtering capabilities with respect to sources.
State Maintenance Limitations
In PIM-SSM, the last hop router continues to periodically send (S, G) join messages if appropriate (S, G) subscriptions are on the interfaces. Therefore, as long as receivers send (S, G) subscriptions, the shortest path tree (SPT) state from the receivers to the source is maintained, even if the source does not send traffic for longer periods of time (or even never).
• Configuration Guidelines, page 44-17
• SSM Mapping Overview, page 44-17
• Configuring SSM Mapping, page 44-19
• Monitoring SSM Mapping, page 44-21
Configuration Guidelines
These are the SSM mapping configuration guidelines:
• Before you configure SSM mapping, enable IP multicast routing, enable PIM sparse mode, and configure SSM.
SSM mapping enables the last hop router to determine the source addresses either by a statically configured table on the router or through a DNS server. When the statically configured table or the DNS mapping changes, the router leaves the current sources associated with the joined groups. Go to this URL for additional information on SSM mapping: http://www.cisco.
switchover mechanism. One video source is active, and the other backup video source is passive. The passive source waits until an active source failure is detected before sending the video traffic for the TV channel. Thus, the server-side switchover mechanism ensures that only one of the servers is actively sending video traffic for the TV channel.
Step 6: end
Purpose: Return to privileged EXEC mode.
Step 7: show running-config
Purpose: Verify your entries.
Step 8: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
Go to this URL to see SSM mapping configuration examples: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a6d6f.
Beginning in privileged EXEC mode, follow these steps to configure static traffic forwarding with SSM mapping:
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: interface type number
Purpose: Select an interface on which to statically forward traffic for a multicast group using SSM mapping, and enter interface configuration mode.
Configuring PIM Stub Routing
The PIM stub routing feature supports multicast routing between the distribution layer and the access layer. It supports two types of PIM interfaces: uplink PIM interfaces and PIM passive interfaces. A routed interface configured with the PIM passive mode does not pass or forward PIM control traffic; it only passes and forwards IGMP traffic.
Switch(config)# interface vlan100
Switch(config-if)# ip pim passive
Switch(config-if)# exit
Switch(config)# interface GigabitEthernet0/20
Switch(config-if)# ip pim passive
Switch(config-if)# exit
Switch(config)# interface vlan100
Switch(config-if)# ip address 100.1.1.1 255.255.255.
Senders of multicast traffic announce their existence through register messages received from the source first-hop router (designated router) and forwarded to the RP. Receivers of multicast packets use RPs to join a multicast group by using explicit join messages. RPs are not members of the multicast group; rather, they serve as a meeting place for multicast sources and group members.
To remove an RP address, use the no ip pim rp-address ip-address [access-list-number] [override] global configuration command. This example shows how to configure the address of the RP to 147.106.6.22 for multicast group 225.2.2.2 only:
Switch(config)# access-list 1 permit 225.2.2.2 0.0.0.0
Switch(config)# ip pim rp-address 147.106.6.
Beginning in privileged EXEC mode, follow these steps to deploy Auto-RP in an existing sparse-mode cloud. This procedure is optional.
Step 1: show running-config
Purpose: Verify that a default RP is already configured on all PIM devices and the RP in the sparse-mode network. It was previously configured with the ip pim rp-address global configuration command.
Step 5: ip pim send-rp-discovery scope ttl
Purpose: Find a switch whose connectivity is not likely to be interrupted, and assign it the role of RP-mapping agent. For scope ttl, specify the time-to-live value in hops to limit the RP discovery packets. All devices within the hop count from the source device receive the Auto-RP discovery messages.
Filtering Incoming RP Announcement Messages
You can add configuration commands to the mapping agents to prevent a maliciously configured router from masquerading as a candidate RP and causing problems. Beginning in privileged EXEC mode, follow these steps to filter incoming RP announcement messages. This procedure is optional.
Step 1: configure terminal
Purpose: Enter global configuration mode.
This example shows a sample configuration on an Auto-RP mapping agent that is used to prevent candidate RP announcements from being accepted from unauthorized candidate RPs:
Switch(config)# ip pim rp-announce-filter rp-list 10 group-list 20
Switch(config)# access-list 10 permit host 172.16.5.1
Switch(config)# access-list 10 permit host 172.16.2.1
Switch(config)# access-list 20 deny 239.0.0.0 0.0.255.
To remove the PIM border, use the no ip pim bsr-border interface configuration command.
Figure 44-5 Constraining PIMv2 BSR Messages (figure labels: PIMv2 sparse-mode network, Layer 3 switch, BSR, BSR messages, Neighboring PIMv2 domain; the callouts read “Configure the ip pim bsr-border command on this interface” at each interface facing a neighboring PIMv2 domain)
To remove the boundary, use the no ip multicast boundary interface configuration command. This example shows a portion of an IP multicast boundary configuration that denies Auto-RP information:
Switch(config)# access-list 1 deny 224.0.1.39
Switch(config)# access-list 1 deny 224.0.1.
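Both the mapping-agent announcement filter and the multicast boundary above rest on IOS standard-ACL matching (first match wins, implicit deny at the end). The following Python is an added example, not code from the Cisco guide: it parses the access-list lines quoted on this page (plus constructed permit entries and the well-known RP-discovery group 224.0.1.40, which the truncated boundary example does not show) and applies a simplified model of the two checks. The acceptance rule for RP-Announce messages is an assumption for illustration, not a description of IOS internals.

```python
"""Model of IOS standard-ACL matching behind 'ip pim rp-announce-filter' and
'ip multicast boundary'. Added example; not from the Cisco guide."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    address: int     # address field of the entry, as an integer
    wildcard: int    # IOS wildcard mask: 1 bits are "don't care", 0 bits must match

    def matches(self, ip: IPv4Address) -> bool:
        # OR-ing the wildcard into both sides hides the don't-care bits.
        return (int(ip) | self.wildcard) == (self.address | self.wildcard)


def parse_acls(config: str) -> Dict[int, List[AclEntry]]:
    """Collect 'access-list N {permit|deny} ...' lines from IOS config text."""
    acls: Dict[int, List[AclEntry]] = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue  # e.g. the 'ip pim rp-announce-filter' line itself
        number, action = int(tokens[1]), tokens[2]
        if tokens[3] == "host":            # host A.B.C.D == A.B.C.D 0.0.0.0
            address, wildcard = tokens[4], "0.0.0.0"
        elif tokens[3] == "any":           # any == 0.0.0.0 255.255.255.255
            address, wildcard = "0.0.0.0", "255.255.255.255"
        else:                              # A.B.C.D [wildcard]; omitted wildcard = host
            address = tokens[3]
            wildcard = tokens[4] if len(tokens) > 4 else "0.0.0.0"
        acls.setdefault(number, []).append(
            AclEntry(action, int(IPv4Address(address)), int(IPv4Address(wildcard))))
    return acls


def acl_permits(entries: List[AclEntry], ip: IPv4Address) -> bool:
    """First matching entry decides; a standard ACL ends with an implicit deny."""
    for entry in entries:
        if entry.matches(ip):
            return entry.action == "permit"
    return False


def rp_announce_accepted(acls: Dict[int, List[AclEntry]], rp_list: int,
                         group_list: int, rp_address: str,
                         groups: List[str]) -> bool:
    """Simplified model (assumption): the mapping agent keeps an RP-Announce only
    if the candidate RP address passes rp-list and every announced group range
    (given here by its first address) passes group-list."""
    if not acl_permits(acls[rp_list], IPv4Address(rp_address)):
        return False
    return all(acl_permits(acls[group_list], IPv4Address(g)) for g in groups)


def boundary_blocks(acls: Dict[int, List[AclEntry]], acl_number: int,
                    group: str) -> bool:
    """'ip multicast boundary <acl>': a group the ACL does not permit cannot
    enter or leave the interface."""
    return not acl_permits(acls[acl_number], IPv4Address(group))


# Constructed mapping-agent configuration: the lines quoted on the page, plus a
# final permit in each list so that some groups pass. 224.0.1.40 is the
# well-known Auto-RP discovery group, not shown in the page's truncated example.
MAPPING_AGENT_CONFIG = """
ip pim rp-announce-filter rp-list 10 group-list 20
access-list 10 permit host 172.16.5.1
access-list 10 permit host 172.16.2.1
access-list 20 deny 239.0.0.0 0.0.255.255
access-list 20 permit 224.0.0.0 15.255.255.255
access-list 1 deny 224.0.1.39
access-list 1 deny 224.0.1.40
access-list 1 permit 224.0.0.0 15.255.255.255
"""

if __name__ == "__main__":
    acls = parse_acls(MAPPING_AGENT_CONFIG)
    # Authorized RP announcing a normal group range: accepted.
    print(rp_announce_accepted(acls, 10, 20, "172.16.5.1", ["224.1.1.0"]))
    # Unlisted router claiming to be an RP: dropped by rp-list 10.
    print(rp_announce_accepted(acls, 10, 20, "172.16.9.9", ["224.1.1.0"]))
    # Auto-RP groups stopped at the boundary; an ordinary group passes.
    print(boundary_blocks(acls, 1, "224.0.1.39"), boundary_blocks(acls, 1, "239.1.1.1"))
```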
Configuring Candidate RPs
You can configure one or more candidate RPs. Similar to BSRs, the RPs should also have good connectivity to other devices and be in the backbone portion of the network. An RP can serve the entire IP multicast address space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR.
This example shows how to configure the switch to advertise itself as a candidate RP to the BSR in its PIM domain. Standard access list number 4 specifies the group prefix associated with the RP that has the address identified by a port. That RP is responsible for the groups with the prefix 239.
Switch(config)# ip pim rp-candidate gigabitethernet0/2 group-list 4
Switch(config)# access-list 4 permit 239.0.0.0 0.255.255.
Configuring Advanced PIM Features
Troubleshooting PIMv1 and PIMv2 Interoperability Problems
When debugging interoperability problems between PIMv1 and PIMv2, check these in the order shown:
1. Verify RP mapping with the show ip pim rp-hash privileged EXEC command, making sure that all systems agree on the same RP for the same group.
2. Verify interoperability between different versions of DRs and RPs.
This process describes the move from a shared tree to a source tree:
1. A receiver joins a group; leaf Router C sends a join message toward the RP.
2. The RP puts a link to Router C in its outgoing interface list.
3. A source sends data; Router A encapsulates the data in a register message and sends it to the RP.
4. The RP forwards the data down the shared tree to Router C and sends a join message toward the source.
Beginning in privileged EXEC mode, follow these steps to configure a traffic rate threshold that must be reached before multicast routing is switched from the source tree to the shortest-path tree. This procedure is optional.
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: access-list access-list-number {deny | permit} source [source-wildcard]
Purpose: Create a standard access list.
Configuring Optional IGMP Features
With PIM DM operation, the DR has meaning only if IGMPv1 is in use. IGMPv1 does not have an IGMP querier election process, so the elected DR functions as the IGMP querier. With PIM SM operation, the DR is the device that is directly connected to the multicast source. It sends PIM register messages to notify the RP that multicast traffic from a source needs to be forwarded down the shared tree.
Default IGMP Configuration
Table 44-4 shows the default IGMP configuration.
Table 44-4 Default IGMP Configuration (Feature: Default Setting)
Multilayer switch as a member of a multicast group: No group memberships are defined.
Access to multicast groups: All groups are allowed on an interface.
IGMP version: Version 2 on all interfaces.
IGMP host-query message interval: 60 seconds on all interfaces.
This example shows how to enable the switch to join multicast group 255.2.2.2:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip igmp join-group 255.2.2.2
Controlling Access to IP Multicast Groups
The switch sends IGMP host-query messages to find which multicast groups have members on attached local networks. The switch then forwards to these group members all packets addressed to the multicast group.
Changing the IGMP Version
By default, the switch uses IGMP Version 2, which provides features such as the IGMP query timeout and the maximum query response time. All systems on the subnet must support the same version. The switch does not automatically detect Version 1 systems and switch to Version 1.
Beginning in privileged EXEC mode, follow these steps to modify the host-query interval. This procedure is optional.
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: interface interface-id
Purpose: Specify the interface to be configured, and enter interface configuration mode.
Changing the Maximum Query Response Time for IGMPv2
If you are using IGMPv2, you can change the maximum query response time advertised in IGMP queries. The maximum query response time enables the switch to quickly detect that there are no more directly connected group members on a LAN. Decreasing the value enables the switch to prune groups faster.
Configuring Optional Multicast Routing Features
Step 4: end
Purpose: Return to privileged EXEC mode.
Step 5: show ip igmp interface [interface-id]
Purpose: Verify your entries.
Step 6: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
To remove the switch as a member of the group, use the no ip igmp static-group group-address interface configuration command.
Step 3: ip cgmp [proxy]
Purpose: Enable CGMP on the interface. By default, CGMP is disabled on all interfaces. Enabling CGMP triggers a CGMP join message. Enable CGMP only on Layer 3 interfaces connected to Layer 2 Catalyst switches. (Optional) When you enter the proxy keyword, the CGMP proxy function is enabled.
Enabling sdr Listener Support
By default, the switch does not listen to session directory advertisements. Beginning in privileged EXEC mode, follow these steps to enable the switch to join the default session directory group (224.2.127.254) on the interface and listen to session directory advertisements. This procedure is optional.
Step 1: configure terminal
Purpose: Enter global configuration mode.
administratively-scoped boundary on a routed interface, multicast traffic whose multicast group addresses fall in this range cannot enter or exit this interface, thereby providing a firewall for multicast traffic in this address range.
Note: Multicast boundaries and TTL thresholds control the scoping of multicast domains; however, TTL thresholds are not supported by the switch.
Configuring Basic DVMRP Interoperability Features
Beginning in privileged EXEC mode, follow these steps to set up an administratively-scoped boundary. This procedure is optional.
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: access-list access-list-number {deny | permit} source [source-wildcard]
Purpose: Create a standard access list, repeating the command as many times as necessary.
Configuring DVMRP Interoperability
Cisco multicast routers and multilayer switches using PIM can interoperate with non-Cisco multicast routers that use DVMRP. PIM devices dynamically discover DVMRP multicast routers on attached networks by listening to DVMRP probe messages.
Step 4: ip dvmrp metric metric [list access-list-number] [[protocol process-id] | [dvmrp]]
Purpose: Configure the metric associated with a set of destinations for DVMRP reports.
• For metric, the range is 0 to 32. A value of 0 means that the route is not advertised. A value of 32 is equivalent to infinity (unreachable).
Configuring a DVMRP Tunnel
The software supports DVMRP tunnels to the MBONE. You can configure a DVMRP tunnel on a router or multilayer switch if the other end is running DVMRP. The software then sends and receives multicast packets through the tunnel. This strategy enables a PIM domain to connect to the DVMRP router when all routers on the path do not support multicast routing.
Step 9: ip dvmrp accept-filter access-list-number [distance] neighbor-list access-list-number
Purpose: Configure an acceptance filter for incoming DVMRP reports. By default, all destination reports are accepted with a distance of 0. Reports from all neighbors are accepted.
• For access-list-number, specify the access list number created in Step 2.
Configuring Advanced DVMRP Interoperability Features
Beginning in privileged EXEC mode, follow these steps to advertise network 0.0.0.0 to DVMRP neighbors on an interface. This procedure is optional.
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: interface interface-id
Purpose: Specify the interface that is connected to the DVMRP router, and enter interface configuration mode.
These sections contain this configuration information:
• Enabling DVMRP Unicast Routing, page 44-53 (optional)
• Rejecting a DVMRP Nonpruning Neighbor, page 44-54 (optional)
• Controlling Route Exchanges, page 44-55 (optional)
For information on basic DVMRP features, see the “Configuring Basic DVMRP Interoperability Features” section on page 44-47.
Rejecting a DVMRP Nonpruning Neighbor
By default, Cisco devices accept all DVMRP neighbors as peers, regardless of their DVMRP capability. However, some non-Cisco devices run old versions of DVMRP that cannot prune, so they continuously receive forwarded packets, wasting bandwidth. Figure 44-8 shows this scenario.
Figure 44-9 Router Rejects Nonpruning DVMRP Neighbor (figure labels: Source router or RP, Router A, Router B, Receiver, Layer 3 switch, Leaf nonpruning DVMRP device; the callouts read “Multicast traffic gets to receiver, not to leaf DVMRP device” and “Configure the ip dvmrp reject-non-pruners command on this interface”)
Note that the ip dvmrp reject-non-pruners interface configuration command prevents peering with neighbors only.
• Configuring a DVMRP Summary Address, page 44-57 (optional)
• Disabling DVMRP Autosummarization, page 44-59 (optional)
• Adding a Metric Offset to the DVMRP Route, page 44-59 (optional)
Limiting the Number of DVMRP Routes Advertised
By default, only 7000 DVMRP routes are advertised over an interface enabled to run DVMRP (that is, a DVMRP tunnel, an interface where a DVMRP neighbor has been discovered,
To return to the default setting, use the no ip dvmrp routehog-notification global configuration command. Use the show ip igmp interface privileged EXEC command to display a running count of routes. When the count is exceeded, *** ALERT *** is appended to the line.
Figure 44-10 Only Connected Unicast Routes Are Advertised by Default (figure: a switch connected to a DVMRP router; the DVMRP Report carries 151.16.0.0/16 m = 39, 172.34.15.0/24 m = 42, 202.13.3.0/24 m = 40, 176.32.10.0/24 m = 1, and 176.32.15.0/24 m = 1). The configuration shown in the figure:
interface tunnel 0
 ip unnumbered fa0/1
interface fastethernet 0/1
 ip addr 176.32.10.1 255.255.255.0
 ip pim dense-mode
interface fastethernet 0/2
 ip addr 176.32.15.1 255.255.255.
Disabling DVMRP Autosummarization
By default, the software automatically performs some level of DVMRP summarization. Disable this function if you want to advertise all routes, not just a summary. In some special cases, you can use the neighboring DVMRP router with all subnet information to better control the flow of multicast traffic in the DVMRP network.
Monitoring and Maintaining IP Multicast Routing
Step 3: ip dvmrp metric-offset [in | out] increment
Purpose: Change the metric added to DVMRP routes advertised in incoming reports. The keywords have these meanings:
• (Optional) in—Specifies that the increment value is added to incoming DVMRP reports and is reported in mrinfo replies.
Table 44-5 Commands for Clearing Caches, Tables, and Databases (continued) (Command: Purpose)
clear ip igmp group [group-name | group-address | interface]: Delete entries from the IGMP cache.
clear ip mroute {* | group [source]}: Delete entries from the IP multicast routing table.
clear ip pim auto-rp rp-address: Clear the auto-RP cache.
Table 44-6 Commands for Displaying System and Network Statistics (continued) (Command: Purpose)
show ip pim rp [group-name | group-address]: Display the RP routers associated with a sparse-mode multicast group. This command is available in all software images.
Chapter 45 Configuring MSDP
This chapter describes how to configure the Multicast Source Discovery Protocol (MSDP) on the Catalyst 3560 switch. The MSDP connects multiple Protocol-Independent Multicast sparse-mode (PIM-SM) domains. MSDP is not fully supported in this software release because of a lack of support for Multicast Border Gateway Protocol (MBGP), which works closely with MSDP. However, it is possible to create default peers that MSDP can operate with if MBGP is not running.
Understanding MSDP
MSDP depends heavily on the Border Gateway Protocol (BGP) or MBGP for interdomain operation. We recommend that you run MSDP in RPs in your domain that are RPs for sources sending to global groups to be announced to the Internet.
MSDP Operation
Figure 45-1 shows MSDP operating between two MSDP peers. PIM uses MSDP as the standard mechanism to register a source with the RP of a domain. When MSDP is configured, this sequence occurs.
Configuring MSDP
Figure 45-1 MSDP Running Between RP Peers (figure labels: MSDP peer, RP + MSDP peer, MSDP SA, Peer RPF flooding, TCP connection, BGP, Receiver, Register, Multicast (S,G) Join, PIM DR, Source, PIM sparse-mode domain)
MSDP Benefits
MSDP has these benefits:
• It breaks up the shared multicast distribution tree. You can make the shared tree local to your domain.
• Controlling Source Information that Your Switch Originates, page 45-8 (optional)
• Controlling Source Information that Your Switch Forwards, page 45-11 (optional)
• Controlling Source Information that Your Switch Receives, page 45-13 (optional)
• Configuring an MSDP Mesh Group, page 45-15 (optional)
• Shutting Down an MSDP Peer, page 45-15 (optional)
• Including a Bordering PIM Dense-Mode Region in MSDP, page 45-16 (optional)
• Configuring an Or
Figure 45-2 Default MSDP Peer Network (figure labels: Router C, Default MSDP peer, ISP C PIM domain, SA, 10.1.1.1, ISP A PIM domain, Customer PIM domain, Switch B, Router A)
Beginning in privileged EXEC mode, follow these steps to specify a default MSDP peer. This procedure is required.
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 3: ip prefix-list name [description string] | seq number {permit | deny} network length
Purpose: (Optional) Create a prefix list using the name specified in Step 2.
• (Optional) For description string, enter a description of up to 80 characters to describe this prefix list.
• For seq number, enter the sequence number of the entry. The range is 1 to 4294967294.
Step 4: ip msdp description {peer-name | peer-address} text
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: ip msdp cache-sa-state [list access-list-number]
Purpose: Enable the caching of source/group pairs (create an SA state). Those pairs that pass the access list are cached. For list access-list-number, the range is 100 to 199.
Requesting Source Information from an MSDP Peer
Local RPs can send SA requests and get immediate responses for all active sources for a given group. By default, the switch does not send any SA request messages to its MSDP peers when a new member joins a group and wants to receive multicast traffic. The new member waits to receive the next periodic SA message.
Redistributing Sources
SA messages originate on RPs to which sources have registered. By default, any source that registers with an RP is advertised. The A flag is set in the RP when a source is registered, which means the source is advertised in an SA unless it is filtered. Beginning in privileged EXEC mode, follow these steps to further restrict which registered sources are advertised. This procedure is optional.
Step 3: access-list access-list-number {deny | permit} source [source-wildcard]
Purpose: Create an IP standard access list, repeating the command as many times as necessary.
or
Step 3: access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
Purpose: Create an IP extended access list, repeating the command as many times as necessary.
Beginning in privileged EXEC mode, follow these steps to configure one of these options. This procedure is optional.
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: ip msdp filter-sa-request ip-address | name
Purpose: Filter all SA request messages from the specified MSDP peer.
Using a Filter
By creating a filter, you can perform one of these actions:
• Filter all source/group pairs
• Specify an IP extended access list to pass only certain source/group pairs
• Filter based on match criteria in a route map
Beginning in privileged EXEC mode, follow these steps to apply a filter. This procedure is optional.
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 5: show running-config
Purpose: Verify your entries.
Step 6: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
To remove the filter, use the no ip msdp sa-filter out {ip-address | name} [list access-list-number] [route-map map-tag] global configuration command. This example shows how to allow only (S,G) pairs that pass access list 100 to be forwarded in an SA message to the peer named switch.cisco.
You can perform one of these actions:
• Filter all incoming SA messages from an MSDP peer
• Specify an IP extended access list to pass certain source/group pairs
• Filter based on match criteria in a route map
Beginning in privileged EXEC mode, follow these steps to apply a filter. This procedure is optional.
Step 1: configure terminal
Purpose: Enter global configuration mode.
To remove the filter, use the no ip msdp sa-filter in {ip-address | name} [list access-list-number] [route-map map-tag] global configuration command. This example shows how to filter all SA messages from the peer named switch.cisco.com:
Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet0/1
Switch(config)# ip msdp sa-filter in switch.cisco.
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: ip msdp shutdown {peer-name | peer address}
Purpose: Administratively shut down the specified MSDP peer without losing configuration information. For peer-name | peer address, enter the IP address or name of the MSDP peer to shut down.
Step 3: end
Purpose: Return to privileged EXEC mode.
Step 4: show running-config
Purpose: Verify your entries.
Note that the ip msdp originator-id global configuration command also identifies an interface to be used as the RP address. If both the ip msdp border sa-address and the ip msdp originator-id global configuration commands are configured, the address derived from the ip msdp originator-id command specifies the RP address.
Monitoring and Maintaining MSDP
To monitor MSDP SA messages, peers, state, or peer status, use one or more of the privileged EXEC commands in Table 45-1:
Table 45-1 Commands for Monitoring and Maintaining MSDP (Command: Purpose)
debug ip msdp [peer-address | name] [detail] [routes]: Debugs an MSDP activity.
debug ip msdp resets: Debugs MSDP peer reset reasons.
Chapter 46 Configuring Fallback Bridging
This chapter describes how to configure fallback bridging (VLAN bridging) on the Catalyst 3560 switch. With fallback bridging, you can forward non-IP packets that the switch does not route between VLAN bridge domains and routed ports.
Note: To use this feature, the switch must be running the IP services image (formerly known as the enhanced multilayer image [EMI]).
Chapter 46 Configuring Fallback Bridging Configuring Fallback Bridging Fallback bridging does not allow the spanning trees from the VLANs being bridged to collapse. Each VLAN has its own spanning-tree instance and a separate spanning tree, called the VLAN-bridge spanning tree, which runs on top of the bridge group to prevent loops. The switch creates a VLAN-bridge spanning-tree instance when a bridge group is created.
Chapter 46 Configuring Fallback Bridging Configuring Fallback Bridging • Creating a Bridge Group, page 46-3 (required) • Adjusting Spanning-Tree Parameters, page 46-5 (optional) Default Fallback Bridging Configuration Table 46-1 shows the default fallback bridging configuration. Table 46-1 Default Fallback Bridging Configuration Feature Default Setting Bridge groups None are defined or assigned to a port. No VLAN-bridge STP is defined.
Beginning in privileged EXEC mode, follow these steps to create a bridge group and to assign an interface to it. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 bridge bridge-group protocol vlan-bridge Assign a bridge group number, and specify the VLAN-bridge spanning-tree protocol to run in the bridge group. The ibm and dec keywords are not supported.
Switch(config-if)# exit Adjusting Spanning-Tree Parameters You might need to adjust certain spanning-tree parameters if the default values are not suitable. You configure parameters affecting the entire spanning tree by using variations of the bridge global configuration command. You configure interface-specific parameters by using variations of the bridge-group interface configuration command.
To return to the default setting, use the no bridge bridge-group priority global configuration command. To change the priority on a port, use the bridge-group priority interface configuration command (described in the next section). This example shows how to set the switch priority to 100 for bridge group 10: Switch(config)# bridge 10 priority 100 Changing the Interface Priority You can change the priority for a port.
Command Purpose Step 3 bridge-group bridge-group path-cost cost Assign the path cost of a port. • For bridge-group, specify the bridge group number. The range is 1 to 255. • For cost, enter a number from 0 to 65535. The higher the value, the higher the cost. – For 10 Mb/s, the default path cost is 100. – For 100 Mb/s, the default path cost is 19. – For 1000 Mb/s, the default path cost is 4.
Command Purpose Step 4 show running-config Verify your entry. Step 5 copy running-config startup-config (Optional) Save your entry in the configuration file. To return to the default setting, use the no bridge bridge-group hello-time global configuration command.
Changing the Maximum-Idle Interval If a switch does not receive BPDUs from the root switch within a specified interval, it recomputes the spanning-tree topology. Beginning in privileged EXEC mode, follow these steps to change the maximum-idle interval (maximum aging time). This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
This example shows how to disable spanning tree on a port in bridge group 10: Switch(config)# interface gigabitethernet0/1 Switch(config-if)# bridge-group 10 spanning-disabled Monitoring and Maintaining Fallback Bridging To monitor and maintain the network, use one or more of the privileged EXEC commands in Table 46-2: Table 46-2 Commands for Monitoring and Maintaining Fallback Bridging Command Purpose clear bridge
Chapter 47 Troubleshooting This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Catalyst 3560 switch. Depending on the nature of the problem, you can use the command-line interface (CLI), the device manager, or Network Assistant to identify and solve problems. Additional troubleshooting information, such as LED descriptions, is provided in the hardware installation guide.
• Troubleshooting Tables, page 47-24 Recovering from a Software Failure Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. This procedure uses the Xmodem Protocol to recover from a corrupt or wrong image file.
Recovering from a Lost or Forgotten Password switch: flash_init Step 8 If you had set the console port speed to anything other than 9600, it has been reset to that particular speed. Change the emulation software line speed to match that of the switch console port. Step 9 Load any helper files: switch: load_helper Step 10 Start the file transfer by using the Xmodem Protocol. switch: copy xmodem: flash:image_filename.
Step 4 Reconnect the power cord to the switch and, within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green; then release the Mode button. Several lines of information about the software appear with instructions, informing you if the password recovery procedure has been disabled or not.
Step 5 Rename the configuration file to config.text.old. This file contains the password definition. switch: rename flash:config.text flash:config.text.old Step 6 Boot up the system: switch: boot You are prompted to start the setup program.
Procedure with Password Recovery Disabled If the password-recovery mechanism is disabled, this message appears: The password-recovery mechanism has been triggered, but is currently disabled. Access to the boot loader prompt through the password-recovery mechanism is disallowed at this point.
Recovering from a Command Switch Failure Step 6 Enter global configuration mode: Switch# configure terminal Step 7 Change the password: Switch(config)# enable secret password The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, and allows spaces but ignores leading spaces.
You can prepare for a command switch failure by assigning an IP address to a member switch or another switch that is command-capable, making a note of the command-switch password, and cabling your cluster to provide redundant connectivity between the member switches and the replacement command switch.
Basic management setup configures only enough connectivity for management of the system, extended setup will ask you to configure each interface on the system Would you like to enter basic management setup? [yes/no]: Step 10 Enter Y at the first prompt.
Replacing a Failed Command Switch with Another Switch To replace a failed command switch with a switch that is command-capable but not part of the cluster, follow these steps: Step 1 Insert the new switch in place of the failed command switch, and duplicate its connections to the cluster members. Step 2 Start a CLI session on the new command switch.
Recovering from Lost Cluster Member Connectivity Step 10 When prompted, assign a name to the cluster, and press Return. The cluster name can be 1 to 31 alphanumeric characters, dashes, or underscores. Step 11 When the initial configuration displays, verify that the addresses are correct. Step 12 If the displayed information is correct, enter Y, and press Return. If this information is not correct, enter N, press Return, and begin again at Step 9.
Troubleshooting Power over Ethernet Switch Ports These sections describe how to troubleshoot Power over Ethernet (PoE) ports. Disabled Port Caused by Power Loss If a powered device (such as a Cisco IP Phone 7910) that is connected to a PoE switch port and is powered by an AC power source loses power from the AC power source, the device might enter an error-disabled state.
Monitoring SFP Module Status error-disabled state. After the elapsed interval, the switch brings the interface out of the error-disabled state and retries the operation. For more information about the errdisable recovery command, see the command reference for this release. If the module is identified as a Cisco SFP module, but the system is unable to read vendor-data information to verify its accuracy, an SFP module error message is generated.
Using Ping • Destination unreachable—If the default gateway cannot reach the specified network, a destination-unreachable message is returned. • Network or host unreachable—If there is no entry in the route table for the host or network, a network or host unreachable message is returned. Executing Ping If you attempt to ping a host in a different IP subnetwork, you must define a static route to the network or have IP routing configured to route between those subnets.
Using Layer 2 Traceroute To end a ping session, enter the escape sequence (Ctrl-^ X by default). Simultaneously press and release the Ctrl, Shift, and 6 keys and then press the X key.
Using IP Traceroute • If the source or destination MAC address belongs to multiple VLANs, you must specify the VLAN to which both the source and destination MAC addresses belong. If the VLAN is not specified, the path is not identified, and an error message appears. • The traceroute mac ip command output shows the Layer 2 path when the specified source and destination IP addresses belong to the same subnet.
The traceroute privileged EXEC command uses the Time To Live (TTL) field in the IP header to cause routers and servers to generate specific return messages. Traceroute starts by sending a User Datagram Protocol (UDP) datagram to the destination host with the TTL field set to 1. If a router finds a TTL value of 1 or 0, it drops the datagram and sends an Internet Control Message Protocol (ICMP) time-to-live-exceeded message to the sender.
Using TDR Table 47-2 Traceroute Output Display Characters Character Description * The probe timed out. ? Unknown packet type. A Administratively unreachable. Usually, this output means that an access list is blocking traffic. H Host unreachable. N Network unreachable. P Protocol unreachable. Q Source quench. U Port unreachable. To end a trace in progress, enter the escape sequence (Ctrl-^ X by default).
Using Debug Commands Running TDR and Displaying the Results To run TDR, enter the test cable-diagnostics tdr interface interface-id privileged EXEC command: To display the results, enter the show cable-diagnostics tdr interface interface-id privileged EXEC command. For a description of the fields in the display, see the command reference for this release.
Using the show platform forward Command To display the state of each debugging option, enter this command in privileged EXEC mode: Switch# show debugging Enabling All-System Diagnostics Beginning in privileged EXEC mode, enter this command to enable all-system diagnostics: Switch# debug all Caution Because debugging output takes priority over other network traffic, and because the debug all privileged EXEC command generates more output than any other debug command, it can se
Most of the information in the output from the command is useful mainly for technical support personnel, who have access to detailed information about the switch application-specific integrated circuits (ASICs). However, packet forwarding information can also be helpful in troubleshooting.
Egress:Asic 3, switch 1 Output Packets: -----------------------------------------Packet 1 Lookup Key-Used OutptACL 50_0D020202_0D010101-00_40000014_000A0000 Port interface-id Vlan SrcMac 0005 0001.0001.0001 Index-Hit A-Data 01FFE 03000000 DstMac Cos 0009.43A8.
Using the crashinfo Files The crashinfo files save information that helps Cisco technical support representatives to debug problems that caused the Cisco IOS image to fail (crash). The switch writes the crash information to the console at the time of the failure. The switch creates two types of crashinfo files: • Basic crashinfo file—The switch automatically creates this file the next time you boot up the Cisco IOS image after the failure.
Troubleshooting Tables These tables are a condensed version of troubleshooting documents on Cisco.com. • “Troubleshooting CPU Utilization” on page 47-24 • “Troubleshooting Power over Ethernet (PoE)” on page 47-26 • “Troubleshooting Stackwise” on page 47-29 Troubleshooting CPU Utilization This section lists some possible symptoms that could be caused by the CPU being too busy and shows how to verify a CPU utilization problem.
This example shows normal CPU utilization. The output shows that utilization for the last 5 seconds is 8%/0%, which has this meaning (see Table 47-3): • The total CPU utilization is 8 percent, including both time running Cisco IOS processes and time spent handling interrupts. • The time spent handling interrupts is zero percent.
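The "8%/0%" figure above is the first line of show processes cpu output: total utilization, then the share of it spent in interrupt context. The following parser and classifier are an added example written for this guide, not Cisco code; the sample lines are constructed, and the 50 percent busy threshold is an assumed value for illustration. Splitting the two numbers apart is what lets a monitoring script tell a switch that is busy forwarding punted packets (high interrupt share) from one busy running an IOS process.

```python
import re
from dataclasses import dataclass

# Constructed sample of the first line of "show processes cpu" output
# (same shape as the 8%/0% example in the text, not captured from a switch).
SAMPLE_HEADER = (
    "CPU utilization for five seconds: 8%/0%; one minute: 7%; five minutes: 8%"
)


@dataclass(frozen=True)
class CpuUtilization:
    five_seconds_total: int       # total CPU time, processes plus interrupts
    five_seconds_interrupt: int   # portion of the total spent in interrupt context
    one_minute: int
    five_minutes: int

    @property
    def five_seconds_process(self) -> int:
        # Time spent in Cisco IOS processes is the total minus the interrupt share.
        return self.five_seconds_total - self.five_seconds_interrupt


_HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)


def parse_cpu_header(line: str) -> CpuUtilization:
    """Parse the 'total%/interrupt%' header line into its four numbers."""
    m = _HEADER_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised CPU utilization line: {line!r}")
    total, interrupt, one_min, five_min = (int(g) for g in m.groups())
    if interrupt > total:
        # The interrupt figure is a share of the total, so this cannot happen
        # in well-formed output; treat it as corrupted input.
        raise ValueError("interrupt share cannot exceed total utilization")
    return CpuUtilization(total, interrupt, one_min, five_min)


def classify(util: CpuUtilization, busy_threshold: int = 50) -> str:
    """Coarse verdict on the reading; busy_threshold is an assumed value.

    Returns "normal", "busy-interrupt" (at least half of the CPU time is
    interrupt handling, typically packets punted to the CPU) or
    "busy-process" (an IOS process is consuming the CPU).
    """
    if util.five_minutes < busy_threshold:
        return "normal"
    if util.five_seconds_interrupt * 2 >= util.five_seconds_total:
        return "busy-interrupt"
    return "busy-process"


if __name__ == "__main__":
    reading = parse_cpu_header(SAMPLE_HEADER)
    print(reading, classify(reading))
```

Feed the function the first line of show processes cpu (or of show processes cpu history) as collected by whatever polling tool you use; the sustained five-minute value, not the five-second spike, decides whether the reading counts as busy.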
Troubleshooting Power over Ethernet (PoE) Figure 47-1 Power Over Ethernet Troubleshooting Scenarios Symptom or problem Possible cause and solution No PoE on only one port. Verify that the powered device works on another PoE port. Trouble is on only one switch port.
Figure 47-1 Power Over Ethernet Troubleshooting Scenarios (continued) Symptom or problem Possible cause and solution No PoE on all ports or a group of ports. If there is a continuous, intermittent, or recurring alarm related to power, replace the power supply if possible; it is a field-replaceable unit. Otherwise, replace the switch. Trouble is on all switch ports.
Figure 47-1 Power Over Ethernet Troubleshooting Scenarios (continued) Symptom or problem Possible cause and solution Cisco IP Phone disconnects or resets. Verify all electrical connections from the switch to the powered device. Any unreliable connection results in power interruptions and irregular powered device functioning such as erratic powered device disconnects and reloads.
Troubleshooting Stackwise Table 47-4 Switch Stack Troubleshooting Scenarios Symptom/problem How to Verify Problem Possible Cause/Solution General troubleshooting of switch stack issues Review this document. Use the Troubleshooting Switch Stacks document for problem solutions and tutorial information. Switch cannot join stack Enter the show switch privileged EXEC command.
Table 47-4 Switch Stack Troubleshooting Scenarios (continued) Symptom/problem How to Verify Problem Possible Cause/Solution Slow traffic throughput on stack ring Test the switch interface. Defective StackWise switch interface. Note The only solution is to replace the switch. Problems with stack master election. Review the rules of stack master election. Current stack master is rebooted or
Chapter 48 Configuring Online Diagnostics This chapter describes how to configure the online diagnostics on the Catalyst 3560 switches. Note For complete syntax and usage information for the commands used in this chapter, see the switch command reference at this URL: http://www.cisco.com/en/US/products/hw/switches/ps5528/prod_command_reference_list.
Configuring Health-Monitoring Diagnostics Beginning in global configuration mode, use this command to schedule online diagnostics: Command Purpose diagnostic schedule test {test_id | test_id_range | all | basic | non-disruptive} {daily hh:mm | on mm dd yyyy hh:mm} Schedule on-demand diagnostic tests for a specific date and time, how many times to run the test (iterations), and what action to take when errors are found.
Running Online Diagnostic Tests After you configure online diagnostics, you can start diagnostic tests or display the test results. You can also see which tests are configured for each switch and what diagnostic tests have already run.
Displaying Online Diagnostic Tests and Test Results This example shows how to display the online diagnostics that are configured on a switch: Switch# show diagnostic content Diagnostics test suite attributes: B/* - Basic ondemand test / NA P/V/* - Per port test / Per device test / NA D/N/* - Disruptive test / Non-disruptive test / NA S/* - Only applicable to standby unit / NA X/* - Not a health monitoring test / NA F/* - Fixed monitoring interval test / NA E/* -
Appendix A Supported MIBs This appendix lists the supported management information bases (MIBs) for this release on the Catalyst 3560 switch. It contains these sections: • MIB List, page A-1 • Using FTP to Access the MIB Files, page A-3 MIB List Note The BRIDGE-MIB supports the context of a single VLAN. By default, SNMP messages using the configured community string always provide information for VLAN 1. • BRIDGE-MIB
• CISCO-IETF-IP-FORWARDING-MIB • CISCO-IGMP-FILTER-MIB • CISCO-IMAGE-MIB • CISCO-IP-STAT-MIB • CISCO-L2L3-INTERFACE-CONFIG-MIB • CISCO-LAG-MIB • CISCO-MAC-AUTH-BYPASS • CISCO-MAC-NOTIFICATION-MIB • CISCO-MEMORY-POOL-MIB • CISCO-NAC-NAD-MIB • CISCO-PAE-MIB • CISCO-PAGP-MIB • CISCO-PING-MIB • CISCO-PORT-QOS-MIB (only the packet counters are supported; the octet counters are not supported) • CISCO-POWER-ETHERNET-EXT-MIB • CISCO-PRODUCTS-MIB
Using FTP to Access the MIB Files • OLD-CISCO-CHASSIS-MIB • OLD-CISCO-FLASH-MIB • OLD-CISCO-INTERFACES-MIB • OLD-CISCO-IP-MIB • OLD-CISCO-SYS-MIB • OLD-CISCO-TCP-MIB • OLD-CISCO-TS-MIB • PIM-MIB • RFC1213-MIB (Functionality is as per the agent capabilities specified in the CISCO-RFC1213-CAPABILITY.my.
Step 5 At the ftp> prompt, change directories to /pub/mibs/v1 and /pub/mibs/v2. Step 6 Use the get MIB_filename command to obtain a copy of the MIB file.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images This appendix describes how to manipulate the Catalyst 3560 switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch. Note For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.
Working with the Flash File System Displaying Available File Systems To display the available file systems on your switch, use the show file systems privileged EXEC command as shown in this example.
Setting the Default File System Table B-1 show file systems Field Descriptions Field Value Size(b) Amount of memory in the file system in bytes. Free(b) Amount of free memory in the file system in bytes. Type Type of file system. flash—The file system is for a flash memory device. nvram—The file system is for a NVRAM device.
To display information about files on a file system, use one of the privileged EXEC commands in Table B-2: Table B-2 Commands for Displaying Information About Files Command Description dir [/all] [filesystem:][filename] Display a list of files on a file system. show file systems Display more information about each of the files on a file system.
Use the /recursive keyword to delete the named directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process.
Use the /recursive keyword for deleting a directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process.
This example shows how to create a tar file. This command writes the contents of the new-configs directory on the local flash device to a file named saved.tar on the TFTP server at 172.20.10.30: Switch# archive tar /create tftp:172.20.10.30/saved.
Working with Configuration Files • For the RCP, the syntax is rcp:[[//username@location]/directory]/tar-filename.tar • For the TFTP, the syntax is tftp:[[//location]/directory]/tar-filename.tar The tar-filename.tar is the tar file from which to extract files. For flash:/file-url [dir/file...], specify the location on the local flash file system into which the tar file is extracted. Use the dir/file...
You can copy (upload) configuration files from the switch to a file server by using TFTP, FTP, or RCP. You might perform this task to back up a current configuration file to a server before changing its contents so that you can later restore the original configuration file from the server. The protocol you use depends on which type of server you are using.
Configuration File Types and Location Startup configuration files are used during system startup to configure the software. Running configuration files contain the current configuration of the software. The two configuration files can be different. For example, you might want to change the configuration for a short time period rather than permanently.
Make sure that the /etc/services file contains this line: tftp 69/udp Note You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot command (on the SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x).
Uploading the Configuration File By Using TFTP To upload a configuration file from a switch to a TFTP server for storage, follow these steps: Step 1 Verify that the TFTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using TFTP” section on page B-10.
If the server has a directory structure, the configuration file is written to or copied from the directory associated with the username on the server. For example, if the configuration file resides in the home directory of a user on the server, specify that user's name as the remote username. For more information, see the documentation for your FTP server.
Command Purpose Step 6 end Return to privileged EXEC mode. Step 7 copy ftp:[[[//[username[:password]@]location]/directory]/filename] system:running-config Using FTP, copy the configuration file from a network server to the running configuration or to the startup configuration file.
Command Purpose Step 3 configure terminal Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6). Step 4 ip ftp username username (Optional) Change the default remote username. Step 5 ip ftp password password (Optional) Change the default password.
The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: • The username specified in the copy command if a username is specified.
Downloading a Configuration File By Using RCP Beginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP: Command Purpose Step 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using RCP” section on page B-16.
Uploading a Configuration File By Using RCP Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP: Command Purpose Step 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using RCP” section on page B-16.
Clearing the Startup Configuration File To clear the contents of your startup configuration, use the erase nvram: or the erase startup-config privileged EXEC command. Caution You cannot restore the startup configuration file after it has been deleted.
You use the archive config privileged EXEC command to save configurations in the configuration archive by using a standard location and filename prefix that is automatically appended with an incremental version number (and optional timestamp) as each consecutive file is saved. You can specify how many versions of the running configuration are kept in the archive.
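To make the archive behaviour described above concrete, here is an added example, written for this guide and not Cisco's implementation, of a small off-box configuration archive that follows the same rules: a fixed path prefix, an incrementing version number, an optional timestamp in the filename, and a maximum number of retained versions. The ConfigArchive class, its file-naming scheme and the sample configurations are all assumptions made for the illustration; the diff_against_latest method adds a unified diff of the running configuration against the newest archived copy, which is what an operator reviews before deciding whether a rollback is needed.

```python
import difflib
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Optional


class ConfigArchive:
    """Rolling archive of configuration copies under one filename prefix.

    Illustrative model of the archive described in the text (not the IOS
    code): each saved copy is named <prefix>-<N> or, with time_stamp=True,
    <prefix>-<timestamp>-<N>, where N increases by one per save, and only
    the newest `maximum` copies are kept on disk.
    """

    def __init__(self, path_prefix: Path, maximum: int = 10, time_stamp: bool = False):
        if maximum < 1:
            raise ValueError("maximum must be at least 1")
        self.prefix = path_prefix
        self.maximum = maximum
        self.time_stamp = time_stamp
        self.prefix.parent.mkdir(parents=True, exist_ok=True)

    def _versions(self) -> list[tuple[int, Path]]:
        """Archived copies sorted by version number (the trailing -N)."""
        found = []
        for p in self.prefix.parent.glob(self.prefix.name + "-*"):
            try:
                found.append((int(p.name.rsplit("-", 1)[1]), p))
            except ValueError:
                continue  # not one of ours: no numeric version suffix
        return sorted(found)

    def save(self, running_config: str, now: Optional[datetime] = None) -> Path:
        """Store a copy of running_config and prune copies beyond `maximum`."""
        versions = self._versions()
        next_no = versions[-1][0] + 1 if versions else 1
        stamp = ""
        if self.time_stamp:
            stamp = (now or datetime.now()).strftime("-%b-%d-%H-%M-%S")
        target = self.prefix.with_name(f"{self.prefix.name}{stamp}-{next_no}")
        target.write_text(running_config)
        # Oldest copies go first; keep at most `maximum` including the new one.
        for _, old in versions[: max(0, len(versions) + 1 - self.maximum)]:
            old.unlink()
        return target

    def latest(self) -> Optional[Path]:
        versions = self._versions()
        return versions[-1][1] if versions else None

    def diff_against_latest(self, running_config: str) -> list[str]:
        """Unified diff from the newest archived copy to running_config."""
        latest = self.latest()
        if latest is None:
            return []
        return list(difflib.unified_diff(
            latest.read_text().splitlines(), running_config.splitlines(),
            fromfile=latest.name, tofile="running-config", lineterm=""))


def demo() -> dict:
    """Exercise the archive in a scratch directory with constructed configs."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = ConfigArchive(Path(tmp) / "cfg", maximum=3)
        configs = [f"hostname sw{i}\nip ssh version 2\n" for i in range(4)]
        saved = [archive.save(c).name for c in configs]
        remaining = [p.name for _, p in archive._versions()]
        diff = archive.diff_against_latest(
            "hostname sw3\nip ssh version 2\nno ip http server\n")
        stamped = ConfigArchive(Path(tmp) / "stamped", time_stamp=True)
        stamped_name = stamped.save(configs[0], now=datetime(2009, 3, 1, 10, 0, 0)).name
        return {"saved": saved, "remaining": remaining, "diff": diff,
                "stamped": stamped_name}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With maximum=3, the fourth save removes cfg-1 and leaves cfg-2 through cfg-4; the diff shows the single added line. The same guideline the text gives for on-box replacement applies here as well: check free space against the size of the copies before relying on the archive.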
Configuration Guidelines Follow these guidelines when configuring and performing configuration replacement and rollback: • Make sure that the switch has free memory larger than the combined size of the two configuration files (the running configuration and the saved replacement configuration). Otherwise, the configuration replacement operation fails.
Command Purpose Step 5 time-period minutes (Optional) Set the time increment for automatically saving an archive file of the running configuration in the configuration archive. minutes—Specify how often, in minutes, to automatically save an archive file of the running configuration in the configuration archive. Step 6 end Return to privileged EXEC mode.
Working with Software Images Command Purpose Step 6 configure confirm (Optional) Confirm replacement of the running configuration with a saved configuration file. Note Use this command only if the time seconds keyword and argument of the configure replace command are specified. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
Image Location on the Switch The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management. The image is stored on the system board flash memory (flash:). You can use the show version privileged EXEC command to see the software version that is currently running on your switch.
Table B-3 info File Description (continued) Field Description total_image_file_size Specifies the size of all the images (the Cisco IOS image and the web management files) in the tar file, which is an approximate measure of how much flash memory is required to hold them image_feature Describes the core functionality of the image image_min_dram Specifies the minimum amount of DR
• Ensure that the switch has a route to the TFTP server. The switch and the TFTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the TFTP server by using the ping command. • Ensure that the image to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).
Command Purpose Step 3 archive download-sw /allow-feature-upgrade /overwrite /reload tftp:[[//location]/directory]/image-name.tar Download the image file from the TFTP server to the switch, and overwrite the current image. Step 4 archive download-sw /leave-old-sw /reload tftp:[[//location]/directory]/image-name.
Caution For the download and upload algorithms to operate properly, do not rename image names. Uploading an Image File By Using TFTP You can upload an image from the switch to a TFTP server. You can later download this image to the switch or to another switch of the same type.
These sections contain this configuration information: • Preparing to Download or Upload an Image File By Using FTP, page B-29 • Downloading an Image File By Using FTP, page B-30 • Uploading an Image File By Using FTP, page B-31 Preparing to Download or Upload an Image File By Using FTP You can copy image files to or from an FTP server.
• When you upload an image file to the FTP server, it must be properly configured to accept the write request from the user on the switch. For more information, see the documentation for your FTP server. Downloading an Image File By Using FTP You can download a new image file and overwrite the current image or keep the current image.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Command Step 8 Purpose archive download-sw /leave-old-sw /reload Download the image file from the FTP server to the switch, ftp:[[//username[:password]@location]/directory] and keep the current image. /image-name.tar • The /leave-old-sw option keeps the old software version after a download.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Beginning in privileged EXEC mode, follow these steps to upload an image to an FTP server: Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using FTP” section on page B-13. Step 2 Log into the switch through the console port or a Telnet session.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Note Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command, we recommend using the archive download-sw and archive upload-sw privileged EXEC commands to download and upload software image files.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images operations. The new username is stored in NVRAM. If you are accessing the switch through a Telnet session and you have a valid username, this username is used, and there is no need to set the RCP username. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username only for that operation.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Step 6 Step 7 Command Purpose archive download-sw /allow-feature-upgrade /overwrite /reload rcp:[[[//[username@]location]/directory]/image-na me.tar] Download the image file from the RCP server to the switch, and overwrite the current image. archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-na me.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images If you specify the /leave-old-sw, the existing files are not removed. If there is not enough room to install the new image an keep the running image, the download process stops, and an error message is displayed. The algorithm installs the downloaded image onto the system board flash device (flash:).
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Command Purpose Step 5 end Return to privileged EXEC mode. Step 6 archive upload-sw rcp:[[[//[username@]location]/directory]/image-na me.tar] Upload the currently running switch image to the RCP server. • For //username, specify the username; for the RCP copy request to execute, an account must be defined on the network server for the remote username.
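The tftp:, ftp: and rcp: URL forms used with archive download-sw and archive upload-sw above share one shape but differ in which credentials they carry; the parser below makes those rules explicit, rebuilds the command line in the /overwrite and /leave-old-sw forms, and shows the "username only for this operation" behaviour of rcp:. This is an added example, not Cisco code or part of this guide; the server addresses, usernames and image name are constructed, and the function names are hypothetical.

```python
"""Parser and command builder for the image URL forms used with archive
download-sw and archive upload-sw. Hypothetical helper written for this page,
not Cisco code. It follows the three grammars shown in the guide:
    tftp:[[//location]/directory]/image-name.tar
    ftp:[[//username[:password]@location]/directory]/image-name.tar
    rcp:[[[//[username@]location]/directory]/image-name.tar]
"""
from dataclasses import dataclass
from typing import Optional

_SCHEMES = {"tftp", "ftp", "rcp"}


@dataclass
class ImageUrl:
    scheme: str                     # "tftp", "ftp" or "rcp"
    location: Optional[str]         # server address; None means the default server
    directory: str                  # "" when the image sits in the server's base directory
    image: str                      # image-name.tar
    username: Optional[str] = None  # ftp: and rcp: only
    password: Optional[str] = None  # ftp: only

    def render(self, mask_password: bool = False) -> str:
        """Rebuild the URL. mask_password replaces an inline FTP password with ***
        so the line can be logged or displayed without exposing the credential."""
        url = f"{self.scheme}:"
        if self.location is not None:
            url += "//"
            if self.username is not None:
                url += self.username
                if self.password is not None:
                    url += ":" + ("***" if mask_password else self.password)
                url += "@"
            url += self.location
        if self.directory:
            url += "/" + self.directory
        return url + "/" + self.image


def parse_image_url(url: str) -> ImageUrl:
    """Split a tftp:/ftp:/rcp: image URL into its parts and enforce the
    per-scheme rules implied by the grammars (no credentials for tftp:,
    username only for rcp:, image name must be a .tar archive)."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme not in _SCHEMES:
        raise ValueError(f"unsupported or missing scheme in {url!r}")
    username = password = location = None
    if rest.startswith("//"):
        authority, _, rest = rest[2:].partition("/")
        if "@" in authority:
            creds, _, location = authority.rpartition("@")
            username, has_pw, password = creds.partition(":")
            if not has_pw:
                password = None
            if not username:
                raise ValueError("empty username")
        else:
            location = authority
        if not location:
            raise ValueError("empty server location")
    directory, _, image = rest.rpartition("/")
    directory = directory.strip("/")
    if not image.endswith(".tar") or image == ".tar":
        raise ValueError(f"archive commands expect image-name.tar, got {image!r}")
    if scheme == "tftp" and username is not None:
        raise ValueError("tftp: URLs carry no credentials")
    if scheme == "rcp" and password is not None:
        raise ValueError("rcp: URLs carry a username only, never a password")
    return ImageUrl(scheme, location, directory, image, username, password)


def effective_rcp_username(parsed: ImageUrl, configured: Optional[str]) -> Optional[str]:
    """A username inside the rcp: URL applies to that one operation only;
    otherwise the switch uses the RCP username configured globally (or the
    Telnet session's username, as the guide describes)."""
    if parsed.scheme != "rcp":
        raise ValueError("only rcp: transfers use a remote username")
    return parsed.username if parsed.username is not None else configured


def build_download_command(parsed: ImageUrl, keep_old: bool,
                           allow_feature_upgrade: bool = True) -> str:
    """Assemble the archive download-sw line in the two forms the guide shows:
    /leave-old-sw keeps the running image, /overwrite replaces it."""
    if keep_old:
        options = "/leave-old-sw /reload"
    else:
        options = ("/allow-feature-upgrade " if allow_feature_upgrade else "") + "/overwrite /reload"
    return f"archive download-sw {options} {parsed.render()}"
```

Because the FTP form carries the password literally on the command line, render(mask_password=True) is the form to keep in change tickets or logs.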
Appendix C Unsupported Commands in Cisco IOS Release 12.2(50)SE

This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Catalyst 3560 switch prompt but are not supported in this release, either because they are not tested or because of switch hardware limitations. This is not a complete list.

• SNMP, page C-16
• SNMPv3, page C-17
• Spanning Tree, page C-17
• VLAN, page C-17
• VTP, page C-17

Access Control Lists

Unsupported Privileged EXEC Commands
access-enable [host] [timeout minutes]
access-template [access-list-number | name] [dynamic-name] [source] [destination] [timeout minutes]
clear access-template [access-list-number | name] [dynamic-name] [source] [destination].
QoS

Unsupported Global Configuration Command
priority-list

Unsupported Interface Configuration Commands
priority-group
rate-limit

Unsupported Policy-Map Configuration Command
class class-default, where class-default is the class-map-name.