Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2(25)SG
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Preface

This preface describes who should read this document, how it is organized, and its conventions. The preface also tells you how to obtain Cisco documents, as well as how to obtain technical assistance.

Audience

This guide is for experienced network administrators who are responsible for configuring and maintaining Catalyst 4500 series switches.

Organization

Chapter 10, Understanding and Configuring VLANs, VTP, and VMPS: describes how to configure VLANs, VTP, and VMPS.
Chapter 29, Understanding and Configuring 802.1X Port-Based Authentication: describes how to configure 802.1X port-based authentication.
Chapter 30, Configuring Port Security and Trunk Port Security: describes how to configure port security and trunk port security.

Related Documentation

– Security Configuration Guide
– Security Command Reference
– Switching Services Configuration Guide
– Switching Services Command Reference
– Voice, Video, and Fax Applications Configuration Guide
– Voice, Video, and Fax Applications Command Reference
– Cisco IOS IP Configuration Guide
– Cisco IOS IP Command Reference

The Cisco IOS configuration guides and command references are at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.

Conventions

Cautions use the following convention:

Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Commands in Task Tables

Commands listed in task tables show only the relevant information for completing the task and not all available options for the command. For a complete description of a command, refer to the command in the Catalyst 4500 Series Switch Cisco IOS Command Reference.

Ordering Documentation

Cisco Marketplace: http://www.cisco.com/go/marketplace/

Beginning June 30, 2005, registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL: http://www.cisco.com/go/marketplace/

Cisco will continue to support documentation orders using the Ordering tool:
• Registered Cisco.com users (Cisco direct customers) can order documentation from the Ordering tool: http://www.cisco.

Reporting Security Problems in Cisco Products

Security advisories: http://www.cisco.com/go/psirt

If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Cisco is committed to delivering secure products.

Cisco Technical Support & Documentation Website

The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL: http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password.

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1): Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Obtaining Additional Publications and Information

• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL: http://www.cisco.com/ipj
• Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL: http://www.cisco.com/en/US/products/index.
Chapter 1 Product Overview

This chapter provides an overview of Catalyst 4500 series switches and includes the following major sections:
• Layer 2 Software Features
• Layer 3 Software Features
• Management Features
• Security Features

Note For more information about the chassis, modules, and software features supported by the Catalyst 4500 series switch, refer to the Release Notes for the Catalyst 4500 Series Switch, Cisco IOS Release 12.

Layer 2 Software Features

802.1Q and Layer 2 Protocol Tunneling

802.1Q tunneling is a Q-in-Q technique that expands the VLAN space by retagging the tagged packets that enter the service provider infrastructure. 802.1Q tunneling allows service providers to assign a VLAN to each customer without losing the original customer VLAN IDs inside the tunnel. All data traffic that enters the tunnel is encapsulated with the tunnel VLAN ID.

MST allows you to build multiple spanning trees over trunks. You can group and associate VLANs to spanning tree instances. Each instance can have a topology independent of other spanning tree instances. This architecture provides multiple forwarding paths for data traffic and enables load balancing. Network fault tolerance is improved because a failure in one instance (forwarding path) does not affect other instances (forwarding paths).

• Spanning tree BackboneFast—BackboneFast reduces the time needed for the spanning tree to converge after a topology change caused by an indirect link failure. BackboneFast decreases spanning-tree convergence time for any switch that experiences an indirect link failure.
• Spanning tree root guard—Root guard forces a port to become a designated port so that no switch on the other end of the link can become a root switch.

VLANs

A VLAN configures switches and routers according to logical, rather than physical, topologies. Using VLANs, a network administrator can combine any collection of LAN segments within an internetwork into an autonomous user group, such that the segments appear as a single LAN in the network. VLANs logically segment the network into different broadcast domains so that packets are switched only between ports within the VLAN.

Layer 3 Software Features

• Policy-Based Routing
• Unidirectional Link Routing
• VRF-lite

CEF

Cisco Express Forwarding (CEF) is an advanced Layer 3 IP-switching technology. CEF optimizes network performance and scalability in networks with large and dynamic traffic patterns, such as the Internet, and on networks that use intensive web-based applications or interactive sessions.

interfaces and their metrics is used in OSPF LSAs. As routers accumulate link-state information, they use the shortest path first (SPF) algorithm to calculate the shortest path to each node. Additional OSPF features include equal-cost multipath routing and routing based on the upper-layer type of service (ToS) requests. OSPF employs the concept of an area, which is a group of contiguous OSPF networks and hosts.

EIGRP saves bandwidth by sending routing updates only when routing information changes. The updates contain information only about the link that changed, not the entire routing table. EIGRP also takes into consideration the available bandwidth when determining the rate at which it transmits updates.

Note Layer 3 switching does not support the Next Hop Resolution Protocol (NHRP).

• Protocol Independent Multicast (PIM)—PIM is protocol-independent because it can leverage whichever unicast routing protocol is used to populate the unicast routing table, including EIGRP, OSPF, BGP, or static routes. PIM also uses the unicast routing table to perform the Reverse Path Forwarding (RPF) check instead of building a completely independent multicast routing table.

Management Features

• NetFlow Statistics
• Secure Shell
• Simple Network Management Protocol
• SPAN and RSPAN

Cisco Network Assistant and Embedded CiscoView

Web-based tools to configure the Catalyst 4500 series switch. Cisco Network Assistant manages standalone devices, clusters of devices, or federations of devices from anywhere in your intranet.

NetFlow Statistics

NetFlow Statistics is a global traffic monitoring feature that allows flow-level monitoring of all IPv4-routed traffic through the switch. Both routed and switched IP flows are supported. For more information on NetFlow statistics, see Chapter 38, “Configuring NetFlow.

Remote SPAN (RSPAN) is an extension of SPAN, where source ports and destination ports are distributed across multiple switches, allowing remote monitoring of multiple switches across the network. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session on all participating switches. For information on RSPAN, see Chapter 37, “Configuring SPAN and RSPAN.

Security Features

802.1X Identity-Based Network Security

This security feature consists of the following:
• 802.1X protocol—This feature provides a means for a host that is connected to a switch port to be authenticated before it is given access to the switch services.
• 802.1X with VLAN assignment—After a host authenticates, the RADIUS server can return a VLAN with the accept, and the switch places the port in that VLAN, so the host's network access follows its identity rather than the port it is plugged into. (Hosts that cannot run 802.1X are handled by the separate guest VLAN feature described in Chapter 29.)
• 802.

For information on flood blocking, see Chapter 35, “Port Unicast and Multicast Flood Blocking.”

IP Source Guard

Similar to DHCP snooping, this feature is enabled on an untrusted Layer 2 port that is configured for DHCP snooping. Initially all IP traffic on the port is blocked except for the DHCP packets, which are captured by the DHCP snooping process.

Storm Control

Broadcast suppression is used to prevent LANs from being disrupted by a broadcast storm on one or more switch ports. A LAN broadcast storm occurs when broadcast packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation or in the network configuration can cause a broadcast storm.
Chapter 2 Command-Line Interfaces

This chapter describes the CLIs you use to configure the Catalyst 4500 series switch.

Accessing the Switch CLI

To access the switch through the console interface, perform this task:

Step 1 Switch> enable
From the user EXEC prompt (>), enter enable to change to enable mode (also known as privileged mode or privileged EXEC mode).
Step 2 Password: password
At the password prompt, enter the system password. The prompt (#) appears, indicating that you have accessed the CLI in enabled mode.

This example shows how to open a Telnet session to the switch:

unix_host% telnet Switch_1
Trying 172.20.52.40...
Connected to 172.20.52.40.
Escape character is '^]'.

User Access Verification

Password:< >
Switch_1> enable
Password:
Switch_1#

Telnet carries the line password and the enable password across the network in cleartext. Where the image supports it, use SSH (see "Secure Shell" in Chapter 1) and restrict the vty lines to SSH.

Performing Command-Line Processing

Switch commands are not case sensitive.

Table 2-2 History Substitution Commands (continued)

Ctrl-N or the Down Arrow key: Returns to more recent commands in the history buffer after commands have been recalled with Ctrl-P or the Up Arrow key. Repeat the key sequence to recall more recent commands.
Switch# show history: Lists the last several commands you have entered in EXEC mode.

Understanding Cisco IOS Command Modes

Table 2-3 Frequently Used Cisco IOS Command Modes

User EXEC: Used to connect to remote devices, change terminal settings on a temporary basis, perform basic tests, and display system information. How to access: log in. Prompt: Switch>
Privileged EXEC (enable): Used to set operating parameters. How to access: from user EXEC mode, enter the enable command and the enable password (if a password has been configured). Prompt: Switch#

Getting a List of Commands and Syntax

To list keywords or arguments, enter a question mark in place of a keyword or argument. Include a space before the question mark. This form of help is called command syntax help, because it reminds you which keywords or arguments are applicable based on the command, keywords, and arguments you have already entered.
Chapter 3 Configuring the Switch for the First Time

This chapter describes how to initially configure a Catalyst 4500 series switch. The information presented here supplements the administration information and procedures in these publications:
• Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fun_c/index.

Default Switch Configuration

Table 3-1 Default Switch Configuration (continued)

System clock: No value for system clock time
Passwords: No passwords are configured for normal mode or enable mode (press the Return key)
Switch prompt: Switch>
Interfaces: Enabled, with speed and flow control autonegotiated, and without IP addresses

Configuring DHCP-Based Autoconfiguration

These sections describe how to configure

server feature on your switch for various lease options associated with IP addresses. If you are using DHCP to relay the configuration file location on the network, you might also need to configure a Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server. DHCP-based autoconfiguration replaces the BOOTP client functionality on your switch.

Configuring the DHCP Server

A switch can act as both the DHCP client and the DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch. If the switch is not meant to serve or relay DHCP, disable the service (no service dhcp) so that it does not answer client requests. You should configure the DHCP server, or the DHCP server feature running on your switch, with reserved leases that are bound to each switch by the switch hardware address.

filename (if any) and the following files: network-confg, cisconet.cfg, hostname.confg, or hostname.cfg, where hostname is the current hostname of the switch, and router-confg and ciscortr.cfg. The TFTP server addresses used include the specified TFTP server address (if any) and the broadcast address (255.255.255.255). TFTP has no authentication, and a request sent to the broadcast address can be answered by any host on the segment, so use DHCP-based autoconfiguration only on a network where every host is trusted.

[Figure 3-2 Relay Device Used in Autoconfiguration: switch (DHCP client) and Cisco router (relay) on one side, DHCP server, TFTP server, and DNS server on the other; addresses shown are 10.0.0.1, 10.0.0.2, 20.0.0.2, 20.0.0.3, 20.0.0.4]

If the switch cannot read the network-confg, cisconet.cfg, or the hostname file, it reads the router-confg file. If the switch cannot read the router-confg file, it reads the ciscortr.cfg file.

DNS Server Configuration

The DNS server maps the TFTP server name maritsu to IP address 10.0.0.3.

TFTP Server Configuration (on UNIX)

The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method. This file contains the host name to be assigned to the switch based on its IP address.
Configuring the Switch

Using Configuration Mode to Configure Your Switch

To configure your switch from configuration mode, perform this procedure:

Step 1 Connect a console terminal to the console interface of your supervisor engine.
Step 2 After a few seconds, you will see the user EXEC prompt (Switch>). Now, you may want to enter privileged EXEC mode, also known as enable mode.

hostname Switch
<...output truncated...>
!
line con 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end
Switch#

Saving the Running Configuration Settings to Your Start-Up File

Caution This command saves the configuration settings that you created in configuration mode.

<...output truncated...>
!
line con 0
 exec-timeout 0 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end
Switch#

Configuring a Default Gateway

Note The switch uses the default gateway only when it is not configured with a routing protocol.

To configure a static route, perform this task:

Step 1 Switch(config)# ip route dest_IP_address mask {forwarding_IP | vlan vlan_ID}
Configures a static route to the remote network.
Step 2 Switch# show running-config
Verifies that the static route is displayed correctly.

This example shows how to use the ip route command to configure a static route to a workstation at IP address 171.10.5.

ip default-gateway 172.20.52.35
ip classless
ip route 171.20.5.3 255.255.255.

Controlling Access to Privileged EXEC Commands
Using the enable password and enable secret Commands

To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a TFTP server, you can use either the enable password or enable secret command. Both commands set a password that you must enter to access the enable mode (the default) or any other privilege level that you specify, but they store it differently. enable password keeps the password in cleartext unless service password-encryption is configured, in which case it is stored in the reversible Type 7 form. enable secret stores a one-way hash (Type 5, MD5 on this release). Use enable secret; configure enable password only where an older image requires it, and never give the two the same value.

For information on how to display the password or access level configuration, see the "Displaying the Password, Access Level, and Privilege Level Configuration" section.

Encryption occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and Border Gateway Protocol (BGP) neighbor passwords. The Type 7 encoding that service password-encryption applies is a fixed-key obfuscation that anyone who holds the configuration can reverse; it protects only against a password being read off a displayed configuration, not against an attacker who obtains the file from a TFTP server or a backup.
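The following Python script is an added example and is not part of the Cisco guide. It demonstrates two things the text above states: that a Type 7 string produced by service password-encryption can be reversed, and that a running configuration like the sample earlier in this chapter (a cleartext vty password, exec-timeout 0 0, Telnet among the vty transports, no enable secret) can be audited automatically. The two configurations in the script are constructed for the demonstration; the $1$ hash in the hardened one is a placeholder, not a real MD5 digest. The fixed XOR key is the well-known constant IOS uses for Type 7.

```python
"""Audit an IOS running-config for weak password storage and cleartext vty
access, and show why Type 7 storage is not protection.

Added example for this guide, not Cisco code. WEAK_CONFIG mirrors the vty
settings shown in this chapter's sample output; HARDENED_CONFIG is the
corrected form with a placeholder (not real) MD5 hash.
"""
import re

# Fixed XOR key that IOS uses for Type 7 (service password-encryption).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a Type 7 string: two-digit decimal seed, then hex bytes,
    each XORed with TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 0) -> str:
    """Produce the same encoding IOS writes; seed is 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = bytes(ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


WEAK_CONFIG = """\
hostname Switch
enable password 7 0822455D0A16
!
line con 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad dsipcon mop telnet rlogin udptn nasi
!
end
"""

HARDENED_CONFIG = """\
hostname Switch
service password-encryption
enable secret 5 $1$PLACEHOLDER$notarealhash
username admin secret 5 $1$PLACEHOLDER$notarealhash
!
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
!
end
"""

# Only "enable password ..." and line-mode "password ..." are checked here.
_PW_TYPED = re.compile(r"(?:enable )?password (\d) (\S+)$")
_PW_PLAIN = re.compile(r"(?:enable )?password (\S+)$")


def audit_config(config: str) -> list:
    """Return (section, finding) pairs; section is 'global' or a 'line ...' block."""
    findings = []
    section = "global"
    has_enable_secret = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):          # unindented: top-level command
            section = line if line.startswith("line ") else "global"
        if line.startswith("enable secret"):
            has_enable_secret = True
            continue
        m = _PW_TYPED.match(line)
        if m:
            ptype, value = m.groups()
            if ptype == "7":
                findings.append((section, f"Type 7 password is reversible: {type7_decode(value)!r}"))
            elif ptype == "0":
                findings.append((section, f"cleartext password {value!r}"))
            continue
        m = _PW_PLAIN.match(line)
        if m:
            findings.append((section, f"cleartext password {m.group(1)!r}"))
            continue
        if section.startswith("line vty") and line.startswith("transport input"):
            protocols = set(line.split()[2:])
            if protocols & {"telnet", "all"}:
                findings.append((section, "vty accepts Telnet; restrict to ssh"))
    if not has_enable_secret:
        findings.append(("global", "no enable secret configured"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_config(WEAK_CONFIG):
        print(f"{section}: {finding}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Run against the weak configuration the script reports the recovered enable password, the cleartext vty password, the Telnet transport and the missing enable secret; against the hardened configuration it reports nothing. The audit deliberately treats a Type 7 value the same way it treats cleartext, because from the point of view of anyone who can read the file they are equivalent.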
Changing the Default Privilege Level for Lines

To change the default privilege level for a given line or a group of lines, perform this task:

Switch(config-line)# privilege level level
Changes the default privilege level for the line.

This example shows how to display the privilege level configuration:

Switch# show privilege
Current privilege level is 15
Switch#

Recovering a Lost Enable Password

Note For more information on the configuration register, which is preconfigured in NVRAM, see the "Configuring the Software Configuration Register" section.

Modifying the Supervisor Engine Startup Configuration

Understanding the ROM Monitor

The ROM monitor (ROMMON) is invoked at switch bootup, reset, or when a fatal exception occurs. The switch enters ROMMON mode if the switch does not find a valid software image, if the NVRAM configuration is corrupted, or if the configuration register is set to enter ROMMON mode.

Table 3-3 Software Configuration Register Bits

Bit Number | Hexadecimal | Meaning
00 to 03 | 0x0000 to 0x000F | Boot field (see Table 3-4)
04 | 0x0010 | Unused
05 | 0x0020 | Bit two of console line speed
06 | 0x0040 | Causes system software to ignore NVRAM contents
07 | 0x0080 | OEM bit enabled
08 | 0x0100 | Unused
09 | 0x0200 | Unused
10 | 0x0400 | IP broadcast with all zeros
11 to 12 | 0x0800 to 0x1000 | Bit

When the boot field is set to either 00 or 01 (0-0-0-0 or 0-0-0-1), the system ignores any boot instructions in the system configuration file and the following occurs:
• When the boot field is set to 00, you must boot up the operating system manually by issuing the boot command at the system bootstrap or ROMMON prompt.

Step 2 Enter the configure terminal command at the EXEC mode prompt (#), as follows:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

cisco Catalyst 4000 (MPC8240) processor (revision 3) with 262144K bytes of memory.
Processor board ID Ask SN 12345
Last reset from Reload
Bridging software.
49 FastEthernet/IEEE 802.3 interface(s)
20 Gigabit Ethernet/IEEE 802.3 interface(s)
271K bytes of non-volatile configuration memory.
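The following Python script is an added example and is not part of the Cisco guide. It decodes a configuration register value into the settings from Table 3-3 that matter operationally, derives the value used for enable-password recovery (bit 6, "ignore NVRAM contents", set so the next boot skips the saved configuration, which is the standard Cisco recovery procedure), and audits show version output for a switch that has been left in that state. Two points are assumptions rather than text from this page: the meaning of bit 13 (boot the default ROM software if the network boot fails) is the standard Cisco IOS meaning and falls outside the truncated table above, and the behaviour of boot-field values 1 and 2 to F is the standard IOS behaviour. SHOW_VERSION_TAIL is a constructed sample of the end of show version output. The security point is the one the recovery procedure implies: whoever can reach the console port and reload the switch can bypass every password on it, and a register left at 0x2142 after recovery means the switch will come up with no configuration at the next reload.

```python
"""Decode a Catalyst 4500 software configuration register and derive the
password-recovery value from it.

Added example for this guide, not Cisco code. Bits 0-3, 5, 6, 7, 10, 11
and 12 follow Table 3-3 on this page; bit 13 and the boot-field values
1 and 2-F use the standard Cisco IOS meanings (assumption, not from the
page). SHOW_VERSION_TAIL is a constructed sample.
"""
import re

IGNORE_NVRAM = 0x0040   # bit 6: startup configuration ignored at boot


def decode_config_register(value: int) -> dict:
    """Map a 16-bit register value to the settings an operator cares about."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot_field = value & 0x000F
    if boot_field == 0:
        boot = "stay in ROMMON; boot manually with the boot command"
    elif boot_field == 1:
        boot = "boot the first image in Flash (assumed standard IOS meaning)"
    else:
        boot = "use boot system commands from the startup configuration (assumed standard IOS meaning)"
    return {
        "boot_field": boot_field,
        "boot_behavior": boot,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "oem_bit": bool(value & 0x0080),
        "ip_broadcast_all_zeros": bool(value & 0x0400),
        # Console speed is spread over bits 11-12 and bit 5 (Table 3-3); the
        # mapping to a baud rate is not on this page, so return the raw bits.
        "console_speed_bits": ((value >> 11) & 0b11, (value >> 5) & 1),
        "rom_boot_fallback": bool(value & 0x2000),   # bit 13, assumed meaning
    }


def password_recovery_register(current: int) -> int:
    """Value to set in ROMMON for password recovery: the current register
    with bit 6 set, so the next boot skips the password-protected startup
    configuration (0x2102 becomes 0x2142)."""
    return current | IGNORE_NVRAM


def restore_register(recovery: int) -> int:
    """Value to set back once the new enable secret has been saved."""
    return recovery & ~IGNORE_NVRAM & 0xFFFF


def parse_show_version_register(text: str) -> int:
    """Pull the register out of show version output."""
    m = re.search(r"Configuration register is 0x([0-9A-Fa-f]{1,4})", text)
    if not m:
        raise ValueError("no configuration register line found")
    return int(m.group(1), 16)


SHOW_VERSION_TAIL = """\
271K bytes of non-volatile configuration memory.

Configuration register is 0x2102
"""


def audit_register(text: str) -> list:
    """Flag a switch whose register will bypass its saved config on reload."""
    value = parse_show_version_register(text)
    settings = decode_config_register(value)
    issues = []
    if settings["ignore_nvram"]:
        issues.append(f"0x{value:04X}: startup configuration ignored on next reload; "
                      "passwords, ACLs and addressing will not be applied")
    if settings["boot_field"] == 0:
        issues.append(f"0x{value:04X}: switch will stop in ROMMON on reload")
    return issues


if __name__ == "__main__":
    for reg in (0x2102, 0x2142, 0x2100):
        print(hex(reg), decode_config_register(reg))
    print(audit_register(SHOW_VERSION_TAIL))
```

A periodic check that runs audit_register over collected show version output catches both the post-recovery mistake (register left at 0x2142) and a register deliberately set to drop into ROMMON; either one means the next reload produces a switch with none of the security configuration applied.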
Chapter 3 Configuring the Switch for the First Time Modifying the Supervisor Engine Startup Configuration Configuring Flash Memory To configure your switch to boot from Flash memory, perform the following procedure. (Refer to the appropriate hardware installation and maintenance publication for complete instructions on installing the hardware.) Step 1 Copy a system image to Flash memory using TFTP or other protocols.
Chapter 3 Configuring the Switch for the First Time Resetting a Switch to Factory Default Settings Resetting a Switch to Factory Default Settings Manufacturing and repair centers can use the erase /all non-default command to do the following: • Clear the non-volatile configurations and states of the local supervisor engine (NVRAM and flashes). • Set the factory default parameters on the Catalyst 4500 series switch before it is ready to ship to a customer.
C H A P T E R 4 Configuring Interfaces This chapter describes how to configure interfaces for the Catalyst 4500 series switches. It also provides guidelines, procedures, and configuration examples.
Chapter 4 Configuring Interfaces Using the interface Command • Slot number—The slot in which the interface module is installed. Slots are numbered starting with 1, from top to bottom. • Interface number—The interface number on the module. The interface numbers always begin with 1. When you are facing the front of the switch, the interfaces are numbered from left to right. You can identify interfaces by physically checking the slot/interface location on the switch.
Chapter 4 Configuring Interfaces Using the interface Command Last input never, output never, output hang never Last clearing of "show interface" counters never Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overr
Chapter 4 Configuring Interfaces Configuring a Range of Interfaces Step 5 Follow each interface command with the interface configuration commands your particular interface requires. The commands you enter define the protocols and applications that will run on the interface. The commands are collected and applied to the interface command until you enter another interface command or press Ctrl-Z to exit interface configuration mode and return to privileged EXEC mode.
Chapter 4 Configuring Interfaces Defining and Using Interface-Range Macros This example shows how to reenable all Fast Ethernet interfaces 5/1 to 5/5: Switch(config)# interface range fastethernet 5/1 - 5 Switch(config-if-range)# no shutdown Switch(config-if-range)# *Oct 6 08:24:35: %LINK-3-UPDOWN: Interface FastEthernet5/1, changed state to up *Oct 6 08:24:35: %LINK-3-UPDOWN: Interface FastEthernet5/2, changed state to up *Oct 6 08:24:35: %LINK-3-UPDOWN: Interface FastEthernet5/3, changed state to up *Oct
Chapter 4 Configuring Interfaces Deploying 10-Gigabit Ethernet and a Gigabit Ethernet SFP Ports To define an interface-range macro, perform this task: Command Purpose Switch(config)# define interface-range macro_name {vlan vlan_ID - vlan_ID} | {{fastethernet | gigabitethernet} slot/interface - interface} [, {vlan vlan_ID - vlan_ID} {{fastethernet | gigabitethernet} slot/interface - interface}] Defines the interface-range macro and saves it in the running configuration file.
Chapter 4 Configuring Interfaces Configuring Optional Interface Features When deploying a Catalyst 4510R chassis, one of three configurations is supported: • Enable the dual 10-Gigabit Ethernet ports (X2 optics) only. • Enable the four Gigabit Ethernet ports (SFP optics) only.
Chapter 4 Configuring Interfaces Configuring Optional Interface Features You can configure the interface speed and duplex mode parameters to auto and allow the Catalyst 4500 series switch to negotiate the interface speed and duplex mode between interfaces. If you decide to configure the interface speed and duplex commands manually, consider the following: Caution • If you enter the no speed command, the switch automatically configures both interface speed and duplex to auto.
Chapter 4 Configuring Interfaces Configuring Optional Interface Features To turn off the port speed autonegotiation for Gigabit Ethernet interface 1/1, perform this task: Command Purpose Step 1 Switch(config)# interface gigabitethernet1/1 Specifies the interface to be configured. Step 2 Switch(config-if)# speed nonegotiate Disables autonegotiation on the interface. To restore autonegotiation, enter the no speed nonegotiate command in the interface configuration mode.
Chapter 4 Configuring Interfaces Configuring Optional Interface Features Full-duplex, 100Mb/s ARP type: ARPA, ARP Timeout 04:00:00 Last input 00:00:54, output never, output hang never Last clearing of "show interface" counters never Input queue: 50/2000/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 50 packets input, 11300 bytes, 0 no buffer Received 50 b
Chapter 4 Configuring Interfaces Configuring Optional Interface Features Each of the last three modules has two non-blocking ports that can support jumbo frames. Other ports are over-subscribed ports and cannot support jumbo frames. Understanding Jumbo Frame Support These sections describe jumbo frame support: • Jumbo Frame Support Overview, page 4-11 • Ethernet Ports, page 4-11 • VLAN Interfaces, page 4-12 Jumbo Frame Support Overview A jumbo frame is a frame larger than the default Ethernet size.
Chapter 4 Configuring Interfaces Configuring Optional Interface Features Layer 3 and Layer 2 EtherChannels With Release Cisco IOS Release 12.2(25)EW and later releases, you can configure all the interfaces in an EtherChannel provided that they have the same MTU. Changing the MTU of an EtherChannel changes the MTU of all member ports. If the MTU of a member port cannot be changed to the new value, that port is suspended (administratively shut down).
Chapter 4 Configuring Interfaces Understanding Online Insertion and Removal This example shows how to verify the configuration: switch# show interface gigabitethernet 1/2 GigabitEthernet1/2 is administratively down, line protocol is down Hardware is C6k 1000Mb 802.3, address is 0030.9629.9f88 (bia 0030.9629.9f88) MTU 9216 bytes, BW 1000000 Kbit, DLY 10 usec, <...Output Truncated...> switch# Interacting with the Baby Giants Feature The baby giants feature, introduced in Cisco IOS Release 12.
Chapter 4 Configuring Interfaces Monitoring and Maintaining the Interface Monitoring Interface and Controller Status The Cisco IOS software for the Catalyst 4500 series switch contains commands that you can enter at the EXEC prompt to display information about the interface, including the version of the software and the hardware, the controller status, and statistics about the interfaces. The following table lists some of the interface monitoring commands.
Chapter 4 Configuring Interfaces Monitoring and Maintaining the Interface Shutting Down and Restarting an Interface You can disable an interface, which disables all functions on the specified interface and marks the interface as unavailable on all monitoring command displays. This information is communicated to other network servers through all dynamic routing protocols. The interface will not be mentioned in any routing updates.
Chapter 4 Configuring Interfaces Monitoring and Maintaining the Interface • logging event link-status use-global - This is the default link status logging event configuration on the interface; its configuration should follow the switch global link status logging event setting. The interface trunk status logging event can be configured in the same configuration states.
Chapter 4 Configuring Interfaces Monitoring and Maintaining the Interface The following table summarizes the operating state of interface link-status logging under the different combinations of global and interface logging settings:

global setting   interface setting     actual logging state
--------------   -------------------   --------------------
on               on                    on
off              on                    on
on               off                   off
off              off                   off
on               default(use-global)   on
off              default(use-global)   off

The following example displays the configuration and logging
Chapter 4 Configuring Interfaces Monitoring and Maintaining the Interface
3d00h: %DTP-5-TRUNKPORTON: Port Gi1/4 has become dot1q trunk
3d00h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/4, changed state to up
C H A P T E R 5 Checking Port Status and Connectivity This chapter describes how to check switch port status and connectivity on the Catalyst 4500 series switch.
Chapter 5 Checking Port Status and Connectivity Checking Interfaces Status This example shows how to check module status for all modules on your switch: Switch# show module all Mod Ports Card Type Model Serial No.
Chapter 5 Checking Port Status and Connectivity Displaying MAC Addresses Displaying MAC Addresses In addition to displaying the MAC address range for a module using the show module command, you can display the MAC address table information of a specific MAC address or a specific interface in the switch using the show mac-address-table address and show mac-address-table interface commands.
Chapter 5 Checking Port Status and Connectivity Checking Cable Status Using TDR Overview With TDR, you can check the status of copper cables on the 48-port 10/100/1000 BASE-T modules for the Catalyst 4500 series switch (WS-X4548-GB-RJ45, WS-X4548-GB-RJ45V, WS-X4524-GB-RJ45V, WS-X4013+TS, WS-C4948, and WS-C4948-10GE). TDR detects a cable fault by sending a signal through the cable and reading the signal that is reflected back.
Chapter 5 Checking Port Status and Connectivity Using Telnet Guidelines The following guidelines apply to the use of TDR: • If you connect a port undergoing a TDR test to an Auto-MDIX enabled port, the TDR result might be invalid. On certain linecards such as WS-X4148-RJ45V, Auto-MDIX is always enabled. In those instances, the port on the WS-X4148-RJ45V should be administratively down before the start of the TDR test.
Chapter 5 Checking Port Status and Connectivity Changing the Logout Timer Changing the Logout Timer The logout timer automatically disconnects a user from the switch when the user is idle for longer than the specified time. To set the logout timer, perform this task: Command Purpose Switch# logoutwarning number Changes the logout timer value (a timeout value of 0 prevents idle sessions from being disconnected automatically). Use the no keyword to return to the default value.
Chapter 5 Checking Port Status and Connectivity Using Ping This example shows how to disconnect an active console port session and an active Telnet session:
Switch> disconnect console
Console session disconnected.
Console> (enable) disconnect tim-nt.bigcorp.com
Telnet session from tim-nt.bigcorp.com disconnected.
Switch# show users
  Session   User   Location
  --------  -----  ------------------------
  telnet    jake   jake-mac.bigcorp.com
* telnet    suzy   suzy-pc.bigcorp.
Chapter 5 Checking Port Status and Connectivity Using IP Traceroute This example shows how to ping a remote host from normal executive mode:
Switch# ping labsparc
labsparc is alive
Switch> ping 72.16.10.3
12.16.10.3 is alive
Switch#
This example shows how to enter a ping command in privileged EXEC mode specifying the number of packets, the packet size, and the timeout period:
Switch# ping
Target IP Address []: 12.20.5.
Chapter 5 Checking Port Status and Connectivity Using Layer 2 Traceroute Running IP Traceroute To trace the path that packets take through the network, perform this task in EXEC or privileged EXEC mode: Command Purpose Switch# trace [protocol] [destination] Runs IP traceroute to trace the path that packets take through the network. This example shows how to use the trace command to display the route a packet takes through the network to reach its destination: Switch# trace ip ABA.NYC.
Chapter 5 Checking Port Status and Connectivity Using Layer 2 Traceroute For more information about enabling CDP, see Chapter 19, “Understanding and Configuring CDP.” Note • All switches in the physical path must have IP connectivity. When a switch is reachable from another switch, you can test connectivity by using the ping command in privileged EXEC mode. • The maximum number of hops identified in the path is ten.
Chapter 5 Checking Port Status and Connectivity Configuring ICMP Command Purpose Switch# traceroute mac ip {source-ip-address | source-hostname} {destination-ip-address | destination-hostname} Runs Layer 2 traceroute, identifying the source and destination hosts by IP address or hostname, to display the physical path that packets take through the network. These examples show how to use the traceroute mac and traceroute mac ip commands to display the physical path a packet takes through the network to reach its destination:
Switch# traceroute mac 0000.0201.0601 0000.0201.0201
Source 0000.0201.
Chapter 5 Checking Port Status and Connectivity Configuring ICMP To enable the generation of ICMP Protocol Unreachable and Host Unreachable messages, enter the following command in interface configuration mode: Command Purpose Switch(config-if)# [no] ip unreachables Enables ICMP destination unreachable messages. Use the no keyword to disable ICMP destination unreachable messages. Unreachable messages tell a sender which addresses, protocols and ports the device does not serve, so disabling them on interfaces that face untrusted networks is a common hardening step. Be aware that no ip unreachables also suppresses the Fragmentation Needed message (ICMP type 3, code 4), which breaks path MTU discovery for traffic routed through that interface.
Chapter 5 Checking Port Status and Connectivity Configuring ICMP Enabling ICMP Mask Reply Messages Occasionally, network devices must know the subnet mask for a particular subnetwork in the internetwork. To obtain this information, devices can send ICMP Mask Request messages. These messages are answered by ICMP Mask Reply messages from devices that have the requested information. The Cisco IOS software can respond to ICMP Mask Request messages if the ICMP Mask Reply function is enabled. Because a Mask Reply discloses the subnet layout to any host that asks, enable it only where a device on that subnet genuinely needs it, and leave it disabled on interfaces that face untrusted networks.
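The two ICMP knobs above are easy to lose track of across a large configuration, because the secure state of one (no ip unreachables) is a line that must be present while the secure state of the other (ip mask-reply absent) is a line that must not be. The script below is an added example, not Cisco code: it parses a running-config fragment into interface stanzas and reports interfaces on an operator-supplied "untrusted" list that still send unreachables, and any interface that answers Mask Requests. The configuration text, interface names and addresses are constructed for the example; the IOS defaults it assumes are that ip unreachables is on and ip mask-reply is off unless a line says otherwise.

```python
# Audit of per-interface ICMP settings in an IOS-style running configuration.
# Added example for this guide (not Cisco code).

# Constructed sample configuration for the example; interface names,
# descriptions and addresses are hypothetical.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 description uplink to internet edge
 ip address 192.0.2.2 255.255.255.252
 no ip unreachables
!
interface GigabitEthernet1/2
 description partner link
 ip address 198.51.100.1 255.255.255.0
 ip mask-reply
!
interface Vlan10
 description user access
 ip address 10.10.0.1 255.255.255.0
!
"""


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each interface stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any top-level line ends the stanza
    return interfaces


def icmp_state(lines):
    """Assumed IOS defaults: ip unreachables on, ip mask-reply off,
    unless the stanza overrides them."""
    return {
        "unreachables": "no ip unreachables" not in lines,
        "mask_reply": "ip mask-reply" in lines,
    }


def audit_icmp(config, untrusted):
    """List (interface, finding) pairs that a hardening review would raise."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        state = icmp_state(lines)
        if name in untrusted and state["unreachables"]:
            findings.append(
                (name, "ip unreachables enabled on an untrusted-facing interface"))
        if state["mask_reply"]:
            findings.append(
                (name, "ip mask-reply enabled: answers ICMP Mask Request"))
    return findings


if __name__ == "__main__":
    for iface, msg in audit_icmp(SAMPLE_CONFIG,
                                 {"GigabitEthernet1/1", "GigabitEthernet1/2"}):
        print(f"{iface}: {msg}")
```

Remember the path MTU discovery consequence noted above before bulk-applying no ip unreachables from the audit's output.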
C H A P T E R 6 Configuring Supervisor Engine Redundancy Using RPR and SSO Catalyst 4500 series switches allow a redundant supervisor engine to take over if the active supervisor engine fails. In software, supervisor engine redundancy is enabled by running the redundant supervisor engine in route processor redundancy (RPR) or stateful switchover (SSO) operating mode. Note The minimum ROMMON requirement for running SSO is Release 12.1(20r)EW1 or Release 12.2(20r)EW1.
Chapter 6 Configuring Supervisor Engine Redundancy Using RPR and SSO Understanding Cisco IOS NSF-Awareness Support Understanding Cisco IOS NSF-Awareness Support Cisco IOS Nonstop Forwarding (NSF) has two primary components: NSF-capability—NSF works with SSO to minimize the amount of time that a Layer 3 network is unavailable following a supervisor engine switchover by continuing to forward IP packets.
Chapter 6 Configuring Supervisor Engine Redundancy Using RPR and SSO Understanding Supervisor Engine Redundancy Table 6-1 lists the supervisor engines and Catalyst 4500 series switches that support NSF-awareness:

Table 6-1 NSF-Aware Capable Supervisor Engine and Catalyst 4500 Series Switch Matrix

NSF-Aware Capable Supervisor Engine   Switch Support
Supervisor Engine III (WS-X4014)      Catalyst 4506 series switch and Catalyst 4503 series switch
Supervisor Engine IV (WS-X4515)       Catalyst 4507R series switch,
Chapter 6 Configuring Supervisor Engine Redundancy Using RPR and SSO Understanding Supervisor Engine Redundancy When power is first applied to a switch, the supervisor engine that boots first becomes the active supervisor engine and remains active until a switchover occurs. A switchover will occur when one or more of the following events take place: • The active supervisor engine fails (due to either hardware or software function) or is removed. • A user forces a switchover.
Chapter 6 Configuring Supervisor Engine Redundancy Using RPR and SSO Understanding Supervisor Engine Redundancy Because the redundant supervisor engine recognizes the hardware link status of every link, ports that were active before the switchover will remain active, including the uplink ports. However, because uplink ports are physically on the supervisor engine, they will be disconnected if the supervisor engine is removed.
Chapter 6 Configuring Supervisor Engine Redundancy Using RPR and SSO Understanding Supervisor Engine Redundancy Synchronization SSO is compatible with the following list of features. However, the protocol database for these features is not synchronized between the redundant and active supervisor engines: • 802.
Chapter 6 Configuring Supervisor Engine Redundancy Using RPR and SSO Supervisor Engine Redundancy Guidelines and Restrictions SSO Supervisor Engine Configuration Synchronization When a redundant supervisor engine runs in SSO mode, the following events trigger synchronization of the configuration information: • When the active supervisor detects the redundant supervisor engine, synchronization of the persistent and running configuration takes place, allowing the redundant supervisor engine to arrive at a
Chapter 6 Configuring Supervisor Engine Redundancy Using RPR and SSO Configuring Supervisor Engine Redundancy • Starting with Cisco IOS Release 12.2, if an unsupported condition is detected (such as when the active supervisor engine is running Release 12.2(20)EW and the redundant supervisor engine is running Release 12.1(20)EW), the redundant supervisor engine will be reset multiple times and then be placed in ROMMON mode.
Chapter 6 Configuring Supervisor Engine Redundancy Using RPR and SSO Configuring Supervisor Engine Redundancy This example shows how to configure the system for SSO and display the redundancy facility information: Switch> enable Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z.
Chapter 6 Configuring Supervisor Engine Redundancy Using RPR and SSO Configuring Supervisor Engine Redundancy
Redundancy Mode (Operational) = Stateful Switchover
Redundancy Mode (Configured)  = Stateful Switchover
Split Mode = Disabled
Manual Swact = Enabled
Communications = Up
client count = 21
client_notification_TMR = 240000 milliseconds
keep_alive TMR = 9000 milliseconds
keep_alive count = 0
keep_alive threshold = 18
RF debug mask = 0x0
Switch#
This example shows how to change the system configur
Chapter 6 Configuring Supervisor Engine Redundancy Using RPR and SSO Performing a Manual Switchover Note Configuration changes made to the active supervisor engine through SNMP are not synchronized to the redundant supervisor engine. For information on how to handle this situation, see the “Supervisor Engine Redundancy Guidelines and Restrictions” section on page 6-7. Note The auto-sync command controls the synchronization of the config-reg, bootvar, and startup/private configuration files only.
Chapter 6 Configuring Supervisor Engine Redundancy Using RPR and SSO Performing a Software Upgrade To perform a manual switchover, perform this task on the active supervisor engine: Step 1 Command Purpose Switch# show redundancy Verifies that the peer state is in the STANDBY HOT state. See the example of the show redundancy states command on page 6-10. Step 2 Switch# redundancy force-switchover Launches switchover from the active supervisor engine to the redundant supervisor engine.
Chapter 6 Configuring Supervisor Engine Redundancy Using RPR and SSO Performing a Software Upgrade To perform a software upgrade, perform this task: Step 1 Command Purpose Switch# copy source_device:source_filename slot0:target_filename Copies the new Cisco IOS software image to the slot0: device on the active supervisor engine; a matching copy to slaveslot0: places it on the redundant supervisor engine, so both supervisor engines hold the new image.
Chapter 6 Configuring Supervisor Engine Redundancy Using RPR and SSO Manipulating Bootflash on the Redundant Supervisor Engine This example shows how to perform a software upgrade: Switch# config terminal Switch(config)# config-register 0x2 Switch(config)# boot system flash slot0:cat4000-i5s-mz.122-20.
Chapter 6 Configuring Supervisor Engine Redundancy Using RPR and SSO Manipulating Bootflash on the Redundant Supervisor Engine Command Purpose Switch# format slaveslot0: Formats the slot0: device on the redundant supervisor engine. or: Switch# format slavebootflash: Formats the bootflash: device on the redundant supervisor engine.
C H A P T E R 7 Environmental Monitoring and Power Management Note Before reading this chapter, read the "Preparing for Installation” section of the Catalyst 4500 Series Installation Guide. It is important to ensure that your installation site has enough power and cooling to accommodate the additional electrical load and heat introduced by PoE. This chapter describes power management and environmental monitoring features in the Catalyst 4500 series switches.
Chapter 7 Environmental Monitoring and Power Management Understanding Environmental Monitoring Using CLI Commands to Monitor your Environment Use the show environment CLI command to monitor the system. This section gives a basic overview of the command and keywords you will need. Enter the show environment [alarm | status | temperature] command to display system status information. Keyword descriptions are listed in Table 7-1.
Chapter 7 Environmental Monitoring and Power Management Power Management

Table 7-2 Alarms for Supervisor Engine and Switching Modules

Event                                                          Alarm Type   Supervisor LED Color   Description and Action
Supervisor engine temperature sensor exceeds major threshold   Major        Red                    Syslog message. If the over-temperature condition is not corrected, the system shuts down after 5 min.
Chapter 7 Environmental Monitoring and Power Management Power Management These power supplies are incompatible with Catalyst 4500 series switches. Since Power over Ethernet (PoE) is not supported on the Catalyst 4948 switch, only a limited wattage is needed. (For information on PoE, see Chapter 8, “Configuring Power over Ethernet.”) When you insert power supplies in your switch, the EEPROM on the power supplies can be read by the system software even if the supply is not powered on.
Chapter 7 Environmental Monitoring and Power Management Power Management – 1400 W DC Service Provider—Uses up to three lines (12.5 A, 15 A, 15 A) of DC input and delivers varying amounts of system power ranging from 400 W to 1400 W depending on the lines powered. See “Special Considerations for the 1400 W DC SP Triple Input Power Supply” section on page 7-14 for more information.
Chapter 7 Environmental Monitoring and Power Management Power Management Note On the Catalyst 4510R switch, the 1000 W AC power supply is not enough to support redundant mode for all possible configurations. It is able to support redundant mode for limited configurations that require less than 1000 W. Note The 1400 W DC power supply supports combined mode for data power. It does not support combined mode for PoE power. Selecting a Power Management Mode By default, a switch is set to redundant mode.
Chapter 7 Environmental Monitoring and Power Management Power Management If you attempt to insert additional modules into your switch and exceed the power supply, the switch immediately places the newly inserted module into reset mode, and the switch displays these error messages: Module has been inserted Insufficient power supplies operating.
Chapter 7 Environmental Monitoring and Power Management Power Management
Mod MAC addresses                      Hw  Fw            Sw               Status
--+--------------------------------+---+------------+----------------+--------
1   005c.9d1a.f9d0 to 005c.9d1a.f9df   0.5 12.1(11br)EW  12.1(20020313:00  Ok
2   0010.7bab.9920 to 0010.7bab.9925   0.2                                Ok
3   0050.7356.2b36 to 0050.7356.2b47   1.0                                Ok
5   0001.64fe.a930 to 0001.64fe.a95f   0.0                                PwrDeny
6   0050.0f10.28b0 to 0050.0f10.28df   1.
Chapter 7 Environmental Monitoring and Power Management Power Management The following example shows how to display the current power redundancy mode. The power supplies needed by system: 1 indicates that the switch is in redundant mode. Switch# show power supplies Power supplies needed by system:1 Switch# Configuring Combined Mode on a Catalyst 4500 Series Switch If your switch configuration requires more power than a single power supply can provide, set the power management mode to combined mode.
Chapter 7 Environmental Monitoring and Power Management Power Management The following example shows how to display the current power redundancy mode. The power supplies needed by system: 2 indicates that the switch is in combined mode. Switch# show power supplies Power supplies needed by system:2 Switch# Insufficient Inline Power Handling for Supervisor Engine II+TS When the Supervisor Engine II+TS is used with the 1400 W DC power supply (PWR-C45-1400DC), and only one 12.
Chapter 7 Environmental Monitoring and Power Management Power Management
                        Total Watts Used of System Power (12V)
Mod  Model              currently   out of reset   in reset
---- ----------------   ---------   ------------   --------
1    WS-X4013+TS        180         180            180
2    WS-X4506-GB-T      60          60             20
3    WS-X4424-GB-RJ45   90          90             50
-    Fan Tray           30
                        ---------   ------------   --------
                        360         330            250

                        Watts used of Chassis Inline Power (-50V)
                        Inline Power Admin   Inline Power Oper
Mod  Model              PS   Device          PS   Device          Efficiency
---- -----------------  -----
Chapter 7 Environmental Monitoring and Power Management Power Management Available Power for Catalyst 4500 Series Switches Power Supplies Table 7-3 lists the power available for use in the various Catalyst 4500 series switches power supplies. When your switch is configured to combined mode, the total available power is not the mathematical sum of the individual power supplies. The power supplies have a sharing ratio predetermined by the hardware.
Chapter 7 Environmental Monitoring and Power Management Power Management Keep in mind the following guidelines when using a 1400 W DC power supply with your Catalyst 4500 series switch: • The 1400 W DC power supply works with a variety of DC sources. The DC input can vary from 300 W to 7500 W. Refer to the power supply documentation for additional information. • The supervisor engine cannot detect the DC source plugged into the 1400 W DC power supply.
Chapter 7 Environmental Monitoring and Power Management Power Management Special Considerations for the 1400 W DC SP Triple Input Power Supply Unlike the 1400 W DC power supply, the 1400 W DC SP power supply has sub-modules (multiple inputs) that can be powered on or off. With Release 12.
Chapter 7 Environmental Monitoring and Power Management Power Management
Switch# show power
Power Summary                     Maximum
 (in Watts)              Used    Available
----------------------   ----    ---------
System Power (12V)        140       1360
Inline Power (-50V)         0       1850
Backplane Power (3.3V)      0         40
----------------------   ----    ---------
Total                     140  (not to exceed Total Maximum Available = 2100)
Switch#
• As with other power supplies, the two power supplies must be of the same type (4200 W AC or 1400 W DC).
Chapter 7 Environmental Monitoring and Power Management Power Management Table 7-5 Power Output in Combined Mode (continued) Power Supply 12 V 3.
Chapter 7 Environmental Monitoring and Power Management Power Management To choose a 1+1 redundancy configuration, you must change the system configuration from the default 2+1 redundancy mode to 1+1 redundancy mode by using the power supplies required 1 command. The power supplies required 1 command sets the power redundancy to 1+1 redundancy mode. In the 1+1 redundancy mode, the nonredundant power available to the system is the power of the single weakest power supply.
Chapter 7 Environmental Monitoring and Power Management Power Management The following configuration requires more power than a single 400 W power supply can provide: • WS-X4014 supervisor engine—110 W • Two WS-X4148-RJ modules in slots 2 and 3—65 W each (130 W total) • Two WS-X4448-GB-LX modules in slots 4 and 5—90 W each (180 W total) • Fan tray—25 W This configuration requires 445 W and cannot be used in 1+1 redundancy mode for a 400 W power supply.
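The 1+1 arithmetic above is simple, but what happens when the budget is exceeded is the part that bites in production: the chassis keeps the modules it has already powered and holds the rest in reset, which show module reports as PwrDeny. The model below is an added example written for this page, not Cisco code. It reuses the guide's module wattages and the 400 W supply figure; the supply names are hypothetical, and the rule that modules are granted power in slot order until the budget runs out is a simplifying assumption of the model, not a documented allocation algorithm. Combined mode is deliberately not modelled because the guide states its total is a hardware sharing ratio, not a sum.

```python
# 1+1 redundancy power-budget model for a Catalyst 4500 chassis.
# Added example for this guide (not Cisco code). Module wattages are the
# guide's worked configuration; supply names are hypothetical; the
# slot-order allocation rule is an assumption of this model.

SUPPLY_WATTS = {"PS1-400W": 400, "PS2-400W": 400}  # hypothetical supply names

MODULES = [  # (slot, model, watts) from the guide's example configuration
    (1, "WS-X4014", 110),
    (2, "WS-X4148-RJ", 65),
    (3, "WS-X4148-RJ", 65),
    (4, "WS-X4448-GB-LX", 90),
    (5, "WS-X4448-GB-LX", 90),
]
FAN_TRAY_WATTS = 25


def available_power(supplies, mode):
    """1+1 mode: the non-redundant power is that of the single weakest supply.
    Combined mode is refused because its total is a hardware sharing ratio,
    not the sum of the supplies."""
    if mode == "1+1":
        return min(supplies.values())
    raise ValueError("only 1+1 redundancy mode is modelled")


def required_power(modules, fan_watts):
    """Total draw of every installed module plus the fan tray."""
    return sum(watts for _, _, watts in modules) + fan_watts


def fits_redundant(modules, fan_watts, supplies):
    """True when the whole configuration survives the loss of one supply."""
    return required_power(modules, fan_watts) <= available_power(supplies, "1+1")


def allocate(modules, fan_watts, budget):
    """Grant power in slot order (model assumption). A module that would push
    the total over the budget is left in reset, reported as PwrDeny, the way
    show module shows it. Returns (watts actually used, {slot: status})."""
    used = fan_watts  # the fan tray is always powered
    status = {}
    for slot, _model, watts in sorted(modules):
        if used + watts <= budget:
            used += watts
            status[slot] = "Ok"
        else:
            status[slot] = "PwrDeny"
    return used, status


if __name__ == "__main__":
    budget = available_power(SUPPLY_WATTS, "1+1")
    print("required", required_power(MODULES, FAN_TRAY_WATTS), "budget", budget)
    print("fits 1+1:", fits_redundant(MODULES, FAN_TRAY_WATTS, SUPPLY_WATTS))
    used, status = allocate(MODULES, FAN_TRAY_WATTS, budget)
    for slot, state in status.items():
        print(f"slot {slot}: {state}")
    print("watts used:", used)
```

Run against the guide's configuration the model reproduces the 445 W requirement, a 400 W budget, and a single PwrDeny in the last slot; swap in your own module list and supply ratings to check a planned chassis before the modules are inserted.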
Chapter 7 Environmental Monitoring and Power Management Power Management The following example shows how to display the current power status of system components and the power redundancy mode. The Power supplies needed by system: 1 indicates that the switch is in 1+1 redundancy mode: Switch# show power supplies Power supplies needed by system:1 Switch# The following example shows the show module command output for a system with inadequate power for all installed modules.
Chapter 7 Environmental Monitoring and Power Management Power Management This example shows how to power down module 6:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# no hw-module module 6 power
Switch(config)# end
Switch#
C H A P T E R 8 Configuring Power over Ethernet Note Before reading this chapter, read "Preparing for Installation” section of the Catalyst 4500 Series Installation Guide. It is important to ensure that your installation site has enough power and cooling to accommodate the additional electrical load and heat introduced by PoE. This chapter describes how to configure Power over Ethernet (PoE) on the Catalyst 4500 series switch.
Chapter 8 Configuring Power over Ethernet Power Management Modes If your switch has a module capable of providing PoE to end stations, you can set each interface on the module to automatically detect and apply PoE if the end station requires power. The Catalyst 4500 series switch has three PoE modes: • auto—PoE interface. The supervisor engine directs the switching module to power up the interface only if the switching module discovers the phone and the switch has enough power.
Chapter 8 Configuring Power over Ethernet If you set a non-PoE-capable interface to automatically detect and apply power, an error message indicates that the configuration is not valid. The following example shows how to set the Fast Ethernet interface 4/1 to automatically detect PoE and send power through that interface: Switch# configure terminal Enter configuration commands, one per line.
Chapter 8 Configuring Power over Ethernet Note When manually configuring the consumption for powered devices, you need to account for the power loss over the cable between the switch and the powered device. To change the power consumption for the entire switch, perform this task: Step 1 Command Purpose Switch(config)# [no] power inline consumption default milli-watts Sets the PoE consumption (in milliwatts) of all powered devices connected to the switch.
Chapter 8 Configuring Power over Ethernet This example shows how to set the PoE consumption to 5000 milliwatts for Fast Ethernet interface 4/1 regardless what is mandated by the 802.3af class of the discovered device, or by any CDP packet received from the powered device: Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z.
Chapter 8 Configuring Power over Ethernet When you use PoE modules with type 1/2 shielded twisted pair (STP) cable configurations (90 and 125 meters), the modules perform the same as with Category 5 cable for the IEEE 802.3af standard at 10 and 100 Mbps.
Chapter 8 Configuring Power over Ethernet This example shows how to display the operational status for all interfaces on module 3.
Chapter 8 Configuring Power over Ethernet The 802.3af-compliant PoE modules can consume up to 20 W of PoE to power FPGAs and other hardware components on the module. Be sure to add at least 20 W to your PoE requirements for each 802.3af-compliant PoE module to ensure that the system has adequate power for the PDs connected to the switch. The example below displays the PoE consumption for an 802.3af-compliant module using the show power module command.
Chapter 8 Configuring Power over Ethernet
Switch# show power detail
Power Supply   Model No          Type       Status   Fan Sensor   Inline Status
------------   ---------------   --------   ------   ----------   -------------
PS1            PWR-C45-1300ACV   AC 1300W   good     good         good
PS2            none              --         --       --           --

Power supplies needed by system    : 1
Power supplies currently available : 1

Power Summary (in Watts)
----------------------
System Power (12V)
Inline Power (-50V)
Backplane Power (3.
Chapter 8 Switch# show power inline g1/1 Module 1 Inline Power Supply: Available:158(w) Interface Admin Oper Gi1/1 on Used:128(w) Configuring Power over Ethernet Remaining:30(w) Power(Watts) Device Class From PS To Device --------- ------ ---------- ---------- ---------- ------------------- ----auto 10.3 10.3 CNU Platform 3 Interface AdminPowerMax AdminConsumption (Watts) (Watts) ---------- --------------- -------------------Gi1/1 15.4 15.
Chapter 8 Configuring Power over Ethernet Gi2/3 Gi2/4 Gi2/5 Gi2/6 Gi2/7 Gi2/8 Gi2/9 Gi2/10 Gi2/11 Gi2/12 Gi2/13 Gi2/14 Gi2/15 Gi2/16 Gi2/17 Gi2/18 Interface 10.2 10.2 0.0 0.0 0.0 0.0 10.2 10.2 10.2 10.2 10.2 10.2 10.2 10.2 0.0 0.
CHAPTER 9 Configuring Switches with Web-Based Tools

This chapter describes how to install Network Assistant on the workstation and configure the Catalyst 4500 (or 4900) series switch to communicate with Network Assistant. (Hereafter, the term Catalyst 4500 series switch is used to refer to both switch types.) It also describes how to create communities and clusters.

Configuring and Using the Network Assistant

• Installing Network Assistant, page 9-5
• Getting Started with Network Assistant, page 9-5
• Launching the Network Assistant, page 9-6
• Connecting Network Assistant to a Device, page 9-7
• Using Community Mode to Manage a Network, page 9-8
• Converting a Cluster into a Community, page 9-11
• Using Cluster Mode to Manage a Network of Switches, page 9-12
• Configuring Network Assistant in

Table 1 Hardware Supported for Network Assistant 3.

Network Assistant-Related Features and Their Defaults

Table 2 lists the Network Assistant-related configuration parameters on a Catalyst 4500 series switch.

1. This command is used strictly for clustering.

Installing Network Assistant

To install Network Assistant on your workstation, follow these steps:

Step 1  Go to this Web address: http://www.cisco.com/go/NetworkAssistant/
        You must be a registered Cisco.com user as a guest, but you need no access privileges.
Step 2  Click on Download Software.

Step 3  Switch(config-if)# ip address ip_address address_mask
        (Optional) Assigns an IP address to the Catalyst 4500 series switch.
        Note This step is mandatory if the switch is part of a community or is a cluster command switch. This step is optional if the switch is a cluster member candidate.
Step 4  Switch(config-if)# end
        Returns to privileged EXEC mode.

In disconnect mode, Network Assistant is not connected to any device, and it cannot manage a standalone device or the command device of a cluster. Its menu bar and tool bar support only tasks that customize the Network Assistant itself. The feature bar, which usually lists device features, is empty. Online Help is available in disconnect mode.

Note For information on how to use Network Assistant, refer to Getting Started with Cisco Network Assistant, available at the URL: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cna/v2_0/gsg/index.

• Cisco Discovery Protocol (CDP) version 2 is enabled (the default), if you want the device to be autodiscovered.
• It has HTTP (or HTTPS) enabled.

Note A cluster member can be added to a community, but the reverse is not possible. If the cluster commander is added to a community, the other member devices of the cluster are not added automatically.

Note You can connect to a cluster only via an IP address. When you select a name, it is always for the community.

Hostnames

You do not need to assign a hostname to a starting device or a community member. However, Cisco recommends it, and Network Assistant does not assign one by default.

b. In the Communities window, select the name of the community to which you would like to add a device, and click Modify.
c. To add a single device manually, enter the IP address for the desired device in the Modify Community window, and click Add.
d. To discover candidate devices, enter the IP address for the starting device, and click Discover.
e.

Note If a device has more than one interface with an IP address and subnet mask, you see more than one interface listed when you click in the cell. You can choose a different interface from the one originally shown.

Step 4  In the IP Address column, enter an IP address for each device that does not have one.

Clustering Overview

A switch cluster is a set of up to 16 connected, cluster-capable Catalyst switches that are managed as a single entity. The switches in the cluster use the switch clustering technology so that you can configure and troubleshoot a group of different Catalyst 4500 series switch platforms through a single IP address.

You can configure the Catalyst 4500 series switch to support an appropriate number of VTY lines with the line vty configuration command. For example, the line vty 6 15 command configures the switch to include 9 VTY lines.

Note If your existing VTY lines have non-default configurations, you might want to apply those configurations to the new VTY lines.

Note CISCO-CLUSTER_MIB is not supported.

Configuring Network Assistant in Community or Cluster Mode

This section provides a detailed explanation of the CLI used to configure Network Assistant to work in a community or cluster. Network Assistant communicates with a Catalyst 4500 series switch by sending Cisco IOS commands over an HTTP (or HTTPS) connection.

Step 16  Switch(config-line)# login
         Allows login to the console port.
Step 17  Switch(config-line)# line vty x y
         Creates additional VTY lines for CNA to access the switch.
Step 18  Switch(config-line)# password password
         Specifies a password for the switch.
Step 19  Switch(config-line)# login
         Allows login to the switch.
vtp mode transparent
!
!
!
!
!
power redundancy-mode redundant
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
!
interface GigabitEthernet1/1
 switchport access vlan 2
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface GigabitEthernet1/5
!
interface GigabitEthernet1/6
!
interface

!
!
!
line con 0
 password cna
 login
 stopbits 1
line vty 0 4
 password cna
 login
line vty 5 15
 password cna
 login
!
!
end

Switch#

Configuring Network Assistant in a Networked Switch in Cluster Mode

To configure Network Assistant on a networked switch in cluster mode, perform this task on the switch:

Step 1  Switch# configure terminal
        Enters global configuration mode.

Step 16  Switch(config-line)# exec-timeout x y
         Configures an automatic session logout if no keyboard input or output is displayed on the terminal.
Step 17  Switch(config-line)# password password
         Specifies a password for the console port.
Step 18  Switch(config-line)# login
         Allows login to the console port.

enable password cna
!
no aaa new-model
ip subnet-zero
!
vtp domain cnadoc
vtp mode transparent
cluster run
cluster enable cnadoccluster 0
!
!
!
!
!
power redundancy-mode redundant
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
!
interface GigabitEthernet1/1
 switchport access vlan 2
!
interface GigabitEthernet1/2
!
interface Gigabi

interface Vlan1
 no ip address
!
interface Vlan2
 ip address 123.123.123.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 123.123.123.2
ip http server
no ip http secure-server
!
!
!
line con 0
Switch#

Configuring Embedded CiscoView Support

The Catalyst 4500 series switch supports CiscoView web-based administration through the Catalyst Web Interface (CWI) tool.

Step 1  Router# dir device_name
        Displays the contents of the device. If you are installing Embedded CiscoView for the first time, or if the CiscoView directory is empty, skip to Step 5.
Step 2  Switch# delete device_name:cv/*
        Removes existing files from the CiscoView directory.
Step 3  Switch# squeeze device_name:
        Recovers the space in the file system.

Delete bootflash:cv/Cat4000IOS-4.0.sgz? [confirm]y
Delete bootflash:cv/Cat4000IOS-4.0_ace.html? [confirm]y
Delete bootflash:cv/Cat4000IOS-4.0_error.html? [confirm]y
Delete bootflash:cv/Cat4000IOS-4.0_install.html? [confirm]y
Delete bootflash:cv/Cat4000IOS-4.0_jks.jar? [confirm]y
Delete bootflash:cv/Cat4000IOS-4.0_nos.jar? [confirm]y
Delete bootflash:cv/applet.html? [confirm]y
Delete bootflash:cv/cisco.

(Directory listing of the CiscoView directory, entries 5 through 17; the file names did not survive extraction, only the sizes and dates.)
 5  -rw-   9630880  Feb 27 2003 01:25:16
 6  -rw-      1173  Mar 19 2003 05:50:26
 7  -rw-  10511956  Mar 26 2003 04:24:12
 8  -rw-   2031616  Mar 26 2003 05:33:12
 9  -rw-   1956591  Mar 26 2003 05:36:11
10  -rw-      7263  Mar 26 2003 05:36:19
11  -rw-       410  Mar 26 2003 05:36:19
12  -rw-      2743  Mar 26 2003 05:36:19
13  -rw-     20450  Mar 26 2003 05:36:19
14  -rw-     20782  Mar 26 2003 05:36:19
15  -rw-     12388  Mar 26 2003 05:36:19
16  -rw-       529  Mar 26 2003 05:
17  -rw-      2523

The following example shows how to display the Embedded CiscoView file and version information:

Switch# show ciscoview package
File source:
CVFILE                           SIZE(in bytes)
------------------------------------------------
Cat4000IOS-5.1.sgz               1956591
Cat4000IOS-5.1_ace.html          7263
Cat4000IOS-5.1_error.html        410
Cat4000IOS-5.1_install.html      2743
Cat4000IOS-5.1_jks.jar           20450
Cat4000IOS-5.1_nos.jar           20782
applet.html                      12388
cisco.
CHAPTER 10 Understanding and Configuring VLANs, VTP, and VMPS

This chapter describes VLANs on Catalyst 4500 series switches. It also describes how to enable the VLAN Trunking Protocol (VTP) and to configure the Catalyst 4500 series switch as a VMPS client.

VLANs

You can define one or many virtual bridges within a switch. Each virtual bridge you create in the switch defines a new broadcast domain (VLAN). Traffic cannot pass directly to another VLAN (between broadcast domains) within the switch or between two switches. To interconnect two different VLANs, you must use routers or Layer 3 switches.

VLAN Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when creating and modifying VLANs in your network:

• Before creating a VLAN, put the Catalyst 4500 series switch in VTP server mode or VTP transparent mode. If the Catalyst 4500 series switch is a VTP server, you must define a VTP domain. For information on configuring VTP, see Chapter 27, “Understanding and Configuring VTP.

Configurable Normal-Range VLAN Parameters

Note Ethernet VLANs 1 and 1006 through 4094 use only default values.

You can configure the following parameters for VLANs 2 through 1001:

• VLAN name
• VLAN type
• VLAN state (active or suspended)
• SAID
• STP type for VLANs

VLAN Default Configuration

Table 10-2 shows the default VLAN configuration values.

Note VLANs support a number of parameters that are not discussed in detail in this section. For complete information, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference.

Note The VLAN configuration is stored in the vlan.dat file, which is stored in nonvolatile memory. You can cause inconsistency in the VLAN database if you manually delete the vlan.dat file.

To create a VLAN, perform this task:

Step 1  Switch# configure terminal
        Enters global configuration mode.
Step 2  Switch(config)# vlan vlan_ID
        Switch(config-vlan)#
        Adds an Ethernet VLAN.

Note You cannot delete the default VLANs for these media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005. When you delete a VLAN, any LAN interfaces configured as access ports assigned to that VLAN become inactive.

Configuring VLANs in VLAN Database Mode

When the switch is in VTP server or transparent mode, you can configure VLANs in the VLAN database mode. When you configure VLANs in VLAN database mode, the VLAN configuration is saved in the vlan.dat file, not the running-config or startup-config files. To display the VLAN configuration, enter the show running-config vlan command. User-configurable VLANs have unique IDs from 1 to 4094.

VLAN Trunking Protocol

Assigning a Layer 2 LAN Interface to a VLAN

A VLAN created in a management domain remains unused until you assign one or more LAN interfaces to the VLAN.

Note Make sure you assign LAN interfaces to a VLAN of the proper type. Assign Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces to Ethernet-type VLANs.

Understanding the VTP Domain

A VTP domain is made up of one or more interconnected network devices that share the same VTP domain name. A network device can be configured to be in only one VTP domain. You make global VLAN configuration changes for the domain using either the command-line interface (CLI) or Simple Network Management Protocol (SNMP).

The following global configuration information is distributed in VTP advertisements:

• VLAN IDs (ISL and 802.1Q)
• Emulated LAN names (for ATM LANE)
• 802.

Figure 10-2 shows a switched network without VTP pruning enabled. Interface 1 on Switch 1 and Interface 2 on Switch 4 are assigned to the Red VLAN. A broadcast is sent from the host connected to Switch 1. Switch 1 floods the broadcast and every network device in the network receives it, even though Switches 3, 5, and 6 have no interfaces in the Red VLAN.

To configure VTP pruning on a trunking LAN interface, use the switchport trunk pruning vlan command. VTP pruning operates when a LAN interface is trunking. You can set VLAN pruning eligibility regardless of whether VTP pruning is enabled or disabled for the VTP domain, whether any given VLAN exists, and regardless of whether the LAN interface is currently trunking.

Configuring VTP

The following sections describe how to configure VTP:

• Configuring VTP Global Parameters, page 10-13
• Configuring the Switch as a VTP Server, page 10-14
• Configuring the Switch as a VTP Client, page 10-15
• Disabling VTP (VTP Transparent Mode), page 10-16
• Displaying VTP Statistics, page 10-16

Configuring VTP Global Parameters

The following sections describe configuring the VTP global paramet
This example shows how to enable VTP pruning in the management domain:

Switch# vtp pruning
Pruning switched ON

This example shows how to verify the configuration:

Switch# show vtp status | include Pruning
VTP Pruning Mode : Enabled
Switch#

Enabling VTP Version 2

By default, VTP version 2 is disabled on VTP version 2-capable network devices.

This example shows how to configure the switch as a VTP server:

Switch# configure terminal
Switch(config)# vtp mode server
Setting device to VTP SERVER mode.

VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80
Configuration last modified by 0.0.0.0 at 8-12-99 15:04:49
Switch#

Disabling VTP (VTP Transparent Mode)

To disable VTP on the Catalyst 4500 series switch, perform this task:

Step 1  Switch# configure terminal
        Enters configuration mode.

This example shows how to display VTP statistics:

Switch# show vtp counters
VTP statistics:
Summary advertisements received    : 7
Subset advertisements received     : 5
Request advertisements received    : 0
Summary advertisements transmitted : 997
Subset advertisements transmitted  : 13
Request advertisements transmitted : 3
Number of config revision errors   :
Number of config digest errors     :
Number of V1 summary errors        :

VLAN Membership Policy Server

VMPS uses a UDP port to listen to VQP requests from clients, so it is not necessary for VMPS clients to know whether the VMPS resides on a local or remote device on the network. Upon receiving a valid request from a VMPS client, a VMPS server searches its database for an entry of a MAC-address to VLAN mapping.

If a VLAN is already assigned to this port, VMPS verifies the requesting MAC address against this port:

• If the VLAN associated with this MAC address in the database does not match the current VLAN assigned on the port, and a fallback VLAN name is configured, VMPS sends the fallback VLAN name to the client.

Illegal VMPS Client Requests

Two examples of illegal VMPS client requests are as follows:

• When a MAC-address mapping is not present in the VMPS database and no fallback VLAN is configured on the VMPS.
• When a port is already assigned a VLAN (and the VMPS mode is not “multiple”) but a second VMPS client request is received on the VMPS for a different MAC address.

Default VMPS Client Configuration

Table 10-4 shows the default VMPS and dynamic port configuration on client switches.
Switch# show vmps
VQP Client Status:
--------------------
VMPS VQP Version:   1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 172.20.128.179 (primary, current)
                    172.20.128.

Voice Ports

If a VVID (voice VLAN ID) is configured on a dynamic access port, the port can belong to both an access VLAN and a voice VLAN.

Configuring the Retry Interval

You can set the number of times that the VMPS client attempts to contact the VMPS before querying the next server. To configure the retry interval, perform this task:

Step 1  Switch# configure terminal
        Enters global configuration mode.
Step 2  Switch(config)# vmps retry count
        Specifies the retry count for the VQP queries. Default is 3. Range is from 1 to 10.

VMPS domain server  The IP address of the configured VLAN membership policy servers. The switch currently sends queries to the one marked “current.” The one marked “primary” is the primary server.
VMPS Action         The result of the most-recent reconfirmation attempt.

Dynamic Port VLAN Membership Configuration Example

Figure 10-4 on page 10-26 shows a network with a VMPS server and VMPS client switches with dynamic ports. In this example, these assumptions apply:

• The VMPS server and the VMPS client are separate switches.
• The Catalyst 4000 family Switch 1 (running CatOS) is the primary VMPS server.

Two topologies are possible. Figure 10-5 illustrates a topology with one end station attached directly to a Catalyst 4500 series switch operating as a VMPS client. Figure 10-6 illustrates a topology with an end station attached to a Cisco IP Phone, which is attached to a Catalyst 4500 series switch.

VQP Client Status:
--------------------
VMPS VQP Version:   1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 172.20.26.152
                    172.20.26.150 (primary, current

Step 2  Configure port Fa0/1 on Switch 2 as a dynamic port.
        a. Return to global configuration mode:
           switch# configure terminal
        b. Enter interface configuration mode:
           switch(config)# interface fa2/1
        c.

VMPS Database Configuration File Example

This example shows a sample VMPS database configuration file as it appears on a VMPS server. A VMPS database configuration file is an ASCII text file that is stored on a TFTP server accessible to the switch that functions as the VMPS server.

!vmps domain
! The VMPS domain must be defined.
!vmps mode { open | secure }
! The default mode is open.

vmps-port-policies vlan-name Green device 198.92.30.32 port Fa0/9
vmps-port-policies vlan-name Purple device 198.4.254.22 port Fa0/10
port-group “Executive Row”
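The request handling described under VLAN Membership Policy Server (database lookup, fallback VLAN, the two illegal-request cases) and the database file format above, modelled together in one added Python example; this is not Cisco's VMPS code. The `address MAC vlan-name NAME` line form, the `multiple` flag, and the deny (open mode) versus port-shutdown (secure mode) responses are assumptions noted in the comments, and the sample database is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class VmpsDatabase:
    domain: str = ""
    mode: str = "open"               # "open" or "secure"; the page says open is the default
    fallback: Optional[str] = None   # fallback VLAN name, if one is configured
    multiple: bool = False           # assumption: "multiple" mode modelled as a flag, not parsed
    mac_to_vlan: Dict[str, str] = field(default_factory=dict)


def parse_vmps_db(text: str) -> VmpsDatabase:
    """Parse the ASCII VMPS database file. Lines starting with '!' are comments,
    as in the sample file above; unknown lines are ignored."""
    db = VmpsDatabase()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if w[:2] == ["vmps", "domain"] and len(w) == 3:
            db.domain = w[2]
        elif w[:2] == ["vmps", "mode"] and len(w) == 3 and w[2] in ("open", "secure"):
            db.mode = w[2]
        elif w[:2] == ["vmps", "fallback"] and len(w) == 3:
            db.fallback = w[2]
        elif w[0] == "address" and len(w) == 4 and w[2] == "vlan-name":
            # MAC-to-VLAN entry, "address 0012.2233.4455 vlan-name Green" (assumed line form)
            db.mac_to_vlan[w[1].lower()] = w[3]
        # vmps-port-policies / port-group lines are not modelled in this example
    return db


@dataclass
class PortState:
    vlan: Optional[str] = None   # VLAN currently assigned on the dynamic port, if any
    mac: Optional[str] = None    # MAC address that assignment was made for


def vmps_decide(db: VmpsDatabase, port: PortState, mac: str) -> Tuple[str, Optional[str]]:
    """Decide a VQP request from `mac` on `port`.

    Returns ("assign", vlan_name) for a database hit or a fallback, otherwise the
    illegal-request response: ("deny", None) in open mode or ("shutdown", None) in
    secure mode (secure mode shutting the port down is VMPS behaviour not shown on
    this page).
    """
    mac = mac.lower()
    mapped = db.mac_to_vlan.get(mac)
    illegal = ("shutdown" if db.mode == "secure" else "deny", None)
    fallback = ("assign", db.fallback) if db.fallback else illegal

    if port.vlan is None:
        # Unassigned port: database entry, else fallback VLAN, else illegal (no fallback)
        return ("assign", mapped) if mapped else fallback

    if port.mac is not None and mac != port.mac and not db.multiple:
        # Second MAC on an already-assigned port while not in "multiple" mode: illegal
        return illegal
    if mapped is None:
        return fallback
    if mapped != port.vlan:
        # Database VLAN differs from the port's current VLAN: the page says the
        # fallback VLAN name is sent when one is configured; without one it is
        # treated as illegal here (assumption)
        return fallback
    return "assign", mapped   # reconfirmation of the existing assignment


# Constructed sample database in the file format above (not from a real VMPS)
SAMPLE_DB = """!vmps domain
! The VMPS domain must be defined.
vmps domain example
!vmps mode { open | secure }
! The default mode is open.
vmps mode open
vmps fallback Guest
!
address 0012.2233.4455 vlan-name Green
address 00aa.bbcc.ddee vlan-name Purple
"""
```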
CHAPTER 11 Configuring Layer 2 Ethernet Interfaces

This chapter describes how to use the command-line interface (CLI) to configure Fast Ethernet and Gigabit Ethernet interfaces for Layer 2 switching on Catalyst 4500 series switches. It also provides guidelines, procedures, and configuration examples. The configuration tasks in this chapter apply to Fast Ethernet and Gigabit Ethernet interfaces on any module, including the uplink ports on the supervisor engine.

Overview of Layer 2 Ethernet Switching

Note With release 12.1(13)EW, the Catalyst 4500 series switches can handle packets of 1600 bytes, rather than treat them as “oversized” and discard them. This size is larger than the usual IEEE Ethernet Maximum Transmission Unit (MTU) (1518 bytes) and 802.1q MTU (1522 bytes). The ability to handle larger packets is required to support two nested 802.1q headers and Multiprotocol Label Switching (MPLS) on a network.

Understanding VLAN Trunks

A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch. Trunks carry the traffic of multiple VLANs over a single link and allow you to extend VLANs across an entire network.

Default Layer 2 Ethernet Interface Configuration

Layer 2 Interface Modes

Table 11-2 lists the Layer 2 interface modes and describes how they function on Ethernet interfaces.

Table 11-2 Layer 2 Interface Modes
Mode: switchport mode access
Purpose: Puts the interface into permanent nontrunking mode and negotiates to convert the link into a nontrunking link.

Layer 2 Interface Configuration Guidelines and Restrictions

Table 11-3 Layer 2 Ethernet Interface Default Configuration (continued)
Feature: Native VLAN (for 802.

Configuring Ethernet Interfaces for Layer 2 Switching

Configuring an Ethernet Interface as a Layer 2 Trunk

Note The default for Layer 2 interfaces is switchport mode dynamic auto. If the neighboring interface supports trunking and is configured to trunk mode or dynamic desirable mode, the link becomes a Layer 2 trunk. By default, trunks negotiate encapsulation. If the neighboring interface supports ISL and 802.

Step 11  Switch# show running-config interface {fastethernet | gigabitethernet | tengigabitethernet} slot/port
         Displays the running configuration of the interface.
Step 12  Switch# show interfaces [fastethernet | gigabitethernet | tengigabitethernet] slot/port switchport
         Displays the switch port configuration of the interface.

Port    Vlans allowed and active in management domain
Fa5/8   1-6,10,20,50,100,152,200,300,303-305,349-351,400,500,521,524,570,801-802,850,917,999,1002-1005

Port    Vlans in spanning tree forwarding state and not pruned
Fa5/8   1-6,10,20,50,100,152,200,300,303-305,349-351,400,500,521,524,570,801-802,850,917,999,1002-1005
Switch#

Configuring an Interface as a Layer 2 Access Port

Note If you assign an interfa

Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 200
Switch(config-if)# no shutdown
Switch(config-if)# end
Switch# exit

This example shows how to verify the running configuration:

Switch# show running-config interface fastethernet 5/6
Building configuration...

This example shows how to verify that the Layer 2 configuration was cleared:

Switch# show running-config interface fastethernet 5/6
Building configuration...
CHAPTER 12 Configuring SmartPort Macros

This chapter describes how to configure and apply SmartPort macros on your switch.

Note For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm.

Configuring Smart-Port Macros

You can create a new SmartPort macro or use an existing macro as a template to create a new macro that is specific to your application. After you create the macro, you can apply it to an interface or a range of interfaces.

# Recommended value for voice vlan (VVID) should not be 1
switchport voice vlan $VVID
# Enable port security limiting port to a 3 MAC
# addresses -- One for desktop and two for phone
switchport port-security
switchport port-security maximum 3
# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging ty

spanning-tree portfast
spanning-tree bpduguard enable

SmartPort Macro Configuration Guidelines

Follow these guidelines when configuring macros on your switch:

• Do not use exit or end commands when creating a macro. This action could cause commands that follow exit or end to execute in a different command mode.
• When creating a macro, all CLI commands should be interface configuration mode commands.

Step 3  Switch(config)# interface interface-id
        Enters interface configuration mode and specifies the interface on which to apply the macro.
Step 4  Switch(config-if)# macro {apply | trace} macro-name [keyword] [value] [keyword] [value] [keyword] [value]
        Applies each command defined in the macro to the interface.
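A checker for the two macro guidelines above plus the keyword/value substitution that macro apply performs, added here as a Python example rather than the switch's own parser. The allow-list of interface-mode command prefixes is an assumption drawn from the cisco-phone and cisco-switch macro bodies shown in this chapter; the sample macro body is the cisco-phone extract from this chapter.

```python
import re
from typing import List, Set

# Interface configuration mode commands a macro may contain (assumed allow-list,
# derived from the macro bodies shown in this chapter; extend for your own macros)
INTERFACE_COMMANDS = ("switchport", "spanning-tree", "speed", "duplex", "description", "no ")
PARAM = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*")


def check_macro(body: str) -> List[str]:
    """Return guideline violations found in the macro body (empty list means clean):
    exit/end commands, and commands that are not interface configuration commands."""
    problems = []
    for n, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # '#' lines are macro comments, as in the macros above
        first = line.split()[0]
        if first in ("exit", "end"):
            problems.append(f"line {n}: '{first}' would leave interface configuration mode")
        elif not line.startswith(INTERFACE_COMMANDS):
            problems.append(f"line {n}: '{first}' is not an interface configuration command")
    return problems


def required_keywords(body: str) -> Set[str]:
    """Keywords ($VVID, $NVID, ...) that must be supplied when the macro is applied."""
    return set(PARAM.findall(body))


def apply_macro(body: str, **values: str) -> List[str]:
    """Expand $KEYWORDs and return the commands that would be sent to the interface.
    A missing keyword, or VLAN 1 for $VVID/$NVID (the macros themselves advise
    against it), raises instead of producing a bad configuration."""
    missing = required_keywords(body) - {"$" + k for k in values}
    if missing:
        raise ValueError(f"macro apply needs keyword/value for {sorted(missing)}")
    for k, v in values.items():
        if k in ("VVID", "NVID") and v == "1":
            raise ValueError(f"${k} should not be VLAN 1")
    commands = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        commands.append(PARAM.sub(lambda m: values[m.group()[1:]], line))
    return commands


# cisco-phone macro body as shown earlier in this chapter (comments included)
CISCO_PHONE = """# Recommended value for voice vlan (VVID) should not be 1
switchport voice vlan $VVID
# Enable port security limiting port to a 3 MAC
# addresses -- One for desktop and two for phone
switchport port-security
switchport port-security maximum 3
# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
spanning-tree portfast
spanning-tree bpduguard enable
"""
```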
switchport port-security
# Ensure port-security age is greater than one minute
# and use inactivity timer
# “Port-security maximum 1” is the default and will not
# show up in the config
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
# Configure port as an edge network port
spanning-tree portfast
spanning-tree bpduguard enable
Switch# show parser macro des

Fa2/9      cisco-phone
--------------------------------------------------------------

cisco-switch

This example shows how to use the system-defined macro cisco-switch to assign a value of 38 to the native VLAN on the Fast Ethernet interface 2/9.

Note This macro requires the $NVID keyword, which is the native VLAN of the port.

switchport trunk encapsulation dot1q
# Define unique Native VLAN on trunk ports
# Recommended value for native vlan (NVID) should not be 1
switchport trunk native vlan $NVID [native_vlan_id]
# Update the allowed VLAN range (VRANGE) such that it
# includes data, voice and native VLANs
# switchport trunk allowed vlan $VRANGE [vlan_range]
# Hardcode trunk and disable negotiation to
# speed up convergence
# Hardcode speed and duplex to route
C H A P T E R 13 Understanding and Configuring STP This chapter describes how to configure the Spanning Tree Protocol (STP) on a Catalyst 4500 series switch. It also provides guidelines, procedures, and configuration examples.
Chapter 13 Understanding and Configuring STP Overview of STP A spanning tree defines a tree with a root switch and a loop-free path from the root to all switches in the Layer 2 network. A spanning tree forces redundant data paths into a standby (blocked) state. If a network segment in the spanning tree fails and a redundant path exists, the spanning tree algorithm recalculates the spanning tree topology and activates the standby path.
Chapter 13 Understanding and Configuring STP Overview of STP STP MAC Address Allocation A Catalyst 4500 series switch chassis has either 64 or 1024 MAC addresses available to support software features like STP. Enter the show module command to view the MAC address range on your chassis. Release 12.1(12c)EW and later releases support chassis with 64 or 1024 MAC addresses. For chassis with 64 MAC addresses, STP uses the extended system ID plus a MAC address to make the bridge ID unique for each VLAN.
Election of the Root Bridge

For each VLAN, the switch with the highest bridge priority (the lowest numerical priority value) is elected as the root bridge. If all switches are configured with the default priority value (32,768), the switch with the lowest MAC address in the VLAN becomes the root bridge. The spanning tree root bridge is the logical center of the spanning tree topology in a switched network.
Figure 13-1 Spanning Tree Topology
(figure: switches A, B, C, and D with their port roles; RP = Root Port, DP = Designated Port)

For example, assume that one port on Switch B is a fiber-optic link, and another port on Switch B (an unshielded twisted-pair [UTP] link) is the root port. Network traffic might be more efficient over the high-speed fiber-optic link.
STP and IEEE 802.1Q Trunks

802.1Q VLAN trunks impose some limitations on the spanning tree strategy for a network. In a network of Cisco switches connected through 802.1Q trunks, the switches maintain one instance of spanning tree for each VLAN allowed on the trunks. However, non-Cisco 802.1Q switches maintain only one instance of spanning tree for all VLANs allowed on the trunks.
Table 13-4 Spanning Tree Default Configuration Values (continued)

Feature                                                      Default Value
Spanning tree VLAN port cost (configurable on a per-VLAN     10-Gigabit Ethernet: 2
basis; used on interfaces configured as Layer 2 trunk        Gigabit Ethernet: 4
ports)                                                       Fast Ethernet: 19
Hello time                                                   2 sec
Forward delay time                                           15 sec
Maximum aging time                                           20 sec

Configuring STP

The following sections describe how to configure spanning tree on VLANs: No
To enable a spanning tree on a per-VLAN basis, perform this task:

Step 1  Switch# configure terminal                   Enters global configuration mode.
Step 2  Switch(config)# spanning-tree vlan vlan_ID   Enables spanning tree for VLAN vlan_ID. The vlan_ID value can range from 1 to 4094.
Step 3  Switch(config)# end                          Exits configuration mode.
Step 4  Switch# show spanning-tree vlan vlan_ID      Verifies that spanning tree is enabled.
To enable the extended system ID, perform this task:

Step 1  Switch(config)# [no] spanning-tree extend system-id   Enables the extended system ID. Use the no keyword to disable the extended system ID.

Note: You cannot disable the extended system ID on chassis that support 64 MAC addresses or when you have configured extended range VLANs (see the "Table 13-4 Spanning Tree Default Configuration Values" section on page 13-6).
Use the diameter keyword to specify the Layer 2 network diameter (the maximum number of bridge hops between any two end stations in the network). When you specify the network diameter, a switch automatically picks an optimal hello time, forward delay time, and maximum age time for a network of that diameter. This can significantly reduce the spanning tree convergence time.
Port 324 (FastEthernet6/4) of VLAN1 is blocking
   Port path cost 19, Port priority 128, Port Identifier 129.68.
   Designated root has priority 32768, address 0001.6445.4400
   Designated bridge has priority 32768, address 0001.6445.4400
   Designated port id is 129.
Configuring a Secondary Root Switch

When you configure a switch as the secondary root, the spanning tree bridge priority is modified from the default value (32,768) to 16,384. This means that the switch is likely to become the root bridge for the specified VLANs if the primary root bridge fails (assuming the other switches in the network use the default bridge priority of 32,768).
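The election rule above (lowest priority field, then lowest MAC) and the effect of the extended system ID, the secondary-root value and the UplinkFast value on it, as an added Python model that is not part of the Cisco guide. The switch names are constructed; the MAC addresses are borrowed from the guide's show output; the bridge ID layout (16-bit priority field followed by the 48-bit MAC, priority in multiples of 4096 plus the VLAN ID when the extended system ID is in use) is the 802.1D/802.1t layout, stated here as an assumption about the platform.

```python
"""Per-VLAN STP root election with and without the extended system ID.

Added example, not code from the Cisco guide. Models the bridge ID as a
16-bit priority field followed by the 48-bit bridge MAC and elects the root
as the lowest bridge ID, which is what "highest priority, then lowest MAC"
comes down to.
"""
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768          # default bridge priority
SECONDARY_ROOT_PRIORITY = 16384   # value set for a secondary root
UPLINKFAST_PRIORITY = 49152       # value UplinkFast raises the priority to


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                      # dotted-hex chassis MAC, e.g. "0001.6445.4400"
    priority: int = DEFAULT_PRIORITY


def mac_to_int(mac: str) -> int:
    """Parse a Cisco dotted-hex MAC address into a 48-bit integer."""
    digits = mac.replace(".", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


def priority_field(bridge: Bridge, vlan: int, extended_system_id: bool = True) -> int:
    """The 16-bit priority field as 'show spanning-tree' prints it.

    With the extended system ID (assumed 802.1t layout) the field is the
    configured priority, a multiple of 4096 in the top 4 bits, plus the
    12-bit VLAN ID: a default-priority bridge shows 32769 in VLAN 1 and
    32968 in VLAN 200. Without it the field is the configured priority alone.
    """
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan}")
    if not 0 <= bridge.priority <= 65535:
        raise ValueError(f"priority out of range: {bridge.priority}")
    if not extended_system_id:
        return bridge.priority
    if bridge.priority % 4096:
        raise ValueError("priority must be a multiple of 4096 "
                         "when the extended system ID is in use")
    return bridge.priority + vlan


def bridge_id(bridge: Bridge, vlan: int, extended_system_id: bool = True) -> int:
    """64-bit bridge ID: priority field in the high 16 bits, MAC in the low 48."""
    return (priority_field(bridge, vlan, extended_system_id) << 48) | mac_to_int(bridge.mac)


def elect_root(bridges, vlan: int, extended_system_id: bool = True) -> Bridge:
    """Root for a VLAN: the numerically lowest bridge ID, i.e. the lowest
    priority field first and the lowest MAC address as the tie-breaker."""
    return min(bridges, key=lambda b: bridge_id(b, vlan, extended_system_id))


def describe(bridge: Bridge, vlan: int, extended_system_id: bool = True) -> str:
    """Render the ID the way 'show spanning-tree' prints the designated root."""
    return f"priority {priority_field(bridge, vlan, extended_system_id)}, address {bridge.mac}"


if __name__ == "__main__":
    # Constructed sample: three switches with default priority.
    a = Bridge("A", "0001.6445.4400")
    b = Bridge("B", "0003.6b10.e800")
    c = Bridge("C", "00d0.00b8.1400")
    print("all defaults, VLAN 1 root:", elect_root([a, b, c], 1).name, "|", describe(a, 1))
    c_secondary = Bridge("C", c.mac, SECONDARY_ROOT_PRIORITY)
    print("C as secondary root:", elect_root([a, b, c_secondary], 1).name,
          "|", describe(c_secondary, 1))
```

The same three default-priority bridges elect A (lowest MAC); once C is configured as secondary root with 16,384 it wins, and a bridge raised to 49,152 by UplinkFast drops out of contention.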
Configuring STP Port Priority

In the event of a loop, a spanning tree considers port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want a spanning tree to select first and lower priority values (higher numerical values) to interfaces that you want a spanning tree to select last.
This example shows how to display the details of the interface configuration when the interface is configured as an access port:

Switch# show spanning-tree interface fastethernet 3/1 detail
Port 129 (FastEthernet3/1) of VLAN0001 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.129.
   Designated root has priority 32768, address 0003.6b10.e800
   Designated bridge has priority 32768, address 0003.6b10.
This example shows how to configure the spanning tree VLAN port priority of a Fast Ethernet interface:

Switch# configure terminal
Switch(config)# interface fastethernet 5/8
Switch(config-if)# spanning-tree vlan 200 port-priority 64
Switch(config-if)# end
Switch#

This example shows how to verify the configuration of VLAN 200 on the interface when it is configured as a trunk port:

Switch# show spanning-tree vlan 200
<...output truncated...
This example shows how to change the spanning tree port cost of a Fast Ethernet interface:

Switch# configure terminal
Switch(config)# interface fastethernet 5/8
Switch(config-if)# spanning-tree cost 18
Switch(config-if)# end
Switch#

This example shows how to verify the configuration of the interface when it is configured as an access port:

Switch# show spanning-tree interface fastethernet 5/8
Port 264 (FastEthernet5/8) of VLAN200 is forwarding
To configure the spanning tree bridge priority of a VLAN, perform this task:

Step 1  Switch(config)# [no] spanning-tree vlan vlan_ID priority bridge_priority   Configures the bridge priority of a VLAN. The bridge_priority value can be from 1 to 65,535. You can use the no keyword to restore the defaults.
Step 2  Switch(config)# end                                                       Exits configuration mode.
This example shows how to verify the configuration:

Switch# show spanning-tree vlan 200 bridge brief

                                        Hello  Max   Fwd
Vlan              Bridge ID             Time   Age   Delay  Protocol
---------------- -------------------- ----  ----  -----  --------
VLAN200          49152 0050.3e8d.64c8    7    20     15   ieee
Switch#

Configuring the Maximum Aging Time for a VLAN

Note: Exercise care when configuring aging time.
To configure the spanning tree forward delay time for a VLAN, perform this task:

Step 1  Switch(config)# [no] spanning-tree vlan vlan_ID forward-time forward_time   Configures the forward time of a VLAN. The forward_time value can be from 4 to 30 seconds. You can use the no keyword to restore the defaults.
Step 2  Switch(config)# end                                                         Exits configuration mode.
This example shows how to disable spanning tree on VLAN 200:

Switch# configure terminal
Switch(config)# no spanning-tree vlan 200
Switch(config)# end
Switch#

This example shows how to verify the configuration:

Switch# show spanning-tree vlan 200
Spanning tree instance for VLAN 200 does not exist.
The following example shows how to verify the configuration:

Switch# show spanning-tree summary totals
Switch is in rapid-pvst mode
Root bridge for:VLAN0001
Extended system ID           is disabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Pathcost method used         is short
Nam
CHAPTER 14 Configuring STP Features

This chapter describes the Spanning Tree Protocol (STP) features supported on the Catalyst 4500 series switches. It also provides guidelines, procedures, and configuration examples.
Overview of Root Guard

Spanning Tree root guard forces an interface to become a designated port, to protect the current root status and prevent surrounding switches from becoming the root switch. When you enable root guard on a per-port basis, it is automatically applied to all of the active VLANs to which that port belongs.
VLAN1002         FastEthernet3/2      Port Type Inconsistent
VLAN1003         FastEthernet3/1      Port Type Inconsistent
VLAN1003         FastEthernet3/2      Port Type Inconsistent
VLAN1004         FastEthernet3/1      Port Type Inconsistent
VLAN1004         FastEthernet3/2      Port Type Inconsistent
VLAN1005         FastEthernet3/1      Port Type Inconsistent
VLAN1005         FastEthernet3/2      Port Type Inconsistent

Number of inconsistent ports (segments) in the system :10

Overview of Loop Guard

Loop guard helps prevent bri
Enabling Loop Guard

Follow these guidelines when using loop guard:
• Do not enable loop guard on PortFast-enabled or dynamic VLAN ports.
• Do not enable loop guard if root guard is enabled.

Loop guard interacts with other features as follows:
• Loop guard does not affect the functionality of UplinkFast or BackboneFast.
• Enabling loop guard on ports that are not connected to a point-to-point link will not work.
This example shows how to verify the previous configuration of port 4/4:

Switch# show spanning-tree interface fastethernet 4/4 detail
Port 196 (FastEthernet4/4) of VLAN0010 is forwarding
   Port path cost 1000, Port priority 160, Port Identifier 160.196.
   Designated root has priority 32768, address 00d0.00b8.140a
   Designated bridge has priority 32768, address 00d0.00b8.140a
   Designated port id is 160.
Note: Because the purpose of PortFast is to minimize the time that access ports must wait for spanning tree to converge, it is most effective when used on access ports. If you enable PortFast on a port connecting to another switch, you risk creating a spanning tree loop.

Enabling PortFast

Caution: Use PortFast only when connecting a single end station to a Layer 2 access port. Otherwise, you might create a network loop.
Overview of BPDU Guard

Spanning Tree BPDU guard shuts down PortFast-configured interfaces that receive BPDUs, rather than putting them into the spanning tree blocking state. In a valid configuration, PortFast-configured interfaces do not receive BPDUs. Reception of a BPDU by a PortFast-configured interface signals an invalid configuration, such as connection of an unauthorized device.
Overview of PortFast BPDU Filtering

Cisco IOS Release 12.2(25)EW and later support PortFast BPDU filtering, which allows the administrator to prevent the system from sending or even receiving BPDUs on specified ports. When configured globally, PortFast BPDU filtering applies to all operational PortFast ports. Ports in an operational PortFast state are supposed to be connected to hosts that typically drop BPDUs.
This example shows how to verify the BPDU configuration in PVST+ mode:

Switch# show spanning-tree summary totals
Root bridge for:VLAN0010
EtherChannel misconfiguration guard is enabled
Extended system ID    is disabled
Portfast              is enabled by default
PortFast BPDU Guard   is disabled by default
Portfast BPDU Filter  is enabled by default
Loopguard             is disabled by default
UplinkFast            is disabled
BackboneFast          is disabled
Pathcost method used  is lon
Overview of UplinkFast

Note: UplinkFast is most useful in wiring-closet switches. This feature might not be useful for other types of applications.

Spanning Tree UplinkFast provides fast convergence after a direct link failure and uses uplink groups to achieve load balancing between redundant Layer 2 links.
Enabling UplinkFast

UplinkFast increases the bridge priority to 49,152 and adds 3000 to the spanning tree port cost of all interfaces on the switch, making it unlikely that the switch will become the root switch. The max_update_rate value represents the number of multicast packets transmitted per second (the default is 150 packets per second [pps]). UplinkFast cannot be enabled on VLANs that have been configured for bridge priority.
(output continues: VLAN15 and VLAN1002 through VLAN1005, listing Gi5/7(fwd))
Switch#

Overview of BackboneFast

BackboneFast is a complementary technology to UplinkFast. Whereas UplinkFast is designed to quickly respond to failures on links directly connected to leaf-node switches, it does not help with indirect failures in the backbone core. BackboneFast optimizes based on the Max Age setting.
Figure 14-4 BackboneFast Before Indirect Link Failure
(figure: Switch A (Root), Switch B, and Switch C joined by links L1, L2, and L3; the blocked port is on Switch C)

Next, assume that L1 fails. Switch A and Switch B, the switches directly connected to this segment, instantly know that the link is down. The blocking interface on Switch C must enter the forwarding state for the network to recover by itself.
Figure 14-5 BackboneFast after Indirect Link Failure
(figure: L1 between Switch A (Root) and Switch B has failed; BackboneFast transitions the port on Switch C through the listening and learning states to the forwarding state)

If a new switch is introduced into a shared-medium topology as shown in Figure 14-6, BackboneFast is not activated, because the inferior BPDUs did not come from the recognized designated bridge (Switch B).
Enabling BackboneFast

Note: For BackboneFast to work, you must enable it on all switches in the network. BackboneFast is supported for use with third-party switches but it is not supported on Token Ring VLANs.

To enable BackboneFast, perform this task:

Step 1  Switch(config)# [no] spanning-tree backbonefast   Enables BackboneFast. You can use the no keyword to disable BackboneFast.
5 vlans                    0          0          0         11         11

BackboneFast statistics
-----------------------
Number of transition via backboneFast (all VLANs)   : 0
Number of inferior BPDUs received (all VLANs)       : 0
Number of RLQ request PDUs received (all VLANs)     : 0
Number of RLQ response PDUs received (all VLANs)    : 0
Number of RLQ request PDUs sent (all VLANs)         : 0
Number of RLQ response PDUs sent (all VLANs)        : 0
Switch#

This example shows how to display the total lines of the spanning tre
CHAPTER 15 Understanding and Configuring Multiple Spanning Trees

This chapter describes how to configure the IEEE 802.1s Multiple Spanning Tree (MST) protocol on the Catalyst 4500 series switch. MST is a new IEEE standard derived from Cisco's proprietary Multi-Instance Spanning-Tree Protocol (MISTP) implementation. With MST, you can map a single spanning-tree instance to several VLANs.
Overview of MST

IEEE 802.1s MST

MST extends the IEEE 802.1w rapid spanning tree (RST) algorithm to multiple spanning trees. This extension provides both rapid convergence and load balancing in a VLAN environment. MST converges faster than Per VLAN Spanning Tree Plus (PVST+) and is backward compatible with 802.1D STP, 802.1w (Rapid Spanning Tree Protocol [RSTP]), and the Cisco PVST+ architecture.
– MST switches operate as if MAC reduction is enabled.
– For private VLANs (PVLANs), you must map a secondary VLAN to the same instance as the primary.

IEEE 802.1w RSTP

RSTP, specified in 802.1w, supersedes STP specified in 802.1D, but remains compatible with STP. You configure RSTP when you configure the MST feature. For more information, see the "Configuring MST" section on page 15-9.
RSTP Port States

The port state controls the forwarding and learning processes and provides the values of discarding, learning, and forwarding. Table 15-1 shows the STP port states and RSTP port states.
To STP running in the SST region, an MST region appears as a single SST or pseudobridge, which operates as follows:
• Although the values for root identifiers and root path costs match for all BPDUs in all pseudobridges, a pseudobridge differs from a single SST bridge as follows:
  – The pseudobridge BPDUs have different bridge identifiers.
MST BPDUs contain the MST configuration ID and the checksum. An MST bridge accepts an MST BPDU only if the MST BPDU configuration ID and the checksum match its own MST region configuration ID and checksum. If either value is different, the MST BPDU is considered to be an SST BPDU.
IST Master

The IST master of an MST region is the bridge with the lowest bridge identifier and the least path cost to the CST root. If an MST bridge is the root bridge for CST, then it is the IST master of that MST region. If the CST root is outside the MST region, then one of the MST bridges at the boundary is selected as the IST master.
MST Configuration Restrictions and Guidelines

MST-to-PVST+ Interoperability

Keep these guidelines in mind when you configure MST switches (in the same region) to interact with PVST+ switches:
• Configure the root for all VLANs inside the MST region as shown in this example:

Switch# show spanning-tree mst interface gigabitethernet 1/1
GigabitEthernet1/1 of MST00 is root forwarding
Edge port: no             (trunk)        port guard : none
Link type: point-to-
Configuring MST

The following sections describe how to configure MST:
• Enabling MST, page 15-9
• Configuring MST Instance Parameters, page 15-11
• Configuring MST Instance Port Parameters, page 15-12
• Restarting Protocol Migration, page 15-12
• Displaying MST Configurations, page 15-13

Enabling MST

To enable and configure MST on a Catalyst 4006 switch with Supervisor Engine III, perform this task:

Command  Purpose
Switch(config-mst)# show current
Current MST configuration
Name      []
Revision  0
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-4094
-------------------------------------------------------------------------------
Switch(config-mst)# name cisco
Switch(config-mst)# revision 2
Switch(config-mst)# instance 1 vlan 1
Switch(config-mst)# instance 2 vlan 1-1000
Switch(config-mst)# s
Configuring MST Instance Parameters

To configure MST instance parameters, perform this task:

Step 1  Switch(config)# spanning-tree mst X priority Y                  Configures the priority for an MST instance.
Step 2  Switch(config)# spanning-tree mst X root [primary | secondary]  Configures the bridge as root for an MST instance.
Step 3  Switch(config)# Ctrl-Z                                          Exits configuration mode.
Configuring MST Instance Port Parameters

To configure MST instance port parameters, perform this task:

Step 1  Switch(config-if)# spanning-tree mst x cost y           Configures the MST instance port cost.
Step 2  Switch(config-if)# spanning-tree mst x port-priority y  Configures the MST instance port priority.
Step 3  Switch(config-if)# Ctrl-Z                               Exits configuration mode.
Displaying MST Configurations

To display MST configurations, perform this task:

Step 1  Switch# show spanning-tree mst configuration          Displays the active region configuration information.
Step 2  Switch# show spanning-tree mst [detail]               Displays detailed MST protocol information.
Step 3  Switch# show spanning-tree mst instance-id [detail]   Displays information about a specific MST instance.
Switch# show spanning-tree mst 1

###### MST01     vlans mapped:   1-10
Bridge     address 00d0.00b8.1400  priority
Root       this switch for MST01

Interface        Role Sts Cost      Prio.Nbr
---------------- ---- --- --------- --------
Fa4/4            Back BLK 1000      240.196
Fa4/5            Desg FWD 200000    128.197
Fa4/48           Boun FWD 200000    128.
FastEthernet4/48 of MST01 is boundary forwarding
Port info             port id       128.240  priority    128  cost  200000
Designated root       address 00d0.00b8.1400  priority  32769  cost       0
Designated bridge     address 00d0.00b8.1400  priority  32769  port id 128.
CHAPTER 16 Understanding and Configuring EtherChannel

This chapter describes how to use the command-line interface (CLI) to configure EtherChannel on the Catalyst 4500 series switch Layer 2 or Layer 3 interfaces. It also provides guidelines, procedures, and configuration examples.
Note: The network device to which a Catalyst 4500 series switch is connected may impose its own limits on the number of interfaces in an EtherChannel.

If a segment within an EtherChannel fails, traffic previously carried over the failed link switches to the remaining segments within the EtherChannel. Once the segment fails, an SNMP trap is sent, identifying the switch, the EtherChannel, and the failed link.
Table 16-1 EtherChannel Modes

Mode   Description
on     Mode that forces the LAN port to channel unconditionally. In the on mode, a usable EtherChannel exists only when a LAN port group in the on mode is connected to another LAN port group in the on mode. Because ports configured in the on mode do not negotiate, there is no negotiation traffic between the ports.
The protocol learns the capabilities of LAN port groups dynamically and informs the other LAN ports. Once LACP identifies correctly matched Ethernet links, it facilitates grouping the links into an EtherChannel. The EtherChannel is then added to the spanning tree as a single bridge port.
Understanding Load Balancing

EtherChannel can balance the traffic load across the links in the channel. It does this by reducing part of the binary pattern formed from the addresses or ports in the frame to a numerical value that selects one of the links in the channel.
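The link selection described above, as an added Python model that is not code from the Cisco guide. It assumes a hash that XORs the chosen address or port fields and keeps the low 3 bits (8 buckets), then reduces the bucket modulo the number of member links; the Catalyst hardware's actual hash is not given on this page. The method names follow the IOS load-balance keywords (src-mac, dst-mac, src-dst-ip and so on), and the traffic is a constructed sample that shows why the field choice matters: one source talking to many hosts stays on a single link under a source-only hash.

```python
"""Model of EtherChannel load balancing: a per-frame hash selects the member link.

Added example, not code from the Cisco guide. The hash is an assumption:
the selected address or port fields are XORed together, the low 3 bits
(8 buckets) are kept, and the bucket is reduced modulo the link count.
"""
from collections import Counter
from dataclasses import dataclass

HASH_BITS = 3     # assumed: the hash is reduced to 8 buckets
MAX_LINKS = 8     # an EtherChannel has up to 8 member links


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str = "0.0.0.0"
    dst_ip: str = "0.0.0.0"
    src_port: int = 0
    dst_port: int = 0


def _mac_bits(mac: str) -> int:
    """Cisco dotted-hex MAC ("0001.6445.4400") to a 48-bit integer."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def _ip_bits(ip: str) -> int:
    """Dotted-quad IPv4 address to a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return int.from_bytes(bytes(octets), "big")


def hash_inputs(frame: Frame, method: str) -> list:
    """The field values a given load-balance method hashes over."""
    table = {
        "src-mac": [_mac_bits(frame.src_mac)],
        "dst-mac": [_mac_bits(frame.dst_mac)],
        "src-dst-mac": [_mac_bits(frame.src_mac), _mac_bits(frame.dst_mac)],
        "src-ip": [_ip_bits(frame.src_ip)],
        "dst-ip": [_ip_bits(frame.dst_ip)],
        "src-dst-ip": [_ip_bits(frame.src_ip), _ip_bits(frame.dst_ip)],
        "src-port": [frame.src_port],
        "dst-port": [frame.dst_port],
        "src-dst-port": [frame.src_port, frame.dst_port],
    }
    if method not in table:
        raise ValueError(f"unknown load-balance method: {method}")
    return table[method]


def hash_bucket(frame: Frame, method: str) -> int:
    """XOR the selected fields and keep the low HASH_BITS bits (0..7)."""
    value = 0
    for field in hash_inputs(frame, method):
        value ^= field
    return value & ((1 << HASH_BITS) - 1)


def select_link(frame: Frame, method: str, n_links: int) -> int:
    """0-based index of the member link the frame is sent on."""
    if not 1 <= n_links <= MAX_LINKS:
        raise ValueError(f"an EtherChannel has 1 to {MAX_LINKS} links, not {n_links}")
    return hash_bucket(frame, method) % n_links


def distribution(frames, method: str, n_links: int) -> dict:
    """Frames per member link, listing links that received nothing as 0."""
    counts = Counter(select_link(f, method, n_links) for f in frames)
    return {link: counts.get(link, 0) for link in range(n_links)}


# Constructed sample traffic: one server sending to sixteen different hosts.
SAMPLE_FRAMES = [
    Frame(src_mac="0001.6445.4400", dst_mac=f"00d0.00b8.14{i:02x}",
          src_ip="10.1.1.1", dst_ip=f"10.2.0.{i}", src_port=40000 + i, dst_port=443)
    for i in range(1, 17)
]

if __name__ == "__main__":
    for method in ("src-mac", "src-dst-mac", "src-dst-ip"):
        print(f"{method:12s} over 4 links: {distribution(SAMPLE_FRAMES, method, 4)}")
```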
• After you configure an EtherChannel, any configuration that you apply to the port-channel interface affects the EtherChannel; any configuration that you apply to the physical interfaces affects only the interface where you apply the configuration.
• You cannot configure an 802.1X port in an EtherChannel.
To create a port-channel interface for a Layer 3 EtherChannel, perform this task:

Step 1  Switch(config)# interface port-channel port_channel_number   Creates the port-channel interface. The value for port_channel_number can range from 1 to 64.
Step 2  Switch(config-if)# ip address ip_address mask                Assigns an IP address and subnet mask to the EtherChannel.
Step 5  Switch(config-if)# end                                                      Exits configuration mode.
Step 6  Switch# show running-config interface port-channel port_channel_number    Verifies the configuration.
Partner's information:

          Partner    Partner          Partner   Partner
Port      Name       Device ID        Port      Group     Age   Flags   Cap.
Fa5/4     JAB031301  0050.0f10.230c   2/45
To configure Layer 2 Ethernet interfaces as Layer 2 EtherChannels, perform this task for each interface:

Step 1  Switch(config)# interface {fastethernet | gigabitethernet | tengigabitethernet} slot/port   Selects a physical interface to configure.
Switch# show interfaces fastethernet 5/6 etherchannel
Port state    = EC-Enbld Up In-Bndl Usr-Config
Channel group = 1          Mode = Desirable    Gcchange = 0
Port-channel  = Po1        GC   = 0x00010001
Port indx     = 0          Load = 0x55

Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
        A - Device is in Auto mode.        P - Device learns on physical port.
        d - PAgP is down.
Timers: H - Hello timer is running.        Q - Quit timer is running.
To configure the LACP system priority and system ID, perform this task:

Step 1  Router(config)# lacp system-priority priority_value   (Optional for LACP) Valid values are 1 through 65535. Higher numbers have lower priority. The default is 32768.
        Router(config)# no system port-priority                Reverts to the default.
Step 2  Router(config)# end                                    Exits configuration mode.
Step 2  Switch(config)# end                         Exits configuration mode.
Step 3  Switch# show etherchannel load-balance      Verifies the configuration.
Removing an EtherChannel

If you remove an EtherChannel, the member ports are shut down and removed from the channel group.

Note: You must remove an EtherChannel before changing a port from Layer 2 to Layer 3, or Layer 3 to Layer 2.

To remove an EtherChannel, perform this task:

Step 1  Switch(config)# no interface port-channel port_channel_number   Removes the port-channel interface.
CHAPTER 17 Configuring IGMP Snooping and Filtering

This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on the Catalyst 4500 series switch. It provides guidelines, procedures, and configuration examples.
In contrast to IGMPv1 and IGMPv2, IGMPv3 snooping provides immediate-leave processing by default. It provides Explicit Host Tracking (EHT) and allows network administrators to deploy SSM functionality on Layer 2 devices that truly support IGMPv3. (See Explicit Host Tracking, page 17-3.) In subnets where IGMP is configured, IGMP snooping manages multicast traffic at Layer 2.
Immediate-Leave Processing

IGMP snooping immediate-leave processing allows the switch to remove an interface from the forwarding-table entry without first sending out IGMP group-specific queries to the interface. The VLAN interface is pruned from the multicast tree for the multicast group specified in the original IGMP leave message.
To determine whether or not EHT is enabled on a VLAN, use the show ip igmp snooping vlan command.

Configuring IGMP Snooping

Note: When configuring IGMP, configure the VLAN in the VLAN database mode. (See Chapter 10, "Understanding and Configuring VLANs, VTP, and VMPS".)

IGMP snooping allows switches to examine IGMP packets and make forwarding decisions based on their content.
Enabling IGMP Snooping

To enable IGMP snooping globally, perform this task:

Step 1  Switch(config)# [no] ip igmp snooping          Enables IGMP snooping. Use the no keyword to disable IGMP snooping.
Step 2  Switch(config)# end                            Exits configuration mode.
Step 3  Switch# show ip igmp snooping | include        Verifies the configuration.
This example shows how to enable IGMP snooping on VLAN 2 and verify the configuration:

Switch# configure terminal
Switch(config)# ip igmp snooping vlan 2
Switch(config)# end
Switch# show ip igmp snooping vlan 2
Global IGMP Snooping configuration:
-----------------------------------
IGMP snooping          : Enabled
IGMPv3 snooping        : Enabled
Report suppression     : Enabled
TCN solicit query      : Disabled
TCN flood query count  : 2

Vlan 2:
--------
IG
This example shows how to configure IP IGMP snooping to learn from CGMP self-join packets:

Switch(config)# ip igmp snooping vlan 1 mrouter learn cgmp
Switch(config)# end
Switch#

Configuring a Multicast Router Port Statically

To configure a static connection to a multicast router, enter the ip igmp snooping mrouter command on the switch.
This example shows how to enable IGMP immediate-leave processing on interface VLAN 200 and to verify the configuration:

Switch(config)# ip igmp snooping vlan 200 immediate-leave
Configuring immediate leave on vlan 200
Switch(config)# end
Switch# show ip igmp interface vlan 200 | include immediate leave
Immediate leave   : Disabled
Switch(config)#

Configuring Explicit Host Tracking

For IGMPv3, EHT is enabled by default and can be
Suppressing Multicast Flooding

An IGMP snooping-enabled switch will flood multicast traffic to all ports in a VLAN when a spanning-tree Topology Change Notification (TCN) is received. Multicast flooding suppression enables a switch to stop sending such traffic. To support flooding suppression, a new interface command and two new global commands are introduced in release 12.1(11b)EW.
While in "multicast flooding mode," IP multicast traffic is delivered to all ports in the VLAN, and not restricted to those ports on which multicast group members have been detected. Starting with 12.1(11b)EW, you can manually prevent IP multicast traffic from being flooded to a switchport by using the no ip igmp snooping tcn flood command on that port. For trunk ports, the configuration will apply to all VLANs.
This example shows how to modify the switch to stop flooding multicast traffic after four queries:

Switch(config)# ip igmp snooping tcn flood query count 4
Switch(config)# end
Switch#

When a spanning tree root switch receives a topology change in an IGMP snooping-enabled VLAN, the switch issues a query solicitation that causes an IOS router to send out one or more general queries.
Displaying Querier Information

To display querier information, perform this task:

Switch# show ip igmp snooping querier [vlan vlan_ID]   Displays multicast router interfaces.

This example shows how to display the IGMP snooping querier information for all VLANs on the switch:

Switch# show ip igmp snooping querier
Vlan      IP Address      IGMP Version   Port
---------------------------------------------------
2         10.
40.40.40.5/224.10.10.10   Fa2/1   20.20.20.20   00:39:42   00:09:17
40.40.40.6/224.10.10.10   Fa2/1   20.20.20.20   00:09:47   00:09:17
Switch# clear ip igmp snooping membership vlan 20

This example shows how to display host membership for interface gi4/1:

Switch# show ip igmp snooping membership interface gi4/1
#channels: 5
#hosts : 1
Source/Group              Interface   Reporter      Uptime     Last-Join   Last-Leave
40.40.40.2/224.10.10.10   Gi4/1       20.20.20.
This example shows how to display the host types and ports of a group in VLAN 1:

Switch# show ip igmp snooping groups vlan 10 226.6.6.7
Vlan   Group       Version   Ports
---------------------------------------------------------
10     226.6.6.7   v3        Fa7/13, Fa7/14
Switch>

This example shows how to display the current state of a group with respect to a source IP address:

Switch# show ip igmp snooping groups vlan 10 226.6.6.
To display multicast router interfaces, perform this task:

Command | Purpose
Switch# show ip igmp snooping mrouter vlan vlan_ID | Displays multicast router interfaces.
This example shows how to display IGMP snooping information on VLAN 5:

Switch# show ip igmp snooping vlan 5
Global IGMP Snooping configuration:
-----------------------------------
IGMP snooping            :Enabled
IGMPv3 snooping support  :Full
Report suppression       :Enabled
TCN solicit query        :Disabled
TCN flood query count    :2

Vlan 5:
--------
IGMP snooping
Immediate leave
Explicit Host Tracking
Multicast router learning mode
CGMP interoperability
Configuring IGMP Filtering

Default IGMP Filtering Configuration

Table 17-2 shows the default IGMP filtering configuration.

Table 17-2 Default IGMP Filtering Settings
Feature | Default Setting
IGMP filters | No filtering
IGMP maximum number of IGMP groups | No limit
IGMP profiles | None defined

Configuring IGMP Profiles

To configure an IGMP profile and to enter IGMP profile configuration mode, use the ip igmp profile global configuration command.
Command | Purpose
Step 6 | Switch# show ip igmp profile profile number | Verifies the profile configuration.
Step 7 | Switch# copy running-config startup-config | (Optional) Saves your entries in the configuration file.

To delete a profile, use the no ip igmp profile profile number global configuration command.
To remove a profile from an interface, use the no ip igmp filter command.

This example shows how to apply IGMP profile 4 to an interface and to verify the configuration:

Switch# config t
Switch(config)# interface fastethernet2/12
Switch(config-if)# ip igmp filter 4
Switch(config-if)# end
Switch# show running-config interface fastethernet2/12
Building configuration...
Displaying IGMP Filtering Configuration

To remove the maximum group limitation and return to the default of no maximum, use the no ip igmp max-groups command.

This example shows how to limit the number of IGMP groups that an interface can join to 25:

Switch# config t
Switch(config)# interface fastethernet2/12
Switch(config-if)# ip igmp max-groups 25
Switch(config-if)# end
Switch# show running-config interface fastethernet2/12
Building configuration...
This is an example of the show running-config privileged EXEC command when an interface is specified with IGMP maximum groups configured and IGMP profile 4 has been applied to the interface.

Switch# show running-config interface fastethernet2/12
Building configuration...
Chapter 18 Configuring 802.1Q and Layer 2 Protocol Tunneling

Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure, often Ethernet-based, with the same security, prioritization, reliability, and manageability requirements of private networks.
Understanding 802.1Q Tunneling

A port configured to support 802.1Q tunneling is called a tunnel port. When you configure tunneling, you assign a tunnel port to a VLAN ID that is dedicated to tunneling. Each customer requires a separate Service Provider VLAN ID, but that Service Provider VLAN ID supports VLANs of all the customers. Customer traffic tagged in the normal way with appropriate VLAN IDs comes from an 802.
Figure 18-2 Original (Normal), 802.1Q, and Double-Tagged Ethernet Packet Formats
[Figure: field layout of the original Ethernet frame, the IEEE 802.1Q-tagged frame, and the double-tagged frame; the fields shown are destination address (DA), source address (SA), Length/EtherType (Len/Etype), Etype, Tag, Data, and FCS.]
Configuring 802.1Q Tunneling

These sections describe 802.1Q tunneling configuration:
• 802.1Q Tunneling Configuration Guidelines, page 18-4
• 802.1Q Tunneling and Other Features, page 18-5
• Configuring an 802.1Q Tunneling Port, page 18-6

Note By default, 802.1Q tunneling is disabled because the default switch port mode is dynamic auto. Tagging of 802.1Q native VLAN packets on all 802.
Figure 18-3 Potential Problem with 802.1Q Tunneling and Native VLANs
[Figure labels: Switch 1, Switch 3, Switch 4; Customer A VLANs 30-40, Native VLAN 40; Service provider VLANs 5-50; 802.1Q tunnel ports, Access VLAN 30, Access VLAN 40; "Packet tagged for VLAN 30", "Tag removed", "Tag not added for VLAN 40".]
• EtherChannel port groups are compatible with tunnel ports as long as the 802.1Q configuration is consistent within an EtherChannel port group.
• Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), and UniDirectional Link Detection (UDLD) are supported on 802.1Q tunnel ports.
• Dynamic Trunking Protocol (DTP) is not compatible with 802.
This example shows how to configure an interface as a tunnel port, enable tagging of native VLAN packets, and verify the configuration. In this configuration, the VLAN ID for the customer connected to Gigabit Ethernet interface 2/7 is VLAN 22.

Switch(config)# interface gigabitethernet2/7
Switch(config-if)# switchport access vlan 22
% Access VLAN does not exist.
Understanding Layer 2 Protocol Tunneling

Customer A’s Site 1 will build a spanning tree on the switches at that site without considering convergence parameters based on Customer A’s switch in Site 2. Figure 18-5 shows one possible spanning tree topology.
Configuring Layer 2 Protocol Tunneling

You can enable Layer 2 protocol tunneling (by protocol) on the access ports or tunnel ports that are connected to the customer in the edge switches of the Service Provider network. The Service Provider edge switches connected to the customer switch perform the tunneling process. Edge-switch tunnel ports are connected to customer 802.1Q trunk ports.
Layer 2 Protocol Tunneling Configuration Guidelines

These are some configuration guidelines and operating characteristics of Layer 2 protocol tunneling:
• The switch supports tunneling of CDP, STP, including multiple STP (MSTP), and VTP. Protocol tunneling is disabled by default but can be enabled for the individual protocols on 802.1Q tunnel ports or on access ports.
Command | Purpose
Step 3 | Switch(config-if)# switchport mode access or switchport mode dot1q-tunnel | Configures the interface as an access port or as an 802.1Q tunnel port.
Step 4 | Switch(config-if)# l2protocol-tunnel [cdp | stp | vtp] | Enables protocol tunneling for the desired protocol. If no keyword is entered, tunneling is enabled for all three Layer 2 protocols.
Chapter 19 Understanding and Configuring CDP

This chapter describes how to configure Cisco Discovery Protocol (CDP) on the Catalyst 4500 series switch. It also provides guidelines, procedures, and configuration examples.

This chapter includes the following major sections:
• Overview of CDP, page 19-1
• Configuring CDP, page 19-2

Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.
Configuring CDP

The following sections describe how to configure CDP:
• Enabling CDP Globally, page 19-2
• Displaying the CDP Global Configuration, page 19-2
• Enabling CDP on an Interface, page 19-3
• Displaying the CDP Interface Configuration, page 19-3
• Monitoring and Maintaining CDP, page 19-3

Enabling CDP Globally

To enable CDP globally, perform this task:

Command | Purpose
Switch(config)# [no] cdp run | Enables CDP globally.
Enabling CDP on an Interface

To enable CDP on an interface, perform this task:

Command | Purpose
Switch(config-if)# [no] cdp enable | Enables CDP on an interface. Use the no keyword to disable CDP on an interface.
Command | Purpose
Switch# show cdp entry entry_name [protocol | version] | Displays information about a specific neighbor. The display can be limited to protocol or version information.
Switch# show cdp interface [type/number] | Displays information about interfaces on which CDP is enabled.
Switch# show cdp neighbors [type/number] [detail] | Displays information about neighboring equipment.
Chapter 20 Configuring UDLD

This chapter describes how to configure the UniDirectional Link Detection (UDLD) and Unidirectional Ethernet on the Catalyst 4500 series switch. It also provides guidelines, procedures, and configuration examples.
The switch periodically transmits UDLD packets to neighbor devices on interfaces with UDLD enabled. If the packets are echoed back within a specific time frame and they are lacking a specific acknowledgment (echo), the link is flagged as unidirectional and the interface is shut down. Devices on both ends of the link must support UDLD in order for the protocol to successfully identify and disable unidirectional links.
Configuring UDLD on the Switch

Enabling UDLD Globally

To enable UDLD globally on all fiber-optic interfaces on the switch, perform this task:

Command | Purpose
Switch(config)# [no] udld enable | Enables UDLD globally on fiber-optic interfaces on the switch. Use the no keyword to globally disable UDLD on fiber-optic interfaces.

Note This command configures only fiber-optic interfaces. An individual interface configuration overrides the setting of this command.
Disabling UDLD on Fiber-Optic Interfaces

To disable UDLD on individual fiber-optic interfaces, perform this task:

Command | Purpose
Step 1 | Switch(config-if)# udld disable | Disables UDLD on a fiber-optic interface. Use the no keyword to revert to the udld enable global configuration command setting.
Step 2 | Switch# show udld interface | Verifies the configuration.

Note This command is not supported on nonfiber-optic interfaces.
Chapter 21 Configuring Unidirectional Ethernet

This chapter describes how to configure Unidirectional Ethernet on the Catalyst 4500 series switch and contains these sections:
• Overview of Unidirectional Ethernet, page 21-1
• Configuring Unidirectional Ethernet, page 21-1

Note For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.
Configuring Unidirectional Ethernet

To enable Unidirectional Ethernet, perform this task:

Command | Purpose
Step 1 | Switch(config)# interface {vlan vlan_ID | {fastethernet | gigabitethernet | tengigabitethernet} slot/interface | Port-channel number} | Selects the interface to configure.
Step 2 | Switch(config-if)# [no] unidirectional {send-only | receive-only} | Enables Unidirectional Ethernet. Use the no keyword to disable Unidirectional Ethernet.
This example shows how to disable Unidirectional Ethernet on Gigabit Ethernet interface 1/1:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chapter 22 Configuring Layer 3 Interfaces

This chapter describes the Layer 3 interfaces on a Catalyst 4500 series switch. It also provides guidelines, procedures, and configuration examples.
Overview of Layer 3 Interfaces

Logical Layer 3 VLAN Interfaces

The logical Layer 3 VLAN interfaces provide logical routing interfaces to VLANs on Layer 2 switches. A traditional network requires a physical interface from a router to a switch to perform inter-VLAN routing. The Catalyst 4500 series switch supports inter-VLAN routing by integrating the routing and bridging functions on a single Catalyst 4500 series switch.
Configuration Guidelines

A Catalyst 4500 series switch supports AppleTalk routing and IPX routing. For AppleTalk routing and IPX routing information, refer to “Configuring AppleTalk” and “Configuring Novell IPX” in the Cisco IOS AppleTalk and Novell IPX Configuration Guide at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/atipx_c/index.
This example uses the show interfaces command to display the interface IP address configuration and status of Layer 3 VLAN interface vlan 2:

Switch# show interfaces vlan 2
Vlan2 is up, line protocol is down
  Hardware is Ethernet SVI, address is 00D.588F.B604 (bia 00D.588F.B604)
  Internet address is 172.20.52.
Configuring Physical Layer 3 Interfaces

To configure physical Layer 3 interfaces, perform this task:

Command | Purpose
Step 1 | Switch(config)# ip routing | Enables IP routing. (Required only if disabled.)
Step 2 | Switch(config)# interface {{fastethernet | gigabitethernet | tengigabitethernet} slot/port | port-channel port_channel_number} | Selects an interface to configure.
Chapter 23 Configuring Cisco Express Forwarding

This chapter describes Cisco Express Forwarding (CEF) on the Catalyst 4500 series switch. It also provides guidelines, procedures, and examples to configure this feature.
Overview of CEF

CEF provides the following benefits:
• Improves performance over the caching schemes of multilayer switches, which often flush the entire cache when information changes in the routing tables.
• Provides load balancing that distributes packets across multiple links based on Layer 3 routing information. If a network device discovers multiple paths to a destination, the routing table is updated with multiple entries for that destination.
Catalyst 4500 Series Switch Implementation of CEF

Adjacency Types That Require Special Handling

In addition to adjacencies for next-hop interfaces (host-route adjacencies), other types of adjacencies are used to expedite switching when certain exception conditions exist. When the prefix is defined, prefixes requiring exception processing are cached with one of the special adjacencies listed in Table 23-1.
Figure 23-1 Logical L2/L3 Switch Components
[Figure: the Integrated Switching Engine (ASIC) contains a Logical Router with L3 logical interfaces VLAN1 and VLAN2, an L3 physical interface Gig 1/1, and L2 switchports.]

The Integrated Switching Engine performs inter-VLAN routing on logical Layer 3 interfaces with the ASIC hardware.
Figure 23-2 Hardware and Software Switching Components
[Figure: a CPU Subsystem and an Integrated Switching Engine; a Router with L3 interfaces VLAN1, VLAN2, and GRE tunnels; the L3 physical interface Gig 1/1; and L2 switchports.]

The Integrated Switching Engine performs inter-VLAN routing in hardware. The CPU subsystem software supports Layer 3 interfaces to VLANs that use Subnetwork Access Protocol (SNAP) encapsulation.
Load Balancing

The Catalyst 4500 series switch supports load balancing for routing packets in the Integrated Switching Engine hardware. Load balancing is always enabled. It works when multiple routes for the same network with different next-hop addresses are configured. These routes can be configured either statically or through a routing protocol such as OSPF or EIGRP.
Configuring CEF

Configuring Load Balancing for CEF

CEF load balancing is based on a combination of source and destination packet information; it allows you to optimize resources by distributing traffic over multiple paths for transferring data to a destination. You can configure load balancing on a per-destination basis. Load-balancing decisions are made on the outbound interface.
For more information on load sharing, refer to the Configuring Cisco Express Forwarding module of the Cisco IOS documentation at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fwitch_c/swprt1/xcfcefc.htm

Note The include-ports option does not apply to software-switched traffic on the Catalyst 4500 series switches.

Monitoring and Maintaining CEF

Viewing CEF Information

You can view the collected CEF information.
This example shows how to display IP unicast statistics for port 3/1:

Switch# show interface fastethernet 3/1 counters detail
Port      InBytes       InUcastPkts   InMcastPkts     InBcastPkts
Fa3/1     7263539133    5998222       6412307         156
Port      OutBytes      OutUcastPkts  OutMcastPkts    OutBcastPkts
Fa3/1     7560137031    5079852       12140475        38
Port      InPkts 64     OutPkts 64    InPkts 65-127   OutPkts 65-127
Fa3/1     11274         168536        7650482         12395769
Port      InPkts 128-
Chapter 24 Understanding and Configuring IP Multicast

This chapter describes IP multicast routing on the Catalyst 4500 series switch. It also provides procedures and examples to configure IP multicast routing.

Note For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm.
Overview of IP Multicast

At the other end of the IP communication spectrum is an IP broadcast, where a source host sends packets to all hosts on a network segment. The destination address of an IP broadcast packet has the host portion of the destination IP address set to all ones and the network portion set to the address of the subnet.
Figure 24-1 IP Multicast Routing Protocols
[Figure labels: Host A, Host B, Catalyst 4500 series switch, Router, Internet; IGMP and IGMP Snooping; PIM.]

Internet Group Management Protocol

IGMP messages are used by IP multicast hosts to send their local Layer 3 switch or router a request to join a specific multicast group and begin receiving multicast traffic.
IGMP Snooping and CGMP

IGMP snooping is used for multicasting in a Layer 2 switching environment. With IGMP snooping, a Layer 3 switch or router examines Layer 3 information in the IGMP packets in transit between hosts and a router. When the switch receives the IGMP Host Report from a host for a particular multicast group, the switch adds the host's port number to the associated multicast table entry.
Figure 24-2 Logical View of Layer 2 and Layer 3 Forwarding in Hardware
[Figure: the Integrated Switching Engine (ASIC) contains a Logical Router with L3 logical interfaces VLAN1 and VLAN2, an L3 physical interface Gig 1/1, and L2 switchports.]

This section contains the following subsections:
• CEF, MFIB, and Layer 2 Forwarding, page 24-5
• IP Multicast Tables, page 24-7
• Hardware and Software Forwarding, page 24-8
• Non-Reverse Path Forwarding Traffic
The Catalyst 4500 series switch performs Layer 3 routing and Layer 2 bridging at the same time. There can be multiple Layer 2 switchports on any VLAN interface. To determine the set of output switchports on which to forward a multicast packet, the Supervisor Engine III combines Layer 3 MFIB information with Layer 2 forwarding information and stores it in the hardware MET for packet replication.
If VLAN 1 contains 1/1 and 1/2, VLAN 2 contains 2/1 and 2/2, and VLAN 3 contains 3/1 and 3/2, the MET chain for this route would contain these switchports: (1/1, 1/2, 2/1, 2/2, 3/1, and 3/2). If IGMP snooping is on, the packet should not be forwarded to all output switchports on VLAN 2. The packet should be forwarded only to switchports where IGMP snooping has determined that there is either a group member or router.
Output interface lists are stored in the multicast expansion table (MET). The MET has room for up to 32,000 output interface lists. The MET resources are shared by both Layer 3 multicast routes and by Layer 2 multicast entries. The actual number of output interface lists available in hardware depends on the specific configuration.
Hardware routes occur when the Integrated Switching Engine hardware forwards all replicas of a packet. Software routes occur when the CPU subsystem software forwards all replicas of a packet. Partial routes occur when the Integrated Switching Engine forwards some of the replicas in hardware and the CPU subsystem forwards some of the replicas in software.
Figure 24-6 Redundant Multicast Router Configuration in a Stub Network
[Figure: Router A and Router B connect Network A to Network B; multicast traffic and non-RPF traffic are shown.]

In this kind of topology, only Router A, the PIM designated router (PIM DR), forwards data to the common VLAN. Router B receives the forwarded multicast traffic, but must drop this traffic because it has arrived on the wrong interface and fails the RPF check.
Multicast Forwarding Information Base

The Multicast Forwarding Information Base (MFIB) subsystem supports IP multicast routing in the Integrated Switching Engine hardware on the Catalyst 4500 series switch. The MFIB logically resides between the IP multicast routing protocols in the CPU subsystem software (PIM, IGMP, MSDP, MBGP, and DVMRP) and the platform-specific code that manages IP multicast routing in hardware.
Configuring IP Multicast Routing

Note When PIM-SM routing is in use, the MFIB route might include an interface like in this example: PimTunnel [1.2.3.4]. This is a virtual interface that the MFIB subsystem creates to indicate that packets are being tunnelled to the specified destination address. A PimTunnel interface cannot be displayed with the normal show interface command.
Default Configuration in IP Multicast Routing

Table 24-1 shows the IP multicast default configuration.
When the switch populates the multicast routing table, dense-mode interfaces are always added to the table. Sparse-mode interfaces are added to the table only when periodic join messages are received from downstream routers, or when there is a directly connected member on the interface. When forwarding from a LAN, sparse-mode operation occurs if there is an RP known for the group.
Monitoring and Maintaining IP Multicast Routing

When an interface is treated in dense mode, it is populated in a multicast routing table’s outgoing interface list when either of the following is true:
• When there are members or DVMRP neighbors on the interface
• When there are PIM neighbors and the group has not been pruned

When an interface is treated in sparse mode, it is populated in a multicast routing table’s outgoing interface list when eith
Displaying the Multicast Routing Table

The following is sample output from the show ip mroute command for a router operating in dense mode. This command displays the contents of the IP multicast FIB table for the multicast group named cbone-audio.
(*, 224.2.127.253), 00:58:18/00:02:00, RP 171.69.10.13, flags: SJC
(*, 224.1.127.255), 00:58:21/00:02:03, RP 171.69.10.13, flags: SJC
(*, 224.2.127.254), 2d16h/00:00:00, RP 171.69.10.13, flags: SJCL
(128.9.160.67/32, 224.2.127.254), 00:02:46/00:00:12, flags: CLJT
(129.48.244.217/32, 224.2.127.254), 00:02:15/00:00:40, flags: CLJT
(130.207.8.33/32, 224.2.127.254), 00:00:25/00:02:32, flags: CLJT
(131.243.2.
Group: 224.2.201.241, Source count: 36, Group pkt count: 54152
  RP-tree: 7/0/108/0
  Source: 13.242.36.83/32, 99/0/123/0
  Source: 36.29.1.3/32, 71/0/110/0
  Source: 128.9.160.96/32, 505/1/106/0
  Source: 128.32.163.170/32, 661/1/88/0
  Source: 128.115.31.26/32, 192/0/118/0
  Source: 128.146.111.45/32, 500/0/87/0
  Source: 128.183.33.134/32, 248/0/119/0
  Source: 128.195.7.62/32, 527/0/118/0
  Source: 128.223.32.
The following is sample output from the show ip mfib command.

IP Multicast Forwarding Information Base
Entry Flags: C - Directly Connected, S - Signal, IC - Internal Copy
Interface Flags: A - Accept, F - Forward, S - Signal, NP - Not platform switched
Packets: Fast/Partial/Slow  Bytes: Fast/Partial/Slow:
(171.69.10.13, 224.0.1.
Displaying PIM Statistics

The following is sample output from the show ip pim interface command:

Switch# show ip pim interface
Address         Interface    Mode    Neighbor Count   Query Interval   DR
198.92.37.6     Ethernet0    Dense   2                30               198.92.37.33
198.92.36.129   Ethernet1    Dense   2                30               198.92.36.131
10.1.37.2       Tunnel0      Dense   1                30               0.0.0.
Configuration Examples

The following sections provide IP multicast routing configuration examples:
• PIM Dense Mode Example, page 24-21
• PIM Sparse Mode Example, page 24-21
• BSR Configuration Example, page 24-21

PIM Dense Mode Example

This example is a configuration of dense-mode PIM on an Ethernet interface:

ip multicast-routing
interface ethernet 0
 ip pim dense-mode

PIM Sparse Mode Example

This example is a configurati
Chapter 25 Configuring Policy-Based Routing

This chapter describes the tasks for configuring policy-based routing (PBR) on a router and includes these major sections:
• Overview of Policy-Based Routing, page 25-1
• Policy-Based Routing Configuration Task List, page 25-3
• Policy-Based Routing Configuration Examples, page 25-5

Note For a complete description of the PBR commands in this chapter, refer to the Cisco IOS Quality of Service Solutions Command Reference at: http://www.cisco.
Overview of Policy-Based Routing

PBR allows you to perform the following tasks:
• Classify traffic based on extended access list criteria. Access lists then establish the match criteria.
• Route packets to specific traffic-engineered paths. Policies can be based on IP address, port numbers, or protocols. For a simple policy, you can use any one of these descriptors; for a complicated policy, you can use all of them.
Policy-Based Routing Configuration Task List

To configure PBR, perform the tasks described in the following sections. The task in the first section is required; the tasks in the remaining sections are optional. See the end of this chapter for the section “Policy-Based Routing Configuration Examples.
Command | Purpose
Step 3 | Switch(config-route-map)# set ip next-hop ip-address [... ip-address] | Specifies the action or actions to take on the packets that match the criteria. You can specify any or all of the following:
• Specifies the next hop for which to route the packet (the next hop must be adjacent). This behavior is identical to a next hop specified in the normal routing table.
Enabling Local PBR

Packets that are generated by the router are not normally policy-routed. To enable local PBR for such packets, indicate which route map the router should use by performing this task:

Command | Purpose
Switch(config)# ip local policy route-map map-tag | Identifies the route map to use for local PBR. All packets originating on the router will then be subject to local PBR.
Policy-Based Routing Configuration Examples

!
route-map equal-access permit 10
 match ip address 1
 set ip default next-hop 6.6.6.6
route-map equal-access permit 20
 match ip address 2
 set ip default next-hop 7.7.7.7
route-map equal-access permit 30
 set default interface null0

Note If the packets you want to drop do not match either of the first two route-map clauses, then change set default interface null0 to set interface null0.
Chapter 26 Configuring VRF-lite

Virtual Private Networks (VPNs) provide a secure way for customers to share bandwidth over an ISP backbone network. A VPN is a collection of sites sharing a common routing table. A customer site is connected to the service provider network by one or more interfaces, and the service provider associates each interface with a VPN routing table. A VPN routing table is called a VPN routing/forwarding (VRF) table.
Chapter 26 Configuring VRF-lite Understanding VRF-lite Understanding VRF-lite VRF-lite is a feature that enables a service provider to support two or more VPNs, where IP addresses can be overlapped among the VPNs. VRF-lite uses input interfaces to distinguish routes for different VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF.
Chapter 26 Configuring VRF-lite Default VRF-lite Configuration This is the packet-forwarding process in a VRF-lite CE-enabled network as shown in Figure 26-1: • When the CE receives a packet from a VPN, it looks up the routing table based on the input interface. When a route is found, the CE forwards the packet to the PE. • When the ingress PE receives a packet from the CE, it performs a VRF lookup.
Chapter 26 Configuring VRF-lite VRF-lite Configuration Guidelines VRF-lite Configuration Guidelines Consider these points when configuring VRF in your network: • A switch with VRF-lite is shared by multiple customers, and all customers have their own routing tables. • Because customers use different VRF tables, the same IP addresses can be reused. Overlapped IP addresses are allowed in different VPNs. • VRF-lite lets multiple customers share the same physical link between the PE and the CE.
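The following Python model, added here and not code from the guide or from Cisco IOS, demonstrates the forwarding process and the overlapping-address guideline above: the input interface selects the VRF table, so the same prefix in two VPNs never collides and a VRF with no matching route does not fall through to another table. The interface-to-VRF bindings follow the switch S8 example later in this chapter (Vlan118 in v12, Vlan208 in v11); the routes and the global interface Vlan10 are constructed.

```python
"""VRF-lite forwarding model: the input interface selects the VRF table, so the same
IP prefixes can be reused in different VPNs without colliding. Added example in
Python, not code from the guide or from Cisco IOS. The interface-to-VRF bindings
follow the switch S8 example on this page (Vlan118 -> v12, Vlan208 -> v11); the
routes and the global interface Vlan10 are constructed."""
import ipaddress

# "ip vrf forwarding" bindings; None means the interface is in the global table.
INTERFACE_VRF = {"Vlan118": "v12", "Vlan208": "v11", "Vlan10": None}

# Constructed per-VRF tables. 10.1.1.0/24 is deliberately present in both VPNs.
VRF_ROUTES = {
    "v12": {"10.1.1.0/24": "118.0.0.1", "0.0.0.0/0": "118.0.0.254"},
    "v11": {"10.1.1.0/24": "208.0.0.1"},
    None: {"192.0.2.0/24": "203.0.113.1"},
}


def lookup(vrf, dst):
    """Longest-prefix match within one VRF table; None when the VRF has no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in VRF_ROUTES[vrf].items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop)
    return best[1] if best else None


def forward(in_interface, dst):
    """Return (vrf, next_hop) for a packet received on in_interface, as the CE does:
    the table consulted is chosen by the input interface, never by the destination."""
    vrf = INTERFACE_VRF[in_interface]
    return (vrf, lookup(vrf, dst))
```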
Configuring VRFs

To configure one or more VRFs, perform this task:

Step 1 Command: Switch# configure terminal
       Purpose: Enters global configuration mode.
Step 2 Command: Switch(config)# ip routing
       Purpose: Enables IP routing.
Step 3 Command: Switch(config)# ip vrf vrf-name
       Purpose: Names the VRF and enters VRF configuration mode.
Step 4 Command: Switch(config-vrf)# rd route-distinguisher
       Purpose: Creates a VRF table by specifying a route distinguisher.

Configuring BGP PE to CE Routing Sessions

To configure OSPF in the VPN, perform this task:

Step 1 Command: Switch# configure terminal
       Purpose: Enters global configuration mode.
Step 2 Command: Switch(config)# router ospf process-id vrf vrf-name
       Purpose: Enables OSPF routing, specifies a VPN forwarding table, and enters router configuration mode.
Step 3 Command: Switch(config-router)# log-adjacency-changes
       Purpose: (Optional) Logs changes in the adjacency state. This is the default state.

Step 10 Command: Switch# show ip bgp [ipv4] [neighbors]
        Purpose: Verifies BGP configuration.
Step 11 Command: Switch# copy running-config startup-config
        Purpose: (Optional) Saves your entries in the configuration file.

Use the no router bgp autonomous-system-number global configuration command to delete the BGP routing process. Use the command with keywords to delete routing characteristics.
VRF-lite Configuration Example

Configuring Switch S8

On switch S8, enable routing and configure VRF.

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface Vlan118
Switch(config-if)# ip vrf forwarding v12
Switch(config-if)# ip address 118.0.0.8 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface Vlan208
Switch(config-if)# ip vrf forwarding v11
Switch(config-if)# ip address 208.0.0.8 255.255.255.

Configuring Switch S11

Configure S11 to connect to CE:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip routing
Switch(config)# interface Gigabit Ethernet 0/3
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# no ip address
Switch(config-if)# exit
Switch(config)# interface Vlan118
Switch(config-if)# ip address 118.0.0.

Router(config)# router bgp 100
Router(config-router)# address-family ipv4 vrf v2
Router(config-router-af)# neighbor 83.0.0.8 remote-as 800
Router(config-router-af)# neighbor 83.0.0.8 activate
Router(config-router-af)# network 3.3.2.0 mask 255.255.255.0
Router(config-router-af)# exit
Router(config-router)# address-family ipv4 vrf v1
Router(config-router-af)# neighbor 83.0.0.8 remote-as 800
Router(config-router-af)# neighbor 83.0.0.

Displaying VRF-lite Status
CHAPTER 27 Configuring Quality of Service

This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on a Catalyst 4500 series switch. It also describes how to specify different QoS configurations on different VLANs on a given interface (per-port per-VLAN QoS).

Overview of QoS

• Packet Modification, page 27-16
• Per Port Per VLAN QoS, page 27-16
• QoS and Software Processed Packets, page 27-16

Prioritization

QoS implementation is based on the DiffServ architecture, an emerging standard from the Internet Engineering Task Force (IETF). This architecture specifies that each packet is classified upon entry into the network.

Figure 27-1 QoS Classification Layers in Frames and Packets (figure: an encapsulated packet made of a Layer 2 header, IP header and data; a Layer 2 ISL frame with a 26-byte ISL header, the encapsulated frame and a 4-byte FCS, with 3 bits of the ISL header used for CoS; and a Layer 2 802.1Q frame)

Layer 2 802.1Q frame headers have a 2-byte Tag Control Information field that carries the CoS value in the three most significant bits, which are called the User Priority bits. Other frame types cannot carry Layer 2 CoS values. On interfaces configured as Layer 2 ISL trunks, all traffic is in ISL frames. On interfaces configured as Layer 2 802.1Q trunks, all traffic is in 802.1Q frames except for traffic in the native VLAN.

Table 27-1 IP Precedence and DSCP Values (continued) (table: columns are the 3-bit IP precedence, the 6 most-significant bits of the ToS byte, and the DSCP value; the rows for DSCP 16 through 23 fall on this page, but the bit values did not survive extraction)

• Scheduling services the four egress (transmit) queues based on the sharing and shaping configuration of the egress (transmit) port. Sharing and shaping configurations are described in the “Queueing and Scheduling” section on page 27-14.

Figure 27-2 Basic QoS Model (figure: Classification generates the DSCP; Policing compares the traffic rate to the configured policer and determines whether the packet is in profile or out of profile)

• Perform the classification based on a configured IP standard or extended ACL, which examines various fields in the IP header. If no ACL is configured, the packet is assigned the default DSCP based on the trust state of the ingress port; otherwise, the policy map specifies the DSCP to assign to the incoming frame.

Note It is not possible to classify traffic based on the markings performed by an input QoS policy.

Figure 27-3 Classification Flowchart (flowchart; first step: read the interface configuration for classification)
Classification Based on QoS ACLs

A packet can be classified for QoS using multiple match criteria, and the classification can specify whether the packet should match all of the specified match criteria or at least one of the match criteria. To define a QoS classifier, you can provide the match criteria using the match statements in a class map.

You create a class map by using the class-map global configuration command. When you enter the class-map command, the switch enters the class-map configuration mode. In this mode, you define the match criteria for the traffic by using the match class-map configuration command. You create and name a policy map by using the policy-map global configuration command. When you enter this command, the switch enters the policy-map configuration mode.

When configuring policing and policers, keep these items in mind:
• For IP packets, only the length of the IP payload (the total length field in the IP header) is used by the policer for policing computation. The Layer 2 header and trailer length are not taken into account. For example, for a 64-byte Ethernet II IP packet, only 46 bytes are taken into account for policing (64 bytes - 14 byte Ethernet header - 4 bytes Ethernet CRC).

Figure 27-4 Policing and Marking Flowchart (flowchart: is a QoS policy attached to the port? is the port QoS VLAN-based? is a QoS policy attached to the VLAN to which the packet belongs? if so, use the QoS policy on the VLAN, otherwise use the QoS policy on the port; then, while there are more QoS ACLs in the policy, does the packet match a "permit" ACE in the ACL?)

Internal DSCP Values

The following sections describe the internal DSCP values:
• Internal DSCP Sources, page 27-13
• Egress ToS and CoS Sources, page 27-13

Internal DSCP Sources

During processing, QoS represents the priority of all traffic (including non-IP traffic) with an internal DSCP value.

Mapping Tables

During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with an internal DSCP value:
• During classification, QoS uses configurable mapping tables to derive the internal DSCP (a 6-bit value) from received CoS. These maps include the CoS-to-DSCP map.

Sharing Link Bandwidth Among Transmit Queues

The four transmit queues for a transmit port share the available link bandwidth of that transmit port. You can set the link bandwidth to be shared differently among the transmit queues using the bandwidth command in interface transmit queue configuration mode. With this command, you assign the minimum guaranteed bandwidth for each transmit queue. By default, all queues are scheduled in a round robin manner.

Packet Modification

A packet is classified, policed, and queued to provide QoS. Packet modifications can occur during this process:
• For IP packets, classification involves assigning a DSCP to the packet. However, the packet is not modified at this stage; only an indication of the assigned DSCP is carried along.
Configuring Auto-QoS

The internal IP DSCP is used to determine the transmit queue to which the packet is enqueued on the transmission interface. See “Configuring Transmit Queues” on page 48 for details on how to configure the DSCP to transmit queues. The internal IP DSCP is also used to determine the transmit CoS marking if the packet is transmitted with an IEEE 802.1Q or ISL tag on a trunk interface.

interface is set to trust the CoS label received in the packet, if the interface is configured as Layer 2. (The classification is set to trust DSCP if the interface is configured as Layer 3.) When a Cisco IP phone is absent, the ingress classification is set to not trust the CoS label in the packet. For information about the trusted boundary feature, see the “Configuring a Trusted Boundary to Ensure Port Security” section on page 27-26.

• To take advantage of the auto-QoS defaults, do not configure any standard-QoS commands before entering the auto-QoS commands. If necessary, you can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed.
• You can enable auto-QoS on static, dynamic-access, voice VLAN access, and trunk ports.
• By default, the CDP is enabled on all interfaces.

This example shows how to enable auto-QoS and to trust the CoS/DSCP labels in incoming packets when the switch or router connected to Gigabit Ethernet interface 1/1 is a trusted device:

Switch(config)# interface gigabitethernet1/1
Switch(config-if)# auto qos voip trust

This example shows how to display the QoS commands that are automatically generated when auto-QoS is enabled:

Switch# debug auto qos
AutoQoS debugging is on
Switch# configure

Auto-QoS Configuration Example

This section describes how you could implement auto-QoS in a network, as shown in Figure 27-5.

To configure the switch at the edge of the QoS domain to prioritize the VoIP traffic over all other traffic, perform this task:

Step 1 Command: Switch# debug auto qos
       Purpose: Enables debugging for auto-QoS. When debugging is enabled, the switch displays the QoS configuration that is automatically generated when auto-QoS is enabled.
Step 2 Command: Switch# configure terminal
       Purpose: Enters global configuration mode.
Configuring QoS

Before configuring QoS, you must have a thorough understanding of these items:
• The types of applications used and the traffic patterns on your network.
• Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve bandwidth for voice and video streams?
• Bandwidth requirements and speed of the network.
• Location of congestion points in the network.

Table 27-3 QoS Default Configuration (continued)

Feature                                      Default Value
CoS to DSCP map (DSCP set from CoS values)   CoS 0 = DSCP 0
                                             CoS 1 = DSCP 8
                                             CoS 2 = DSCP 16
                                             CoS 3 = DSCP 24
                                             CoS 4 = DSCP 32
                                             CoS 5 = DSCP 40
                                             CoS 6 = DSCP 48
                                             CoS 7 = DSCP 56
DSCP to CoS map (CoS set from DSCP values)   DSCP 0–7 = CoS 0
                                             DSCP 8–15 = CoS 1
                                             DSCP 16–23 = CoS 2
                                             DSCP 24–31 = CoS 3
                                             DSCP 32–39 = CoS 4
                                             DSCP 40–47 = CoS 5
                                             DSCP 48–55 = CoS 6
                                             DSCP 56–63 = CoS 7
Marked-down
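The following Python model, added here and not code from the guide or from Cisco IOS, ties together the 802.1Q User Priority bits, the port trust state and the Table 27-3 default maps: it derives the internal DSCP for tagged, untagged, IP and non-IP packets on trusted and untrusted ports, and writes the egress CoS back into a trunk tag. The Port/Packet records and the treatment of a non-IP packet on a trust-dscp port (sent through the CoS path) are assumptions.

```python
"""Ingress classification model for the trust states and default mapping tables
described on this page (Table 27-3). Added illustration in Python; it is not the
switch's implementation. The Port/Packet records and the handling of a non-IP
packet on a trust-dscp port (falls back to the CoS path) are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Table 27-3 defaults: CoS n -> DSCP 8n, and DSCP d -> CoS d // 8.
COS_TO_DSCP = {cos: cos * 8 for cos in range(8)}
DSCP_TO_COS = {dscp: dscp // 8 for dscp in range(64)}


def cos_from_tci(tci: int) -> int:
    """802.1Q Tag Control Information: CoS is the three most significant bits
    (the User Priority bits) of the 16-bit field; the low 12 bits are the VLAN ID."""
    return (tci >> 13) & 0x7


def dscp_from_tos(tos: int) -> int:
    """DSCP is the six most significant bits of the IP ToS byte."""
    return (tos >> 2) & 0x3F


@dataclass
class Port:
    trust: str             # "cos", "dscp" or "untrusted"
    default_cos: int = 0   # "qos cos" value applied to untagged/untrusted frames
    default_dscp: int = 0  # "qos dscp" value used when the port is untrusted


@dataclass
class Packet:
    tci: Optional[int]     # None for an untagged frame (e.g. native VLAN on a trunk)
    tos: Optional[int]     # None for a non-IP packet


def internal_dscp(port: Port, pkt: Packet) -> int:
    """Derive the internal DSCP that carries the packet's priority through the switch."""
    if port.trust == "untrusted":
        # Received markings are ignored; the port's default DSCP applies.
        return port.default_dscp
    if port.trust == "dscp" and pkt.tos is not None:
        return dscp_from_tos(pkt.tos)
    # trust cos, or trust dscp on a non-IP packet (assumption): use the CoS-to-DSCP map.
    # Untagged frames on a trusted port get the interface CoS value.
    cos = cos_from_tci(pkt.tci) if pkt.tci is not None else port.default_cos
    return COS_TO_DSCP[cos]


def egress_tci(vlan_id: int, dscp: int) -> int:
    """TCI written on a trunk: CoS from the DSCP-to-CoS map, VLAN ID in the low 12 bits."""
    return (DSCP_TO_COS[dscp] << 13) | (vlan_id & 0xFFF)
```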
Configuration Guidelines

Before beginning the QoS configuration, you should be aware of this information:

Note
• If you have EtherChannel ports configured on your switch, you must configure QoS classification and policing on the EtherChannel. The transmit queue configuration must be configured on the individual physical ports that comprise the EtherChannel.

Configuring a Trusted Boundary to Ensure Port Security

In a typical network, you connect a Cisco IP phone to a switch port as discussed in Chapter 28, “Configuring Voice Interfaces.” Traffic sent from the telephone to the switch is typically marked with a tag that uses the 802.1Q header. The header contains the VLAN information and the class of service (CoS) 3-bit field, which determines the priority of the packet.

Enabling Dynamic Buffer Limiting

To enable DBL globally on the switch, perform this task:

Step 1 Command: Switch(config)# qos dbl
       Purpose: Enables DBL on the switch.
Step 2 Command: Switch(config)# end
       Purpose: Exits configuration mode.
Step 3 Command: Switch# show qos dbl
       Purpose: Verifies the configuration.

Use the no qos dbl command to disable AQM.

In effect, if you apply a single aggregate policer to ports and VLANs in different directions, then you have created the equivalent of four aggregate policers: one for all ports sharing the policer in the input direction, one for all ports sharing the policer in the output direction, one for all VLANs sharing the policer in the input direction, and one for all VLANs sharing the policer in the output direction.

This example shows how to create a named aggregate policer with a 10 Mbps rate limit and a 1-MB burst size that transmits conforming traffic and marks down out-of-profile traffic.

• policy-map—Enter the policy-map command to define the following for each class of traffic:
  – Internal DSCP source
  – Aggregate or individual policing and marking
• service-policy—Enter the service-policy command to attach a policy map to an interface.

Note Any input or output policy that uses a class map with the match ip precedence or match ip dscp class-map commands requires that the port on which the packet is received be configured to trust DSCP. If the incoming port trust state is not set to trust dscp, the IP packet DSCP/IP-precedence is not used for matching the traffic; instead, the receiving port’s default DSCP is used.

Creating a Policy Map

To create a policy map, perform this task:

Command: Switch(config)# [no] policy-map policy_name
Purpose: Creates a policy map with a user-specified name. Use the no keyword to delete the policy map.

When configuring the policy-map class DBL state, note the following:
• Any class that uses a named aggregate policer must have the same DBL configuration to work.

• The valid range of values for the burst parameter is as follows:
  – Minimum—1 kilobyte
  – Maximum—512 megabytes
• Bursts can be entered in bytes, or you can use the following abbreviation:
  – k to denote 1000 bytes
  – m to denote 1000000 bytes
  – g to denote 1000000000 bytes

Note You can also use a decimal point. For example, a burst of 1,100,000 bytes can be entered as 1.1m.
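The following Python model, added here and not the switch's implementation, pulls together three points made about policing on this page: the burst value syntax (k/m/g suffixes, decimal point, 1 kilobyte to 512 megabyte range), the rule that only the IP length counts toward the policer (64-byte frame, 46 bytes policed), and the policed-DSCP markdown taken on exceed. It treats k as 1000 bytes for the range check (an assumption) and uses a constructed markdown map, since the page only gives the single mapping 53 to 0.

```python
"""Single-rate policer model for the police command on this page: burst values with
k/m/g suffixes and a decimal point, the 1 kilobyte to 512 megabyte range, IP-length-only
accounting, and policed-DSCP markdown on exceed. Added illustration in Python, not the
switch's implementation. k is taken as 1000 bytes for the range check (assumption) and
the markdown map is constructed (the page only shows 53 -> 0)."""
import re

BURST_MIN, BURST_MAX = 1_000, 512_000_000
_SUFFIX = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}

# Constructed policed-DSCP map; DSCPs not listed keep their value.
POLICED_DSCP_MAP = {46: 0, 53: 0}


def parse_burst(text: str) -> int:
    """'9000', '16k', '1.1m', '512m' -> bytes; rejects values outside the valid range."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmg]?)", text.strip().lower())
    if not m:
        raise ValueError(f"malformed burst value: {text!r}")
    value = int(round(float(m.group(1)) * _SUFFIX[m.group(2)]))
    if not BURST_MIN <= value <= BURST_MAX:
        raise ValueError(f"burst {value} bytes outside {BURST_MIN}..{BURST_MAX}")
    return value


def policed_length(frame_len: int) -> int:
    """Ethernet II IP frame: the policer counts only the IP packet, i.e. the frame
    minus the 14-byte Ethernet header and 4-byte CRC (64-byte frame -> 46 bytes)."""
    return frame_len - 14 - 4


class Policer:
    """Token bucket: 'rate' tokens (bytes) per second, at most 'burst' tokens stored."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps / 8.0
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last_t = 0.0

    def police(self, t: float, length: int, dscp: int):
        self.tokens = min(self.burst, self.tokens + self.rate * (t - self.last_t))
        self.last_t = t
        if self.tokens >= length:
            self.tokens -= length
            return ("transmit", dscp)      # conform-action transmit
        # exceed-action policed-dscp-transmit: mark down via the policed-DSCP map
        return ("policed-dscp-transmit", POLICED_DSCP_MAP.get(dscp, dscp))


def run_policer(rate_bps: int, burst: str, packets):
    """packets: iterable of (time_s, ethernet_frame_len, dscp); returns the action per packet."""
    p = Policer(rate_bps, parse_burst(burst))
    return [p.police(t, policed_length(frame_len), dscp) for t, frame_len, dscp in packets]


# Constructed traffic: ten 1018-byte frames at once (1000 bytes of IP each), one more 40 ms later.
# With a 9000-byte burst, nine conform because only 9 x 1000 bytes are counted, not 9 x 1018.
SAMPLE = [(0.0, 1018, 46)] * 10 + [(0.04, 1018, 46)]
```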
This example shows how to verify the configuration:

Switch# show policy-map ipp5-policy
show policy ipp5-policy
Policy Map ipp5-policy
 class ipp5
  set ip precedence 6
  dbl
  police 2000000000 2000000 conform-action transmit exceed-action policed-dscp-transmit
Switch#

Attaching a Policy Map to an Interface

To attach a policy map to an interface, perform this task:

Step 1 Command: Switch(config)# interface {vlan vlan_ID | {fastethernet | gigabi

Configuring User Based Rate Limiting

User Based Rate Limiting (UBRL) adopts microflow policing capability to dynamically learn traffic flows and rate limit each unique flow to an individual rate. UBRL is available on Supervisor Engine V-10GE with the built-in NetFlow support. UBRL can be applied to ingress traffic on routed interfaces with source or destination flow masks. It can support up to 85,000 individual flows and 511 rates.

Switch# show class-map c1
Class Map match-all c1 (id 2)
  Match flow ip source-address

Example 2

This example shows how to create a flow-based class map associated with a destination address:

Switch(config)# class-map match-all c1
Switch(config-cmap)# match flow ip destination-address
Switch(config-cmap)# end
Switch#
Switch# show class-map c1
Class Map match-all c1 (id 2)
  Match flow ip destination-address

Example 3

Assume there are two active flows

Example 4

Assume there are two active flows on the Fast Ethernet interface 6/1 with destination addresses of 192.168.20.20 and 192.168.20.21. The following example shows how to maintain each flow to 1 Mbps with an allowed burst value of 9000 bytes:

Switch# conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# policy-map p1
Switch(config-pmap)# class c1
Switch(config-pmap-c)# police 1000000 9000
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface fastEthernet 6/1
Switch(config-if)# service-policy input p1
Switch(config-if)# end
Switch# write memory
Switch# show policy-map interface FastEthernet6/1
class-map c1
  match flow ip source-address ip destination-address ip protocol l4 source-port l4 destination-port
!
p

You can configure hierarchical policers with the service-policy policy-map config command. A policy map is termed flow based if the class map it uses matches any of the flow-based match criteria (such as match flow ip source-address). Each child policy map inherits all the match access-group commands of the parent.

Note You can configure only flow-based policy maps as child policy maps. A parent policy map cannot be a flow-based policy map.

The following example shows how to verify the configuration:

Switch# show policy-map flow-policy
Policy Map flow-policy
  Class flow-class
    police 2000000 bps 10000 byte conform-action transmit exceed-action drop
Switch# show policy-map aggregate-policy
Policy Map aggregate-policy
  Class aggregate-class
    police 50000000 bps 40000 byte conform-action transmit exceed-action drop
    service-policy flow-policy
Switch# show policy-map interface FastEthernet6/1
Step 5 Command: Switch(config-if)# end
       Purpose: Exits interface configuration mode.
Step 6 Command: Switch# show policy-map interface interface_name
       Purpose: Verifies the configuration.

Example 1

Figure 27-6 displays a sample topology for configuring PVQoS. The trunk port gi3/1 carries multiple VLANs (101 and 102). Within a port, you can create your own service policy per VLAN.

 Police 100m 16k conform transmit exceed drop
Interface Gigabit 3/1
 Switchport
 Switchport trunk encapsulation dot1q
 Switchport trunk allowed vlan 101-102
 Vlan range 101
  Service-policy input P31_QoS
  Service-policy output P31_QoS
 Vlan range 102
  Service-policy input P32_QoS
  Service-policy output P32_QoS

Example 2

Let us assume that interface Gigabit Ethernet 6/1 is a trunk port and belongs to VLANs 20, 300-301, and 400.

    Class-map: class-default (match-any)
      0 packets
      Match: any
        0 packets
      police: Per-interface
        Conform: 0 bytes Exceed: 0 bytes
GigabitEthernet6/1 vlan 300
  Service-policy output: p2
    Class-map: class-default (match-any)
      0 packets
      Match: any
        0 packets
      police: Per-interface
        Conform: 0 bytes Exceed: 0 bytes
GigabitEthernet6/1 vlan 301
  Service-policy output: p2
    Class-map: class-default (match-any)
      0 packets
      Match: any
        0 packets
      police: Per-interface
        Conform

This example shows how to disable QoS on interface VLAN 5:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface vlan 5
Switch(config-if)# no qos
Switch(config-if)# end
Switch#

This example shows how to verify the configuration:

Switch# show qos | begin QoS is disabled
QoS is disabled on the following interfaces:
Vl5
<...Output Truncated...

This example shows how to verify the configuration:

Switch# show qos | begin QoS is vlan-based
QoS is vlan-based on the following interfaces:
Fa5/42
Switch#

Note When a Layer 2 interface is configured with VLAN-based QoS, and a packet is received on the port for a VLAN on which there is no QoS policy, then the QoS policy attached to the port, if any, is used. This applies to both input and output QoS policies.
Configuring the CoS Value for an Interface

QoS assigns the CoS value specified with this command to untagged frames from ingress interfaces configured as trusted and to all frames from ingress interfaces configured as untrusted.

This example shows how to configure the DSCP 5 as the default on Fast Ethernet interface 5/24:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet 5/24
Switch(config-if)# qos dscp 5
Switch(config-if)# end
Switch#

Step 2 Command: Switch(config)# end
       Purpose: Exits configuration mode.
Step 3 Command: Switch# show qos maps dscp tx-queues
       Purpose: Verifies the configuration.

This example shows how to map DSCP values to transmit queue 2.

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# qos map dscp 50 to tx-queue 2
Switch(config)# end
Switch#

This example shows how to verify the configuration.

This example shows how to configure the bandwidth of 1 Mbps on transmit queue 2.

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

This example shows how to configure transmit queue 3 to high priority.

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet 1/1
Switch(config-if)# tx-queue 3
Switch(config-if-tx-queue)# priority high
Switch(config-if)# end
Switch#

Configuring DSCP Maps

The following sections describe how to configure the DSCP maps.

This example shows how to modify and display the CoS-to-DSCP map:

Switch# configure terminal
Switch(config)# qos map cos 0 to dscp 20
Switch(config)# end
Switch# show qos maps cos dscp
CoS-DSCP Mapping Table:
CoS:   0   1   2   3   4   5   6   7
--------------------------------
DSCP: 20   8  16  24  32  40  48  56
Switch(config)#

Configuring the Policed-DSCP Map

You use the policed-DSCP map to mark down a DSCP value to a new value as the result of a policing and marking a

Note In the above policed-DSCP map, the marked-down DSCP values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the original DSCP. The intersection of the d1 and d2 values provides the marked-down value. For example, an original DSCP value of 53 corresponds to a marked-down DSCP value of 0.

Dscp-cos map:
     d1 : d2  0  1  2  3  4  5  6  7  8  9
     ---------------------------------------
      0 :    00 00 00 00 00 00 00 00 00 01
      1 :    01 01 01 01 01 01 00 02 02 02
      2 :    02 02 02 02 00 03 03 03 03 03
      3 :    03 03 00 04 04 04 04 04 04 04
      4 :    00 05 05 05 05 05 05 05 00 06
      5 :    00 06 06 06 06 06 07 07 07 07
      6 :    07 07 07 07

Note In the above DSCP-to-CoS map, the CoS values are shown in the body of the matrix.
CHAPTER 28 Configuring Voice Interfaces

This chapter describes how to configure voice interfaces for the Catalyst 4500 series switches.

Figure 28-1 Cisco 7960 IP Phone Connected to a Catalyst 4500 Series Switch (figure: IP phone, PC and Catalyst 4500 series switch)

Configuring a Port to Connect to a Cisco 7960 IP Phone

Because a Cisco 7960 IP phone also supports connection to a PC or another device, an interface connecting a Catalyst 4500 series switch to a Cisco 7960 IP phone can carry a mix of voice and data traffic.

Configuring Voice Ports for Voice and Data Traffic

To configure a port to receive voice and data traffic from a Cisco IP Phone on different VLANs, perform this task:

Step 1 Command: Switch# configure terminal
       Purpose: Enters configuration mode.
Step 2 Command: Switch(config)# interface {fastethernet | gigabitethernet} slot/port
       Purpose: Specifies the interface to configure.
Step 3 Command: Switch(config-if)# switchport mode access
       Purpose: Configures the interface as an access port.

Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Switch#

Overriding the CoS Priority of Incoming Frames

A PC or another data device can connect to a Cisco 7960 IP phone port. The PC can generate packets with an assigned CoS value.
CHAPTER 29 Understanding and Configuring 802.1X Port-Based Authentication

This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized client devices from gaining access to the network. This chapter includes the following major sections:
• Understanding 802.1X Port-Based Authentication, page 29-1
• How to Configure 802.1X, page 29-13
• Displaying 802.

Understanding 802.1X Port-Based Authentication

• Authentication Initiation and Message Exchange, page 29-3
• Ports in Authorized and Unauthorized States, page 29-4
• Using 802.1X with VLAN Assignment, page 29-5
• Using 802.1X Authentication for Guest VLANs, page 29-6
• Using 802.1X with Authentication Failed VLAN Assignment, page 29-7
• Using 802.1X with Port Security, page 29-8
• Using 802.

support EAP within the native frame format. When the switch receives frames from the authentication server, the server’s frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client. Cisco devices that are capable of functioning as an 802.
Chapter 29 Understanding and Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication • auto—Enables 802.1X authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received.
Chapter 29 Understanding and Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication • If a guest VLAN is configured to handle non-responsive hosts, the type of VLAN configured as the guest VLAN must match the port type (that is, guest VLANs configured on access ports must be standard VLANs, and guest VLANs configured on private-VLAN host ports must be PVLANs.
Chapter 29 Understanding and Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication Usage Guidelines for Using 802.1X Authentication with Guest VLANs on Windows-XP Hosts The usage guidelines for using 802.1X authentication with guest VLANs on Windows-XP hosts are as follows: • If the host fails to respond to the authenticator, the port attempts to connect three times (with a 30 second timeout between each attempt).
Chapter 29 Understanding and Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication • EAP failure messages are not sent to the user. If the user failures authentication the port is moved to an authentication-failed VLAN and a EAP success message is sent to the user. Because the user is not notified of the authentication failure there may be confusion as to why there is restricted access to the network.
These examples describe the interaction between 802.1X and port security on the switch:
• When a client is authenticated, and the port security table is not full, the client’s MAC address is added to the port security list of secure hosts. The port then proceeds to come up normally.
Note The supplicant on the port detects that its session has been terminated and attempts to initiate a new session. Unless the authentication server treats this new session differently, the client may see only a brief interruption in network connectivity as the switch sets up a new session.
article at the URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0703.asp, and set the SupplicantMode registry to 3 and the AuthMode registry to 1. The client uses EAP to authenticate itself with the RADIUS server. The switch relays EAP packets between the client and the RADIUS server.
Because RADIUS uses the unreliable transport protocol UDP, accounting messages may be lost due to poor network conditions.
• When 802.1X is configured on a port, you cannot connect multiple IP phones to a Catalyst 4500 series switch through a hub.
• Because voice VLANs cannot be configured as private VLAN host ports, and because only private VLANs can be assigned to private VLAN host ports, VLAN assignment cannot assign a private VLAN to a port with a voice VLAN configured.
Supported Topologies
The 802.
• Configuring RADIUS-Provided Session Timeouts, page 29-19 (optional)
• Configuring 802.1X with Guest VLANs, page 29-20 (optional)
• Configuring 802.1X with Authentication Failed VLAN Assignment, page 29-22 (optional)
• Configuring 802.
Table 29-1 Default 802.1X Configuration (continued)
Feature: Client timeout period
Default Setting: 30 sec
Description: When relaying a request from the authentication server to the client, the amount of time that the switch waits for a response before retransmitting the request to the client.
Enabling 802.1X Authentication
To enable 802.1X port-based authentication, you first must enable 802.1X globally on your switch, then enable AAA and specify the authentication method list. A method list describes the sequence and authentication methods that must be queried to authenticate a user.
Step 10  Switch# show running-config
         Verifies your entries.
Step 11  Switch# copy running-config startup-config
         (Optional) Saves your entries in the configuration file.
To disable AAA, use the no aaa new-model global configuration command. To disable 802.1X AAA authentication, use the no aaa authentication dot1x {default | list-name} method1 [method2...] global configuration command.
To configure the RADIUS server parameters on the switch, perform this task:
Step 1  Switch# configure terminal
        Enters global configuration mode.
Step 2  Switch(config)# radius-server host {hostname | ip-address} auth-port port-number [acct-port port-number] key string
        Configures the RADIUS server parameters on the switch.
Refer to the following Cisco IOS security documentation for information on how to configure AAA system accounting:
• http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm
• http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/index.
Step 3  Switch(config)# clock timezone PST -8
        Sets the time zone for the accounting event-time stamp field.
Step 4  Switch(config)# clock calendar-valid
        Enables the date for the accounting event-time stamp field.
Note When a port is put into a guest VLAN, it is automatically placed into multihost mode, and an unlimited number of hosts can connect through the port. Changing the multihost configuration does not affect a port in a guest VLAN. Except for an RSPAN VLAN or a voice VLAN, you can configure any active VLAN as an 802.1X guest VLAN.
To enable the optional guest VLAN behavior and to configure a guest VLAN, perform this task:
Step 1  Switch# configure terminal
        Enters global configuration mode.
Step 2  Switch(config)# dot1x guest-vlan supplicant
        Enables the optional guest VLAN behavior globally on the switch.
To configure 802.1X with authentication-failed VLAN assignment, follow these steps:
Step 1  Switch# configure terminal
        Enters global configuration mode.
Step 2  Switch(config)# interface interface-id
        Enters interface configuration mode and specifies the interface to be enabled for 802.1X authentication.
Configuring 802.1X with Voice VLAN
To enable 802.1X with the voice VLAN feature, perform this task:
Step 1  Switch# configure terminal
        Enters global configuration mode.
Step 2  Switch(config)# interface interface-id
        Enters interface configuration mode.
Step 3  Switch(config-if)# switchport access vlan vlan-id
        Sets the VLAN for a switched interface in access mode.
Step 3  Switch(config-if)# dot1x re-authentication
        Enables periodic reauthentication of the client, which is disabled by default.
Step 4  Switch(config)# dot1x timeout reauth-period {seconds | server}
        Specifies the number of seconds between reauthentication attempts, or has the switch use a RADIUS-provided session timeout. The range is 1 to 65,535; the default is 3600 seconds.
Step 3  Switch(config)# dot1x timeout quiet-period seconds
        Sets the number of seconds that the switch remains in the quiet period following a failed authentication exchange with the client. The range is 0 to 65,535 seconds; the default is 60.
Step 4  Switch(config)# end
        Returns to privileged EXEC mode.
Step 5  Switch# show dot1x all
        Verifies your entries.
Setting the Switch-to-Client Frame-Retransmission Number
In addition to changing the switch-to-client retransmission times, you can change the number of times that the switch sends EAP-Request/Identity and other EAP-Request frames to the client before restarting the authentication process.
To allow multiple hosts (clients) on an 802.1X-authorized port that has the dot1x port-control interface configuration command set to auto, perform this task:
Step 1  Switch# configure terminal
        Enters global configuration mode.
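The port behaviour this chapter describes in pieces (a port in auto mode starting unauthorized, the three unanswered identity requests that lead to the guest VLAN, the authentication-failed VLAN, the quiet period and the reauthentication timer) can be tied together in one small state model. The following is an added example written for this page, not Cisco code; the 30-second client timeout, 60-second quiet period, 3600-second reauthentication period and the three attempts are the values stated in the chapter, while the state names, the event interface and the VLAN numbers are a constructed simplification.

```python
"""Toy model of the authenticator-side 802.1X port behaviour described in
this chapter for a port in 'auto' mode.  Added example, not Cisco code.
Timer defaults and the three identity-request attempts come from the
chapter; state names and the event interface are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union


@dataclass
class Dot1xPort:
    access_vlan: int
    guest_vlan: Optional[int] = None       # guest VLAN for non-responsive hosts (optional)
    auth_fail_vlan: Optional[int] = None   # authentication-failed VLAN (optional)
    client_timeout: int = 30               # seconds to wait for the client (default 30)
    quiet_period: int = 60                 # dot1x timeout quiet-period default
    reauth_period: int = 3600              # dot1x timeout reauth-period default
    max_requests: int = 3                  # identity requests before giving up
    state: str = "down"
    vlan: Optional[int] = None
    requests_sent: int = 0
    timer: int = 0                         # seconds left on the pending timer
    events: List[str] = field(default_factory=list)

    def link_up(self) -> None:
        """Link transition down->up restarts authentication; only EAPOL passes."""
        self.state, self.vlan, self.requests_sent = "unauthorized", None, 0
        self._send_identity_request()

    def _send_identity_request(self) -> None:
        self.requests_sent += 1
        self.timer = self.client_timeout
        self.events.append(f"EAP-Request/Identity #{self.requests_sent}")

    def timer_expired(self) -> None:
        """Pending timer ran out without a supplicant response or reauth result."""
        if self.state == "unauthorized":
            if self.requests_sent < self.max_requests:
                self._send_identity_request()            # retry the request
            elif self.guest_vlan is not None:
                self.state, self.vlan = "guest", self.guest_vlan
                self.events.append(f"no response, guest VLAN {self.vlan}")
            else:
                self.link_up()                           # no guest VLAN: start over
        elif self.state == "held":
            self.link_up()                               # quiet period is over
        elif self.state == "authorized":
            self.state = "reauthenticating"              # VLAN is kept meanwhile
            self.timer = self.client_timeout
            self.events.append("periodic reauthentication started")

    def eap_result(self, success: bool, assigned_vlan: Optional[int] = None) -> None:
        """Verdict relayed from the RADIUS server at the end of the EAP exchange."""
        if success:
            self.state = "authorized"
            self.vlan = self.access_vlan if assigned_vlan is None else assigned_vlan
            self.timer = self.reauth_period
            self.events.append(f"EAP success, authorized in VLAN {self.vlan}")
        elif self.auth_fail_vlan is not None:
            self.state, self.vlan = "auth-failed", self.auth_fail_vlan
            self.timer = self.reauth_period
            self.events.append(f"EAP failure, auth-fail VLAN {self.vlan}")
        else:
            self.state, self.vlan, self.timer = "held", None, self.quiet_period
            self.events.append(f"EAP failure, quiet period {self.quiet_period} s")


Event = Union[str, Tuple[str, int]]   # "timeout", "fail", "ok" or ("ok", vlan)


def simulate(port: Dot1xPort, script: List[Event]) -> Tuple[str, Optional[int]]:
    """Bring the link up, replay the events in order and return (state, vlan)."""
    port.link_up()
    for ev in script:
        if ev == "timeout":
            port.timer_expired()
        elif ev == "fail":
            port.eap_result(False)
        elif ev == "ok":
            port.eap_result(True)
        else:
            port.eap_result(True, assigned_vlan=ev[1])
    return port.state, port.vlan


if __name__ == "__main__":
    silent = Dot1xPort(access_vlan=10, guest_vlan=99)
    print(simulate(silent, ["timeout", "timeout", "timeout"]), silent.events)
```

The three-timeout script reproduces the Windows-XP guideline above: a host that never answers is moved to the guest VLAN only after the third identity request times out, and a host that answers but fails lands in the authentication-failed VLAN when one is configured, otherwise the port holds for the quiet period and starts again.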
Chapter 30 Configuring Port Security and Trunk Port Security
This chapter describes how to configure port security and trunk port security on the Catalyst 4500 series switch. It provides guidelines, procedures, and configuration examples.
Note For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.
Note
• You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.
• You can configure a number of addresses and allow the rest to be dynamically configured. If the port’s link goes down, all dynamically secured addresses are no longer secure.
• You can configure MAC addresses to be sticky.
You can also customize the time to recover from the specified error disable cause (default is 300 seconds) by entering the errdisable recovery interval interval command.
Port mode changes
Generally, when a port mode changes, all dynamic addresses associated with that port are removed.
• A secure port and static MAC address configuration for an interface are mutually exclusive.
• Port security cannot be enabled on dynamic access ports.
• Port security cannot be enabled on EtherChannels.
Step 5 (continued)  Switch(config-if)# switchport port-security violation {restrict | shutdown}
        (Optional) Sets the violation mode, the action to be taken when a security violation is detected, as one of these:
        • restrict—A port security violation restricts data and causes the SecurityViolation counter to increment and send an SNMP trap notification.
• To return the violation mode to the default condition (shutdown mode), use the no switchport port-security violation {restrict | shutdown} command.
• To disable sticky learning on an interface, use the no switchport port-security mac-address sticky command. The interface converts the sticky secure MAC addresses to dynamic secure addresses.
Vlan  Mac Address     Type          Ports  Remaining Age (mins)
----  --------------  ------------  -----  --------------------
1     0000.0000.0001  SecureSticky  Fa5/1
1     0000.0000.0002  SecureSticky  Fa5/1
1     0000.0000.
You can configure various port security related parameters on a per-port per-VLAN basis. To configure port security related parameters on a per-VLAN per-port basis, perform this task:
Step 1  Switch(config)# interface interface_id
        Enters interface configuration mode and specifies the physical interface to configure.
Switch# show port-security interface g1/1 address vlan 2-4
Secure Mac Address Table
Vlan  Mac Address     Type              Ports  Remaining Age (mins)
----  --------------  ----------------  -----  --------------------
2     0001.0001.0001  SecureConfigured  Gi1/1
2     0001.0001.0002  SecureSticky      Gi1/1
2     0001.0001.0003  SecureSticky      Gi1/1
3     0001.0001.0001  SecureConfigured  Gi1/1
3     0001.0001.
To configure port security aging, perform this task:
Step 1  Switch(config)# interface interface_id
        Enters interface configuration mode for the port on which you want to enable port security aging.
Step 2  Switch(config-if)# switchport port-security [aging {static | time aging_time | type {absolute | inactivity}}]
        Sets the aging time for the secure port.
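The port security mechanics spread over this chapter (the secure address table with its maximum, the restrict and shutdown violation modes, loss of dynamic addresses on link down, conversion of sticky addresses when sticky learning is disabled, and absolute or inactivity aging) are modelled together below. This is an added example written for this page, not Cisco code; the MAC addresses and timings are constructed, and for simplicity sticky entries are treated like configured entries for aging purposes, which is an assumption of the model rather than a statement about the switch.

```python
"""Toy model of the port security behaviour described in this chapter.
Added example, not Cisco code; MAC addresses and timings are constructed,
and the aging treatment of sticky entries is an assumption of the model.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SecureMac:
    mac: str
    kind: str            # "SecureConfigured", "SecureSticky" or "SecureDynamic"
    learned_at: int      # minutes
    last_seen: int


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                     # switchport port-security maximum
    violation: str = "shutdown"          # or "restrict"
    sticky: bool = False                 # switchport port-security mac-address sticky
    aging_time: int = 0                  # minutes; 0 disables aging
    aging_type: str = "absolute"         # or "inactivity"
    age_static: bool = False             # switchport port-security aging static
    table: Dict[str, SecureMac] = field(default_factory=dict)
    violations: int = 0                  # the SecurityViolation counter
    errdisabled: bool = False
    traps: List[str] = field(default_factory=list)

    def configure_static(self, mac: str, now: int) -> None:
        """A statically configured secure address."""
        self.table[mac] = SecureMac(mac, "SecureConfigured", now, now)

    def frame_from(self, mac: str, now: int) -> str:
        """Learning path for a frame's source MAC; returns the action taken."""
        if self.errdisabled:
            return "shutdown"
        entry = self.table.get(mac)
        if entry is not None:
            entry.last_seen = now
            return "forward"
        if len(self.table) < self.maximum:
            kind = "SecureSticky" if self.sticky else "SecureDynamic"
            self.table[mac] = SecureMac(mac, kind, now, now)
            return "forward"
        # Table is full and the source is not secure: a security violation.
        self.violations += 1
        self.traps.append(f"{self.name}: SecurityViolation, source {mac}")
        if self.violation == "shutdown":
            self.errdisabled = True       # the port goes error-disabled
        return self.violation             # "restrict" only drops this traffic

    def age(self, now: int) -> List[str]:
        """Expire entries according to the aging type; returns the MACs removed."""
        if self.aging_time == 0:
            return []
        removed = []
        for mac, e in list(self.table.items()):
            if e.kind != "SecureDynamic" and not self.age_static:
                continue              # configured/sticky age only with 'aging static'
            ref = e.learned_at if self.aging_type == "absolute" else e.last_seen
            if now - ref >= self.aging_time:
                removed.append(mac)
                del self.table[mac]
        return removed

    def link_down(self) -> None:
        """Dynamically secured addresses are no longer secure after link down."""
        self.table = {m: e for m, e in self.table.items() if e.kind != "SecureDynamic"}

    def no_sticky(self) -> None:
        """Disabling sticky learning converts sticky entries to dynamic ones."""
        self.sticky = False
        for e in self.table.values():
            if e.kind == "SecureSticky":
                e.kind = "SecureDynamic"

    def show(self) -> Dict[str, int]:
        """The counters that 'show port-security interface' reports."""
        kinds = [e.kind for e in self.table.values()]
        return {
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.table),
            "Configured MAC Addresses": kinds.count("SecureConfigured"),
            "Sticky MAC Addresses": kinds.count("SecureSticky"),
            "Security Violation Count": self.violations,
        }
```

With violation set to restrict the offending frames are dropped and the counter and trap list grow while known hosts keep forwarding; with shutdown the first violation error-disables the port, which then needs errdisable recovery (or a manual shutdown/no shutdown) to come back.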
Displaying Port Security Settings
Use the show port-security command to display port-security settings for an interface or for the switch.
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 0000.0001.
Security Violation Count   :
This example shows how to display all secure MAC addresses configured on interface g1/1 with aging information for each address.
Switch# show port-security interface g1/1 address
Secure Mac Address Table
Vlan  Mac Address     Type              Ports  Remaining Age(mins)
----  --------------  ----------------  -----  -------------------
2     0001.0001.0001  SecureConfigured  Gi1/1
2     0001.0001.
Chapter 31 Configuring DHCP Snooping and IP Source Guard
This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping and IP Source Guard on Catalyst 4500 series switches. It provides guidelines, procedures, and configuration examples.
Note In order to enable DHCP snooping on a VLAN, you must enable DHCP snooping on the switch.
You can configure DHCP snooping for switches and VLANs. When you enable DHCP snooping on a switch, the interface acts as a Layer 2 bridge, intercepting and safeguarding DHCP messages going to a Layer 2 VLAN. When you enable DHCP snooping on a VLAN, the switch acts as a Layer 2 bridge within a VLAN domain.
is possible because the lease time might indicate an expired time.) An entry from the file is also ignored if the interface referred to in the entry no longer exists on the system, or if it is a router port or a DHCP snooping-trusted interface. When a switch learns of new bindings or when it loses some bindings, the switch writes the modified set of entries from the snooping database to the file.
Table 31-1 Default Configuration Values for DHCP Snooping
Option                                            Default Value/State
DHCP snooping                                     Disabled
DHCP snooping information option                  Enabled
DHCP snooping information option allow-untrusted  Disabled
DHCP snooping limit rate                          Infinite (functions as if rate limiting were disabled)
DHCP snooping trust                               Untrusted
DHCP snooping vlan                                Disabled
If you want to change the default configuration valu
This example shows how to enable DHCP snooping on VLANs 10 through 100:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Enabling DHCP Snooping on Private VLAN
DHCP snooping can be enabled on private VLANs, which provide isolation between Layer 2 ports within the same VLAN. If DHCP snooping is enabled (or disabled), the configuration is propagated to both the primary VLAN and its associated secondary VLANs.
Configuration Examples for the Database Agent
The following examples show how to use the above commands.
Example 1: Enabling the Database Agent
The following example shows how to configure the DHCP snooping database agent to store the bindings at a given location and to view the configuration and operating state:
Switch# configure terminal
Switch(config)# ip dhcp snooping database tftp://10.1.1.
DHCP snooping bindings are keyed on the MAC address and VLAN combination. Therefore, if the remote file contains an entry for a MAC address and VLAN pair for which the switch already has a binding, the entry from the remote file is ignored when the file is read. This condition is referred to as a binding collision.
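The acceptance rules the database agent applies when it reads the binding file (expired leases, interfaces that no longer exist, router ports and snooping-trusted interfaces, and the binding collision just described) and the rewrite of the whole table after a change are easy to get wrong in a home-grown reconciliation tool. The following is an added example written for this page, not Cisco code: the line format of the file, the interface names and every MAC and IP value are constructed, and the real agent's file format is not reproduced.

```python
"""Toy model of how the DHCP snooping database agent treats entries read
from the binding file.  Added example, not Cisco code; the file format and
all sample values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease_expiry: int   # absolute time in seconds (constructed clock)
    vlan: int
    interface: str


BindingTable = Dict[Tuple[str, int], Binding]   # keyed on (MAC address, VLAN)


def parse_binding_file(text: str) -> List[Binding]:
    """Constructed line format: mac ip lease_expiry vlan interface (one per line)."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, ip, expiry, vlan, iface = line.split()
        out.append(Binding(mac, ip, int(expiry), int(vlan), iface))
    return out


def read_into_table(table: BindingTable, entries: List[Binding], now: int,
                    interfaces: Set[str], trusted: Set[str],
                    router_ports: Set[str]) -> List[Tuple[Binding, str]]:
    """Apply the agent's acceptance rules in place; return the ignored entries."""
    ignored = []
    for b in entries:
        if b.lease_expiry <= now:
            ignored.append((b, "lease expired"))
        elif b.interface not in interfaces:
            ignored.append((b, "interface no longer exists"))
        elif b.interface in router_ports:
            ignored.append((b, "router port"))
        elif b.interface in trusted:
            ignored.append((b, "DHCP snooping-trusted interface"))
        elif (b.mac, b.vlan) in table:
            ignored.append((b, "binding collision"))   # existing binding wins
        else:
            table[(b.mac, b.vlan)] = b
    return ignored


def write_binding_file(table: BindingTable) -> str:
    """Serialize the full table: the agent rewrites the file after any change."""
    lines = ["# mac ip lease_expiry vlan interface (constructed format)"]
    for b in sorted(table.values(), key=lambda x: (x.vlan, x.mac)):
        lines.append(f"{b.mac} {b.ip} {b.lease_expiry} {b.vlan} {b.interface}")
    return "\n".join(lines) + "\n"


# Constructed sample file exercising each rule; the clock in demo() is 1000.
SAMPLE_FILE = """# constructed sample
0002.0002.0002 170.1.1.9 2000 100 Gi3/33
0003.0003.0003 170.1.1.3 500  100 Gi3/32
0004.0004.0004 170.1.1.4 2000 100 Gi9/1
0005.0005.0005 170.1.1.5 2000 100 Gi3/48
0006.0006.0006 170.1.1.6 2000 100 Gi3/33
"""


def demo(now: int = 1000) -> Tuple[BindingTable, List[Tuple[Binding, str]]]:
    """Existing table holds one binding; the file adds one and loses four."""
    table: BindingTable = {
        ("0002.0002.0002", 100): Binding("0002.0002.0002", "170.1.1.2", 3000, 100, "Gi3/31"),
    }
    ignored = read_into_table(table, parse_binding_file(SAMPLE_FILE), now,
                              interfaces={"Gi3/31", "Gi3/32", "Gi3/33", "Gi3/48"},
                              trusted={"Gi3/48"}, router_ports=set())
    return table, ignored


if __name__ == "__main__":
    tbl, skipped = demo()
    for b, why in skipped:
        print(f"ignored {b.mac} vlan {b.vlan} on {b.interface}: {why}")
    print(write_binding_file(tbl))
```

The collision case is the one worth noticing operationally: a file entry that maps 0002.0002.0002 in VLAN 100 to a different address is silently dropped because the switch already holds a binding for that MAC and VLAN, so a stale or tampered file cannot overwrite a live binding.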
Switch# renew ip dhcp snoop data tftp://10.1.1.1/directory/file
Loading directory/file from 10.1.1.1 (via GigabitEthernet1/1): !
[OK - 457 bytes]
Database downloaded successfully.
Switch#
00:01:29: %DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database Read succeeded.
This example shows how to manually add a binding to the DHCP snooping database:
Switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Switch#
Switch# ip dhcp snooping binding 1.1.1 vlan 1 1.1.1.
Displaying the DHCP Snooping Configuration
This example shows how to display the DHCP snooping configuration for a switch.
Switch# show ip dhcp snooping
Switch DHCP snooping is enabled.
Note When IP source guard is enabled in IP and MAC filtering mode, the DHCP snooping option 82 must be enabled to ensure that the DHCP protocol works properly. Without option 82 data, the switch cannot locate the client host port to forward the DHCP server reply. Instead, the DHCP server reply is dropped, and the client cannot obtain an IP address.
Switch(config-if)# switchport trunk native vlan 10
Switch(config-if)# switchport trunk allowed vlan 11-20
Switch(config-if)# no ip dhcp snooping trust
Switch(config-if)# ip verify source vlan dhcp-snooping
Switch(config)# end
Switch# sh ip verify source interface f6/1
Interface  Filter-type  Filter-mode  IP-address       Mac-address
---------  -----------  -----------  ---------------  -----------------
Fa6/1      ip-mac       active       10
• This example shows displayed PVACLs for a port with multiple bindings configured for IP/MAC filtering:
Interface  Filter-mode  IP-address  Mac-address
---------  -----------  ----------  --------------
fa6/4      active       10.0.0.2    aaaa.bbbb.cccc
fa6/4      active       11.0.0.1    aaaa.bbbb.
fa6/4      active       deny-all
Table 31-3 show ip source binding Command Output
Field            Description
MAC Address      Client hardware MAC address
IP Address       Client IP address assigned from the DHCP server
Lease (seconds)  IP address lease time
Type             Binding type: static bindings configured from the CLI, or dynamic bindings learned from DHCP snooping
VLAN             VLAN number of the client interface
Interface        Interface that connects to the DHCP client
Chapter 32 Understanding and Configuring Dynamic ARP Inspection
This chapter describes how to configure Dynamic ARP Inspection (DAI) on the Catalyst 4500 series switch.
ARP Cache Poisoning
You can attack hosts, switches, and routers connected to your Layer 2 network by “poisoning” their ARP caches. For example, a malicious user might intercept traffic intended for other hosts on the subnet by poisoning the ARP caches of systems connected to the subnet.
Interface Trust State, Security Coverage and Network Configuration
DAI associates a trust state with each interface on the system. Packets arriving on trusted interfaces bypass all DAI validation checks, while those arriving on untrusted interfaces go through the DAI validation process.
Relative Priority of Static Bindings and DHCP Snooping Entries
As mentioned previously, DAI populates its database of valid MAC address to IP address bindings through DHCP snooping. It also validates ARP packets against statically configured ARP ACLs. It is important to note that ARP ACLs have precedence over entries in the DHCP snooping database. ARP packets are first compared to user-configured ARP ACLs.
The rate limit configuration on a port channel is independent of the configuration on its physical ports. The rate limit is cumulative across all physical ports; that is, the rate of incoming packets on a port channel equals the sum of rates across all physical ports.
For information on how to configure dynamic ARP inspection when only one switch supports the feature, see the “Configuring ARP ACLs for Non-DHCP Environments” section on page 32-10.
To configure dynamic ARP inspection, perform this task on both switches:
Step 1  Switch# show cdp neighbors
        Verifies the connection between the switches.
This example shows how to configure dynamic ARP inspection on Switch A in VLAN 100. You would perform a similar procedure on Switch B.
Interface  Trust State  Rate (pps)  Burst Interval
Gi3/39     Untrusted    15          1
Gi3/40     Untrusted    15          1
Gi3/41     Untrusted    15          1
Gi3/42     Untrusted    15          1
Gi3/43     Untrusted    15          1
Gi3/44     Untrusted    15          1
Gi3/45     Untrusted    15          1
Gi3/46     Untrusted    15          1
Gi3/47     Untrusted    15          1
Gi3/48     Trusted      None        N/A
SwitchA# show ip arp inspection vlan 100
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
Vlan  Configuration
100
Interface  Trust State
Gi1/1      Untrusted
Gi1/2      Untrusted
Gi3/1      Untru
Gi3/2 through Gi3/48 (remaining rows truncated)
Vlan  ACL Logging  DHCP Logging
100   Deny         Deny
SwitchB# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)
------------------  ---------------  ----------
00:02:00:02:00:02   170.1.1.
Step 3  Switch(config-arp)# permit ip host sender-ip mac host sender-mac [log]
        Permits ARP packets from the specified host (Host 2).
        • For sender-ip, enter the IP address of Host 2.
        • For sender-mac, enter the MAC address of Host 2.
        • (Optional) Specify log to log a packet in the log buffer when it matches the access control entry (ACE).
Step 7  Switch(config-if)# no ip arp inspection trust
        Configures the Switch A interface that is connected to Switch B as untrusted. By default, all interfaces are untrusted. For untrusted interfaces, the switch intercepts all ARP requests and responses.
Interface  Trust State
Gi3/4      Untrusted
Gi3/5      Untrusted
Gi3/6      Untrusted
Gi3/7      Untrusted
Gi3/8      Untrusted
Gi3/9      Untrusted
Gi3/10     Untrusted
Gi3/11     Untrusted
Gi3/12     Untrusted
Gi3/13     Untrusted
Gi3/14 through Gi3/48 (remaining rows truncated)
Configuring the Log Buffer
When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer.
Step 3  Switch(config)# [no] ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}
        Controls the type of packets that are logged per VLAN. By default, all denied or all dropped packets are logged. The term logged means the entry is placed in the log buffer and a system message is generated.
Limiting the Rate of Incoming ARP Packets
The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack. When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state.
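The DAI decision path this chapter describes in several places (trusted interfaces bypass inspection; untrusted interfaces are rate-limited and error-disabled when the limit is exceeded; ARP ACLs are consulted before the DHCP snooping bindings; the binding table is keyed on MAC address and VLAN) is modelled end to end below. This is an added example written for this page, not Cisco code. The 15 pps rate with a 1-second burst interval matches the untrusted-port values in the show ip arp inspection interfaces output above; the interface names, the ACL entry, the binding and the log text are constructed.

```python
"""Toy model of the Dynamic ARP Inspection decision path described in this
chapter.  Added example, not Cisco code; interface names, MAC/IP values and
the log text are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass
class ArpPacket:
    interface: str
    vlan: int
    sender_ip: str
    sender_mac: str


@dataclass
class DaiSwitch:
    trusted: Set[str] = field(default_factory=set)      # ip arp inspection trust
    rate_limit_pps: int = 15                            # untrusted-port default
    burst_interval: int = 1                             # seconds
    # ARP ACL entries: (action, sender_ip, sender_mac or None for "mac any")
    arp_acl: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)
    dhcp_bindings: Dict[Tuple[str, int], str] = field(default_factory=dict)
    errdisabled: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)
    _arrivals: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def _within_rate(self, iface: str, now: float) -> bool:
        """Sliding-window count of ARP packets seen on iface in one burst interval."""
        window = self._arrivals[iface]
        window.append(now)
        while window and now - window[0] >= self.burst_interval:
            window.popleft()
        return len(window) <= self.rate_limit_pps * self.burst_interval

    def inspect(self, pkt: ArpPacket, now: float) -> str:
        """Return 'verdict:rule' for one ARP packet arriving at time now."""
        if pkt.interface in self.errdisabled:
            return "drop:errdisabled"
        if pkt.interface in self.trusted:
            return "permit:trusted"             # no validation and no rate limit
        if not self._within_rate(pkt.interface, now):
            self.errdisabled.add(pkt.interface)
            self.log.append(f"{pkt.interface}: ARP rate limit exceeded, port err-disabled")
            return "drop:rate-limit"
        # ARP ACLs take precedence over the DHCP snooping database.
        for action, ip, mac in self.arp_acl:
            if ip == pkt.sender_ip and (mac is None or mac == pkt.sender_mac):
                return f"{action}:arp-acl"
        # Otherwise the sender must match a binding learned by DHCP snooping.
        if self.dhcp_bindings.get((pkt.sender_mac, pkt.vlan)) == pkt.sender_ip:
            return "permit:dhcp-binding"
        self.log.append(f"invalid ARP on {pkt.interface} vlan {pkt.vlan}: "
                        f"{pkt.sender_mac}/{pkt.sender_ip} has no matching binding")
        return "deny:no-binding"


def build_demo_switch() -> DaiSwitch:
    """Constructed topology: one trusted uplink, one static host, one DHCP client."""
    sw = DaiSwitch(trusted={"Gi3/48"})
    sw.arp_acl.append(("permit", "170.1.1.1", "0001.0001.0001"))   # non-DHCP host
    sw.dhcp_bindings[("0002.0002.0002", 100)] = "170.1.1.2"        # DHCP client
    return sw


def run_demo() -> Dict[str, str]:
    sw = build_demo_switch()
    results = {
        "dhcp_client": sw.inspect(ArpPacket("Gi3/31", 100, "170.1.1.2", "0002.0002.0002"), 0.0),
        "static_host": sw.inspect(ArpPacket("Gi3/31", 100, "170.1.1.1", "0001.0001.0001"), 0.1),
        # the DHCP client's MAC claiming the static host's IP: no ACL match, no binding
        "spoofed_ip":  sw.inspect(ArpPacket("Gi3/31", 100, "170.1.1.1", "0002.0002.0002"), 0.2),
        "uplink":      sw.inspect(ArpPacket("Gi3/48", 100, "10.9.9.9", "0009.0009.0009"), 0.3),
    }
    # 16 valid ARP packets inside one second on an untrusted port exceed 15 pps.
    for i in range(16):
        results["flood"] = sw.inspect(
            ArpPacket("Gi3/5", 100, "170.1.1.2", "0002.0002.0002"), 1.0 + i * 0.01)
    results["flood_after"] = sw.inspect(
        ArpPacket("Gi3/5", 100, "170.1.1.2", "0002.0002.0002"), 5.0)
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:12} {verdict}")
```

Two points the model makes visible: the spoofed packet is denied even though its IP appears in an ARP ACL, because the ACE binds that IP to a specific MAC, and the flood is stopped by the rate limit before any binding lookup happens, after which every packet on that port is dropped until the port recovers from the error-disabled state.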
To return to the default rate-limit configuration, use the no ip arp inspection limit interface configuration command. To disable error recovery for dynamic ARP inspection, use the no errdisable recovery cause arp-inspection global configuration command.
Interface  Trust State  Rate (pps)  Burst Interval
Gi3/41     Untrusted    15          1
Gi3/42     Untrusted    15          1
Gi3/43     Untrusted    15          1
Gi3/44     Untrusted    15          1
Gi3/45     Untrusted    15          1
Gi3/46     Trusted      None        N/A
Gi3/47     Untrusted    15          1
Gi3/48     Untrusted    15          1
SwitchB# show errdisable recovery
ErrDisable Reason    Timer Status
udld                 Disabled
bpduguard            Disabled
security-violatio    Disabled
channel-misconfig    Disabled
vmps                 Disabled
pagp-flap            Disabled
dtp-flap             Disab
To perform specific checks on incoming ARP packets, perform this task:
Step 1  Switch# configure terminal
        Enters global configuration mode.
Step 2  Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
        Performs a specific check on incoming ARP packets. By default, no additional checks are performed.
Vlan  ACL Logging  DHCP Logging
100   Deny         Deny
SwitchB#
1w2d: %SW_DAI-4-INVALID_ARP: 9 Invalid ARPs (Req) on Gi3/31, vlan 100.([0002.0002.0002/170.1.1.2/0001.0001.0001/170.1.1.1/02:30:24 UTC Fri Feb 4 2005])
Chapter 33 Configuring Network Security with ACLs
This chapter describes how to use access control lists (ACLs) to configure network security on the Catalyst 4500 series switches.
Note For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm.
ACL Overview
An ACL is a collection of sequential permit and deny conditions that applies to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the permissions required to be forwarded, based on the conditions specified in the access lists. It tests the packets against the conditions in an access list one by one.
You can apply only one IP access list and one MAC access list to a Layer 2 interface.
• VLAN ACLs or VLAN maps control the access of all packets (bridged and routed). You can use VLAN maps to filter traffic between devices in the same VLAN. You do not need the enhanced image to create or apply VLAN maps. VLAN maps are configured to control access based on Layer 3 addresses for IP.
Figure 33-1 Using ACLs to Control Traffic to a Network (figure: a Catalyst 4500 series switch between Host A, Host B, the Research & Development network and the Human Resources network; an ACL denies traffic from Host B and permits traffic from Host A)
Port ACLs
You can also apply ACLs to Layer 2 interfaces on a switch. Port ACLs are supported on physical interfaces and EtherChannel interfaces.
VLAN Maps
VLAN maps can control the access of all traffic in a VLAN. You can apply VLAN maps on the switch to all packets that are routed into or out of a VLAN or are bridged within a VLAN. Unlike router ACLs, VLAN maps are not defined by direction (input or output). You can configure VLAN maps to match Layer 3 addresses for IP traffic.
Note Packets that require logging are processed in software. A copy of the packets is sent to the CPU for logging while the actual packets are forwarded in hardware so that non-logged packet processing is not impacted.
Switch# show platform hardware acl statistics utilization brief
                         Entries/Total(%)     Masks/Total(%)
                         -----------------    ---------------
Input Acl(PortAndVlan)   2016 / 4096 ( 49)    460 / 512 ( 89)
Input Acl(PortOrVlan)       6 / 4096 (  0)      4 / 512 (  0)
Input Qos(PortAndVlan)      0 / 4096 (  0)      0 / 512 (  0)
Input Qos(PortOrVlan)       0 / 4096 (  0)      0 / 512 (  0)
Output Acl(PortAndVlan)     0 / 4096 (  0)      0 / 512 (  0)
Output Acl(PortOrVlan)      0 / 4096 (  0)      0 / 512 (  0)
Restrictions for Layer 4 Operations
You can specify these operator types, each of which uses one Layer 4 operation in the hardware:
• gt (greater than)
• lt (less than)
• neq (not equal)
• range (inclusive range)
We recommend that you not specify more than six different operations on the same ACL.
Access lists 101 and 102 use the following Layer 4 operations:
• Access list 101 Layer 4 operations: 5
  – gt 10 permit and gt 10 deny both use the same operation because they are identical and both operate on the destination port.
Access lists 104 and 105 are identical; established is shorthand for rst and ack.
Chapter 33 Configuring Network Security with ACLs Configuring Unicast MAC Address Filtering Configuring Unicast MAC Address Filtering To block all unicast traffic to or from a MAC address in a specified VLAN, perform this task: Command Purpose Switch(config)# mac-address-table static mac_address vlan vlan_ID drop Blocks all traffic to or from the configured unicast MAC address in the specified VLAN. To clear MAC address-based blocking, use the no form of this command without the drop keyword.
Chapter 33 Configuring Network Security with ACLs Configuring VLAN Maps You can use the no mac access-list extended name global configuration command to delete the entire ACL. You can also delete individual ACEs from named MAC extended ACLs. This example shows how to create and display an access list named mac1, denying only EtherType DECnet Phase IV traffic, but permitting all other types of traffic.
Configuring VLAN Maps
Note You cannot apply a VLAN map to a VLAN on a switch that has ACLs applied to Layer 2 interfaces (port ACLs).
VLAN Map Configuration Guidelines
Keep the following guidelines in mind when configuring VLAN maps:
• VLAN maps do not filter IPv4 ARP packets.
• If there is no router ACL configured to deny traffic on a routed VLAN interface (input or output), and no VLAN map configured, all traffic is permitted.
Step 6  Command: Switch(config)# show running-config
        Purpose: Displays the access list configuration.
Step 7  Command: Switch(config)# copy running-config startup-config
        Purpose: (Optional) Saves your entries in the configuration file.
You can use the no vlan access-map name global configuration command to delete a map.
Example 2
In this example, the VLAN map is configured to drop IP packets and to forward MAC packets by default.
Example 4
In this example, the VLAN map is configured to drop all packets (IP and non-IP). By applying access lists tcp-match and good-hosts, the VLAN map is configured to do the following:
• Forward all TCP packets
• Forward MAC packets from hosts 0000.0c00.0111 and 0000.0c00.
Figure 33-3 Wiring Closet Configuration
Figure labels: Catalyst 4500 series switch; Switch A; Switch B; Switch C; VLAN map: Deny HTTP from X to Y; HTTP is dropped at entry point; Host X 10.1.1.32; Host Y 10.1.1.34; VLAN 1; VLAN 2; Packet
For example, if you do not want HTTP traffic to be switched from Host X to Host Y, you could apply a VLAN map on Switch A to drop all HTTP traffic moving from Host X (IP address 10.1.1.
Denying Access to a Server on Another VLAN
Figure 33-4 shows how to restrict access to a server on another VLAN. In this example, server 10.1.1.100 in VLAN 10 has the following access restrictions:
• Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.
• Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.
Figure 33-4 Deny Access to a Server on Another VLAN
Figure labels: VLAN map; 10.1.1.100; Subnet 10.1.2.
Displaying VLAN Access Map Information
To display information about VLAN access maps or VLAN filters, perform one of these tasks.
Command: Switch# show vlan access-map [mapname]
Purpose: Show information about all VLAN access-maps or the specified access map.
Command: Switch# show vlan filter [access-map name | vlan vlan-id]
Purpose: Show information about all VLAN filters or about a specified VLAN or VLAN access map.
Using VLAN Maps with Router ACLs
Guidelines for Using Router ACLs and VLAN Maps
Use these guidelines when you need to use a router ACL and a VLAN map on the same VLAN. Because the switch hardware performs one lookup for each direction (input and output), you must merge a router ACL and a VLAN map when they are configured on the same VLAN. Merging the router ACL with the VLAN map can significantly increase the number of ACEs.
Figure 33-5 Applying ACLs on Switched Packets
Figure labels: Catalyst 4500 series switch; VLAN 10 map; Input router ACL; Output router ACL; VLAN 20 map; Frame; Host A (VLAN 10); Routing function; VLAN 10; Packet; VLAN 20; Host C (VLAN 10)
ACLs and Routed Packets
Figure 33-6 shows how ACLs are applied on routed packets. For routed packets, the ACLs are applied in this order:
1. VLAN map for input VLAN
2. Input router ACL
3.
Figure 33-6 Applying ACLs on Routed Packets
Figure labels: Catalyst 4500 series switch; VLAN 10 map; Input router ACL; Output router ACL; VLAN 20 map; Frame; Host B (VLAN 20); Host A (VLAN 10); VLAN 10; Packet; VLAN 20; Routing function
Configuring PACLs
This section describes how to configure PACLs, which are used to control filtering on Layer 2 interfaces.
PACL Configuration Guidelines
Consider the following guidelines when configuring PACLs:
• There can be at most one IP access list and one MAC access list applied to the same Layer 2 interface per direction.
• The IP access list filters only IP packets, whereas the MAC access list filters only non-IP packets.
• The number of ACLs and ACEs that can be configured as part of a PACL is bounded by the hardware resources on the switch.
The following example shows how to configure the Extended Named IP ACL simple-ip-acl to permit all TCP traffic and implicitly deny all other IP traffic:
Switch(config)# ip access-list extended simple-ip-acl
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# end
The following example shows how to configure the Extended Named MACL simple-mac-acl to permit source host 000.000.
This example shows how to merge and apply features other than PACL on the interface:
Switch# configure t
Switch(config)# interface interface
Switch(config-if)# access-group mode prefer port
This example shows how to merge applicable ACL features before they are programmed into hardware:
Switch# configure t
Switch(config)# interface interface
Switch(config-if)# access-group mode merge
Applying ACLs to a Layer 2 Interface
To apply IP and
This example shows that the IP access group simple-ip-acl is configured on the inbound direction of interface fa6/1:
Switch# show ip interface fast 6/1
FastEthernet6/1 is up, line protocol is up
  Inbound  access list is simple-ip-acl
  Outgoing access list is not set
This example shows that MAC access group simple-mac-acl is configured on the inbound direction of interface fa6/1:
Switch# show mac access-group interfa
Using PACL with VLAN Maps and Router ACLs
Scenario 1: Host A is connected to an interface in VLAN 20, which has an SVI configured.
If the interface access group mode is prefer port, then only the input PACL is applied on the ingress traffic from Host A. If the mode is prefer vlan, then only the VACL is applied to the ingress traffic from Host A. If the mode is merge, the input PACL is first applied to the ingress traffic from Host A, and the VACL is applied on the traffic.
CHAPTER 34 Configuring Private VLANs
This chapter describes private VLANs (PVLANs) on Catalyst 4500 series switches. It also provides restrictions, procedures, and configuration examples.
Overview of PVLANs
Isolated and community VLANs are called secondary VLANs. You can extend PVLANs across multiple devices by trunking the primary, isolated, and community VLANs to other devices that support PVLANs. In a switched environment, you can assign an individual PVLAN and associated IP subnet to each individual or common group of end stations. The end stations need to communicate with a default gateway only to gain access outside the PVLAN.
When a packet is transmitted out of a PVLAN host or trunk port, the packet logically belongs to the primary VLAN. This relationship applies even though the packet may be transmitted with the secondary VLAN tagging for PVLAN trunk ports. In this situation, the primary VLAN ACL and the primary VLAN QoS on output apply to the packet.
How to Configure PVLANs
To configure a PVLAN, follow this procedure:
Step 1 Set VTP mode to transparent.
• Use only PVLAN commands to assign ports to primary, isolated, or community VLANs. Layer 2 interfaces on primary, isolated, or community VLANs are inactive in PVLANs. Layer 2 trunk interfaces remain in the STP forwarding state.
• You cannot configure Layer 3 VLAN interfaces for secondary VLANs. Layer 3 VLAN interfaces for isolated and community (secondary) VLANs are inactive while the VLAN is configured as an isolated or community VLAN.
• You can apply different quality of service (QoS) configurations to primary, isolated, and community VLANs. (See Chapter 27, “Configuring Quality of Service.”) Cisco IOS ACLs applied to the Layer 3 VLAN interface of a primary VLAN automatically apply to the associated isolated and community VLANs.
• On a PVLAN trunk port a secondary VLAN ACL is applied on ingress traffic and a primary VLAN ACL is applied on egress traffic.
Primary Secondary Type              Interfaces
------- --------- ----------------- ------------------------------------------
202               primary
This example shows how to configure VLAN 303 as a community VLAN and verify the configuration:
Switch# configure terminal
Switch(config)# vlan 303
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# end
Switch# show vlan private-vlan
Primary Secondary Type              Interfaces
------- --------- ----------------- -------
• Use the remove keyword with a secondary_vlan_list to clear the association between secondary VLANs and a primary VLAN.
• The command does not take effect until you exit VLAN configuration submode.
• Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the PVLAN promiscuous port.
This example shows how to configure interface FastEthernet 5/1 as a PVLAN host port and verify the configuration:
Switch# configure terminal
Switch(config)# interface fastethernet 5/1
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 202 440
Switch(config-if)# end
Switch# show interfaces fastethernet 5/1 switchport
Name: Fa5/1
Switchport: Enabled
Administrative Mode: private-vlan host
Step 5  Command: Switch(config-if)# [no] switchport private-vlan association trunk primary_vlan_ID secondary_vlan_ID
        Purpose: Configures the association between a primary VLAN and a secondary VLAN on the PVLAN trunk port.
Note Multiple PVLAN pairs can be specified using this command so that a PVLAN trunk port can carry multiple secondary VLANs.
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Appliance trust: none
Administrative Private Vlan
  Host Association: 202 (VLAN0202) 440 (VLAN0440)
  Promiscuous Mapping: none
  Trunk encapsulation : dot1q
  Trunk vlans: 202 (VLAN0202) 440 (VLAN0440)
Operational private-vlan(s): 202 (VLAN0202) 440 (VLAN0440)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
P
This example shows how to permit routing of secondary VLAN ingress traffic from private VLANs 303 through 307, 309, and 440 and verify the configuration:
Switch# configure terminal
Switch(config)# interface vlan 202
Switch(config-if)# private-vlan mapping add 303-307,309,440
Switch(config-if)# end
Switch# show interfaces private-vlan mapping
Interface Secondary VLAN Type
--------- -------------- ----------------
vlan202   303            community
vlan202   304
CHAPTER 35 Port Unicast and Multicast Flood Blocking
This chapter describes how to configure multicast and unicast flood blocking on the Catalyst 4500 series switch. This chapter contains these topics:
• Overview of Flood Blocking, page 35-1
• Configuring Port Blocking, page 35-1
Note For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.
Configuring Port Blocking
Blocking Flooded Traffic on an Interface
Note The interface can be a physical interface (for example, GigabitEthernet 1/1) or an EtherChannel group (such as port-channel 5). When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port channel group.
Resuming Normal Forwarding on a Port
To resume normal forwarding on a port, perform this task:
Step 1  Command: Switch# configure terminal
        Purpose: Enters global configuration mode.
Step 2  Command: Switch(config)# interface interface-id
        Purpose: Enters interface configuration mode; enter the type and number of the switchport interface (for example, GigabitEthernet1/1).
CHAPTER 36 Configuring Storm Control
This chapter describes how to configure port-based traffic control on the Catalyst 4500 series switch.
Note For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm.
Overview of Storm Control
Hardware-based Storm Control Implementation
Broadcast suppression uses filtering that measures broadcast activity in a subnet over a one-second interval and compares the measurement with a predefined threshold. If the threshold is reached, further broadcast activity is suppressed for the duration of the interval. Broadcast suppression is disabled by default.
Enabling Storm Control
To enable storm control, perform this task:
Step 1  Command: Switch# configure terminal
        Purpose: Enters global configuration mode.
Step 2  Command: Switch(config)# interface interface-id
        Purpose: Enters interface configuration mode; enter the port to configure.
Step 3  Command: Switch(config-if)# storm-control broadcast level [high level] [lower level]
        Purpose: Configures broadcast storm control.
Disabling Storm Control
To disable storm control, perform this task:
Step 1  Command: Switch# configure terminal
        Purpose: Enters global configuration mode.
Step 2  Command: Switch(config)# interface interface-id
        Purpose: Enters interface configuration mode; enter the port to configure.
Step 3  Command: Switch(config-if)# no storm-control broadcast level
        Purpose: Disables port storm control.
Displaying Storm Control
Speed: 1000
Duplex: full
Trunk encap. type: 802.
Trunk mode:
Channel:
Broadcast suppression:
Flowcontrol:
VLAN Membership:
Fast Start:
Queuing:
CoS rewrite:
ToS rewrite:
Inline power:
SPAN:
UDLD:
Link Debounce:
Link Debounce Time:
Port Security:
Dot1x:
Maximum MTU:
Media Type:
Multicast Storm Control
Note Use the show storm-control command to display the configured thresholds and status of storm on an interface.
Switch# show storm-control
Interface  Filter State  Upper   Lower   Current
---------  ------------  ------  ------  -------
Gi4/4      Forwarding    2.00%   2.00%   N/A
Switch#
Note In the example shown above, “current” represents the percentage of traffic suppressed at a given instant, and the value is N/A for ports that perform suppression in hardware.
The following example shows how to enable multicast suppression on ports that have broadcast suppression already enabled:
Switch# configuration terminal
Enter configuration commands, one per line.  End with CNTL/Z.
CHAPTER 37 Configuring SPAN and RSPAN
This chapter describes how to configure the Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 4500 series switches. SPAN selects network traffic for analysis by a network analyzer, such as a SwitchProbe device or other Remote Monitoring (RMON) probe.
Overview of SPAN and RSPAN
For SPAN configuration, the source interfaces and the destination interface must be on the same switch. SPAN does not affect the switching of network traffic on source interfaces; copies of the packets received or transmitted by the source interfaces are sent to the destination interface.
SPAN and RSPAN Concepts and Terminology
This section describes concepts and terminology associated with SPAN and RSPAN configuration and includes the following subsections:
• SPAN Session, page 37-3
• Traffic Types, page 37-3
• Source Port, page 37-4
• Destination Port, page 37-5
• VLAN-Based SPAN, page 37-5
• SPAN Traffic, page 37-6
SPAN Session
A local SPAN session associates a destination port with source ports.
Some features that can cause a packet to be dropped during receive processing have no effect on SPAN; the destination port receives a copy of the packet even if the actual incoming packet is dropped. These features include IP standard and extended input access control lists (ACLs), IP standard and extended output ACLs for unicast and ingress QoS policing, VLAN maps, ingress QoS policing, and policy-based routing.
Destination Port
Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports and VLANs. A destination port has these characteristics:
• A destination port must reside on the same switch as the source port (for a local SPAN session).
• A destination port can be any Ethernet physical port.
• You cannot use filter VLANs in the same session with VLAN sources.
• You can monitor only Ethernet VLANs.
SPAN Traffic
You can use local SPAN to monitor all network traffic, including multicast and bridge protocol data unit (BPDU) packets, Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP) packets.
Configuring SPAN
• Configuration Scenario, page 37-10
• Verifying a SPAN Configuration, page 37-10
Note Entering SPAN configuration commands does not clear previously configured SPAN parameters. You must enter the no monitor session command to clear configured SPAN parameters.
SPAN Configuration Guidelines and Restrictions
Follow these guidelines and restrictions when configuring SPAN:
• You must use a network analyzer to monitor interfaces.
Configuring SPAN Sources
To configure the source for a SPAN session, perform this task:
Command: Switch(config)# [no] monitor session {session_number} {source {interface | {vlan vlan_IDs | cpu [queue queue_ids] } [rx | tx | both]
Purpose: Specifies the SPAN session number (1 through 6), the source interfaces (FastEthernet or GigabitEthernet), VLANs (1 through 4094), whether or not traffic received or sent from the CPU is copied to t
Configuring SPAN Destinations
To configure the destination for a SPAN session, perform this task:
Command: Switch(config)# [no] monitor session destination interface [encapsulation {isl | dot1q}] [ingress [vlan vlan_IDs] [learning]]
Purpose: Specifies the SPAN session number (1 through 6) and the destination interfaces or VLANs.
Configuration Scenario
This example shows how to use the commands described in this chapter to completely configure and unconfigure a span session. Assume that you want to monitor bidirectional traffic from source interface Fast Ethernet 4/10, which is configured as a trunk interface carrying VLANs 1 through 4094. Moreover, you want to monitor only traffic in VLAN 57 on that trunk.
CPU Port Sniffing
To configure CPU source sniffing, perform this task:
Command: Switch(config)# [no] monitor session {session_number} {source {interface interface_list | {vlan vlan_IDs | cpu [queue queue_ids] } [rx | tx | both]
Purpose: Specifies that the CPU will cause traffic received by or sent from the CPU to be copied to the destination of the session. The queue identifier optionally allows sniffing-only traffic (received) on the specified CPU queue(s).
Encapsulation Configuration
When configuring a SPAN destination port, you can explicitly specify the encapsulation type used by the port. Packets sent out the port are tagged in accordance with the specified mode. (The encapsulation mode also controls how tagged packets are handled when the ingress packet option is enabled.) The Catalyst 4500 series switch supervisor engines support ISL encapsulation and 802.
This example shows how to configure a destination port with 802.1q encapsulation and ingress packets using native VLAN 7:
Switch(config)# monitor session 1 destination interface fastethernet 5/48 encapsulation dot1q ingress vlan 7
With this configuration, traffic from SPAN sources associated with session 1 would be copied out of interface Fast Ethernet 5/48, with 802.1q encapsulation.
Access List Filtering
• No policing is allowed on traffic exiting SPAN ports.
• Only IP ACLs are supported on SPAN sessions.
Packet Type Filtering
There are two categories of packet filtering: packet-based (good, error) or address-based (unicast/multicast/broadcast). Packet-based filters can only be applied in the ingress direction. Packets are classified as broadcast, multicast, or unicast by the hardware based on the destination address.
Note When filters of both types are configured, only packets that pass both filters are spanned.
Configuring RSPAN
This section describes how to configure RSPAN on your switch and it contains this configuration information:
• RSPAN Configuration Guidelines, page 37-16
• Creating an RSPAN Session, page 37-17
• Creating an RSPAN Destination Session, page 37-18
• Creating an RSPAN Destination Session and Enabling Ingress Traffic, page 37-19
• Removing Ports from an RSPAN Session, page 37-21
• Specifying VLANs to Monitor, page 37-22
•
Creating an RSPAN Session
First, create an RSPAN VLAN for the RSPAN session; this VLAN must not already exist on any of the switches that will participate in RSPAN. With VTP enabled in the network, you can create the RSPAN VLAN in one switch, and VTP then propagates it to the other switches in the VTP domain for VLAN IDs lower than 1005.
Step 7  Command: Switch(config)# monitor session session_number destination remote vlan vlan-ID
        Purpose: Specifies the RSPAN session and the destination remote VLAN. For session_number, specifies the session number identified with this RSPAN session (1 through 6). For vlan-ID, specifies the RSPAN VLAN to carry the monitored traffic to the destination port.
Step 8  Command: Switch(config)# end
        Purpose: Returns to privileged EXEC mode.
Step 3  Command: Switch(config)# [no] monitor session destination interface [encapsulation {isl | dot1q}] [ingress [vlan vlan_IDs] [learning]]
        Purpose: Specifies the RSPAN session and the destination interface. For session_number, specifies the session number identified with this RSPAN session (1 through 6). For interface, specifies the destination interface. For vlan_IDs, specifies the ingress VLAN, if necessary.
Step 3  Command: Switch(config)# [monitor session session_number destination interface interface-id [encapsulation {dot1q [ingress vlan vlan id] | ISL [ingress]} | ingress vlan vlan id] [learning]]
        Purpose: Specifies the RSPAN session, the destination port, the packet encapsulation, and the ingress VLAN. For session_number, specifies the session number identified with this RSPAN session (1 through 6).
Removing Ports from an RSPAN Session
To remove a port as an RSPAN source for a session, perform this task:
Step 1  Command: Switch# configure terminal
        Purpose: Enters global configuration mode.
Step 2  Command: Switch(config)# [no] monitor session {session_number} {source {interface interface_list | {vlan vlan_IDs | cpu [queue queue_ids]} [rx | tx | both]
        Purpose: Specifies the characteristics of the RSPAN source port (monitored port) to remove.
Specifying VLANs to Monitor
VLAN monitoring is similar to port monitoring. To specify VLANs to monitor, perform this task:
Step 1  Command: Switch# configure terminal
        Purpose: Enters global configuration mode.
Step 2  Command: Switch(config)# no monitor session {session_number | all | local | remote}
        Purpose: Clears any existing SPAN configuration for the session. For session_number, specifies the session number identified with this RSPAN session (1 through 6).
This example shows how to clear any existing configuration on RSPAN session 2, configure RSPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination remote VLAN 902. The configuration is then modified to also monitor received traffic on all ports belonging to VLAN 10.
Step 4  Command: Switch(config)# monitor session session_number filter vlan vlan-id [, | -]
        Purpose: Limits the RSPAN source traffic to specific VLANs. For session_number, specifies the session number identified with this RSPAN session (1 through 6). For vlan-id, the range is 1 to 4094; do not enter leading zeros. (Optional) Use a comma (,) to specify a series of VLANs or use a hyphen (-) to specify a range of VLANs.
Displaying SPAN and RSPAN Status
Source VLANs:
    RX Only: None
    TX Only: None
    Both: None
Source RSPAN VLAN: None
Destination Ports: None
    Encapsulation: DOT1Q
          Ingress: Enabled, default VLAN=5
Filter VLANs: None
Dest RSPAN VLAN: None
Ingress : Enabled, default VLAN=2
Learning : Disabled
CHAPTER 38 Configuring NetFlow
This chapter describes how to configure NetFlow Statistics on the Catalyst 4500 series switches. It also provides guidelines, procedures, and configuration examples.
Note To use the NetFlow feature, you must have the Supervisor Engine V-10GE (the functionality is embedded in the supervisor engine), or the NetFlow Services Card (WS-F4531) and either a Supervisor Engine IV or a Supervisor Engine V.
Overview of NetFlow Statistics Collection
NetFlow exports flow information in UDP datagrams in one of two formats. The version 1 format was the initial released version, and version 5 is a later enhancement to add Border Gateway Protocol (BGP) autonomous system (AS) information and flow sequence numbers. In version 1 and version 5 format, the datagram consists of a header and one or more flow records.
Table 38-2 NDE Version 5 Flow Record Format
Bytes   Content   Description
0–3     srcaddr   Source IP address
4–7     dstaddr   Destination IP address
8–11    nexthop   Next hop router’s IP address
12–13   input     Ingress interface SNMP ifIndex
Flow mask columns (Full Interface, Full, Destination Source Interface, Destination Source, Destination, Source): X = Populated, A = Additional field
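The version 5 datagram layout described above (a header followed by fixed-size flow records, with srcaddr, dstaddr, nexthop and input at the offsets in Table 38-2), as an added example that is not from the Cisco guide: a Python parser that checks the header's record count against the datagram length before decoding, plus the builder used to construct its sample input. Field order follows the standard NetFlow v5 export format; the addresses and counters in sample_datagram() are constructed, not captured from a switch.

```python
"""Parse and build NetFlow version 5 export datagrams.

Added example, not from the Cisco guide. It follows the standard v5
export layout: a 24-byte header followed by 'count' 48-byte flow
records, all big-endian. sample_datagram() is constructed for the
example, not captured from a switch."""
import socket
import struct
from typing import Dict, List, Tuple

# Header: version, count, SysUptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval (24 bytes).
HEADER = struct.Struct("!HHIIIIBBH")
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
# Flow record (48 bytes); input/output are SNMP ifIndex values, first/last
# are SysUptime at the first and last packet of the flow.
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")
ADDRESS_FIELDS = ("srcaddr", "dstaddr", "nexthop")
MAX_RECORDS = 30  # a v5 datagram carries at most 30 flow records

Record = Dict[str, object]


def parse_v5(datagram: bytes) -> Tuple[Record, List[Record]]:
    """Decode one export datagram into (header, records).

    The header count must agree with the datagram length, so a truncated or
    padded datagram (UDP export is unauthenticated) is rejected outright
    rather than partially decoded."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the NetFlow header")
    hdr = dict(zip(HEADER_FIELDS, HEADER.unpack_from(datagram, 0)))
    if hdr["version"] != 5:
        raise ValueError(f"unsupported NetFlow version {hdr['version']}")
    if not 1 <= hdr["count"] <= MAX_RECORDS:
        raise ValueError(f"implausible record count {hdr['count']}")
    if len(datagram) != HEADER.size + hdr["count"] * RECORD.size:
        raise ValueError("datagram length disagrees with header count")
    records = []
    for n in range(hdr["count"]):
        offset = HEADER.size + n * RECORD.size
        rec = dict(zip(RECORD_FIELDS, RECORD.unpack_from(datagram, offset)))
        for name in ADDRESS_FIELDS:           # 4-byte fields -> dotted quad
            rec[name] = socket.inet_ntoa(rec[name])
        records.append(rec)
    return hdr, records


def is_valid_v5(datagram: bytes) -> bool:
    """True when parse_v5 accepts the datagram; handy for filtering input."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def build_v5(hdr: Record, records: List[Record]) -> bytes:
    """Encode a datagram (inverse of parse_v5); the count is taken from records."""
    values = [len(records) if k == "count" else hdr[k] for k in HEADER_FIELDS]
    out = bytearray(HEADER.pack(*values))
    for rec in records:
        rec = dict(rec, pad1=0, pad2=0)       # padding is always zero on the wire
        rec.update({k: socket.inet_aton(rec[k]) for k in ADDRESS_FIELDS})
        out += RECORD.pack(*[rec[k] for k in RECORD_FIELDS])
    return bytes(out)


def sample_datagram() -> bytes:
    """Constructed two-flow datagram (addresses and counters are made up)."""
    hdr = {"version": 5, "count": 0, "sys_uptime": 120000,
           "unix_secs": 1700000000, "unix_nsecs": 0, "flow_sequence": 42,
           "engine_type": 0, "engine_id": 0, "sampling_interval": 0}
    flows = [
        # a short HTTP exchange: 12 packets, 9216 bytes, SYN/ACK/PSH/FIN seen
        dict(zip(RECORD_FIELDS, ("10.1.1.4", "10.1.1.100", "0.0.0.0", 3, 5,
                                 12, 9216, 100000, 110000, 40512, 80, 0,
                                 0x1b, 6, 0, 0, 0, 24, 24, 0))),
        # a single SYN to port 22 that was never answered
        dict(zip(RECORD_FIELDS, ("10.1.2.7", "10.1.1.100", "0.0.0.0", 7, 5,
                                 1, 76, 115000, 115000, 53122, 22, 0,
                                 0x02, 6, 0, 0, 0, 24, 24, 0))),
    ]
    return build_v5(hdr, flows)
```

Feeding the same parser the datagrams a collector receives on the export port (UDP 9991 in this chapter's example) yields one record per flow with the fields named in Table 38-2.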
• source and destination IP addresses
• IP protocol
• source and destination port numbers
Information Derived from Software
Information available in a typical NetFlow record from software includes the following:
• Input and output identifiers
• Routing information, including next-hop address, origin and peer AS, source and destination prefix mask
Assigning the Input and Output Interface and AS Numbers
The following topics
Assigning the Input Interface and Input Related Inferred Fields
Similarly, the input interface and the source AS number for the source IP address are determined by looking up the FIB entry in the default FIB table based on the source IP address.
Configuring NetFlow Statistics Collection
The following example shows the CLI output for a specific VLAN:
cat4k-sup4-2# sh vlan counters or show vlan id 22 count
* Multicast counters include broadcast packets
Vlan Id                     :22
L2 Unicast Packets          :38
L2 Unicast Octets           :2432
L3 Input Unicast Packets    :14344621
L3 Input Unicast Octets     :659852566
L3 Output Unicast Packets   :8983050
L3 Output Unicast Octets    :413220300
L3 Output Multicast Packets :0
L3 Output Multicast Octets  :0
L3 Input
Mod MAC addresses                       Hw  Fw           Sw               Status
---+--------------------------------+---+------------+----------------+--------
 1  0001.6442.2c00 to 0001.6442.2c01   0.4 12.1(14r)EW( 12.1(20030513:00  Ok
 2  0001.6442.2c02 to 0001.6442.2c03   0.4 12.1(14r)EW( 12.1(20030513:00  Ok
 6  0050.3ed8.6780 to 0050.3ed8.67af   1.6 12.1(14r)EW( 12.1(20030513:00  Ok
Mod Submodule Model Serial No.
Configuring Switched/Bridged IP Flows
Netflow is defined as a collection of routed IP flows created and tracked for all routed IP traffic. In switching environments, considerable IP traffic is switched within a VLAN and hence is not routed. This traffic is termed switched/bridged IP traffic; the associated flow is termed switched/bridged IP flows. NetFlow hardware is capable of creating and tracking this type of flow.
Protocol  Total  Flows  Packets  Bytes  Packets  Active(Sec)  Idle(Sec)
--------  Flows   /Sec    /Flow   /Pkt     /Sec        /Flow      /Flow
SrcIf  SrcIPaddress  DstIf  DstIPaddress
Fa1    150.1.1.1     Fa1    13.1.1.1
Fa1    13.1.1.1      Fa1    150.1.1.
Switch#
Configuring an Aggregation Cache
Aggregation of NetFlow Statistics is typically performed by NetFlow collection tools on management workstations. By extending this support to the Catalyst 4500 series switch, you can do the following:
• Reduce the required bandwidth between the switch and workstations, because fewer NDE packets are exported.
• Reduce the number of collection workstations required.
Configuring a NetFlow Minimum Prefix Mask for Router-Based Aggregation
The minimum prefix mask specifies the shortest subnet mask that will be used for aggregating flows within one of the IP-address based aggregation caches (e.g. source-prefix, destination-prefix, prefix).
Configuring the Minimum Mask of a Source-Prefix Aggregation Scheme
To configure the minimum mask of a source-prefix aggregation scheme, perform this task:
Step 1  Command: Router(config)# ip flow-aggregation cache source-prefix
        Purpose: Configures the source-prefix aggregation cache.
Step 2  Command: Router(config-flow-cache)# mask source minimum value
        Purpose: Specifies the minimum value for the source mask.
NetFlow Statistics Collection Configuration Example

The following example shows how to modify the configuration to enable NetFlow switching. It also shows how to export the flow statistics for further processing to UDP port 9991 on a workstation with the IP address of 40.0.0.2.
NetFlow Configuration Examples

[Truncated show ip cache flow display: the flow entries list source interface, source address, destination interface and destination address. Six flows enter on Gi6/2 from 30.20.1.10 through 30.20.1.15 and leave on Gi6/1, one flow enters on Gi5/48 from 171.69.23.149 with a Local destination interface, and eleven flows enter on Gi6/1 from 30.10.1.10 through 30.10.1.20 and leave on Gi6/2.]
Autonomous System Configuration

This example shows how to configure an autonomous system aggregation cache with an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an export destination IP address of 10.42.42.
Switch(config-flow-cache)# cache timeout active 45
Switch(config-flow-cache)# export destination 10.42.42.
CHAPTER 39

Diagnostics on the Catalyst 4500 Switch

Diagnostics tests and verifies the functionality of the hardware components of your system (chassis, supervisor engines, modules, and ASICs) while your Catalyst 4500 series switch is connected to a live network. Diagnostics consists of packet switching tests that exercise the hardware components and verify the data path and control signals. Diagnostic tests are non-disruptive (except POST) and run at different times.
Troubleshooting with Online Diagnostics

A linecard is reported as faulty if any of the following conditions occurs:

• All ports fail
• All ports on a stub chip fail
• Only one port fails

For all of the above situations, the output of the show module command displays the status of the linecard as faulty:

Switch# show mod
Chassis Type : WS-C4006
Power consumed by backplane : 0 Watts
Mod Ports Card Type Model Serial No.
  1) linecard-online-diag --------------------> .

The linecard passed online diagnostics either 1) when it was inserted into the chassis the last time or 2) when the switch was powered up (as reported by the "."). Further investigation is required.

Step 2  Insert a different supervisor engine card and re-insert the linecard. If the linecard passes the test, it suggests that the supervisor engine card is defective.
Sample POST Results

For all the supervisor engines, POST performs CPU, traffic, system, system memory, and feature tests. For CPU tests, POST verifies appropriate activity of the supervisor SEEPROM, temperature sensor, and Ethernet out-of-band channel (eobc), when used. The following example illustrates the output of a CPU subsystem test on all supervisor engines except the WS-X4013+TS:

[..]
Cpu Subsystem Tests ...
 seeprom: .
 temperature_sensor: .
 eobc: .
The following example shows the output for a WS-X4516 supervisor engine:

Switch# show diagnostic result module 2 detail

module 2:
  Overall diagnostic result: PASS
  Test results: (. = Pass, F = Fail, U = Untested)
___________________________________________________________________________
  1) supervisor-bootup -----------------------> .
Module 2 Passed
___________________________________________________________________________
  2) packet-memory-bootup --------------------> U
          Error code --------------------------> 0 (DIAG_SUCCESS)
          Total run count ---------------------> 0
          Last test execution time ------------> n/a
          First test failure time -------------> n/a
          Last test failure time --------------> n/a
          Last test pass time -----------------> n/a
          Total failure count -----------------> 0
          Consecut
  Potential false positives:            0 0
  Ignored because of rx errors:         0 0
  Ignored because of cdm fifo overrun:  0 0
  Ignored because of oir:               0 0
  Ignored because isl frames received:  0 0
  Ignored during boot:                  0 0
  Ignored after writing hw stats:       0 0
  Ignored on high gigaport:             0
  Ongoing diag action mode:             Normal
  Last 1000 Memory Test Failures:
  Last 1000 Packet Memory errors:
  First 1000 Packet Memory errors:
_________________________________________________________________
          Last test execution time ------------> Jul 19 2005 13:28:16
          First test failure time -------------> n/a
          Last test failure time --------------> n/a
          Last test pass time -----------------> Jul 19 2005 13:28:16
          Total failure count -----------------> 0
          Consecutive failure count -----------> 0

Power-On-Self-Test Results for ACTIVE Supervisor

Power-on-self-test for Module 1: WS-X4516-10GE
Port/Test Status: (.
  2) packet-memory-bootup --------------------> U
          Error code --------------------------> 0 (DIAG_SUCCESS)
          Total run count ---------------------> 0
          Last test execution time ------------> n/a
          First test failure time -------------> n/a
          Last test failure time --------------> n/a
          Last test pass time -----------------> n/a
          Total failure count -----------------> 0
          Consecutive failure count -----------> 0
  packet buffers on free list: 64557 bad: 0 used for ongoing t
  Ignored during boot:                  0 0
  Ignored after writing hw stats:       0 0
  Ignored on high gigaport:             0
  Ongoing diag action mode:             Normal
  Last 1000 Memory Test Failures:
  Last 1000 Packet Memory errors:
  First 1000 Packet Memory errors:
___________________________________________________________________________
Switch#

POST on Standby Supervisor Engine

Ports 62 and 63 of the supervisor engine always remain Untested or U.
Local 10GE Port 62: U
Local 10GE Port 63: U
[Truncated per-port POST output: the Port Traffic: L2 Serdes Loopback and Port Traffic: L2 Asic Loopback tests list ports 0 through 51 in groups, and every port status that survives extraction is "." (Pass).]
          Last test failure time --------------> n/a
          Last test pass time -----------------> n/a
          Total failure count -----------------> 0
          Consecutive failure count -----------> 0
  packet buffers on free list: 64557 bad: 0 used for ongoing tests: 979
  Packet memory errors: 0 0
  Current alert level: green
  Per 5 seconds in the last minute:
    0 0 0 0 0 0 0 0 0 0 0 0
  Per minute in the last hour:
    0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
To evaluate whether the hardware failure is persistent, you can power cycle the supervisor engine to rerun the POST tests. You can also remove and reinsert the supervisor engine into the chassis to ensure that the seating is correct. Please call the Cisco Systems customer support team for more information.

Software Configuration Guide—Release 12.
APPENDIX A

Acronyms and Abbreviations

Table A-1 defines the acronyms and abbreviations used in this publication.
Table A-1 Acronyms (continued)

Acronym    Expansion
CHAP       Challenge Handshake Authentication Protocol
CIR        committed information rate
CIST       Common and Internal Spanning Tree
CLI        command-line interface
CLNS       Connection-Less Network Service
CMNS       Connection-Mode Network Service
COPS       Common Open Policy Server
COPS-DS    Common Open Policy Server Differentiated Services
CoS        class of service
CPLD       Complex Programmable Logic Device
CRC        cyclic redundancy check

EAP        Extensible Authentication Protocol
EARL       Enhanced Address Recognition Logic
EEPROM     electrically erasable programmable read-only memory
EHSA       enhanced high system availability
EHT        Explicit Host Tracking
EIA        Electronic Industries Association
ELAN       Emulated Local Area Network
EOBC       Ethernet out-of-band channel
ESI        end-system identifier
FECN       forward explicit congestion notification
FM         feature manage

LDA        Local Director Acceleration
LCP        Link Control Protocol
LEC        LAN Emulation Client
LECS       LAN Emulation Configuration Server
LEM        link error monitor
LER        link error rate
LES        LAN Emulation Server
LLC        Logical Link Control
LTL        Local Target Logic
MAC        Media Access Control
MACL       MAC Access Control
MD5        Message Digest 5
MFD        multicast fast drop
MIB        Management Information Base
MII        media-independent int

OAM        Operation, Administration, and Maintenance
ODM        order dependent merge
OSI        Open System Interconnection
OSPF       open shortest path first
PACL       Port Access Control List
PAE        port access entity
PAgP       Port Aggregation Protocol
PBD        packet buffer daughterboard
PBR        Policy Based Routing
PC         Personal Computer
PCM        pulse code modulation
PCR        peak cell rate
PDP        policy decision point
PDU        protocol data unit

RPF        reverse path forwarding
RPR        Route Processor Redundancy
RSPAN      remote SPAN
RST        reset
RSVP       ReSerVation Protocol
SAID       Security Association Identifier
SAP        service access point
SCM        service connection manager
SCP        Switch-Module Configuration Protocol
SDLC       Synchronous Data Link Control
SGBP       Stack Group Bidding Protocol
SIMM       single in-line memory module
SLB        server load balancing
SLCP       Supervisor

TLV        type-length-value
TTL        Time To Live
TVX        valid transmission
UDLD       UniDirectional Link Detection Protocol
UDP        User Datagram Protocol
UNI        User-Network Interface
UTC        Coordinated Universal Time
VACL       VLAN access control list
VCC        virtual channel circuit
VCI        virtual circuit identifier
VCR        Virtual Configuration Register
VINES      Virtual Network System
VLAN       virtual LAN
VMPS       VLAN Membership Policy Ser