Catalyst 3750 Switch Software Configuration Guide
Cisco IOS Release 12.2(55)SE
August 2010
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS
Preface xlix
Audience xlix
Purpose xlix
Conventions l
Related Publications l
Obtaining Documentation, Obtaining Support, and Security Guidelines
CHAPTER 1 Overview 1-1
Features 1-1
Ease-of-Deployment and Ease-of-Use Features
Performance Features 1-4
Management Options 1-5
Manageability Features 1-6
Availability and Redundancy Features 1-8
VLAN Features 1-9
Security Features 1-10
QoS and CoS Features 1-13
Layer 3 Features 1-14
Power over Ethernet Features 1-15
Monitoring Features 1-15
D
Understanding no and default Forms of Commands 2-4
Understanding CLI Error Messages 2-5
Using Configuration Logging 2-5
Using Command History 2-6
Changing the Command History Buffer Size 2-6
Recalling Commands 2-6
Disabling the Command History Feature 2-7
Using Editing Features 2-7
Enabling and Disabling Editing Features 2-7
Editing Commands through Keystrokes 2-8
Editing Command Lines that Wrap 2-9
Searching and Filtering Output of show and more Commands 2-10
Accessing the CLI 2-10
Accessin
Modifying the Startup Configuration 3-19
Default Boot Configuration 3-20
Automatically Downloading a Configuration File 3-20
Specifying the Filename to Read and Write the System Configuration 3-20
Booting Manually 3-21
Booting a Specific Software Image 3-22
Controlling Environment Variables 3-23
Scheduling a Reload of the Software Image 3-24
Configuring a Scheduled Reload 3-25
Displaying Scheduled Reload Information 3-26
CHAPTER 4 Configuring Cisco IOS Configuration Engine 4-1
Understanding
Member Priority Values 5-7
Stack Offline Configuration 5-7
Effects of Adding a Provisioned Switch to a Stack 5-8
Effects of Replacing a Provisioned Switch in a Stack 5-9
Effects of Removing a Provisioned Switch from a Stack 5-9
Hardware Compatibility and SDM Mismatch Mode in Switch Stacks 5-9
Stack Software Compatibility Recommendations 5-10
Stack Protocol Version Compatibility 5-10
Major Version Number Incompatibility Among Switches 5-10
Minor Version Number Incompatibility Among Switches 5-10
Un
Hardware Loopback 5-29
Hardware Loopback Example: LINK OK Event 5-29
Hardware Loopback Example: LINK NOT OK Event 5-30
Finding a Disconnected Cable 5-31
Fixing a Bad Connection Between StackWise Ports 5-32
CHAPTER 6 Clustering Switches 6-1
Understanding Switch Clusters 6-1
Cluster Command Switch Characteristics 6-3
Standby Cluster Command Switch Characteristics 6-3
Candidate Switch and Cluster Member Switch Characteristics 6-4
Planning a Switch Cluster 6-5
Automatic Discovery of Cluster Candida
Configuring NTP Authentication 7-5
Configuring NTP Associations 7-6
Configuring NTP Broadcast Service 7-7
Configuring NTP Access Restrictions 7-8
Configuring the Source IP Address for NTP Packets 7-10
Displaying the NTP Configuration 7-11
Configuring Time and Date Manually 7-11
Setting the System Clock 7-11
Displaying the Time and Date Configuration 7-12
Configuring the Time Zone 7-12
Configuring Summer Time (Daylight Saving Time) 7-13
Configuring a System Name and Prompt 7-14
Default System Name
CHAPTER 8 Configuring SDM Templates 8-1
Understanding the SDM Templates 8-1
Dual IPv4 and IPv6 SDM Templates 8-2
SDM Templates and Switch Stacks 8-3
Configuring the Switch SDM Template 8-4
Default SDM Template 8-4
SDM Template Configuration Guidelines 8-5
Setting the SDM Template 8-6
Displaying the SDM Templates 8-8
CHAPTER 9 Configuring Switch-Based Authentication 9-1
Preventing Unauthorized Access to Your Switch 9-1
Protecting Access to Privileged EXEC Commands 9-2
Default Password
Change-of-Authorization Requests 9-21
CoA Request Response Code 9-22
CoA Request Commands 9-23
Stacking Guidelines for Session Termination 9-26
Configuring RADIUS 9-27
Default RADIUS Configuration 9-27
Identifying the RADIUS Server Host 9-28
Configuring RADIUS Login Authentication 9-30
Defining AAA Server Groups 9-32
Configuring RADIUS Authorization for User Privileged Access and Network Services 9-34
Starting RADIUS Accounting 9-35
Establishing a Session with a Router if the AAA Server is Unreach
CipherSuites 9-52
Configuring Secure HTTP Servers and Clients 9-53
Default SSL Configuration 9-53
SSL Configuration Guidelines 9-53
Configuring a CA Trustpoint 9-54
Configuring the Secure HTTP Server 9-55
Configuring the Secure HTTP Client 9-56
Displaying Secure HTTP Server and Client Status 9-57
Configuring the Switch for Secure Copy Protocol 9-57
Information About Secure Copy 9-58
CHAPTER 10 Configuring IEEE 802.1x Port-Based Authentication 10-1
Understanding IEEE 802.
Support on Multiple-Authentication Ports 10-26
Authentication Results 10-26
Feature Interactions 10-26
802.1x Authentication with Voice VLAN Ports 10-27
802.1x Authentication with Port Security 10-28
802.1x Authentication with Wake-on-LAN 10-29
802.1x Authentication with MAC Authentication Bypass 10-29
802.1x User Distribution 10-31
802.1x User Distribution Configuration Guidelines 10-31
Network Admission Control Layer 2 802.
Configuring a Guest VLAN 10-54
Configuring a Restricted VLAN 10-55
Configuring the Inaccessible Authentication Bypass Feature 10-57
Configuring 802.1x Authentication with WoL 10-59
Configuring MAC Authentication Bypass 10-60
Configuring 802.1x User Distribution 10-61
Configuring NAC Layer 2 802.1x Validation 10-62
Configuring an Authenticator and a Supplicant Switch with NEAT 10-63
Configuring NEAT with Auto Smartports Macros 10-64
Configuring 802.
Web-Based Authentication Configuration Task List 11-10
Configuring the Authentication Rule and Interfaces 11-10
Configuring AAA Authentication 11-11
Configuring Switch-to-RADIUS-Server Communication 11-11
Configuring the HTTP Server 11-13
Customizing the Authentication Proxy Web Pages 11-13
Specifying a Redirection URL for Successful Login 11-15
Configuring an AAA Fail Policy 11-15
Configuring the Web-Based Authentication Parameters 11-16
Configuring a Web Authentication Local Banner 11-16
Removin
Setting the Interface Speed and Duplex Parameters 12-19
Configuring IEEE 802.
Interaction with Other Features 13-19
Configuring a Trunk Port 13-21
Defining the Allowed VLANs on a Trunk 13-22
Changing the Pruning-Eligible List 13-23
Configuring the Native VLAN for Untagged Traffic 13-24
Configuring Trunk Ports for Load Sharing 13-24
Load Sharing Using STP Port Priorities 13-25
Load Sharing Using STP Path Cost 13-26
Configuring VMPS 13-28
Understanding VMPS 13-28
Dynamic-Access Port VLAN Membership 13-29
Default VMPS Client Configuration 13-29
VMPS Configuration Guidelines
Configuring VTP Mode 14-11
Configuring a VTP Version 3 Password 14-13
Configuring a VTP Version 3 Primary Server 14-13
Enabling the VTP Version 14-14
Enabling VTP Pruning 14-15
Configuring VTP on a Per-Port Basis 14-15
Adding a VTP Client Switch to a VTP Domain 14-16
Monitoring VTP 14-17
CHAPTER 15 Configuring Voice VLAN 15-1
Understanding Voice VLAN 15-1
Cisco IP Phone Voice Traffic 15-2
Cisco IP Phone Data Traffic 15-3
Configuring Voice VLAN 15-3
Default Voice VLAN Configuration 15-3
Voice
Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface 16-14
Monitoring Private VLANs 16-15
CHAPTER 17 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling 17-1
Understanding IEEE 802.1Q Tunneling 17-1
Configuring IEEE 802.1Q Tunneling 17-4
Default IEEE 802.1Q Tunneling Configuration 17-4
IEEE 802.1Q Tunneling Configuration Guidelines 17-4
Native VLANs 17-4
System MTU 17-5
IEEE 802.1Q Tunneling and Other Features 17-6
Configuring an IEEE 802.
Spanning-Tree Interoperability and Backward Compatibility 18-11
STP and IEEE 802.1Q Trunks 18-11
VLAN-Bridge Spanning Tree 18-11
Spanning Tree and Switch Stacks 18-12
Configuring Spanning-Tree Features 18-12
Default Spanning-Tree Configuration 18-13
Spanning-Tree Configuration Guidelines 18-13
Changing the Spanning-Tree Mode.
Synchronization of Port Roles 19-12
Bridge Protocol Data Unit Format and Processing 19-13
Processing Superior BPDU Information 19-14
Processing Inferior BPDU Information 19-14
Topology Changes 19-14
Configuring MSTP Features 19-15
Default MSTP Configuration 19-16
MSTP Configuration Guidelines 19-16
Specifying the MST Region Configuration and Enabling MSTP
Configuring the Root Switch 19-19
Configuring a Secondary Root Switch 19-20
Configuring Port Priority 19-21
Configuring Path Cost 19-23
Configur
Enabling Port Fast 20-13
Enabling BPDU Guard 20-14
Enabling BPDU Filtering 20-15
Enabling UplinkFast for Use with Redundant Links 20-16
Enabling Cross-Stack UplinkFast 20-17
Enabling BackboneFast 20-17
Enabling EtherChannel Guard 20-18
Enabling Root Guard 20-18
Enabling Loop Guard 20-19
Displaying the Spanning-Tree Status 20-20
CHAPTER 21 Configuring Flex Links and the MAC Address-Table Move Update Feature
Understanding Flex Links and the MAC Address-Table Move Update
Flex Links 21-1
VLAN Fle
Default DHCP Snooping Configuration 22-10
DHCP Snooping Configuration Guidelines 22-10
Configuring the DHCP Relay Agent 22-11
Specifying the Packet Forwarding Address 22-12
Enabling DHCP Snooping and Option 82 22-13
Enabling DHCP Snooping on Private VLANs 22-15
Enabling the Cisco IOS DHCP Server Database 22-15
Enabling the DHCP Snooping Binding Database Agent 22-15
Displaying DHCP Snooping Information 22-16
Understanding IP Source Guard 22-18
Source IP Address Filtering 22-18
Source IP and MAC A
Limiting the Rate of Incoming ARP Packets 23-11
Performing Validation Checks 23-12
Configuring the Log Buffer 23-13
Displaying Dynamic ARP Inspection Information 23-15
CHAPTER 24 Configuring IGMP Snooping and MVR 24-1
Understanding IGMP Snooping 24-2
IGMP Versions 24-3
Joining a Multicast Group 24-3
Leaving a Multicast Group 24-5
Immediate Leave 24-6
IGMP Configurable-Leave Timer 24-6
IGMP Report Suppression 24-6
IGMP Snooping and Switch Stacks 24-7
Configuring IGMP Snooping 24-7
Default I
Configuring IGMP Profiles 24-26
Applying IGMP Profiles 24-27
Setting the Maximum Number of IGMP Groups 24-28
Configuring the IGMP Throttling Action 24-29
Displaying IGMP Filtering and Throttling Configuration 24-30
CHAPTER 25 Configuring Port-Based Traffic Control 25-1
Configuring Storm Control 25-1
Understanding Storm Control 25-2
Default Storm Control Configuration 25-3
Configuring Storm Control and Threshold Levels 25-3
Configuring Small-Frame Arrival Rate 25-5
Configuring Protected P
Monitoring and Maintaining CDP 26-5
CHAPTER 27 Configuring LLDP, LLDP-MED, and Wired Location Service 27-1
Understanding LLDP, LLDP-MED, and Wired Location Service 27-1
LLDP 27-1
LLDP-MED 27-2
Wired Location Service 27-3
Configuring LLDP, LLDP-MED, and Wired Location Service
Default LLDP Configuration 27-5
Configuration Guidelines 27-5
Enabling LLDP 27-6
Configuring LLDP Characteristics 27-7
Configuring LLDP-MED TLVs 27-8
Configuring Network-Policy TLV 27-9
Configuring Location TLV and Wir
Destination Port 29-8
RSPAN VLAN 29-9
SPAN and RSPAN Interaction with Other Features 29-9
SPAN and RSPAN and Switch Stacks 29-10
Configuring SPAN and RSPAN 29-10
Default SPAN and RSPAN Configuration 29-11
Configuring Local SPAN 29-11
SPAN Configuration Guidelines 29-11
Creating a Local SPAN Session 29-12
Creating a Local SPAN Session and Configuring Incoming Traffic 29-15
Specifying VLANs to Filter 29-16
Configuring RSPAN 29-17
RSPAN Configuration Guidelines 29-17
Configuring a VLAN as an RSPAN
Defining the Message Severity Level 31-9
Limiting Syslog Messages Sent to the History Table and to SNMP 31-10
Enabling the Configuration-Change Logger 31-11
Configuring UNIX Syslog Servers 31-12
Logging Messages to a UNIX Syslog Daemon 31-13
Configuring the UNIX System Logging Facility 31-13
Displaying the Logging Configuration 31-14
CHAPTER 32 Configuring SNMP 32-1
Understanding SNMP 32-1
SNMP Versions 32-2
SNMP Manager Functions 32-4
SNMP Agent Functions 32-4
SNMP Community Strings 32-4
U
Registering and Defining an Embedded Event Manager TCL Script 33-7
Displaying Embedded Event Manager Information 33-7
CHAPTER 34 Configuring Network Security with ACLs 34-1
Understanding ACLs 34-1
Supported ACLs 34-2
Port ACLs 34-3
Router ACLs 34-4
VLAN Maps 34-5
Handling Fragmented and Unfragmented Traffic 34-5
ACLs and Switch Stacks 34-6
Configuring IPv4 ACLs 34-7
Creating Standard and Extended IPv4 ACLs 34-8
Access List Numbers 34-8
ACL Logging 34-9
Creating a Numbered Standard ACL 34-
Using VLAN Maps in Your Network 34-35
Wiring Closet Configuration 34-35
Denying Access to a Server on Another VLAN 34-36
Using VLAN Maps with Router ACLs 34-37
VLAN Maps and Router ACL Configuration Guidelines 34-38
Examples of Router ACLs and VLAN Maps Applied to VLANs 34-39
ACLs and Switched Packets 34-39
ACLs and Bridged Packets 34-39
ACLs and Routed Packets 34-40
ACLs and Multicast Packets 34-41
Displaying IPv4 ACL Configuration 34-42
CHAPTER 35 Configuring QoS 35-1
Understanding QoS 3
Upgrading from Cisco IOS Release 12.
Configuration Guidelines 35-78
Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set 35-78
Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID 35-80
Configuring SRR Shaped Weights on Egress Queues 35-82
Configuring SRR Shared Weights on Egress Queues 35-83
Configuring the Egress Expedite Queue 35-84
Limiting the Bandwidth on an Egress Interface 35-84
Displaying Standard QoS Information 35-85
CHAPTER 36 Configuring EtherChannels and Link-State Tracking
Link-State Tracking Configuration Guidelines 36-26
Configuring Link-State Tracking 36-26
Displaying Link-State Tracking Status 36-27
CHAPTER 37 Configuring TelePresence E911 IP Phone Support 37-1
Understanding TelePresence E911 IP Phone Support 37-1
Configuring TelePresence E911 IP Phone Support 37-2
Configuration Guidelines 37-2
Enabling TelePresence E911 IP Phone Support 37-3
Example 37-3
CHAPTER 38 Configuring IP Unicast Routing 38-1
Understanding IP Routing 38-2
Types of Routing 38-3
Configuring RIP Authentication 38-23
Configuring Summary Addresses and Split Horizon 38-23
Configuring Split Horizon 38-24
Configuring OSPF 38-25
Default OSPF Configuration 38-26
OSPF for Routed Access 38-28
OSPF Nonstop Forwarding 38-28
Configuring Basic OSPF Parameters 38-29
Configuring OSPF Interfaces 38-30
Configuring OSPF Area Parameters 38-31
Configuring Other OSPF Parameters 38-32
Changing LSA Group Pacing 38-34
Configuring a Loopback Interface 38-34
Monitoring OSPF 38-35
Configuring EIGR
Configuring IS-IS Dynamic Routing 38-66
Default IS-IS Configuration 38-67
Nonstop Forwarding Awareness 38-68
Enabling IS-IS Routing 38-68
Configuring IS-IS Global Parameters 38-70
Configuring IS-IS Interface Parameters 38-72
Monitoring and Maintaining ISO IGRP and IS-IS 38-74
Configuring Multi-VRF CE 38-75
Understanding Multi-VRF CE 38-76
Default Multi-VRF CE Configuration 38-78
Multi-VRF CE Configuration Guidelines 38-78
Configuring VRFs 38-79
Configuring Multicast VRFs 38-80
Configuring VRF-Awar
Monitoring and Maintaining the IP Network 38-106
CHAPTER 39 Configuring IPv6 Unicast Routing 39-1
Understanding IPv6 39-2
IPv6 Addresses 39-2
Supported IPv6 Unicast Routing Features 39-3
128-Bit Wide Unicast Addresses 39-3
DNS for IPv6 39-4
Path MTU Discovery for IPv6 Unicast 39-4
ICMPv6 39-4
Neighbor Discovery 39-4
Default Router Preference 39-5
IPv6 Stateless Autoconfiguration and Duplicate Address Detection
IPv6 Applications 39-5
Dual IPv4 and IPv6 Protocol Stacks 39-5
DHCP for IPv6 Addre
Configuring RIP for IPv6 39-22
Configuring OSPF for IPv6 39-23
Configuring EIGRP for IPv6 39-25
Configuring HSRP for IPv6 39-25
Enabling HSRP Version 2 39-26
Enabling an HSRP Group for IPv6 39-26
Displaying IPv6 39-28
CHAPTER 40 Configuring IPv6 MLD Snooping 40-1
Understanding MLD Snooping 40-1
MLD Messages 40-2
MLD Queries 40-3
Multicast Client Aging Robustness 40-3
Multicast Router Discovery 40-3
MLD Reports 40-4
MLD Done Messages and Immediate-Leave 40-4
Topology Change Notification Proc
Displaying IPv6 ACLs 41-8
CHAPTER 42 Configuring HSRP 42-1
Understanding HSRP 42-1
HSRP Versions 42-3
Multiple HSRP 42-4
HSRP and Switch Stacks 42-5
Configuring HSRP 42-5
Default HSRP Configuration 42-5
HSRP Configuration Guidelines 42-6
Enabling HSRP 42-6
Configuring HSRP Priority 42-8
Configuring MHSRP 42-10
Configuring HSRP Authentication and Timers 42-10
Enabling HSRP Support for ICMP Redirect Messages
Configuring HSRP Groups and Clustering 42-12
Troubleshooting HSRP 42-13
Displaying H
Tracking Interface Line-Protocol or IP Routing State 44-2
Configuring a Tracked List 44-3
Configuring a Tracked List with a Boolean Expression 44-3
Configuring a Tracked List with a Weight Threshold 44-4
Configuring a Tracked List with a Percentage Threshold 44-5
Configuring HSRP Object Tracking 44-7
Configuring Other Tracking Characteristics 44-8
Configuring IP SLAs Object Tracking 44-8
Configuring Static Routing Support 44-10
Configuring a Primary Interface 44-10
Configuring a Cisco IP SLAs Moni
Bootstrap Router 46-7
Multicast Forwarding and Reverse Path Check 46-7
Understanding DVMRP 46-9
Understanding CGMP 46-9
Multicast Routing and Switch Stacks 46-10
Configuring IP Multicast Routing 46-10
Default Multicast Routing Configuration 46-11
Multicast Routing Configuration Guidelines 46-11
PIMv1 and PIMv2 Interoperability 46-11
Auto-RP and BSR Configuration Guidelines 46-12
Configuring Basic Multicast Routing 46-12
Configuring Source-Specific Multicast 46-14
SSM Components Overview 46-14
H
Configuring Optional IGMP Features 46-38
Default IGMP Configuration 46-39
Configuring the Switch as a Member of a Group 46-39
Controlling Access to IP Multicast Groups 46-40
Changing the IGMP Version 46-41
Modifying the IGMP Host-Query Message Interval 46-41
Changing the IGMP Query Timeout for IGMPv2 46-42
Changing the Maximum Query Response Time for IGMPv2 46-43
Configuring the Switch as a Statically Connected Member 46-43
Configuring Optional Multicast Routing Features 46-44
Enabling CGMP Serv
Default MSDP Configuration 47-4
Configuring a Default MSDP Peer 47-4
Caching Source-Active State 47-6
Requesting Source Information from an MSDP Peer 47-8
Controlling Source Information that Your Switch Originates 47-8
Redistributing Sources 47-9
Filtering Source-Active Request Messages 47-10
Controlling Source Information that Your Switch Forwards 47-11
Using a Filter 47-12
Using TTL to Limit the Multicast Data Sent in SA Messages 47-13
Controlling Source Information that Your Switch Receives 47-
Recovering from a Command Switch Failure 49-8
Replacing a Failed Command Switch with a Cluster Member 49-9
Replacing a Failed Command Switch with Another Switch 49-11
Recovering from Lost Cluster Member Connectivity 49-12
Preventing Autonegotiation Mismatches 49-12
Troubleshooting Power over Ethernet Switch Ports 49-13
Disabled Port Caused by Power Loss 49-13
Disabled Port Caused by False Link Up 49-13
SFP Module Security and Identification
Monitoring SFP Module Status
Monitoring Temperature
Troubleshooting Power over Ethernet (PoE) 49-28
Troubleshooting Stackwise 49-31
CHAPTER 50 Configuring Online Diagnostics 50-1
Understanding How Online Diagnostics Work 50-1
Scheduling Online Diagnostics 50-2
Configuring Health-Monitoring Diagnostics 50-2
Running Online Diagnostic Tests 50-3
Starting Online Diagnostic Tests 50-3
Displaying Online Diagnostic Tests and Test Results 50-5
APPENDIX A Configuring the Catalyst 3750G Integrated Wireless LAN Controller Switch
Understanding t
Extracting a tar File C-8
Displaying the Contents of a File C-8
Working with Configuration Files C-9
Guidelines for Creating and Using Configuration Files C-10
Configuration File Types and Location C-10
Creating a Configuration File By Using a Text Editor C-11
Copying Configuration Files By Using TFTP C-11
Preparing to Download or Upload a Configuration File By Using TFTP C-11
Downloading the Configuration File By Using TFTP C-12
Uploading the Configuration File By Using TFTP C-13
Copying Con
Uploading an Image File By Using RCP C-39
Copying an Image File from One Stack Member to Another
APPENDIX D Unsupported Commands in Cisco IOS Release 12.
IP SLA D-8
Unsupported MPLS Health Monitor Commands D-8
Unsupported Ethernet Gatekeeper Registration Commands D-8
Unsupported VoIP Call Setup Probe Commands D-8
IP Unicast Routing D-8
Unsupported Privileged EXEC or User EXEC Commands D-8
Unsupported Global Configuration Commands D-9
Unsupported Interface Configuration Commands D-9
Unsupported BGP Router Configuration Commands D-9
Unsupported VPN Configuration Commands D-10
Unsupported Route Map Commands D-10
IPv6 D-10
IPv4-v6 Tunneling Command
Unsupported Global Configuration Command D-15
Unsupported Interface Configuration Commands D-15
Unsupported Policy-Map Configuration Command D-15
RADIUS D-16
Unsupported Global Configuration Commands D-16
SNMP D-16
Unsupported Global Configuration Commands D-16
SNMPv3 D-16
Unsupported 3DES Encryption Commands D-16
Spanning Tree D-16
Unsupported Global Configuration Command D-16
Unsupported Interface Configuration Command D-16
VLAN D-17
Unsupported Global Configuration Command D-17
Unsupporte
Preface
Audience
This guide is for the networking professional managing the Catalyst 3750 switch, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
Purpose
The Catalyst 3750 switch is supported by either the IP base image or the IP services image.
Conventions
This publication uses these conventions to convey instructions and information:
Command descriptions use these conventions:
• Commands and keywords are in boldface text.
• Arguments for which you supply values are in italic.
• Square brackets ([ ]) mean optional elements.
• Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
• Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.
Related Publications
See these documents for other information about the switch:
• Release Notes for the Catalyst 3750, 3560, 2975, and 2960 Switches
• Catalyst 3750, 3560, 3550, 2975, 2970, and 2960 and 2960-S Switch System Message Guide
• Catalyst 3750 Switch Software Configuration Guide
• Catalyst 3750 Switch Command Reference
• Catalyst 3750 Switch Hardware Installation Guide
• Catalyst 3750 Switch Getting Started Guide
• Catalyst 3750 Integrated Wireless LAN Controller Switch Getting Started Gui
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.
CHAPTER 1 Overview
This chapter provides these topics about the Catalyst 3750 switch software:
• Features, page 1-1
• Default Settings After Initial Switch Configuration, page 1-17
• Network Configuration Examples, page 1-20
• Where to Go Next, page 1-30
Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. In this document, IP refers to IP Version 4 (IPv4) unless there is a specific reference to IP Version 6 (IPv6).
Features
Some features described in this chapter are available only on the cryptographic (supports encryption) version of the software. You must obtain authorization to use these features and to download the cryptographic version of the software from Cisco.com. For more information, see the release notes for this release.
– Viewing a topology of interconnected devices to identify existing switch clusters and eligible switches that can join a cluster, and to identify link information between switches.
– Monitoring real-time status of a switch or multiple switches from the LEDs on the front-panel images. The system, redundant power system (RPS), and port LED colors on the images are similar to those used on the physical LEDs.
Note: The Network Assistant must be downloaded from cisco.com/go/cna.
• Smart Install to allow a single point of management (director) in a network. You can use Smart Install to provide zero-touch image and configuration upgrade of newly deployed switches and image and configuration downloads for any client switches. For more information, see the Cisco Smart Install Configuration Guide.
• Smart Install enhancements in Cisco IOS Release 12.
• Multicast VLAN registration (MVR) to continuously send multicast streams in a multicast VLAN while isolating the streams from subscriber VLANs for bandwidth and security reasons.
• IGMP filtering for controlling the set of multicast groups to which hosts on a switch port can belong.
• IGMP throttling for configuring the action when the maximum number of entries is in the IGMP forwarding table.
• IGMP leave timer for configuring the leave latency for the network.
• SNMP—SNMP management applications such as CiscoWorks2000 LAN Management Suite (LMS) and HP OpenView. You can manage from an SNMP-compatible management station that is running platforms such as HP OpenView or SunNet Manager. The switch supports a comprehensive set of MIB extensions and four remote monitoring (RMON) groups. For more information about using SNMP, see Chapter 32, “Configuring SNMP.
• Source Specific Multicast (SSM) mapping for multicast applications provides a mapping of source to group, allowing listeners to connect to multicast sources dynamically, and reduces dependencies on the application.
• Support for Enhanced Interior Gateway Routing Protocol (EIGRP) IPv6 to utilize IPv6 transport, communicate with IPv6 peers, and advertise IPv6 routes.
• Support for these IP services, making them VRF aware so that they can operate on multiple routing instances:
• DHCP snooping enhancement to support the selection of a fixed string-based format for the circuit-id sub-option of the Option 82 DHCP field.
• Increased support for LLDP-MED by allowing the switch to grant power to the powered device (PD), based on the power policy TLV request.
Availability and Redundancy Features
• HSRP for command switch and Layer 3 router redundancy.
• Enhanced object tracking, which separates the tracking mechanism from HSRP and creates a separate, sta
• Flex Link Layer 2 interfaces to back up one another as an alternative to STP for basic link redundancy.
• Link-state tracking to mirror the state of the ports that carry upstream traffic from connected hosts and servers, and to allow the failover of the server traffic to an operational link on another Cisco Ethernet switch.
• IP Service Level Agreements (IP SLAs) support to measure network performance by using active traffic monitoring.
• IP SLAs EOT to use the output from IP SLAs tracking operations triggered by an action such as latency, jitter, or packet loss for a standby router failover takeover.
Security Features
• Web authentication to allow a supplicant (client) that does not support IEEE 802.
• IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. These features are supported:
– Multidomain authentication (MDA) to allow both a data device and a voice device, such as an IP phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.
– NAC Layer 2 IP validation of the posture of endpoint systems or clients before granting the devices network access. For information about configuring NAC Layer 2 IP validation, see the Network Admission Control Software Configuration Guide.
– IEEE 802.1x inaccessible authentication bypass. For information about configuring this feature, see the “Configuring the Inaccessible Authentication Bypass Feature” section on page 10-57.
• Support for 3DES and AES with version 3 of the Simple Network Management Protocol (SNMPv3). This release adds support for the 168-bit Triple Data Encryption Standard (3DES) and the 128-bit, 192-bit, and 256-bit Advanced Encryption Standard (AES) encryption algorithms to SNMPv3.
• Support for the Security Group Tag (SGT) Exchange Protocol (SXP) component of Cisco TrustSec, a security architecture using authentication, encryption, and access control.
• Egress queues and scheduling
– Four egress queues per port.
– WTD as the congestion-avoidance mechanism for managing the queue lengths and providing drop precedences for different traffic classifications.
– SRR as the scheduling service for specifying the rate at which packets are dequeued to the egress interface (shaping or sharing is supported on egress queues). Shaped egress queues are guaranteed but limited to using a share of port bandwidth.
• Protocol-Independent Multicast (PIM) for multicast routing within the network, allowing devices in the network to receive the multicast feed requested and switches not participating in the multicast to be pruned.
• Support for EEM 3.2, which introduces event detectors for Neighbor Discovery, Identity, and MAC-Address-Table.
Default Settings After Initial Switch Configuration
The switch is designed for plug-and-play operation, requiring only that you assign basic IP information to the switch and connect it to the other devices in your network. If you have specific network needs, you can change the interface-specific and system- and stack-wide settings.
– Auto-MDIX is enabled. For more information, see Chapter 12, “Configuring Interface Characteristics.”
– Flow control is off. For more information, see Chapter 12, “Configuring Interface Characteristics.”
– PoE is autonegotiate. For more information, see Chapter 12, “Configuring Interface Characteristics.”
• VLANs
– Default VLAN is VLAN 1. For more information, see Chapter 13, “Configuring VLANs.
• Port-based traffic
– Broadcast, multicast, and unicast storm control is disabled. For more information, see Chapter 25, “Configuring Port-Based Traffic Control.”
– No protected ports are defined. For more information, see Chapter 25, “Configuring Port-Based Traffic Control.”
– Unicast and multicast traffic flooding is not blocked. For more information, see Chapter 25, “Configuring Port-Based Traffic Control.
Network Configuration Examples
This section provides network configuration concepts and includes examples of using the switch to create dedicated network segments and interconnecting the segments through Fast Ethernet and Gigabit Ethernet connections.
Table 1-2 Providing Network Services
Network Demands:
• Efficient bandwidth usage for multimedia applications and guaranteed bandwidth for critical applications
• High demand on network redundancy and availability to provide always-on mission-critical applications
• An evolving demand for IP telephony
Suggested Design Methods:
• Use IGMP snooping to efficiently forward multimedia and multicast traffic.
You can use the switches and switch stacks to create the following:
• Cost-effective wiring closet (Figure 1-1)—A cost-effective way to connect many users to the wiring closet is to have a switch stack of up to nine Catalyst 3750 switches. To preserve switch connectivity if one switch in the stack fails, connect the switches as recommended in the hardware installation guide, and enable either cross-stack EtherChannel or cross-stack UplinkFast.
Figure 1-2 High-Performance Wiring Closet
• Redundant Gigabit backbone—Using HSRP, you can create backup paths between two Catalyst 3750G multilayer Gigabit switches to enhance network reliability and load balancing for different VLANs and subnets. Using HSRP also provides faster network convergence if any network failure occurs.
Using dual SFP module uplinks from the switches provides redundant uplinks to the network core. Using SFP modules provides flexibility in media and distance options through fiber-optic connections. The various lengths of stack cable available, ranging from 0.5 meter to 3 meters, provide extended connections to the switch stacks across multiple server racks, for multiple stack aggregation.
Figure 1-5 Linux Server Cluster
Small to Medium-Sized Network Using Catalyst 3750 Switches
Figure 1-6 shows a configuration for a network of up to 500 employees.
For prestandard and IEEE 802.3af-compliant powered devices connected to Catalyst PoE switches, IEEE 802.1p/Q QoS gives voice traffic forwarding priority over data traffic. Catalyst PoE switch ports automatically detect any Cisco pre-standard and IEEE 802.3af-compliant powered devices that are connected. Each PoE switch port provides 15.4 W of power per port.
per-user basis. The switch ports are configured as either trusted or untrusted. You can configure a trusted port to trust the CoS value, the DSCP value, or the IP precedence. If you configure the port as untrusted, you can use an ACL to mark the frame in accordance with the network policy. Each stack provides inter-VLAN routing.
Multidwelling Network Using Catalyst 3750 Switches
A growing segment of residential and commercial customers requires high-speed access to Ethernet metropolitan-area networks (MANs). Figure 1-8 shows a configuration for a Gigabit Ethernet MAN ring using multilayer switch stacks as aggregation switches in the mini-point-of-presence (POP) location. These switches are connected through 1000BASE-X SFP module ports.
Figure 1-8 Catalyst 3750 Switches in a MAN Configuration
Long-Distance, High-Bandwidth Transport Configuration
Figure 1-9 shows a configuration for sending 8 Gigabits of data over a single fiber
Figure 1-9 Long-Distance, High-Bandwidth Transport Configuration
Where to Go Next
Before configuring the switch, review these sections for startup information:
• Chapter 2, “Using the Command-Line Interface”
• Chapter 3, “Assigning the Switch IP Address and Default Gateway”
CHAPTER 2 Using the Command-Line Interface
This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Understanding Command Modes
Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the hostname Switch.
Table 2-1 Command Mode Summary
Mode: User EXEC
Access Method: Begin a session with your switch.
Prompt: Switch>
Exit Method: Enter logout or quit.
About This Mode: Use this mode to
• Change terminal settings.
• Perform basic tests.
Table 2-1 Command Mode Summary (continued)
Mode: Interface configuration
Access Method: While in global configuration mode, enter the interface command (with a specific interface).
Prompt: Switch(config-if)#
Exit Method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About This Mode: Use this mode to configure parameters for the Ethernet ports.
Table 2-2 Help Summary (continued)
Command: ?
Purpose: List all commands available for a particular command mode. For example: Switch> ?
Command: command ?
Purpose: List the associated keywords for a command. For example: Switch> show ?
Command: command keyword ?
Purpose: List the associated arguments for a keyword.
Understanding CLI Error Messages
Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch.
Table 2-3 Common CLI Error Messages
Error Message: % Ambiguous command: "show con"
Meaning: You did not enter enough characters for your switch to recognize the command.
Using Command History
The software provides a history or record of commands that you have entered. The command history feature is particularly useful for recalling long or complex commands or entries, including access lists.
Disabling the Command History Feature
The command history feature is automatically enabled. You can disable it for the current terminal session or for the command line. These procedures are optional. To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command.
Editing Commands through Keystrokes
Table 2-5 shows the keystrokes that you need to edit command lines. These keystrokes are optional.
Table 2-5 Editing Commands through Keystrokes
Capability: Move around the command line to make changes or corrections.
Keystroke: Press Ctrl-B, or press the left arrow key. Purpose: Move the cursor back one character.
Keystroke: Press Ctrl-F, or press the right arrow key. Purpose: Move the cursor forward one character.
Table 2-5 Editing Commands through Keystrokes (continued)
Capability: Scroll down a line or screen on displays that are longer than the terminal screen can display.
Keystroke: Press the Return key. Purpose: Scroll down one line.
Keystroke: Press the Space bar. Purpose: Scroll down one screen.
Keystroke: Press Ctrl-L or Ctrl-R. Purpose: Redisplay the current command line.
Searching and Filtering Output of show and more Commands
You can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see. Using these commands is optional.
Accessing the CLI
You can use one of these methods to establish a connection with the switch:
• Connect the switch console port to a management station or dial-up modem. For information about connecting to the console port, see the switch getting started guide or hardware installation guide.
• Use any Telnet TCP/IP or encrypted Secure Shell (SSH) package from a remote management station.
Catalyst 3750 Switch Software Configuration Guide 2-12 OL-8550-09
CHAPTER 3 Assigning the Switch IP Address and Default Gateway
This chapter describes how to create the initial switch configuration (for example, assigning the IP address and default gateway information) for the Catalyst 3750 switch by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Understanding the Boot Process
To start your switch, you need to follow the procedures in the Getting Started Guide or the hardware installation guide for installing and powering on the switch and for setting up the initial switch configuration (IP address, subnet mask, default gateway, secret and Telnet passwords, and so forth).
Assigning Switch Information
You can assign IP information through the switch setup program, through a DHCP server, or manually. Use the switch setup program if you want to be prompted for specific IP information. With this program, you can also configure a hostname and an enable secret password.
Understanding DHCP-Based Autoconfiguration
DHCP provides configuration information to Internet hosts and internetworking devices. This protocol consists of two components: a protocol for delivering configuration parameters from a DHCP server to a device, and a mechanism for allocating network addresses to devices.
In a DHCPREQUEST broadcast message, the client returns a formal request for the offered configuration information to the DHCP server. The formal request is broadcast so that all other DHCP servers that received the DHCPDISCOVER broadcast message from the client can reclaim the IP addresses that they offered to the client.
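The exchange described above, as an added example that is not part of Cisco's guide: a small model of DISCOVER, OFFER, REQUEST and ACK on a LAN with more than one DHCP server. It shows why the REQUEST is broadcast: every server that offered an address sees which server the client selected (the server identifier carried in the OFFER) and the servers that were not selected reclaim their offers. The server identifiers, pools and client MAC (the Switch 1 address from Figure 3-3) are constructed sample values, and there is no real packet encoding.

```python
"""Model of the DHCP DISCOVER / OFFER / REQUEST / ACK exchange (constructed example).

Not Cisco code: a simulation of the behaviour the section describes, with no real
packet format. Server identifiers, pools and client MACs are constructed values.
"""
from dataclasses import dataclass, field


@dataclass
class DhcpServer:
    server_id: str                                  # what a real server sends in option 54
    pool: list                                      # addresses still free on this server
    offered: dict = field(default_factory=dict)     # client MAC -> tentatively reserved address
    bound: dict = field(default_factory=dict)       # client MAC -> leased address

    def on_discover(self, client_mac):
        """Every server that hears the broadcast DISCOVER reserves an address and OFFERs it."""
        if not self.pool:
            return None
        addr = self.pool.pop(0)
        self.offered[client_mac] = addr
        return {"type": "DHCPOFFER", "yiaddr": addr, "server_id": self.server_id}

    def on_request(self, client_mac, requested, selected_server):
        """REQUEST is broadcast: servers that were not selected see it and reclaim their offer."""
        addr = self.offered.pop(client_mac, None)
        if selected_server != self.server_id:
            if addr is not None:
                self.pool.insert(0, addr)       # reclaim the address this server had offered
            return None                          # non-selected servers stay silent
        if addr is None or addr != requested:
            return {"type": "DHCPNAK", "server_id": self.server_id}
        self.bound[client_mac] = addr
        return {"type": "DHCPACK", "yiaddr": addr, "server_id": self.server_id}


def run_exchange(client_mac, servers, pick=0):
    """Drive one client through the four messages against several servers on one LAN.

    `pick` selects which OFFER the client accepts (a real client usually takes the
    first one it receives). Returns (chosen offer, replies to the broadcast REQUEST).
    """
    offers = [o for o in (s.on_discover(client_mac) for s in servers) if o is not None]
    if not offers:
        return None, []
    chosen = offers[pick]
    replies = [s.on_request(client_mac, chosen["yiaddr"], chosen["server_id"]) for s in servers]
    return chosen, [r for r in replies if r is not None]


if __name__ == "__main__":
    # Constructed sample: two DHCP servers on the same LAN, each with a small pool.
    servers = [DhcpServer("10.0.0.2", ["10.0.0.101", "10.0.0.102"]),
               DhcpServer("10.0.0.4", ["10.0.0.201"])]
    chosen, replies = run_exchange("00e0.9f1e.2001", servers)
    print("offer taken:", chosen, "replies:", replies)
    print("non-selected server reclaimed its offer, pool is", servers[1].pool)
```

Only the selected server answers the REQUEST; the other server's pool is back to its original state, which is the reclaim behaviour the text describes. A REQUEST naming an address the selected server never offered is answered with a NAK.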
DHCP Auto-Image Update
You can use DHCP auto-image upgrade with DHCP autoconfiguration to download both a configuration and a new image to one or more switches in your network. The switch (or switches) downloading the new configuration and the new image can be blank (or only have a default factory configuration loaded).
Configuring DHCP-Based Autoconfiguration
These sections contain this configuration information:
• DHCP Server Configuration Guidelines, page 3-7
• Configuring the TFTP Server, page 3-8
• Configuring the DNS, page 3-8
• Configuring the Relay Device, page 3-9
• Obtaining Configuration Files, page 3-10
• Example Configuration, page 3-11
DHCP Server Configuration Guidelines
Follow these guidelines if you are
DHCP Server and Switch Stacks
The DHCP binding database is managed on the stack master. When a new stack master is assigned, the new master downloads the saved binding database from the TFTP server. If the stack master fails, all unsaved bindings are lost. The IP addresses associated with the lost bindings are released.
The DNS server can be on the same or on a different LAN as the switch. If it is on a different LAN, the switch must be able to access it through a router.
Configuring the Relay Device
You must configure a relay device, also referred to as a relay agent, when a switch sends broadcast packets that require a response from a host on a different LAN.
Obtaining Configuration Files
Depending on the availability of the IP address and the configuration filename in the DHCP reserved lease, the switch obtains its configuration information in these ways:
• The IP address and the configuration filename are reserved for the switch and provided in the DHCP reply (one-file read method).
Example Configuration
Figure 3-3 shows a sample network for retrieving IP information by using DHCP-based autoconfiguration.
Figure 3-3 DHCP-Based Autoconfiguration Network Example (Switch 1 00e0.9f1e.2001, Switch 2 00e0.9f1e.2002, Switch 3 00e0.9f1e.2003, Switch 4 00e0.9f1e.2004; Cisco router 10.0.0.10; DHCP server 10.0.0.2; DNS server 10.0.0.3; TFTP server (tftpserver) 10.0.0.
TFTP Server Configuration (on UNIX)
The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method. This file contains the hostname to be assigned to the switch based on its IP address.
Step 4 Command: network network-number [mask | /prefix-length] Purpose: Specify the subnet network number and mask of the DHCP address pool.
Note The prefix length specifies the number of bits that comprise the address prefix. The prefix is an alternative way of specifying the network mask of the client. The prefix length must be preceded by a forward slash (/).
Configuring DHCP Auto-Image Update (Configuration File and Image)
Beginning in privileged EXEC mode, follow these steps to configure DHCP autoconfiguration to configure TFTP and DHCP settings on a new switch to download a new image and a new configuration file.
Note Before following the steps in this table, you must create a text file (for example, autoinstall_dhcp) that will be uploaded to the switch.
This example shows how to configure a switch as a DHCP server so it downloads a configuration file:
Switch# config terminal
Switch(config)# ip dhcp pool pool1
Switch(dhcp-config)# network 10.10.10.0 255.255.255.0
Switch(dhcp-config)# bootfile config-boot.text
Switch(dhcp-config)# default-router 10.10.10.1
Switch(dhcp-config)# option 150 10.10.10.1
Switch(dhcp-config)# option 125 hex 0000.0009.0a05.08661.7574.6f69.
This example uses a Layer 3 SVI interface on VLAN 99 to enable DHCP-based autoconfiguration with a saved configuration:
Switch# configure terminal
Switch(conf)# boot host dhcp
Switch(conf)# boot host retry timeout 300
Switch(conf)# banner config-save ^C Caution - Saving Configuration File to NVRAM May Cause You to No longer Automatically Download Configuration Files at Reboot^C
Switch(config)# vlan 99
Switch(config
Step 5 Command: ip default-gateway ip-address Purpose: Enter the IP address of the next-hop router interface that is directly connected to the switch where a default gateway is being configured. The default gateway receives IP packets with unresolved destination IP addresses from the switch.
interface VLAN1
 ip address 172.20.137.50 255.255.255.0
 no ip directed-broadcast
!
ip default-gateway 172.20.137.
This example shows how to configure the NVRAM buffer size:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# boot buffersize 524288
Switch(config)# end
Switch# show boot
BOOT path-list :
Config file : flash:/config.text
Private Config file : flash:/private-config.
Default Boot Configuration
Table 3-3 shows the default boot-up configuration.
Table 3-3 Default Boot Configuration
Feature: Operating system software image. Default Setting: The switch attempts to automatically boot up the system using information in the BOOT environment variable.
Step 4 Command: show boot Purpose: Verify your entries. The boot config-file global configuration command changes the setting of the CONFIG_FILE environment variable.
Step 5 Command: copy running-config startup-config Purpose: (Optional) Save your entries in the configuration file.
To return to the default setting, use the no boot config-file global configuration command.
Booting a Specific Software Image
By default, the switch attempts to automatically boot up the system using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system.
Controlling Environment Variables
With a normally operating switch, you enter the boot loader mode only through a switch console connection configured for 9600 b/s. Unplug the switch power cord, and press the switch Mode button while reconnecting the power cord. You can release the Mode button a second or two after the LED above port 1 turns off. Then the boot loader switch: prompt appears.
Table 3-4 describes the function of the most common environment variables.
Table 3-4 Environment Variables
Variable: BOOT
Boot Loader Command: set BOOT filesystem:/file-url ...
Cisco IOS Global Configuration Command: boot system {filesystem:/file-url ...| switch {number | all}}
A semicolon-separated list of executable files to try to load and execute when automatically booting.
Note A scheduled reload must take place within approximately 24 days.
Configuring a Scheduled Reload
To configure your switch to reload the software image at a later time, use one of these commands in privileged EXEC mode:
• reload in [hh:]mm [text]
This command schedules a reload of the software to take effect in the specified minutes or hours and minutes.
This example shows how to reload the software on the switch on the current day at 7:30 p.
CHAPTER 4 Configuring Cisco IOS Configuration Engine
This chapter describes how to configure the Cisco Configuration Engine feature on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
Note For complete configuration information for the Cisco Configuration Engine, go to http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.
Figure 4-1 Configuration Engine Architectural Overview
• Configuration Service, page 4-2
• Event Service, page 4-3
• What You Should Know About the CNS IDs and Device Hostnames, page 4-3
Configuration Service
The Configu
Event Service
The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine. The Event Service is a highly capable publish-and-subscribe communication method.
DeviceID
Each configured switch participating on the event bus has a unique DeviceID, which is analogous to the switch source address so that the switch can be targeted as a specific destination on the bus. All switches configured with the cns config partial global configuration command must access the event bus.
Understanding Cisco IOS Agents
The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent.
Incremental (Partial) Configuration
After the network is running, new services can be added by using the Cisco IOS agent. Incremental (partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation.
Table 4-1 Prerequisites for Enabling Automatic Configuration (continued)
Device: DHCP server
Required Configuration:
• IP address assignment
• TFTP server IP address
• Path to bootstrap configuration file on the TFTP server
• Default gateway IP address
Device: TFTP server
Required Configuration:
• A bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate with
Device: CNS Configuration Engine
Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:
Step 1 Command: configure terminal Purpose: Enter global configuration mode.
Step 2 Command: cns event {hostname | ip-address} [port-number] [backup] [failover-time seconds] [keepalive seconds retry-count] [reconnect time] [source ip-address] Purpose: Enable the event agent, and enter the gateway parameters.
Enabling the Cisco IOS CNS Agent
After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands:
• The cns config initial global configuration command enables the Cisco IOS agent and initiates an initial configuration on the switch.
Step 7 Command: discover {controller controller-type | dlci [subinterface subinterface-number] | interface [interface-type] | line line-type} Purpose: Specify the interface parameters in the CNS connect profile.
• For controller controller-type, enter the controller type.
• For dlci, enter the active data-link connection identifiers (DLCIs).
Step 14 Command: cns config initial {hostname | ip-address} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check] Purpose: Enable the Cisco IOS agent, and initiate an initial configuration.
• For {hostname | ip-address}, enter the hostname or the IP address of the configuration server.
• (Optional) For port-number, enter the port number of the configuration server. The default port number is 80.
This example shows how to configure an initial configuration on a remote switch when the switch IP address is known. The Configuration Engine IP address is 172.28.129.22.
Switch(config)# cns template connect template-dhcp
Switch(config-tmpl-conn)# cli ip address dhcp
Switch(config-tmpl-conn)# exit
Switch(config)# cns template connect ip-route
Switch(config-tmpl-conn)# cli ip route 0.0.0.0 0.0.0.
Displaying CNS Configuration
Table 4-2 Privileged EXEC show Commands
Command: show cns config connections. Purpose: Displays the status of the CNS Cisco IOS agent connections.
Command: show cns config outstanding. Purpose: Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
Command: show cns config stats. Purpose: Displays statistics about the Cisco IOS agent.
CHAPTER 5 Managing Switch Stacks
This chapter provides the concepts and procedures to manage Catalyst 3750 stacks. See the switch command reference for command syntax and usage information.
All members are eligible masters. If the master becomes unavailable, the remaining members elect a new master from among themselves. One of the factors is the stack member priority value. The switch with the highest stack-member priority-value becomes the master. The system-level features supported on the master are supported on the entire stack.
– Stack Management Connectivity, page 5-15
– Stack Configuration Scenarios, page 5-16
Stack Membership
A standalone switch is a stack with one member that is also the master. You can connect one standalone switch to another (Figure 5-1 on page 5-4) to create a stack containing two stack members, with one of them as the master. You can connect standalone switches to an existing stack (Figure 5-2 on page 5-4) to increase the stack membership.
Figure 5-1 Creating a Switch Stack from Two Standalone Switches
Figure 5-2 Adding a Standalone Switch to a Switch Stack
3. The switch that is not using the default interface-level configuration.
4. The switch with the higher priority switch software version.
Stack MAC Address and Router MAC Address
The MAC address of the master determines the stack MAC address. When the stack initializes, the MAC address of the master determines the bridge ID and router MAC address that identify the stack in the network. If the master changes, the MAC address of the new master determines the new bridge ID and router MAC address.
Member Priority Values
A high priority value for a member increases the chance that it will be elected master and keep its member number. The priority value can be 1 to 15. The default priority value is 1.
Note We recommend that you assign the highest priority value to the switch that you want to be the stack master. The switch is then re-elected as master if a re-election occurs.
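The election factors this chapter names (an existing master is kept; otherwise the highest member priority value, then a switch not using the default interface-level configuration, then the higher-priority software image), carried through as an added example that is not Cisco's code. The lowest base MAC address as the final tie-break and the ranking of the four image feature sets (IP services ahead of IP base, cryptographic ahead of noncryptographic) are my assumptions, not statements from this page; the member data is constructed. The check at the end is the operational one behind the Note above: confirm that the switch you intend to be master holds the unique highest priority and would actually win.

```python
"""Stack master election modelled on the factors listed in this chapter.

Added example, not Cisco code. The image ranking below and the lowest-MAC
tie-break are assumptions; member values in the usage are constructed.
"""
from dataclasses import dataclass

# Assumed ranking for the "higher priority software version" factor:
# feature set first, cryptographic (k9) ahead of noncryptographic.
IMAGE_RANK = {"ipservicesk9": 4, "ipservices": 3, "ipbasek9": 2, "ipbase": 1}


@dataclass(frozen=True)
class Member:
    number: int                         # stack member number
    mac: str                            # base MAC in the dotted form the switch prints
    priority: int = 1                   # 1 to 15, default 1
    current_master: bool = False
    default_interface_config: bool = True
    image: str = "ipbase"

    def mac_value(self):
        return int(self.mac.replace(".", ""), 16)


def election_key(m):
    """Lower tuple wins: existing master, highest priority, non-default interface
    configuration, higher-ranked image, then lowest MAC (assumed tie-break)."""
    return (0 if m.current_master else 1,
            -m.priority,
            1 if m.default_interface_config else 0,
            -IMAGE_RANK.get(m.image, 0),
            m.mac_value())


def elect_master(members):
    for m in members:
        if not 1 <= m.priority <= 15:
            raise ValueError(f"member {m.number}: priority {m.priority} is outside 1-15")
    return min(members, key=election_key)


def check_intended_master(members, intended_number):
    """Does the intended master hold the unique highest priority, and would it win?"""
    winner = elect_master(members)
    intended = next(m for m in members if m.number == intended_number)
    top = max(m.priority for m in members)
    unique_top = intended.priority == top and sum(m.priority == top for m in members) == 1
    return {"winner": winner.number, "intended_holds_unique_highest_priority": unique_top}


if __name__ == "__main__":
    # Constructed sample: member 2 is meant to be the master and has priority 15.
    stack = [Member(1, "00e0.9f1e.2001", priority=1, default_interface_config=False),
             Member(2, "00e0.9f1e.2002", priority=15),
             Member(3, "00e0.9f1e.2003", priority=1, image="ipservicesk9")]
    print(check_intended_master(stack, 2))
```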
Effects of Adding a Provisioned Switch to a Stack
When you add a provisioned switch to the switch stack, the stack applies either the provisioned configuration or the default configuration to it. Table 5-1 lists the events that occur when the switch stack compares the provisioned configuration with the provisioned switch.
Table 5-1 Results of Comparing the Provisioned Configuration with the Provisioned Switch (continued)
Scenario: The stack member number of the provisioned switch is not found in the provisioned configuration.
Result: The switch stack applies the default configuration to the provisioned switch and adds it to the stack.
All stack members use the SDM template configured on the stack master. If the stack master is using an aggregator template, only Catalyst 3750-12S switches can be stack members. All other switches attempting to join this switch stack enter SDM-mismatch mode. These switches can join the stack only when the stack master is running a desktop SDM template.
the mismatched software and tries to upgrade (or downgrade) the switch in version-mismatch mode with the stack image or with a tar file image from the stack flash memory. The software uses the automatic upgrade (auto-upgrade) and the automatic advise (auto-advise) features. The port LEDs on switches in version-mismatch mode will also stay off. Pressing the Mode button does not change the LED mode.
• Automatic advise (auto-advise)—when the auto-upgrade process cannot find appropriate version-mismatch member software to copy to the switch in version-mismatch mode, the auto-advise process tells you the command (archive copy-sw or archive download-sw privileged EXEC command) and the image name (tar filename) needed to manually upgrade the switch stack or the switch in version-mismatch mode.
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Total Image File Size:0x00818A00
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Minimum Dram required:0x08000000
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Image Suffix:universalk9-122-53.SE
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Image Directory:c3750-ipservices-mz.122-25.SEB
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Image Name:c3750-ipservices-mz.122-25.SEB
*Mar 11 20:36:15.
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:members have been scanned, and it has
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:been determined that the stack can be
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:repaired by issuing the following
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:command(s):
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:
*Mar 1 00:04:22.
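An image being copied to, or recommended for, a stack member is a change to the code a switch runs, so these IMAGEMGR messages are worth collecting from syslog rather than only reading on the console. The parser below is an added example, not Cisco code: it picks out the AUTO_COPY_SW key and value fields (converting the hex sizes) and reassembles the AUTO_ADVISE_SW text, which the switch prints split across several syslog lines, into the advice sentence and the list of recommended commands. The sample input is constructed from the message formats shown above; its final "archive copy-sw" line is an assumed example of a recommended command, not a line from the guide.

```python
"""Parser for the IMAGEMGR auto-upgrade and auto-advise syslog lines shown in this section.

Added example, not Cisco code. The sample is constructed from the message formats
printed above; the closing "archive copy-sw" line is an assumed example of the
command auto-advise recommends, not a line taken from the guide.
"""
import re

SAMPLE_SYSLOG = """\
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Total Image File Size:0x00818A00
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Minimum Dram required:0x08000000
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Image Suffix:universalk9-122-53.SE
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Image Directory:c3750-ipservices-mz.122-25.SEB
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Image Name:c3750-ipservices-mz.122-25.SEB
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:members have been scanned, and it has
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:been determined that the stack can be
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:repaired by issuing the following
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:command(s):
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:  archive copy-sw /destination-system 2 1
"""

# Timestamp, then facility-severity-mnemonic, then the free-text part of the message.
LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}):"
    r"%IMAGEMGR-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):(?P<msg>.*)$"
)


def parse_imagemgr(text):
    """Return one dict per IMAGEMGR line; lines from other facilities are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def auto_copy_fields(records):
    """Key:value fields of AUTO_COPY_SW messages; hex sizes become integers."""
    fields = {}
    for rec in records:
        if rec["mnemonic"] != "AUTO_COPY_SW":
            continue
        key, sep, value = rec["msg"].strip().partition(":")
        if not sep:
            continue
        value = value.strip()
        fields[key.strip()] = int(value, 16) if value.lower().startswith("0x") else value
    return fields


def reassemble_auto_advise(records):
    """Join the fragmented AUTO_ADVISE_SW text; the blank fragment separates the
    advice sentence from the command list that follows it."""
    text_parts, commands = [], []
    in_commands = False
    for rec in records:
        if rec["mnemonic"] != "AUTO_ADVISE_SW":
            continue
        msg = rec["msg"].strip()
        if not msg:
            in_commands = True
            continue
        (commands if in_commands else text_parts).append(msg)
    return " ".join(text_parts), commands


def summarize(text):
    """Operator-facing summary: what was copied, what was advised, and whether any
    version-mismatch handling happened at all."""
    records = parse_imagemgr(text)
    advice, commands = reassemble_auto_advise(records)
    return {
        "auto_copy": auto_copy_fields(records),
        "auto_advise_text": advice,
        "auto_advise_commands": commands,
        "auto_upgrade_activity": any(
            r["mnemonic"] in ("AUTO_COPY_SW", "AUTO_ADVISE_SW") for r in records),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_SYSLOG))
```

Feeding a switch's syslog export through `summarize` gives a record of which image was copied to a member (name, directory, size) and which manual commands were recommended when the copy could not proceed; an image copy on a stack that was not scheduled for maintenance is the case to review.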
For information about
• The benefits of provisioning a switch stack, see the “Stack Offline Configuration” section on page 5-7.
• File systems and configuration files, see Appendix C, “Working with the Cisco IOS File System, Configuration Files, and Software Images.
Stack Through an IP Address
The stack is managed through a system-level IP address. You can still manage the stack through the same IP address even if you remove the master or any other stack member from the stack, provided there is IP connectivity.
Note Members keep their IP addresses when you remove them from a stack.
Table 5-2 Switch Stack Configuration Scenarios
Scenario:
• Master election specifically determined by existing masters
• Master election specifically determined by the member priority value
• Master election specifically determined by the configuration file
• Master election specifically determined by the cryptographic IP services image software
• Master election specifically determined by the cryptographic IP base image software
• Master election specificall
Chapter 5 Managing Switch Stacks Configuring the Switch Stack Table 5-2 Switch Stack Configuration Scenarios (continued) Scenario Result Member number conflict Assuming that one member has a higher priority value than the other member: The member with the higher priority value keeps its member number. The other member has a new stack member number. Add a member Master failure 1. Ensure that both members have the same member number.
Chapter 5 Managing Switch Stacks Configuring the Switch Stack Default Switch Stack Configuration Table 5-3 shows the default switch stack configuration. Table 5-3 Default Switch Stack Configuration Feature Default Setting Stack MAC address timer Disabled. Member number 1 Member priority value 1 Offline configuration The switch stack is not provisioned. Persistent MAC address Disabled. Enabling Persistent MAC Address The MAC address of the master determines the stack MAC address.
Beginning in privileged EXEC mode, follow these steps to enable persistent MAC address. This procedure is optional.
Command                                             Purpose
Step 1 configure terminal                           Enter global configuration mode.
Step 2 stack-mac persistent timer [0 | time-value]  Enable a time delay after a stack-master change before the stack MAC address changes to that of the new stack master.
While the timer runs (indefinitely, if you configure 0), the stack keeps sourcing frames from the base MAC address of the old master. If that switch was removed from the stack and is powered on elsewhere in the same Layer 2 domain, two devices share one MAC address; account for this before you choose a long or infinite timer.

This example shows how to configure the persistent MAC address feature for a 7-minute time delay and to verify the configuration:
Switch(config)# stack-mac persistent timer 7
WARNING: The stack continues to use the base MAC of the old Master
WARNING: as the stack MAC after a master switchover until the MAC
WARNING: persistency timer expires.

Setting the Member Priority Value
Note This task is available only from the master.
Beginning in privileged EXEC mode, follow these steps to assign a priority value to a member. This procedure is optional.
Command                                                         Purpose
Step 1 configure terminal                                       Enter global configuration mode.
Step 2 switch stack-member-number priority new-priority-number  Specify the member number and the new priority for the member.

Command                                    Purpose
Step 6 show switch stack-member-number     Verify the status of the provisioned switch. For stack-member-number, enter the same number as in Step 2.
Step 7 copy running-config startup-config  (Optional) Save your entries in the configuration file.
To remove provisioned information and to avoid receiving an error message, remove the specified switch from the stack before you use the no form of this command.

Displaying Stack Information
To display saved configuration changes after resetting a specific member or the stack, use these privileged EXEC commands:
Table 5-4 Commands for Displaying Stack Information
Command                                       Description
show platform stack passive-links all         Display all stack information, such as the stack protocol version.
show platform stack ports {buffer | history}  Display the StackWise port events and history.
Troubleshooting Stacks
• A stack is in the full-ring state when all members are connected through the StackWise ports and are in the ready state.
• The stack is in the partial-ring state when
  – All members are connected through the StackWise ports, but some are not in the ready state.
  – Some members are not connected through the StackWise ports.

Table 5-5 show switch stack-ports summary Command Output
Field              Description
Switch#/Port#      Member number and its StackWise port number.
Stack Port Status  • Absent—No cable is detected on the StackWise port.
                   • Down—A cable is detected, but either no connected neighbor is up, or the StackWise port is disabled.
                   • OK—A cable is detected, and the connected neighbor is up.

• Hardware Loopback Example: LINK OK event, page 5-29
• Hardware Loopback Example: LINK NOT OK Event, page 5-30

Software Loopback
In a stack with three members, StackWise cables connect all the members.

Software Loopback Example: No Connected StackWise Cable
Catalyst 3750 switch port status:
Switch# show switch stack-ports summary
Switch#/  Stack   Neighbor  Cable     Link  Link    Sync  # Changes  In
Port#     Port              Length    OK    Active  OK    To LinkOK  Loopback
--------  ------  --------  --------  ----  ------  ----  ---------  --------
1/1       Absent  None      No cable  Yes   No      Yes   1          Yes
1/2       Absent  None      No cable  Yes   No      Yes   1          Yes

Catalyst 3750-E switch port status (partial):
Link Active  No  No
Sync OK      No  No
# Changes To LinkOK
Hardware Loopback
The show platform stack ports buffer privileged EXEC command output shows the hardware loopback values.

On a Catalyst 3750-E switch:
Switch# show platform stack ports buffer
Stack Debug Event Data Trace
==============================================================
Event type LINK: Link status change
Event type RAC: RAC changes to Not OK
Event type SYNC: Sync changes to Not OK
==============================================================
Event       Stack  Stack PCS Info
Count       Port
=========   =====  ===================================
Event type: LINK OK
Stac

On a Catalyst 3750-E switch:
Switch# show platform stack ports buffer
Stack Debug Event Data Trace
==============================================================
Event type LINK: Link status change
Event type RAC: RAC changes to Not OK
Event type SYNC: Sync changes to Not OK
==============================================================
Event       Stack
Count       Port
=========   =====
Event type: LINK
0000000014  1
0000000014  2
Event type: RAC
0000000015  1
0000

This is now the port status:
Switch# show switch stack-ports summary
Switch#/  Stack   Neighbor  Cable     Link  Link    Sync  # Changes  In
Port#     Port              Length    OK    Active  OK    To LinkOK  Loopback
--------  ------  --------  --------  ----  ------  ----  ---------  --------
1/1       OK      2         50 cm     Yes   Yes     Yes   1          No
1/2       Absent  None      No cable  No    No      No    2          No
2/1       Down    None      50 cm     No    No      No    2          No
2/2       OK      1         50 cm     Yes   Yes     Yes   1          No
Only one end of the cable connects to a StackWise port, Port 1 on
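The two show switch stack-ports summary tables above are read by eye in the guide. The following Python script is an added example, not code from this guide or from Cisco: it parses that output and maps each StackWise port onto the states defined in Table 5-5 and the loopback examples (software loopback, no cable, neighbor down, OK), then derives the full-ring or partial-ring state described at the start of this section. The two sample outputs embedded in the script are constructed to match the tables in this section; the state names are the author's own labels, not Cisco terminology.

```python
import re

# Constructed sample outputs modelled on the two "show switch stack-ports summary"
# tables in this section (added example; not output captured from a real switch).
SOFTWARE_LOOPBACK_SAMPLE = """\
Switch#/  Stack   Neighbor  Cable     Link  Link    Sync  # Changes  In
Port#     Port              Length    OK    Active  OK    To LinkOK  Loopback
--------  ------  --------  --------  ----  ------  ----  ---------  --------
1/1       Absent  None      No cable  Yes   No      Yes   1          Yes
1/2       Absent  None      No cable  Yes   No      Yes   1          Yes
"""

HARDWARE_LOOPBACK_SAMPLE = """\
Switch#/  Stack   Neighbor  Cable     Link  Link    Sync  # Changes  In
Port#     Port              Length    OK    Active  OK    To LinkOK  Loopback
--------  ------  --------  --------  ----  ------  ----  ---------  --------
1/1       OK      2         50 cm     Yes   Yes     Yes   1          No
1/2       Absent  None      No cable  No    No      No    2          No
2/1       Down    None      50 cm     No    No      No    2          No
2/2       OK      1         50 cm     Yes   Yes     Yes   1          No
"""

# One data row: member/port, status, neighbor, cable length, three Yes/No flags,
# change counter, loopback flag. Header and rule lines do not match.
ROW_RE = re.compile(
    r"^(?P<member>\d+)/(?P<port>\d+)\s+"
    r"(?P<status>Absent|Down|OK)\s+"
    r"(?P<neighbor>\S+)\s+"
    r"(?P<cable>No cable|\d+\s*cm)\s+"
    r"(?P<link_ok>Yes|No)\s+(?P<link_active>Yes|No)\s+(?P<sync_ok>Yes|No)\s+"
    r"(?P<changes>\d+)\s+(?P<loopback>Yes|No)\s*$"
)


def parse_stack_ports(text):
    """Return one dict per StackWise port row of the command output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for flag in ("link_ok", "link_active", "sync_ok", "loopback"):
            d[flag] = d[flag] == "Yes"
        d["member"], d["port"] = int(d["member"]), int(d["port"])
        d["changes"] = int(d["changes"])
        rows.append(d)
    return rows


def classify_port(row):
    """Map a row onto the states in Table 5-5 and the loopback examples."""
    if row["status"] == "Absent":
        # No cable detected; with In Loopback = Yes the port is looped back in software.
        return "software-loopback" if row["loopback"] else "no-cable"
    if row["status"] == "Down":
        # Cable detected, but no connected neighbor is up or the port is disabled.
        return "neighbor-down"
    if row["link_ok"] and row["link_active"] and row["sync_ok"]:
        return "ok"
    return "not-synchronized"  # cable and neighbor up, link or sync not yet OK


def ring_state(rows):
    """full-ring only when every StackWise port is OK with link and sync up."""
    if rows and all(classify_port(r) == "ok" for r in rows):
        return "full-ring"
    return "partial-ring"


def report(text):
    rows = parse_stack_ports(text)
    per_port = {f"{r['member']}/{r['port']}": classify_port(r) for r in rows}
    return per_port, ring_state(rows)


if __name__ == "__main__":
    for sample in (SOFTWARE_LOOPBACK_SAMPLE, HARDWARE_LOOPBACK_SAMPLE):
        print(report(sample))
```

Feed it the output of show switch stack-ports summary collected from each stack; a port that stays in neighbor-down or software-loopback after cabling is complete is the one to inspect with show platform stack ports buffer.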
CHAPTER 6 Clustering Switches
This chapter provides the concepts and procedures to create and manage Catalyst 3750 switch clusters. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. You can create and manage switch clusters by using Cisco Network Assistant (hereafter known as Network Assistant), the command-line interface (CLI), or SNMP. For complete procedures, see the online help. For the CLI cluster commands, see the switch command reference.

Understanding Switch Clusters
In a switch cluster, 1 switch must be the cluster command switch and up to 15 other switches can be cluster member switches. The total number of switches in a cluster cannot exceed 16 switches. The cluster command switch is the single point of access used to configure, manage, and monitor the cluster member switches. Cluster members can belong to only one cluster at a time.
Note A switch cluster is different from a switch stack.

Table 6-1 Switch Software and Cluster Capability (continued)
Switch                            Cisco IOS Release           Cluster Capability
Catalyst 2940                     12.1(13)AY or later         Member or command switch
Catalyst 3500 XL                  12.0(5.1)XU or later        Member or command switch
Catalyst 2900 XL (8-MB switches)  12.0(5.1)XU or later        Member or command switch
Catalyst 2900 XL (4-MB switches)  11.2(8.5)SA6 (recommended)  Member switch only
Catalyst 1900 and 2820            9.

Candidate Switch and Cluster Member Switch Characteristics
Candidate switches are cluster-capable switches and switch stacks that have not yet been added to a cluster. Cluster member switches are switches and switch stacks that have actually been added to a switch cluster.

Planning a Switch Cluster
Anticipating conflicts and compatibility issues is a high priority when you manage several switches through a cluster.

Discovery Through CDP Hops
By using CDP, a cluster command switch can discover switches up to seven CDP hops away (the default is three hops) from the edge of the cluster. The edge of the cluster is where the last cluster member switches are connected to the cluster and to candidate switches. For example, cluster member switches 9 and 10 in Figure 6-1 are at the edge of the cluster.

Discovery Through Non-CDP-Capable and Noncluster-Capable Devices
If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.

Figure 6-3 Discovery Through Different VLANs (figure: the command device reaches devices in VLANs 16, 50 and 62 over VLAN trunks 9,16 and 4,16)

Discovery Through Different Management VLANs
Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switches can discover and manage cluster member switches in different VLANs and different management VLANs.

Figure 6-4 Discovery Through Different Management VLANs with a Layer 3 Cluster Command Switch (figure: a command device and a standby command device; Devices 3 to 10 in management VLANs 4, 9, 16 and 62, connected over VLANs 9, 16, 62 and a VLAN trunk 4, 62)

Figure 6-5 Discovery Through Routed Ports (figure: the command device uses routed ports (RP) into VLANs 9 and 62; Member device 7 is in management VLAN 62)

Discovery of Newly Installed Switches
To join a cluster, the new, out-of-the-box switch must be connected to the cluster through one of its access ports. An access port (AP) carries the traffic of and belongs to only one VLAN.
HSRP and Standby Cluster Command Switches
The switch supports Hot Standby Router Protocol (HSRP) so that you can configure a group of standby cluster command switches.

Virtual IP Addresses
You need to assign a unique virtual IP address and group number and name to the cluster standby group. This information must be configured on a specific VLAN or routed port on the active cluster command switch. The active cluster command switch receives traffic destined for the virtual IP address.

Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL cluster member switches must be connected to the cluster standby group through their management VLANs.

When the previously active cluster command switch resumes its active role, it receives a copy of the latest cluster configuration from the active cluster command switch, including members that were added while it was down. The active cluster command switch sends a copy of the cluster configuration to the cluster standby group.

IP Addresses
You must assign IP information to a cluster command switch.

If you change the member-switch password to be different from the command-switch password and save the change, the switch is not manageable by the cluster command switch until you change the member-switch password to match the command-switch password. Rebooting the member switch does not revert the password back to the command-switch password. We recommend that you do not change the member-switch password after it joins a cluster. Because every member shares the command-switch password, a compromise of that one credential exposes every switch in the cluster.

Table 6-2 Basic Comparison of Switch Stacks and Switch Clusters (continued)
Switch Stack                                                         Switch Cluster
Switch stack supports up to four simultaneous stack master failures  Switch cluster supports only one cluster command switch failure at a time
Stack members (as a switch stack) behave and are presented as a single, unified system in the network  Cluster members are various, independent switches that are not managed as and do not behave as a uni

TACACS+ and RADIUS
If Terminal Access Controller Access Control System Plus (TACACS+) is configured on a cluster member, it must be configured on all cluster members. Similarly, if RADIUS is configured on a cluster member, it must be configured on all cluster members. Further, the same switch cluster cannot have some members configured with TACACS+ and other members configured with RADIUS.

Using the CLI to Manage Switch Clusters
Command-switch privilege levels map to the Catalyst 1900 and Catalyst 2820 cluster member switches running standard and Enterprise Edition Software as follows:
• If the command-switch privilege level is 1 to 14, the cluster member switch is accessed at privilege level 1.
• If the command-switch privilege level is 15, the cluster member switch is accessed at privilege level 15.

Using SNMP to Manage Switch Clusters
Figure 6-8 SNMP Management for a Cluster (figure: the SNMP manager receives Trap 1, Trap 2 and Trap 3 through the command switch, which relays the traps of Member 1, Member 2 and Member 3)
Catalyst 3750 Switch Software Configuration Guide OL-8550-09 6-19
CHAPTER 7 Administering the Switch
This chapter describes how to perform one-time operations to administer the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Managing the System Time and Date
The system clock can then be set from these sources:
• NTP
• Manual configuration
The system clock can provide time to these services:
• User show commands
• Logging and debugging messages
The system clock keeps track of time internally based on Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT).

Figure 7-1 shows a typical network example using NTP. Switch A is the NTP master, with Switches B, C, and D configured in NTP server mode, in server association with Switch A. Switch E is configured as an NTP peer to the upstream and downstream switches, Switch B and Switch F.

Configuring NTP
The switch does not have a hardware-supported clock and cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. The switch also has no hardware support for a calendar. As a result, the ntp update-calendar and the ntp master global configuration commands are not available.

Configuring NTP Authentication
This procedure must be coordinated with the administrator of the NTP server; the key information you configure in this procedure must match what is configured on the servers the switch uses to synchronize its time. Without authentication, any host that can reach the switch with NTP packets can move its clock, and with it every timestamp in the switch logs.
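To show what the matching key on both sides actually protects, the Python script below is an added example, not code from this guide or from Cisco. It builds a minimal NTP client packet, appends the symmetric-key MAC that NTP uses for this kind of authentication (the 32-bit key ID followed by MD5 over the key and the 48-byte header, as in RFC 5905), and verifies it the way the receiver must: only key IDs in the trusted set are accepted, which is the role of ntp trusted-key on the switch. The key strings, the key IDs and the transmit timestamp are constructed for the example.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # fixed NTP header; the MAC follows it
MAC_LEN = 4 + 16         # 32-bit key ID + 128-bit MD5 digest


def build_client_header(transmit_ts=0):
    """Minimal NTPv3 client (mode 3) header; every field except the transmit
    timestamp is zero. Field order: LI/VN/Mode, stratum, poll, precision,
    root delay, root dispersion, reference ID, then four 64-bit timestamps."""
    li_vn_mode = (0 << 6) | (3 << 3) | 3
    return struct.pack("!BBBbIIIQQQQ", li_vn_mode, 0, 0, 0, 0, 0, 0,
                       0, 0, 0, transmit_ts)


def ntp_md5_mac(key_id, key, header):
    """Symmetric-key MAC: key ID followed by MD5(key || header)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def authenticate(header, key_id, key):
    """Sender side: append the MAC computed with the configured key."""
    return header + ntp_md5_mac(key_id, key, header)


def verify(packet, trusted_keys):
    """Receiver side. trusted_keys maps key ID -> key string and models the
    keys that are both configured (ntp authentication-key) and trusted
    (ntp trusted-key). A packet with an unknown or untrusted key ID, a wrong
    key, a modified header or a truncated MAC is rejected."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(mac[4:], expected)


def demo():
    """Constructed scenario: key 1 is configured and trusted on both sides,
    key 2 is configured on the sender only. Returns the four verify results."""
    keys = {1: b"example-shared-key", 2: b"configured-but-untrusted"}
    trusted = {1: keys[1]}
    good = authenticate(build_client_header(0xE1E2E3E400000000), 1, keys[1])
    # Flip one bit of the stratum byte after the MAC was computed.
    tampered = good[:1] + bytes([good[1] ^ 0x01]) + good[2:]
    untrusted = authenticate(build_client_header(), 2, keys[2])
    wrong_key = authenticate(build_client_header(), 1, b"not-the-server-key")
    return (verify(good, trusted), verify(tampered, trusted),
            verify(untrusted, trusted), verify(wrong_key, trusted))


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

Two caveats follow directly from the code: the MAC covers integrity and origin only, so the NTP traffic itself is not confidential, and the whole scheme is only as strong as the secrecy of the shared key string, which is why the key must be agreed with the NTP server administrator out of band rather than sent over the network.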
Configuring NTP Associations
An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this switch synchronizes to the other device, and not the other way around).

Configuring NTP Broadcast Service
The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. A broadcast client takes time from whatever sends NTP broadcasts on that segment, so pair it with NTP authentication rather than relying on the segment being trustworthy.

Beginning in privileged EXEC mode, follow these steps to configure the switch to receive NTP broadcast packets from connected peers:
Command                        Purpose
Step 1 configure terminal      Enter global configuration mode.
Step 2 interface interface-id  Specify the interface to receive NTP broadcast packets, and enter interface configuration mode.
Step 3 ntp broadcast client    Enable the interface to receive NTP broadcast packets.

Creating an Access Group and Assigning a Basic IP Access List
Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:
Command                                                                             Purpose
Step 1 configure terminal                                                           Enter global configuration mode.
Step 2 ntp access-group {query-only | serve-only | serve | peer} access-list-number  Create an access group, and apply a basic IP access list.

To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command. This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99.

Command                                    Purpose
Step 4 show running-config                 Verify your entries.
Step 5 copy running-config startup-config  (Optional) Save your entries in the configuration file.
The specified interface is used for the source address for all packets sent to all destinations.
Beginning in privileged EXEC mode, follow these steps to set the system clock:
Command                                   Purpose
Step 1 clock set hh:mm:ss day month year  Manually set the system clock using one of these formats.
       or
• For hh:mm:ss, specify the time in hours (24-hour format), minutes, and seconds. The time specified is relative to the configured time zone.
• For day, specify the day by date in the month.
• For month, specify the month by name.

Command                                    Purpose
Step 4 show running-config                 Verify your entries.
Step 5 copy running-config startup-config  (Optional) Save your entries in the configuration file.
The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a fraction of an hour different from UTC. For example, the time zone for some sections of Atlantic Canada (AST) is UTC-3.5, that is, 3 hours and 30 minutes behind UTC.

Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):
Command                                                                         Purpose
Step 1 configure terminal                                                       Enter global configuration mode.
Step 2 clock summer-time zone date [month date year hh:mm month date year hh:mm  Configure summer time to start on the first date and end on the second date.

Configuring a System Name and Prompt
For complete syntax and usage information for the commands used in this section, from the Cisco.com page, select Documentation > Cisco IOS Software > 12.2 Mainline > Command References and see the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols.

To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the hostnames, specify the name server that is present on your network, and enable the DNS.

Command                                    Purpose
Step 5 end                                 Return to privileged EXEC mode.
Step 6 show running-config                 Verify your entries.
Step 7 copy running-config startup-config  (Optional) Save your entries in the configuration file.
If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.

Creating a Banner
Configuring a Message-of-the-Day Login Banner
You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Both the MOTD and the login banner are shown before the user authenticates, so keep software versions, site details and contact information out of them. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:
Command                         Purpose
Step 1 configure terminal       Enter global configuration mode.
Step 2 banner motd c message c  Specify the message of the day.

Configuring a Login Banner
You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner:
Command                          Purpose
Step 1 configure terminal        Enter global configuration mode.
Step 2 banner login c message c  Specify the login message.

Managing the MAC Address Table
These sections contain this configuration information:
• Building the Address Table, page 7-20
• MAC Addresses and VLANs, page 7-20
• MAC Addresses and Switch Stacks, page 7-21
• Default MAC Address Table Configuration, page 7-21
• Changing the Address Aging Time, page 7-21
• Removing Dynamic Address Entries, page 7-22
• Configuring MAC Address Change Notification Traps, page 7-22
• Configuring MAC Address Move Notification
When private VLANs are configured, address learning depends on the type of MAC address:
• Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated VLANs. For example, a MAC address learned in a private-VLAN secondary VLAN is replicated in the primary VLAN.
• Static MAC addresses configured in a primary or secondary VLAN are not replicated in the associated VLANs.

Beginning in privileged EXEC mode, follow these steps to configure the dynamic address table aging time:
Command                                                               Purpose
Step 1 configure terminal                                             Enter global configuration mode.
Step 2 mac address-table aging-time [0 | 10-1000000] [vlan vlan-id]  Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated. The range is 10 to 1000000 seconds. The default is 300.

Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address change notification traps to an NMS host:
Command                                                                                              Purpose
Step 1 configure terminal                                                                            Enter global configuration mode.
Step 2 snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type  Specify the recipient of the trap message.
• For host-addr, specify the name or address of the NMS.
Prefer version 3 with authentication and privacy; with version 1 or 2c the community string and the notification contents cross the network in cleartext.

Command                                                      Purpose
Step 9 show mac address-table notification change interface  Verify your entries.
       show running-config
Step 10 copy running-config startup-config                   (Optional) Save your entries in the configuration file.
To disable MAC address-change notification traps, use the no snmp-server enable traps mac-notification change global configuration command.

Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address-move notification traps to an NMS host:
Command                                                                                              Purpose
Step 1 configure terminal                                                                            Enter global configuration mode.
Step 2 snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type  Specify the recipient of the trap message.
• For host-addr, specify the name or address of the NMS.

Configuring MAC Threshold Notification Traps
When you configure MAC threshold notification, an SNMP notification is generated and sent to the network management system when a MAC address table threshold limit is reached or exceeded.

To disable MAC address-threshold notification traps, use the no snmp-server enable traps mac-notification threshold global configuration command. To disable the MAC address-threshold notification feature, use the no mac address-table notification threshold global configuration command. This example shows how to specify 172.20.10.

Beginning in privileged EXEC mode, follow these steps to add a static address:
Command                                                                     Purpose
Step 1 configure terminal                                                   Enter global configuration mode.
Step 2 mac address-table static mac-addr vlan vlan-id interface interface-id  Add a static address to the MAC address table.
• For mac-addr, specify the destination MAC unicast address to add to the address table.

• If you add a unicast MAC address as a static address and configure unicast MAC address filtering, the switch either adds the MAC address as a static address or drops packets with that MAC address, depending on which command was entered last. The second command that you entered overrides the first command.

Follow these guidelines when disabling MAC address learning on a VLAN:
• Use caution before disabling MAC address learning on a VLAN with a configured switch virtual interface (SVI). The switch then floods all IP packets in the Layer 2 domain.

Displaying Address Table Entries
You can display the MAC address table by using one or more of the privileged EXEC commands described in Table 7-4:
Table 7-4 Commands for Displaying the MAC Address Table
Command                         Description
show ip igmp snooping groups    Displays the Layer 2 multicast entries for all VLANs or the specified VLAN.
show mac address-table address  Displays MAC address table information for the specified MAC address.
CHAPTER 8 Configuring SDM Templates
The Catalyst 3750 switch command reference has command syntax and usage information. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.

Understanding the SDM Templates
Table 8-1 Approximate Number of Feature Resources Allowed by Each Template for Desktop or Aggregator Switches
                                  Desktop Templates               Aggregator Templates
Resource                          Access  Default  Routing  VLAN  Access  Default  Routing  VLAN
Unicast MAC addresses             4K      6K       3K       12K   6K      6K       6K       12K
IGMP groups and multicast routes  1K      1K       1K       1K    1K      1K       1K       1K
Unicast routes                    6K      8K       11K      0     12K     12K      20K      0
• Directly connected hosts        4K      6K

• Aggregator dual IPv4 and IPv6 VLAN template—supports basic Layer 2, multicast, QoS, and ACLs for IPv4, and basic Layer 2 and ACLs for IPv6 on Catalyst 3750-12S switches.
Note An IPv4 route requires only one TCAM entry. Because of the hardware compression scheme used for IPv6, an IPv6 route can take more than one TCAM entry, reducing the number of entries forwarded in hardware.
Table 8-2

If the stack master is a Catalyst 3750-12S switch using an aggregator template and a new stack member is not a Catalyst 3750-12S, the stack member is not able to support the template that is running on the stack master. The switch attempting to join the stack goes into SDM mismatch mode, the stack master does not attempt to change the SDM template, and the switch cannot be a functioning member of the stack.

Configuring the Switch SDM Template
SDM Template Configuration Guidelines
• When you select and configure SDM templates, you must reload the switch for the configuration to take effect.
• Use the sdm prefer vlan global configuration command only on switches intended for Layer 2 switching with no routing. When you use the VLAN template, no system resources are reserved for routing entries, and any routing is done through software.

Setting the SDM Template
Beginning in privileged EXEC mode, follow these steps to use the SDM template to maximize feature usage:
Command                    Purpose
Step 1 configure terminal  Enter global configuration mode.

  number of unicast mac addresses:           3K
  number of igmp groups + multicast routes:  1K
  number of unicast routes:                  11K
    number of directly connected hosts:      3K
    number of indirect routes:               8K
  number of qos aces:                        512
  number of security aces:                   1K
On next reload, template will be "aggregate routing" template.
To return to the default template, use the no sdm prefer global configuration command.

Displaying the SDM Templates
Use the show sdm prefer privileged EXEC command with no parameters to display the active template. Use the show sdm prefer [access | default | dual-ipv4-and-ipv6 {default | vlan | routing} | routing | vlan] [desktop] privileged EXEC command to display the resource numbers supported by the specified template.
Note The desktop keyword is available only on Catalyst 3750-12S aggregator switches.

This is an example of output from the show sdm prefer dual-ipv4-and-ipv6 default command entered on a desktop switch:
Switch# show sdm prefer dual-ipv4-and-ipv6 default
"desktop IPv4 and IPv6 default" template:
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
CHAPTER 9 Configuring Switch-Based Authentication
This chapter describes how to configure switch-based authentication on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

To prevent unauthorized access into your switch, you should configure one or more of these security features:
• At a minimum, you should configure passwords and privileges at each switch port. These passwords are locally stored on the switch. When users attempt to access the switch through a port or line, they must enter the password specified for the port or line before they can access the switch.

Protecting Access to Privileged EXEC Commands
Default Password and Privilege Level Configuration
Table 9-1 shows the default password and privilege level configuration.
Table 9-1 Default Password and Privilege Levels
Feature                              Default Setting
Enable password and privilege level  No password is defined. The default is level 15 (privileged EXEC level). The password is not encrypted in the configuration file.

Protecting Enable and Enable Secret Passwords with Encryption
To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands. Prefer enable secret: it stores a one-way salted MD5 hash (shown as type 5 in the configuration), whereas enable password is stored in cleartext or, with service password-encryption, in the reversible type 7 form, so anyone who can read a saved or transferred configuration can recover it.

If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels.
Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands To re-enable password recovery, use the service password-recovery global configuration command. Note Disabling password recovery will not work if you have set the switch to boot up manually by using the boot manual global configuration command. This command produces the boot loader prompt (switch:) after the switch is power cycled.
Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Configuring Username and Password Pairs You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Configuring Multiple Privilege Levels By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
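The subset rule above is easy to get wrong when several privilege exec level lines interact. The following model, added here as an example and not taken from the guide or from Cisco software, reproduces the rule so an administrator can check which commands a given level can run before changing a switch; the command strings and levels are constructed sample data, and the simplification that an unconfigured command defaults to user EXEC (level 1) is an assumption of the model.

```python
"""Model of Cisco IOS command privilege levels (added example, not Cisco code).

Rule from the guide: setting `show ip traffic` to level 15 also sets `show` and
`show ip` to level 15, unless those prefixes were set individually.
"""
from typing import Dict, List, Tuple

Command = Tuple[str, ...]      # a command line split into words, e.g. ("show", "ip")

USER_EXEC = 1                  # default level for an unconfigured command (model assumption)
PRIV_EXEC = 15


class PrivilegeTable:
    def __init__(self) -> None:
        # Commands given their own `privilege exec level <n> <command>` line
        self.explicit: Dict[Command, int] = {}
        # Prefixes pulled along by a longer command (the "subset" rule)
        self.implied: Dict[Command, int] = {}

    def set_level(self, level: int, command_line: str) -> None:
        """Equivalent of `privilege exec level <level> <command_line>`."""
        if not 0 <= level <= PRIV_EXEC:
            raise ValueError("privilege levels run from 0 to 15")
        cmd = tuple(command_line.split())
        self.explicit[cmd] = level
        # Every proper prefix (`show`, `show ip`) is a syntactic subset of the
        # command and follows it, unless the prefix was set individually.
        for n in range(1, len(cmd)):
            prefix = cmd[:n]
            if prefix not in self.explicit:
                self.implied[prefix] = level

    def level_of(self, command_line: str) -> int:
        """Level required to run the command: explicit first, then implied."""
        cmd = tuple(command_line.split())
        if cmd in self.explicit:
            return self.explicit[cmd]
        if cmd in self.implied:
            return self.implied[cmd]
        return USER_EXEC

    def can_run(self, user_level: int, command_line: str) -> bool:
        """A user may run a command whose level is at or below the user's level."""
        return user_level >= self.level_of(command_line)

    def runnable(self, user_level: int, commands: List[str]) -> List[str]:
        """Filter a candidate command list down to what this level may run."""
        return [c for c in commands if self.can_run(user_level, c)]


if __name__ == "__main__":
    table = PrivilegeTable()
    table.set_level(15, "show ip traffic")   # constructed sample configuration
    table.set_level(5, "show ip")            # individually set: keeps its own level
    for cmd in ("show", "show ip", "show ip traffic", "show version"):
        print(f"{cmd!r:22} level {table.level_of(cmd):2}  "
              f"runnable at level 5: {table.can_run(5, cmd)}")
```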
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+

Logging into and Exiting a Privilege Level

Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:

Step 1
  Command: enable level
  Purpose: Log in to a specified privilege level. For level, the range is 0 to 15.
Step 2
  Command: disable level
  Purpose: Exit to a specified privilege level. For level, the range is 0 to 15.
The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers. A network access server provides connections to a single user, to a network or subnetwork, and to interconnected networks as shown in Figure 9-1.

The TACACS+ protocol provides authentication between the switch and the TACACS+ daemon, and it ensures confidentiality because all protocol exchanges between the switch and the TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your switch.

Configuring TACACS+

This section describes how to configure your switch to support TACACS+. At a minimum, you must identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+ authentication. You can optionally define method lists for TACACS+ authorization and accounting.
Beginning in privileged EXEC mode, follow these steps to identify the IP host or hosts maintaining a TACACS+ server and optionally set the encryption key:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: tacacs-server host hostname [port integer] [timeout integer] [key string]
  Purpose: Identify the IP host or hosts maintaining a TACACS+ server.
authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted.

Step 5
  Command: login authentication {default | list-name}
  Purpose: Apply the authentication list to a line or set of lines.
  • If you specify default, use the default list created with the aaa authentication login command.
  • For list-name, specify the list created with the aaa authentication login command.
Step 6
  Command: end
  Purpose: Return to privileged EXEC mode.
Step 7
  Command: show running-config
  Purpose: Verify your entries.

Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for privileged EXEC access and network services:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: aaa authorization network tacacs+
  Purpose: Configure the switch for user TACACS+ authorization for all network-related service requests.
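The method-list walk described above has one consequence worth checking before relying on a local fallback: the switch moves to the next method only when a method does not respond, so an explicit reject from the TACACS+ server ends the attempt and never reaches local. The simulation below is an added example and not Cisco code; the server reachability, the user databases and the method names are constructed sample data.

```python
"""Simulation of AAA login method-list fallback (added example, not Cisco code).

`aaa authentication login default group tacacs+ local` tries the TACACS+ group
first.  Only a method that fails to respond (timeout, unreachable) lets the
switch continue to the next method; an answer, accept or reject, ends the walk.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"      # method answered and accepted the credentials
    FAIL = "fail"      # method answered and rejected the credentials
    ERROR = "error"    # method did not respond


# A method takes (username, password) and returns a Result.
Method = Callable[[str, str], Result]


def make_tacacs_method(reachable: bool, users: Dict[str, str]) -> Method:
    """Constructed stand-in for `group tacacs+`: unreachable servers time out."""
    def method(user: str, pw: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(user) == pw else Result.FAIL
    return method


def make_local_method(users: Dict[str, str]) -> Method:
    """Stand-in for the `local` method: the switch's own username database."""
    def method(user: str, pw: str) -> Result:
        return Result.PASS if users.get(user) == pw else Result.FAIL
    return method


def authenticate(method_list: List[Tuple[str, Method]],
                 user: str, pw: str) -> Tuple[bool, List[str]]:
    """Walk the method list; return (authenticated, trace of methods consulted)."""
    trace: List[str] = []
    for name, method in method_list:
        result = method(user, pw)
        trace.append(f"{name}:{result.value}")
        if result is Result.ERROR:
            continue                          # no response: try the next method
        return result is Result.PASS, trace   # any real answer ends the walk
    # Every method was exhausted without a response: access is denied.
    return False, trace


if __name__ == "__main__":
    server_users = {"netops": "s3cret"}       # constructed TACACS+ user database
    local_users = {"admin": "fallback"}       # constructed local username database
    for reachable in (True, False):
        methods = [("tacacs+", make_tacacs_method(reachable, server_users)),
                   ("local", make_local_method(local_users))]
        for user, pw in (("netops", "s3cret"), ("admin", "fallback")):
            ok, trace = authenticate(methods, user, pw)
            print(f"server reachable={reachable!s:5} {user:7} -> {ok!s:5} via {trace}")
```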
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS

Establishing a Session with a Router if the AAA Server is Unreachable

The aaa accounting system guarantee-first command guarantees system accounting as the first record, which is the default condition. In some situations, users might be prevented from starting a session on the console or terminal connection until after the system reloads, which can take more than 3 minutes.
Use RADIUS in these network environments that require access security:
• Networks with multiple-vendor access servers, each supporting RADIUS. For example, access servers from several vendors use a single RADIUS server-based security database.

RADIUS Operation

When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:
1. The user is prompted to enter a username and password.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The user receives one of these responses from the RADIUS server:
   a. ACCEPT—The user is authenticated.
   b.

This feature is integrated with the Cisco Secure Access Control Server (ACS) 5.1. For information about ACS: http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html

The RADIUS interface is enabled by default on Catalyst switches.

Table 9-3 Error-Cause Values
Value  Explanation
201    Residual Session Context Removed
202    Invalid EAP Packet (Ignored)
401    Unsupported Attribute
402    Missing Attribute
403    NAS Identification Mismatch
404    Invalid Request
405    Unsupported Service
406    Unsupported Extension
407    Invalid Attribute Value
501    Administratively Prohibited
502    Request Not Routable (Proxy)
503    Session Context Not Found
504

For disconnect and CoA requests targeted to a particular session, any one of these session identifiers can be used:
• Calling-Station-ID (IETF attribute 31, which should contain the MAC address)
• Audit-Session-ID (Cisco vendor-specific attribute)
• Accounting-Session-ID (IETF attribute 44).

Beginning with Cisco IOS Release 12.2(52)SE, the switch supports the commands shown in Table 9-4.

Table 9-4 CoA Commands Supported on the Switch
Command (1)          Cisco VSA
Reauthenticate host  Cisco:Avpair="subscriber:command=reauthenticate"
Terminate session    This is a standard disconnect request that does not require a VSA.
Session Termination

There are three types of CoA requests that can trigger session termination. A CoA Disconnect-Request terminates the session, without disabling the host port. This command causes re-initialization of the authenticator state machine for the specified host, but does not restrict that host's access to the network.

Because this command is session-oriented, it must be accompanied by one or more of the session identification attributes described in the "Session Identification" section on page 9-22. If the session cannot be located, the switch returns a CoA-NAK message with the "Session Context Not Found" error-code attribute.
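The session lookup and the NAK behaviour described here (and the identifiers and Error-Cause values from Tables 9-3 and 9-4) can be modelled to verify what a CoA client should expect from the switch. This is an added example and not Cisco code; the session table, port names, session IDs and MAC addresses are constructed, and the choice to reject an unrecognised CoA command with Error-Cause 401 is an assumption of the model rather than documented behaviour.

```python
"""Model of how the switch matches a RADIUS CoA or Disconnect request to a session
(added example, not Cisco code).  Any one of the three session identifiers from the
guide is enough to locate the session; a request naming no known session gets a
NAK carrying Error-Cause 503 "Session Context Not Found".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Error-Cause values from Table 9-3
ERR_UNSUPPORTED_ATTRIBUTE = 401
ERR_MISSING_ATTRIBUTE = 402
ERR_SESSION_CONTEXT_NOT_FOUND = 503

# Cisco VSA value for the "reauthenticate host" command from Table 9-4
REAUTHENTICATE_VSA = "subscriber:command=reauthenticate"

SESSION_ID_ATTRS = ("Calling-Station-Id", "Audit-Session-Id", "Acct-Session-Id")


def norm_mac(mac: str) -> str:
    """Accept the usual Calling-Station-Id spellings (aa-bb-.., aabb.ccdd.., aa:bb:..)."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


@dataclass
class Session:
    port: str
    calling_station_id: str    # MAC address of the authenticated host
    audit_session_id: str      # Cisco vendor-specific attribute
    acct_session_id: str       # IETF attribute 44
    reauth_pending: bool = False


@dataclass
class Response:
    code: str                          # e.g. "CoA-ACK", "Disconnect-NAK"
    error_cause: Optional[int] = None  # set only on a NAK
    port: Optional[str] = None         # port of the affected session on an ACK


def find_session(sessions: List[Session], attrs: Dict[str, str]) -> Optional[Session]:
    """Match on whichever identifier the request carries; the first hit wins."""
    for s in sessions:
        if "Calling-Station-Id" in attrs and \
                norm_mac(attrs["Calling-Station-Id"]) == norm_mac(s.calling_station_id):
            return s
        if attrs.get("Audit-Session-Id") == s.audit_session_id:
            return s
        if attrs.get("Acct-Session-Id") == s.acct_session_id:
            return s
    return None


def handle_request(sessions: List[Session], code: str, attrs: Dict[str, str]) -> Response:
    """Process a Disconnect-Request or CoA-Request and return the switch's reply."""
    if code not in ("Disconnect-Request", "CoA-Request"):
        raise ValueError(f"not a dynamic-authorization request: {code}")
    ack = code.replace("Request", "ACK")
    nak = code.replace("Request", "NAK")
    # A session-oriented request must carry at least one session identifier
    if not any(k in attrs for k in SESSION_ID_ATTRS):
        return Response(nak, ERR_MISSING_ATTRIBUTE)
    session = find_session(sessions, attrs)
    if session is None:
        return Response(nak, ERR_SESSION_CONTEXT_NOT_FOUND)
    if code == "Disconnect-Request":
        sessions.remove(session)          # session ends; the host port stays enabled
        return Response(ack, port=session.port)
    if attrs.get("Cisco-AVPair") == REAUTHENTICATE_VSA:
        session.reauth_pending = True     # authenticator state machine re-runs
        return Response(ack, port=session.port)
    # Model assumption (not from the guide): unknown CoA commands are rejected as 401
    return Response(nak, ERR_UNSUPPORTED_ATTRIBUTE)


def sample_sessions() -> List[Session]:
    """Constructed session table; IDs and MACs are invented for the example."""
    return [Session("Gi1/0/1", "00-11-22-33-44-55", "AC1000010000000A0000B1C2", "00000012"),
            Session("Gi1/0/2", "66-77-88-99-AA-BB", "AC1000010000000B0000B1C3", "00000013")]


if __name__ == "__main__":
    table = sample_sessions()
    print(handle_request(table, "Disconnect-Request", {"Calling-Station-Id": "0011.2233.4455"}))
    print(handle_request(table, "CoA-Request", {"Acct-Session-Id": "00000013",
                                                 "Cisco-AVPair": REAUTHENTICATE_VSA}))
    print(handle_request(table, "CoA-Request", {"Audit-Session-Id": "unknown",
                                                 "Cisco-AVPair": REAUTHENTICATE_VSA}))
```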
Configuring RADIUS

This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.

Identifying the RADIUS Server Host

Switch-to-RADIUS-server communication involves several components:
• Hostname or IP address
• Authentication destination port
• Accounting destination port
• Key string
• Timeout period
• Retransmission value

You identify RADIUS security servers by their hostname or IP address, hostname and specific UDP port numbers, or their IP address and specific UDP port numbers.

Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.

This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting:

Switch(config)# radius-server host host1

Note: You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.

Step 3
  Command: aaa authentication login {default | list-name} method1 [method2...]
  Purpose: Create a login authentication method list.
  • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.

Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.

Step 8
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.
Step 9
  Enable RADIUS login authentication. See the "Configuring RADIUS Login Authentication" section on page 9-30.

To remove the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.

Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: aaa authorization network radius
  Purpose: Configure the switch for user RADIUS authorization for all network-related service requests.
Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes. The full set of features available for TACACS+ authorization can then be used for RADIUS.

Note: For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, see the "RADIUS Attributes" appendix in the Cisco IOS Security Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.

Configuring CoA on the Switch

Beginning in privileged EXEC mode, follow these steps to configure CoA on a switch. This procedure is required.

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: aaa new-model
  Purpose: Enable AAA.
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos

Monitoring and Troubleshooting CoA Functionality

Use these Cisco IOS commands to monitor and troubleshoot CoA functionality on the switch:
• debug radius
• debug aaa coa
• debug aaa pod
• debug aaa subsys
• debug cmdhd [detail | error | events]
• show aaa attributes protocol radius

Configuring RADIUS Server Load Balancing

This feature allows access and authentication requests to be evenly distributed across all RADI
Understanding Kerberos

Kerberos is a secret-key network authentication protocol, which was developed at the Massachusetts Institute of Technology (MIT). It uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication and authenticates requests for network resources. Kerberos uses the concept of a trusted third party to perform secure verification of users and services.

Table 9-5 Kerberos Terms (continued)
Term: Instance
Definition: An authorization level label for Kerberos principals. Most Kerberos principals are of the form user@REALM (for example, smith@EXAMPLE.COM). A Kerberos principal with a Kerberos instance has the form user/instance@REALM (for example, smith/admin@EXAMPLE.COM).

Kerberos Operation

A Kerberos server can be a Catalyst 3750 switch that is configured as a network security server and that can authenticate remote users by using the Kerberos protocol. Although you can customize Kerberos in a number of ways, remote users attempting to access network services must pass through three layers of security before they can access network services.
Chapter 9 Configuring Switch-Based Authentication Configuring the Switch for Local Authentication and Authorization

Authenticating to Network Services

This section describes the third layer of security through which a remote user must pass. The user with a TGT must now authenticate to the network services in a Kerberos realm.
Chapter 9 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell

Step 3
  Command: aaa authentication login default local
  Purpose: Set the login authentication to use the local username database. The default keyword applies the local user database authentication to all ports.
Step 4
  Command: aaa authorization exec local
  Purpose: Configure user AAA authorization, check the local database, and allow the user to run an EXEC shell.
• Displaying the SSH Configuration and Status, page 9-50

For SSH configuration examples, see the "SSH Configuration Examples" section in the "Configuring Secure Shell" chapter of the Cisco IOS Security Configuration Guide, Cisco IOS Release 12.2: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfssh.

Note: This software release does not support IP Security (IPSec).

Limitations

These limitations apply to SSH:
• The switch supports Rivest, Shamir, and Adleman (RSA) authentication.
• SSH supports only the execution-shell application.
• The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data encryption software.

Setting Up the Switch to Run SSH

Follow these steps to set up your switch to run SSH:
1. Download the cryptographic software image from Cisco.com. This step is required. For more information, see the release notes for this release.
2. Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server.
3.

Configuring the SSH Server

Beginning in privileged EXEC mode, follow these steps to configure the SSH server:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: ip ssh version [1 | 2]
  Purpose: (Optional) Configure the switch to run SSH Version 1 or SSH Version 2.
  • 1—Configure the switch to run SSH Version 1.
  • 2—Configure the switch to run SSH Version 2.
Chapter 9 Configuring Switch-Based Authentication Configuring the Switch for Secure Socket Layer HTTP

Displaying the SSH Configuration and Status

To display the SSH server configuration and status, use one or more of the privileged EXEC commands in Table 9-6:

Table 9-6 Commands for Displaying the SSH Server Configuration and Status
Command      Purpose
show ip ssh  Shows the version and configuration information for the SSH server.
show ssh     Shows the status of the SSH server.
Understanding Secure HTTP Servers and Clients

On a secure HTTP connection, data to and from an HTTP server is encrypted before being sent over the Internet. HTTP with SSL encryption provides a secure connection to allow such functions as configuring a switch from a Web browser. Cisco's implementation of the secure HTTP server and secure HTTP client uses an implementation of SSL Version 3.

If a self-signed certificate has been generated, this information is included in the output of the show running-config privileged EXEC command. This is a partial sample output from that command displaying a self-signed certificate.

Switch# show running-config
Building configuration...

The more secure and more complex CipherSuites require slightly more processing time. This list defines the CipherSuites supported by the switch and ranks them from fastest to slowest in terms of router processing load (speed):
1. SSL_RSA_WITH_DES_CBC_SHA—RSA key exchange (RSA Public Key Cryptography) with DES-CBC for message encryption and SHA for message digest
2.

Configuring a CA Trustpoint

For secure HTTP connections, we recommend that you configure an official CA trustpoint. A CA trustpoint is more secure than a self-signed certificate. Beginning in privileged EXEC mode, follow these steps to configure a CA trustpoint:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.

Configuring the Secure HTTP Server

If you are using a certificate authority for certification, you should use the previous procedure to configure the CA trustpoint on the switch before enabling the HTTP server. If you have not configured a CA trustpoint, a self-signed certificate is generated the first time that you enable the secure HTTP server.

Step 11
  Command: ip http timeout-policy idle seconds life seconds requests value
  Purpose: (Optional) Specify how long a connection to the HTTP server can remain open under the defined circumstances:
  • idle—the maximum time period when no data is received or response data cannot be sent. The range is 1 to 600 seconds. The default is 180 seconds (3 minutes).
Chapter 9 Configuring Switch-Based Authentication Configuring the Switch for Secure Copy Protocol

Step 4
  Command: end
  Purpose: Return to privileged EXEC mode.
Step 5
  Command: show ip http client secure status
  Purpose: Display the status of the HTTP secure server to verify the configuration.
Step 6
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.

Use the no ip http client secure-trustpoint name to remove a client trustpoint configuration.
Information About Secure Copy

To configure the Secure Copy feature, you should understand these concepts. The behavior of SCP is similar to that of remote copy (rcp), which comes from the Berkeley r-tools suite, except that SCP relies on SSH for security.
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

IEEE 802.1x port-based authentication prevents unauthorized devices (clients) from gaining access to the network. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. The Catalyst 3750 switch command reference and the "RADIUS Commands" section in the Cisco IOS Security Command Reference, Release 12.2, have command syntax and usage information.
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication

• Authentication Manager, page 10-8
• Ports in Authorized and Unauthorized States, page 10-11
• 802.1x Authentication and Switch Stacks, page 10-12
• 802.1x Host Mode, page 10-13
• Multidomain Authentication, page 10-13
• 802.1x Multiple Authentication Mode, page 10-14
• MAC Move, page 10-15
• MAC Replace, page 10-16
• 802.1x Accounting, page 10-17
• 802.
Device Roles

Device roles with 802.1x port-based authentication:

Figure 10-1 802.1x Device Roles [figure: authentication server (RADIUS), switch, workstations (clients)]

• Client—the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running 802.

Authentication Process

When 802.1x port-based authentication is enabled and the client supports 802.1x-compliant client software, these events occur:
• If the client identity is valid and the 802.1x authentication succeeds, the switch grants the client access to the network.
• If 802.

Figure 10-2 shows the authentication process.

Figure 10-2 Authentication Flowchart [flowchart; nodes: Start; Is the client IEEE 802.1x capable?; Start IEEE 802.1x port-based authentication; The switch gets an EAPOL message, and the EAPOL message exchange begins; Client identity is invalid; IEEE 802.1x authentication process times out; Is MAC authentication bypass enabled?]

The Termination-Action RADIUS attribute (Attribute [29]) specifies the action to take during re-authentication. The actions are Initialize and ReAuthenticate. When the Initialize action is set (the attribute value is DEFAULT), the 802.1x session ends, and connectivity is lost during re-authentication.

Figure 10-3 Message Exchange [figure: client, switch, authentication server (RADIUS)]
Client to switch: EAPOL-Start
Switch to client: EAP-Request/Identity
Client to switch: EAP-Response/Identity; switch to server: RADIUS Access-Request
Server to switch: RADIUS Access-Challenge; switch to client: EAP-Request/OTP
Client to switch: EAP-Response/OTP; switch to server: RADIUS Access-Request
Server to switch: RADIUS Access-Accept; switch to client: EAP-Success
Port Authorized
Client to switch: EAPOL-Logoff
Port Unauthorized

If 802.

Authentication Manager

In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including CLI commands and messages, on this switch and also on other network devices, such as a Catalyst 6000. You had to use separate authentication configurations. Cisco IOS Release 12.

Table 10-1 802.

Authentication Manager CLI Commands

The authentication-manager interface-configuration commands control all the authentication methods, such as 802.1x, MAC authentication bypass, and web authentication. The authentication manager commands determine the priority and order of authentication methods applied to a connected host.

Table 10-2 Authentication Manager Commands and Earlier 802.1x Commands (continued)
The authentication manager commands in Cisco IOS Release 12.2(50)SE or later: authentication timer
The equivalent 802.1x commands in Cisco IOS Release 12.2(46)SE and earlier: dot1x timeout
Description: Set the timers.

• auto—enables 802.1x authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-start frame is received.

802.1x Host Mode

You can configure an 802.1x port for single-host or for multiple-hosts mode. In single-host mode (see Figure 10-1 on page 10-3), only one client can be connected to the 802.1x-enabled switch port. The switch detects the client by sending an EAPOL frame when the port link state changes to the up state.

Note: If you use a dynamic VLAN to assign a voice VLAN on an MDA-enabled switch port on a switch running Cisco IOS Release 12.2(37)SE, the voice device fails authorization.

• To authorize a voice device, the AAA server must be configured to send a Cisco Attribute-Value (AV) pair attribute with a value of device-traffic-class=voice.
If a hub or access point is connected to an 802.1x-enabled port, each connected client must be authenticated. For non-802.1x devices, you can use MAC authentication bypass or web authentication as the per-host authentication fallback method to authenticate different hosts with different methods on a single port. There is no limit to the number of data hosts that can authenticate on a multiauth port.

You can globally enable MAC move so the device is reauthenticated on the new port. When a host moves to a second port, the session on the first port is deleted, and the host is reauthenticated on the new port. MAC move is supported on all host modes. (The authenticated host can move to any port on the switch, no matter which host mode is enabled on that port.)
802.1x Accounting

The 802.1x standard defines how users are authorized and authenticated for network access but does not keep track of network usage. 802.1x accounting is disabled by default. You can enable 802.1x accounting to monitor this activity on 802.1x-enabled ports:
• User successfully authenticates.
• User logs off.
• Link-down occurs.
• Re-authentication successfully occurs.

Table 10-3 Accounting AV Pairs (continued)
Attribute Number  AV Pair Name          START   INTERIM  STOP
Attribute[49]     Acct-Terminate-Cause  Never   Never    Always
Attribute[61]     NAS-Port-Type         Always  Always   Always
1. The Framed-IP-Address AV pair is sent only if a valid Dynamic Host Control Protocol (DHCP) binding exists for the host in the DHCP snooping bindings table.

When configured on the switch and the RADIUS server, 802.1x authentication with VLAN assignment has these characteristics:
• If no VLAN is supplied by the RADIUS server or if 802.1x authentication is disabled, the port is configured in its access VLAN after successful authentication. Recall that an access VLAN is a VLAN assigned to an access port.

– [81] Tunnel-Private-Group-ID = VLAN name, VLAN ID, or VLAN-Group
– [83] Tunnel-Preference

Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the 802.1x-authenticated user.
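A RADIUS server operator can check an Access-Accept against the three attribute requirements above before the switch has to. The validator below is an added example and not Cisco code; it also handles the optional RFC 2868 tag byte that tunnel attributes may carry, which the guide does not discuss, and all attribute sets in it are constructed sample data.

```python
"""Validate the RADIUS Access-Accept attributes the guide requires for 802.1x VLAN
assignment (added example, not Cisco code).

[64] Tunnel-Type must be VLAN (13), [65] Tunnel-Medium-Type must be 802 (6), and
[81] Tunnel-Private-Group-ID carries the VLAN name or VLAN ID.  If any of the three
is missing or wrong, the switch leaves the port in its access VLAN.
"""
from typing import List, Optional, Tuple, Union

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13       # value the guide requires in attribute [64]
TUNNEL_MEDIUM_802 = 6       # value the guide requires in attribute [65]

# An attribute as (number, raw value bytes), in the order it appears in the packet
Attribute = Tuple[int, bytes]


def strip_tag(value: bytes) -> bytes:
    """RFC 2868: tunnel attributes may start with a tag octet in 0x01..0x1F.

    A first octet of 0x00 or above 0x1F means the value is untagged and the
    octet is part of the data.  (Not covered by the guide; added here.)
    """
    if value and 0x01 <= value[0] <= 0x1F:
        return value[1:]
    return value


def vlan_from_access_accept(attrs: List[Attribute]) -> Optional[Union[int, str]]:
    """Return the VLAN ID (int) or VLAN name (str) the Access-Accept assigns.

    Returns None when the three attributes do not together form a valid
    assignment, which is the case in which the port stays in its access VLAN.
    """
    tunnel_type = medium = None
    group: Optional[str] = None
    for number, raw in attrs:
        value = strip_tag(raw)
        if number == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(value, "big")
        elif number == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(value, "big")
        elif number == TUNNEL_PRIVATE_GROUP_ID:
            try:
                group = value.decode("ascii")
            except UnicodeDecodeError:
                return None          # a VLAN name or ID is always printable ASCII
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_802 or not group:
        return None
    if group.isdigit():
        vid = int(group)
        return vid if 1 <= vid <= 4094 else None   # valid IEEE 802.1Q VLAN ID range
    return group                                   # a VLAN name, resolved by the switch


if __name__ == "__main__":
    # Constructed Access-Accept with tagged tunnel attributes assigning VLAN 10
    tagged = [(TUNNEL_TYPE, b"\x01\x00\x00\x0d"),
              (TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x06"),
              (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"10")]
    # Constructed Access-Accept assigning a VLAN by name, untagged
    named = [(TUNNEL_TYPE, b"\x00\x00\x00\x0d"),
             (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
             (TUNNEL_PRIVATE_GROUP_ID, b"ENGINEERING")]
    print(vlan_from_access_accept(tagged), vlan_from_access_accept(named))
```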
To configure per-user ACLs, you need to perform these tasks:
• Enable AAA authentication.
• Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server.
• Enable 802.1x authentication.
• Configure the user profile and VSAs on the RADIUS server.
• Configure the 802.1x port for single-host mode.
If there is no static ACL on a port in open authentication mode:
• An auth-default-ACL-OPEN is created and allows all traffic.
• Policies are enforced with IP address insertion to prevent security breaches.
• Web authentication is subject to the auth-default-ACL-OPEN.
To control access for hosts with no authorization policy, you can configure a directive.
Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs
You can set the CiscoSecure-Defined-ACL Attribute-Value pair on the Cisco Secure ACS with the RADIUS cisco-av-pair vendor-specific attributes (VSAs). This pair specifies the names of the downloadable ACLs on the Cisco Secure ACS with the #ACL#-IP-name-number attribute.
• The name is the ACL name.
The switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an 802.1x-capable supplicant, and the interface does not change to the guest VLAN state. EAPOL history is cleared if the interface link status goes down.
Note You can configure a VLAN to be both the guest VLAN and the restricted VLAN if you want to provide the same services to both types of users.
Without this feature, the client attempts and fails authentication indefinitely, and the switch port remains in the spanning-tree blocking state.
Support on Multiple-Authentication Ports
To support inaccessible bypass on multiple-authentication (multiauth) ports, you can use the authentication event server dead action reinitialize vlan vlan-id interface configuration command. When a new host tries to connect to the critical port, that port is reinitialized and all the connected hosts are moved to the user-specified access VLAN.
• Private VLAN—You can configure inaccessible authentication bypass on a private VLAN host port. The access VLAN must be a secondary private VLAN.
• Voice VLAN—Inaccessible authentication bypass is compatible with voice VLAN, but the RADIUS-configured or user-specified access VLAN and the voice VLAN must be different.
Note If you enable 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
For more information about voice VLANs, see Chapter 15, “Configuring Voice VLAN.”
802.1x Authentication with Port Security
You can configure an 802.
For more information about enabling port security on your switch, see the “Configuring Port Security” section on page 25-9.
802.1x Authentication with Wake-on-LAN
The 802.1x authentication with the wake-on-LAN (WoL) feature allows dormant PCs to be powered when the switch receives a specific Ethernet frame, known as the magic packet.
If the switch already authorized a port by using MAC authentication bypass and detects an 802.1x supplicant, the switch does not unauthorize the client connected to the port. When re-authentication occurs, the switch uses 802.1x authentication as the preferred re-authentication process if the previous session ended because the Termination-Action RADIUS attribute value is DEFAULT.
802.1x User Distribution
You can configure 802.1x user distribution to load-balance users with the same group name across multiple different VLANs. The VLANs are either supplied by the RADIUS server or configured through the switch CLI under a VLAN group name.
• Configure the RADIUS server to send more than one VLAN name for a user.
Network Admission Control Layer 2 802.1x Validation
The switch supports the Network Admission Control (NAC) Layer 2 802.1x validation, which checks the antivirus condition or posture of endpoint systems or clients before granting the devices network access. With NAC Layer 2 802.
• Multiple-hosts mode with open authentication–Any host can access the network.
• Multiple-authentication mode with open authentication–Similar to MDA, except multiple hosts can be authenticated.
For more information see the “Configuring the Host Mode” section on page 10-46.
Using Voice Aware 802.1x Security
You use the voice aware 802.
Use the dot1x supplicant force-multicast global configuration command on the supplicant switch for Network Edge Access Topology (NEAT) to work in all host modes.
• Host Authorization: Ensures that only traffic from authorized hosts (connecting to the switch with supplicant) is allowed on the network.
• ACLs that you configure
• ACLs from the Access Control Server (ACS)
An IEEE 802.1x port in single-host mode uses ACLs from the ACS to provide different levels of service to an IEEE 802.1x-authenticated user. When the RADIUS server authenticates this type of user and port, it sends ACL attributes based on the user identity to the switch.
Configuring 802.1x Authentication
These sections contain this configuration information:
• Default 802.1x Authentication Configuration, page 10-37
• 802.1x Authentication Configuration Guidelines, page 10-38
• Configuring 802.1x Readiness Check, page 10-40 (optional)
• Configuring Voice Aware 802.1x Security, page 10-41 (optional)
• Configuring 802.
Default 802.1x Authentication Configuration
Table 10-4 shows the default 802.1x authentication configuration.
Table 10-4 Default 802.1x Authentication Configuration
Feature | Default Setting
Switch 802.1x enable state | Disabled.
Per-port 802.1x enable state | Disabled (force-authorized). The port sends and receives normal traffic without 802.1x-based authentication of the client.
AAA | Disabled.
Table 10-4 Default 802.1x Authentication Configuration (continued)
Feature | Default Setting
MAC authentication bypass | Disabled.
Voice-aware security | Disabled.
802.1x Authentication Configuration Guidelines
This section has configuration guidelines for these features:
• 802.
– EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an 802.1x port. If you try to enable 802.1x authentication on an EtherChannel port, an error message appears, and 802.1x authentication is not enabled.
– Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable 802.
MAC Authentication Bypass
• Unless otherwise stated, the MAC authentication bypass guidelines are the same as the 802.1x authentication guidelines. For more information, see the “802.1x Authentication” section on page 10-38.
• If you disable MAC authentication bypass from a port after the port has been authorized with its MAC address, the port state is not affected.
Beginning in privileged EXEC mode, follow these steps to enable the 802.1x readiness check on the switch:
Step 1: dot1x test eapol-capable [interface interface-id] - Enable the 802.1x readiness check on the switch. (Optional) For interface-id, specify the port on which to check for 802.1x readiness.
Note If you omit the optional interface keyword, all interfaces on the switch are tested.
Beginning in privileged EXEC mode, follow these steps to enable voice aware 802.1x security:
Step 1: configure terminal - Enter global configuration mode.
Step 2: errdisable detect cause security-violation shutdown vlan - Shut down any VLAN on which a security violation error occurs.
Step 3: errdisable recovery cause security-violation - (Optional) Enable automatic per-VLAN error recovery.
Step 3: aaa authentication dot1x {default} method1 - Create an 802.1x authentication method list. To create a default list to use when a named list is not specified in the authentication command, use the default keyword followed by the method that is to be used in default situations. The default method list is automatically applied to all ports.
Step 7: The user disconnects from the port.
Step 8: The switch sends a stop message to the accounting server.
Beginning in privileged EXEC mode, follow these steps to configure 802.1x port-based authentication:
Step 1: configure terminal - Enter global configuration mode.
Step 2: aaa new-model - Enable AAA.
Step 3: aaa authentication dot1x {default} method1 - Create an 802.
Configuring the Switch-to-RADIUS-Server Communication
RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.
You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.
Configuring the Host Mode
Beginning in privileged EXEC mode, follow these steps to allow a single host (client) or multiple hosts on an 802.1x-authorized port.
Step 7: show authentication interface interface-id or show dot1x interface interface-id - Verify your entries.
Step 8: copy running-config startup-config - (Optional) Save your entries in the configuration file.
To disable multiple hosts on the port, use the no authentication host-mode or the no dot1x host-mode multi-host interface configuration command.
This example shows how to enable 802.
Step 4: authentication timer {{[inactivity | reauthenticate]} {restart value}} - Set the number of seconds between re-authentication attempts.
Changing the Quiet Period
When the switch cannot authenticate the client, the switch remains idle for a set period of time and then tries again. The dot1x timeout quiet-period interface configuration command controls the idle period. A failed client authentication might occur because the client provided an invalid password.
Step 3: dot1x timeout tx-period seconds - Set the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request. The range is 1 to 65535 seconds; the default is 5.
Step 4: end - Return to privileged EXEC mode.
Step 5: show authentication interface interface-id - Verify your entries.
This example shows how to set 5 as the number of times that the switch sends an EAP-request/identity request before restarting the authentication process:
Switch(config-if)# dot1x max-req 5
Setting the Re-Authentication Number
You can also change the number of times that the switch restarts the authentication process before the port changes to the unauthorized state.
Beginning in privileged EXEC mode, follow these steps to globally enable MAC move on the switch. This procedure is optional.
Step 1: configure terminal - Enter global configuration mode.
Step 2: authentication mac-move permit - Enable MAC move on the switch.
Step 3: end - Return to privileged EXEC mode.
Step 4: show running-config - (Optional) Verify your entries.
Configuring 802.1x Accounting
Enabling AAA system accounting with 802.1x accounting allows system reload events to be sent to the accounting RADIUS server for logging. The server can then infer that all active 802.1x sessions are closed. Because RADIUS uses the unreliable UDP transport protocol, accounting messages might be lost due to poor network conditions.
Configuring a Guest VLAN
When you configure a guest VLAN, clients that are not 802.1x-capable are put into the guest VLAN when the server does not receive a response to its EAP request/identity frame. Clients that are 802.1x-capable but that fail authentication are not granted network access. The switch supports guest VLANs in single-host or multiple-hosts mode.
Configuring a Restricted VLAN
When you configure a restricted VLAN on a switch stack or a switch, clients that are 802.1x-compliant are moved into the restricted VLAN when the authentication server does not receive a valid username and password. The switch supports restricted VLANs only in single-host mode. Beginning in privileged EXEC mode, follow these steps to configure a restricted VLAN.
Beginning in privileged EXEC mode, follow these steps to configure the maximum number of allowed authentication attempts. This procedure is optional.
Step 1: configure terminal - Enter global configuration mode.
Step 2: interface interface-id - Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “802.
Configuring the Inaccessible Authentication Bypass Feature
You can configure the inaccessible bypass feature, also referred to as critical authentication or the AAA fail policy. Beginning in privileged EXEC mode, follow these steps to configure the port as a critical port and enable the inaccessible authentication bypass feature. This procedure is optional.
Step 5: dot1x critical {eapol | recovery delay milliseconds} - (Optional) Configure the parameters for inaccessible authentication bypass: eapol—Specify that the switch sends an EAPOL-Success message when the switch successfully authenticates the critical port.
Switch(config-if)# dot1x critical recovery action reinitialize
Switch(config-if)# dot1x critical vlan 20
Switch(config-if)# end
Configuring 802.1x Authentication with WoL
Beginning in privileged EXEC mode, follow these steps to enable 802.1x authentication with WoL. This procedure is optional.
Step 1: configure terminal - Enter global configuration mode.
Configuring MAC Authentication Bypass
Beginning in privileged EXEC mode, follow these steps to enable MAC authentication bypass. This procedure is optional.
Step 1: configure terminal - Enter global configuration mode.
Step 2: interface interface-id - Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “802.
Configuring 802.1x User Distribution
Beginning in global configuration mode, follow these steps to configure a VLAN group and to map a VLAN to it:
Step 1: vlan group vlan-group-name vlan-list vlan-list - Configure a VLAN group, and map a single VLAN or a range of VLANs to it.
Step 2: show vlan group all vlan-group-name - Verify the configuration.
Configuring NAC Layer 2 802.1x Validation
You can configure NAC Layer 2 802.1x validation, which is also referred to as 802.1x authentication with a RADIUS server. Beginning in privileged EXEC mode, follow these steps to configure NAC Layer 2 802.1x validation. The procedure is optional.
Step 1: configure terminal - Enter global configuration mode.
Configuring an Authenticator and a Supplicant Switch with NEAT
Configuring this feature requires that one switch outside a wiring closet is configured as a supplicant and is connected to an authenticator switch. For overview information, see the “802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT)” section on page 10-33.
Step 5: password password - Create a password for the new username.
Step 6: dot1x supplicant force-multicast - Force the switch to send only multicast EAPOL packets when it receives either unicast or multicast packets. This also allows NEAT to work on the supplicant switch in all host modes.
Configuring Downloadable ACLs
The policies take effect after client authentication and the client IP address addition to the IP device tracking table. The switch then applies the downloadable ACL to the port.
Beginning in privileged EXEC mode:
Step 1: configure terminal - Enter global configuration mode.
Step 2: ip device tracking - Configure the IP device tracking table.
Step 3: interface interface-id - Enter interface configuration mode.
Step 4: ip access-group acl-id in - Configure the default ACL on the port in the input direction.
Note The acl-id is an access list name or number.
Step 5: exit - Return to global configuration mode.
Step 6: aaa new-model - Enable AAA.
Configuring VLAN ID-based MAC Authentication
Beginning in privileged EXEC mode, follow these steps:
Step 1: configure terminal - Enter global configuration mode.
Step 2: mab request format attribute 32 vlan access-vlan - Enable VLAN ID-based MAC authentication.
Step 3: copy running-config startup-config - (Optional) Save your entries in the configuration file.
Configuring Open1x
Beginning in privileged EXEC mode:
Step 1: configure terminal - Enter global configuration mode.
Step 2: interface interface-id - Specify the port to be configured, and enter interface configuration mode.
Step 3: authentication control-direction {both | in} - (Optional) Configure the port control as unidirectional or bidirectional.
Step 3: no dot1x pae - Disable 802.1x authentication on the port.
Step 4: end - Return to privileged EXEC mode.
Step 5: show authentication interface interface-id or show dot1x interface interface-id - Verify your entries.
Step 6: copy running-config startup-config - (Optional) Save your entries in the configuration file.
To configure the port as an 802.
Displaying 802.1x Statistics and Status
To display 802.1x statistics for all ports, use the show dot1x all statistics privileged EXEC command. To display 802.1x statistics for a specific port, use the show dot1x statistics interface interface-id privileged EXEC command. To display the 802.
Chapter 11 Configuring Web-Based Authentication
This chapter describes how to configure web-based authentication. It contains these sections:
• Understanding Web-Based Authentication, page 11-1
• Configuring Web-Based Authentication, page 11-9
• Displaying Web-Based Authentication Status, page 11-17
Note For complete syntax and usage information for the switch commands used in this chapter, refer to the command reference for this release.
Understanding Web-Based Authentication
• Web Authentication Customizable Web Pages, page 11-6
• Web-based Authentication Interactions with Other Features, page 11-7
Device Roles
With web-based authentication, the devices in the network have these specific roles:
• Client—The device (workstation) that requests access to the LAN and the services and responds to requests from the switch.
Session Creation
When web-based authentication detects a new host, it creates a session as follows:
• Reviews the exception list. If the host IP is included in the exception list, the policy from the exception list entry is applied, and the session is established.
Local Web Authentication Banner
You can create a banner that will appear when you log in to a switch by using web authentication. The banner appears on both the login page and the authentication-result pop-up pages.
• Authentication Successful
• Authentication Failed
• Authentication Expired
You create a banner by using the ip admission auth-proxy-banner http global configuration command.
Figure 11-3 Customized Web Banner
If you do not enable a banner, only the username and password dialog boxes appear in the web authentication login screen, and no banner appears when you log into the switch, as shown in Figure 11-4.
Figure 11-4 Login Screen With No Banner
For more information, see the Cisco IOS Security Command Reference and the “Configuring a Web Authentication Local Banner” section on page 11-16.
Web Authentication Customizable Web Pages
During the web-based authentication process, the switch internal HTTP server hosts four HTML pages to deliver to an authenticating client. The server uses these pages to notify you of these four authentication process states:
• Login—Your credentials are requested.
• Success—The login was successful.
• Fail—The login failed.
Figure 11-5 Customizable Authentication Page
For more information, see the “Customizing the Authentication Proxy Web Pages” section on page 11-13.
Web-based Authentication Interactions with Other Features
• Port Security, page 11-7
• LAN Port IP, page 11-8
• Gateway IP, page 11-8
• ACLs, page 11-8
• Context-Based Access Control, page 11-8
• 802.
LAN Port IP
You can configure LAN port IP (LPIP) and Layer 2 web-based authentication on the same port. The host is authenticated by using web-based authentication first, followed by LPIP posture validation. The LPIP host policy overrides the web-based authentication host policy. If the web-based authentication idle timer expires, the NAC policy is removed. The host is authenticated, and posture is validated again.
Configuring Web-Based Authentication
• Default Web-Based Authentication Configuration, page 11-9
• Web-Based Authentication Configuration Guidelines and Restrictions, page 11-9
• Web-Based Authentication Configuration Task List, page 11-10
• Configuring the Authentication Rule and Interfaces, page 11-10
• Configuring AAA Authentication, page 11-11
• Configuring Switch-to-RADIUS-Server Communication, page 11-11
• Hosts that are more than one hop away might experience traffic disruption if an STP topology change results in the host traffic arriving on a different port. This occurs because the ARP and DHCP updates might not be sent after a Layer 2 (STP) topology change.
• Web-based authentication does not support VLAN assignment as a downloadable-host policy.
• Web-based authentication is not supported for IPv6 traffic.
This example shows how to verify the configuration:
Switch# show ip admission configuration
Authentication Proxy Banner not configured
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication global init state time is 2 minutes
Authentication Proxy Watch-list is disabled
Authentication Proxy Rule Configuration
 Auth-proxy name webauth1
 http list not specified inactivity
The combination of the IP address and UDP port number creates a unique identifier that enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service (for example, authentication), the second host entry that is configured functions as the failover backup to the first one.
Note You need to configure some settings on the RADIUS server, including the switch IP address, the key string to be shared by both the server and the switch, and the downloadable ACL (DACL). For more information, see the RADIUS server documentation.
Step 3: ip admission proxy http failure page file device:fail-filename - Specify the location of the custom HTML file to use in place of the default login failure page.
Step 4: ip admission proxy http login expired page file device:expired-filename - Specify the location of the custom HTML file to use in place of the default login expired page.
Specifying a Redirection URL for Successful Login
You can specify a URL to which the user is redirected after authentication, effectively replacing the internal Success HTML page.
ip admission proxy http success redirect url-string - Specify a URL for redirection of the user in place of the default login success page.
This example shows how to determine whether any connected hosts are in the AAA Down state:
Switch# show ip admission cache
Authentication Proxy Cache
 Client IP 209.165.201.11 Port 0, timeout 60, state ESTAB (AAA Down)
This example shows how to view detailed information about a particular session based on the host IP address:
Switch# show ip admission cache 209.165.201.11
Address : 209.165.201.11
MAC Address : 0000.0000.
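As an added example (not from the guide), this Python parser reads show ip admission cache output in the format shown above and reports the hosts whose session carries the AAA Down flag, which is what an operator polling the switch after a RADIUS outage would want to list. The sample output and its addresses are constructed.

```python
import re
from typing import Dict, List

# Constructed sample of "show ip admission cache" output, following the
# line format shown in this guide; addresses are documentation-range values.
SAMPLE_CACHE_OUTPUT = """\
Authentication Proxy Cache
 Client IP 209.165.201.11 Port 0, timeout 60, state ESTAB (AAA Down)
 Client IP 209.165.201.12 Port 0, timeout 60, state ESTAB
 Client IP 209.165.201.13 Port 0, timeout 60, state INIT
"""

# One cache entry per line: IP, port, timeout, state, and an optional flag suffix
LINE_RE = re.compile(
    r"Client IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+Port (?P<port>\d+),\s+"
    r"timeout (?P<timeout>\d+),\s+state (?P<state>\S+)(?P<flags>.*)$"
)


def parse_admission_cache(output: str) -> List[Dict]:
    """Parse every 'Client IP ...' line into a session record. The
    '(AAA Down)' suffix marks a session that was established while the
    switch could not reach the AAA server."""
    sessions = []
    for line in output.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # banner lines and anything else are skipped
        sessions.append({
            "ip": m.group("ip"),
            "port": int(m.group("port")),
            "timeout": int(m.group("timeout")),
            "state": m.group("state"),
            "aaa_down": "(AAA Down)" in m.group("flags"),
        })
    return sessions


def aaa_down_hosts(output: str) -> List[str]:
    """Return the IPs of hosts admitted while AAA was down; these sessions
    were never checked against the RADIUS server and are the ones to
    re-verify once the server is reachable again."""
    return [s["ip"] for s in parse_admission_cache(output) if s["aaa_down"]]


if __name__ == "__main__":
    for ip in aaa_down_hosts(SAMPLE_CACHE_OUTPUT):
        print(f"host {ip} was admitted while AAA was down")
```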
Displaying Web-Based Authentication Status
Step 3: end - Return to privileged EXEC mode.
Step 4: copy running-config startup-config - (Optional) Save your entries in the configuration file.
Chapter 12 Configuring Interface Characteristics
This chapter defines the types of Catalyst 3750 interfaces and describes how to configure them. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
Understanding Interface Types
Note For information about the internal ports in the Catalyst 3750G Integrated Wireless LAN Controller switch, see Appendix A, “Configuring the Catalyst 3750G Integrated Wireless LAN Controller Switch.”
Port-Based VLANs
A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users.
Chapter 12 Configuring Interface Characteristics Understanding Interface Types Note When you change a Layer 3 interface into Layer 2 mode, the configuration information related to the affected interface might be lost, and the interface is returned to its default configuration. For detailed information about configuring access port and trunk port characteristics, see Chapter 13, “Configuring VLANs.” For more information about tunnel ports, see Chapter 17, “Configuring IEEE 802.
Chapter 12 Configuring Interface Characteristics Understanding Interface Types port automatically becomes a member of that VLAN. Traffic is forwarded to and from the trunk port for that VLAN. If VTP learns of an enabled VLAN that is not in the allowed list for a trunk port, the port does not become a member of the VLAN, and traffic for the VLAN is not forwarded to or from the port. For more information about trunk ports, see Chapter 13, “Configuring VLANs.
Chapter 12 Configuring Interface Characteristics Understanding Interface Types Switch Virtual Interfaces A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing or bridging function in the system. You can associate only one SVI with a VLAN. You configure an SVI for a VLAN only to route between VLANs, to fallback-bridge nonroutable protocols between VLANs, or to provide IP host connectivity to the switch.
is a monitoring port, you might configure autostate exclude on that port so that the VLAN goes down when all other ports go down. When enabled on a port, autostate exclude applies to all VLANs that are enabled on that port. The VLAN interface is brought up when one Layer 2 port in the VLAN has had time to converge (transition from STP listening-learning state to forwarding state).
Power over Ethernet Ports

PoE switch ports automatically supply power to these connected devices (if the switch senses that there is no power on the circuit):
• Cisco pre-standard powered devices (such as Cisco IP Phones and Cisco Aironet access points)
• IEEE 802.3af-compliant powered devices

A powered device can receive redundant power when it is connected only to a PoE switch port and to an AC power source.
Powered-Device Detection and Initial Power Allocation

The switch detects a Cisco pre-standard or an IEEE-compliant powered device when the PoE-capable port is in the no-shutdown state, PoE is enabled (the default), and the connected device is not being powered by an AC adaptor.
Power Management Modes

Supported PoE modes:
• auto—The switch automatically detects if the connected device requires power. If the switch discovers a powered device connected to the port and if the switch has enough power, it grants power, updates the power budget, turns on power to the port on a first-come, first-served basis, and updates the LEDs. For LED information, see the hardware installation guide.
Connecting Interfaces

Devices within a single VLAN can communicate directly through any switch. Ports in different VLANs cannot exchange data without going through a routing device. With a standard Layer 2 switch, ports in different VLANs have to exchange information through a router.
Using Interface Configuration Mode

The switch supports these interface types:
• Physical ports—switch ports and routed ports
• VLANs—switch virtual interfaces
• Port channels—EtherChannel interfaces

You can also configure a range of interfaces (see the “Configuring a Range of Interfaces” section on page 12-13).
If the switch has SFP modules, the numbering of these ports depends on the type of other interfaces on the switch. If the port type changes from Fast Ethernet to Gigabit Ethernet (SFP), the port numbers begin again from 1; if the port type remains Gigabit Ethernet, the port numbers continue consecutively.
Configuring a Range of Interfaces

You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters. When you enter the interface-range configuration mode, all command parameters that you enter are attributed to all interfaces within that range until you exit this mode.
• 0/1 - 4 0/1-4

The interface range command only works with VLAN interfaces that have been configured with the interface vlan command. The show running-config privileged EXEC command displays the configured VLAN interfaces. VLAN interfaces not displayed by the show running-config command cannot be used with the interface range command.
Use the no define interface-range macro_name global configuration command to delete a macro.
Configuring Ethernet Interfaces

These sections contain this configuration information:
• Default Ethernet Interface Configuration, page 12-16
• Configuration Guidelines for 10-Gigabit Ethernet Interfaces, page 12-17
• Configuring Interface Speed and Duplex Mode, page 12-17
• Configuring IEEE 802.
Table 12-2 Default Layer 2 Ethernet Interface Configuration (continued)

Feature: Port blocking (unknown multicast and unknown unicast traffic)
Default Setting: Disabled (not blocked) (Layer 2 interfaces only). See the “Configuring Port Blocking” section on page 25-8.

Feature: Broadcast, multicast, and unicast storm control
Default Setting: Disabled. See the “Default Storm Control Configuration” section on page 25-3.
Switch models can include combinations of Fast Ethernet (10/100-Mb/s) ports, Gigabit Ethernet (10/100/1000-Mb/s) ports, 10-Gigabit module ports, and small form-factor pluggable (SFP) module slots supporting SFP modules.
Setting the Interface Speed and Duplex Parameters

Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the physical interface to be configured, and enter interface configuration mode.
This example shows how to set the interface speed to 100 Mb/s on a 10/100/1000 Mb/s port:

Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# speed 100

Configuring IEEE 802.3x Flow Control

Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end.
Configuring Auto-MDIX on an Interface

When automatic medium-dependent interface crossover (auto-MDIX) is enabled on an interface, the interface automatically detects the required cable connection type (straight through or crossover) and configures the connection appropriately.
Switch(config-if)# mdix auto
Switch(config-if)# end

Configuring a Power Management Mode on a PoE Port

For most situations, the default configuration (auto mode) works well, providing plug-and-play operation. No further configuration is required. However, use the following procedure to give a PoE port higher priority, to make it data only, or to specify a maximum wattage to disallow high-power powered devices on a port.
Step 5  show power inline [interface-id | module switch-number]
        Display PoE status for a switch or switch stack, for the specified interface, or for a specified stack member.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

For information about the output of the show power inline user EXEC command, see the command reference for this release.
For more information about the IEEE power classifications, see the “Power over Ethernet Ports” section on page 12-7.

Beginning in privileged EXEC mode, follow these steps to configure the amount of power budgeted to a powered device connected to each PoE port on a switch:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  no cdp run
        (Optional) Disable CDP.
Adding a Description for an Interface

You can add a description about an interface to help you remember its function. The description appears in the output of these privileged EXEC commands: show configuration, show running-config, and show interfaces.

Beginning in privileged EXEC mode, follow these steps to add a description for an interface:

Step 1  configure terminal
        Enter global configuration mode.
Configuring Layer 3 Interfaces

• Routed ports: Routed ports are physical ports configured to be in Layer 3 mode by using the no switchport interface configuration command.
• Layer 3 EtherChannel ports: EtherChannel interfaces made up of routed ports. EtherChannel port interfaces are described in Chapter 36, “Configuring EtherChannels and Link-State Tracking.”

A Layer 3 switch can have an IP address assigned to each routed port and SVI.
Step 7  show interfaces [interface-id]
        show ip interface [interface-id]
        show running-config interface [interface-id]
        Verify the configuration.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove an IP address from an interface, use the no ip address interface configuration command.
Configuring the System MTU

The default maximum transmission unit (MTU) size for frames received and transmitted on all interfaces is 1500 bytes. You can increase the MTU size for all interfaces operating at 10 or 100 Mb/s by using the system mtu global configuration command. You can increase the MTU size to support jumbo frames on all Gigabit Ethernet interfaces by using the system mtu jumbo global configuration command.
Step 3  system mtu jumbo bytes
        (Optional) Change the MTU size for all Gigabit Ethernet interfaces on the switch stack. The range is 1500 to 9000 bytes; the default is 1500 bytes.
Step 4  system mtu routing bytes
        (Optional) Change the system MTU for routed ports. The range is 1500 to the system MTU value, the maximum MTU that can be routed for all ports.
Configuring the Cisco Redundant Power System 2300

Beginning in user EXEC mode:

Step 1  power rps switch-number name {string | serialnumber}
        Specify the name of the RPS 2300. The keywords have these meanings:
        • switch-number—Specify the stack member to which the RPS 2300 is connected. The range is 1 to 9, depending on the switch member numbers in the stack. This keyword is supported only on Catalyst 3750v2 switches.
To return to the default name setting (no configured name), use the power rps switch-number port rps-port-id name user EXEC command with no space between the quotation marks. To return to the default port mode, use the power rps switch-number port rps-port-id active command. To return to the default port priority, use the power rps switch-number port rps-port-id priority command.
Monitoring and Maintaining the Interfaces

Table 12-4 Show Commands for Interfaces (continued)

Command: show interface [interface-id] stats
Purpose: (Optional) Display the input and output packets by the switching path for the interface.

Command: show interfaces tengigabitethernet interface-id detail
Purpose: (Optional) Display status of a connected ten gigabit module, such as temperature and alarm status.
Shutting Down and Restarting the Interface

Shutting down an interface disables all functions on the specified interface and marks the interface as unavailable on all monitoring command displays. This information is communicated to other network servers through all dynamic routing protocols. The interface is not mentioned in any routing updates.
Chapter 13 Configuring VLANs

This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Catalyst 3750 switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS). Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
Understanding VLANs

Figure 13-1 shows an example of VLANs segmented into logically defined networks.

Figure 13-1 VLANs as Logically Defined Networks (figure: an Engineering VLAN, a Marketing VLAN, and an Accounting VLAN spanning Floor 1 to Floor 3, connected through a Cisco router over Gigabit Ethernet)

VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
VLAN range (VLANs 1 to 4094). Extended range VLANs (VLANs 1006 to 4094) are supported only in VTP version 3. You cannot convert from VTP version 3 to VTP version 2 if extended VLANs are configured in the domain. Although the switch stack supports a total of 1005 (normal range and extended range) VLANs, the number of routed ports, SVIs, and other configured features affects the use of the switch hardware.
Table 13-1 Port Membership Modes and Characteristics

Membership Mode: Voice VLAN
VLAN Membership Characteristics: A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.
VTP Characteristics: VTP is not required; it has no effect on a voice VLAN.
Configuring Normal-Range VLANs

Caution: You can cause inconsistency in the VLAN database if you attempt to manually delete the vlan.dat file. If you want to modify the VLAN configuration, use the commands described in these sections and in the command reference for this release. To change the VTP configuration, see Chapter 14, “Configuring VTP.”

You use the interface configuration mode to define the port membership mode and to add and remove ports from VLANs.
Token Ring VLANs

Although the switch does not support Token Ring connections, a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches.
• When a switch in a stack learns a new VLAN or deletes or modifies an existing VLAN (either through VTP over network ports or through the CLI), the VLAN information is communicated to all stack members.
• When a switch joins a stack or when stacks merge, VTP information (the vlan.dat file) on the new switches will be consistent with the stack master.
Table 13-2 Ethernet VLAN Defaults and Ranges

Parameter: VLAN ID
Default: 1
Range: 1 to 4094. Note: Extended-range VLANs (VLAN IDs 1006 to 4094) are only saved in the VLAN database in VTP version 3.

Parameter: VLAN name
Default: VLANxxxx, where xxxx represents four numeric digits (including leading zeros) equal to the VLAN ID number
Range: No range

Parameter: IEEE 802.
Step 3  name vlan-name
        (Optional) Enter a name for the VLAN. If no name is entered for the VLAN, the default is to append the vlan-id with leading zeros to the word VLAN. For example, VLAN0004 is a default VLAN name for VLAN 4.
Step 4  mtu mtu-size
        (Optional) Change the MTU size (or other VLAN characteristic).
Step 5  remote-span
        Note
Step 6  end
        Return to privileged EXEC mode.
Step 4  show vlan brief
        Verify the VLAN removal.
Step 5  copy running-config startup-config
        (Optional) If the switch is in VTP transparent mode, the VLAN configuration is saved in the running configuration file as well as in the VLAN database. This saves the configuration in the switch startup configuration file.
Configuring Extended-Range VLANs

With VTP version 1 and version 2, when the switch is in VTP transparent mode (VTP disabled), you can create extended-range VLANs (in the range 1006 to 4094). VTP version 3 supports extended-range VLANs in server or transparent mode. Extended-range VLANs enable service providers to extend their infrastructure to a greater number of customers.
If the number of VLANs on the switch exceeds the maximum number of spanning-tree instances, we recommend that you configure the IEEE 802.1s Multiple STP (MSTP) on your switch to map multiple VLANs to a single spanning-tree instance. For more information about MSTP, see Chapter 19, “Configuring MSTP.”
• Each routed port on the switch creates an internal VLAN for its use.
Beginning in privileged EXEC mode, follow these steps to create an extended-range VLAN:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  vtp mode transparent
        Configure the switch for VTP transparent mode, disabling VTP.
        Note: This step is not required for VTP version 3.
Step 3  vlan vlan-id
        Enter an extended-range VLAN ID and enter VLAN configuration mode. The range is 1006 to 4094.
Beginning in privileged EXEC mode, follow these steps to release a VLAN ID that is assigned to an internal VLAN and to create an extended-range VLAN with that ID:

Step 1  show vlan internal usage
        Display the VLAN IDs being used internally by the switch. If the VLAN ID that you want to use is an internal VLAN, the display shows the routed port that is using the VLAN ID. Enter that port number in Step 3.
Displaying VLANs

Use the show vlan privileged EXEC command to display a list of all VLANs on the switch, including extended-range VLANs. The display includes VLAN status, ports, and configuration information. Table 13-3 lists the privileged EXEC commands for monitoring VLANs.

Table 13-3 VLAN Monitoring Commands

Command: show interfaces [vlan vlan-id]
Purpose: Display characteristics for all interfaces or for the specified VLAN configured on the switch.
Configuring VLAN Trunks

These sections contain this conceptual information:
• Trunking Overview, page 13-16
• Encapsulation Types, page 13-18
• Default Layer 2 Ethernet Interface VLAN Configuration, page 13-19
• Configuring an Ethernet Interface as a Trunk Port, page 13-19
• Configuring Trunk Ports for Load Sharing, page 13-24

Trunking Overview

A trunk is a point-to-point link between one or more Ethernet switch interfaces and another network
Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which is a Point-to-Point Protocol. However, some internetworking devices might forward DTP frames improperly, which could cause misconfigurations. To avoid this, you should configure interfaces connected to devices that do not support DTP to not forward DTP frames, that is, to turn off DTP.
Encapsulation Types

Table 13-5 lists the Ethernet trunk encapsulation types and keywords.

Table 13-5 Ethernet Trunk Encapsulation Types

Encapsulation: switchport trunk encapsulation isl
Function: Specifies ISL encapsulation on the trunk link.

Encapsulation: switchport trunk encapsulation dot1q
Function: Specifies IEEE 802.1Q encapsulation on the trunk link.
Default Layer 2 Ethernet Interface VLAN Configuration

Table 13-6 shows the default Layer 2 Ethernet interface VLAN configuration.
  – STP Port Fast setting.
  – trunk status: if one port in a port group ceases to be a trunk, all ports cease to be trunks.
• We recommend that you configure no more than 24 trunk ports in PVST mode and no more than 40 trunk ports in MST mode.
• If you try to enable IEEE 802.1x on a trunk port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, the port mode is not changed.
Configuring a Trunk Port

Beginning in privileged EXEC mode, follow these steps to configure a port as a trunk port:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the port to be configured for trunking, and enter interface configuration mode.
Step 3  switchport trunk encapsulation {isl | dot1q | negotiate}
        Configure the port to support ISL or IEEE 802.
Defining the Allowed VLANs on a Trunk

By default, a trunk port sends traffic to and receives traffic from all VLANs. All VLAN IDs, 1 to 4094, are allowed on each trunk. However, you can remove VLANs from the allowed list, preventing traffic from those VLANs from passing over the trunk.
To return to the default allowed VLAN list of all VLANs, use the no switchport trunk allowed vlan interface configuration command.

This example shows how to remove VLAN 2 from the allowed VLAN list on a port:

Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport trunk allowed vlan remove 2
Switch(config-if)# end

Changing the Pruning-Eligible List

The pruning-eligible list applies only to trunk ports.
Configuring the Native VLAN for Untagged Traffic

A trunk port configured with IEEE 802.1Q tagging can receive both tagged and untagged traffic. By default, the switch forwards untagged traffic in the native VLAN configured for the port. The native VLAN is VLAN 1 by default.

Note: The native VLAN can be assigned any VLAN ID. For information about IEEE 802.1Q configuration issues, see the “IEEE 802.1Q Configuration Considerations” section on page 13-18.
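The three trunk settings discussed above (turning off DTP toward devices that do not support it, restricting the allowed VLAN list instead of leaving all 4094 VLANs on the trunk, and moving the native VLAN off the default VLAN 1) can be audited from a saved running-config. The script below is an added example, not Cisco code: the running-config excerpt is constructed, and it assumes the IOS commands `switchport nonegotiate` and `switchport trunk native vlan`, which are not shown on this page.

```python
"""Audit Catalyst trunk configuration for the settings this chapter describes:
DTP turned off, a restricted allowed-VLAN list, and a non-default native VLAN.
Added example, not Cisco code; the running-config excerpt is constructed."""
import re
from typing import Dict, List, Set

# The default allowed list on a trunk: every VLAN ID from 1 to 4094.
ALL_VLANS: Set[int] = set(range(1, 4095))

# Constructed running-config excerpt (not captured from a real switch).
# Gi1/0/1 is a trunk left at its defaults; Gi1/0/2 applies the chapter's
# settings; Gi1/0/3 is an access port and is not audited as a trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30-32
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [its config lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None  # '!' closes the interface block
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20,30-32' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            low, high = (int(x) for x in part.split("-"))
            vlans.update(range(low, high + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def allowed_vlans(lines: List[str]) -> Set[int]:
    """Replay 'switchport trunk allowed vlan' commands from the default (all)."""
    allowed = set(ALL_VLANS)
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan (.+)$", line)
        if not m:
            continue
        tokens = m.group(1).split()
        keyword = tokens[0]
        arg = tokens[1] if len(tokens) > 1 else ""
        if keyword == "all":
            allowed = set(ALL_VLANS)
        elif keyword == "none":
            allowed = set()
        elif keyword == "add":
            allowed |= expand_vlan_list(arg)
        elif keyword == "remove":
            allowed -= expand_vlan_list(arg)
        elif keyword == "except":
            allowed = ALL_VLANS - expand_vlan_list(arg)
        else:  # a plain list replaces the allowed set
            allowed = expand_vlan_list(keyword)
    return allowed


def audit_trunk(lines: List[str]) -> List[str]:
    """Return findings for one interface; an empty list means nothing to report."""
    if "switchport mode trunk" not in lines:
        return []  # only explicitly configured trunks are audited here
    findings = []
    if "switchport nonegotiate" not in lines:
        findings.append("DTP is still on; turn it off with 'switchport nonegotiate'")
    if allowed_vlans(lines) == ALL_VLANS:
        findings.append("all VLANs 1 to 4094 are allowed; restrict the allowed list")
    native = 1  # VLAN 1 is the default native VLAN
    for line in lines:
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            native = int(m.group(1))
    if native == 1:
        findings.append("native VLAN is the default VLAN 1; assign a dedicated VLAN")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every interface; only interfaces with findings are reported."""
    report: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_trunk(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```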
Load Sharing Using STP Port Priorities

When two ports on the same switch form a loop, the switch uses the STP port priority to decide which port is enabled and which port is in a blocking state. You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN. The trunk port with the higher priority (lower values) for a VLAN is forwarding traffic for that VLAN.
Step 5  show vtp status
        Verify the VTP configuration on both Switch A and Switch B. In the display, check the VTP Operating Mode and the VTP Domain Name fields.
Step 6  show vlan
        Verify that the VLANs exist in the database on Switch A.
Step 7  configure terminal
        Enter global configuration mode.
Step 8  interface interface-id_1
        Define the interface to be configured as a trunk, and enter interface configuration mode.
In Figure 13-4, Trunk ports 1 and 2 are configured as 100BASE-T ports. These VLAN path costs are assigned:
• VLANs 2 through 4 are assigned a path cost of 30 on Trunk port 1.
• VLANs 8 through 10 retain the default 100BASE-T path cost on Trunk port 1 of 19.
• VLANs 8 through 10 are assigned a path cost of 30 on Trunk port 2.
• VLANs 2 through 4 retain the default 100BASE-T path cost on Trunk port 2 of 19.
Step 14 Repeat Steps 9 through 13 on the other configured trunk interface on Switch A, and set the spanning-tree path cost to 30 for VLANs 8, 9, and 10.
Step 15 exit
        Return to privileged EXEC mode.
Step 16 show running-config
        Verify your entries. In the display, verify that the path costs are set correctly for both trunk interfaces.
Step 17 copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Configuring VMPS

If the port already has a VLAN assignment, the VMPS provides one of these responses:
• If the VLAN in the database matches the current VLAN on the port, the VMPS sends a success response, allowing access to the host.
• If the VLAN in the database does not match the current VLAN on the port and active hosts exist on the port, the VMPS sends an access-denied or a port-shutdown response, depending on the secure mode of the VMPS.
VMPS Configuration Guidelines

These guidelines and restrictions apply to dynamic-access port VLAN membership:
• You should configure the VMPS before you configure ports as dynamic-access ports.
• When you configure a port as a dynamic-access port, the spanning-tree Port Fast feature is automatically enabled for that port. The Port Fast mode accelerates the process of bringing the port into the forwarding state.
• IEEE 802.
Step 3  vmps server ipaddress
        (Optional) Enter the IP address of the switch acting as a secondary VMPS server. You can enter up to three secondary server addresses.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show vmps
        Verify your entries in the VMPS Domain Server field of the display.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Reconfirming VLAN Memberships

Beginning in privileged EXEC mode, follow these steps to confirm the dynamic-access port VLAN membership assignments that the switch has received from the VMPS:

Step 1  vmps reconfirm
        Reconfirm dynamic-access port VLAN membership.
Step 2  show vmps
        Verify the dynamic VLAN reconfirmation status.
Monitoring the VMPS

You can display information about the VMPS by using the show vmps privileged EXEC command. The switch displays this information about the VMPS:
• VMPS VQP Version—the version of VQP used to communicate with the VMPS. The switch queries the VMPS that is using VQP Version 1.
• Reconfirm Interval—the number of minutes the switch waits before reconfirming the VLAN-to-MAC-address assignments.
• End stations are connected to the clients, Switch B and Switch I.
• The database configuration file is stored on the TFTP server with the IP address 172.20.22.7.

Figure 13-5 Dynamic Port VLAN Membership Configuration (figure: a TFTP server, a Catalyst 6500 series switch A acting as Primary VMPS Server 1, a router, client switches B, C, and D with end stations on dynamic-access ports and trunk ports between the switches; addresses shown are 172.20.26.150, 172.20.22.7, 172.20.26.151, and 172.20.26.152)
Chapter 14 Configuring VTP

This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 3750 switches. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding VTP

The switch supports 1005 VLANs, but the number of routed ports, SVIs, and other configured features affects the usage of the switch hardware. If the switch is notified by VTP of a new VLAN and the switch is already using the maximum available hardware resources, it sends a message that there are not enough hardware resources available and shuts down the VLAN. The output of the show vlan user EXEC command shows the VLAN in a suspended state.
If you configure a switch for VTP transparent mode, you can create and modify VLANs, but the changes are not sent to other switches in the domain, and they affect only the individual switch. However, configuration changes made when the switch is in this mode are saved in the switch running configuration and can be saved to the switch startup configuration file.
VTP Advertisements

Each switch in the VTP domain sends periodic global configuration advertisements from each trunk port to a reserved multicast address. Neighboring switches receive these advertisements and update their VTP and VLAN configurations as necessary.
• Consistency Checks—In VTP version 2, VLAN consistency checks (such as VLAN names and values) are performed only when you enter new information through the CLI or SNMP. Consistency checks are not performed when new information is obtained from a VTP message or when information is read from NVRAM. If the MD5 digest on a received VTP message is correct, its information is accepted.
VTP Pruning

VTP pruning increases network available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the destination devices. Without VTP pruning, a switch floods broadcast, multicast, and unknown unicast traffic across all trunk links within a VTP domain even though receiving switches might discard them. VTP pruning is disabled by default.
Figure 14-2 Optimized Flooded Traffic with VTP Pruning (figure: Switches A through F joined by trunk Ports 1, 2, 4, and 5; flooded Red VLAN traffic is pruned on two of the trunks)

Enabling VTP pruning on a VTP server enables pruning for the entire management domain. Making VLANs pruning-eligible or pruning-ineligible affects pruning eligibility for those VLANs on that trunk only (not on all switches in the VTP domain).
• If you do not configure the persistent MAC address feature (by entering the stack-mac persistent timer [0 | time-value] global configuration command), when the new master is elected, it sends a takeover message with the new master MAC address as the primary server.
• If persistent MAC address is configured, the new master waits for the configured stack-mac persistent timer value.
VTP mode is transparent, the VTP domain name and mode are also saved in the switch running configuration file, and you can save it in the switch startup configuration file by entering the copy running-config startup-config privileged EXEC command. You must use this command if you want to save VTP mode as transparent if the switch resets.
Configuring VTP

VTP Version

Follow these guidelines when deciding which VTP version to implement:
• All switches in a VTP domain must have the same domain name, but they do not need to run the same VTP version.
• A VTP version 2-capable switch can operate in the same VTP domain as a switch running VTP version 1 if version 2 is disabled on the version 2-capable switch (version 2 is disabled by default).
If you are configuring VTP on a cluster member switch to a VLAN, use the rcommand privileged EXEC command to log in to the member switch. For more information about the command, see the command reference for this release. In VTP versions 1 and 2, when you configure extended-range VLANs on the switch, the switch must be in VTP transparent mode. VTP version 3 also supports creating extended-range VLANs in client or server mode.
Beginning in privileged EXEC mode, follow these steps to configure the VTP mode:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  vtp domain domain-name
        Configure the VTP administrative-domain name. The name can be 1 to 32 characters. All switches operating in VTP server or client mode under the same administrative responsibility must be configured with the same domain name.
Chapter 14 Configuring VTP Configuring VTP Configuring a VTP Version 3 Password Beginning in privileged EXEC mode, follow these steps to configure the password when using VTP version 3: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vtp password password [hidden | secret] (Optional) Set the password for the VTP domain. The password can be 8 to 64 characters.
Chapter 14 Configuring VTP Configuring VTP This example shows how to configure a switch as the primary server for the VLAN database (the default) when a hidden or secret password was configured: Switch# vtp primary vlan Enter VTP password: mypassword This switch is becoming Primary server for vlan feature in the VTP domain VTP Database Conf Switch ID Primary Server Revision System Name ------------ ---- -------------- -------------- -------- -------------------VLANDB Yes 00d0.00b8.1400=00d0.00b8.
Chapter 14 Configuring VTP Configuring VTP Enabling VTP Pruning Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode. Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the VTP domain: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 14 Configuring VTP Configuring VTP Adding a VTP Client Switch to a VTP Domain Before adding a VTP client to a VTP domain, always verify that its VTP configuration revision number is lower than the configuration revision number of the other switches in the VTP domain. Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number.
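The revision rule above is what makes the pre-add check matter: a client that arrives with a higher revision replaces the whole domain's VLAN database. This added Python model (not code from the Cisco guide) shows the overwrite, the check, and the revision reset by a temporary domain-name change, a fact about VTP not stated on this page; switch names, domain names and VLANs are constructed sample values, and VTP password validation is omitted.

```python
"""VTP configuration-revision synchronisation, modelled in Python.

Added example, not from the Cisco guide: switches in a VTP domain adopt the
VLAN database carried by the advertisement with the highest configuration
revision, so a stale or mis-staged client can wipe the domain's VLANs.
"""
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str                                   # "server", "client" or "transparent"
    revision: int
    vlans: dict = field(default_factory=dict)   # vlan-id -> vlan name (constructed)

    def receive_summary(self, domain, revision, vlans):
        """Apply a summary advertisement the way a server or client does.
        Password (MD5 digest) checking is deliberately left out of the model."""
        if self.mode == "transparent" or domain != self.domain:
            return False                        # transparent switches only relay
        if revision > self.revision:
            self.revision = revision
            self.vlans = dict(vlans)
            return True
        return False


def sync_domain(switches):
    """Propagate the highest-revision database across the domain.
    Returns the name of the switch whose database won."""
    winner = max((s for s in switches if s.mode != "transparent"),
                 key=lambda s: s.revision)
    for s in switches:
        s.receive_summary(winner.domain, winner.revision, winner.vlans)
    return winner.name


def safe_to_add(client, domain_switches):
    """The guide's pre-add check: the new client's revision must be lower than
    that of every existing server/client, or its database could win."""
    return all(client.revision < s.revision
               for s in domain_switches if s.mode != "transparent")


def reset_revision(switch, temp_domain="TEMP-DOMAIN"):
    """Changing the VTP domain name (and changing it back) resets the
    configuration revision to 0; this is VTP behaviour, not from this page."""
    original = switch.domain
    switch.domain = temp_domain
    switch.revision = 0
    switch.domain = original
    return switch.revision


if __name__ == "__main__":
    core = VtpSwitch("core", "LAB", "server", 10, {1: "default", 10: "users"})
    stale = VtpSwitch("stale", "LAB", "client", 42, {1: "default"})
    print("safe to add:", safe_to_add(stale, [core]))   # False
    print("winner:", sync_domain([core, stale]), core.vlans)
```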
Monitoring VTP
You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 14-3 shows the privileged EXEC commands for monitoring VTP activity.
Table 14-3 VTP Monitoring Commands
show vtp counters: Display counters about VTP messages that have been sent and received.
Chapter 15 Configuring Voice VLAN
This chapter describes how to configure the voice VLAN feature on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6500 family switch documentation.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

Understanding Voice VLAN
Figure 15-1 shows one way to connect a Cisco 7960 IP Phone.
Figure 15-1 Cisco 7960 IP Phone Connected to a Switch (figure: the phone's 3-port switch with ports P1, P2 and P3, the phone ASIC, a PC, and the switch access port)

Cisco IP Phone Voice Traffic
You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.

Cisco IP Phone Data Traffic
The switch can also process tagged data traffic (traffic in IEEE 802.1Q or IEEE 802.1p frame types) from the device attached to the access port on the Cisco IP Phone (see Figure 15-1).

Configuring Voice VLAN
• Do not configure voice VLAN on private VLAN ports.
• The Power over Ethernet (PoE) switches are capable of automatically providing power to Cisco pre-standard and IEEE 802.3af-compliant powered devices if they are not being powered by an AC power source. For information about PoE interfaces, see the “Configuring a Power Management Mode on a PoE Port” section on page 12-22.

Note When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP Phone, the phone requires up to two MAC addresses. The phone address is learned on the voice VLAN and might also be learned on the access VLAN.

Step 4 switchport voice {detect cisco-phone [full-duplex] | vlan {vlan-id | dot1p | none | untagged}}: Configure how the Cisco IP Phone carries voice traffic:
• detect—Configure the interface to detect and recognize a Cisco IP phone.
• cisco-phone—When you initially implement the switchport voice detect command, this is the only allowed option. The default is no switchport voice detect cisco-phone [full-duplex].

Switch(config-if)# switchport voice detect cisco-phone full-duplex
Switch(config-if)# end

This example shows how to disable switchport voice detect on a Cisco IP Phone:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

To return the port to its default setting, use the no switchport priority extend interface configuration command.

Displaying Voice VLAN
To display voice VLAN configuration for an interface, use the show interfaces interface-id switchport privileged EXEC command.
Chapter 16 Configuring Private VLANs
This chapter describes how to configure private VLANs on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

Understanding Private VLANs
Figure 16-1 Private-VLAN Domain (figure: a private VLAN domain containing a primary VLAN and two subdomains, a secondary isolated VLAN and a secondary community VLAN)
There are two types of secondary VLANs:
• Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.

Primary and secondary VLANs have these characteristics:
• Primary VLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.
• Isolated VLAN—A private VLAN has only one isolated VLAN.
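The port roles described above define exactly which pairs of ports can exchange frames at Layer 2, which is the property a private-VLAN design is meant to enforce. This added Python model (not code from the Cisco guide) encodes those rules and produces a reachability matrix for auditing a design; port names and VLAN IDs are constructed sample values.

```python
"""Private-VLAN Layer 2 reachability, modelled in Python.

Added example, not from the Cisco guide.  Rules encoded:
  * promiscuous ports reach every port in the same primary VLAN;
  * isolated host ports reach promiscuous ports only;
  * community host ports reach promiscuous ports and members of the
    same community VLAN;
  * hosts in different secondary VLANs need Layer 3 to talk.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str                      # "promiscuous", "isolated" or "community"
    primary: int                   # primary VLAN ID
    secondary: Optional[int] = None  # secondary VLAN ID for host ports


def can_forward_l2(src: PvlanPort, dst: PvlanPort) -> bool:
    """Return True if a frame from src may reach dst at Layer 2."""
    if src is dst or src.primary != dst.primary:
        return False
    # The primary VLAN carries traffic downstream from promiscuous ports to
    # every host port and to other promiscuous ports.
    if src.role == "promiscuous":
        return True
    # Host ports send upstream to promiscuous ports ...
    if dst.role == "promiscuous":
        return True
    # ... and community members additionally see each other.
    return (src.role == "community" and dst.role == "community"
            and src.secondary == dst.secondary)


def reachability_matrix(ports):
    """Map each port name to the sorted names of ports it can reach."""
    return {p.name: sorted(q.name for q in ports if can_forward_l2(p, q))
            for p in ports}


def isolation_violations(ports):
    """Audit helper: pairs of isolated ports that the model lets talk.
    Always empty for a correct configuration; kept as a regression check."""
    return [(a.name, b.name) for a in ports for b in ports
            if a.role == "isolated" and b.role == "isolated"
            and can_forward_l2(a, b)]


if __name__ == "__main__":
    ports = [PvlanPort("router", "promiscuous", 100),
             PvlanPort("host-a", "isolated", 100, 101),
             PvlanPort("host-b", "isolated", 100, 101),
             PvlanPort("web-1", "community", 100, 102),
             PvlanPort("web-2", "community", 100, 102)]
    for name, reach in reachability_matrix(ports).items():
        print(f"{name:8} -> {reach}")
```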
Private VLANs across Multiple Switches
As with regular VLANs, private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch. The trunk port treats the private VLAN as any other VLAN. A feature of private VLANs across multiple switches is that traffic from an isolated port in switch A does not reach an isolated port on Switch B. See Figure 16-2.

You should also see the “Secondary and Primary VLAN Configuration” section on page 16-7 under the “Private-VLAN Configuration Guidelines” section.

Private VLANs and Unicast, Broadcast, and Multicast Traffic
In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but devices connected to interfaces in different VLANs must communicate at the Layer 3 level.

Private VLANs and Switch Stacks
Private VLANs can operate within the switch stack, and private-VLAN ports can reside on different stack members. However, some changes to the switch stack can impact private-VLAN operation:
• If a stack contains only one private-VLAN promiscuous port and the stack member that contains that port is removed from the stack, host ports in that private VLAN lose connectivity outside the private VLAN.

Step 5 If inter-VLAN routing will be used, configure the primary SVI, and map secondary VLANs to the primary. See the “Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface” section on page 16-14.
Step 6 Verify private-VLAN configuration.

Default Private-VLAN Configuration
No private VLANs are configured.

• We recommend that you prune the private VLANs from the trunks on devices that carry no traffic in the private VLANs.
• You can apply different quality of service (QoS) configurations to primary, isolated, and community VLANs.
• Sticky ARP – Sticky ARP entries are those learned on SVIs and Layer 3 interfaces. These entries do not age out.

Private-VLAN Port Configuration
Follow these guidelines when configuring private-VLAN ports:
• Use only the private-VLAN configuration commands to assign ports to primary, isolated, or community VLANs. Layer 2 access ports assigned to the VLANs that you configure as primary, isolated, or community VLANs are inactive while the VLAN is part of the private-VLAN configuration. Layer 2 trunk interfaces remain in the STP forwarding state.
• A private-VLAN host or promiscuous port cannot be a SPAN destination port. If you configure a SPAN destination port as a private-VLAN port, the port becomes inactive.
• If you configure a static MAC address on a promiscuous port in the primary VLAN, you must add the same static address to all associated secondary VLANs.

Step 14 end: Return to privileged EXEC mode.
Step 15 show vlan private-vlan [type] or show interfaces status: Verify the configuration.
Step 16 copy running-config startup-config: Save your entries in the switch startup configuration file.
To save the private-VLAN configuration, you need to save the VTP transparent mode configuration and private-VLAN configuration in the switch startup configuration file.

Configuring a Layer 2 Interface as a Private-VLAN Host Port
Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN host port and to associate it with primary and secondary VLANs:
Note Isolated and community VLANs are both secondary VLANs.
Step 1 configure terminal: Enter global configuration mode.

Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port
Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN promiscuous port and map it to primary and secondary VLANs:
Note Isolated and community VLANs are both secondary VLANs.
Step 1 configure terminal: Enter global configuration mode.

Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface
If the private VLAN will be used for inter-VLAN routing, you configure an SVI for the primary VLAN and map secondary VLANs to the SVI.
Note Isolated and community VLANs are both secondary VLANs.

Monitoring Private VLANs
Table 16-1 Private VLAN Monitoring Commands
show interfaces status: Display the status of interfaces, including the VLANs to which they belong.
show vlan private-vlan [type]: Display the private-VLAN information for the switch stack.
show interface switchport: Display the private-VLAN configuration on interfaces.
Chapter 17 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling
Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure, often Ethernet-based, with the same security, prioritization, reliability, and manageability requirements of private networks.

Understanding IEEE 802.1Q Tunneling
Customer traffic tagged in the normal way with appropriate VLAN IDs comes from an IEEE 802.1Q trunk port on the customer device and into a tunnel port on the service-provider edge switch. The link between the customer device and the edge switch is asymmetric because one end is configured as an IEEE 802.1Q trunk port, and the other end is configured as a tunnel port.

Original (Normal), IEEE 802.1Q, and Double-Tagged Ethernet Packet Formats (figure: three frame layouts; DA = destination address, SA = source address, Len/Etype = length/EtherType, FCS = frame check sequence)
• Original Ethernet frame: DA, SA, Len/Etype, Data, FCS
• IEEE 802.1Q frame: DA, SA, Etype, Tag, Len/Etype, Data, FCS
• Double-tagged frame: DA, SA, Etype, Tag, Etype, Tag, Len/Etype, Data, FCS

Configuring IEEE 802.1Q Tunneling
These sections contain this configuration information:
• Default IEEE 802.1Q Tunneling Configuration, page 17-4
• IEEE 802.1Q Tunneling Configuration Guidelines, page 17-4
• IEEE 802.1Q Tunneling and Other Features, page 17-6
• Configuring an IEEE 802.1Q Tunneling Port, page 17-6

Default IEEE 802.1Q Tunneling Configuration
By default, IEEE 802.

These are some ways to solve this problem:
• Use ISL trunks between core switches in the service-provider network. Although customer interfaces connected to edge switches must be IEEE 802.1Q trunks, we recommend using ISL trunks for connecting switches in the core layer.
• Use the vlan dot1q tag native global configuration command to configure the edge switch so that all packets going out an IEEE 802.

IEEE 802.1Q Tunneling and Other Features
Although IEEE 802.1Q tunneling works well for Layer 2 packet switching, there are incompatibilities between some Layer 2 features and Layer 3 switching.
• A tunnel port cannot be a routed port.
• IP routing is not supported on a VLAN that includes IEEE 802.1Q ports. Packets received from a tunnel port are forwarded based only on Layer 2 information.

Step 5 exit: Return to global configuration mode.
Step 6 vlan dot1q tag native: (Optional) Set the switch to enable tagging of native VLAN packets on all IEEE 802.1Q trunk ports. When not set, and a customer VLAN ID is the same as the native VLAN, the trunk port does not apply a metro tag, and packets could be sent to the wrong destination.
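The frame formats listed earlier in this chapter and the native-VLAN caveat in Step 6 are easiest to see on the wire. This added Python model (not code from the Cisco guide) builds the single- and double-tagged frames, applies the metro tag at a tunnel port, and shows how an untagged native VLAN on the core trunk strips that metro tag so the frame leaves carrying only the customer's tag; MAC addresses, VLAN IDs and the payload are constructed, and the FCS is omitted.

```python
"""IEEE 802.1Q single- and double-tagged frame handling, in Python.

Added example, not from the Cisco guide.  Frames are plain byte strings:
DA(6) SA(6) [TPID(2) TCI(2)]* Len/Etype(2) Data.  No FCS is modelled.
"""
import struct

TPID_8021Q = 0x8100


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Original (untagged) Ethernet frame: DA, SA, Len/Etype, Data."""
    return dst + src + struct.pack("!H", ethertype) + payload


def vlan_tags(frame: bytes):
    """List VLAN IDs outermost-first; empty for an untagged frame."""
    vids, off = [], 12
    while len(frame) >= off + 4 and struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def push_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) directly after the source address."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7:
        raise ValueError("VLAN ID or priority out of range")
    tci = (pcp << 13) | vid                    # DEI bit left clear
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost 802.1Q tag; untagged frames are returned as-is."""
    return frame[:12] + frame[16:] if vlan_tags(frame) else frame


def tunnel_port_ingress(frame: bytes, metro_vid: int) -> bytes:
    """Edge tunnel port: add the service-provider (metro) tag on top of
    whatever the customer sent, tagged or untagged."""
    return push_tag(frame, metro_vid)


def trunk_port_egress(frame: bytes, native_vid: int, tag_native: bool) -> bytes:
    """Core-facing 802.1Q trunk: frames in the native VLAN leave untagged
    unless 'vlan dot1q tag native' is configured (tag_native=True)."""
    tags = vlan_tags(frame)
    if tags and tags[0] == native_vid and not tag_native:
        return pop_tag(frame)
    return frame


# Constructed sample: customer frame tagged with customer VLAN 30.
CUSTOMER_FRAME = push_tag(build_frame(b"\x01\x02\x03\x04\x05\x06",
                                      b"\x0a\x0b\x0c\x0d\x0e\x0f",
                                      0x0800, b"payload"), vid=30)

if __name__ == "__main__":
    double = tunnel_port_ingress(CUSTOMER_FRAME, metro_vid=40)
    print("after tunnel port  :", vlan_tags(double))                          # [40, 30]
    print("native 40, untagged:", vlan_tags(trunk_port_egress(double, 40, False)))  # [30]
    print("native 40, tagged  :", vlan_tags(trunk_port_egress(double, 40, True)))   # [40, 30]
```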
Understanding Layer 2 Protocol Tunneling
When protocol tunneling is enabled, edge switches on the inbound side of the service-provider network encapsulate Layer 2 protocol packets with a special MAC address and send them across the service-provider network. Core switches in the network do not process these packets but forward them as normal packets.
Configuring Layer 2 Protocol Tunneling
For example, in Figure 17-6, Customer A has two switches in the same VLAN that are connected through the SP network. When the network tunnels PDUs, switches on the far ends of the network can negotiate the automatic creation of EtherChannels without needing dedicated lines. See the “Configuring Layer 2 Tunneling for EtherChannels” section on page 17-14 for instructions.

See Figure 17-4, with Customer X and Customer Y in access VLANs 30 and 40, respectively. Asymmetric links connect the customers in Site 1 to edge switches in the service-provider network. The Layer 2 PDUs (for example, BPDUs) coming into Switch 2 from Customer Y in Site 1 are forwarded to the infrastructure as double-tagged packets with the well-known MAC address as the destination MAC address.

Layer 2 Protocol Tunneling Configuration Guidelines
These are some configuration guidelines and operating characteristics of Layer 2 protocol tunneling:
• The switch supports tunneling of CDP, STP, including multiple STP (MSTP), and VTP. Protocol tunneling is disabled by default but can be enabled for the individual protocols on IEEE 802.1Q tunnel ports or access ports.

Configuring Layer 2 Protocol Tunneling
Beginning in privileged EXEC mode, follow these steps to configure a port for Layer 2 protocol tunneling:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Enter interface configuration mode, and enter the interface to be configured as a tunnel port.

Use the no l2protocol-tunnel [cdp | stp | vtp] interface configuration command to disable protocol tunneling for one of the Layer 2 protocols or for all three. Use the no l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] and the no l2protocol-tunnel drop-threshold [cdp | stp | vtp] commands to return the shutdown and drop thresholds to the default settings.

Step 4 l2protocol-tunnel point-to-point [pagp | lacp | udld]: (Optional) Enable point-to-point protocol tunneling for the desired protocol. If no keyword is entered, tunneling is enabled for all three protocols.

Configuring the Customer Switch
After configuring the SP edge switch, begin in privileged EXEC mode and follow these steps to configure a customer switch for Layer 2 protocol tunneling for EtherChannels:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Enter interface configuration mode. This should be the customer switch port.
Monitoring and Maintaining Tunneling Status
Table 17-2 shows the privileged EXEC commands for monitoring and maintaining IEEE 802.1Q and Layer 2 protocol tunneling.
Table 17-2 Commands for Monitoring and Maintaining Tunneling
clear l2protocol-tunnel counters: Clear the protocol counters on Layer 2 protocol tunneling ports.
show dot1q-tunnel: Display IEEE 802.
Chapter 18 Configuring STP
This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the Catalyst 3750 switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.

Understanding Spanning-Tree Features
• Supported Spanning-Tree Instances, page 18-10
• Spanning-Tree Interoperability and Backward Compatibility, page 18-11
• STP and IEEE 802.1Q Trunks, page 18-11
• VLAN-Bridge Spanning Tree, page 18-11
• Spanning Tree and Switch Stacks, page 18-12
For configuration information, see the “Configuring Spanning-Tree Features” section on page 18-12.

Spanning-Tree Topology and BPDUs
The stable, active spanning-tree topology of a switched network is controlled by these elements:
• The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch. In a switch stack, all switches use the same bridge ID for a given spanning-tree instance.
• The spanning-tree path cost to the root switch.

– Selects the lowest designated path cost
– Selects the lowest port ID
Only one outgoing port on the stack root switch is selected as the root port. The remaining switches in the stack become its designated switches (Switch 2 and Switch 3) as shown in Figure 18-1 on page 18-4.
• The shortest distance to the root switch is calculated for each switch based on the path cost.
• A designated switch for each LAN segment is selected.

Bridge ID, Switch Priority, and Extended System ID
The IEEE 802.1D standard requires that each switch has a unique bridge identifier (bridge ID), which controls the selection of the root switch. Because each VLAN is considered as a different logical bridge with PVST+ and rapid PVST+, the same switch must have different bridge IDs for each configured VLAN. Each VLAN on the switch has a unique 8-byte bridge ID.
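The 8-byte bridge ID decides root election, so a defender wants to know which switch a given set of priorities and MAC addresses will actually elect. This added Python model (not code from the Cisco guide) packs the per-VLAN bridge ID with the extended system ID (4-bit priority, 12-bit VLAN ID, 6-byte MAC), elects the root for a VLAN, and includes an audit check that the intended backbone or distribution switch is the root; the secondary-root priority value 28672 is the one this chapter gives, and switch names and MAC addresses are constructed.

```python
"""PVST+ bridge IDs with the extended system ID, modelled in Python.

Added example, not from the Cisco guide.  Bridge ID layout (8 bytes):
  bits 15..12 of the first 2 bytes: switch priority (multiples of 4096)
  bits 11..0  of the first 2 bytes: extended system ID = VLAN ID
  remaining 6 bytes: switch MAC address
Lowest bridge ID wins the root election: priority field first, then MAC.
"""
import struct

DEFAULT_PRIORITY = 32768
SECONDARY_ROOT_PRIORITY = 28672   # value the guide gives for a secondary root


def bridge_id(priority: int, vlan_id: int, mac: bytes) -> bytes:
    """Pack the 8-byte bridge ID for one VLAN."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan_id <= 4094 or len(mac) != 6:
        raise ValueError("bad VLAN ID or MAC address")
    return struct.pack("!H", priority | vlan_id) + mac


def unpack_bridge_id(bid: bytes):
    """Return (priority, vlan_id, mac) from an 8-byte bridge ID."""
    field, = struct.unpack_from("!H", bid)
    return field & 0xF000, field & 0x0FFF, bid[2:]


def elect_root(vlan_id: int, switches: dict) -> str:
    """switches maps name -> (priority, mac).  Byte-wise comparison of the
    packed IDs equals the numeric comparison STP performs."""
    return min(switches,
               key=lambda n: bridge_id(switches[n][0], vlan_id, switches[n][1]))


def audit_root(vlan_id: int, switches: dict, expected_root: str):
    """Defender check: is the intended switch the root for this VLAN, or has
    another device (for example an access switch) won the election?
    Returns (ok, actual_root)."""
    actual = elect_root(vlan_id, switches)
    return actual == expected_root, actual


if __name__ == "__main__":
    # Constructed sample topology: two core switches and one access switch.
    sw = {"core-1": (DEFAULT_PRIORITY, bytes.fromhex("0011aa000001")),
          "core-2": (SECONDARY_ROOT_PRIORITY, bytes.fromhex("0011aa000002")),
          "access-1": (DEFAULT_PRIORITY, bytes.fromhex("0011aa000000"))}
    print("root for VLAN 10:", elect_root(10, sw))            # core-2
    print("audit:", audit_root(10, sw, "core-1"))             # (False, 'core-2')
```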
An interface moves through these states:
• From initialization to blocking
• From blocking to listening or to disabled
• From listening to learning or to disabled
• From learning to forwarding or to disabled
• From forwarding to disabled
Figure 18-2 illustrates how an interface moves through the states.

Blocking State
A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each switch interface. A switch initially functions as the root until it exchanges BPDUs with other switches. This exchange establishes which switch in the network is the root or root switch.

Disabled State
A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational.

Spanning Tree and Redundant Connectivity
You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure 18-4. Spanning tree automatically disables one interface but enables it if the other one fails. If one link is high-speed and the other is low-speed, the low-speed link is always disabled.

Because each VLAN is a separate spanning-tree instance, the switch accelerates aging on a per-VLAN basis. A spanning-tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch.

Spanning-Tree Interoperability and Backward Compatibility
Table 18-2 lists the interoperability and compatibility among the supported spanning-tree modes in a network.

Configuring Spanning-Tree Features
VLAN spanning trees to prevent loops from forming if there are multiple connections among VLANs. It also prevents the individual spanning trees from the VLANs being bridged from collapsing into a single spanning tree. To support VLAN-bridge spanning tree, some of the spanning-tree timers are increased. To use the fallback bridging feature, you must have the IP services image installed on your switch.

• Configuring the Switch Priority of a VLAN, page 18-21 (optional)
• Configuring Spanning-Tree Timers, page 18-22 (optional)

Default Spanning-Tree Configuration
Table 18-3 shows the default spanning-tree configuration.
Table 18-3 Default Spanning-Tree Configuration
Enable state: Enabled on VLAN 1. For more information, see the “Supported Spanning-Tree Instances” section on page 18-10.
Spanning-tree mode: PVST+.

Caution Switches that are not running spanning tree still forward BPDUs that they receive so that the other switches on the VLAN that have a running spanning-tree instance can break loops. Therefore, spanning tree must be running on enough switches to break all the loops in the network; for example, at least one switch on each loop in the VLAN must be running spanning tree.

Changing the Spanning-Tree Mode
The switch supports three spanning-tree modes: PVST+, rapid PVST+, and MSTP. By default, the switch runs the PVST+ protocol. Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required.
Step 1 configure terminal: Enter global configuration mode.

Disabling Spanning Tree
Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in the “Supported Spanning-Tree Instances” section on page 18-10. Disable spanning tree only if you are sure there are no loops in the network topology.

Note The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root.
Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).

Configuring a Secondary Root Switch
When you configure a switch as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails. This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch.

Note If your switch is a member of a switch stack, you must use the spanning-tree [vlan vlan-id] cost cost interface configuration command instead of the spanning-tree [vlan vlan-id] port-priority priority interface configuration command to select an interface to put in the forwarding state. Assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.

To return to the default setting, use the no spanning-tree [vlan vlan-id] port-priority interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree port priorities, see the “Configuring Trunk Ports for Load Sharing” section on page 13-24.

Configuring Path Cost
The spanning-tree path cost default value is derived from the media speed of an interface.

Note The show spanning-tree interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration.
To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command.

Configuring Spanning-Tree Timers
Table 18-4 describes the timers that affect the entire spanning-tree performance.
Table 18-4 Spanning-Tree Timers
Hello timer: Controls how often the switch broadcasts hello messages to other switches.
Forward-delay timer: Controls how long each of the listening and learning states lasts before the interface begins forwarding.

Configuring the Forwarding-Delay Time for a VLAN
Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 spanning-tree vlan vlan-id forward-time seconds: Configure the forward time of a VLAN.

Configuring the Transmit Hold-Count
You can configure the BPDU burst size by changing the transmit hold count value.
Note Changing this parameter to a higher value can have a significant impact on CPU utilization, especially in Rapid-PVST mode. Lowering this value can slow down convergence in certain scenarios. We recommend that you maintain the default setting.
CH A P T E R 19 Configuring MSTP This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 3750 switch. Note The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard. The MST implementations in Cisco IOS releases earlier than Cisco IOS Release 12.2(25)SECare prestandard.
Chapter 19 Configuring MSTP Understanding MSTP • Configuring MSTP Features, page 19-15 • Displaying the MST Configuration and Status, page 19-28 Understanding MSTP MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances.
Chapter 19 Configuring MSTP
Understanding MSTP

IST, CIST, and CST

Unlike PVST+ and rapid PVST+, in which all the spanning-tree instances are independent, the MSTP establishes and maintains two types of spanning trees:
• An internal spanning tree (IST), which is the spanning tree that runs in an MST region. Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST).

For correct operation, all switches in the MST region must agree on the same CIST regional root. Therefore, any two switches in the region only synchronize their port roles for an MST instance if they converge to a common CIST regional root.

Operations Between MST Regions

If there are multiple regions or legacy IEEE 802.

Only the CST instance sends and receives BPDUs, and MST instances add their spanning-tree information into the BPDUs to interact with neighboring switches and compute the final spanning-tree topology. Because of this, the spanning-tree parameters related to BPDU transmission (for example, hello time, forward time, max-age, and max-hops) are configured only on the CST instance but affect all MST instances.

Hop Count

The IST and MST instances do not use the message-age and maximum-age information in the configuration BPDU to compute the spanning-tree topology. Instead, they use the path cost to the root and a hop-count mechanism similar to the IP time-to-live (TTL) mechanism. By using the spanning-tree mst max-hops global configuration command, you can configure the maximum hops inside the region and apply it to the IST and all MST instances in that region.

IEEE 802.1s Implementation

The Cisco implementation of the IEEE MST standard includes features required to meet the standard, as well as some of the desirable prestandard functionality that is not yet incorporated into the published standard.

Port Role Naming Change

The boundary role is no longer in the final MST standard, but this boundary concept is maintained in Cisco's implementation.

Figure 19-2 Standard and Prestandard Switch Interoperation (figure: Segment X, MST Region, Switch A, Switch B, Segment Y)

Note We recommend that you minimize the interaction between standard and prestandard MST implementations.

Detecting Unidirectional Link Failure

This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release.
MSTP and Switch Stacks

A switch stack appears as a single spanning-tree node to the rest of the network, and all stack members use the same switch ID for a given spanning tree. The switch ID is derived from the MAC address of the stack master. If a switch that does not support MSTP is added to a switch stack that does support MSTP or the reverse, the switch is put into a version mismatch state.

Understanding RSTP

These sections describe how the RSTP works:
• Port Roles and the Active Topology, page 19-10
• Rapid Convergence, page 19-11
• Synchronization of Port Roles, page 19-12
• Bridge Protocol Data Unit Format and Processing, page 19-13
For configuration information, see the "Configuring MSTP Features" section on page 19-15.

Rapid Convergence

The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN. It provides rapid convergence for edge ports, new root ports, and ports connected through point-to-point links as follows:
• Edge ports—If you configure a port as an edge port on an RSTP switch by using the spanning-tree portfast interface configuration command, the edge port immediately transitions to the forwarding state.

Figure 19-4 Proposal and Agreement Handshaking for Rapid Convergence (figure: Switch A, Switch B, and Switch C exchanging Proposal and Agreement messages; DP = designated port, RP = root port, F = forwarding)

Synchronization of Port Roles

When the switch receives a proposal message on one of its ports and that port is selected as the new root por

After ensuring that all of the ports are synchronized, the switch sends an agreement message to the designated switch corresponding to its root port. When the switches connected by a point-to-point link are in agreement about their port roles, the RSTP immediately transitions the port states to forwarding. The sequence of events is shown in Figure 19-5.

Figure 19-5 Sequence of Events During Rapid Convergence (figure)

The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN. The port role in the proposal message is always set to the designated port. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal. The port role in the agreement message is always set to the root port. The RSTP does not have a separate topology change notification (TCN) BPDU.
• Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.
• Protocol migration—For backward compatibility with IEEE 802.1D switches, RSTP selectively sends IEEE 802.

Configuring MSTP Features

Default MSTP Configuration

Table 19-4 shows the default MSTP configuration.

Table 19-4 Default MSTP Configuration
Feature: Default Setting
Spanning-tree mode: PVST+ (Rapid PVST+ and MSTP are disabled).
Switch priority (configurable on a per-CIST port basis): 32768.
Spanning-tree port priority (configurable on a per-CIST port basis): 128.
Spanning-tree port cost (configurable on a per-CIST port basis): 1000 Mbps: 4. 100 Mbps: 19. 10 Mbps: 100.

• For load balancing across redundant paths in the network to work, all VLAN-to-instance mapping assignments must match; otherwise, all traffic flows on a single link. You can achieve load balancing across a switch stack by manually configuring the path cost.
• All MST boundary ports must be forwarding for load balancing between a PVST+ and an MST cloud or between a rapid-PVST+ and an MST cloud.

Step 3  instance instance-id vlan vlan-range
        Map VLANs to an MST instance.
        • For instance-id, the range is 0 to 4094.
        • For vlan vlan-range, the range is 1 to 4094.
        When you map VLANs to an MST instance, the mapping is incremental, and the VLANs specified in the command are added to or removed from the VLANs that were previously mapped.

Instance  Vlans Mapped
--------  ---------------------
0         1-9,21-4094
1         10-20
------------------------------
Switch(config-mst)# exit
Switch(config)#

Configuring the Root Switch

The switch maintains a spanning-tree instance for the group of VLANs mapped to it. A switch ID, consisting of the switch priority and the switch MAC address, is associated with each instance. For a group of VLANs, the switch with the lowest switch ID becomes the root switch.

Beginning in privileged EXEC mode, follow these steps to configure a switch as the root switch. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  spanning-tree mst instance-id root primary [diameter net-diameter [hello-time seconds]]
        Configure a switch as the root switch.

Beginning in privileged EXEC mode, follow these steps to configure a switch as the secondary root switch. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  spanning-tree mst instance-id root secondary [diameter net-diameter [hello-time seconds]]
        Configure a switch as the secondary root switch.

Beginning in privileged EXEC mode, follow these steps to configure the MSTP port priority of an interface. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces. The port-channel range is 1 to 48.
Configuring Path Cost

The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.

Configuring the Switch Priority

You can configure the switch priority and make it more likely that a standalone switch or a switch in the stack will be chosen as the root switch.

Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.

Configuring the Hello Time

You can configure the interval between the generation of configuration messages by the root switch by changing the hello time. Beginning in privileged EXEC mode, follow these steps to configure the hello time for all MST instances. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.

Configuring the Maximum-Aging Time

Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  spanning-tree mst max-age seconds
        Configure the maximum-aging time for all MST instances.

Specifying the Link Type to Ensure Rapid Transitions

If you connect a port to another port through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the "Rapid Convergence" section on page 19-11.

Step 4  end
        Return to privileged EXEC mode.
Step 5  show spanning-tree mst interface interface-id
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To return the port to its default setting, use the no spanning-tree mst prestandard interface configuration command.
CHAPTER 20 Configuring Optional Spanning-Tree Features

This chapter describes how to configure optional spanning-tree features on the Catalyst 3750 switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+). You can configure only the noted features when your switch stack is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol.

Understanding Optional Spanning-Tree Features

• Understanding Root Guard, page 20-10
• Understanding Loop Guard, page 20-11

Understanding Port Fast

Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states.

configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state. When this happens, the switch shuts down the entire port on which the violation occurred.

Figure 20-2 Switches in a Hierarchical Network (figure: backbone switches with the root bridge, distribution switches, and access switches; active and blocked links)

If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port.

Figure 20-3 UplinkFast Example Before Direct Link Failure (figure: Switch A (Root), Switch B, and Switch C connected by links L1, L2, and L3, with a blocked port on Switch C)

If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure
How CSUF Works

CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 20-5, the stack-root port on Switch 1 provides the path to the root of the spanning tree. The alternate stack-root ports on Switches 2 and 3 can provide an alternate path to the spanning-tree root if the current stack-root switch fails or if its link to the spanning-tree root fails.

Each switch in the stack decides if the sending switch is a better choice than itself to be the stack root of this spanning-tree instance by comparing the root, cost, and bridge ID. If the sending switch is the best choice as the stack root, each switch in the stack returns an acknowledgement; otherwise, it sends a fast-transition request.

BackboneFast, which is enabled by using the spanning-tree backbonefast global configuration command, starts when a root port or blocked interface on a switch receives inferior BPDUs from its designated switch. An inferior BPDU identifies a switch that declares itself as both the root bridge and the designated switch.

If link L1 fails as shown in Figure 20-7, Switch C cannot detect this failure because it is not connected directly to link L1. However, because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root, and begins sending BPDUs to Switch C, identifying itself as the root.

Understanding EtherChannel Guard

You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel, but the interfaces on the other device are not. A misconfiguration can also occur if the channel parameters are not the same at both ends of the EtherChannel.

Figure 20-9 Root Guard in a Service-Provider Network (figure: customer network and service-provider network; desired root switch; potential spanning-tree root without root guard enabled)

Enable the root-guard feature on these interfaces to prevent switches in the customer network from becoming the root switch or being in the path to the root.
Configuring Optional Spanning-Tree Features

These sections contain this configuration information:
• Default Optional Spanning-Tree Configuration, page 20-12
• Optional Spanning-Tree Configuration Guidelines, page 20-12
• Enabling Port Fast, page 20-13 (optional)
• Enabling BPDU Guard, page 20-14 (optional)
• Enabling BPDU Filtering, page 20-15 (optional)
• Enabling UplinkFast for Use with Redund

Enabling Port Fast

An interface with the Port Fast feature enabled is moved directly to the spanning-tree forwarding state without waiting for the standard forward-time delay.

Caution Use Port Fast only when connecting a single end station to an access or trunk port.

Enabling BPDU Guard

When you globally enable BPDU guard on ports that are Port Fast-enabled (the ports are in a Port Fast-operational state), spanning tree continues to run on the ports. They remain up unless they receive a BPDU. In a valid configuration, Port Fast-enabled ports do not receive BPDUs.

Enabling BPDU Filtering

When you globally enable BPDU filtering on Port Fast-enabled interfaces, it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs.

Enabling UplinkFast for Use with Redundant Links

UplinkFast cannot be enabled on VLANs that have been configured with a switch priority. To enable UplinkFast on a VLAN with switch priority configured, first restore the switch priority on the VLAN to the default value by using the no spanning-tree vlan vlan-id priority global configuration command.

Enabling Cross-Stack UplinkFast

When you enable or disable the UplinkFast feature by using the spanning-tree uplinkfast global configuration command, CSUF is automatically globally enabled or disabled on nonstack port interfaces. For more information, see the "Enabling UplinkFast for Use with Redundant Links" section on page 20-16.

Enabling EtherChannel Guard

You can enable EtherChannel guard to detect an EtherChannel misconfiguration if your switch is running PVST+, rapid PVST+, or MSTP. Beginning in privileged EXEC mode, follow these steps to enable EtherChannel guard. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.

Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To disable root guard, use the no spanning-tree guard interface configuration command.

Displaying the Spanning-Tree Status

To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 20-2:

Table 20-2 Commands for Displaying the Spanning-Tree Status
Command: Purpose
show spanning-tree active: Displays spanning-tree information on active interfaces only.
show spanning-tree detail: Displays a detailed summary of interface information.
CHAPTER 21 Configuring Flex Links and the MAC Address-Table Move Update Feature

This chapter describes how to configure Flex Links, a pair of interfaces on the Catalyst 3750 switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Understanding Flex Links and the MAC Address-Table Move Update

typically configured in service provider or enterprise networks where customers do not want to run STP on the switch. If the switch is running STP, Flex Links is not necessary because STP already provides link-level redundancy or backup.

VLAN Flex Link Load Balancing and Support

VLAN Flex Link load-balancing allows you to configure a Flex Link pair so that both ports simultaneously forward the traffic for some mutually exclusive VLANs. For example, if Flex Link ports are configured for 1-100 VLANs, the traffic of the first 50 VLANs can be forwarded on one port and the rest on the other port.

Generating IGMP Reports

When the backup link comes up after the changeover, the upstream new distribution switch does not start forwarding multicast data, because the port on the upstream router, which is connected to the blocked Flex Link port, is not part of any multicast group.

This output shows a querier for VLANs 1 and 401, with their queries reaching the switch through Gigabit Ethernet1/0/11:
Switch# show ip igmp snooping querier
Vlan   IP Address   IGMP Version   Port
------------------------------------------------------------
1      1.1.1.1      v2             Gi1/0/11
401    41.41.41.

This is output for the show ip igmp snooping mrouter command for VLAN 1 and 401:
Switch# show ip igmp snooping mrouter
Vlan   ports
-------
1      Gi1/0/11(dynamic), Gi1/0/12(dynamic)
401    Gi1/0/11(dynamic), Gi1/0/12(dynamic)
Similarly, both the Flex Link ports are a part of the learned groups.

Figure 21-3 MAC Address-Table Move Update Example (figure: Server, PC, Switch A through Switch D, Port 1 through Port 4)

Configuring Flex Links and the MAC Address-Table Move Update

These sections contain this information:
• Default Configuration, page 21-8
• Configuration Guidelines, page 21-8
• Configuring Flex Links, page 21-9
• Confi
Default Configuration

The Flex Links are not configured, and there are no backup interfaces defined. The preemption mode is off. The preemption delay is 35 seconds. The MAC address-table move update feature is not configured on the switch.

Configuration Guidelines

Follow these guidelines to configure Flex Links:
• You can configure up to 16 backup links.

Configuring Flex Links

Beginning in privileged EXEC mode, follow these steps to configure a pair of Flex Links:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface, and enter interface configuration mode.

Beginning in privileged EXEC mode, follow these steps to configure a preemption scheme for a pair of Flex Links:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface, and enter interface configuration mode.

Configuring VLAN Load Balancing on Flex Links

Beginning in privileged EXEC mode, follow these steps to configure VLAN load balancing on Flex Links:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface, and enter interface configuration mode.

When a Flex Link interface comes up, VLANs preferred on this interface are blocked on the peer interface and moved to the forwarding state on the interface that has just come up. In this example, if interface Gi2/0/6 comes up, VLANs preferred on this interface are blocked on the peer interface Gi2/0/8 and forwarded on Gi2/0/6.

Step 4  end
        Return to global configuration mode.
Step 5  mac address-table move update transmit
        Enable the access switch to send MAC address-table move updates to other switches in the network if the primary link goes down and the switch starts forwarding traffic through the standby link.
Step 6  end
        Return to privileged EXEC mode.

Monitoring Flex Links and the MAC Address-Table Move Update

Step 4  show mac address-table move update
        Verify the configuration.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the switch startup configuration file.
To disable the MAC address-table move update feature, use the no mac address-table move update receive configuration command.
CHAPTER 22 Configuring DHCP Features and IP Source Guard Features

This chapter describes how to configure DHCP snooping and option-82 data insertion, and the DHCP server port-based address allocation features on the Catalyst 3750 switch. It also describes how to configure the IP source guard feature. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Understanding DHCP Snooping

These sections contain this information:
• DHCP Server, page 22-2
• DHCP Relay Agent, page 22-2
• DHCP Snooping, page 22-2
• Option-82 Data Insertion, page 22-4
• Cisco IOS DHCP Server Database, page 22-7
• DHCP Snooping Binding Database, page 22-8
• DHCP Snooping and Switch Stacks, page 22-9
For information about the DHCP client, see the "Configuring DHCP" section of the "IP Addressing and Service

The DHCP snooping binding database has the MAC address, the IP address, the lease time, the binding type, the VLAN number, and the interface information that corresponds to the local untrusted interfaces of a switch. It does not have information regarding hosts interconnected with a trusted interface. In a service-provider network, a trusted interface is connected to a port on a device in the same network.

Option-82 Data Insertion

In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address assignments for a large number of subscribers. When the DHCP option-82 feature is enabled on the switch, a subscriber device is identified by the switch port through which it connects to the network (in addition to its MAC address).

• The DHCP server receives the packet. If the server is option-82-capable, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. Then the DHCP server echoes the option-82 field in the DHCP reply.

Figure 22-2 Suboption Packet Formats

Circuit ID Suboption Frame Format:
Suboption type (1 byte) = 1; Length (1 byte) = 6; Circuit ID type (1 byte) = 0; Length (1 byte) = 4; VLAN (2 bytes); Module (1 byte); Port (1 byte)

Remote ID Suboption Frame Format:
Suboption type (1 byte) = 2; Length (1 byte) = 8; Remote ID type (1 byte) = 0; Length (1 byte) = 6; MAC address (6 bytes)

Figure 22-3 shows the packet formats for user-configured remote-ID

Figure 22-3 User-Configured Suboption Packet Formats

Circuit ID Suboption Frame Format (for user-configured string):
Suboption type (1 byte) = 1; Length (1 byte) = N+2; Circuit ID type (1 byte) = 1; Length (1 byte) = N; ASCII Circuit ID string (N bytes, N = 3-63)

Remote ID Suboption Frame Format (for user-configured string):
Suboption type (1 byte) = 2; Length (1 byte) = N+2; Remote ID type (1 byte) = 1; Length (1 byte) = N; ASCII Remote ID string or hostname (N bytes)
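As an added example (not Cisco code), the following Python builds and parses the option-82 suboptions in both layouts shown in Figures 22-2 and 22-3, rejecting any suboption whose length fields disagree with the frame format. The VLAN, module, port, MAC address and ASCII strings are constructed for the example; the payload is the value of DHCP option 82 with the outer option code and length already stripped.

```python
"""DHCP option-82 suboption builder/parser for the Cisco default layout (ID type 0)
and the user-configured ASCII string layout (ID type 1). Added example, not Cisco
code; sample values are constructed."""
from dataclasses import dataclass
from typing import List, Union

SUBOPT_CIRCUIT_ID = 1   # agent circuit ID suboption
SUBOPT_REMOTE_ID = 2    # agent remote ID suboption
ID_TYPE_DEFAULT = 0     # Cisco default binary layout
ID_TYPE_STRING = 1      # user-configured ASCII string, N = 3-63 bytes


@dataclass
class CircuitID:
    vlan: int
    module: int
    port: int


@dataclass
class RemoteID:
    mac: str            # "aa:bb:cc:dd:ee:ff"


@dataclass
class StringID:
    suboption: int      # SUBOPT_CIRCUIT_ID or SUBOPT_REMOTE_ID
    text: str


Suboption = Union[CircuitID, RemoteID, StringID]


def parse_option82(payload: bytes) -> List[Suboption]:
    """Walk the suboption TLVs and check every length field against the frame formats.

    Any inconsistency raises ValueError instead of returning a partial result, so a
    collector on the server side never records a circuit ID it could not fully verify.
    """
    result: List[Suboption] = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated suboption header")
        stype, slen = payload[i], payload[i + 1]
        body = payload[i + 2:i + 2 + slen]
        if len(body) != slen:
            raise ValueError("suboption length runs past the payload")
        if slen < 2:
            raise ValueError("suboption too short to carry an ID type and length")
        id_type, id_len, value = body[0], body[1], body[2:]
        if len(value) != id_len:   # outer length must equal inner length + 2
            raise ValueError("inner length does not match suboption length")
        if stype == SUBOPT_CIRCUIT_ID and id_type == ID_TYPE_DEFAULT:
            if id_len != 4:
                raise ValueError("default circuit ID must be 4 bytes (vlan, module, port)")
            result.append(CircuitID(int.from_bytes(value[:2], "big"), value[2], value[3]))
        elif stype == SUBOPT_REMOTE_ID and id_type == ID_TYPE_DEFAULT:
            if id_len != 6:
                raise ValueError("default remote ID must be a 6-byte MAC address")
            result.append(RemoteID(":".join(f"{b:02x}" for b in value)))
        elif stype in (SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID) and id_type == ID_TYPE_STRING:
            if not 3 <= id_len <= 63:
                raise ValueError("user-configured string must be 3 to 63 bytes")
            result.append(StringID(stype, value.decode("ascii")))
        else:
            raise ValueError(f"unknown suboption {stype} / ID type {id_type}")
        i += 2 + slen
    return result


def build_default_option82(vlan: int, module: int, port: int, mac: str) -> bytes:
    """Encode the Cisco default layout: circuit ID 01 06 00 04 <vlan:2> <mod> <port>,
    remote ID 02 08 00 06 <mac:6>."""
    circuit = (bytes([SUBOPT_CIRCUIT_ID, 6, ID_TYPE_DEFAULT, 4])
               + vlan.to_bytes(2, "big") + bytes([module, port]))
    remote = (bytes([SUBOPT_REMOTE_ID, 8, ID_TYPE_DEFAULT, 6])
              + bytes.fromhex(mac.replace(":", "")))
    return circuit + remote


def build_string_option82(circuit_id: str, remote_id: str) -> bytes:
    """Encode the user-configured layout: type, N+2, 01, N, ASCII string (N = 3-63)."""
    out = b""
    for stype, text in ((SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)):
        raw = text.encode("ascii")
        if not 3 <= len(raw) <= 63:
            raise ValueError("string must be 3 to 63 ASCII bytes")
        out += bytes([stype, len(raw) + 2, ID_TYPE_STRING, len(raw)]) + raw
    return out


if __name__ == "__main__":
    # Constructed sample: a subscriber on VLAN 100, module 1, port 11, relayed by a
    # switch whose MAC address (made up for this example) is 00:11:22:33:44:55.
    sample = build_default_option82(100, 1, 11, "00:11:22:33:44:55")
    for sub in parse_option82(sample):
        print(sub)
    print(parse_option82(build_string_option82("cust-0042", "relay-sw1")))
```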
DHCP Snooping Binding Database

When DHCP snooping is enabled, the switch uses the DHCP snooping binding database to store information about untrusted interfaces. The database can have up to 8192 bindings. Each database entry (binding) has an IP address, an associated MAC address, the lease time (in hexadecimal format), the interface to which the binding applies, and the VLAN to which the interface belongs.

When the switch starts and the calculated checksum value equals the stored checksum value, the switch reads entries from the binding file and adds the bindings to its DHCP snooping binding database. The switch ignores an entry when one of these situations occurs:
• The switch reads the entry and the calculated checksum value does not equal the stored checksum value. The entry and the ones following it are ignored.

Configuring DHCP Snooping

Default DHCP Snooping Configuration

Table 22-1 shows the default DHCP snooping configuration.

• Before configuring the DHCP relay agent on your switch, make sure to configure the device that is acting as the DHCP server. For example, you must specify the IP addresses that the DHCP server can assign or exclude, configure DHCP options for devices, or set up the DHCP database agent.

To disable the DHCP server and relay agent, use the no service dhcp global configuration command. See the "Configuring DHCP" section of the "IP Addressing and Services" section of the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.

Step 10  show running-config
         Verify your entries.
Step 11  copy running-config startup-config
         (Optional) Save your entries in the configuration file.
To remove the DHCP packet forwarding address, use the no ip helper-address address interface configuration command.

Step 8  ip dhcp snooping vlan vlan information option format-type circuit-id [override] string ASCII-string
        (Optional) Configure the circuit-ID suboption for the specified interface. Specify the VLAN and port identifier, using a VLAN ID in the range of 1 to 4094. The default circuit ID is the port identifier in the format vlan-mod-port.

Enabling DHCP Snooping on Private VLANs

You can enable DHCP snooping on private VLANs. If DHCP snooping is enabled, the configuration is propagated to both a primary VLAN and its associated secondary VLANs. If DHCP snooping is enabled on the primary VLAN, it is also configured on the secondary VLANs.

Displaying DHCP Snooping Information

Step 4  ip dhcp snooping database write-delay seconds
        Specify the duration for which the transfer should be delayed after the binding database changes. The range is from 15 to 86400 seconds. The default is 300 seconds (5 minutes).
Step 5  end
Step 6  ip dhcp snooping binding mac-address
        (Optional) Add binding entries to the DHCP snooping binding database.
Chapter 22 Configuring DHCP Features and IP Source Guard Features Understanding IP Source Guard Understanding IP Source Guard IPSG is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. You can use IP source guard to prevent traffic attacks if a host tries to use the IP address of its neighbor.
Chapter 22 Configuring DHCP Features and IP Source Guard Features Understanding IP Source Guard IP Source Guard for Static Hosts Note Do not use IPSG (IP source guard) for static hosts on uplink ports or trunk ports. IPSG for static hosts extends the IPSG capability to non-DHCP and static environments. The previous IPSG used the entries created by DHCP snooping to validate the hosts connected to a switch. Any traffic received from a host without a valid DHCP binding entry is dropped.
Chapter 22 Configuring DHCP Features and IP Source Guard Features Configuring IP Source Guard Configuring IP Source Guard • Default IP Source Guard Configuration, page 22-20 • IP Source Guard Configuration Guidelines, page 22-20 • Enabling IP Source Guard, page 22-21 • Configuring IP Source Guard for Static Hosts, page 22-22 Default IP Source Guard Configuration By default, IP source guard is disabled.
Chapter 22 Configuring DHCP Features and IP Source Guard Features Configuring IP Source Guard • If the number of ternary content addressable memory (TCAM) entries exceeds the maximum, the CPU usage increases. • In a switch stack, if IP source guard is configured on a stack member interface and you remove the switch configuration by entering the no switch stack-member-number provision global configuration command, the interface static bindings are removed from the binding table.
To disable IP source guard with source IP address filtering, use the no ip verify source interface configuration command. To delete a static IP source binding entry, use the no ip source binding global configuration command.

This example shows how to enable IP source guard with source IP and MAC filtering on VLANs 10 and 11:
Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
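Added example (not from the guide): a complete DHCP snooping and IP source guard configuration for one access switch that combines the snooping, binding-database and IPSG steps above. Snooping is limited to the user VLANs, the uplink toward the DHCP server is the only trusted port, untrusted ports are rate-limited, bindings are written to flash so that hosts are not blocked after a reload, a printer with a fixed address gets a static binding, and IPSG with IP and MAC filtering is enabled on the user ports. Interface names, VLAN IDs, addresses and the MAC address are assumptions.

```cisco
! --- Global ---
ip dhcp snooping
ip dhcp snooping vlan 10,11
! Keep bindings across reloads; write at most 60 s after a change
ip dhcp snooping database flash:/dhcp-snooping.db
ip dhcp snooping database write-delay 60
! Printer with a fixed address on Gi1/0/10: static binding so IPSG lets it through
! (assumed MAC, VLAN and address)
ip source binding 0011.2233.4455 vlan 10 10.1.10.20 interface gigabitethernet1/0/10
!
! --- Uplink toward the DHCP server: the only port allowed to send OFFER/ACK ---
interface gigabitethernet1/0/24
 description UPLINK-to-distribution
 switchport mode trunk
 ip dhcp snooping trust
!
! --- Printer port: IP filtering only ---
interface gigabitethernet1/0/10
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! --- User ports: untrusted, rate-limited, IP + MAC filtering ---
interface range gigabitethernet1/0/1 - 9
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ! MAC filtering is implemented through port security, so enable it first
 switchport port-security
 ip verify source port-security
!
! --- Verify ---
show ip dhcp snooping
show ip dhcp snooping binding
show ip verify source
```

With IP and MAC filtering on Gi1/0/1-9, the DHCP server must support option 82 (the switch inserts it by default); if an upstream relay drops requests that carry option 82 with a zero giaddr, either configure that relay to trust them or remove the insertion with no ip dhcp snooping information option. Check show ip dhcp snooping binding before enabling ip verify source on a port that is already in production: a host whose lease was granted before snooping was turned on has no binding and will be blocked until it renews.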
Step 6
Command: ip verify source tracking port-security
Purpose: Enable IPSG for static hosts with MAC address filtering.
Note: When you enable both IP source guard and port security by using the ip verify source port-security interface configuration command:
• The DHCP server must support option 82, or the client is not assigned an IP address.
Step 7
Command: ip device tracking maximum number
This example shows how to enable IPSG for static hosts with IP filters on a Layer 2 access port and to verify the valid IP bindings on the interface Gi0/3:
Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
[Verification output of the example above; the table did not survive extraction. It listed IP bindings 200.1.1.2 through 200.1.1.7, each with MAC address 0001.0600.0000, on the interface.]
Configuring IP Source Guard for Static Hosts on a Private VLAN Host Port
Note: You must enable IP device tracking globally (ip device tracking) and configure the ip device tracking maximum limit-number interface configuration command on the host port for IPSG for static hosts to work.
This example shows how to enable IPSG for static hosts with IP filters on a private VLAN host port:
Switch(config)# vlan 200
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# exit
Switch(config)# vlan 201
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 200
Switch(config-vlan)# private-vlan association 201
Switch(config-vlan)# exit
Switch(config)# int fastEth
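Added example (not the guide's): IPSG for static hosts on an ordinary access port for a lab host with a fixed address, including the global IP device tracking enable and the per-port tracking limit that the feature requires. The interface, VLAN and limit are assumptions.

```cisco
! IPSG for static hosts validates against the IP device tracking table;
! enable tracking globally before touching the port
ip device tracking
!
interface gigabitethernet1/0/3
 description LAB-HOST with a static IP address (no DHCP)
 switchport mode access
 switchport access vlan 10
 ! Required per port: how many tracked IP addresses this port may contribute
 ip device tracking maximum 5
 ! Validate the source IP against the tracking table; use
 ! "ip verify source tracking port-security" to validate the MAC as well
 ip verify source tracking
!
! Tracked hosts and the resulting IPSG filter on the port
show ip device tracking all
show ip verify source interface gigabitethernet1/0/3
```

Keep the per-port maximum small: the switch only learns a static host by seeing its ARP traffic, and a large limit on a port that an attacker controls lets that port fill the tracking table with spoofed entries.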
Chapter 22 Configuring DHCP Features and IP Source Guard Features Displaying IP Source Guard Information Displaying IP Source Guard Information To display the IP source guard information, use one or more of the privileged EXEC commands in Table 22-3: Table 22-3 Commands for Displaying IP Source Guard Information Command Purpose show ip device tracking Display the active IP or MAC binding entries for all interfaces. show ip source binding Display the IP source bindings on a switch.
Chapter 22 Configuring DHCP Features and IP Source Guard Features Configuring DHCP Server Port-Based Address Allocation Default Port-Based Address Allocation Configuration By default, DHCP server port-based address allocation is disabled. Port-Based Address Allocation Configuration Guidelines These are the configuration guidelines for DHCP port-based address allocation: • Only one IP address can be assigned per port.
Chapter 22 Configuring DHCP Features and IP Source Guard Features Configuring DHCP Server Port-Based Address Allocation not offered to the client, and other clients are not served by the pool. By entering this command, users can configure a group of switches with DHCP pools that share a common IP subnet and that ignore requests from clients of other switches. Beginning in privileged EXEC mode follow these steps to preassign an IP address and to associate it to a client identified by the interface name.
ip dhcp subscriber-id interface-name
ip dhcp excluded-address 10.1.1.1 10.1.1.3
!
ip dhcp pool dhcppool
 network 10.1.1.0 255.255.255.0
 address 10.1.1.
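Added example (not the guide's) of the complete port-based allocation configuration that the fragment above belongs to, with the pool restricted to preassigned addresses (reserved-only) so that a device moved to another port, or a client of another switch, gets no lease. The interface short name used as the client ID, "Gi1/0/1", is an assumption; confirm the exact format with show ip dhcp binding after the first lease.

```cisco
! Use the subscriber ID (derived from the interface name) as the DHCP client ID
ip dhcp use subscriber-id client-id
ip dhcp subscriber-id interface-name
ip dhcp excluded-address 10.1.1.1 10.1.1.3
!
ip dhcp pool dhcppool
 network 10.1.1.0 255.255.255.0
 ! Whatever is plugged into Gi1/0/1 always gets 10.1.1.7 (short name assumed)
 address 10.1.1.7 client-id "Gi1/0/1" ascii
 ! Serve only the preassigned addresses; unknown ports and foreign clients get nothing
 reserved-only
!
interface gigabitethernet1/0/1
 ip dhcp server use subscriber-id client-id
!
show ip dhcp binding
show ip dhcp pool dhcppool
```

This pins an address to a port, not to a host: anything plugged into Gi1/0/1 receives 10.1.1.7, so combine it with port security or IP source guard when the identity of the device matters.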
CHAPTER 23 Configuring Dynamic ARP Inspection This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 3750 switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Figure 23-1 ARP Cache Poisoning [figure: Host A (IA, MA), Host B (IB, MB) and Host C, the man-in-the-middle (IC, MC), attached to the switch on interfaces A, B and C]
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA.
Chapter 23 Configuring Dynamic ARP Inspection Understanding Dynamic ARP Inspection You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header. Use the ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command. For more information, see the “Performing Validation Checks” section on page 23-12.
Chapter 23 Configuring Dynamic ARP Inspection Understanding Dynamic ARP Inspection Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running dynamic ARP inspection.
Chapter 23 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Logging of Dropped Packets When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
Chapter 23 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Table 23-1 Default Dynamic ARP Inspection Configuration (continued) Feature Default Setting Log buffer When dynamic ARP inspection is enabled, all denied or dropped ARP packets are logged. The number of entries in the log is 32. The number of system messages is limited to 5 per second. The logging-rate interval is 1 second. Per-VLAN logging All denied or dropped ARP packets are logged.
Chapter 23 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection • The operating rate for the port channel is cumulative across all the physical ports within the channel. For example, if you configure the port channel with an ARP rate-limit of 400 pps, all the interfaces combined on the channel receive an aggregate 400 pps. The rate of incoming ARP packets on EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members.
Chapter 23 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Beginning in privileged EXEC mode, follow these steps to configure dynamic ARP inspection. You must perform this procedure on both switches. This procedure is required. Command Purpose Step 1 show cdp neighbors Verify the connection between the switches. Step 2 configure terminal Enter global configuration mode. Step 3 ip arp inspection vlan vlan-range Enable dynamic ARP inspection on a per-VLAN basis.
Chapter 23 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Configuring ARP ACLs for Non-DHCP Environments This procedure shows how to configure dynamic ARP inspection when Switch B shown in Figure 23-2 on page 23-3 does not support dynamic ARP inspection or DHCP snooping. If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and Host 1 could be attacked by either Switch B or Host 2.
Chapter 23 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Step 5 Command Purpose ip arp inspection filter arp-acl-name vlan vlan-range [static] Apply the ARP ACL to the VLAN. By default, no defined ARP ACLs are applied to any VLAN. • For arp-acl-name, specify the name of the ACL created in Step 2. • For vlan-range, specify the VLAN that the switches and hosts are in.
This example shows how to configure an ARP ACL called host2 on Switch A, to permit ARP packets from Host 2 (IP address 1.1.1.1 and MAC address 0001.0001.0001), to apply the ACL to VLAN 1, and to configure port 1 on Switch A as untrusted:
Switch(config)# arp access-list host2
Switch(config-arp-acl)# permit ip host 1.1.1.1 mac host 1.1.
Chapter 23 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Step 5 Command Purpose errdisable recovery cause arp-inspection interval interval (Optional) Enable error recovery from the dynamic ARP inspection error-disable state. By default, recovery is disabled, and the recovery interval is 300 seconds. For interval interval, specify the time in seconds to recover from the error-disable state. The range is 30 to 86400. Step 6 exit Return to privileged EXEC mode.
Chapter 23 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP packets. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip arp inspection validate {[src-mac] [dst-mac] [ip]} Perform a specific check on incoming ARP packets. By default, no checks are performed.
Chapter 23 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer or increase the logging rate.
Chapter 23 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information Step 3 Command Purpose ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}} Control the type of packets that are logged per VLAN. By default, all denied or all dropped packets are logged. The term logged means the entry is placed in the log buffer and a system message is generated.
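Added example (not from the guide) that puts the procedures above together on one access switch: DAI on a DHCP-snooped VLAN, an ARP ACL for one host with a static address, header validation, a larger log buffer with per-VLAN ACL-match logging, err-disable recovery and rate limiting. The VLAN, interfaces, addresses and the ACL name are assumptions.

```cisco
! DAI validates ARP against the DHCP snooping bindings, so snooping must already
! be enabled on the same VLAN (Chapter 22)
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Host that never uses DHCP: allow its sender IP/MAC pair explicitly.
! "log" makes matches eligible for the acl-match matchlog logging below.
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.20 mac host 0011.2233.4455 log
!
ip arp inspection vlan 10
! Without "static", packets the ACL does not match are still checked against the
! DHCP bindings; with "static" they would be dropped outright, which only fits a
! VLAN where no host uses DHCP
ip arp inspection filter STATIC-HOSTS vlan 10
! Reject packets whose Ethernet header disagrees with the ARP body or that carry
! invalid IP addresses
ip arp inspection validate src-mac dst-mac ip
! Logging: 64 buffered entries, up to 10 system messages per second
ip arp inspection log-buffer entries 64
ip arp inspection log-buffer logs 10 interval 1
ip arp inspection vlan 10 logging acl-match matchlog
! Ports err-disabled by a rate-limit violation recover after 5 minutes
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Trust only links to switches that themselves run DAI (see the non-DHCP
! procedure above for why trusting a non-DAI switch opens a hole)
interface gigabitethernet1/0/24
 description UPLINK-to-distribution
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host ports stay untrusted; 15 pps is the default for untrusted ports
interface range gigabitethernet1/0/1 - 20
 ip arp inspection limit rate 15 burst interval 1
!
show ip arp inspection vlan 10
show ip arp inspection interfaces
show ip arp inspection statistics vlan 10
show ip arp inspection log
```

Run show ip arp inspection statistics vlan 10 for a while after enabling: a steady count of DHCP-binding drops on a port usually means a host with a static address that needs an ACL entry, not an attack, while src-mac or dst-mac validation failures are worth investigating.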
Chapter 23 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information To clear or display dynamic ARP inspection statistics, use the privileged EXEC commands in Table 23-3: Table 23-3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics Command Description clear ip arp inspection statistics Clears dynamic ARP inspection statistics.
CHAPTER 24 Configuring IGMP Snooping and MVR This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on the Catalyst 3750 switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
Chapter 24 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Understanding IGMP Snooping Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast devices.
Chapter 24 Configuring IGMP Snooping and MVR Understanding IGMP Snooping IGMP Versions The switch supports IGMP Version 1, IGMP Version 2, and IGMP Version 3. These versions are interoperable on the switch. For example, if IGMP snooping is enabled on an IGMPv2 switch and the switch receives an IGMPv3 report from a host, the switch can forward the IGMPv3 report to the multicast router. Note The switch supports IGMPv3 snooping based only on the destination multicast MAC address.
Figure 24-1 Initial IGMP Join Message [figure: Router A on port 1 and Hosts 1 through 4 on ports 2 through 5 of one VLAN; Host 1's IGMP report for 224.1.2.3 is sent to the switch CPU, which updates the forwarding table]
Router A sends a general query to the switch, which forwards the query to ports 2 through 5, which are all members of the same VLAN. Host 1 wants to join multicast group 224.1.2.3 and multicasts an IGMP membership report (IGMP join message) to the group.
Figure 24-2 Second Host Joining a Multicast Group [figure: same topology as Figure 24-1]

Table 24-2 Updated IGMP Snooping Forwarding Table
Destination Address   Type of Packet   Ports
224.1.2.3             IGMP             1, 2, 5

Leaving a Multicast Group
The router sends periodic multicast general queries, and the switch forwards these queries through all ports in the VLAN.
Chapter 24 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Immediate Leave Immediate Leave is only supported on IGMP Version 2 hosts. The switch uses IGMP snooping Immediate Leave to remove from the forwarding table an interface that sends a leave message without the switch sending group-specific queries to the interface. The VLAN interface is pruned from the multicast tree for the multicast group specified in the original leave message.
Chapter 24 Configuring IGMP Snooping and MVR Configuring IGMP Snooping IGMP Snooping and Switch Stacks IGMP snooping functions across the switch stack; that is, IGMP control information from one switch is distributed to all switches in the stack. (See Chapter 5, “Managing Switch Stacks,” for more information about switch stacks.) Regardless of the stack member through which IGMP multicast data enters the stack, the data reaches the hosts that have registered for that group.
Table 24-3 Default IGMP Snooping Configuration (continued)
Feature                   Default Setting
IGMP snooping querier     Disabled
IGMP report suppression   Enabled
1. TCN = Topology Change Notification

Enabling or Disabling IGMP Snooping
By default, IGMP snooping is globally enabled on the switch. When globally enabled or disabled, it is also enabled or disabled in all existing VLAN interfaces.
Chapter 24 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Setting the Snooping Method Multicast-capable router ports are added to the forwarding table for every Layer 2 multicast entry.
Chapter 24 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Configuring a Multicast Router Port To add a multicast router port (add a static connection to a multicast router), use the ip igmp snooping vlan mrouter global configuration command on the switch. Note Static connections to multicast routers are supported only on switch ports.
Chapter 24 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Configuring a Host Statically to Join a Group Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure a host on an interface. Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 24 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Command Purpose Step 4 show ip igmp snooping vlan vlan-id Verify that Immediate Leave is enabled on the VLAN interface. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable IGMP Immediate Leave on a VLAN, use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command.
Chapter 24 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Configuring TCN-Related Commands These sections describe how to control flooded multicast traffic during a TCN event: • Controlling the Multicast Flooding Time After a TCN Event, page 24-13 • Recovering from Flood Mode, page 24-13 • Disabling Multicast Flooding During a TCN Event, page 24-14 Controlling the Multicast Flooding Time After a TCN Event You can control the time that multicast traffic is flooded after a TCN event by us
Chapter 24 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Beginning in privileged EXEC mode, follow these steps to enable the switch to send the global leave message whether or not it is the spanning-tree root: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip igmp snooping tcn query solicit Send an IGMP leave message (global leave) to speed the process of recovering from the flood mode caused during a TCN event.
Chapter 24 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Configuring the IGMP Snooping Querier Follow these guidelines when configuring the IGMP snooping querier: • Configure the VLAN in global configuration mode. • Configure an IP address on the VLAN interface. When enabled, the IGMP snooping querier uses the IP address as the query source address.
This example shows how to set the IGMP snooping querier source address to 10.0.0.64:
Switch# configure terminal
Switch(config)# ip igmp snooping querier 10.0.0.
Chapter 24 Configuring IGMP Snooping and MVR Displaying IGMP Snooping Information Displaying IGMP Snooping Information You can display IGMP snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for IGMP snooping. To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 24-4.
Chapter 24 Configuring IGMP Snooping and MVR Understanding Multicast VLAN Registration For more information about the keywords and options in these commands, see the command reference for this release. Understanding Multicast VLAN Registration Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service-provider network (for example, the broadcast of multiple television channels over a service-provider network).
Chapter 24 Configuring IGMP Snooping and MVR Understanding Multicast VLAN Registration Using MVR in a Multicast Television Application In a multicast television application, a PC or a television with a set-top box can receive the multicast stream. Multiple set-top boxes or PCs can be connected to one subscriber port, which is a switch port configured as an MVR receiver port. Figure 24-3 is an example configuration. DHCP assigns an IP address to the set-top box or the PC.
Chapter 24 Configuring IGMP Snooping and MVR Configuring MVR When a subscriber changes channels or turns off the television, the set-top box sends an IGMP leave message for the multicast stream. The switch CPU sends a MAC-based general query through the receiver port VLAN. If there is another set-top box in the VLAN still subscribing to this group, that set-top box must respond within the maximum response time specified in the query.
Default MVR Configuration
Table 24-5 shows the default MVR configuration.
Table 24-5 Default MVR Configuration
Feature               Default Setting
MVR                   Disabled globally and per interface
Multicast addresses   None configured
Query response time   0.
Chapter 24 Configuring IGMP Snooping and MVR Configuring MVR Note For complete syntax and usage information for the commands used in this section, see the command reference for this release. Beginning in privileged EXEC mode, follow these steps to configure MVR parameters: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mvr Enable MVR on the switch.
Chapter 24 Configuring IGMP Snooping and MVR Configuring MVR Configuring MVR Interfaces Beginning in privileged EXEC mode, follow these steps to configure Layer 2 MVR interfaces: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mvr Enable MVR on the switch. Step 3 interface interface-id Specify the Layer 2 port to configure, and enter interface configuration mode.
This example shows how to configure a port as a receiver port, statically configure the port to receive multicast traffic sent to the multicast group address, configure Immediate Leave on the port, and verify the results.
Switch(config)# mvr
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# mvr type receiver
Switch(config-if)# mvr vlan 22 group 228.1.23.
Chapter 24 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling Configuring IGMP Filtering and Throttling In some environments, for example, metropolitan or multiple-dwelling unit (MDU) installations, you might want to control the set of multicast groups to which a user on a switch port can belong. You can control the distribution of multicast services, such as IP/TV, based on some type of subscription or service plan.
Chapter 24 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling Default IGMP Filtering and Throttling Configuration Table 24-7 shows the default IGMP filtering configuration.
Beginning in privileged EXEC mode, follow these steps to create an IGMP profile:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 ip igmp profile profile number Assign a number to the profile you are configuring, and enter IGMP profile configuration mode. The profile number range is 1 to 4294967295.
Chapter 24 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling Beginning in privileged EXEC mode, follow these steps to apply an IGMP profile to a switch port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the physical interface, and enter interface configuration mode. The interface must be a Layer 2 port that does not belong to an EtherChannel port group.
Chapter 24 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling To remove the maximum group limitation and return to the default of no maximum, use the no ip igmp max-groups interface configuration command. This example shows how to limit to 25 the number of IGMP groups that a port can join.
Chapter 24 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 show running-config interface interface-id Verify the configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default action of dropping the report, use the no ip igmp max-groups action interface configuration command.
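Added example (not from the guide) that serves both the IGMP snooping procedures earlier in this chapter (static multicast router port, snooping querier, Immediate Leave) and the filtering and throttling procedures above, on one subscriber VLAN: subscribers may join only one block of groups and at most five at a time. The VLAN, interfaces, addresses and group range are assumptions.

```cisco
ip igmp snooping
ip igmp snooping vlan 30
! Static multicast router port toward the PIM router so reports always reach it
ip igmp snooping vlan 30 mrouter interface gigabitethernet1/0/24
! Snooping querier for a VLAN with no multicast router; it needs an SVI address
! to use as the query source
interface vlan 30
 ip address 10.1.30.1 255.255.255.0
ip igmp snooping querier
! Immediate Leave is safe only where each port has a single IGMPv2 receiver;
! with several receivers behind one port, the first leave cuts off the others
ip igmp snooping vlan 30 immediate-leave
!
! Profile: permit only the 239.1.1.0/24 channel block (a profile denies by default)
ip igmp profile 10
 permit
 range 239.1.1.1 239.1.1.255
!
interface range gigabitethernet1/0/1 - 20
 switchport mode access
 switchport access vlan 30
 ip igmp filter 10
 ! At most 5 concurrent groups; a 6th join replaces an existing entry instead
 ! of being dropped (the default action is drop)
 ip igmp max-groups 5
 ip igmp max-groups action replace
!
show ip igmp profile 10
show ip igmp snooping groups vlan 30
show running-config interface gigabitethernet1/0/1
```

The profile and the group limit apply to IGMP reports, not to data: a host that sends multicast without joining is not stopped by them, so pair this with storm control on the same ports (Chapter 25).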
CHAPTER 25 Configuring Port-Based Traffic Control This chapter describes how to configure the port-based traffic control features on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 25 Configuring Port-Based Traffic Control Configuring Storm Control Understanding Storm Control Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in network configurations, or users issuing a denial-of-service attack can cause a storm.
Figure 25-1 Broadcast Storm Control Example [figure: total number of broadcast packets or bytes plotted against time at intervals T1 through T5, with a horizontal threshold line; traffic above the threshold is blocked, traffic below it is forwarded]
The combination of the storm-control suppression level and the 1-second time interval controls the way the storm control algorithm works. A higher threshold allows more packets to pass through.
Beginning in privileged EXEC mode, follow these steps to configure storm control and threshold levels:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode.
Chapter 25 Configuring Port-Based Traffic Control Configuring Storm Control Command Purpose Step 6 show storm-control [interface-id] [broadcast | multicast | unicast] Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 25 Configuring Port-Based Traffic Control Configuring Protected Ports Beginning in privileged EXEC mode, follow these steps to configure the threshold level for each interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 errdisable detect cause small-frame Enable the small-frame rate-arrival feature on the switch. Step 3 errdisable recovery interval interval (Optional) Specify the time to recover from the specified error-disabled state.
Chapter 25 Configuring Port-Based Traffic Control Configuring Protected Ports Because a switch stack represents a single logical switch, Layer 2 traffic is not forwarded between any protected ports in the switch stack, whether they are on the same or different switches in the stack.
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Blocking Configuring Port Blocking By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues.
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Security To return the interface to the default condition where no traffic is blocked and normal forwarding occurs on the port, use the no switchport block {multicast | unicast} interface configuration commands.
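Added example (not from the guide) that applies the features of this section to a block of user ports together: storm control with the shutdown action, the small-frame err-disable detector, protected ports, port blocking and automatic recovery. The interface range, VLAN and thresholds are assumptions and should be tuned to measured traffic.

```cisco
! Both detectors can err-disable a port; let the port come back on its own
errdisable detect cause small-frame
errdisable recovery cause storm-control
errdisable recovery cause small-frame
errdisable recovery interval 300
!
interface range gigabitethernet1/0/1 - 20
 switchport mode access
 switchport access vlan 10
 ! Broadcast: start dropping at 5% of bandwidth, resume forwarding at 3%
 storm-control broadcast level 5.00 3.00
 ! Multicast and unknown unicast in packets per second (k = thousands)
 storm-control multicast level pps 2k 1k
 storm-control unicast level pps 2k 1k
 ! Err-disable the port instead of only filtering (the default action)
 storm-control action shutdown
 ! Frames shorter than 67 bytes above this rate also err-disable the port
 small-frame violation rate 1000
 ! Hosts on these ports must not talk to each other at Layer 2 ...
 switchport protected
 ! ... and must not receive flooded unknown-unicast or multicast frames
 switchport block unicast
 switchport block multicast
!
show storm-control gigabitethernet1/0/1 broadcast
show storm-control gigabitethernet1/0/1 unicast
show interfaces gigabitethernet1/0/1 switchport
show errdisable recovery
```

Two caveats: switchport protected only isolates ports on this switch or stack, so hosts can still reach each other through a router or through another switch unless it is configured the same way; and switchport block multicast stops only pure Layer 2 multicast, so IP multicast data still floods to the port unless IGMP snooping (Chapter 24) constrains it.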
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Security Understanding Port Security These sections contain this conceptual information: • Secure MAC Addresses, page 25-10 • Security Violations, page 25-11 Secure MAC Addresses You configure the maximum number of secure addresses allowed on a port by using the switchport port-security maximum value interface configuration command.
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Security Security Violations It is a security violation when one of these situations occurs: • The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface. • An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
Default Port Security Configuration
Table 25-2 shows the default port security configuration for an interface.
Table 25-2 Default Port Security Configuration
Feature                                           Default Setting
Port security                                     Disabled on a port.
Sticky address learning                           Disabled.
Maximum number of secure MAC addresses per port   1
Violation mode                                    Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded.
Table 25-3 summarizes port security compatibility with other port-based features.
Table 25-3 Port Security Compatibility with Other Switch Features
Type of Port or Feature on Port   Compatible with Port Security
DTP port (1)(2)                   No
Trunk port                        Yes
Dynamic-access port (3)           No
Routed port                       No
SPAN source port                  Yes
SPAN destination port             No
EtherChannel                      No
Tunneling port                    Yes
Protected port                    Yes
IEEE 802.
Step 6. switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]]
   (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch stack is set by the maximum number of available MAC addresses allowed in the system. This number is set by the active Switch Database Management (SDM) template.
Step 7. switchport port-security [violation {protect | restrict | shutdown | shutdown vlan}]
   (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:
   • protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC address
Step 8. switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]]
   (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table. All addresses are now dynamically learned.
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Switch(config-if)# switchport port-security mac-address 0000.0000.
To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command. To disable aging for only statically configured secure addresses, use the no switchport port-security aging static interface configuration command.
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport private-vlan mapping 2061 2201-2206,3101
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport port-security maximum 288
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security violation restrict
Note Ports that have both port security and private VLANs configured
CHAPTER 26 Configuring CDP
This chapter describes how to configure Cisco Discovery Protocol (CDP) on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Configuring CDP
For a switch and connected endpoint devices running Cisco Medianet:
• CDP identifies connected endpoints that communicate directly with the switch.
• To prevent duplicate reports of neighboring devices, only one wired switch reports the location information.
• The wired switch and the endpoints both send and receive location information.
For information, go to: http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cdp_discover.html.
Configuring the CDP Characteristics
You can configure the frequency of CDP updates, the amount of time to hold the information before discarding it, and whether or not to send Version-2 advertisements. Beginning in privileged EXEC mode, follow these steps to configure the CDP timer, holdtime, and advertisement type.
Note Steps 2 through 4 are all optional and can be performed in any order.
Beginning in privileged EXEC mode, follow these steps to disable the CDP device discovery capability:
Step 1. configure terminal
   Enter global configuration mode.
Step 2. no cdp run
   Disable CDP.
Step 3. end
   Return to privileged EXEC mode.
Beginning in privileged EXEC mode, follow these steps to enable CDP when it has been disabled:
Step 1. configure terminal
   Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to enable CDP on a port when it has been disabled:
Step 1. configure terminal
   Enter global configuration mode.
Step 2. interface interface-id
   Specify the interface on which you are enabling CDP, and enter interface configuration mode.
Step 3. cdp enable
   Enable CDP on the interface after disabling it.
Step 4. end
   Return to privileged EXEC mode.
CHAPTER 27 Configuring LLDP, LLDP-MED, and Wired Location Service
This chapter describes how to configure the Link Layer Discovery Protocol (LLDP), LLDP Media Endpoint Discovery (LLDP-MED) and wired location service on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Understanding LLDP, LLDP-MED, and Wired Location Service
The switch supports these basic management TLVs and treats them as mandatory; note that in IEEE 802.1AB itself only the Chassis ID, Port ID, and Time To Live TLVs are mandatory, and the basic management TLVs are optional.
• Port description TLV
• System name TLV
• System description TLV
• System capabilities TLV
• Management address TLV
These organizationally specific LLDP TLVs are also advertised to support LLDP-MED:
• Port VLAN ID TLV (IEEE 802.
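The decoder below is an added example, not code from the Cisco guide. LLDP frames are unauthenticated and sent to a link-local multicast address, so anyone on the segment can read them; the decoder walks an LLDPDU's TLV list (7-bit type, 9-bit length, payload) and shows what the mandatory TLVs and the basic management TLVs listed above disclose: chassis MAC, port name, system name, a system description that normally carries the software version, and a management address. The LLDPDU is constructed by hand for the example, and the sample hostname, MAC and address are invented.

```python
"""Decode an LLDP data unit into its TLVs (added example)."""
import struct
import ipaddress

# TLV type codes from IEEE 802.1AB
END, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAP, MGMT_ADDR = range(9)

def tlv(t: int, payload: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the payload."""
    assert 0 <= t < 128 and len(payload) < 512
    return struct.pack("!H", (t << 9) | len(payload)) + payload

def build_sample_lldpdu() -> bytes:
    """Constructed LLDPDU for an imaginary edge switch (not a capture)."""
    mac = bytes.fromhex("001a2b3c4d5e")
    mgmt = (bytes([5, 1]) + ipaddress.IPv4Address("10.0.0.2").packed   # addr len, subtype 1 = IPv4, address
            + bytes([2]) + struct.pack("!I", 1) + bytes([0]))           # ifIndex numbering, ifIndex 1, no OID
    return b"".join([
        tlv(CHASSIS_ID, bytes([4]) + mac),                   # chassis subtype 4 = MAC address
        tlv(PORT_ID, bytes([5]) + b"Gi1/0/1"),               # port subtype 5 = interface name
        tlv(TTL, struct.pack("!H", 120)),
        tlv(SYS_NAME, b"edge-sw01"),
        tlv(SYS_DESC, b"Cisco IOS Software, C3750 Software, Version 12.2(55)SE"),
        tlv(PORT_DESC, b"uplink to core"),
        tlv(SYS_CAP, struct.pack("!HH", 0x0004, 0x0004)),    # capabilities: bridge; enabled: bridge
        tlv(MGMT_ADDR, mgmt),
        tlv(END, b""),
    ])

def parse_lldpdu(data: bytes) -> dict:
    """Walk the TLV list and return the decoded fields."""
    out, off = {}, 0
    while off + 2 <= len(data):
        hdr, = struct.unpack_from("!H", data, off)
        t, length = hdr >> 9, hdr & 0x1FF
        payload = data[off + 2: off + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated TLV")
        off += 2 + length
        if t == END:
            break
        if t == CHASSIS_ID:
            out["chassis_id"] = payload[1:].hex(":") if payload[0] == 4 else payload[1:].decode()
        elif t == PORT_ID:
            out["port_id"] = payload[1:].decode()
        elif t == TTL:
            out["ttl"], = struct.unpack("!H", payload)
        elif t == PORT_DESC:
            out["port_description"] = payload.decode()
        elif t == SYS_NAME:
            out["system_name"] = payload.decode()
        elif t == SYS_DESC:
            out["system_description"] = payload.decode()
        elif t == SYS_CAP:
            out["capabilities"], out["enabled_capabilities"] = struct.unpack("!HH", payload)
        elif t == MGMT_ADDR:
            alen, subtype = payload[0], payload[1]
            addr = payload[2: 1 + alen]                    # alen counts the subtype byte
            if subtype == 1:                               # IANA address family 1 = IPv4
                out["management_address"] = str(ipaddress.IPv4Address(addr))
        else:
            out.setdefault("other_tlv_types", []).append(t)
    return out

if __name__ == "__main__":
    for key, value in parse_lldpdu(build_sample_lldpdu()).items():
        print(f"{key:22} {value}")
```

To run it on real traffic, hand parse_lldpdu the Ethernet payload of a frame with EtherType 0x88CC; the fields it returns are exactly what a neighbor, or an attacker on the same segment, learns from a port with LLDP enabled, which is the reason to disable LLDP on ports facing untrusted devices.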
Starting with Cisco IOS Release 12.2(52)SE, when LLDP is enabled and power is applied to a port, the power TLV determines the actual power requirement of the endpoint device so that the system power budget can be adjusted accordingly. The switch processes the requests and either grants or denies power based on the current power budget.
Depending on the device capabilities, the switch obtains this client information at link up:
• Slot and port specified in port connection
• MAC address specified in the client MAC address
• IP address specified in port connection
• 802.
Configuring LLDP, LLDP-MED, and Wired Location Service
• Default LLDP Configuration, page 27-5
• Configuration Guidelines, page 27-5
• Enabling LLDP, page 27-6
• Configuring LLDP Characteristics, page 27-7
• Configuring LLDP-MED TLVs, page 27-8
• Configuring Network-Policy TLV, page 27-9
• Configuring Location TLV and Wired Location Service, page 27-10
Default LLDP Configu
Enabling LLDP
Beginning in privileged EXEC mode, follow these steps to enable LLDP:
Step 1. configure terminal
   Enter global configuration mode.
Step 2. lldp run
   Enable LLDP globally on the switch.
Step 3. interface interface-id
   Specify the interface on which you are enabling LLDP, and enter interface configuration mode.
Configuring LLDP Characteristics
You can configure the frequency of LLDP updates, the amount of time to hold the information before discarding it, and the initialization delay time. You can also select the LLDP and LLDP-MED TLVs to send and receive. Beginning in privileged EXEC mode, follow these steps to configure the LLDP characteristics.
Configuring LLDP-MED TLVs
By default, the switch only sends LLDP packets until it receives LLDP-MED packets from the end device. It then sends LLDP packets with MED TLVs, as well. When the LLDP-MED entry has been aged out, it again only sends LLDP packets. By using the lldp interface configuration command, you can configure the interface not to send the TLVs listed in Table 27-2.
Configuring Network-Policy TLV
Beginning in privileged EXEC mode, follow these steps to create a network-policy profile, configure the policy attributes, and apply it to an interface.
Step 1. configure terminal
   Enter global configuration mode.
This example shows how to configure VLAN 100 for voice application with CoS and to enable the network-policy profile and network-policy TLV on an interface:
Switch# configure terminal
Switch(config)# network-policy 1
Switch(config-network-policy)# voice vlan 100 cos 4
Switch(config-network-policy)# exit
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# network-policy pr
Step 7. show location
   Verify the configuration.
Step 8. copy running-config startup-config
   (Optional) Save your entries in the configuration file.
Use the no form of each command to return to the default setting.
Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service
To monitor and maintain LLDP, LLDP-MED, and wired location service on your device, perform one or more of these tasks, beginning in privileged EXEC mode.

Command               Description
clear lldp counters   Reset the traffic counters to zero.
clear lldp table      Delete the LLDP neighbor information table.
CHAPTER 28 Configuring UDLD
This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding UDLD
A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device. In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection.
• Event-driven detection and echoing
UDLD relies on echoing as its detection mechanism. Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out-of-sync neighbor, it restarts the detection window on its side of the connection and sends echo messages in reply. Because this behavior is the same on all UDLD neighbors, the sender of the echoes expects to receive an echo in reply.
Configuring UDLD
Default UDLD Configuration
Table 28-1 shows the default UDLD configuration.
Enabling UDLD Globally
Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch and all members in the switch stack:
Step 1. configure terminal
   Enter global configuration mode.
Enabling UDLD on an Interface
Beginning in privileged EXEC mode, follow these steps either to enable UDLD in the aggressive or normal mode or to disable UDLD on a port:
Step 1. configure terminal
   Enter global configuration mode.
Step 2. interface interface-id
   Specify the port to be enabled for UDLD, and enter interface configuration mode.
Step 3. udld port [aggressive]
   UDLD is disabled by default.
Displaying UDLD Status
To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
CHAPTER 29 Configuring SPAN and RSPAN
This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding SPAN and RSPAN
These sections contain this conceptual information:
• Local SPAN, page 29-2
• Remote SPAN, page 29-3
• SPAN and RSPAN Concepts and Terminology, page 29-4
• SPAN and RSPAN Interaction with Other Features, page 29-9
• SPAN and RSPAN and Switch Stacks, page 29-10
Local SPAN
Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports are in the same switch or switch stack.
Figure 29-2 is an example of a local SPAN in a switch stack, where the source and destination ports reside on different stack members.
Figure 29-3 Example of RSPAN Configuration (figure: RSPAN source sessions A and B, each with its RSPAN source ports, on Switch A and Switch B; their traffic crosses the RSPAN VLAN through intermediate switches, which must support the RSPAN VLAN, to the RSPAN destination session and RSPAN destination ports on Switch C)
SPAN and RSPAN Concepts and Terminology
This section describes concepts and terminology associated with SPAN and RSPAN configuration.
An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed over normal trunk ports to the destination switch. An RSPAN destination session takes all packets received on the RSPAN VLAN, strips off the VLAN tagging, and presents them on the destination port.
• Transmit (Tx) SPAN—The goal of transmit (or egress) SPAN is to monitor as much as possible all the packets sent by the source interface after all modification and processing is performed by the switch. A copy of each packet sent by the source is sent to the destination port for that SPAN session. The copy is provided after the packet is modified.
A source port has these characteristics:
• It can be monitored in multiple SPAN sessions.
• Each source port can be configured with a direction (ingress, egress, or both) to monitor.
• It can be any port type (for example, EtherChannel, Fast Ethernet, Gigabit Ethernet, and so forth).
Destination Port
Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user, usually a network analyzer. A destination port has these characteristics:
• For a local SPAN session, the destination port must reside on the same switch stack as the source port.
RSPAN VLAN
The RSPAN VLAN carries SPAN traffic between RSPAN source and destination sessions. It has these special characteristics:
• All traffic in the RSPAN VLAN is always flooded.
• No MAC address learning occurs on the RSPAN VLAN.
• RSPAN VLAN traffic only flows on trunk ports.
• RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN configuration mode command.
A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and still be a part of the EtherChannel. In this case, data from the physical port is monitored as it participates in the EtherChannel. However, if a physical port that belongs to an EtherChannel group is configured as a SPAN destination, it is removed from the group.
Configuring SPAN and RSPAN
Default SPAN and RSPAN Configuration
Table 29-1 shows the default SPAN and RSPAN configuration.

Table 29-1 Default SPAN and RSPAN Configuration
Feature                                Default Setting
SPAN state (SPAN and RSPAN)            Disabled.
Source port traffic to monitor         Both received and sent traffic (both).
Encapsulation type (destination port)  Native form (untagged packets).

• You can configure a disabled port to be a source or destination port, but the SPAN function does not start until the destination port and at least one source port or source VLAN are enabled.
• You can limit SPAN traffic to specific VLANs by using the filter vlan keyword. If a trunk port is being monitored, only traffic on the VLANs specified with this keyword is monitored. By default, all VLANs are monitored on a trunk port.
Step 3. monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
   Specify the SPAN session and the source port (monitored port). For session_number, the range is 1 to 66. For interface-id, specify the source port or source VLAN to monitor.
   • For source interface-id, specify the source port to monitor.
Step 6. show monitor [session session_number]
        show running-config
   Verify the configuration.
Step 7. copy running-config startup-config
   (Optional) Save the configuration in the configuration file.
To delete a SPAN session, use the no monitor session session_number global configuration command.
Creating a Local SPAN Session and Configuring Incoming Traffic
Beginning in privileged EXEC mode, follow these steps to create a SPAN session, to specify the source ports or VLANs and the destination ports, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance).
monitor session session_number destination interface interface-id global configuration command. For destination interfaces, the encapsulation and ingress options are ignored with the no form of the command.
Step 6. end
   Return to privileged EXEC mode.
Step 7. show monitor [session session_number]
        show running-config
   Verify the configuration.
Step 8. copy running-config startup-config
   (Optional) Save the configuration in the configuration file.
To monitor all VLANs on the trunk port, use the no monitor session session_number filter global configuration command.
• RSPAN VLANs are included as sources for port-based RSPAN sessions when source trunk ports have active RSPAN VLANs. RSPAN VLANs can also be sources in SPAN sessions. However, since the switch does not monitor spanned traffic, it does not support egress spanning of packets on any RSPAN VLAN identified as the destination of an RSPAN source session on the switch.
Step 3. remote-span
   Configure the VLAN as an RSPAN VLAN.
Step 4. end
   Return to privileged EXEC mode.
Step 5. copy running-config startup-config
   (Optional) Save the configuration in the configuration file.
To remove the remote SPAN characteristic from a VLAN and convert it back to a normal VLAN, use the no remote-span VLAN configuration command. This example shows how to create RSPAN VLAN 901.
Step 3. monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
   Specify the RSPAN session and the source port (monitored port). For session_number, the range is 1 to 66. Enter a source port or source VLAN for the RSPAN session:
   • For interface-id, specify the source port to monitor.
Creating an RSPAN Destination Session
You configure the RSPAN destination session on a different switch or switch stack; that is, not the switch or switch stack on which the source session was configured.
This example shows how to configure VLAN 901 as the source remote VLAN and port 1 as the destination interface:
Switch(config)# monitor session 1 source remote vlan 901
Switch(config)# monitor session 1 destination interface gigabitethernet2/0/1
Switch(config)# end
Creating an RSPAN Destination Session and Configuring Incoming Traffic
Beginning in privileged EXEC mode, follow these steps to create an RSPAN destination session, to specify t
Step 6. show monitor [session session_number]
        show running-config
   Verify the configuration.
Step 7. copy running-config startup-config
   (Optional) Save the configuration in the configuration file.
To delete an RSPAN session, use the no monitor session session_number global configuration command.
Step 5. monitor session session_number destination remote vlan vlan-id
   Specify the RSPAN session and the destination remote VLAN (RSPAN VLAN). For session_number, enter the session number specified in step 3. For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port.
Step 6. end
   Return to privileged EXEC mode.
CHAPTER 30 Configuring RMON
This chapter describes how to configure Remote Network Monitoring (RMON) on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information.
Understanding RMON
RMON is an Internet Engineering Task Force (IETF) standard monitoring specification that allows various network agents and console systems to exchange network monitoring data. You can use the RMON feature with the Simple Network Management Protocol (SNMP) agent in the switch to monitor all the traffic flowing among switches on all connected LAN segments as shown in Figure 30-1.
Configuring RMON
These sections contain this configuration information:
• Default RMON Configuration, page 30-3
• Configuring RMON Alarms and Events, page 30-3 (required)
• Collecting Group History Statistics on an Interface, page 30-5 (optional)
• Collecting Group Ethernet Statistics on an Interface, page 30-6 (optional)
Default RMON Configuration
RMON is disabled by default; no alarms or events are configured.
Beginning in privileged EXEC mode, follow these steps to enable RMON alarms and events. This procedure is required.
Step 1. configure terminal
   Enter global configuration mode.
Step 2. rmon alarm number variable interval {absolute | delta} rising-threshold value [event-number] falling-threshold value [event-number] [owner string]
   Set an alarm on a MIB object.
   • For number, specify the alarm number. The range is 1 to 65535.
To disable an alarm, use the no rmon alarm number global configuration command on each alarm you configured. You cannot disable at once all the alarms that you configured. To disable an event, use the no rmon event number global configuration command. To learn more about alarms and events and how they interact with each other, see RFC 1757. You can set an alarm on any MIB object.
Step 6. show rmon history
   Display the contents of the switch history table.
Step 7. copy running-config startup-config
   (Optional) Save your entries in the configuration file.
To disable history collection, use the no rmon collection history index interface configuration command.
Collecting Group Ethernet Statistics on an Interface
Beginning in privileged EXEC mode, follow these steps to collect group Ethernet statistics on an interface.
Displaying RMON Status
To display the RMON status, use one or more of the privileged EXEC commands in Table 30-1:

Table 30-1 Commands for Displaying RMON Status
Command               Purpose
show rmon             Displays general RMON statistics.
show rmon alarms      Displays the RMON alarm table.
show rmon events      Displays the RMON event table.
show rmon history     Displays the RMON history table.
show rmon statistics  Displays the RMON statistics table.
CHAPTER 31 Configuring System Message Logging
This chapter describes how to configure system message logging on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
Configuring System Message Logging
You can set the severity level of the messages to control the type of messages displayed on the consoles and each of the destinations. You can time-stamp log messages or set the syslog source address to enhance real-time debugging and management. For information on possible messages, see the system message guide for this release.
Table 31-1 describes the elements of syslog messages.

Table 31-1 System Log Message Elements
Element      Description
seq no:      Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages” section on page 31-8.
timestamp    Date and time of the message or event.

Default System Message Logging Configuration
Table 31-2 shows the default system message logging configuration.

Table 31-2 Default System Message Logging Configuration
Feature                                 Default Setting
System message logging to the console   Enabled.
Console severity                        Debugging (and numerically lower levels; see Table 31-3 on page 31-10).
Logging file configuration              No filename specified.
Logging buffer size                     4096 bytes.

Beginning in privileged EXEC mode, follow these steps to disable message logging. This procedure is optional.
Step 1. configure terminal
   Enter global configuration mode.
Step 2. no logging console
   Disable message logging.
Step 3. end
   Return to privileged EXEC mode.
Step 4. show running-config
   Verify your entries.
Step 3. logging host
   Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server. To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 31-12.
Synchronizing Log Messages
You can synchronize unsolicited messages and debug privileged EXEC command output with solicited device output and prompts for a specific console port line or virtual terminal line. You can identify the types of messages to be output asynchronously based on the level of severity.
Step 5. show running-config
   Verify your entries.
Step 6. copy running-config startup-config
   (Optional) Save your entries in the configuration file.
To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
Beginning in privileged EXEC mode, follow these steps to enable sequence numbers in log messages. This procedure is optional.
Step 1. configure terminal
   Enter global configuration mode.
Step 2. service sequence-numbers
   Enable sequence numbers.
Step 3. end
   Return to privileged EXEC mode.
Step 4. show running-config
   Verify your entries.
Note Specifying a level causes messages at that level and numerically lower levels to appear at the destination.
To disable logging to the console, use the no logging console global configuration command. To disable logging to a terminal other than the console, use the no logging monitor global configuration command. To disable logging to syslog servers, use the no logging trap global configuration command.
Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults. This procedure is optional.
Step 1. configure terminal
   Enter global configuration mode.
Step 2. logging history level (1)
   Change the default level of syslog messages stored in the history file and sent to the SNMP server. See Table 31-3 on page 31-10 for a list of level keywords.
Beginning in privileged EXEC mode, follow these steps to enable configuration logging:
Step 1. configure terminal
   Enter global configuration mode.
Step 2. archive
   Enter archive configuration mode.
Step 3. log config
   Enter configuration-change logger configuration mode.
Step 4. logging enable
   Enable configuration change logging.
Logging Messages to a UNIX Syslog Daemon
Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. This procedure is optional. Log in as root, and perform these steps:
Note Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network.
Step 4. logging facility facility-type
   Configure the syslog facility. See Table 31-4 on page 31-14 for facility-type keywords. The default is local7.
Step 5. end
   Return to privileged EXEC mode.
Step 6. show running-config
   Verify your entries.
Step 7. copy running-config startup-config
   (Optional) Save your entries in the configuration file.
CH A P T E R 32 Configuring SNMP This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Network Management Command Reference, Release 12.4: http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_book.
Chapter 32 Configuring SNMP Understanding SNMP These sections contain this conceptual information: • SNMP Versions, page 32-2 • SNMP Manager Functions, page 32-4 • SNMP Agent Functions, page 32-4 • SNMP Community Strings, page 32-4 • Using SNMP to Access MIB Variables, page 32-5 • SNMP Notifications, page 32-5 • SNMP ifIndex MIB Object Values, page 32-6 SNMP Versions This software release supports these SNMP versions: • SNMPv1—The Simple Network Management Protocol, a Full Internet Standar
Table 32-1 identifies the characteristics of the different combinations of security models and levels.
Table 32-1 SNMP Security Models and Levels (Model / Level / Authentication / Encryption / Result)
SNMPv1 / noAuthNoPriv / Community string / No / Uses a community string match for authentication.
SNMPv2C / noAuthNoPriv / Community string / No / Uses a community string match for authentication.
SNMP Manager Functions
The SNMP manager uses information in the MIB to perform the operations described in Table 32-2.
Table 32-2 SNMP Operations (Operation / Description)
get-request / Retrieves a value from a specific variable.
get-next-request / Retrieves a value from a variable within a table.
get-bulk-request / Retrieves large blocks of data, such as multiple rows in a table, that would otherwise require the transmission of many small blocks of data.
Using SNMP to Access MIB Variables
An example of an NMS is the CiscoWorks network management software. CiscoWorks 2000 software uses the switch MIB variables to set device variables and to poll devices on the network for specific information. The results of a poll can be displayed as a graph and analyzed to troubleshoot internetworking problems, increase network performance, verify the configuration of devices, monitor traffic loads, and more.
SNMP ifIndex MIB Object Values
In an NMS, the IF-MIB generates and assigns an interface index (ifIndex) object value that is a unique number greater than zero to identify a physical or a logical interface. When the switch reboots or the switch software is upgraded, the switch uses this same value for the interface. For example, if the switch assigns port 2 an ifIndex value of 10003, this value is the same after the switch reboots.
Default SNMP Configuration
Table 32-4 shows the default SNMP configuration.
Table 32-4 Default SNMP Configuration (Feature / Default Setting)
SNMP agent / Disabled.
SNMP trap receiver / None configured.
SNMP traps / None enabled except the trap for TCP connections (tty).
SNMP version / If no version keyword is present, the default is Version 1.
SNMPv3 authentication / If no keyword is entered, the default is the noauth (noAuthNoPriv) security level.
invalid, and you need to reconfigure SNMP users by using the snmp-server user username global configuration command. Similar restrictions require the reconfiguration of community strings when the engine ID changes.
Disabling the SNMP Agent
Beginning in privileged EXEC mode, follow these steps to disable the SNMP agent:
Step 1  configure terminal
    Enter global configuration mode.
Step 2  no snmp-server
    Disable the SNMP agent operation.
Beginning in privileged EXEC mode, follow these steps to configure a community string on the switch:
Step 1  configure terminal
    Enter global configuration mode.
Step 2  snmp-server community string [view view-name] [ro | rw] [access-list-number]
    Configure the community string.
    Note: The @ symbol is used for delimiting the context information. Avoid using the @ symbol as part of the SNMP community string when configuring this command.
This example shows how to assign the string comaccess to SNMP, to allow read-only access, and to specify that IP access list 4 can use the community string to gain access to the switch SNMP agent:
Switch(config)# snmp-server community comaccess ro 4
Configuring SNMP Groups and Users
You can specify an identification name (engine ID) for the local or remote SNMP server engine on the switch.
Step 3  snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
    Configure a new SNMP group on the remote device.
    • For groupname, specify the name of the group.
    • Specify a security model:
      – v1 is the least secure of the possible security models.
      – v2c is the second least secure model. It allows transmission of informs and integers twice the normal width.
Step 4  snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]} [priv {des | 3des | aes
    Add a new user for an SNMP group.
    • The username is the name of the user on the host that connects to the agent.
    • The groupname is the name of the group to which the user is associated.
Configuring SNMP Notifications
A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers.
Note: Many commands use the word traps in the command syntax.
Table 32-5 Switch Notification Types (continued) (Notification Type Keyword / Description)
port-security / Generates SNMP port security traps. You can also set a maximum trap rate per second. The range is from 0 to 1000; the default is 0, which means that there is no rate limit.
Step 5  snmp-server host host-addr [informs | traps] [version {1 | 2c | 3 {auth | noauth | priv}}] community-string [notification-type]
    Specify the recipient of an SNMP trap operation.
    • For host-addr, specify the name or Internet address of the host (the targeted recipient).
    • (Optional) Enter informs to send SNMP informs to the host.
    • (Optional) Enter traps (the default) to send SNMP traps to the host.
Step 11  show running-config
    Verify your entries.
    Note: To display SNMPv3 information about auth | noauth | priv mode configuration, you must enter the show snmp user privileged EXEC command.
Step 12  copy running-config startup-config
    (Optional) Save your entries in the configuration file.
The snmp-server host command specifies which hosts receive the notifications.
Setting the Agent Contact and Location Information
Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file:
Step 1  configure terminal
    Enter global configuration mode.
Step 2  snmp-server contact text
    Set the system contact string. For example:
    snmp-server contact Dial System Operator at beeper 21555.
Step 4  end
    Return to privileged EXEC mode.
Step 5  show running-config
    Verify your entries.
Step 6  copy running-config startup-config
    (Optional) Save your entries in the configuration file.
SNMP Examples
This example shows how to enable all versions of SNMP. The configuration permits any SNMP manager to access all objects with read-only permissions using the community string public.
Displaying SNMP Status
To display SNMP input and output statistics, including the number of illegal community string entries, errors, and requested variables, use the show snmp privileged EXEC command. You also can use the other privileged EXEC commands in Table 32-6 to display SNMP information. For information about the fields in the displays, see the Cisco IOS Configuration Fundamentals Command Reference.
Catalyst 3750 Switch Software Configuration Guide 32-20 OL-8550-09
Chapter 33 Configuring Embedded Event Manager
Embedded Event Manager (EEM) is a distributed and customized approach to event detection and recovery within a Cisco IOS device. EEM offers the ability to monitor events and take informational, corrective, or any other EEM action when the monitored events occur or when a threshold is reached. An EEM policy defines an event and the actions to be taken when that event occurs.
Understanding Embedded Event Manager
Figure 33-1 shows the relationship between the EEM server, the core event publishers (event detectors), and the event subscribers (policies). The event publishers screen events and publish them when there is a match on an event specification that is provided by the event subscriber. Event detectors notify the EEM server when an event occurs.
Note: The stack member switch does not generate events and does not support memory threshold notifications or IOSWdSysmon event detectors.
• Application-specific event detector—Allows any EEM policy to publish an event.
• IOS CLI event detector—Generates policies based on the commands entered through the CLI.
– A watchdog timer publishes an event when a timer counts down to zero. The timer automatically resets itself to its initial value and starts to count down again.
– A CRON timer publishes an event by using a UNIX standard CRON specification to define when the event is to be published. A CRON timer never publishes events more than once per minute.
Embedded Event Manager Environment Variables
EEM uses environment variables in EEM policies. These variables are defined in an EEM policy tool command language (TCL) script by running a CLI command and the event manager environment command.
• User-defined variables: Defined by the user for a user-defined policy.
• Cisco-defined variables: Defined by Cisco for a specific sample policy.
Configuring Embedded Event Manager
• Registering and Defining an Embedded Event Manager Applet, page 33-6
• Registering and Defining an Embedded Event Manager TCL Script, page 33-7
For complete information about configuring Embedded Event Manager, see the Cisco IOS Network Management Configuration Guide, Release 12.4T.
Registering and Defining an Embedded Event Manager TCL Script
Beginning in privileged EXEC mode, perform this task to register a TCL script with EEM and to define the TCL script and policy commands.
Step 1  configure terminal
    Enter global configuration mode.
Chapter 34 Configuring Network Security with ACLs
This chapter describes how to configure network security on the Catalyst 3750 switch by using access control lists (ACLs), also referred to as access lists. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. In this chapter, references to IP ACLs are specific to IP Version 4 (IPv4) ACLs. For information about IPv6 ACLs, see Chapter 41, “Configuring IPv6 ACLs.
Understanding ACLs
any applied ACLs to verify that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. One by one, it tests packets against the conditions in an access list. The first match decides whether the switch accepts or rejects the packets. Because the switch stops testing after the first match, the order of conditions in the list is critical.
• When an input router ACL and input port ACL exist in a switch virtual interface (SVI), incoming packets received on ports to which a port ACL is applied are filtered by the port ACL. Incoming routed IP packets received on other ports are filtered by the router ACL. Other packets are not filtered.
Figure 34-1 Using ACLs to Control Traffic to a Network (elements: Host A, Host B, Research & Development network, Human Resources network; the ACL denies traffic from Host B and permits traffic from Host A)
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
As with port ACLs, the switch examines ACLs associated with features configured on a given interface. However, you can apply only inbound port ACLs, while router ACLs are supported in both directions. As packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface are examined.
Some ACEs do not check Layer 4 information and therefore can be applied to all packet fragments. ACEs that do test Layer 4 information cannot be applied in the standard manner to most of the fragments in a fragmented IP packet.
• If packets must be forwarded by software for any reason (for example, not enough hardware resources), the master switch forwards the packets only after applying ACLs on the packets.
• It programs its hardware with the ACL information it processes.
Stack members perform these ACL functions:
• They receive the ACL information from the master switch and program their hardware.
Creating Standard and Extended IPv4 ACLs
This section describes IP ACLs. An ACL is a sequential collection of permit and deny conditions. One by one, the switch tests packets against the conditions in an access list. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of the conditions is critical.
Table 34-1 Access List Numbers (continued) (Access List Number / Type / Supported)
1200–1299 / IPX summary address access list / No
1300–1999 / IP standard access list (expanded range) / Yes
2000–2699 / IP extended access list (expanded range) / Yes
Note: In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs by using the supported numbers.
Creating a Numbered Standard ACL
Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL:
Step 1  configure terminal
    Enter global configuration mode.
Step 2  access-list access-list-number {deny | permit} source [source-wildcard] [log]
    Define a standard IPv4 access list by using a source address and source wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
The switch always rewrites the order of standard access lists so that entries with host matches and entries with matches having a don’t care mask of 0.0.0.0 are moved to the top of the list, above any entries with non-zero don’t care masks. Therefore, in show command output and in the configuration file, the ACEs do not necessarily appear in the order in which they were entered.
Beginning in privileged EXEC mode, follow these steps to create an extended ACL:
Step 1  configure terminal
    Enter global configuration mode.
or
Step 2b  access-list access-list-number {deny | permit} protocol any any [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]
    In access-list configuration mode, define an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.
Step 2d  access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]
    (Optional) Define an extended ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol.
After an ACL is created, any additions (possibly entered from the terminal) are placed at the end of the list. You cannot selectively add or remove access list entries from a numbered access list.
Note: When you are creating an ACL, remember that, by default, the end of the access list contains an implicit deny statement for all packets if it did not find a match before reaching the end.
Beginning in privileged EXEC mode, follow these steps to create a standard ACL using names:
Step 1  configure terminal
    Enter global configuration mode.
Step 2  ip access-list standard name
    Define a standard IPv4 access list using a name, and enter access-list configuration mode. The name can be a number from 1 to 99.
When you are creating standard or extended ACLs, remember that, by default, the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end. For standard ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask. After you create an ACL, any additions are placed at the end of the list.
Beginning in privileged EXEC mode, follow these steps to configure a time-range parameter for an ACL:
Step 1  configure terminal
    Enter global configuration mode.
Step 2  time-range time-range-name
    Assign a meaningful name (for example, workhours) to the time range to be created, and enter time-range configuration mode. The name cannot contain a space or quotation mark and must begin with a letter.
This example uses named ACLs to permit and deny the same traffic.
Applying an IPv4 ACL to a Terminal Line
You can use numbered ACLs to control access to one or more terminal lines. You cannot apply named ACLs to lines. You must set identical restrictions on all the virtual terminal lines because a user can attempt to connect to any of them. For procedures for applying ACLs to interfaces, see the “Applying an IPv4 ACL to an Interface” section on page 34-20.
Note: By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group. These access-group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable message.
Hardware and Software Treatment of IP ACLs
ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to the CPU for software processing. If the hardware reaches its capacity to store ACL configurations, packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is substantially less than for hardware-forwarded traffic.
For example, if you apply this ACL to an interface:
permit tcp source source-wildcard destination destination-wildcard range 5 60
permit tcp source source-wildcard destination destination-wildcard range 15 160
permit tcp source source-wildcard destination destination-wildcard range 115 1660
permit tcp source source-wildcard destination destination-wildcard
And if this message appears:
ACLMGR-2-NOVMR: Cannot generate hardware rep
Figure 34-3 Using Router ACLs to Control Traffic (elements: Server A, Benefits, Server B, Payroll, Port 1, Port 2, Accounting 172.20.128.64-95, Human Resources 172.20.128.0-31)
This example uses a standard ACL to filter traffic coming into Server B from a port, permitting traffic only from Accounting’s source addresses 172.20.128.64 to 172.20.128.95.
Numbered ACLs
In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the switch accepts one address on subnet 48 and rejects all others on that subnet. The last line of the list shows that the switch accepts addresses on all other network 36.0.0.
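As an added illustration that is not part of the guide, this Python model applies the first-match rule, the implicit deny at the end of the list, and the display reordering of host entries described earlier in this section to an access list 2 built from the description above. The permitted host 36.48.0.3 is a constructed address (the guide names only the subnet), and the wildcard-mask matching is implemented here, not taken from the switch.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Ace:
    """One access control entry of a standard IPv4 ACL (source address only)."""
    action: str                 # "permit" or "deny"
    source: str                 # dotted-quad source address
    wildcard: str = "0.0.0.0"   # Cisco "don't care" mask; 0.0.0.0 is a host match

    def matches(self, addr: str) -> bool:
        # A wildcard bit of 1 means "don't care"; bits that are 0 must match exactly.
        a = int(ipaddress.IPv4Address(addr))
        s = int(ipaddress.IPv4Address(self.source))
        w = int(ipaddress.IPv4Address(self.wildcard))
        return (a & ~w) == (s & ~w)


def evaluate(acl: List[Ace], addr: str) -> str:
    """First-match semantics: the first matching ACE decides; no match is the implicit deny."""
    for ace in acl:
        if ace.matches(addr):
            return ace.action
    return "deny"   # implicit deny at the end of every ACL


def parse_standard_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list N {permit|deny} source [wildcard]' lines ('host' and 'any' accepted)."""
    acl = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        action = tokens[2]
        if tokens[3] == "host" and len(tokens) > 4:
            acl.append(Ace(action, tokens[4]))
        elif tokens[3] == "any":
            acl.append(Ace(action, "0.0.0.0", "255.255.255.255"))
        else:
            wildcard = tokens[4] if len(tokens) > 4 else "0.0.0.0"   # omitted mask means host
            acl.append(Ace(action, tokens[3], wildcard))
    return acl


def switch_display_order(acl: List[Ace]) -> List[Ace]:
    """Model of the reorder described in this section: entries with a 0.0.0.0 wildcard move to
    the top; the relative order inside each group is kept."""
    hosts = [a for a in acl if a.wildcard == "0.0.0.0"]
    others = [a for a in acl if a.wildcard != "0.0.0.0"]
    return hosts + others


# Constructed sample ACL following the description in the text; 36.48.0.3 is a made-up host.
ACL2_LINES = [
    "access-list 2 permit 36.48.0.3",
    "access-list 2 deny 36.48.0.0 0.0.255.255",
    "access-list 2 permit 36.0.0.0 0.255.255.255",
]
ACL2 = parse_standard_acl(ACL2_LINES)

# The same three ACEs with the subnet deny entered first: order changes the outcome.
ACL2_WRONG_ORDER = [ACL2[1], ACL2[0], ACL2[2]]

if __name__ == "__main__":
    for addr in ("36.48.0.3", "36.48.7.9", "36.7.0.1", "10.0.0.1"):
        print(f"{addr:12} -> {evaluate(ACL2, addr):6}  "
              f"(misordered list: {evaluate(ACL2_WRONG_ORDER, addr)})")
```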
The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits ICMP traffic, denies UDP traffic from any source to the destination address range 171.69.0.0 through 179.69.255.255 with a destination port less than 1024, denies any other IP traffic, and provides a log of the result.
In this example of a named ACL, the Jones subnet is not allowed access:
Switch(config)# ip access-list standard prevention
Switch(config-std-nacl)# remark Do not allow Jones subnet through
Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.
This is an example of a log for an extended ACL:
01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet
01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets
01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.
Step 3  {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination MAC address mask} [type mask | lsap lsap mask | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp | 0-65535] [cos cos]
    In extended MAC acces
• A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
Beginning in privileged EXEC mode, follow these steps to apply a MAC access list to control access to a Layer 2 interface:
Step 1  configure terminal
    Enter global configuration mode.
To create a VLAN map and apply it to one or more VLANs, perform these steps:
Step 1  Create the standard or extended IPv4 ACLs or named MAC extended ACLs that you want to apply to the VLAN. See the “Creating Standard and Extended IPv4 ACLs” section on page 34-8 and the “Creating a VLAN Map” section on page 34-32.
Step 2  Enter the vlan access-map global configuration command to create a VLAN ACL map entry.
• When a frame is Layer-2 forwarded within a private VLAN, the same VLAN map is applied at the ingress side and at the egress side. When a frame is routed from inside a private VLAN to an external port, the private-VLAN map is applied at the ingress side.
  – For frames going upstream from a host port to a promiscuous port, the VLAN map configured on the secondary VLAN is applied.
Examples of ACLs and VLAN Maps
These examples show how to create ACLs and VLAN maps for specific purposes.
Example 1
This example shows how to create an ACL and a VLAN map to deny a packet. In the first map, any packets that match the ip1 ACL (TCP packets) would be dropped. You first create the ip1 ACL to permit any TCP packet and no other packets.
Example 3
In this example, the VLAN map has a default action of drop for MAC packets and a default action of forward for IP packets. Used with MAC extended access lists good-hosts and good-protocols, the map will have the following results:
• Forward MAC packets from hosts 0000.0c00.0111 and 0000.0c00.
Applying a VLAN Map to a VLAN
Beginning in privileged EXEC mode, follow these steps to apply a VLAN map to one or more VLANs:
Step 1  configure terminal
    Enter global configuration mode.
Step 2  vlan filter mapname vlan-list list
    Apply the VLAN map to one or more VLAN IDs. The list can be a single VLAN ID (22), a consecutive list (10-22), or a string of VLAN IDs (12, 22, 30).
Figure 34-4 Wiring Closet Configuration (elements: Switch A, Switch B, Switch C, Host X 10.1.1.32, Host Y 10.1.1.34, VLAN 1, VLAN 2; VLAN map: Deny HTTP from X to Y; HTTP is dropped at entry point)
If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VLAN map on Switch A to drop all HTTP traffic from Host X (IP address 10.1.1.32) to Host Y (IP address 10.1.1.
Figure 34-5 Deny Access to a Server on Another VLAN (elements: Layer 3 switch, Server (VLAN 10) 10.1.1.100, Subnet 10.1.2.0/8, Host (VLAN 10) 10.1.1.4, Host (VLAN 10) 10.1.1.8, Host (VLAN 20), VLAN map)
This example shows how to deny access to a server on another VLAN by creating the VLAN map SERVER 1 that denies access to hosts in subnet 10.1.2.0/8, host 10.1.1.4, and host 10.1.1.8 and permits other IP traffic.
Note: When you use router ACLs with VLAN maps, packets that require logging on the router ACLs are not logged if they are denied by a VLAN map.
If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not match the type, the default is to drop the packet. If there is no match clause in the VLAN map, and no action specified, the packet is forwarded if it does not match any VLAN map entry.
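The following Python is an added model (not code from the guide) of the VLAN map defaults just described: an entry with no match clause matches every packet, a match clause matches only when its ACL permits a packet of its type (IP or MAC), and a packet that matches no entry is dropped only if the map has a match clause for its type. It reproduces Example 1 and Example 3 from earlier in this section; the second good-hosts address, the protocol names in good-protocols, and the packet field names are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    kind: str                                  # "ip" or "mac" (non-IP frame)
    fields: Dict[str, str] = field(default_factory=dict)   # constructed header fields


# An ACL referenced by a match clause: ordered (action, predicate) entries, first match wins,
# implicit deny at the end. Only a permit result means "this match clause matched".
AclEntry = Tuple[str, Callable[[Packet], bool]]


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    for action, pred in acl:
        if pred(pkt):
            return action == "permit"
    return False


@dataclass
class MapEntry:
    seq: int
    match_type: Optional[str] = None          # "ip", "mac", or None for no match clause
    acl: Optional[List[AclEntry]] = None
    action: str = "forward"                   # forward is the action when none is specified


def vlan_map_decision(entries: List[MapEntry], pkt: Packet) -> str:
    """Return 'forward' or 'drop' for pkt under the VLAN map rules described in the text."""
    for e in sorted(entries, key=lambda m: m.seq):
        if e.match_type is None:              # no match clause: matches every packet
            return e.action
        if e.match_type == pkt.kind and acl_permits(e.acl, pkt):
            return e.action
    # No entry matched. With a match clause for this packet type the default is drop;
    # with no clause for the type the packet is forwarded.
    has_clause_for_type = any(e.match_type == pkt.kind for e in entries)
    return "drop" if has_clause_for_type else "forward"


# Example 1 (built from its description): ip1 permits TCP only; the map drops what ip1 permits
# and forwards everything else through an entry with no match clause.
IP1 = [("permit", lambda p: p.fields.get("proto") == "tcp")]
MAP1 = [MapEntry(10, "ip", IP1, "drop"), MapEntry(20)]

# Example 3: MAC ACLs good-hosts and good-protocols with forward actions and no IP clause,
# so MAC frames default to drop and IP packets default to forward.
# 0000.0c00.0111 is from the guide; the second address and the protocol names are constructed.
GOOD_HOSTS = [("permit", lambda p: p.fields.get("src_mac") in {"0000.0c00.0111", "0000.0c00.0211"})]
GOOD_PROTOCOLS = [("permit", lambda p: p.fields.get("ethertype") in {"decnet-iv", "vines-ip"})]
MAP3 = [MapEntry(10, "mac", GOOD_HOSTS), MapEntry(20, "mac", GOOD_PROTOCOLS)]

if __name__ == "__main__":
    samples = [
        ("MAP1", MAP1, Packet("ip", {"proto": "tcp"})),
        ("MAP1", MAP1, Packet("ip", {"proto": "udp"})),
        ("MAP3", MAP3, Packet("mac", {"src_mac": "0000.0c00.0111"})),
        ("MAP3", MAP3, Packet("mac", {"src_mac": "0000.0c00.0999", "ethertype": "ipx"})),
        ("MAP3", MAP3, Packet("ip", {"proto": "udp"})),
    ]
    for name, vmap, pkt in samples:
        print(f"{name} {pkt.kind:3} {pkt.fields} -> {vlan_map_decision(vmap, pkt)}")
```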
Examples of Router ACLs and VLAN Maps Applied to VLANs
This section gives examples of applying router ACLs and VLAN maps to a VLAN for switched, bridged, routed, and multicast packets. Although the following illustrations show packets being forwarded to their destination, each time the packet’s path crosses a line indicating a VLAN map or an ACL, it is also possible that the packet might be dropped, rather than forwarded.
Figure 34-7 Applying ACLs on Bridged Packets (elements: Host A (VLAN 10), Host B (VLAN 20), VLAN 10 map, VLAN 20 map, fallback bridge)
ACLs and Routed Packets
Figure 34-8 shows how ACLs are applied on routed packets. For routed packets, the ACLs are applied in this order:
1. VLAN map for input VLAN
2. Input router ACL
3. Output router ACL
4.
ACLs and Multicast Packets
Figure 34-9 shows how ACLs are applied on packets that are replicated for IP multicasting. A multicast packet being routed has two different kinds of filters applied: one for destinations that are other ports in the input VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed.
Displaying IPv4 ACL Configuration
You can display the ACLs that are configured on the switch, and you can display the ACLs that have been applied to interfaces and VLANs. When you use the ip access-group interface configuration command to apply ACLs to a Layer 2 or 3 interface, you can display the access groups on the interface. You can also display the MAC ACLs applied to a Layer 2 interface.
Chapter 35 Configuring QoS
This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the Catalyst 3750 switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Understanding QoS
Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
Figure 35-1 QoS Classification Layers in Frames and Packets (encapsulated packet: Layer 2 header, IP header, data; Layer 2 ISL frame: ISL header (26 bytes), encapsulated frame (24.5 KB), FCS (4 bytes), 3 bits used for CoS; Layer 2 802.1Q and 802.
Basic QoS Model
To implement QoS, the switch must distinguish packets or flow from one another (classify), assign a label to indicate the given quality of service as the packets move through the switch, make the packets comply with the configured resource usage limits (police and mark), and provide different treatment (queue and schedule) in all situations where resource contention exists.
Actions at the egress port include queueing and scheduling (Figure 35-2):
• Queueing evaluates the QoS packet label and the corresponding DSCP or CoS value before selecting which of the four egress queues to use. Because congestion can occur when multiple ingress ports simultaneously send data to an egress port, WTD differentiates traffic classes and subjects the packets to different thresholds based on the QoS label.
You specify which fields in the frame or packet that you want to use to classify incoming traffic. For non-IP traffic, you have these classification options as shown in Figure 35-3:
• Trust the CoS value in the incoming frame (configure the port to trust CoS). Then use the configurable CoS-to-DSCP map to generate a DSCP value for the packet. Layer 2 ISL frame headers carry the CoS value in the 3 least-significant bits of the 1-byte User field.
Figure 35-3 Classification Flowchart (flowchart nodes: Start; Read ingress interface configuration for classification; Trust CoS (IP and non-IP traffic); Trust DSCP (IP traffic); Trust IP precedence (IP traffic); Trust DSCP or IP precedence (non-IP traffic); Assign DSCP identical to DSCP in packet; (Optional) Modify the DSCP by using the DSCP-to-DSCP-mutation map; Check if packet came with CoS label (tag)).
Classification Based on QoS ACLs
You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs: • If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.
You create and name a policy map by using the policy-map global configuration command. When you enter this command, the switch enters the policy-map configuration mode. In this mode, you specify the actions to take on a specific traffic class by using the class, trust, or set policy-map configuration and policy-map class configuration commands.
Note The 10-Gigabit Ethernet interfaces do not support policing. Policing on Physical Ports In policy maps on physical ports, you can create these types of policers: • Individual—QoS applies the bandwidth limits specified in the policer separately to each matched traffic class. You configure this type of policer within a policy map by using the police policy-map class configuration command.
Figure 35-4 Policing and Marking Flowchart on Physical Ports (flowchart: get the classification result for the packet; if no policer is configured for this packet, pass it through; otherwise check whether the packet is in profile by querying the policer; an in-profile packet passes through; for an out-of-profile packet, check the out-of-profile action configured for this policer: either drop the packet, or mark it by modifying the DSCP according to the policed-DSCP map and generating a new QoS label; done).
When configuring policing on an SVI, you can create and configure a hierarchical policy map with these two levels: • VLAN level—Create this primary level by configuring class maps and classes that specify the port trust state or set a new DSCP or IP precedence value in the packet. The VLAN-level policy map applies only to the VLAN in an SVI and does not support policers.
Mapping Tables
During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS label based on the DSCP or CoS value from the classification stage: • During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or CoS value from a received CoS, DSCP, or IP precedence value. These maps include the CoS-to-DSCP map and the IP-precedence-to-DSCP map.
Queueing and Scheduling Overview
The switch has queues at specific points to help prevent congestion as shown in Figure 35-6.
Figure 35-7 WTD and Queue Operation (figure: a queue holding 1000 frames with three WTD thresholds: CoS 0-3 at 40 percent (400 frames), CoS 4-5 at 60 percent (600 frames), and CoS 6-7 at 100 percent (1000 frames)). For more information, see the “Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds” section on page 35-73, the “Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set” section on page 35-78, and the “Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID” section on page 35-80.
Queueing and Scheduling on Ingress Queues
Figure 35-8 shows the queueing and scheduling flowchart for ingress ports. Figure 35-8 Queueing and Scheduling Flowchart for Ingress Ports (flowchart: start; read the QoS label (DSCP or CoS value); determine the ingress queue number, buffer allocation, and WTD thresholds; if the thresholds are being exceeded, drop the packet; otherwise queue the packet, service the queue according to the SRR weights, and send the packet to the stack ring). Note
You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
Figure 35-9 Queueing and Scheduling Flowchart for Egress Ports (flowchart: start; receive the packet from the stack ring; read the QoS label (DSCP or CoS value); determine the egress queue number and threshold based on the label; if the thresholds are being exceeded, drop the packet; otherwise queue the packet, service the queue according to the SRR weights, rewrite the DSCP and/or CoS value as appropriate, and send the packet out the port; done).
buffers) or not empty (free buffers). If the queue is not over-limit, the switch can allocate buffer space from the reserved pool or from the common pool (if it is not empty). If there are no free buffers in the common pool or if the queue is over-limit, the switch drops the frame.
modify it. You map a port to a queue-set by using the queue-set qset-id interface configuration command. Modify the queue-set configuration to change the WTD threshold percentages. For more information about how WTD works, see the “Weighted Tail Drop” section on page 35-14. Shaped or Shared Mode SRR services each queue-set in shared or shaped mode.
Chapter 35 Configuring QoS Configuring Auto-QoS rewritten according to the DSCP-to-CoS map. If you configure the port to trust the CoS of the incoming frame and it is an IP packet, the CoS value in the frame is not changed, but the DSCP might be changed according to the CoS-to-DSCP map. The input mutation causes the DSCP to be rewritten depending on the new value of DSCP chosen. The set action in a policy map also causes the DSCP to be rewritten.
Generated Auto-QoS Configuration
By default, auto-QoS is disabled on all ports. Packets are not modified: the CoS, DSCP, and IP precedence values in the packet are not changed. When you enable the auto-QoS feature on the first port of the interface: • Ingress packet label is used to categorize traffic, to assign packet labels, and to configure the ingress and egress queues.
Table 35-3 Auto-QoS Configuration for the Ingress Queues
Ingress Queue | Queue Number | CoS-to-Queue Map | Queue Weight (Bandwidth) | Queue (Buffer) Size
SRR shared | 1 | 0, 1, 2, 3, 6, 7 | 70 percent | 90 percent
Priority | 2 | 4, 5 | 30 percent | 10 percent
Table 35-4 Auto-QoS Configuration for the Egress Queues
Egress Queue | Queue Number | CoS-to-Queue Map | Queue Weight (Bandwidth) | Queue (Buffer) Size for Gigabit-Capable Ports | Queue (Buffer) Size for 10/100 Ethernet Ports
• When QoS is enabled on the switch, these guidelines take effect: – If you configure the interface for conditional trust on a voice device, only the legacy auto-QoS VoIP configuration is generated. – If you configure the interface for conditional trust on a video device, the enhanced auto-QoS configuration is generated.
Table 35-5 Generated Auto-QoS Configuration (continued) (columns: Description; Automatically Generated Command {voip}; Enhanced Automatically Generated Command {Video | Trust | Classify}) Description: The switch automatically maps CoS values to an egress queue and to a threshold ID.
Table 35-5 Generated Auto-QoS Configuration (continued) (columns: Description; Automatically Generated Command {voip}) Description: The switch automatically maps DSCP values to an egress queue and to a threshold ID.
Table 35-5 Generated Auto-QoS Configuration (continued) (columns: Description; Automatically Generated Command {voip}) Description: The switch automatically sets up the ingress queues, with queue 2 as the priority queue and queue 1 in shared mode. The switch also configures the bandwidth and buffer size for the ingress queues.
Switch(config-pmap)# class AutoQoS-VoIP-Control-Trust
Switch(config-pmap-c)# set dscp cs3
Switch(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit
After creating the class maps and policy maps, the switch automatically applies the policy map called AutoQoS-Police-SoftPhone to an ingress interface on which auto-QoS with the Cisco SoftPhone feature is enabled.
If you entered the auto qos classify command, the switch automatically creates class maps and policy maps.
Switch(config-pmap-c)# set dscp cs3
Switch(config-pmap-c)# police 32000 8000 exceed-action drop
Switch(config-pmap)# class AUTOQOS_DEFAULT_CLASS
Switch(config-pmap-c)# set dscp default
Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
Switch(config-if)# service-policy input AUTOQOS-SRND4-CLASSIFY-POLICE-POLICY
This is the enhanced configuration for the auto qos voip cisco-phone command:
Switch(config)# mls qos map policed-ds
Switch(config-pmap-c)# set dscp af11
Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap)# class AUTOQOS_TRANSACTION_CLASS
Switch(config-pmap-c)# set dscp af21
Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap)# class AUTOQOS_SCAVANGER_CLASS
Switch(config-pmap-c)# set dscp cs1
Switch(config-pmap-c)# police 10000000 8000 exceed-action drop
Switch(config-pmap)# clas
• To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS commands. If necessary, you can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed. For more information, see the Effects of Auto-QoS on the Configuration, page 35-31. • After auto-QoS is enabled, do not modify a policy map or aggregate policer that includes AutoQoS in its name.
Enabling Auto-QoS
For optimum QoS performance, enable auto-QoS on all the devices in your network. Beginning in privileged EXEC mode, follow these steps to enable auto-QoS on devices within a QoS domain: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 35 Configuring QoS Displaying Auto-QoS Information Command Purpose Step 7 end Return to privileged EXEC mode. Step 8 show auto qos interface interface-id Verify your entries. This command displays the auto-QoS command on the interface on which auto-QoS was enabled. You can use the show running-config privileged EXEC command to display the auto-QoS configuration and the user modifications.
Chapter 35 Configuring QoS Configuring Standard QoS Configuring Standard QoS Before configuring standard QoS, you must have a thorough understanding of these items: • The types of applications used and the traffic patterns on your network. • Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve bandwidth for voice and video streams? • Bandwidth requirements and speed of the network. • Location of congestion points in the network.
Table 35-6 Default Ingress Queue Configuration (continued)
Feature | Queue 1 | Queue 2
WTD drop threshold 1 | 100 percent | 100 percent
WTD drop threshold 2 | 100 percent | 100 percent
1. The bandwidth is equally shared between the queues. SRR sends packets in shared mode only.
2. Queue 2 is the priority queue. SRR services the priority queue for its configured share before servicing the other queue.
Table 35-10 shows the default CoS output queue threshold map when QoS is enabled.
Table 35-10 Default CoS Output Queue Threshold Map
CoS Value | Queue ID–Threshold ID
0, 1 | 2–1
2, 3 | 3–1
4 | 4–1
5 | 1–1
6, 7 | 4–1
Table 35-11 shows the default DSCP output queue threshold map when QoS is enabled.
QoS ACL Guidelines • It is not possible to match IP fragments against configured IP extended ACLs to enforce QoS. IP fragments are sent as best-effort. IP fragments are denoted by fields in the IP header. • Only one ACL per class map and only one match class-map configuration command per class map are supported. The ACL can have multiple ACEs, which match fields against the contents of the packet.
Policing Guidelines • The port ASIC device, which controls more than one physical port, supports 256 policers (255 user-configurable policers plus 1 policer reserved for system internal use). The maximum number of user-configurable policers supported per port is 63.
Enabling QoS Globally
By default, QoS is disabled on the switch. Beginning in privileged EXEC mode, follow these steps to enable QoS. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos Enable QoS globally.
Configuring Classification Using Port Trust States
These sections describe how to classify incoming traffic by using port trust states.
Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be trusted, and enter interface configuration mode. Valid interfaces include physical ports. Step 3 mls qos trust [cos | dscp | ip-precedence] Configure the port trust state.
Configuring the CoS Value for an Interface
QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports. Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port: Command Purpose Step 1 configure terminal Enter global configuration mode.
the telephone is connected to trust the CoS labels of all traffic received on that port. Use the mls qos trust dscp interface configuration command to configure a routed port to which the telephone is connected to trust the DSCP labels of all traffic received on that port.
Enabling DSCP Transparency Mode
The switch supports the DSCP transparency feature. It affects only the DSCP field of a packet at egress. By default, DSCP transparency is disabled. The switch modifies the DSCP field in an incoming packet, and the DSCP field in the outgoing packet is based on the quality of service (QoS) configuration, including the port trust setting, policing and marking, and the DSCP-to-DSCP mutation map.
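The following is an added example, not code from the Cisco guide, that models the ingress classification stage the port trust procedures above describe: the internal DSCP that results for each trust state (mls qos trust cos, dscp, or ip-precedence, or the default untrusted state), how mls qos cos supplies a CoS for untagged frames, and what the outgoing DSCP is with DSCP transparency (no mls qos rewrite ip dscp) enabled or disabled. The default maps are the ones installed when mls qos is enabled; the packets and port settings are constructed, and the treatment of a nondefault port CoS on an untrusted port is an assumption of the model.

```python
# Added example (not from the Cisco guide): ingress classification by port trust
# state and the egress rewrite, with and without DSCP transparency.
from dataclasses import dataclass
from typing import Optional, Tuple

# Default CoS-to-DSCP and IP-precedence-to-DSCP maps once mls qos is enabled
# (CoS or IP precedence 0..7 -> DSCP 0, 8, 16, ..., 56).
COS_TO_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]
IPPREC_TO_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]


def dscp_to_cos(dscp: int) -> int:
    """Default DSCP-to-CoS map: DSCP 0-7 -> CoS 0, 8-15 -> CoS 1, ..., 56-63 -> CoS 7."""
    return dscp >> 3


@dataclass
class Packet:
    is_ip: bool
    cos: Optional[int] = None   # CoS from an 802.1Q or ISL tag; None if untagged
    dscp: int = 0               # 6-bit DSCP from the IP header (IP packets only)

    @property
    def ip_precedence(self) -> int:
        # IP precedence is the top three bits of the ToS byte, i.e. of the DSCP.
        return self.dscp >> 3


def classify(pkt: Packet, trust: Optional[str], default_cos: int = 0) -> int:
    """Return the internal DSCP (the QoS label) assigned at ingress.

    trust is None (untrusted, the default), 'cos', 'dscp' or 'ip-precedence';
    default_cos is the value set with mls qos cos on the port.
    """
    # Untagged frames take the port default CoS on trusted and untrusted ports.
    frame_cos = pkt.cos if pkt.cos is not None else default_cos
    if trust == "cos":
        return COS_TO_DSCP[frame_cos]
    if trust == "dscp" and pkt.is_ip:
        return pkt.dscp                       # DSCP passes through unchanged
    if trust == "ip-precedence" and pkt.is_ip:
        return IPPREC_TO_DSCP[pkt.ip_precedence]
    if trust in ("dscp", "ip-precedence"):
        # Non-IP traffic on a DSCP- or IP-precedence-trusted port uses the
        # frame CoS (the flowchart's "trust DSCP or IP precedence (non-IP)" leg).
        return COS_TO_DSCP[frame_cos]
    # Untrusted: whatever the sender wrote in the packet is ignored and the
    # packet is classified with DSCP 0. Assumption of this model: a nondefault
    # mls qos cos on an untrusted port is not mapped through CoS-to-DSCP here.
    return 0


def egress_markings(pkt: Packet, internal_dscp: int,
                    dscp_transparent: bool = False) -> Tuple[Optional[int], int]:
    """(DSCP, CoS) written on the outgoing packet.

    With DSCP transparency the DSCP field is left as it arrived, although
    queueing still used internal_dscp; the CoS is always rewritten from the
    internal DSCP. Non-IP frames carry no DSCP, so None is returned for it.
    """
    if not pkt.is_ip:
        return None, dscp_to_cos(internal_dscp)
    out_dscp = pkt.dscp if dscp_transparent else internal_dscp
    return out_dscp, dscp_to_cos(internal_dscp)


def untrusted_host_sets_ef(dscp_transparent: bool) -> Tuple[int, Optional[int]]:
    """A host on an untrusted access port marks its traffic EF (DSCP 46, CoS 5).
    Returns (internal DSCP used for queueing, DSCP seen by the next hop)."""
    pkt = Packet(is_ip=True, cos=5, dscp=46)
    internal = classify(pkt, trust=None)
    out_dscp, _ = egress_markings(pkt, internal, dscp_transparent)
    return internal, out_dscp
```

The last function is the practitioner's caveat: on an untrusted port the switch itself queues the host's EF-marked traffic as best effort, but with DSCP transparency enabled the EF marking is still forwarded on the wire, so a downstream device that trusts DSCP will honour a mark this switch never validated.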
Figure 35-12 DSCP-Trusted State on a Port Bordering Another QoS Domain (figure: IP traffic flows from QoS Domain 1 into QoS Domain 2; on the border port, set the interface to the DSCP-trusted state and configure the DSCP-to-DSCP-mutation map). Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map.
To return a port to its non-trusted state, use the no mls qos trust interface configuration command. To return to the default DSCP-to-DSCP-mutation map values, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command.
Classifying Traffic by Using ACLs
You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs. Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard Create an IP extended ACL, repeating the command as many times as necessary. • For access-list-number, enter the access list number.
Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac access-list extended name Create a Layer 2 MAC ACL by specifying the name of the list. After entering this command, the mode changes to extended MAC ACL configuration.
Classifying Traffic by Using Class Maps
You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further classify it. Match statements can include criteria such as an ACL, IP precedence values, or DSCP values.
Step 4 match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list} Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported. • For access-group acl-index-or-name, specify the number or name of the ACL created in Step 2.
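The following is an added example, not code from the Cisco guide, showing how a QoS ACL referenced from a class map is evaluated under the rules given in “Classification Based on QoS ACLs” and the QoS ACL guidelines above: ACEs are checked first-match using IOS wildcard masks; a permit means “apply this class’s action”; a deny (explicit, or the implicit deny at the end of the ACL) means “this class does not apply, try the next class”; traffic that matches no class is handled as class-default; and IP fragments, which an extended ACL cannot match, go best-effort. The policy, ACLs, subnet and packets are constructed.

```python
# Added example (not from the Cisco guide): QoS ACL semantics in a policy map.
import ipaddress
from typing import Dict, List, Optional, Tuple

# ACE: (action, protocol, src_addr, src_wildcard, dst_addr, dst_wildcard, dst_port)
ACE = Tuple[str, str, str, str, str, str, Optional[int]]


def wildcard_match(addr: str, ace_addr: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is
    ignored. Works for non-contiguous wildcards too, unlike a CIDR conversion."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, ace_addr, wildcard))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0


def ace_matches(ace: ACE, pkt: Dict) -> bool:
    action, proto, src, src_wc, dst, dst_wc, dport = ace
    return ((proto == "ip" or proto == pkt["proto"])
            and wildcard_match(pkt["src"], src, src_wc)
            and wildcard_match(pkt["dst"], dst, dst_wc)
            and (dport is None or dport == pkt.get("dport")))


def qos_acl_result(acl: List[ACE], pkt: Dict) -> str:
    """'permit' or 'deny' from the first matching ACE; the implicit deny at the
    end of every ACL also yields 'deny'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"


def classify_with_policy(policy: List[Tuple[str, List[ACE], int]],
                         pkt: Dict) -> Tuple[str, int]:
    """policy: ordered (class_name, acl, set_dscp) triples, one per policy-map
    class. Returns (class chosen, DSCP set). A deny never drops the packet."""
    if pkt.get("fragment"):
        return "class-default", 0      # fragments bypass extended-ACL matching
    for name, acl, dscp in policy:
        if qos_acl_result(acl, pkt) == "permit":
            return name, dscp
    return "class-default", 0


# Constructed policy: SIP signalling from the phone subnet is set to CS3 (24);
# anything else from that subnet is explicitly denied in the bulk class, so it
# falls to class-default rather than receiving AF11 (10).
PHONE_SUBNET = ("10.1.1.0", "0.0.0.255")
ANY = ("0.0.0.0", "255.255.255.255")
POLICY = [
    ("voice-signal", [("permit", "tcp", *PHONE_SUBNET, *ANY, 5060)], 24),
    ("bulk", [("deny", "ip", *PHONE_SUBNET, *ANY, None),
              ("permit", "ip", *ANY, *ANY, None)], 10),
]


def demo() -> Dict[str, Tuple[str, int]]:
    """Classify four constructed packets against POLICY."""
    packets = {
        "phone_sip": {"proto": "tcp", "src": "10.1.1.5", "dst": "192.0.2.9", "dport": 5060},
        "phone_other": {"proto": "udp", "src": "10.1.1.5", "dst": "192.0.2.9", "dport": 53},
        "server": {"proto": "tcp", "src": "10.2.0.3", "dst": "192.0.2.9", "dport": 443},
        "phone_sip_frag": {"proto": "tcp", "src": "10.1.1.5", "dst": "192.0.2.9", "fragment": True},
    }
    return {name: classify_with_policy(POLICY, pkt) for name, pkt in packets.items()}
```

Note the two results that differ from security-ACL intuition: the denied UDP packet from the phone subnet is still forwarded (as class-default), and a fragmented SIP packet never reaches the voice-signal class, so a sender can move its traffic out of a classified class, though not into a better one, by fragmenting.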
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps
You can configure a nonhierarchical policy map on a physical port that specifies which traffic class to act on.
Beginning in privileged EXEC mode, follow these steps to create a nonhierarchical policy map: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 class-map [match-all | match-any] class-map-name Create a class map, and enter class-map configuration mode. By default, no class maps are defined. • (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map.
Step 5 trust [cos | dscp | ip-precedence] Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label. Note This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, go to Step 6. By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
Step 8 exit Return to policy map configuration mode. Step 9 exit Return to global configuration mode. Step 10 interface interface-id Specify the port to attach to the policy map, and enter interface configuration mode. Valid interfaces include physical ports. Step 11 service-policy input policy-map-name Specify the policy-map name, and apply it to an ingress port. Only one policy map per ingress port is supported.
Switch(config-ext-mac)# exit
Switch(config)# class-map macclass1
Switch(config-cmap)# match access-group maclist1
Switch(config-cmap)# exit
Switch(config)# policy-map macpolicy1
Switch(config-pmap)# class macclass1
Switch(config-pmap-c)# set dscp 63
Switch(config-pmap-c)# exit
Switch(config-pmap)# class macclass2 maclist2
Switch(config-pmap-c)# set dscp 45
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet1/0/
• A policy map can contain multiple class statements, each with different match criteria and actions. • A separate policy-map class can exist for each type of traffic received on the SVI. • In a switch stack, you cannot use the match input-interface class-map configuration command to specify interfaces across stack members in a policy-map class. • A policy-map and a port trust state can both run on a physical interface.
• When you configure a default traffic class by using the class class-default policy-map configuration command, unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes) is treated as the default traffic class (class-default). Beginning in privileged EXEC mode, follow these steps to create a hierarchical policy map: Command Purpose Step 1 configure terminal Enter global configuration mode.
Step 6 class-map [match-all | match-any] class-map-name Create an interface-level class map, and enter class-map configuration mode. By default, no class maps are defined. • (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map. All match criteria in the class map must be matched.
Step 12 police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}] Define an individual policer for the classified traffic. By default, no policer is defined. For information on the number of policers supported, see the “Standard QoS Configuration Guidelines” section on page 35-37. For rate-bps, specify average traffic rate in bits per second (b/s). The range is 8000 to 10000000000.
Step 17 trust [cos | dscp | ip-precedence] Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label. Note This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, omit Step 18. By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
Step 23 service-policy input policy-map-name Specify the VLAN-level policy-map name, and apply it to the SVI. Repeat the previous step and this command to apply the policy map to other SVIs. If the hierarchical VLAN-level policy map has more than one interface-level policy map, all class maps must be configured to the same VLAN-level policy map specified in the service-policy policy-map-name command.
Switch(config-pmap-c)# set dscp 7
Switch(config-pmap-c)# service-policy port-plcmap-1
Switch(config-pmap-c)# exit
Switch(config-pmap)# class cm-2
Switch(config-pmap-c)# service-policy port-plcmap-1
Switch(config-pmap-c)# set dscp 10
Switch(config-pmap-c)# exit
Switch(config-pmap)# class cm-3
Switch(config-pmap-c)# service-policy port-plcmap-2
Switch(config-pmap-c)# set dscp 20
Switch(config-pmap-c)# exit
Switch(config-pmap)# class cm-4
Switch(config-pmap-c)
You can configure aggregate policers only in nonhierarchical policy maps on physical ports. Note The 10-Gigabit interfaces do not support policing by using an aggregate policer. Beginning in privileged EXEC mode, follow these steps to create an aggregate policer: Command Purpose Step 1 configure terminal Enter global configuration mode.
Step 8 interface interface-id Specify the port to attach to the policy map, and enter interface configuration mode. Valid interfaces include physical ports. Step 9 service-policy input policy-map-name Specify the policy-map name, and apply it to an ingress port. Only one policy map per ingress port is supported. Step 10 end Return to privileged EXEC mode.
Configuring DSCP Maps
These sections contain this configuration information: • Configuring the CoS-to-DSCP Map, page 35-67 (optional) • Configuring the IP-Precedence-to-DSCP Map, page 35-68 (optional) • Configuring the Policed-DSCP Map, page 35-69 (optional, unless the null settings in the map are not appropriate) • Configuring the DSCP-to-CoS Map, page 35-70 (optional) • Configuring the DSCP-to-DSCP-Mutation Map, page 35-71 (optional, unless th
Beginning in privileged EXEC mode, follow these steps to modify the CoS-to-DSCP map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map cos-dscp dscp1...dscp8 Modify the CoS-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to CoS values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63. Step 3 end Return to privileged EXEC mode.
Beginning in privileged EXEC mode, follow these steps to modify the IP-precedence-to-DSCP map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map ip-prec-dscp dscp1...dscp8 Modify the IP-precedence-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to the IP precedence values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63.
To return to the default map, use the no mls qos map policed-dscp global configuration command.
Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-CoS map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map dscp-cos dscp-list to cos Modify the DSCP-to-CoS map. • For dscp-list, enter up to eight DSCP values separated by spaces. Then enter the to keyword. • For cos, enter the CoS value to which the DSCP values correspond.
Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-DSCP-mutation map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp Modify the DSCP-to-DSCP-mutation map. • For dscp-mutation-name, enter the mutation map name. You can create more than one map by specifying a new name.
Note In the above DSCP-to-DSCP-mutation map, the mutated values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the original DSCP. The intersection of the d1 and d2 values provides the mutated value. For example, a DSCP value of 12 corresponds to a mutated value of 10.
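The following is an added example, not code from the Cisco guide, that builds a DSCP-to-DSCP-mutation map the way mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp builds one (DSCP values not listed map to themselves) and renders it as the d1/d2 matrix described in the note above, where d1 is the most-significant decimal digit of the original DSCP and d2 the least-significant one. The map contents are constructed for the border-port scenario of Figure 35-12, a DSCP-trusted port facing another QoS domain; they are not the guide's map, but they reproduce its example of DSCP 12 mutating to 10.

```python
# Added example (not from the Cisco guide): a DSCP-to-DSCP-mutation map and the
# d1/d2 matrix view of it.
from typing import Dict, Iterable, List, Sequence, Tuple


def build_mutation_map(entries: Iterable[Tuple[Sequence[int], int]]) -> Dict[int, int]:
    """Each entry mirrors one command: (in_dscps, out_dscp), up to eight in-values."""
    mutation = {d: d for d in range(64)}            # the default map is the identity
    for in_dscps, out_dscp in entries:
        assert 1 <= len(in_dscps) <= 8 and 0 <= out_dscp <= 63
        for d in in_dscps:
            assert 0 <= d <= 63
            mutation[d] = out_dscp
    return mutation


def matrix_rows(mutation: Dict[int, int]) -> List[List[int]]:
    """Row d1 (0..6) holds the mutated values for DSCP d1*10 + d2, d2 = 0..9;
    the last row stops at DSCP 63."""
    return [[mutation[d1 * 10 + d2] for d2 in range(10) if d1 * 10 + d2 < 64]
            for d1 in range(7)]


def lookup_matrix(rows: List[List[int]], dscp: int) -> int:
    """Read the matrix as the note describes: intersect row d1 with column d2."""
    d1, d2 = divmod(dscp, 10)
    return rows[d1][d2]


# Constructed border map. Values from the peer domain that would claim voice
# (EF, 46) or network-control (CS6 48, CS7 56) treatment on this switch are
# collapsed to 0; 10-13 are folded onto AF11 (10), which is why 12 comes out as 10.
BORDER_MAP = build_mutation_map([
    ((10, 11, 12, 13), 10),
    ((46, 48, 56), 0),
])


def mutate(dscp: int, mutation: Dict[int, int] = BORDER_MAP) -> int:
    """The DSCP a packet carries after ingress on a port that applies this map."""
    return mutation[dscp]


def render(rows: List[List[int]]) -> str:
    """Text form of the matrix, one line per d1, in the style of show mls qos maps."""
    header = "d1 : d2 " + " ".join(f"{d2:2d}" for d2 in range(10))
    body = [f" {d1} :    " + " ".join(f"{v:2d}" for v in row)
            for d1, row in enumerate(rows)]
    return "\n".join([header] + body)
```

Trusting DSCP on a border port means accepting whatever the neighbouring domain marks; the mutation map is the place to neutralise marks that would otherwise land foreign traffic in your priority or control queues, and show mls qos maps dscp-mutation is how you confirm the installed map matches the intent.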
Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and to set WTD thresholds. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue input dscp-map Map DSCP or CoS values to an ingress queue and to a threshold ID.
This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent.
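The following is an added example, not code from the Cisco guide, that models weighted tail drop on an ingress queue as driven by the mapping commands above. Each queue has two configurable drop thresholds (percentages of its buffer) and a third fixed at 100 percent; each DSCP (or CoS) value is mapped to a queue and a threshold ID, and a packet is dropped when the queue already holds its threshold's worth of packets. The queue size, the DSCP 24 mapping and the traffic are constructed; the 50 percent threshold on DSCP 0 to 6 follows the example above, and the starting map is the default installed when QoS is enabled (DSCP 40 to 47 to queue 2, everything else to queue 1, all at threshold 1).

```python
# Added example (not from the Cisco guide): WTD on an ingress queue during a
# congestion burst, with DSCP-to-queue/threshold mapping.
from typing import Dict, List, Tuple


def dscp_input_map(entries) -> Dict[int, Tuple[int, int]]:
    """entries mirror 'mls qos srr-queue input dscp-map queue Q threshold T d1 ... d8'
    as (queue, threshold, dscps). Starts from the defaults when QoS is enabled."""
    m = {d: ((2, 1) if 40 <= d <= 47 else (1, 1)) for d in range(64)}
    for queue, threshold, dscps in entries:
        assert queue in (1, 2) and threshold in (1, 2, 3) and 1 <= len(dscps) <= 8
        for d in dscps:
            m[d] = (queue, threshold)
    return m


class WtdQueue:
    """One ingress queue with WTD. capacity is the number of packets its buffer
    holds; threshold1_pct and threshold2_pct mirror the configurable thresholds."""

    def __init__(self, capacity: int, threshold1_pct: int, threshold2_pct: int):
        assert 1 <= threshold1_pct <= 100 and 1 <= threshold2_pct <= 100
        self.limits = {1: capacity * threshold1_pct // 100,
                       2: capacity * threshold2_pct // 100,
                       3: capacity}                       # threshold 3: queue full
        self.queued: List[int] = []                        # DSCPs currently queued
        self.dropped: Dict[int, int] = {}                  # drops per threshold ID

    def offer(self, dscp: int, threshold_id: int) -> bool:
        """Enqueue unless the queue already holds this threshold's limit."""
        if len(self.queued) >= self.limits[threshold_id]:
            self.dropped[threshold_id] = self.dropped.get(threshold_id, 0) + 1
            return False
        self.queued.append(dscp)
        return True


def run_burst(capacity: int = 1000) -> Tuple[int, int, int]:
    """Offer 1000 packets alternating DSCP 0 (threshold 1, 50 percent) and
    DSCP 24 (threshold 2, 100 percent) to queue 1 while nothing is dequeued.
    Returns (queued, dropped at threshold 1, dropped at threshold 2)."""
    qmap = dscp_input_map([(1, 1, range(0, 7)), (1, 2, [24])])
    queues = {1: WtdQueue(capacity, 50, 100), 2: WtdQueue(capacity, 100, 100)}
    for i in range(1000):
        dscp = 0 if i % 2 == 0 else 24
        queue_id, threshold = qmap[dscp]
        queues[queue_id].offer(dscp, threshold)
    q1 = queues[1]
    return len(q1.queued), q1.dropped.get(1, 0), q1.dropped.get(2, 0)
```

Once the queue passes the 50 percent mark, every further DSCP 0 packet is dropped while DSCP 24 keeps being admitted, so the low threshold sheds the low-priority class first. That is the lever for containing a flood from an untrusted or scavenger class: map it to threshold 1 with a low percentage so it cannot fill the shared buffer ahead of traffic mapped to a higher threshold.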
Beginning in privileged EXEC mode, follow these steps to allocate bandwidth between the ingress queues. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue input bandwidth weight1 weight2 Assign shared round robin weights to the ingress queues. The default setting for weight1 and weight2 is 4 (1/2 of the bandwidth is equally shared between the two queues).
Beginning in privileged EXEC mode, follow these steps to configure the priority queue. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue input priority-queue queue-id bandwidth weight Assign a queue as the priority queue and guarantee bandwidth on the stack ring if the ring is congested.
These sections contain this configuration information: • Configuration Guidelines, page 35-78 • Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, page 35-78 (optional) • Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, page 35-80 (optional) • Configuring SRR Shaped Weights on Egress Queues, page 35-82 (optional) • Configuring SRR Shared Weights on Egress Queues, page 35-83 (optional) • Configur
Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and the drop thresholds for a queue-set. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos queue-set output qset-id buffers allocation1 ... allocation4 Allocate buffers to a queue-set. By default, all allocation values are equally mapped among the four queues (25, 25, 25, 25).
Step 7 show mls qos interface [interface-id] buffers Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command.
Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an egress queue and to a threshold ID. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue output dscp-map queue queue-id threshold threshold-id dscp1...dscp8 Map DSCP or CoS values to an egress queue and to a threshold ID.
Configuring SRR Shaped Weights on Egress Queues
Note You cannot configure SRR shaped weights on the 10-Gigabit interfaces. You can specify how much of the available bandwidth is allocated to each queue. The ratio of the weights is the ratio of the frequency with which the SRR scheduler sends packets from each queue. You can configure the egress queues for shaped or shared weights, or both.
This example shows how to configure bandwidth shaping on queue 1. Because the weight ratios for queues 2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.
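The following is an added example, not code from the Cisco guide, that computes the bandwidth each egress queue gets under the SRR commands of this section as a simplified model: srr-queue bandwidth shape caps a queue with a nonzero weight at 1/weight of the port rate; queues with shape weight 0 share what is left in the ratio of their srr-queue bandwidth share weights; priority-queue out makes queue 1 an expedite queue served until empty before the others, whose shape and share weights are then ignored; and srr-queue bandwidth limit scales the port rate to that percentage. Applying the limited rate as the base for shaping, and subtracting what the expedite queue carries before distributing the rest, are assumptions of this model. The port rates and traffic demands are constructed.

```python
# Added example (not from the Cisco guide): per-queue bandwidth under SRR shaped
# and shared weights, the expedite queue, and a port bandwidth limit.
from typing import Dict, Optional, Tuple


def srr_bandwidth(port_bps: float, shape: Tuple[int, int, int, int],
                  share: Tuple[int, int, int, int], limit_pct: int = 100,
                  expedite_demand_bps: Optional[float] = None) -> Dict[int, float]:
    """Return {queue_id: bits per second} for egress queues 1-4.

    expedite_demand_bps, when given, means 'priority-queue out' is configured and
    queue 1 is currently carrying that much traffic; it is served first.
    """
    assert len(shape) == 4 and len(share) == 4
    assert 10 <= limit_pct <= 100            # 10-90 configurable; 100 means no limit
    rate = port_bps * limit_pct / 100
    result: Dict[int, float] = {}
    remaining = rate
    shared_weights: Dict[int, int] = {}

    if expedite_demand_bps is not None:
        result[1] = min(expedite_demand_bps, rate)      # served until empty
        remaining -= result[1]

    for q in range(1, 5):
        if q in result:
            continue
        if shape[q - 1] > 0:                            # shaped: capped at rate/w
            result[q] = rate / shape[q - 1]
            remaining -= result[q]
        else:
            shared_weights[q] = share[q - 1]            # shared: split the remainder

    total = sum(shared_weights.values())
    for q, w in shared_weights.items():
        result[q] = max(remaining, 0.0) * (w / total if total else 0.0)
    return result


def guide_example() -> Dict[int, float]:
    """'srr-queue bandwidth shape 8 0 0 0' with 'srr-queue bandwidth share 4 4 4 4'
    on a 1 Gb/s port: queue 1 is shaped to 1/8 (12.5 percent, 125 Mb/s) and
    queues 2-4 share the remaining 875 Mb/s equally."""
    return srr_bandwidth(1_000_000_000, (8, 0, 0, 0), (4, 4, 4, 4))


def expedite_flood() -> Dict[int, float]:
    """Same port with 'priority-queue out' while 900 Mb/s of traffic is mapped
    to queue 1: the other three queues are left with 100 Mb/s between them."""
    return srr_bandwidth(1_000_000_000, (8, 0, 0, 0), (4, 4, 4, 4),
                         expedite_demand_bps=900_000_000)


def limited_port() -> Dict[int, float]:
    """'srr-queue bandwidth limit 80' on a 1 Gb/s port, all queues shared with
    equal weights: 200 Mb/s each out of the 800 Mb/s the port may now send."""
    return srr_bandwidth(1_000_000_000, (0, 0, 0, 0), (1, 1, 1, 1), limit_pct=80)
```

The expedite case is the security caveat for the egress expedite queue described below: whatever is mapped to queue 1 is served until it is empty, so marks that select it (CoS 5 or EF under the default maps) must only be trusted from known devices, or policed, or the rest of the port starves.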
Configuring the Egress Expedite Queue
You can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues. Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 35 Configuring QoS Displaying Standard QoS Information Beginning in privileged EXEC mode, follow these steps to limit the bandwidth on an egress port. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be rate limited, and enter interface configuration mode. Step 3 srr-queue bandwidth limit weight1 Specify the percentage of the port speed to which the port should be limited.
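The following is an added example, not taken from this guide, that pulls the preceding queue-set, DSCP-map, expedite-queue, shared-weight and port-limit procedures into one configuration for an uplink. The interface (gigabitethernet1/0/1), the DSCP values, buffer percentages, thresholds and weights are assumptions chosen for illustration; the intent is to keep voice (EF) and control-plane (CS6/CS7) traffic ahead of everything else while a scavenger class is dropped first under congestion.

```cisco
! Added example, not from the Catalyst 3750 guide. Interface, DSCP values,
! buffer percentages and weights are assumptions for illustration.
Switch# configure terminal
Switch(config)# mls qos
! Queue-set 1: the expedite queue (queue 1) is drained first anyway, so it
! needs little buffer; deep buffers there only add latency to voice.
Switch(config)# mls qos queue-set output 1 buffers 10 40 25 25
! Queue 2 thresholds: drop-threshold1 60%, drop-threshold2 80%,
! reserved 50%, maximum 400% of the allocated buffer space.
Switch(config)# mls qos queue-set output 1 threshold 2 60 80 50 400
! EF (46), CS6 (48) and CS7 (56) to queue 1, threshold 3 (dropped only at maximum).
Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 3 46 48 56
! Scavenger (CS1 = 8) to queue 4, threshold 1, so it is the first traffic dropped;
! best effort (0) to the same queue on threshold 3.
Switch(config)# mls qos srr-queue output dscp-map queue 4 threshold 1 8
Switch(config)# mls qos srr-queue output dscp-map queue 4 threshold 3 0
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# queue-set 1
! Expedite queue: SRR services queue 1 until it is empty. Once this is set,
! weight1 in the share and shape commands is ignored.
Switch(config-if)# priority-queue out
! Queues 2, 3 and 4 share what the expedite queue leaves, in the ratio 40:30:30.
Switch(config-if)# srr-queue bandwidth share 1 40 30 30
! Limit the port to 80 percent of its line rate.
Switch(config-if)# srr-queue bandwidth limit 80
Switch(config-if)# end
! Verification: queue-set buffers and thresholds, per-port queueing, and the DSCP map.
Switch# show mls qos queue-set 1
Switch# show mls qos interface gigabitethernet1/0/1 buffers
Switch# show mls qos interface gigabitethernet1/0/1 queueing
Switch# show mls qos maps dscp-output-q
```

Before trusting the expedite queue for control traffic, check that the packets actually arrive with the expected DSCP: a port whose trust state is the default (untrusted) rewrites DSCP to 0 on ingress, and the egress map above then sends that traffic to queue 4.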
Chapter 35 Configuring QoS Displaying Standard QoS Information Table 35-15 Commands for Displaying Standard QoS Information (continued) Command Purpose show mls qos maps [cos-dscp | cos-input-q | cos-output-q | dscp-cos | dscp-input-q | dscp-mutation dscp-mutation-name | dscp-output-q | ip-prec-dscp | policed-dscp] Display QoS mapping information. show mls qos queue-set [qset-id] Display QoS settings for the egress queues.
CH A P T E R 36 Configuring EtherChannels and Link-State Tracking This chapter describes how to configure EtherChannels on the Catalyst 3750 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
Chapter 36 Configuring EtherChannels and Link-State Tracking Understanding EtherChannels Understanding EtherChannels • EtherChannel Overview, page 36-2 • Port-Channel Interfaces, page 36-4 • Port Aggregation Protocol, page 36-5 • Link Aggregation Control Protocol, page 36-7 • EtherChannel On Mode, page 36-8 • Load Balancing and Forwarding Methods, page 36-8 • EtherChannel and Switch Stacks, page 36-10 EtherChannel Overview An EtherChannel consists of individual Fast Ethernet or Gigabit Ethe
Chapter 36 Configuring EtherChannels and Link-State Tracking Understanding EtherChannels The EtherChannel provides full-duplex bandwidth up to 800 Mb/s (Fast EtherChannel) or 8 Gb/s (Gigabit EtherChannel) between your switch and another switch or host. Each EtherChannel can consist of up to eight compatibly configured Ethernet ports. All ports in each EtherChannel must be configured as either Layer 2 or Layer 3 ports. The number of EtherChannels is limited to 48.
Chapter 36 Configuring EtherChannels and Link-State Tracking Understanding EtherChannels Figure 36-3 Cross-Stack EtherChannel (figure: a Catalyst 3750 switch stack of Switch 1, Switch 2 and Switch 3 joined by StackWise port connections, with ports on different stack members bundled into channel group 1 toward Switch A) Port-Channel Interfaces When you create an EtherChannel, a port-channel logical interface is involved: • With Layer 2 ports, use the channel-group interface configuration command to dynamically create the port-channel logical interface.
Chapter 36 Configuring EtherChannels and Link-State Tracking Understanding EtherChannels Figure 36-4 Relationship of Physical Ports, Logical Port Channels, and Channel Groups (figure: several physical ports bound through one channel group to a single logical port-channel interface) After you configure an EtherChannel, configuration changes applied to the port-channel interface apply to all the physical ports assigned to the port-channel interface.
Chapter 36 Configuring EtherChannels and Link-State Tracking Understanding EtherChannels PAgP Modes Table 36-1 shows the user-configurable EtherChannel PAgP modes for the channel-group interface configuration command. Table 36-1 EtherChannel PAgP Modes Mode Description auto Places a port into a passive negotiating state, in which the port responds to PAgP packets it receives but does not start PAgP packet negotiation. This setting minimizes the transmission of PAgP packets.
Chapter 36 Configuring EtherChannels and Link-State Tracking Understanding EtherChannels To prevent a dual-active situation, the core switches send PAgP protocol data units (PDUs) through the RSLs to the remote switches. The PAgP PDUs identify the active switch, and the remote switches forward the PDUs to core switches so that the core switches are in sync. If the active switch fails or resets, the standby switch takes over as the active switch.
Chapter 36 Configuring EtherChannels and Link-State Tracking Understanding EtherChannels Ports can form an EtherChannel when they are in different LACP modes as long as the modes are compatible. For example: • A port in the active mode can form an EtherChannel with another port that is in the active or passive mode. • A port in the passive mode cannot form an EtherChannel with another port that is also in the passive mode because neither port starts LACP negotiation.
Chapter 36 Configuring EtherChannels and Link-State Tracking Understanding EtherChannels With destination-MAC address forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the channel based on the destination MAC address of the incoming packet. Therefore, packets to the same destination are forwarded over the same port, and packets to a different destination are sent on a different port in the channel.
Chapter 36 Configuring EtherChannels and Link-State Tracking Understanding EtherChannels Figure 36-5 Load Distribution and Forwarding Methods (figure: a switch with source-based forwarding enabled and a Cisco router with destination-based forwarding enabled, connected by an EtherChannel) EtherChannel and Switch Stacks If a stack member that has ports participating in an EtherChannel fails or leaves the stack, the stack master removes the failed stack member switch ports from the EtherChannel.
Chapter 36 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Configuring EtherChannels These sections contain this configuration information: • Default EtherChannel Configuration, page 36-11 • EtherChannel Configuration Guidelines, page 36-12 • Configuring Layer 2 EtherChannels, page 36-13 (required) • Configuring Layer 3 EtherChannels, page 36-15 (required) • Configuring EtherChannel Load Balancing, page 36-18 (optional) • Configuring the PAgP Learn Method and Priorit
Chapter 36 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels EtherChannel Configuration Guidelines If improperly configured, some EtherChannel ports are automatically disabled to avoid network loops and other problems. Follow these guidelines to avoid configuration problems: • Do not try to configure more than 48 EtherChannels on the switch stack. • Configure a PAgP EtherChannel with up to eight Ethernet ports of the same type.
Chapter 36 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels • For Layer 2 EtherChannels: – Assign all ports in the EtherChannel to the same VLAN, or configure them as trunks. Ports with different native VLANs cannot form an EtherChannel. – If you configure an EtherChannel from trunk ports, verify that the trunking mode (ISL or IEEE 802.1Q) is the same on all the trunks. Inconsistent trunk modes on EtherChannel ports can have unexpected results.
Chapter 36 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Step 3 Command Purpose switchport mode {access | trunk} Assign all ports as static-access ports in the same VLAN, or configure them as trunks. switchport access vlan vlan-id If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094. Step 4 Assign the port to a channel group, and specify the PAgP or the LACP mode.
Chapter 36 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels This example shows how to configure an EtherChannel on a switch.
Chapter 36 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Beginning in privileged EXEC mode, follow these steps to create a port-channel interface for a Layer 3 EtherChannel. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface port-channel port-channel-number Specify the port-channel logical interface, and enter interface configuration mode. For port-channel-number, the range is 1 to 48.
Chapter 36 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Step 5 Command Purpose channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive} Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 48. This number must be the same as the port-channel-number (logical port) configured in the “Creating Port-Channel Logical Interfaces” section on page 36-15.
Chapter 36 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels This example shows how to configure an EtherChannel. It assigns two ports to channel 5 with the LACP mode active:
Switch# configure terminal
Switch(config)# interface range gigabitethernet2/0/1 -2
Switch(config-if-range)# no ip address
Switch(config-if-range)# no switchport
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# end
This example shows how to configure a cross-stack EtherChannel.
Chapter 36 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Command Purpose Step 3 end Return to privileged EXEC mode. Step 4 show etherchannel load-balance Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command.
Chapter 36 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Beginning in privileged EXEC mode, follow these steps to configure your switch as a PAgP physical-port learner and to adjust the priority so that the same port in the bundle is selected for sending packets. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port for transmission, and enter interface configuration mode.
Chapter 36 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels If you configure more than eight links for an EtherChannel group, the software automatically decides which of the hot-standby ports to make active based on the LACP priority.
Chapter 36 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Configuring the LACP Port Priority By default, all ports use the same port priority. If the local system has a lower value for the system priority and the system ID than the remote system, you can affect which of the hot-standby links become active first by changing the port priority of LACP EtherChannel ports to a lower value than the default.
Chapter 36 Configuring EtherChannels and Link-State Tracking Displaying EtherChannel, PAgP, and LACP Status Displaying EtherChannel, PAgP, and LACP Status Table 36-4 Commands for Displaying EtherChannel, PAgP, and LACP Status Command Description show etherchannel [channel-group-number {detail | port | port-channel | protocol | summary}] {detail | load-balance | port | port-channel | protocol | summary} Displays EtherChannel information in a brief, detailed, and one-line summary form.
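The following is an added example, not from this guide, that applies the Layer 2 guidelines, the load-balancing, PAgP/LACP-mode and LACP-priority procedures above to one cross-stack trunk EtherChannel and then verifies it with the commands in Table 36-4. The member ports (gigabitethernet1/0/1 and gigabitethernet2/0/1), VLAN numbers and priority values are assumptions.

```cisco
! Added example, not from the Catalyst 3750 guide. Member ports, VLANs and
! priority values are assumptions.
Switch# configure terminal
! A system priority below the default 32768 makes this stack the side that
! decides which links go active if more than eight are ever bundled.
Switch(config)# lacp system-priority 100
! Hash on source and destination IP so that traffic between two hosts is not
! pinned to one member by MAC alone (default is src-mac).
Switch(config)# port-channel load-balance src-dst-ip
! Members on two different stack members: losing one switch keeps the channel up.
Switch(config)# interface range gigabitethernet1/0/1 , gigabitethernet2/0/1
! Trunk settings must be identical on every member; a mismatched member port
! is suspended rather than bundled.
Switch(config-if-range)# switchport trunk encapsulation dot1q
Switch(config-if-range)# switchport mode trunk
Switch(config-if-range)# switchport trunk native vlan 999
Switch(config-if-range)# switchport trunk allowed vlan 10,20
Switch(config-if-range)# switchport nonegotiate
! active rather than on: LACP confirms the far end is the same bundle before
! the link forwards, which an unconditional on-mode bundle never checks.
Switch(config-if-range)# channel-group 1 mode active
Switch(config-if-range)# exit
! Prefer gi1/0/1 as the first active link should the channel exceed eight ports.
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# lacp port-priority 100
Switch(config-if)# end
Switch# show etherchannel 1 summary
Switch# show lacp 1 neighbor
Switch# show lacp sys-id
Switch# show etherchannel load-balance
```

In show etherchannel 1 summary, each member should be flagged P (bundled in port-channel); a member shown as s (suspended) or I (stand-alone) almost always means its trunk settings or the far-end mode do not match the others.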
Chapter 36 Configuring EtherChannels and Link-State Tracking Understanding Link-State Tracking The configuration in Figure 36-6 ensures that the network traffic flow is balanced as follows: • For links to switches and other network devices – Server 1 and server 2 use switch A for primary links and switch B for secondary links. – Server 3 and server 4 use switch B for primary links and switch A for secondary links.
Chapter 36 Configuring EtherChannels and Link-State Tracking Configuring Link-State Tracking You can recover a downstream interface link-down condition by removing the failed downstream port from the link-state group. To recover multiple downstream interfaces, disable the link-state group.
Chapter 36 Configuring EtherChannels and Link-State Tracking Configuring Link-State Tracking Default Link-State Tracking Configuration There are no link-state groups defined, and link-state tracking is not enabled for any group. Link-State Tracking Configuration Guidelines Follow these guidelines to avoid configuration problems: • An interface that is defined as an upstream interface cannot also be defined as a downstream interface in the same or a different link-state group. The reverse is also true.
Chapter 36 Configuring EtherChannels and Link-State Tracking Configuring Link-State Tracking
Switch(config-if)# link state group 1 downstream
Switch(config-if)# interface gigabitethernet1/0/3
Switch(config-if)# link state group 1 downstream
Switch(config-if)# interface gigabitethernet1/0/5
Switch(config-if)# link state group 1 downstream
Switch(config-if)# end
To disable a link-state group, use the no link state track number global configuration command.
CH A P T E R 37 Configuring TelePresence E911 IP Phone Support Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. The Catalyst 3750 switch command reference has command syntax and usage information. • Understanding TelePresence E911 IP Phone Support, page 37-1 • Configuring TelePresence E911 IP Phone Support, page 37-2 Understanding TelePresence E911 IP Phone Support You can use a Cisco IP phone as a user interface in a Cisco TelePresence System.
Chapter 37 Configuring TelePresence E911 IP Phone Support Configuring TelePresence E911 IP Phone Support TelePresence System. The switch adds ingress-egress port pairs to the CDP forwarding table. An ingress-egress port pair is a one-to-one mapping between an ingress switch port connected to the IP phone and an egress switch port connected to the codec. The IP phone and the codec communicate through the IP network.
Chapter 37 Configuring TelePresence E911 IP Phone Support Configuring TelePresence E911 IP Phone Support Enabling TelePresence E911 IP Phone Support Beginning in privileged EXEC mode:
Step 1: configure terminal. Enters global configuration mode.
Step 2: cdp forward ingress port-id egress port-id. Configures an ingress-egress port pair. • ingress port-id—Specifies the port connected to the CDP-enabled IP phone.
Chapter 37 Configuring TelePresence E911 IP Phone Support Configuring TelePresence E911 IP Phone Support
Switch# show cdp forward
Ingress    Egress     # packets    # packets
Port       Port       forwarded    dropped
---------------------------------------------
Gi2/0/2    Gi2/0/13   0            0
Switch#
CH A P T E R 38 Configuring IP Unicast Routing This chapter describes how to configure IP Version 4 (IPv4) unicast routing on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. A switch stack operates and appears as a single router to the rest of the routers in the network. Basic routing functions, including static routing and the Routing Information Protocol (RIP), are available with both the IP base image and the IP services image.
Chapter 38 Configuring IP Unicast Routing Understanding IP Routing • Configuring Protocol-Independent Features, page 38-90 • Monitoring and Maintaining the IP Network, page 38-106 Note When you configure routing parameters on the switch, you can use the sdm prefer routing global configuration command to set the Switch Database Management (SDM) feature to the routing template, which allocates system resources to maximize the number of unicast routes allowed.
Chapter 38 Configuring IP Unicast Routing Understanding IP Routing Types of Routing Routers and Layer 3 switches can route packets in three different ways: • By using default routing • By using preprogrammed static routes for the traffic • By dynamically calculating routes by using a routing protocol Default routing refers to sending traffic with a destination unknown to the router to a default outlet or destination.
Chapter 38 Configuring IP Unicast Routing Understanding IP Routing • The MAC address of the stack master is used as the router MAC address for the whole stack, and all outside devices use this address to send IP packets to the stack. • All IP packets that require software forwarding or processing go through the CPU of the stack master.
Chapter 38 Configuring IP Unicast Routing Steps for Configuring Routing Caution Partitioning of the switch stack into two or more stacks might lead to undesirable behavior in the network. Steps for Configuring Routing By default, IP routing is disabled on the switch, and you must enable it before routing can take place. For detailed IP routing configuration information, see the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing Configuring IP Addressing A required task for configuring IP routing is to assign IP addresses to Layer 3 network interfaces to enable the interfaces and allow communication with the hosts on those interfaces that use IP. These sections describe how to configure various IP addressing features. Assigning IP addresses to the interface is required; the other procedures are optional.
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing Table 38-1 Default Addressing Configuration (continued) Feature Default Setting IRDP Disabled. Defaults when enabled: • Broadcast IRDP advertisements. • Maximum interval between advertisements: 600 seconds. • Minimum interval between advertisements: 0.75 times max interval • Preference: 0. IP proxy ARP Enabled. IP routing Disabled. IP subnet-zero Disabled.
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing You can use the all ones subnet (131.108.255.0) and even though it is discouraged, you can enable the use of subnet zero if you need the entire subnet space for your IP address. Beginning in privileged EXEC mode, follow these steps to enable subnet zero: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip subnet-zero Enable the use of subnet zero for interface addresses and routing updates.
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing Figure 38-3 No IP Classless Routing (figure: a router with routes to the subnets 128.20.1.0, 128.20.2.0 and 128.20.3.0 and a supernet route to 128.0.0.0/8; with classless routing disabled, a packet for host 128.20.4.1 on the unknown subnet 128.20.4.0 goes to the bit bucket instead of following the supernet route) To prevent the switch from forwarding packets destined for unrecognized subnets to the best supernet route possible, you can disable classless routing behavior.
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing The switch can use these forms of address resolution: • Address Resolution Protocol (ARP) is used to associate IP addresses with MAC addresses. Taking an IP address as input, ARP learns the associated MAC address and then stores the IP address/MAC address association in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network.
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing Command Purpose Step 3 arp ip-address hardware-address type [alias] (Optional) Specify that the switch respond to ARP requests as if it were the owner of the specified IP address. Step 4 interface interface-id Enter interface configuration mode, and specify the interface to configure. Step 5 arp timeout seconds (Optional) Set the length of time an ARP cache entry will stay in the cache. The default is 14400 seconds (4 hours).
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing Enable Proxy ARP By default, the switch uses proxy ARP to help hosts learn MAC addresses of hosts on other networks or subnets. Beginning in privileged EXEC mode, follow these steps to enable proxy ARP if it has been disabled: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the Layer 3 interface to configure.
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing Beginning in privileged EXEC mode, follow these steps to define a default gateway (router) when IP routing is disabled: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip default-gateway ip-address Set up a default gateway (router). Step 3 end Return to privileged EXEC mode. Step 4 show ip redirects Display the address of the default gateway router to verify the setting.
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing Command Purpose Step 6 ip irdp maxadvertinterval seconds (Optional) Set the IRDP maximum interval between advertisements. The default is 600 seconds. Step 7 ip irdp minadvertinterval seconds (Optional) Set the IRDP minimum interval between advertisements. The default is 0.75 times the maxadvertinterval. If you change the maxadvertinterval, this value changes to the new default (0.75 of maxadvertinterval).
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing Enabling Directed Broadcast-to-Physical Broadcast Translation By default, IP directed broadcasts are dropped; they are not forwarded. Dropping IP-directed broadcasts makes routers less susceptible to denial-of-service attacks. You can enable forwarding of IP-directed broadcasts on an interface where the broadcast becomes a physical (MAC-layer) broadcast.
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing Forwarding UDP Broadcast Packets and Protocols User Datagram Protocol (UDP) is an IP host-to-host layer protocol, as is TCP. UDP provides a low-overhead, connectionless session between two end systems and does not provide for acknowledgment of received datagrams. Network hosts occasionally use UDP broadcasts to find address, configuration, and name information.
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing Beginning in privileged EXEC mode, follow these steps to set the IP broadcast address on an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the interface to configure. Step 3 ip broadcast-address ip-address Enter a broadcast address different from the default, for example 128.1.255.255.
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing Beginning in privileged EXEC mode, follow these steps to use the bridging spanning-tree database to flood UDP datagrams: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip forward-protocol spanning-tree Use the bridging spanning-tree database to flood UDP datagrams. Step 3 end Return to privileged EXEC mode. Step 4 show running-config Verify your entry.
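The following is an added example, not from this guide, that combines the addressing procedures above (subnet zero, classless routing, proxy ARP, directed broadcasts, UDP broadcast forwarding and the ARP timeout) into a hardened configuration for one routed VLAN interface. The VLAN (10), addresses, DHCP server (10.1.1.5) and timeout value are assumptions. The UDP ports removed are the ones ip helper-address forwards by default (time 37, TACACS 49, DNS 53, TFTP 69, NetBIOS 137 and 138), so that only BOOTP/DHCP (67 and 68) is relayed.

```cisco
! Added example, not from the Catalyst 3750 guide. VLAN, addresses, server
! and timeout are assumptions.
Switch# configure terminal
Switch(config)# ip routing
! Allow subnet zero and classless forwarding; both are common defaults on
! newer software and are unrelated to the hardening that follows.
Switch(config)# ip subnet-zero
Switch(config)# ip classless
! ip helper-address relays a fixed set of UDP broadcasts by default.
! Remove everything except BOOTP/DHCP so the relay cannot be used to reach
! TFTP, DNS, NetBIOS or TACACS servers from a user segment.
Switch(config)# no ip forward-protocol udp 37
Switch(config)# no ip forward-protocol udp 49
Switch(config)# no ip forward-protocol udp 53
Switch(config)# no ip forward-protocol udp 69
Switch(config)# no ip forward-protocol udp 137
Switch(config)# no ip forward-protocol udp 138
Switch(config)# interface vlan 10
Switch(config-if)# ip address 10.10.0.1 255.255.255.0
! Proxy ARP is on by default. Off, the switch answers ARP only for its own
! address and hosts with a wrong mask stop being silently routed.
Switch(config-if)# no ip proxy-arp
! Directed broadcasts are dropped by default; state it so that anyone who
! later turns them on has to delete this line and explain why.
Switch(config-if)# no ip directed-broadcast
! Relay DHCP from this segment; with the forward-protocol list trimmed
! above, only ports 67 and 68 are forwarded to the server.
Switch(config-if)# ip helper-address 10.1.1.5
! Age ARP entries after 1 hour instead of the default 4 (14400 seconds).
Switch(config-if)# arp timeout 3600
Switch(config-if)# end
! Verification: look for "Proxy ARP is disabled", "Directed broadcast
! forwarding is disabled" and the helper address in the interface output.
Switch# show ip interface vlan 10
Switch# show running-config | include forward-protocol
```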
Chapter 38 Configuring IP Unicast Routing Enabling IP Unicast Routing Table 38-3 Commands to Display Caches, Tables, and Databases Command Purpose show arp Display the entries in the ARP table. show hosts Display the default domain name, style of lookup service, name server hosts, and the cached list of hostnames and addresses. show ip aliases Display IP addresses mapped to TCP ports (aliases). show ip arp Display the IP ARP cache.
Chapter 38 Configuring IP Unicast Routing Configuring RIP You can now set up parameters for the selected routing protocols as described in these sections: • Configuring RIP, page 38-20 • Configuring OSPF, page 38-25 • Configuring EIGRP, page 38-36 • Configuring BGP, page 38-44 • Configuring Protocol-Independent Features, page 38-90 (optional) Configuring RIP The Routing Information Protocol (RIP) is an interior gateway protocol (IGP) created for use in small, homogeneous networks.
Chapter 38 Configuring IP Unicast Routing Configuring RIP Table 38-4 Default RIP Configuration Feature Default Setting Auto summary Enabled. Default-information originate Disabled. Default metric Built-in; automatic metric translations. IP RIP authentication key-chain No authentication. Authentication mode: clear text. IP RIP receive version According to the version router configuration command. IP RIP send version According to the version router configuration command.
Chapter 38 Configuring IP Unicast Routing Configuring RIP
Step 5: neighbor ip-address. (Optional) Define a neighboring router with which to exchange routing information. This step allows routing updates from RIP (normally a broadcast protocol) to reach nonbroadcast networks.
Step 6: offset-list [access-list-number | name] {in | out} offset [type number]. (Optional) Apply an offset list to routing metrics to increase incoming and outgoing metrics of routes learned through RIP.
Chapter 38 Configuring IP Unicast Routing Configuring RIP Configuring RIP Authentication RIP Version 1 does not support authentication. If you are sending and receiving RIP Version 2 packets, you can enable RIP authentication on an interface. The key chain specifies the set of keys that can be used on the interface. If no key chain is configured on the interface, no authentication is performed there at all. The default authentication mode sends the key in clear text; use the md5 mode so that the key itself never appears on the wire.
Chapter 38 Configuring IP Unicast Routing Configuring RIP Beginning in privileged EXEC mode, follow these steps to set an interface to advertise a summarized local IP address and to disable split horizon on the interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the Layer 3 interface to configure. Step 3 ip address ip-address subnet-mask Configure the IP address and IP subnet.
Chapter 38 Configuring IP Unicast Routing Configuring OSPF Beginning in privileged EXEC mode, follow these steps to disable split horizon on the interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the interface to configure. Step 3 ip address ip-address subnet-mask Configure the IP address and IP subnet. Step 4 no ip split-horizon Disable split horizon on the interface.
Chapter 38 Configuring IP Unicast Routing Configuring OSPF These sections contain this configuration information: • Default OSPF Configuration, page 38-26 • Configuring Basic OSPF Parameters, page 38-29 • Configuring OSPF Interfaces, page 38-30 • Configuring OSPF Area Parameters, page 38-31 • Configuring Other OSPF Parameters, page 38-32 • Changing LSA Group Pacing, page 38-34 • Configuring a Loopback Interface, page 38-34 • Monitoring OSPF, page 38-35 Note To enable OSPF, the stack mas
Chapter 38 Configuring IP Unicast Routing Configuring OSPF Table 38-5 Default OSPF Configuration (continued) Feature Default Setting Distance OSPF dist1 (all routes within an area): 110. dist2 (all routes from one area to another): 110. dist3 (routes from other routing domains): 110. OSPF database filter Disabled. All outgoing link-state advertisements (LSAs) are flooded to the interface. IP OSPF name lookup Disabled. Log adjacency changes Enabled. Neighbor None specified.
Chapter 38 Configuring IP Unicast Routing Configuring OSPF OSPF for Routed Access With Cisco IOS Release 12.2(55)SE, the IP Base image supports OSPF for routed access. The IP services image is required if you need multiple OSPFv2 and OSPFv3 instances without route restrictions. Additionally, the IP services image is required to enable the multi-VRF-CE feature. OSPF for Routed Access is specifically designed so that you can extend Layer 3 routing capabilities to the wiring closet.
Chapter 38 Configuring IP Unicast Routing Configuring OSPF After a stack master change, the new master sends an OSPF NSF signal to neighboring NSF-aware devices. A device recognizes this signal to mean that it should not reset the neighbor relationship with the stack. As the NSF-capable stack master receives signals from other routers on the network, it begins to rebuild its neighbor list.
Chapter 38 Configuring IP Unicast Routing Configuring OSPF This example shows how to configure an OSPF routing process and assign it a process number of 109:
Switch(config)# router ospf 109
Switch(config-router)# network 131.108.0.0 0.0.255.255 area 24
The network router configuration command takes a wildcard (inverse) mask, not a subnet mask: 0.0.255.255 places every interface whose address falls in 131.108.0.0/16 into area 24. Configuring OSPF Interfaces You can use the ip ospf interface configuration commands to modify interface-specific OSPF parameters.
Chapter 38 Configuring IP Unicast Routing Configuring OSPF Command Purpose Step 11 ip ospf database-filter all out (Optional) Block flooding of OSPF LSA packets to the interface. By default, OSPF floods new LSAs over all interfaces in the same area, except the interface on which the LSA arrives. Step 12 end Return to privileged EXEC mode. Step 13 show ip ospf interface [interface-name] Display OSPF-related interface information.
Chapter 38 Configuring IP Unicast Routing Configuring OSPF Command Purpose Step 5 area area-id stub [no-summary] (Optional) Define an area as a stub area. The no-summary keyword prevents an ABR from sending summary link advertisements into the stub area. Step 6 area area-id nssa [no-redistribution] [default-information-originate] [no-summary] (Optional) Defines an area as a not-so-stubby-area. Every router within the same area must agree that the area is NSSA.
Chapter 38 Configuring IP Unicast Routing Configuring OSPF • Default Metrics: OSPF calculates the OSPF metric for an interface according to the bandwidth of the interface. The metric is calculated as ref-bw divided by bandwidth, where ref-bw is the reference bandwidth (100 Mb/s by default, changed with the auto-cost reference-bandwidth router configuration command) and bandwidth (bw) is specified by the bandwidth interface configuration command. With the default reference bandwidth every link of 100 Mb/s or faster gets the same cost of 1, so for networks with multiple high-bandwidth links, specify a larger reference bandwidth (on every router in the domain) to differentiate the cost of those links.
Chapter 38 Configuring IP Unicast Routing Configuring OSPF
Step 10: timers throttle spf spf-delay spf-holdtime spf-wait. (Optional) Configure route calculation timers. • spf-delay—Delay between receiving a change and starting the SPF calculation. The range is from 1 to 600000 milliseconds. • spf-holdtime—Delay between the first and second SPF calculation. The range is from 1 to 600000 milliseconds. • spf-wait—Maximum wait time, in milliseconds, between consecutive SPF calculations.
Chapter 38 Configuring IP Unicast Routing Configuring OSPF its router ID, even if other interfaces have higher IP addresses. Because loopback interfaces never fail, this provides greater stability. OSPF automatically prefers a loopback interface over other interfaces, and it chooses the highest IP address among all loopback interfaces. Beginning in privileged EXEC mode, follow these steps to configure a loopback interface: Command Purpose Step 1 configure terminal Enter global configuration mode.
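The following is an added example, not from this guide, that ties together the OSPF procedures above: a loopback interface as the router ID, a reference bandwidth that distinguishes Gigabit from 10-Gigabit links, a stub access area, MD5-authenticated adjacencies on the uplink and passive user-facing ports. The addresses, area number, process number, uplink port (gigabitethernet1/0/1) and key string are assumptions; the per-interface ip ospf message-digest-key command is part of the interface procedure of which only the last steps appear on this page.

```cisco
! Added example, not from the Catalyst 3750 guide. Addresses, area, port and
! key string are assumptions.
Switch# configure terminal
! A loopback never goes down, so the router ID survives any link flap.
Switch(config)# interface loopback 0
Switch(config-if)# ip address 10.255.0.1 255.255.255.255
Switch(config-if)# exit
Switch(config)# router ospf 109
Switch(config-router)# router-id 10.255.0.1
! Reference bandwidth 10 Gb/s: Gigabit links cost 10, 10-Gigabit links cost 1.
! Every router in the OSPF domain must use the same value.
Switch(config-router)# auto-cost reference-bandwidth 10000
Switch(config-router)# log-adjacency-changes detail
! network takes a wildcard (inverse) mask: 0.0.0.255 matches one /24.
Switch(config-router)# network 10.255.0.1 0.0.0.0 area 0
Switch(config-router)# network 131.108.24.0 0.0.0.255 area 24
! Access area 24 is a totally stubby area: it receives only a default route.
Switch(config-router)# area 24 stub no-summary
! MD5 for every interface in both areas. An interface without a configured
! key then fails to form an adjacency instead of falling back to none.
Switch(config-router)# area 0 authentication message-digest
Switch(config-router)# area 24 authentication message-digest
! No hellos toward users; only the uplink participates in OSPF.
Switch(config-router)# passive-interface default
Switch(config-router)# no passive-interface gigabitethernet1/0/1
Switch(config-router)# exit
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 131.108.24.1 255.255.255.0
! Key ID and key must match the neighbor; the key is at most 16 characters.
Switch(config-if)# ip ospf message-digest-key 1 md5 s3cr3t-change-me
Switch(config-if)# end
Switch# show ip ospf interface gigabitethernet1/0/1
Switch# show ip ospf neighbor
```

show ip ospf interface reports the authentication type in use and the youngest key ID; if the neighbor stays in INIT or never appears, an authentication or area-type mismatch is the first thing to check.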
Chapter 38 Configuring IP Unicast Routing Configuring EIGRP Configuring EIGRP Enhanced IGRP (EIGRP) is a Cisco proprietary enhanced version of the IGRP. EIGRP uses the same distance vector algorithm and distance information as IGRP; however, the convergence properties and the operating efficiency of EIGRP are significantly improved.
Chapter 38 Configuring IP Unicast Routing Configuring EIGRP This is the process whereby a new successor is determined. The amount of time it takes to recompute the route affects the convergence time. Recomputation is processor-intensive; it is advantageous to avoid recomputation if it is not necessary. When a topology change occurs, DUAL tests for feasible successors. If there are feasible successors, it uses any it finds to avoid unnecessary recomputation.
Chapter 38 Configuring IP Unicast Routing Configuring EIGRP Table 38-7 Default EIGRP Configuration (continued) Feature Default Setting Distance Internal distance: 90. External distance: 170. EIGRP log-neighbor changes Disabled. No adjacency changes logged. IP authentication key-chain No authentication provided. IP authentication mode No authentication provided. IP bandwidth-percent 50 percent.
Chapter 38 Configuring IP Unicast Routing Configuring EIGRP EIGRP Nonstop Forwarding The switch stack supports two levels of EIGRP nonstop forwarding: • EIGRP NSF Awareness, page 38-39 • EIGRP NSF Capability, page 38-39 EIGRP NSF Awareness The EIGRP NSF Awareness feature is supported for IPv4 in the IP services image.
Configuring Basic EIGRP Parameters
Beginning in privileged EXEC mode, follow these steps to configure EIGRP. Configuring the routing process is required; other steps are optional:
Command / Purpose
Step 1  configure terminal -- Enter global configuration mode.
Step 2  router eigrp autonomous-system number -- Enable an EIGRP routing process, and enter router configuration mode.
Configuring EIGRP Interfaces
Other optional EIGRP parameters can be configured on an interface basis. Beginning in privileged EXEC mode, follow these steps to configure EIGRP interfaces:
Command / Purpose
Step 1  configure terminal -- Enter global configuration mode.
Step 2  interface interface-id -- Enter interface configuration mode, and specify the Layer 3 interface to configure.
Beginning in privileged EXEC mode, follow these steps to enable authentication:
Command / Purpose
Step 1  configure terminal -- Enter global configuration mode.
Step 2  interface interface-id -- Enter interface configuration mode, and specify the Layer 3 interface to configure.
Step 3  ip authentication mode eigrp autonomous-system md5 -- Enable MD5 authentication in IP EIGRP packets.
capability and complete EIGRP routing, the switch must be running the IP services image. On a switch running the IP base image, if you try to configure multi-VRF-CE and EIGRP stub routing at the same time, the configuration is not allowed. In a network using EIGRP stub routing, the only allowable route for IP traffic to the user is through a switch that is configured with EIGRP stub routing.
Monitoring and Maintaining EIGRP
You can delete neighbors from the neighbor table. You can also display various EIGRP routing statistics. Table 38-8 lists the privileged EXEC commands for deleting neighbors and displaying statistics. For explanations of fields in the resulting display, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.
Configuring BGP
[Figure: EBGP, IBGP, and Multiple Autonomous Systems. Router A (AS 100), Router B and Router C, and Router D (AS 300), connected by EBGP and IBGP sessions; interface addresses shown in the figure: 129.213.1.1, 129.213.1.2, 192.208.10.1, 192.208.10.2, 175.220.212.1.]
BGP Version 4 supports classless interdomain routing (CIDR) so you can reduce the size of your routing tables by creating aggregate routes, resulting in supernets. CIDR eliminates the concept of network classes within BGP and supports the advertising of IP prefixes.
Table 38-9 Default BGP Configuration (continued)
Feature / Default Setting
BGP community list:
• Number: None defined. When you permit a value for the community number, the list defaults to an implicit deny for everything else that has not been permitted.
• Format: Cisco default format (32-bit number).
BGP confederation identifier/peers:
• Identifier: None configured.
• Peers: None identified.
BGP Fast external fallover: Enabled.
Table 38-9 Default BGP Configuration (continued)
Feature / Default Setting
Neighbor:
• Advertisement interval: 30 seconds for external peers; 5 seconds for internal peers.
• Change logging: Enabled.
• Conditional advertisement: Disabled.
• Default originate: No default route is sent to the neighbor.
• Description: None.
• Distribute list: None defined.
NSF1 Awareness:
Nonstop Forwarding Awareness
The BGP NSF Awareness feature is supported for IPv4 in the IP services image. To enable this feature with BGP routing, you need to enable Graceful Restart.
Command / Purpose
Step 5  neighbor {ip-address | peer-group-name} remote-as number -- Add an entry to the BGP neighbor table specifying that the neighbor identified by the IP address belongs to the specified AS. For EBGP, neighbors are usually directly connected, and the IP address is the address of the interface at the other end of the connection. For IBGP, the IP address can be the address of any of the router interfaces.
These examples show how to configure BGP on the routers in Figure 38-5.
Router A:
Switch(config)# router bgp 100
Switch(config-router)# neighbor 129.213.1.1 remote-as 200
Router B:
Switch(config)# router bgp 200
Switch(config-router)# neighbor 129.213.1.2 remote-as 100
Switch(config-router)# neighbor 175.220.1.2 remote-as 200
Router C:
Switch(config)# router bgp 200
Switch(config-router)# neighbor 175.220.212.
There are two types of reset, hard reset and soft reset. The switch supports a soft reset without any prior configuration. To use a soft reset without preconfiguration, both BGP peers must support the soft route refresh capability, which is advertised in the OPEN message sent when the peers establish a TCP session.
Configuring BGP Decision Attributes
When a BGP speaker receives updates from multiple autonomous systems that describe different paths to the same destination, it must choose the single best path for reaching that destination. When chosen, the selected path is entered into the BGP routing table and propagated to its neighbors. The decision is based on the value of attributes that the update contains and other BGP-configurable factors.
Beginning in privileged EXEC mode, follow these steps to configure some decision attributes:
Command / Purpose
Step 1  configure terminal -- Enter global configuration mode.
Step 2  router bgp autonomous-system -- Enable a BGP routing process, assign it an AS number, and enter router configuration mode.
Step 3  bgp best-path as-path ignore -- (Optional) Configure the router to ignore AS path length in selecting a route.
Use the no form of each command to return to the default state.
Configuring BGP Filtering with Route Maps
Within BGP, route maps can be used to control and to modify routing information and to define the conditions by which routes are redistributed between routing domains. See the “Using Route Maps to Redistribute Routing Information” section on page 38-94 for more information about route maps.
Beginning in privileged EXEC mode, follow these steps to apply a per-neighbor route map:
Command / Purpose
Step 1  configure terminal -- Enter global configuration mode.
Step 2  router bgp autonomous-system -- Enable a BGP routing process, assign it an AS number, and enter router configuration mode.
Configuring Prefix Lists for BGP Filtering
You can use prefix lists as an alternative to access lists in many BGP route filtering commands, including the neighbor distribute-list router configuration command. The advantages of using prefix lists include performance improvements in loading and lookup of large lists, incremental update support, easier CLI configuration, and greater flexibility.
sequence number command; to reenable automatic generation, use the ip prefix-list sequence number command. To clear the hit-count table of prefix list entries, use the clear ip prefix-list privileged EXEC command.
Configuring BGP Community Filtering
One way that BGP controls the distribution of routing information is based on the value of the COMMUNITIES attribute.
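The prefix-list semantics described above (sequence-ordered evaluation, first match wins, implicit deny at the end, the ge/le length window, and the per-entry hit counts that clear ip prefix-list resets) can be modelled in a few lines. The following Python is an added example written for this page; it is not code from the Cisco guide or from IOS, and the list name CUSTOMER-IN, the sequence numbers and the sample prefixes are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PrefixListEntry:
    """One line of an IOS-style prefix list:
    ip prefix-list NAME seq SEQ {permit|deny} PREFIX/LEN [ge GE] [le LE]"""
    seq: int
    action: str                # "permit" or "deny"
    prefix: str                # e.g. "10.0.0.0/8"
    ge: Optional[int] = None   # minimum prefix length accepted
    le: Optional[int] = None   # maximum prefix length accepted

    def length_bounds(self) -> Tuple[int, int]:
        """Prefix-length window implied by ge/le. Without either keyword the
        entry matches only the exact length; 'le' alone means LEN..le;
        'ge' alone means ge..(32 or 128)."""
        net = ipaddress.ip_network(self.prefix, strict=False)
        lo = self.ge if self.ge is not None else net.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = net.max_prefixlen if self.ge is not None else net.prefixlen
        return lo, hi

    def matches(self, route: str) -> bool:
        net = ipaddress.ip_network(self.prefix, strict=False)
        cand = ipaddress.ip_network(route, strict=False)
        # The first LEN bits of the route must agree with the entry prefix.
        if cand.version != net.version or not cand.subnet_of(net):
            return False
        lo, hi = self.length_bounds()
        return lo <= cand.prefixlen <= hi


@dataclass
class PrefixList:
    name: str
    entries: List[PrefixListEntry]
    hits: Dict[int, int] = field(default_factory=dict)   # per-sequence hit count

    def evaluate(self, route: str) -> Tuple[str, Optional[int]]:
        """First matching sequence decides; an empty or non-matching list
        denies (implicit deny), reported with sequence None."""
        for entry in sorted(self.entries, key=lambda e: e.seq):
            if entry.matches(route):
                self.hits[entry.seq] = self.hits.get(entry.seq, 0) + 1
                return entry.action, entry.seq
        return "deny", None

    def clear_hits(self) -> None:
        """Same effect as 'clear ip prefix-list' on the switch."""
        self.hits.clear()


def build_sample_list() -> PrefixList:
    # Constructed sample list (not from the guide):
    #  seq 5  deny   0.0.0.0/0                  -> drop a bare default route
    #  seq 10 permit 10.0.0.0/8 le 24           -> 10/8 itself and anything down to /24
    #  seq 15 permit 192.168.0.0/16 ge 24 le 24 -> only /24s inside 192.168/16
    return PrefixList("CUSTOMER-IN", [
        PrefixListEntry(5, "deny", "0.0.0.0/0"),
        PrefixListEntry(10, "permit", "10.0.0.0/8", le=24),
        PrefixListEntry(15, "permit", "192.168.0.0/16", ge=24, le=24),
    ])


if __name__ == "__main__":
    pl = build_sample_list()
    for r in ["10.1.0.0/16", "10.1.1.0/25", "192.168.5.0/24", "0.0.0.0/0", "172.16.0.0/12"]:
        print(r, "->", pl.evaluate(r))
    print("hits:", pl.hits)
```

Note that a route more specific than the le bound (10.1.1.0/25 against seq 10) falls through every entry and is dropped by the implicit deny, which is the behaviour to expect when a neighbor leaks long prefixes through a list that was only meant to admit aggregates.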
Command / Purpose
Step 5  set comm-list list-num delete -- (Optional) Remove communities from the community attribute of an inbound or outbound update that match a standard or extended community list specified by a route map.
Step 6  exit -- Return to global configuration mode.
Step 7  ip bgp-community new-format -- (Optional) Display and parse BGP communities in the format AA:NN. A BGP community is displayed in a two-part format 2 bytes long.
Command / Purpose
Step 7  neighbor {ip-address | peer-group-name} default-originate [route-map map-name] -- (Optional) Allow a BGP speaker (the local router) to send the default route 0.0.0.0 to a neighbor for use as a default route.
Step 8  neighbor {ip-address | peer-group-name} send-community -- (Optional) Specify that the COMMUNITIES attribute be sent to the neighbor at this IP address.
Command / Purpose
Step 23  neighbor {ip-address | peer-group-name} soft-reconfiguration inbound -- (Optional) Configure the software to start storing received updates.
Step 24  end -- Return to privileged EXEC mode.
Step 25  show ip bgp neighbors -- Verify the configuration.
Step 26  copy running-config startup-config -- (Optional) Save your entries in the configuration file.
To delete an aggregate entry, use the no aggregate-address address mask router configuration command. To return options to the default values, use the command with keywords.
Configuring Routing Domain Confederations
One way to reduce the IBGP mesh is to divide an autonomous system into multiple subautonomous systems and to group them into a single confederation that appears as a single autonomous system.
When the route reflector receives an advertised route, it takes one of these actions, depending on the neighbor:
• A route from an external BGP speaker is advertised to all clients and nonclient peers.
• A route from a nonclient peer is advertised to all clients.
• A route from a client is advertised to all clients and nonclient peers.
Hence, the clients need not be fully meshed.
Beginning in privileged EXEC mode, use these commands to configure BGP route dampening:
Command / Purpose
Step 1  configure terminal -- Enter global configuration mode.
Step 2  router bgp autonomous-system -- Enter BGP router configuration mode.
Step 3  bgp dampening -- Enable BGP route dampening.
Step 4  bgp dampening half-life reuse suppress max-suppress [route-map map] -- (Optional) Change the default values of route dampening factors.
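To see how the four dampening factors in Step 4 interact, the following Python models the penalty arithmetic behind bgp dampening. It is an added example, not code from the guide or from IOS: each flap adds a penalty of 1000, the penalty halves every half-life, a route is suppressed once the penalty exceeds suppress, it is reused once the penalty decays below reuse, and the penalty is capped at reuse * 2^(max-suppress / half-life) so that no route stays suppressed longer than max-suppress. The default values used here (15 minutes, 750, 2000, 60 minutes) are the IOS defaults; the flap timestamps are constructed inputs.

```python
import math
from dataclasses import dataclass

FLAP_PENALTY = 1000   # penalty the router adds each time a route flaps


@dataclass
class DampeningParams:
    """The four factors of 'bgp dampening half-life reuse suppress max-suppress'.
    Defaults here are the IOS defaults (15 min, 750, 2000, 60 min)."""
    half_life_min: float = 15.0
    reuse: int = 750
    suppress: int = 2000
    max_suppress_min: float = 60.0

    def max_penalty(self) -> float:
        # Cap that keeps suppression time at or below max-suppress:
        # reuse * 2^(max-suppress / half-life)  (12000 with the defaults)
        return self.reuse * 2 ** (self.max_suppress_min / self.half_life_min)


@dataclass
class DampenedRoute:
    penalty: float = 0.0
    last_update_min: float = 0.0
    suppressed: bool = False


def decay(penalty: float, elapsed_min: float, half_life_min: float) -> float:
    """Exponential decay: the penalty halves every half-life."""
    return penalty * 2 ** (-elapsed_min / half_life_min)


def record_flap(route: DampenedRoute, now_min: float, p: DampeningParams) -> DampenedRoute:
    """Apply one flap at time now_min: decay the old penalty, add the flap
    penalty, cap it, and suppress the route if it crosses the suppress limit."""
    current = decay(route.penalty, now_min - route.last_update_min, p.half_life_min)
    route.penalty = min(current + FLAP_PENALTY, p.max_penalty())
    route.last_update_min = now_min
    if route.penalty > p.suppress:
        route.suppressed = True
    return route


def state_at(route: DampenedRoute, now_min: float, p: DampeningParams):
    """Penalty and suppression state at a later time with no further flap.
    A suppressed route is reused once its penalty decays below the reuse limit."""
    penalty = decay(route.penalty, now_min - route.last_update_min, p.half_life_min)
    suppressed = route.suppressed and penalty >= p.reuse
    return penalty, suppressed


def minutes_until_reuse(route: DampenedRoute, p: DampeningParams) -> float:
    """Minutes after the last update until a suppressed route is reused."""
    if not route.suppressed or route.penalty < p.reuse:
        return 0.0
    return p.half_life_min * math.log2(route.penalty / p.reuse)


def simulate(flap_times_min, p: DampeningParams = DampeningParams()) -> DampenedRoute:
    """Feed a constructed sequence of flap timestamps (in minutes) through the model."""
    route = DampenedRoute()
    for t in flap_times_min:
        record_flap(route, t, p)
    return route


if __name__ == "__main__":
    r = simulate([0, 1, 2])   # three flaps one minute apart (constructed)
    print(f"penalty={r.penalty:.0f} suppressed={r.suppressed} "
          f"reuse_in={minutes_until_reuse(r, DampeningParams()):.1f} min")
```

Three flaps a minute apart already push the penalty past 2000 and suppress the route for about 29 minutes; the cap is what stops a persistently flapping neighbor from being suppressed for hours beyond max-suppress.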
Table 38-11 IP BGP Clear and Show Commands (continued)
Command / Purpose
show ip bgp prefix -- Display peer groups and peers not in peer groups to which the prefix has been advertised. Also display prefix attributes such as the next hop and the local prefix.
show ip bgp cidr-only -- Display all BGP routes that contain subnet and supernet network masks.
Configuring ISO CLNS Routing
When dynamically routing, you use IS-IS. This routing protocol supports the concept of areas. Within an area, all routers know how to reach all the system IDs. Between areas, routers know how to reach the proper area. IS-IS supports two levels of routing: station routing (within an area) and area routing (between areas). The key difference between the ISO IGRP and IS-IS NSAP addressing schemes is in the definition of area addresses.
This section briefly describes how to configure IS-IS routing. It includes this information:
• Default IS-IS Configuration, page 38-67
• Enabling IS-IS Routing, page 38-68
• Configuring IS-IS Global Parameters, page 38-70
• Configuring IS-IS Interface Parameters, page 38-72
Default IS-IS Configuration
Table 38-12 shows the default IS-IS configuration.
Nonstop Forwarding Awareness
The integrated IS-IS NSF Awareness feature is supported for IPv4. The feature allows customer premises equipment (CPE) routers that are NSF-aware to help NSF-capable routers perform nonstop forwarding of packets.
Command / Purpose
Step 10  ip address ip-address-mask -- Define the IP address for the interface. An IP address is required on all interfaces in an area enabled for IS-IS if any one interface is configured for IS-IS routing.
Step 11  end -- Return to privileged EXEC mode.
Step 12  show isis [area tag] database detail -- Verify your entries.
Configuring IS-IS Global Parameters
These are some optional IS-IS global parameters that you can configure:
• You can force a default route into an IS-IS routing domain by configuring a default route controlled by a route map. You can also specify other filtering options configurable under a route map.
Command / Purpose
Step 9  set-overload-bit [on-startup {seconds | wait-for-bgp}] -- (Optional) Set an overload bit (a hippity bit) to allow other routers to ignore the router in their shortest path first (SPF) calculations if the router is having problems.
• (Optional) on-startup—sets the overload bit only on startup.
Command / Purpose
Step 14  prc-interval prc-max-wait [prc-initial-wait prc-second-wait] -- (Optional) Sets IS-IS partial route computation (PRC) throttling timers.
• prc-max-wait—the maximum interval (in seconds) between two consecutive PRC calculations. The range is 1 to 120; the default is 5.
• prc-initial-wait—the initial PRC calculation delay (in milliseconds) after a topology change.
frequently and IS-IS adjacencies are failing unnecessarily. You can raise the hello multiplier and lower the hello interval correspondingly to make the hello protocol more reliable without increasing the time required to detect a link failure.
• Other time intervals:
– Complete sequence number PDU (CSNP) interval. CSNPs are sent by the designated router to maintain database synchronization.
– Retransmission interval.
Command / Purpose
Step 7  isis retransmit-interval seconds -- (Optional) Configure the number of seconds between retransmission of IS-IS LSPs for point-to-point links. The value you specify should be an integer greater than the expected round-trip delay between any two routers on the network. The range is from 0 to 65535. The default is 5 seconds.
Table 38-13 lists the privileged EXEC commands for clearing and displaying ISO CLNS and IS-IS routing. For explanations of the display fields, see the Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS and XNS Command Reference, Release 12.2, use the Cisco IOS command reference master index, or search online.
Configuring Multi-VRF CE
The Catalyst 3750 switch supports multiple VPN routing/forwarding (multi-VRF) instances in customer edge (CE) devices (multi-VRF CE) when the switch is running the IP services image. Multi-VRF CE allows a service provider to support two or more VPNs with overlapping IP addresses. If you try to configure it on a switch running the IP base image, you see an error message.
With multi-VRF CE, multiple customers can share one CE, and only one physical link is used between the CE and the PE. The shared CE maintains separate VRF tables for each customer and switches or routes packets for each customer based on its own routing table. Multi-VRF CE extends limited PE functionality to a CE device, giving it the ability to maintain separate VRF tables to extend the privacy and security of a VPN to the branch office.
To configure VRF, you create a VRF table and specify the Layer 3 interface associated with the VRF. Then configure the routing protocols in the VPN and between the CE and the PE. BGP is the preferred routing protocol used to distribute VPN routing information across the provider’s backbone. The multi-VRF CE network has three major components:
• VPN route target communities—lists of all other members of a VPN community.
• A customer can use multiple VLANs as long as they do not overlap with those of other customers. A customer’s VLANs are mapped to a specific routing table ID that is used to identify the appropriate routing tables stored on the switch.
• A Catalyst 3750 switch supports one global network and up to 26 VRFs.
• Most routing protocols (BGP, OSPF, RIP, and static routing) can be used between the CE and the PE.
Command / Purpose
Step 5  route-target {export | import | both} route-target-ext-community -- Create a list of import, export, or import and export route target communities for the specified VRF. Enter either an AS system number and an arbitrary number (xxx:y) or an IP address and an arbitrary number (A.B.C.D:y). The route-target-ext-community should be the same as the route-distinguisher entered in Step 4.
Command / Purpose
Step 9  ip vrf forwarding vrf-name -- Associate the VRF with the Layer 3 interface.
Step 10  ip address ip-address mask -- Configure IP address for the Layer 3 interface.
Step 11  ip pim sparse-dense mode -- Enable PIM on the VRF-associated Layer 3 interface.
Step 12  end -- Return to privileged EXEC mode.
Step 13  show ip vrf [brief | detail | interfaces] [vrf-name] -- Verify the configuration.
User Interface for ARP
Beginning in privileged EXEC mode, follow these steps to configure VRF-aware services for ARP. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2.
Command / Purpose
show ip arp vrf vrf-name -- Display the ARP table in the specified VRF.
User Interface for HSRP
HSRP support for VRFs ensures that HSRP virtual IP addresses are added to the correct IP routing table. Beginning in privileged EXEC mode, follow these steps to configure VRF-aware services for HSRP. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2.
User Interface for Traceroute
Beginning in privileged EXEC mode, follow these steps to configure VRF-aware services for traceroute. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2.
Command / Purpose
traceroute vrf vrf-name ipaddress -- Specify the name of a VPN VRF in which to find the destination address.
Configuring a VPN Routing Session
Routing within the VPN can be configured with any supported routing protocol (RIP, OSPF, EIGRP, or BGP) or with static routing. The configuration shown here is for OSPF, but the process is the same for other protocols.
Command / Purpose
Step 6  address-family ipv4 vrf vrf-name -- Define BGP parameters for PE to CE routing sessions, and enter VRF address-family mode.
Step 7  neighbor address remote-as as-number -- Define a BGP session between PE and CE routers.
Step 8  neighbor address activate -- Activate the advertisement of the IPv4 address family.
Step 9  end -- Return to privileged EXEC mode.
Configuring Switch A
On Switch A, enable routing and configure VRF.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface vlan118
Switch(config-if)# ip vrf forwarding v12
Switch(config-if)# ip address 118.0.0.8 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface vlan208
Switch(config-if)# ip vrf forwarding v11
Switch(config-if)# ip address 208.0.0.8 255.255.255.0
Switch(config-if)# exit
Configure OSPF routing in VPN1 and VPN2.
Switch(config-if)# no ip address
Switch(config-if)# exit
Switch(config)# interface vlan118
Switch(config-if)# ip address 118.0.0.11 255.255.255.0
Switch(config-if)# exit
Switch(config)# router ospf 101
Switch(config-router)# network 118.0.0.0 0.0.0.255 area 0
Switch(config-router)# end
Configuring the PE Switch B
When used on switch B (the PE router), these commands configure only the connections to the CE device, Switch A.
Router(config-router-af)# network 3.3.1.0 mask 255.255.255.0
Router(config-router-af)# end
Displaying Multi-VRF CE Status
You can use the privileged EXEC commands in Table 38-15 to display information about multi-VRF CE configuration and status.
Table 38-15 Commands for Displaying Multi-VRF CE Information
Command / Purpose
show ip protocols vrf vrf-name -- Display routing protocol information associated with a VRF.
Configuring Protocol-Independent Features
Configuring Distributed Cisco Express Forwarding
Cisco Express Forwarding (CEF) is a Layer 3 IP switching technology used to optimize network performance. CEF implements an advanced IP look-up and forwarding algorithm to deliver maximum Layer 3 switching performance. CEF is less CPU-intensive than fast switching route caching, allowing more CPU processing power to be dedicated to packet forwarding.
Command / Purpose
Step 6  show ip cef -- Display the CEF status on all interfaces.
Step 7  show cef linecard [slot-number] [detail] -- Display CEF-related interface information by stack member for all switches in the stack or for the specified switch. (Optional) For slot-number, enter the stack member switch number.
Beginning in privileged EXEC mode, follow these steps to configure a static route:
Command / Purpose
Step 1  configure terminal -- Enter global configuration mode.
Step 2  ip route prefix mask {address | interface} [distance] -- Establish a static route.
Step 3  end -- Return to privileged EXEC mode.
Step 4  show ip route -- Display the current state of the routing table to verify the configuration.
Specifying Default Routes and Networks
A router might not be able to learn the routes to all other networks. To provide complete routing capability, you can use some routers as smart routers and give the remaining routers default routes to the smart router. (Smart routers have routing table information for the entire internetwork.
the conditions defined by the match command. Although redistribution is a protocol-independent feature, some of the match and set route-map configuration commands are specific to a particular protocol. One or more match commands and one or more set commands follow a route-map command. If there are no match commands, everything matches. If there are no set commands, nothing is done, other than the match.
Command / Purpose
Step 5  match ip address {access-list-number | access-list-name} [...access-list-number | ...access-list-name] -- Match a standard access list by specifying the name or number. It can be an integer from 1 to 199.
Step 6  match metric metric-value -- Match the specified route metric. The metric-value can be an EIGRP metric with a specified value from 0 to 4294967295.
Command / Purpose
Step 18  set metric bandwidth delay reliability loading mtu -- Set the metric value to give the redistributed routes (for EIGRP only):
• bandwidth—Metric value or IGRP bandwidth of the route in kilobits per second in the range 0 to 4294967295.
• delay—Route delay in tens of microseconds in the range 0 to 4294967295.
Command / Purpose
Step 4  default-metric number -- Cause the current routing protocol to use the same metric value for all redistributed routes (BGP, RIP and OSPF).
Step 5  default-metric bandwidth delay reliability loading mtu -- Cause the EIGRP routing protocol to use the same metric value for all non-EIGRP redistributed routes.
Step 6  end -- Return to privileged EXEC mode.
For more information about configuring route maps, see the “Using Route Maps to Redistribute Routing Information” section on page 38-94. You can use standard IP ACLs to specify match criteria for a source address or extended IP ACLs to specify match criteria based on an application, a protocol type, or an end station. The process proceeds through the route map until a match is found.
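The route-map rules stated above for redistribution and for policy routing (clauses evaluated in sequence until a match is found; a clause with no match commands matches everything; a clause with no set commands passes the route unchanged; a deny clause or no matching clause drops it) are easy to get wrong when a map has several sequences. The following Python is an added example, not code from the guide or from IOS: it models a route map as ordered clauses whose match criteria are sets of accepted attribute values (standing in for match tag, match metric and match route-type) and whose set actions are attribute overrides. The map name OSPF-TO-EIGRP, the tag value 666 and the sample routes are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Set

Route = Dict[str, Any]


@dataclass
class RouteMapClause:
    """One 'route-map NAME {permit|deny} SEQ' block. `match` maps an attribute
    name to the set of values it accepts; `sets` holds the set actions."""
    seq: int
    action: str                                  # "permit" or "deny"
    match: Dict[str, Set[Any]] = field(default_factory=dict)
    sets: Dict[str, Any] = field(default_factory=dict)

    def matches(self, route: Route) -> bool:
        # Every match command in a clause must be satisfied; a clause with
        # no match commands matches everything (all() of an empty set).
        return all(route.get(attr) in accepted for attr, accepted in self.match.items())


def apply_route_map(clauses: List[RouteMapClause], route: Route) -> Optional[Route]:
    """Evaluate clauses in sequence order and stop at the first match.
    permit -> a copy of the route with the set actions applied (unchanged if
    the clause has none); deny, or no matching clause at all, -> None."""
    for clause in sorted(clauses, key=lambda c: c.seq):
        if not clause.matches(route):
            continue
        if clause.action == "deny":
            return None
        out = dict(route)          # never mutate the caller's route
        out.update(clause.sets)
        return out
    return None                    # implicit deny at the end of the map


def redistribute(clauses: List[RouteMapClause], routes: List[Route]) -> List[Route]:
    """The routes that survive the map, as a redistribution filter would pass them."""
    results = []
    for r in routes:
        kept = apply_route_map(clauses, r)
        if kept is not None:
            results.append(kept)
    return results


def sample_route_map() -> List[RouteMapClause]:
    # Constructed example (not from the guide):
    #  route-map OSPF-TO-EIGRP deny 10   : match tag 666             (drop tagged routes)
    #  route-map OSPF-TO-EIGRP permit 20 : match route-type external ; set metric 200 ; set tag 20
    #  route-map OSPF-TO-EIGRP permit 30 : no match, no set           (pass everything else)
    return [
        RouteMapClause(10, "deny", match={"tag": {666}}),
        RouteMapClause(20, "permit", match={"route_type": {"external"}},
                       sets={"metric": 200, "tag": 20}),
        RouteMapClause(30, "permit"),
    ]


SAMPLE_ROUTES: List[Route] = [   # constructed inputs
    {"prefix": "10.1.0.0/16", "route_type": "internal", "metric": 10, "tag": 666},
    {"prefix": "10.2.0.0/16", "route_type": "external", "metric": 10, "tag": 0},
    {"prefix": "10.3.0.0/16", "route_type": "internal", "metric": 10, "tag": 0},
]


if __name__ == "__main__":
    for r in redistribute(sample_route_map(), SAMPLE_ROUTES):
        print(r)
```

Removing the final permit 30 clause is the classic mistake: every route that seq 10 and seq 20 do not name then hits the implicit deny and silently disappears from the redistribution.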
• Policy-based routing based on packet length, TOS, set interface, set default next hop, or set default interface are not supported. Policy maps with no valid set actions or with set action set to Don’t Fragment are not supported.
Beginning in privileged EXEC mode, follow these steps to configure PBR:
Command / Purpose
Step 1  configure terminal -- Enter global configuration mode.
Step 2  route-map map-tag [permit] [sequence number] -- Define any route maps used to control where packets are output, and enter route-map configuration mode.
• map-tag—A meaningful name for the route map.
Command / Purpose
Step 11  end -- Return to privileged EXEC mode.
Step 12  show route-map [map-name] -- (Optional) Display all route maps configured or only the one specified to verify configuration.
Step 13  show ip policy -- (Optional) Display policy route maps attached to interfaces.
Step 14  show ip local policy -- (Optional) Display whether or not local policy routing is enabled and, if so, the route map being used.
Command / Purpose
Step 7  end -- Return to privileged EXEC mode.
Step 8  copy running-config startup-config -- (Optional) Save your entries in the configuration file.
Use a network monitoring privileged EXEC command such as show ip ospf interface to verify the interfaces that you enabled as passive, or use the show ip interface privileged EXEC command to verify the interfaces that you enabled as active.
router to intelligently discriminate between sources of routing information. The router always picks the route whose routing protocol has the lowest administrative distance. Table 38-16 on page 38-93 shows the default administrative distances for various routing information sources. Because each network has its own requirements, there are no general guidelines for assigning administrative distances.
Beginning in privileged EXEC mode, follow these steps to manage authentication keys:
Command / Purpose
Step 1  configure terminal -- Enter global configuration mode.
Step 2  key chain name-of-chain -- Identify a key chain, and enter key chain configuration mode.
Step 3  key number -- Identify the key number. The range is 0 to 2147483647.
Step 4  key-string text -- Identify the key string.
Monitoring and Maintaining the IP Network
You can remove all contents of a particular cache, table, or database. You can also display specific statistics. Use the privileged EXEC commands in Table 38-17 to clear routes or display status:
Table 38-17 Commands to Clear IP Routes or Display Route Status
Command / Purpose
clear ip route {network [mask | *]} -- Clear one or more routes from the IP routing table.
Chapter 39 Configuring IPv6 Unicast Routing
This chapter describes how to configure IPv6 unicast routing on the Catalyst 3750 switch.
Note: To use all IPv6 features in this chapter, the stack master must be running the IP services image. Switches running the IP base image support only IPv6 static routing and RIP for IPv6. For information about configuring IPv6 Multicast Listener Discovery (MLD) snooping, see Chapter 40, “Configuring IPv6 MLD Snooping.”
Chapter 39 Configuring IPv6 Unicast Routing Understanding IPv6
Understanding IPv6
IPv4 users can move to IPv6 and receive services such as end-to-end security, quality of service (QoS), and globally unique addresses. The IPv6 address space reduces the need for private addresses and Network Address Translation (NAT) processing by border routers at network edges. For information about how Cisco Systems implements IPv6, go to: http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.
• IPv6 Address Output Display
• Simplified IPv6 Packet Header
Supported IPv6 Unicast Routing Features
These sections describe the IPv6 protocol features supported by the switch:
• 128-Bit Wide Unicast Addresses, page 39-3
• DNS for IPv6, page 39-4
• Path MTU Discovery for IPv6 Unicast, page 39-4
• ICMPv6, page 39-4
• Neighbor Discovery, page 39-4
• Default Router Preference, page 39-5
• IPv6 Stateless Autoconfiguration and Dup
These addresses are defined by a global routing prefix, a subnet ID, and an interface ID. Current global unicast address allocation uses the range of addresses that start with binary value 001 (2000::/3). Addresses with a prefix of 2000::/3(001) through E000::/3(111) must have 64-bit interface identifiers in the extended unique identifier (EUI)-64 format.
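The EUI-64 rule above is what stateless autoconfiguration applies when it builds a host address from a /64 prefix and the interface MAC: the MAC is split in half, FF:FE is inserted, and the universal/local bit (0x02 in the first octet) is inverted. The following Python is an added example, not code from the guide or from IOS; it derives the interface identifier, joins it with a prefix, and checks the 2000::/3 through E000::/3 range that the text says requires 64-bit interface identifiers. The MAC addresses and prefixes used are constructed sample values.

```python
import ipaddress


def mac_to_eui64_iid(mac: str) -> bytes:
    """Build the 64-bit interface identifier from a 48-bit MAC: split the MAC
    in the middle, insert FF:FE, and invert the universal/local bit
    (bit 0x02 of the first octet). Accepts 00:0c:29:ab:cd:ef, 00-0c-... or
    the dotted 000c.29ab.cdef form shown in IOS output."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def iid_to_text(iid: bytes) -> str:
    """Render an 8-byte interface ID as four 16-bit groups."""
    return ":".join(iid[i:i + 2].hex() for i in range(0, 8, 2))


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface ID, as stateless
    autoconfiguration does; returns the compressed textual form."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a 64-bit prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def _top3_bits(prefix: str) -> int:
    return int(ipaddress.IPv6Network(prefix, strict=False).network_address) >> 125


def requires_eui64_iid(prefix: str) -> bool:
    """True for 2000::/3 (001) through E000::/3 (111): every range except
    the one starting with binary 000 must carry 64-bit interface IDs."""
    return _top3_bits(prefix) != 0


def is_global_unicast_allocation(prefix: str) -> bool:
    """True when the prefix lies in 2000::/3, the range currently used for
    global unicast allocation."""
    return _top3_bits(prefix) == 0b001


if __name__ == "__main__":
    mac = "00:0c:29:ab:cd:ef"          # constructed sample MAC
    print(iid_to_text(mac_to_eui64_iid(mac)))
    print(eui64_address("2001:db8:1:1::/64", mac))
```

Because the interface ID is derived from the MAC, an autoconfigured address exposes the hardware address of the host in every packet it sends; that is the reason privacy extensions and DHCP-assigned addresses exist, and it is worth remembering when deciding which addressing mode to run on user-facing VLANs.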
Chapter 39 Configuring IPv6 Unicast Routing Understanding IPv6 Default Router Preference The switch supports IPv6 default router preference (DRP), an extension in router advertisement messages. DRP improves the ability of a host to select an appropriate router, especially when the host is multihomed and the routers are on different links. The switch does not support the Route Information Option in RFC 4191.
Chapter 39 Configuring IPv6 Unicast Routing Understanding IPv6 Figure 39-1 Dual IPv4 and IPv6 Support on an Interface IPv4 IPv6 122379 10.1.1.1 3ffe:yyyy::1 Use the dual IPv4 and IPv6 switch database management (SDM) template to enable IPv6 routing. For more information about the dual IPv4 and IPv6 SDM template, see Chapter 8, “Configuring SDM Templates.” The dual desktop and aggregator IPv4 and IPv6 templates allow the switch to be used in dual stack environments.
Chapter 39 Configuring IPv6 Unicast Routing Understanding IPv6 For more information about static routes, see the “Implementing Static Routes for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. RIP for IPv6 Routing Information Protocol (RIP) for IPv6 is a distance-vector protocol that uses hop count as a routing metric. It includes support for IPv6 addresses and prefixes and the all-RIP-routers multicast group address FF02::9 as the destination address for RIP update messages.
SNMP and syslog over IPv6 provide these features:
• Support for both IPv4 and IPv6
• IPv6 transport for SNMP, with the SNMP agent modified to support traps for an IPv6 host
• SNMP- and syslog-related MIBs to support IPv6 addressing
• Configuration of IPv6 hosts as trap receivers
For support over IPv6, SNMP modifies the existing IP transport mapping to simultaneously support IPv4 and IPv6.
• The switch as a tunnel endpoint supporting IPv4-to-IPv6 or IPv6-to-IPv4 tunneling protocols
• IPv6 unicast reverse-path forwarding
• IPv6 general prefixes
Limitations
Because IPv6 is implemented in switch hardware, some limitations occur due to the IPv6 compressed addresses in the TCAM. These hardware limitations result in some loss of functionality and limit some features. These are the feature limitations.
If a new switch becomes the stack master, it recomputes the IPv6 routing tables and distributes them to the member switches. While the new stack master is being elected and is resetting, the switch stack does not forward IPv6 packets. The stack MAC address changes, which also changes the IPv6 address.
Configuring IPv6
These sections contain this IPv6 forwarding configuration information:
• Default IPv6 Configuration, page 39-11
• Configuring IPv6 Addressing and Enabling IPv6 Routing, page 39-12
• Configuring Default Router Preference, page 39-14
• Configuring IPv4 and IPv6 Protocol Stacks, page 39-15
• Configuring DHCP for IPv6 Address Assignment, page 39-16
• Configuring IPv6 ICMP Rate Limiting, page 39-20
• Configuring CEF and
Configuring IPv6 Addressing and Enabling IPv6 Routing
This section describes how to assign IPv6 addresses to individual Layer 3 interfaces and to globally forward IPv6 traffic on the switch. Before configuring IPv6 on the switch, consider these guidelines:
• Be sure to select a dual IPv4 and IPv6 SDM template.
• Not all features discussed in this chapter are supported by the Catalyst 3750 switch running the IP services image.
Step 6: interface interface-id
Enter interface configuration mode, and specify the Layer 3 interface to configure. The interface can be a physical interface, a switch virtual interface (SVI), or a Layer 3 EtherChannel.
Step 7: no switchport
Remove the interface from Layer 2 configuration mode (if it is a physical interface).
Switch# show ipv6 interface gigabitethernet1/0/1
GigabitEthernet1/0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::20B:46FF:FE2F:D940
  Global unicast address(es):
    2001:0DB8:c18:1:20B:46FF:FE2F:D940, subnet is 2001:0DB8:c18:1::/64 [EUI]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF2F:D940
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, numb
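The [EUI] tag in the output above means the interface identifier was derived from the port MAC address. The following added example (not code from the Cisco guide) reproduces that modified EUI-64 derivation, the link-local address, and the solicited-node multicast group the interface joins, and checks them against the addresses shown for MAC 000b.462f.d940; the prefix 2001:db8:c18:1::/64 is the one from the output.

```python
"""Derive the IPv6 addresses a switch forms from an interface MAC address.

Added example, not part of the Cisco guide: it reproduces the EUI-64
interface identifier construction described in the chapter and checks
the result against the show ipv6 interface output above, where MAC
000b.462f.d940 yields link-local FE80::20B:46FF:FE2F:D940.
"""
import ipaddress
import re


def mac_to_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a MAC.

    RFC 4291, Appendix A: split the 48-bit MAC in the middle, insert
    0xFFFE, and invert the universal/local (U/L) bit of the first byte.
    Accepts Cisco (000b.462f.d940) and colon (00:0b:46:2f:d9:40) notation.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes.fromhex(hexdigits)
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02  # invert the U/L bit to form the modified EUI-64
    return bytes(eui64)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the modified EUI-64 identifier of a MAC."""
    network = ipaddress.IPv6Network(prefix, strict=False)
    if network.prefixlen != 64:
        raise ValueError("EUI-64 addressing requires a 64-bit prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(network.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Link-local address: fe80::/64 plus the modified EUI-64 identifier."""
    return eui64_address("fe80::/64", mac)


def solicited_node_multicast(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """Solicited-node group ff02::1:ffXX:XXXX joined for neighbor discovery and DAD.

    Formed from the low-order 24 bits of the unicast address (RFC 4291, 2.7.1).
    """
    low24 = int(addr) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def interface_addresses(prefix: str, mac: str) -> dict:
    """Return the address set that show ipv6 interface lists for an EUI-64 interface."""
    global_addr = eui64_address(prefix, mac)
    return {
        "link_local": link_local_address(mac),
        "global": global_addr,
        "subnet": ipaddress.IPv6Network(prefix, strict=False),
        "solicited_node": solicited_node_multicast(global_addr),
    }


if __name__ == "__main__":
    for name, value in interface_addresses("2001:db8:c18:1::/64", "000b.462f.d940").items():
        print(f"{name:15} {value}")
```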
Configuring IPv4 and IPv6 Protocol Stacks
Before configuring IPv6 routing, you must select an SDM template that supports IPv4 and IPv6. If not already configured, use the sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan} [desktop] global configuration command to configure a template that supports IPv6. When you select a new template, you must reload the switch by using the reload privileged EXEC command so that the template takes effect.
This example shows how to enable IPv4 and IPv6 routing on an interface.
Switch(config)# sdm prefer dual-ipv4-and-ipv6 default
Switch(config)# ip routing
Switch(config)# ipv6 unicast-routing
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.168.99.1 244.244.244.
Enabling DHCPv6 Server Function
Beginning in privileged EXEC mode, follow these steps to enable the DHCPv6 server function on an interface.
Step 1: configure terminal
Enter global configuration mode.
Step 2: ipv6 dhcp pool poolname
Enter DHCP pool configuration mode, and define the name for the IPv6 DHCP pool. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0).
Step 10: ipv6 dhcp server [poolname | automatic] [rapid-commit] [preference value] [allow-hint]
Enable the DHCPv6 server function on an interface.
• poolname—(Optional) User-defined name for the IPv6 DHCP pool. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0).
• automatic—(Optional) Enables the system to automatically determine which pool to use when allocating addresses for a client.
This example shows how to configure a pool called 350 with vendor-specific options:
Switch# configure terminal
Switch(config)# ipv6 dhcp pool 350
Switch(config-dhcpv6)# address prefix 2001:1005::0/48
Switch(config-dhcpv6)# vendor-specific 9
Switch(config-dhcpv6-vs)# suboption 1 address 1000:235D::1
Switch(config-dhcpv6-vs)# suboption 2 ascii "IP-Phone"
Switch(config-dhcpv6-vs)# end
Enabling DHCPv6 Client Function
Beginning in privileged EXEC mo
Configuring IPv6 ICMP Rate Limiting
ICMP rate limiting is enabled by default with a default interval between error messages of 100 milliseconds and a bucket size (maximum number of tokens to be stored in a bucket) of 10.
Beginning in privileged EXEC mode, follow these steps to change the ICMP rate-limiting parameters:
Step 1: configure terminal
Enter global configuration mode.
Configuring Static Routes for IPv6
Before configuring a static IPv6 route, you must enable routing by using the ip routing global configuration command, enable the forwarding of IPv6 packets by using the ipv6 unicast-routing global configuration command, and enable IPv6 on at least one Layer 3 interface by configuring an IPv6 address on the interface.
Step 4: show ipv6 static [ipv6-address | ipv6-prefix/prefix length] [interface interface-id] [recursive] [detail]
Verify your entries by displaying the contents of the IPv6 routing table.
or
• interface interface-id—(Optional) Display only those static routes with the specified interface as an egress interface.
• recursive—(Optional) Display only recursive static routes.
Step 7: ipv6 rip name default-information {only | originate}
(Optional) Originate the IPv6 default route (::/0) into the RIP routing process updates sent from the specified interface.
Note
To avoid routing loops after the IPv6 default route (::/0) is originated from any interface, the routing process ignores all default routes received on any interface.
Beginning in privileged EXEC mode, follow these required and optional steps to configure IPv6 OSPF:
Step 1: configure terminal
Enter global configuration mode.
Step 2: ipv6 router ospf process-id
Enable OSPF router configuration mode for the process. The process ID is the number administratively assigned when enabling the OSPF for IPv6 routing process. It is locally assigned and can be a positive integer from 1 to 65535.
To disable an OSPF routing process, use the no ipv6 router ospf process-id global configuration command. To disable the OSPF routing process for an interface, use the no ipv6 ospf process-id area area-id interface configuration command. For more information about configuring OSPF routing for IPv6, see the “Implementing OSPF for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
Enabling HSRP Version 2
Beginning in privileged EXEC mode, follow these steps to enable HSRP version 2 on a Layer 3 interface.
Step 1: configure terminal
Enter global configuration mode.
Step 2: interface interface-id
Enter interface configuration mode, and enter the Layer 3 interface on which you want to specify the standby version.
Step 3: standby version {1 | 2}
Enter 2 to change the HSRP version. The default is 1.
Step 4: standby [group-number] preempt [delay {minimum seconds | reload seconds | sync seconds}]
Configure the router to preempt, which means that when the local router has a higher priority than the active router, it assumes control as the active router.
• (Optional) group-number—The group number to which the command applies.
Displaying IPv6
For complete syntax and usage information on these commands, see the Cisco IOS command reference publications.
Table 39-2 shows the privileged EXEC commands for monitoring IPv6 on the switch.
Table 39-2 Commands for Monitoring IPv6
show ipv6 access-list: Display a summary of access lists.
show ipv6 cef: Display Cisco Express Forwarding for IPv6.
Table 39-4 shows the privileged EXEC commands for displaying information about IPv4 and IPv6 address types.
Table 39-4 Commands for Displaying IPv4 and IPv6 Address Types
show ip http server history: Display the previous 20 connections to the HTTP server, including the IP address accessed and the time when the connection was closed.
3FFE:C000:16A:1::/64 attached to Loopback10
3FFE:C000:16A:1:20B:46FF:FE2F:D900/128 receive
This is an example of the output from the show ipv6 traffic privileged EXEC command.
Chapter 40 Configuring IPv6 MLD Snooping
You can use Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP version 6 (IPv6) multicast data to clients and routers in a switched network on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note
To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
equivalent to IGMPv2 and MLD version 2 (MLDv2) is equivalent to IGMPv3. MLD is a subprotocol of Internet Control Message Protocol version 6 (ICMPv6), and MLD messages are a subset of ICMPv6 messages, identified in IPv6 packets by a preceding Next Header value of 58. The switch supports two versions of MLD snooping:
• MLDv1 snooping detects MLDv1 control packets and sets up traffic bridging based on IPv6 destination multicast addresses.
MLD Queries
The switch sends out MLD queries, constructs an IPv6 multicast address database, and generates MLD group-specific and MLD group-and-source-specific queries in response to MLD Done messages. The switch also supports report suppression, report proxying, Immediate-Leave functionality, and static IPv6 multicast MAC-address configuration. When MLD snooping is disabled, all MLD queries are flooded in the ingress VLAN.
• Received IPv6 multicast router control packets are always flooded to the ingress VLAN, whether or not MLD snooping is enabled on the switch.
• After the discovery of the first IPv6 multicast router port, unknown IPv6 multicast data is forwarded only to the discovered router ports (before that time, all IPv6 multicast data is flooded to the ingress VLAN).
Topology Change Notification Processing
When topology change notification (TCN) solicitation is enabled by using the ipv6 mld snooping tcn query solicit global configuration command, MLDv1 snooping sets the VLAN to flood all IPv6 multicast traffic with a configured number of MLDv1 queries before it begins sending multicast data only to selected ports.
Default MLD Snooping Configuration
Table 40-1 shows the default MLD snooping configuration.
Table 40-1 Default MLD Snooping Configuration
MLD snooping (Global): Disabled.
MLD snooping (per VLAN): Enabled. MLD snooping must be globally enabled for VLAN MLD snooping to take place.
IPv6 Multicast addresses: None configured.
IPv6 Multicast router ports: None configured.
Enabling or Disabling MLD Snooping
By default, IPv6 MLD snooping is globally disabled on the switch and enabled on all VLANs. When MLD snooping is globally disabled, it is also disabled on all VLANs. When you globally enable MLD snooping, the VLAN configuration overrides the global configuration. That is, MLD snooping is enabled only on VLAN interfaces in the default state (enabled).
Configuring a Static Multicast Group
Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure an IPv6 multicast address and member ports for a VLAN.
Beginning in privileged EXEC mode, follow these steps to add a multicast router port to a VLAN:
Step 1: configure terminal
Enter global configuration mode.
Step 2: ipv6 mld snooping vlan vlan-id mrouter interface interface-id
Specify the multicast router VLAN ID, and specify the interface to the multicast router.
• The VLAN ID range is 1 to 1001 and 1006 to 4094.
Configuring MLD Snooping Queries
When Immediate Leave is not enabled and a port receives an MLD Done message, the switch generates MASQs on the port and sends them to the IPv6 multicast address for which the Done message was sent. You can optionally configure the number of MASQs that are sent and the length of time the switch waits for a response before deleting the port from the multicast group.
This example shows how to set the MLD snooping global robustness variable to 3:
Switch# configure terminal
Switch(config)# ipv6 mld snooping robustness-variable 3
Switch(config)# exit
This example shows how to set the MLD snooping last-listener query count for a VLAN to 3:
Switch# configure terminal
Switch(config)# ipv6 mld snooping vlan 200 last-listener-query-count 3
Switch(config)# exit
This example shows how to set the MLD snoopi
Displaying MLD Snooping Information
You can display MLD snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for MLD snooping. To display MLD snooping information, use one or more of the privileged EXEC commands in Table 40-2.
Chapter 41 Configuring IPv6 ACLs
This chapter includes information about configuring IPv6 ACLs on the Catalyst 3750 switch. You can filter IP version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces similarly to the way that you create and apply IP version 4 (IPv4) named ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
• IPv6 port ACLs
– Supported on inbound traffic on Layer 2 interfaces only.
– Applied to all IPv6 packets entering the interface.
A switch stack running the IP base image supports only input router IPv6 ACLs. It does not support port ACLs or output IPv6 router ACLs.
Note
If you configure unsupported IPv6 ACLs, an error message appears and the configuration does not take effect.
The switch does not support VLAN ACLs (VLAN maps) for IPv6 traffic.
IPv6 ACL Limitations
With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs. The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions:
• IPv6 source and destination addresses—ACL matching is supported only on prefixes from /0 to /64 and host addresses (/128) that are in the extended unique identifier (EUI)-64 format.
Configuring IPv6 ACLs
Before configuring IPv6 ACLs, you must select one of the dual IPv4 and IPv6 SDM templates. To filter IPv6 traffic, you perform these steps:
Step 1 Create an IPv6 ACL, and enter IPv6 access list configuration mode.
Step 2 Configure the IPv6 ACL to block (deny) or pass (permit) traffic.
Step 3 Apply the IPv6 ACL to an interface.
Creating IPv6 ACLs
Beginning in privileged EXEC mode, follow these steps to create an IPv6 ACL:
Step 1: configure terminal
Enter global configuration mode.
Step 2: ipv6 access-list access-list-name
Define an IPv6 access list name, and enter IPv6 access-list configuration mode.
Step 3b: deny | permit tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]]
(Optional) Define a TCP access list and the access conditions. Enter tcp for Transmission Control Protocol. The parameters are the same as those described in Step 3a, with these additional optional parameters:
• ack—Acknowledgment bit set.
Use the no deny | permit IPv6 access-list configuration commands with keywords to remove the deny or permit conditions from the specified access list.
This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000.
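The two deny entries are evaluated in order, and anything that matches no entry falls through to the implicit deny at the end of the list. The following added example (not code from the Cisco guide) parses entries in the syntax shown in the steps above and evaluates constructed packets against them; it also enforces the prefix-length limitation from the IPv6 ACL Limitations section. The closing permit ipv6 any any entry is an assumption about how the guide's CISCO example continues.

```python
"""First-match evaluation of an IPv6 named ACL (added example, not Cisco code).

It parses entries in the Cisco IOS syntax used by the CISCO list above and
applies the implicit deny at the end of every IPv6 ACL and the limitation
that only /0 to /64 prefixes and /128 host addresses are matched.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port operators accepted after a source or destination address.
OPERATORS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
             "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}
PortSpec = Optional[Tuple[str, int]]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                   # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Entry:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ipv6" matches every packet
    src: str                        # "any" or an IPv6 prefix
    dst: str
    src_port: PortSpec = None
    dst_port: PortSpec = None

def _parse_address(token: str) -> str:
    """Normalise a prefix, rejecting lengths the switch hardware cannot match."""
    if token == "any":
        return token
    net = ipaddress.IPv6Network(token, strict=False)
    if 64 < net.prefixlen < 128:
        raise ValueError(f"/{net.prefixlen} unsupported: only /0-/64 and /128 are matched")
    return str(net)

def parse_entry(line: str) -> Entry:
    """Parse '{deny|permit} {ipv6|tcp|udp|icmp} src [op port] dst [op port]'."""
    tokens = line.split()
    action, protocol, pos = tokens[0], tokens[1], 2
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")

    def take_address() -> str:
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "host":           # 'host X' is shorthand for X/128
            tok, pos = tokens[pos] + "/128", pos + 1
        return _parse_address(tok)

    def take_port() -> PortSpec:
        nonlocal pos
        if protocol in ("tcp", "udp") and pos < len(tokens) and tokens[pos] in OPERATORS:
            spec, pos = (tokens[pos], int(tokens[pos + 1])), pos + 2
            return spec
        return None

    src, src_port = take_address(), take_port()
    dst, dst_port = take_address(), take_port()
    return Entry(action, protocol, src, dst, src_port, dst_port)

def parse_acl(text: str) -> List[Entry]:
    """One entry per line; blank lines and '!' comment lines are ignored."""
    lines = [ln.strip() for ln in text.splitlines()]
    return [parse_entry(ln) for ln in lines if ln and not ln.startswith("!")]

def _address_matches(spec: str, address: str) -> bool:
    return spec == "any" or ipaddress.IPv6Address(address) in ipaddress.IPv6Network(spec)

def _port_matches(spec: PortSpec, port: Optional[int]) -> bool:
    if spec is None:                # no operator: any port (or no port) matches
        return True
    return port is not None and OPERATORS[spec[0]](port, spec[1])

def entry_matches(entry: Entry, pkt: Packet) -> bool:
    return (entry.protocol in ("ipv6", pkt.protocol)
            and _address_matches(entry.src, pkt.src)
            and _address_matches(entry.dst, pkt.dst)
            and _port_matches(entry.src_port, pkt.src_port)
            and _port_matches(entry.dst_port, pkt.dst_port))

def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """The first matching entry decides; a packet matching no entry hits the implicit deny."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry.action
    return "deny"

# The CISCO list from the text; the closing 'permit ipv6 any any' is an
# assumption about how the guide's example continues.
CISCO_ACL = parse_acl("""
deny tcp any any gt 5000
deny udp any lt 5000 any
permit ipv6 any any
""")
```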
Displaying IPv6 ACLs
You can display information about all configured access lists, all IPv6 access lists, or a specific access list by using one or more of the privileged EXEC commands in Table 41-1.
Table 41-1 Commands for Displaying IPv6 Access List Information
show access-lists: Display all access lists configured on the switch.
Chapter 42 Configuring HSRP
This chapter describes how to use Hot Standby Router Protocol (HSRP) on the Catalyst 3750 switch to provide routing redundancy for routing IP traffic not dependent on the availability of any single router. HSRP for IPv4 is supported on switches running the IP base or IP services image. To use HSRP for IPv6, see Chapter 39, “Configuring IPv6 Unicast Routing.” Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note
Routers in an HSRP group can be any router interface that supports HSRP, including Catalyst 3750 routed ports and switch virtual interfaces (SVIs).
HSRP provides high network availability by providing redundancy for IP traffic from hosts on networks.
Figure 42-1 Typical HSRP Configuration (figure labels: Host A, Host B, Host C, Router A, Router B, active router, standby router, virtual router, switch stack; addresses 172.20.130.5, 172.20.128.1, 172.20.128.2, 172.20.128.3, 172.20.128.32, 172.20.128.55)
HSRP Versions
The switch supports these Hot Standby Redundancy Protocol (HSRP) versions:
• HSRPv1—Version 1 of the HSRP, the default version of HSRP.
HSRPv2 has a different packet format than HSRPv1. An HSRPv2 packet uses the type-length-value (TLV) format and has a 6-byte identifier field with the MAC address of the physical router that sent the packet. If an interface running HSRPv1 gets an HSRPv2 packet, the type field is ignored.
Multiple HSRP
The switch supports Multiple HSRP (MHSRP), an extension of HSRP that allows load sharing between two or more HSRP groups.
HSRP and Switch Stacks
HSRP hello messages are generated by the stack master. If an HSRP-active stack master fails, a flap in the HSRP active state might occur. This is because HSRP hello messages are not generated while a new stack master is elected and initialized, and the standby router might become active after the stack master fails.
HSRP Configuration Guidelines
Follow these guidelines when configuring HSRP:
• HSRP for IPv4 and HSRP for IPv6 are mutually exclusive. You cannot enable both at the same time.
• HSRPv2 and HSRPv1 are mutually exclusive. HSRPv2 is not interoperable with HSRPv1 on an interface and the reverse.
• You can configure up to 32 instances of HSRP groups.
When the standby ip command is enabled on an interface and proxy ARP is enabled, if the interface’s Hot Standby state is active, proxy ARP requests are answered using the Hot Standby group MAC address. If the interface is in a different state, proxy ARP responses are suppressed.
Beginning in privileged EXEC mode, follow these steps to create or enable HSRP on a Layer 3 interface:
Step 1: configure terminal
Enter global configuration mode.
Configuring HSRP Priority
The standby priority, standby preempt, and standby track interface configuration commands are all used to set characteristics for finding active and standby routers and behavior regarding when a new active router takes over. When configuring HSRP priority, follow these guidelines:
• Assigning a priority allows you to select the active and standby routers.
Step 4: standby [group-number] preempt [delay [minimum seconds] [reload seconds] [sync seconds]]
Configure the router to preempt, which means that when the local router has a higher priority than the active router, it becomes the active router.
• (Optional) group-number—The group number to which the command applies.
• (Optional) delay minimum—Set to cause the local router to postpone taking over the active role for the number of seconds shown.
Configuring MHSRP
To enable MHSRP and load balancing, you configure two routers as active routers for their groups, with virtual routers as standby routers. This example shows how to enable the MHSRP configuration shown in Figure 42-2. You need to enter the standby preempt interface configuration command on each HSRP interface so that if a router fails and comes back up, the preemption occurs and restores load balancing.
Beginning in privileged EXEC mode, use one or more of these steps to configure HSRP authentication and timers on an interface:
Step 1: configure terminal
Enter global configuration mode.
Step 2: interface interface-id
Enter interface configuration mode, and enter the HSRP interface on which you want to set authentication.
Enabling HSRP Support for ICMP Redirect Messages
The Internet Control Message Protocol (ICMP) is a network layer Internet protocol that provides message packets to report errors and other information relevant to IP processing. ICMP provides diagnostic functions, such as sending and directing error packets to the host. When the switch is running HSRP, make sure hosts do not discover the interface (or real) MAC addresses of routers in the HSRP group.
Troubleshooting HSRP
If one of the situations in Table 42-2 occurs, this message appears:
%FHRP group not consistent with already configured groups on the switch stack virtual MAC reservation failed
Table 42-2 Troubleshooting HSRP
Situation: You configure more than 32 HSRP group instances. Action: Remove HSRP groups so that up to 32 group instances are configured.
Chapter 43 Configuring Cisco IOS IP SLAs Operations
This chapter describes how to use Cisco IOS IP Service Level Agreements (SLAs) on the Catalyst 3750 switch. Cisco IP SLAs is a part of Cisco IOS software that allows Cisco customers to analyze IP service levels for IP applications and services by using active traffic monitoring—the generation of traffic in a continuous, reliable, and predictable manner—for measuring network performance.
options such as source and destination IP address, User Datagram Protocol (UDP)/TCP port numbers, a type of service (ToS) byte (including Differentiated Services Code Point [DSCP] and IP Prefix bits), Virtual Private Network (VPN) routing/forwarding instance (VRF), and URL web address.
Using Cisco IOS IP SLAs to Measure Network Performance
You can use IP SLAs to monitor the performance between any area in the network—core, distribution, and edge—without deploying a physical probe. It uses generated traffic to measure network performance between two networking devices. Figure 43-1 shows how IP SLAs begins when the source device sends a generated packet to the destination device.
IP SLAs Responder and IP SLAs Control Protocol
The IP SLAs responder is a component embedded in the destination Cisco device that allows the system to anticipate and respond to IP SLAs request packets. The responder provides accurate measurements without the need for dedicated probes.
Figure 43-2 Cisco IOS IP SLAs Responder Time Stamping (figure: the source router records T1 when it sends the probe and T4 when the reply arrives; the responder on the target router records T2 on receipt and T3 when it sends the reply; responder processing time = T3 - T2; RTT (round-trip time) = T4 (time stamp 4) - T1 (time stamp 1) - (T3 - T2))
An additional benefit of the two time stamps at the target device is the ability to track one-way delay, jitter, and directional packet loss. Because much network behavior is asynchronous, it is critical to have these statistics.
An IP SLAs threshold violation can also trigger another IP SLAs operation for further analysis. For example, the frequency could be increased or an ICMP path echo or ICMP path jitter operation could be initiated for troubleshooting. Determining the type of threshold and the level to set can be complex, and depends on the type of IP service being used in the network.
Note that not all of the IP SLAs commands or operations described in this guide are supported on the switch. The switch supports IP service level analysis by using UDP jitter, UDP echo, HTTP, TCP connect, ICMP echo, ICMP path echo, ICMP path jitter, FTP, DNS, and DHCP, as well as multiple operation scheduling and proactive threshold monitoring.
Configuring the IP SLAs Responder
The IP SLAs responder is available only on Cisco IOS software-based devices, including some Layer 2 switches that do not support full IP SLAs functionality, such as the Catalyst 2960 or the Cisco ME 2400 or IE 3000 switch running the LAN base image.
In addition to monitoring jitter, the IP SLAs UDP jitter operation can be used as a multipurpose data gathering operation. The packets IP SLAs generates carry packet sending and receiving sequence information and sending and receiving time stamps from the source and the operational target.
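The following added example (not code from the Cisco guide) shows what those sequence numbers and the four time stamps of Figure 43-2 yield: round-trip time with the responder's processing time removed, source-to-destination and destination-to-source jitter, and directional loss. The probe series is constructed, and the source and responder clocks are assumed to be unsynchronised.

```python
"""Round-trip time, jitter and loss from IP SLAs responder time stamps.

Added example, not code from the Cisco guide: it applies the four time
stamps of Figure 43-2 (T1 source send, T2 responder receive, T3 responder
send, T4 source receive) to a constructed series of UDP jitter probes that
carry sequence numbers, as the UDP jitter operation described above does.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Probe:
    """One probe; time stamps in milliseconds, None where that leg never arrived."""
    seq: int
    t1: float
    t2: Optional[float] = None
    t3: Optional[float] = None
    t4: Optional[float] = None


def round_trip_time(p: Probe) -> Optional[float]:
    """RTT = T4 - T1 - (T3 - T2): elapsed time minus the responder's processing time."""
    if p.t2 is None or p.t3 is None or p.t4 is None:
        return None
    return (p.t4 - p.t1) - (p.t3 - p.t2)


def one_way_delays(probes: List[Probe], direction: str) -> List[Optional[float]]:
    """Per-probe one-way delay: 'sd' = T2 - T1, 'ds' = T4 - T3.

    Source and responder clocks are assumed unsynchronised, so each value
    includes the clock offset between the two devices. The offset is the same
    for every probe and cancels when successive delays are subtracted to
    obtain jitter, which is why jitter needs no synchronised clocks.
    """
    delays = []
    for p in probes:
        if direction == "sd":
            delays.append(None if p.t2 is None else p.t2 - p.t1)
        else:
            delays.append(None if p.t4 is None else p.t4 - p.t3)
    return delays


def jitter(delays: List[Optional[float]]) -> List[float]:
    """Delay variation between successive measured probes (lost probes are skipped)."""
    measured = [d for d in delays if d is not None]
    return [later - earlier for earlier, later in zip(measured, measured[1:])]


def summarize(probes: List[Probe]) -> dict:
    """Statistics in the spirit of the UDP jitter operation's results."""
    rtts = [r for r in (round_trip_time(p) for p in probes) if r is not None]
    sd = jitter(one_way_delays(probes, "sd"))
    ds = jitter(one_way_delays(probes, "ds"))
    return {
        "sent": len(probes),
        # Directional loss: no T2 means the probe never reached the responder;
        # a T2 without a T4 means the reply was lost on the way back.
        "lost_sd": sum(1 for p in probes if p.t2 is None),
        "lost_ds": sum(1 for p in probes if p.t2 is not None and p.t4 is None),
        "rtt_min": min(rtts, default=None),
        "rtt_avg": sum(rtts) / len(rtts) if rtts else None,
        "rtt_max": max(rtts, default=None),
        "jitter_sd_positive_max": max((j for j in sd if j > 0), default=0),
        "jitter_sd_negative_max": max((-j for j in sd if j < 0), default=0),
        "jitter_ds_positive_max": max((j for j in ds if j > 0), default=0),
        "jitter_ds_negative_max": max((-j for j in ds if j < 0), default=0),
    }


# Constructed probe series: the responder clock runs 1000 ms ahead of the
# source clock, probe 3 is lost on the way out, and probe 4's reply is lost.
SAMPLE_PROBES = [
    Probe(1, t1=0, t2=1005, t3=1006, t4=20),
    Probe(2, t1=20, t2=1027, t3=1028, t4=42),
    Probe(3, t1=40),
    Probe(4, t1=60, t2=1064, t3=1065),
    Probe(5, t1=80, t2=1086, t3=1087, t4=102),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PROBES).items():
        print(f"{key:24} {value}")
```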
Beginning in privileged EXEC mode, follow these steps to configure UDP jitter operation on the source device:
Step 1: configure terminal
Enter global configuration mode.
Step 2: ip sla operation-number
Create an IP SLAs operation, and enter IP SLAs configuration mode.
Step 6: ip sla monitor schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day | day month] | pending
Configure the scheduling parameters for an individual IP SLAs operation.
• operation-number—Enter the RTR entry number.
• (Optional) life—Set the operation to run indefinitely (forever) or for a specific number of seconds. The range is from 0 to 2147483647.
Schedule:
   Operation frequency (seconds): 30
   Next Scheduled Start Time: Pending trigger
   Group Scheduled : FALSE
   Randomly Scheduled : FALSE
   Life (seconds): 3600
   Entry Ageout (seconds): never
   Recurring (Starting Everyday): FALSE
   Status of entry (SNMP RowStatus): notInService
Threshold (milliseconds): 5000
Distribution Statistics:
   Number of statistic hours kept: 2
   Number of statistic distribution buckets kept: 1
   Statistic dist
Step 6: ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day | day month] | pending | now | after hh:mm:ss] [ageout seconds] [recurring]
Configure the scheduling parameters for an individual IP SLAs operation.
• operation-number—Enter the RTR entry number.
• (Optional) life—Set the operation to run indefinitely (forever) or for a specific number of seconds.
Schedule:
   Operation frequency (seconds): 60
   Next Scheduled Start Time: Pending trigger
   Group Scheduled : FALSE
   Randomly Scheduled : FALSE
   Life (seconds): 3600
   Entry Ageout (seconds): never
   Recurring (Starting Everyday): FALSE
   Status of entry (SNMP RowStatus): notInService
Threshold (milliseconds): 5000
Distribution Statistics:
   Number of statistic hours kept: 2
   Number of statistic distribution buckets kept: 1
   Statistic distr
Chapter 44 Configuring Enhanced Object Tracking
This chapter describes how to configure enhanced object tracking on the Catalyst 3750 switch. This feature provides a more complete alternative to the Hot Standby Routing Protocol (HSRP) tracking mechanism, which allows you to track the line-protocol state of an interface. If the line protocol state of an interface goes down, the HSRP priority of the interface is reduced and another HSRP device with a higher priority becomes active.
Configuring Enhanced Object Tracking Features
These sections describe configuring enhanced object tracking:
• Default Configuration, page 44-2
• Tracking Interface Line-Protocol or IP Routing State, page 44-2
• Configuring a Tracked List, page 44-3
• Configuring HSRP Object Tracking, page 44-7
• Configuring Other Tracking Characteristics, page 44-8
• Configuring IP SLAs Object Tracking, page 44-8
•
Chapter 44 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Command Purpose Step 6 delay {up seconds [down seconds] (Optional) Specify a period of time in seconds to delay communicating state | [up seconds] down seconds} changes of a tracked object. The range is from 1 to 180 seconds. Step 7 end Return to privileged EXEC mode. Step 8 show track object-number Verify that the specified objects are being tracked.
Chapter 44 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Beginning in privileged EXEC mode, follow these steps to configure a tracked list of objects with a Boolean expression: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 track track-number list boolean {and | or} Configure a tracked list object, and enter tracking configuration mode. The track-number can be from 1 to 500.
Chapter 44 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Beginning in privileged EXEC mode, follow these steps to configure a tracked list of objects by using a weight threshold and to configure a weight for each object: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 track track-number list threshold weight Configure a tracked list object and enter tracking configuration mode. The track-number can be from 1 to 500.
Chapter 44 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Beginning in privileged EXEC mode, follow these steps to configure a tracked list of objects by using a percentage threshold: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 track track-number list threshold percentage Configure a tracked list object and enter tracking configuration mode. The track-number can be from 1 to 500.
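The three tracked-list types above (Boolean and/or, weight threshold, percentage threshold) differ only in how member object states are combined. The following is an added illustration in Python, not IOS code or part of this guide: the per-object weights, the optional "not" on a Boolean member, and the hysteresis rule (a list goes up when its value reaches the up threshold, goes down when it falls to the down threshold, and otherwise keeps its previous state) are assumptions modelled on the commands shown; the object numbers, weights and thresholds are constructed sample data.

```python
"""Tracked-list evaluation for the three list types above (boolean and/or,
weight threshold, percentage threshold). Added illustration, not IOS code:
the per-object weights and the hysteresis rule (go up at >= the up
threshold, go down at <= the down threshold, otherwise hold) are
assumptions modelled on the IOS commands."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TrackedObject:
    """One 'track <n>' object, e.g. an interface line-protocol state."""
    number: int
    up: bool
    weight: int = 1        # 'object <n> weight <w>' (weight-threshold lists)
    negated: bool = False  # 'object <n> not' (boolean lists)


@dataclass
class TrackedList:
    """'track <n> list boolean {and|or}' or 'track <n> list threshold {weight|percentage}'."""
    kind: str              # "boolean-and", "boolean-or", "weight" or "percentage"
    objects: List[TrackedObject]
    up_threshold: int = 1  # 'threshold {weight|percentage} up X down Y'
    down_threshold: int = 0
    state: Optional[bool] = None  # last evaluated state, kept for hysteresis


def _member_state(obj: TrackedObject) -> bool:
    """Apply the optional 'not' to a member of a boolean list."""
    return (not obj.up) if obj.negated else obj.up


def _apply_threshold(lst: TrackedList, value: float) -> bool:
    """Two-threshold compare; values strictly between the thresholds hold the old state."""
    if value >= lst.up_threshold:
        return True
    if value <= lst.down_threshold:
        return False
    return bool(lst.state)  # a never-evaluated list is treated as down


def evaluate(lst: TrackedList) -> bool:
    """Recompute the list state from its members and remember it."""
    if lst.kind == "boolean-and":
        new_state = all(_member_state(o) for o in lst.objects)
    elif lst.kind == "boolean-or":
        new_state = any(_member_state(o) for o in lst.objects)
    elif lst.kind == "weight":
        up_weight = sum(o.weight for o in lst.objects if o.up)
        new_state = _apply_threshold(lst, up_weight)
    elif lst.kind == "percentage":
        up_count = sum(1 for o in lst.objects if o.up)
        new_state = _apply_threshold(lst, 100.0 * up_count / len(lst.objects))
    else:
        raise ValueError(f"unknown list type {lst.kind!r}")
    lst.state = new_state
    return new_state


def set_object_state(lst: TrackedList, number: int, up: bool) -> bool:
    """Change one member's state (as a line-protocol event would) and re-evaluate."""
    for obj in lst.objects:
        if obj.number == number:
            obj.up = up
            return evaluate(lst)
    raise KeyError(f"object {number} is not in the list")


def weight_list_demo() -> List[bool]:
    """Constructed scenario: weights 10/20/30, 'threshold weight up 40 down 20'."""
    lst = TrackedList("weight", [TrackedObject(1, True, 10), TrackedObject(2, False, 20),
                                 TrackedObject(3, True, 30)], up_threshold=40, down_threshold=20)
    states = [evaluate(lst)]                        # 10 + 30 = 40 >= 40 -> up
    states.append(set_object_state(lst, 3, False))  # 10 <= 20 -> down
    states.append(set_object_state(lst, 2, True))   # 30 lies between -> stays down
    states.append(set_object_state(lst, 3, True))   # 60 >= 40 -> up
    return states


def boolean_list_demo() -> List[bool]:
    """Constructed scenario: 'object 2 not' lets the AND list stay up while object 2 is down."""
    and_list = TrackedList("boolean-and", [TrackedObject(1, True),
                                           TrackedObject(2, False, negated=True)])
    or_list = TrackedList("boolean-or", [TrackedObject(1, False), TrackedObject(2, True)])
    return [evaluate(and_list), evaluate(or_list)]


def percentage_list_demo() -> List[bool]:
    """Constructed scenario: three objects, 'threshold percentage up 60 down 30'."""
    lst = TrackedList("percentage", [TrackedObject(n, True) for n in (1, 2, 3)],
                      up_threshold=60, down_threshold=30)
    states = [evaluate(lst)]                        # 100% -> up
    states.append(set_object_state(lst, 1, False))  # 66.7% -> up
    states.append(set_object_state(lst, 2, False))  # 33.3% lies between -> stays up
    states.append(set_object_state(lst, 3, False))  # 0% -> down
    return states
```

The weight and percentage demos show why the two thresholds matter: a value between them does not flap the list, which is what keeps a tracked HSRP priority from oscillating on a single marginal object.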
Configuring HSRP Object Tracking Beginning in privileged EXEC mode, follow these steps to configure a standby HSRP group to track an object and change the HSRP priority based on the object state: Command Purpose Step 1 configure terminal Enter global configuration mode.
Command Purpose Step 6 standby [group-number] track object-number [decrement [priority-decrement]] Configure HSRP to track an object and change the hot standby priority based on the state of the object. • (Optional) group-number—Enter the group number to which the tracking applies. • object-number—Enter a number representing the object to be tracked. The range is from 1 to 500; the default is 1.
aspects of IP SLAs operation: state and reachability. For state, if the return code is OK, the track state is up; if the return code is not OK, the track state is down. For reachability, if the return code is OK or OverThreshold, reachability is up; if not OK, reachability is down.
Configuring Static Routing Support Switches that are running the IP services image with Cisco IOS release 12.2(46)SE or later support enhanced object tracking static routing. Static routing support using enhanced object tracking provides the ability for the switch to use ICMP pings to identify when a preconfigured static route or a DHCP route goes down.
Command Purpose Step 5 ip address dhcp Acquire an IP address on an Ethernet interface from DHCP. Step 6 exit Return to global configuration mode. Configuring a Cisco IP SLAs Monitoring Agent and Track Object Beginning in privileged EXEC mode, follow these steps to configure network monitoring with Cisco IP SLAs: Command Purpose Step 1 configure terminal Enter global configuration mode.
Configuring a Routing Policy and Default Route Beginning in privileged EXEC mode, follow these steps to configure a routing policy for backup static routing by using object tracking. For more details about the commands in the procedure, see http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 44 Configuring Enhanced Object Tracking Monitoring Enhanced Object Tracking
Monitoring Enhanced Object Tracking Use the privileged EXEC or user EXEC commands in Table 44-1 to display enhanced object tracking information. Table 44-1 Commands for Displaying Tracking Information Command Purpose show ip route track table Display information about the IP route track table. show track [object-number] Display information about all tracking lists or the specified list.
CHAPTER 45 Configuring Cache Services By Using WCCP
This chapter describes how to configure your Catalyst 3750 switch to redirect traffic to wide-area application engines (such as the Cisco Cache Engine 550) by using the Web Cache Communication Protocol (WCCP). This software release supports only WCCP version 2 (WCCPv2). WCCP is a Cisco-developed content-routing technology that you can use to integrate wide-area application engines—referred to as application engines—into your network infrastructure.
Chapter 45 Configuring Cache Services By Using WCCP Understanding WCCP
When an application engine receives a request, it attempts to service it from its own local cache. If the requested information is not present, the application engine sends a separate request to the end server to retrieve the requested information. After receiving the requested information, the application engine forwards it to the requesting client and also caches it to fulfill future requests.
WCCP Negotiation In the exchange of WCCP protocol messages, the designated application engine and the WCCP-enabled switch negotiate these items: • Forwarding method (the method by which the switch forwards packets to the application engine). The switch rewrites the Layer 2 header by replacing the packet destination MAC address with the target application engine MAC address. It then forwards the packet to the application engine.
You can configure up to 8 service groups on a switch or switch stack and up to 32 cache engines per service group. WCCP maintains the priority of the service group in the group definition. WCCP uses the priority to configure the service groups in the switch hardware.
Chapter 45 Configuring Cache Services By Using WCCP Configuring WCCP
WCCP and Switch Stacks WCCP support is the same for a switch stack as for a standalone switch. WCCP configuration information is propagated to all switches in the stack. All switches in the stack, including the stack master, process the information and program their hardware. For more information about switch stacks, see Chapter 5, “Managing Switch Stacks.”
WCCP Configuration Guidelines Before configuring WCCP on your switch, make sure to follow these configuration guidelines: • The application engines and switches in the same service group must be in the same subnetwork directly connected to the switch that has WCCP enabled.
Beginning in privileged EXEC mode, follow these steps to enable the cache service, to set a multicast group address or group list, to configure routed interfaces, to redirect inbound packets received from a client to the application engine, to enable an interface to listen for a multicast address, and to set a password. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode.
Command Purpose Step 14 exit Return to global configuration mode. Repeat Steps 8 through 13 for each client. Step 15 end Return to privileged EXEC mode. Step 16 show ip wccp web-cache and show running-config Verify your entries. Step 17 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable the cache service, use the no ip wccp web-cache global configuration command.
Chapter 45 Configuring Cache Services By Using WCCP Monitoring and Maintaining WCCP
Switch(config-if)# no shutdown
Switch(config-if)# ip wccp web-cache redirect in
Switch(config-if)# exit
This example shows how to configure SVIs and how to enable the cache service with a multicast group list. VLAN 299 is created and configured with an IP address of 175.20.20.10. Gigabit Ethernet port 1 is connected through the Internet to the server and is configured as an access port in VLAN 299.
Table 45-2 Commands for Monitoring and Maintaining WCCP Command Purpose clear ip wccp web-cache Removes statistics for the web-cache service. show ip wccp web-cache Displays global information related to WCCP. show ip wccp web-cache detail Displays information for the switch and all application engines in the WCCP cluster.
CHAPTER 46 Configuring IP Multicast Routing
This chapter describes how to configure IP multicast routing on the Catalyst 3750 switch. IP multicasting is a more efficient way to use network resources, especially for bandwidth-intensive services such as audio and video. IP multicast routing enables a host (source) to send packets to a group of hosts (receivers) anywhere within the IP network by using a special form of IP address called the IP multicast group address.
Chapter 46 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing
Understanding Cisco’s Implementation of IP Multicast Routing The Cisco IOS software supports these protocols to implement IP multicast routing: • Internet Group Management Protocol (IGMP) is used among hosts on a LAN and the routers (and multilayer switches) on that LAN to track the multicast groups of which hosts are members.
Understanding IGMP To participate in IP multicasting, multicast hosts, routers, and multilayer switches must have IGMP operating. This protocol defines the querier and host roles: • A querier is a network device that sends query messages to discover which network devices are members of a given multicast group.
Understanding PIM PIM is called protocol-independent: regardless of the unicast routing protocols used to populate the unicast routing table, PIM uses this information to perform multicast forwarding instead of maintaining a separate multicast routing table. PIM is defined in RFC 2362, Protocol-Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification.
When a new receiver on a previously pruned branch of the tree joins a multicast group, the PIM DM device detects the new receiver and immediately sends a graft message up the distribution tree toward the source.
The PIM stub feature is enforced in the IP base image. If you upgrade to a higher software version, the PIM stub configuration remains until you reconfigure the interfaces. In Figure 46-2, Switch A routed uplink port 25 is connected to the router and PIM stub routing is enabled on the VLAN 100 interfaces and on Host 3.
Mapping agents periodically multicast the contents of their Group-to-RP mapping caches. Thus, all routers and switches automatically discover which RP to use for the groups that they support.
With multicasting, the source is sending traffic to an arbitrary group of hosts represented by a multicast group address in the destination address field of the IP packet. To decide whether to forward or drop an incoming multicast packet, the router or multilayer switch uses a reverse path forwarding (RPF) check on the packet as follows and shown in Figure 46-3: 1.
Sparse-mode PIM uses the RPF lookup function to decide where it needs to send joins and prunes: • (S,G) joins (which are source-tree states) are sent toward the source. • (*,G) joins (which are shared-tree states) are sent toward the RP. DVMRP and dense-mode PIM use only source trees and use RPF as previously described.
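The RPF check described above is what stops a multicast packet arriving on the wrong interface (a loop, or a spoofed source) from being replicated. The following added example in Python, not Cisco code or part of this guide, models it against a small constructed unicast routing table: a longest-prefix lookup, the forward-or-drop decision for a received packet, and the RPF interface that PIM-SM uses to send (S,G) joins toward the source and (*,G) joins toward the RP. Interface names, prefixes and addresses are constructed sample data.

```python
"""Reverse path forwarding (RPF) check used by multicast forwarding above.
Added illustration, not Cisco code: a constructed unicast routing table,
a longest-prefix lookup, the RPF decision for a received multicast packet,
and the RPF interface through which PIM-SM sends its joins."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str


# Constructed unicast routing table. As the page notes, PIM consults this
# table instead of keeping a separate multicast routing table.
UNICAST_TABLE: List[Route] = [
    Route(ipaddress.ip_network("10.1.0.0/16"), "10.1.0.1", "Gi1/0/1"),
    Route(ipaddress.ip_network("10.1.5.0/24"), "10.1.5.1", "Gi1/0/2"),  # more specific
    Route(ipaddress.ip_network("192.168.50.0/24"), "192.168.50.1", "Gi1/0/3"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "Gi1/0/24"),  # default
]


def lookup(table: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match; None only when no route (not even a default) covers it."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def rpf_interface(table: List[Route], address: str) -> Optional[str]:
    """Interface the unicast table would use to reach `address`."""
    route = lookup(table, address)
    return route.interface if route else None


def rpf_check(table: List[Route], source: str, in_interface: str) -> bool:
    """Passes only when the packet arrived on the interface that leads back to its source."""
    return rpf_interface(table, source) == in_interface


def forward(table: List[Route], source: str, in_interface: str,
            outgoing_list: List[str]) -> List[str]:
    """RPF-gated forwarding: on success replicate to the outgoing interface list
    (never back out the incoming interface); on failure drop, returned as []."""
    if not rpf_check(table, source, in_interface):
        return []
    return [iface for iface in outgoing_list if iface != in_interface]


def join_interface(table: List[Route], state: str, source: str = "",
                   rp: str = "") -> Optional[str]:
    """Where PIM-SM sends a join: (S,G) toward the source, (*,G) toward the RP."""
    if state == "(S,G)":
        return rpf_interface(table, source)
    if state == "(*,G)":
        return rpf_interface(table, rp)
    raise ValueError("state must be '(S,G)' or '(*,G)'")
```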
Chapter 46 Configuring IP Multicast Routing Multicast Routing and Switch Stacks
Multicast Routing and Switch Stacks For all multicast routing protocols, the entire stack appears as a single router to the network and operates as a single multicast router. In a Catalyst 3750 switch stack, the routing master (stack master) performs these functions: • It is responsible for completing the IP multicast routing functions of the stack. It fully initializes and runs the IP multicast routing protocols.
Chapter 46 Configuring IP Multicast Routing Configuring IP Multicast Routing
Default Multicast Routing Configuration Table 46-2 shows the default multicast routing configuration. Table 46-2 Default Multicast Routing Configuration Feature Default Setting Multicast routing Disabled on all interfaces. PIM version Version 2. PIM mode No mode is defined. PIM stub routing None configured. PIM RP address None configured. PIM domain border Disabled. PIM multicast boundary None.
Dense-mode groups in a mixed PIMv1 and PIMv2 region need no special configuration; they automatically interoperate. Sparse-mode groups in a mixed PIMv1 and PIMv2 region are possible because the Auto-RP feature in PIMv1 interoperates with the PIMv2 RP feature. Although all PIMv2 devices can also use PIMv1, we recommend that the RPs be upgraded to PIMv2.
In populating the multicast routing table, dense-mode interfaces are always added to the table. Sparse-mode interfaces are added to the table only when periodic join messages are received from downstream devices or when there is a directly connected member on the interface. When forwarding from a LAN, sparse-mode operation occurs if there is an RP known for the group. If so, the packets are encapsulated and sent toward the RP.
Command Purpose Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable multicasting, use the no ip multicast-routing distributed global configuration command. To return to the default PIM version, use the no ip pim version interface configuration command.
the IP addresses of sources from which they receive their traffic. The proposed standard approach for channel subscription signaling uses IGMP include-mode membership reports, which are supported only in IGMP version 3. SSM IP Address Range SSM can coexist with the ISM service by applying the SSM delivery model to a configured subset of the IP multicast group address range.
Configuration Guidelines This section contains the guidelines for configuring SSM. Legacy Applications Within the SSM Range Restrictions Existing applications in a network predating SSM do not work within the SSM range unless they are modified to support (S, G) channel subscriptions. Therefore, enabling SSM in a network can cause problems for existing applications if they use addresses within the designated SSM range.
Configuring SSM Beginning in privileged EXEC mode, follow these steps to configure SSM: Command Purpose Step 1 ip pim ssm [default | range access-list] Define the SSM range of IP multicast addresses. Step 2 interface type number Select an interface that is connected to hosts on which IGMPv3 can be enabled, and enter the interface configuration mode.
Configuration Guidelines These are the SSM mapping configuration guidelines: • Before you configure SSM mapping, enable IP multicast routing, enable PIM sparse mode, and configure SSM. For information on enabling IP multicast routing and PIM sparse mode, see the “Default Multicast Routing Configuration” section on page 46-11.
Static SSM Mapping With static SSM mapping, you can configure the last hop router to use a static map to determine the sources that are sending to groups. Static SSM mapping requires that you configure ACLs to define group ranges. Then you can map the groups permitted by those ACLs to sources by using the ip igmp static ssm-map global configuration command.
To look up one or more source addresses for a group that includes G1, G2, G3, and G4, you must configure these DNS records on the DNS server:
G4.G3.G2.G1 [multicast-domain] [timeout] IN A source-address-1
IN A source-address-2
IN A source-address-n
See your DNS server documentation for more information about configuring DNS resource records. For information on SSM mapping: http://www.cisco.
For SSM mapping configuration examples: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtssmma.html Configuring DNS-Based SSM Mapping To configure DNS-based SSM mapping, you need to create a DNS server zone or add records to an existing zone. If the routers that are using DNS-based SSM mapping are also using DNS for other purposes, you should use a normally configured DNS server.
Configuring Static Traffic Forwarding with SSM Mapping Use static traffic forwarding with SSM mapping to statically forward SSM traffic for certain groups. Beginning in privileged EXEC mode, follow these steps to configure static traffic forwarding with SSM mapping: Command Purpose Step 1 configure terminal Enter global configuration mode.
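The DNS record layout above is easy to get backwards: the owner name is the group address with its octets reversed, followed by the multicast domain, and each A record names one source. The following added example in Python, not Cisco code or part of this guide, parses a constructed zone written in that layout, builds the owner name the last-hop router would query for a group, and derives the (S,G) channels to join; the domain name ssm-map.example, the zone contents and the in-memory lookup (standing in for a real DNS query) are assumptions.

```python
"""DNS-based SSM mapping in the record layout shown above: the last-hop
router reverses the group address into G4.G3.G2.G1.<multicast-domain> and
takes the A records as the sources for its (S,G) joins. Added illustration,
not Cisco code; the zone text and the domain name ssm-map.example are
constructed, and the in-memory lookup stands in for a DNS query."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed zone in the page's layout: owner name, optional timeout,
# then one A record per source, with continuation lines indented.
ZONE_TEXT = """
3.2.1.232.ssm-map.example. 3600 IN A 192.0.2.10
                                IN A 192.0.2.11
9.9.1.232.ssm-map.example. IN A 198.51.100.7
"""


def parse_zone(text: str) -> Dict[str, List[str]]:
    """Collect A records per owner name, handling indented continuation lines."""
    records: Dict[str, List[str]] = {}
    owner = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if not line[0].isspace():            # a new owner name starts this line
            owner = tokens[0] if tokens[0].endswith(".") else tokens[0] + "."
            tokens = tokens[1:]
        if owner is None:
            raise ValueError("continuation line before any owner name")
        if tokens and tokens[0].isdigit():   # optional timeout/TTL field
            tokens = tokens[1:]
        if len(tokens) != 3 or tokens[:2] != ["IN", "A"]:
            raise ValueError(f"unsupported record: {line.strip()}")
        ipaddress.ip_address(tokens[2])      # reject malformed source addresses
        records.setdefault(owner, []).append(tokens[2])
    return records


ZONE = parse_zone(ZONE_TEXT)


def ssm_map_name(group: str, multicast_domain: str) -> str:
    """Owner name to query: the group's octets reversed, then the domain."""
    if not ipaddress.ip_address(group).is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    return ".".join(reversed(group.split("."))) + "." + multicast_domain.rstrip(".") + "."


def lookup_sources(group: str, multicast_domain: str,
                   zone: Dict[str, List[str]] = ZONE) -> List[str]:
    """Sources mapped to `group`; [] when the zone has no record (no (S,G) join then)."""
    return list(zone.get(ssm_map_name(group, multicast_domain), []))


def ssm_joins(group: str, multicast_domain: str,
              zone: Dict[str, List[str]] = ZONE) -> List[Tuple[str, str]]:
    """(S,G) channels the router joins on behalf of a (*,G) IGMP report for `group`."""
    return [(source, group) for source in lookup_sources(group, multicast_domain, zone)]
```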
Configuring PIM Stub Routing The PIM stub routing feature supports multicast routing between the distribution layer and the access layer. It supports two types of PIM interfaces: uplink PIM interfaces and PIM passive interfaces. A routed interface configured with PIM passive mode does not pass or forward PIM control traffic; it only passes and forwards IGMP traffic.
Switch(config)# interface vlan100
Switch(config-if)# ip pim passive
Switch(config-if)# exit
Switch(config)# interface GigabitEthernet3/0/20
Switch(config-if)# ip pim passive
Switch(config-if)# exit
Switch(config)# interface vlan100
Switch(config-if)# ip address 100.1.1.1 255.255.255.
Senders of multicast traffic announce their existence through register messages received from the source first-hop router (designated router) and forwarded to the RP. Receivers of multicast packets use RPs to join a multicast group by using explicit join messages. RPs are not members of the multicast group; rather, they serve as a meeting place for multicast sources and group members.
To remove an RP address, use the no ip pim rp-address ip-address [access-list-number] [override] global configuration command. This example shows how to configure the address of the RP to 147.106.6.22 for multicast group 225.2.2.2 only:
Switch(config)# access-list 1 permit 225.2.2.2 0.0.0.0
Switch(config)# ip pim rp-address 147.106.6.
Beginning in privileged EXEC mode, follow these steps to deploy Auto-RP in an existing sparse-mode cloud. This procedure is optional. Command Purpose Step 1 show running-config Verify that a default RP is already configured on all PIM devices and the RP in the sparse-mode network. It was previously configured with the ip pim rp-address global configuration command. This step is not required for sparse-dense-mode environments.
Command Purpose Step 5 ip pim send-rp-discovery scope ttl Find a switch whose connectivity is not likely to be interrupted, and assign it the role of RP-mapping agent. For scope ttl, specify the time-to-live value in hops to limit the RP discovery packets. All devices within the hop count from the source device receive the Auto-RP discovery messages.
Filtering Incoming RP Announcement Messages You can add configuration commands to the mapping agents to prevent a maliciously configured router from masquerading as a candidate RP and causing problems. Beginning in privileged EXEC mode, follow these steps to filter incoming RP announcement messages. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
This example shows a sample configuration on an Auto-RP mapping agent that is used to prevent candidate RP announcements from being accepted from unauthorized candidate RPs:
Switch(config)# ip pim rp-announce-filter rp-list 10 group-list 20
Switch(config)# access-list 10 permit host 172.16.5.1
Switch(config)# access-list 10 permit host 172.16.2.1
Switch(config)# access-list 20 deny 239.0.0.0 0.0.255.
To remove the PIM border, use the no ip pim bsr-border interface configuration command. Figure 46-5 Constraining PIMv2 BSR Messages (figure: a PIMv2 sparse-mode network with a BSR and Layer 3 switches; the ip pim bsr-border command is configured on the interface toward each neighboring PIMv2 domain so that BSR messages do not cross it).
To remove the boundary, use the no ip multicast boundary interface configuration command. This example shows a portion of an IP multicast boundary configuration that denies Auto-RP information:
Switch(config)# access-list 1 deny 224.0.1.39
Switch(config)# access-list 1 deny 224.0.1.
Configuring Candidate RPs You can configure one or more candidate RPs. Similar to BSRs, the RPs should also have good connectivity to other devices and be in the backbone portion of the network. An RP can serve the entire IP multicast address space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR.
This example shows how to configure the switch to advertise itself as a candidate RP to the BSR in its PIM domain. Standard access list number 4 specifies the group prefix associated with the RP that has the address identified by a port. That RP is responsible for the groups with the prefix 239.
Switch(config)# ip pim rp-candidate gigabitethernet1/0/2 group-list 4
Switch(config)# access-list 4 permit 239.0.0.0 0.255.255.
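Both the rp-announce-filter on the mapping agent and the multicast boundary above come down to evaluating standard access lists written with address/wildcard pairs, and a mistake in the wildcard silently widens or empties the match. The following added example in Python, not IOS code or part of this guide, parses a constructed configuration in the style of the two examples, evaluates the ACLs with the implicit deny, and applies them as a mapping-agent decision and as a boundary decision. The acceptance rule used (the announcing RP must be permitted by rp-list and every advertised group range by group-list) and the sample addresses and ranges are assumptions.

```python
"""Standard-ACL checks behind two features above: the Auto-RP mapping
agent's 'ip pim rp-announce-filter rp-list X group-list Y' and an
'ip multicast boundary' ACL that keeps the Auto-RP groups 224.0.1.39/40
inside the domain. Added illustration, not IOS code: the config text is
constructed, and the acceptance rule (RP permitted by rp-list and every
advertised group range permitted by group-list) is an assumption."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class AclEntry:
    permit: bool
    network: ipaddress.IPv4Network  # address/wildcard expressed as a prefix


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS address/wildcard pair into a prefix (contiguous wildcards only)."""
    wc = int(ipaddress.ip_address(wildcard))
    if (wc + 1) & wc:                # must look like 0...01...1
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    return ipaddress.ip_network(f"{address}/{32 - wc.bit_length()}", strict=False)


def parse_standard_acls(config: str) -> Dict[int, List[AclEntry]]:
    """Parse 'access-list <n> {permit|deny} {host A | any | A [WILDCARD]}' lines."""
    acls: Dict[int, List[AclEntry]] = {}
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue                 # not a standard ACL line
        number, action = int(parts[1]), parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {raw.strip()}")
        if parts[3] == "host":
            net = wildcard_to_network(parts[4], "0.0.0.0")
        elif parts[3] == "any":
            net = wildcard_to_network("0.0.0.0", "255.255.255.255")
        else:                        # a bare address means wildcard 0.0.0.0
            net = wildcard_to_network(parts[3], parts[4] if len(parts) > 4 else "0.0.0.0")
        acls.setdefault(number, []).append(AclEntry(action == "permit", net))
    return acls


def acl_permits(acl: List[AclEntry], address: str) -> bool:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    addr = ipaddress.ip_address(address)
    for entry in acl:
        if addr in entry.network:
            return entry.permit
    return False


def accept_rp_announcement(acls: Dict[int, List[AclEntry]], rp_list: int, group_list: int,
                           rp_address: str, group_ranges: List[str]) -> bool:
    """Mapping-agent decision for one Auto-RP announcement (assumed rule, see above)."""
    if not acl_permits(acls.get(rp_list, []), rp_address):
        return False                 # unauthorized candidate RP
    return all(acl_permits(acls.get(group_list, []),
                           str(ipaddress.ip_network(rng).network_address))
               for rng in group_ranges)


def crosses_boundary(acls: Dict[int, List[AclEntry]], boundary_list: int, group: str) -> bool:
    """Whether traffic to `group` may pass an 'ip multicast boundary <n>' interface."""
    return acl_permits(acls.get(boundary_list, []), group)


# Constructed configuration in the style of the two examples above.
SAMPLE_CONFIG = """
ip pim rp-announce-filter rp-list 10 group-list 20
access-list 10 permit host 172.16.5.1
access-list 10 permit host 172.16.2.1
access-list 20 deny 239.0.0.0 0.255.255.255
access-list 20 permit 224.0.0.0 15.255.255.255
access-list 1 deny 224.0.1.39
access-list 1 deny 224.0.1.40
access-list 1 permit 224.0.0.0 15.255.255.255
"""
ACLS = parse_standard_acls(SAMPLE_CONFIG)
```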
Chapter 46 Configuring IP Multicast Routing Configuring Advanced PIM Features
Troubleshooting PIMv1 and PIMv2 Interoperability Problems When debugging interoperability problems between PIMv1 and PIMv2, check these in the order shown: 1. Verify RP mapping with the show ip pim rp-hash privileged EXEC command, making sure that all systems agree on the same RP for the same group. 2. Verify interoperability between different versions of DRs and RPs.
This process describes the move from a shared tree to a source tree: 1. A receiver joins a group; leaf Router C sends a join message toward the RP. 2. The RP puts a link to Router C in its outgoing interface list. 3. A source sends data; Router A encapsulates the data in a register message and sends it to the RP. 4. The RP forwards the data down the shared tree to Router C and sends a join message toward the source.
Beginning in privileged EXEC mode, follow these steps to configure a traffic rate threshold that must be reached before multicast routing is switched from the source tree to the shortest-path tree. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard] Create a standard access list.
Chapter 46 Configuring IP Multicast Routing Configuring Optional IGMP Features
With PIM DM operation, the DR has meaning only if IGMPv1 is in use. IGMPv1 does not have an IGMP querier election process, so the elected DR functions as the IGMP querier. With PIM SM operation, the DR is the device that is directly connected to the multicast source. It sends PIM register messages to notify the RP that multicast traffic from a source needs to be forwarded down the shared tree.
Default IGMP Configuration Table 46-4 shows the default IGMP configuration. Table 46-4 Default IGMP Configuration Feature Default Setting Multilayer switch as a member of a multicast group No group memberships are defined. Access to multicast groups All groups are allowed on an interface. IGMP version Version 2 on all interfaces. IGMP host-query message interval 60 seconds on all interfaces.
This example shows how to enable the switch to join multicast group 255.2.2.2:
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip igmp join-group 255.2.2.2
Controlling Access to IP Multicast Groups The switch sends IGMP host-query messages to find which multicast groups have members on attached local networks. The switch then forwards to these group members all packets addressed to the multicast group.
Changing the IGMP Version By default, the switch uses IGMP Version 2, which provides features such as the IGMP query timeout and the maximum query response time. All systems on the subnet must support the same version. The switch does not automatically detect Version 1 systems and switch to Version 1.
Beginning in privileged EXEC mode, follow these steps to modify the host-query interval. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode.
Changing the Maximum Query Response Time for IGMPv2 If you are using IGMPv2, you can change the maximum query response time advertised in IGMP queries. The maximum query response time enables the switch to quickly detect that there are no more directly connected group members on a LAN. Decreasing the value enables the switch to prune groups faster.
Chapter 46 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features
Beginning in privileged EXEC mode, follow these steps to configure the switch itself to be a statically connected member of a group (and enable fast switching). This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode.
Beginning in privileged EXEC mode, follow these steps to enable the CGMP server on the switch interface. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface that is connected to the Layer 2 Catalyst switch, and enter interface configuration mode. Step 3 ip cgmp [proxy] Enable CGMP on the interface.
SDR is a multicast application that listens to a well-known multicast group address and port for Session Announcement Protocol (SAP) multicast packets from SAP clients, which announce their conference sessions.
Configuring an IP Multicast Boundary Administratively-scoped boundaries can be used to limit the forwarding of multicast traffic outside of a domain or subdomain. This approach uses a special range of multicast addresses, called administratively-scoped addresses, as the boundary mechanism.
Chapter 46 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Beginning in privileged EXEC mode, follow these steps to set up an administratively-scoped boundary. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard] Create a standard access list, repeating the command as many times as necessary.
Chapter 46 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Configuring DVMRP Interoperability Cisco multicast routers and multilayer switches using PIM can interoperate with non-Cisco multicast routers that use the DVMRP. PIM devices dynamically discover DVMRP multicast routers on attached networks by listening to DVMR probe messages.
Chapter 46 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Command Step 4 Purpose ip dvmrp metric metric [list Configure the metric associated with a set of destinations for DVMRP access-list-number] [[protocol process-id] reports. | [dvmrp]] • For metric, the range is 0 to 32. A value of 0 means that the route is not advertised. A value of 32 is equivalent to infinity (unreachable).
Chapter 46 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Configuring a DVMRP Tunnel The software supports DVMRP tunnels to the MBONE. You can configure a DVMRP tunnel on a router or multilayer switch if the other end is running DVMRP. The software then sends and receives multicast packets through the tunnel. This strategy enables a PIM domain to connect to the DVMRP router when all routers on the path do not support multicast routing.
Step 9: ip dvmrp accept-filter access-list-number [distance] neighbor-list access-list-number. Configure an acceptance filter for incoming DVMRP reports. By default, all destination reports are accepted with a distance of 0. Reports from all neighbors are accepted.
• For access-list-number, specify the access list number created in Step 2.
Beginning in privileged EXEC mode, follow these steps to advertise network 0.0.0.0 to DVMRP neighbors on an interface. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify the interface that is connected to the DVMRP router, and enter interface configuration mode.
These sections contain this configuration information:
• Enabling DVMRP Unicast Routing, page 46-54 (optional)
• Rejecting a DVMRP Nonpruning Neighbor, page 46-55 (optional)
• Controlling Route Exchanges, page 46-57 (optional)
For information on basic DVMRP features, see the “Configuring Basic DVMRP Interoperability Features” section on page 46-48.
Rejecting a DVMRP Nonpruning Neighbor
By default, Cisco devices accept all DVMRP neighbors as peers, regardless of their DVMRP capability. However, some non-Cisco devices run old versions of DVMRP that cannot prune, so they continuously receive forwarded packets, wasting bandwidth. Figure 46-8 shows this scenario.
Figure 46-9 Router Rejects Nonpruning DVMRP Neighbor (figure labels: source router or RP, RP, Router A, Router B, Layer 3 switch, receiver, leaf nonpruning DVMRP device; multicast traffic gets to the receiver, not to the leaf DVMRP device; the callout reads: configure the ip dvmrp reject-non-pruners command on this interface)
Note that the ip dvmrp reject-non-pruners interface configuration command prevents peering with neighbors only.
Controlling Route Exchanges
These sections describe how to tune the Cisco device advertisements of DVMRP routes:
• Limiting the Number of DVMRP Routes Advertised, page 46-57 (optional)
• Changing the DVMRP Route Threshold, page 46-57 (optional)
• Configuring a DVMRP Summary Address, page 46-58 (optional)
• Disabling DVMRP Autosummarization, page 46-60 (optional)
• Adding a Metric Offset to the DVMRP R
Beginning in privileged EXEC mode, follow these steps to change the threshold number of routes that trigger the warning. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: ip dvmrp routehog-notification route-count. Configure the number of routes that trigger a syslog message.
Step 3: end. Return to privileged EXEC mode.
Figure 46-10 Only Connected Unicast Routes Are Advertised by Default (figure contents: the switch configuration and the DVMRP report exchanged with the DVMRP router)
interface tunnel 0
 ip unnumbered fastethernet1/0/1
interface fastethernet1/0/1
 ip addr 176.32.10.1 255.255.255.0
 ip pim dense-mode
interface fastethernet1/0/2
 ip addr 176.32.15.1 255.255.255.
DVMRP Report: 151.16.0.0/16 m = 39; 172.34.15.0/24 m = 42; 202.13.3.0/24 m = 40; 176.32.10.0/24 m = 1; 176.32.15.0/24 m = 1
Disabling DVMRP Autosummarization
By default, the software automatically performs some level of DVMRP summarization. Disable this function if you want to advertise all routes, not just a summary. In some special cases, you can use the neighboring DVMRP router with all subnet information to better control the flow of multicast traffic in the DVMRP network.
Beginning in privileged EXEC mode, follow these steps to change the default metric. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify the interface to be configured, and enter interface configuration mode.
Clearing Caches, Tables, and Databases
You can remove all contents of a particular cache, table, or database. Clearing a cache, table, or database might be necessary when the contents of the particular structure are, or are suspected to be, invalid.
Table 46-6 Commands for Displaying System and Network Statistics (continued)
show ip mpacket [source-address | name] [group-address | name] [detail]: Display the contents of the circular cache-header buffer.
show ip mroute [group-name | group-address] [source] [summary] [count] [active kbps]: Display the contents of the IP multicast routing table.
Chapter 47 Configuring MSDP
This chapter describes how to configure the Multicast Source Discovery Protocol (MSDP) on the Catalyst 3750 switch. The MSDP connects multiple Protocol-Independent Multicast sparse-mode (PIM-SM) domains. MSDP is not fully supported in this software release because of a lack of support for Multicast Border Gateway Protocol (MBGP), which works closely with MSDP. However, it is possible to create default peers that MSDP can operate with if MBGP is not running.
MSDP depends heavily on the Border Gateway Protocol (BGP) or MBGP for interdomain operation. We recommend that you run MSDP in RPs in your domain that are RPs for sources sending to global groups to be announced to the Internet.
MSDP Operation
Figure 47-1 shows MSDP operating between two MSDP peers. PIM uses MSDP as the standard mechanism to register a source with the RP of a domain. When MSDP is configured, this sequence occurs.
Figure 47-1 MSDP Running Between RP Peers (figure labels: MSDP peer, RP + MSDP peer, MSDP SA, peer RPF flooding, TCP connection, BGP, Register, Multicast (S,G) Join, PIM DR, Source, Receiver, PIM sparse-mode domain)
MSDP Benefits
MSDP has these benefits:
• It breaks up the shared multicast distribution tree. You can make the shared tree local to your domain.
• Controlling Source Information that Your Switch Originates, page 47-8 (optional)
• Controlling Source Information that Your Switch Forwards, page 47-11 (optional)
• Controlling Source Information that Your Switch Receives, page 47-13 (optional)
• Configuring an MSDP Mesh Group, page 47-15 (optional)
• Shutting Down an MSDP Peer, page 47-15 (optional)
• Including a Bordering PIM Dense-Mode Region in MSDP, page 47-16 (optional)
• Configuring an Or
Figure 47-2 Default MSDP Peer Network (figure labels: Router A, Switch B, Router C, ISP A PIM domain, ISP C PIM domain, Customer PIM domain, default MSDP peer, SA, 10.1.1.1)
Beginning in privileged EXEC mode, follow these steps to specify a default MSDP peer. This procedure is required.
Step 1: configure terminal. Enter global configuration mode.
Step 3: ip prefix-list name [description string] | seq number {permit | deny} network length. (Optional) Create a prefix list using the name specified in Step 2.
• (Optional) For description string, enter a description of up to 80 characters to describe this prefix list.
• For seq number, enter the sequence number of the entry. The range is 1 to 4294967294.
Step 4: ip msdp description {peer-name | peer-address} text.
Beginning in privileged EXEC mode, follow these steps to enable the caching of source/group pairs. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: ip msdp cache-sa-state [list access-list-number]. Enable the caching of source/group pairs (create an SA state). Those pairs that pass the access list are cached. For list access-list-number, the range is 100 to 199.
Requesting Source Information from an MSDP Peer
Local RPs can send SA requests and get immediate responses for all active sources for a given group. By default, the switch does not send any SA request messages to its MSDP peers when a new member joins a group and wants to receive multicast traffic. The new member waits to receive the next periodic SA message.
Redistributing Sources
SA messages originate on RPs to which sources have registered. By default, any source that registers with an RP is advertised. The A flag is set in the RP when a source is registered, which means the source is advertised in an SA unless it is filtered. Beginning in privileged EXEC mode, follow these steps to further restrict which registered sources are advertised. This procedure is optional.
Step 3: access-list access-list-number {deny | permit} source [source-wildcard]. Create an IP standard access list, repeating the command as many times as necessary.
or
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard. Create an IP extended access list, repeating the command as many times as necessary.
Beginning in privileged EXEC mode, follow these steps to configure one of these options. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: ip msdp filter-sa-request ip-address | name. Filter all SA request messages from the specified MSDP peer.
Using a Filter
By creating a filter, you can perform one of these actions:
• Filter all source/group pairs
• Specify an IP extended access list to pass only certain source/group pairs
• Filter based on match criteria in a route map
Beginning in privileged EXEC mode, follow these steps to apply a filter. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 5: show running-config. Verify your entries.
Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
To remove the filter, use the no ip msdp sa-filter out {ip-address | name} [list access-list-number] [route-map map-tag] global configuration command. This example shows how to allow only (S,G) pairs that pass access list 100 to be forwarded in an SA message to the peer named switch.cisco.
You can perform one of these actions:
• Filter all incoming SA messages from an MSDP peer
• Specify an IP extended access list to pass certain source/group pairs
• Filter based on match criteria in a route map
Beginning in privileged EXEC mode, follow these steps to apply a filter. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
To remove the filter, use the no ip msdp sa-filter in {ip-address | name} [list access-list-number] [route-map map-tag] global configuration command. This example shows how to filter all SA messages from the peer named switch.cisco.com:
Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet1/0/1
Switch(config)# ip msdp sa-filter in switch.cisco.
Beginning in privileged EXEC mode, follow these steps to shut down a peer. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: ip msdp shutdown {peer-name | peer-address}. Administratively shut down the specified MSDP peer without losing configuration information. For peer-name | peer-address, enter the IP address or name of the MSDP peer to shut down.
Step 3: end. Return to privileged EXEC mode.
Step 5: show running-config. Verify your entries.
Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
Note that the ip msdp originator-id global configuration command also identifies an interface to be used as the RP address.
Monitoring and Maintaining MSDP
To monitor MSDP SA messages, peers, state, or peer status, use one or more of the privileged EXEC commands in Table 47-1:
Table 47-1 Commands for Monitoring and Maintaining MSDP
debug ip msdp [peer-address | name] [detail] [routes]: Debugs an MSDP activity.
debug ip msdp resets: Debugs MSDP peer reset reasons.
Chapter 48 Configuring Fallback Bridging
This chapter describes how to configure fallback bridging (VLAN bridging) on the Catalyst 3750 switch. With fallback bridging, you can forward non-IP packets that the switch does not route between VLAN bridge domains and routed ports. To use this feature, the stack master must be running the IP services image. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
acts like a port on a router, but it is not connected to a router. A routed port is not associated with a particular VLAN, does not support VLAN subinterfaces, but behaves like a normal routed port. For more information about SVIs and routed ports, see Chapter 12, “Configuring Interface Characteristics.” A bridge group is an internal organization of network interfaces on a switch.
Fallback Bridging and Switch Stacks
When the stack master fails, a stack member becomes the new stack master by using the election process described in Chapter 5, “Managing Switch Stacks.” The new stack master creates a new VLAN-bridge spanning-tree instance, which temporarily puts the spanning-tree ports used for fallback bridging into a nonforwarding state.
Default Fallback Bridging Configuration
Table 48-1 shows the default fallback bridging configuration.
Table 48-1 Default Fallback Bridging Configuration (feature: default setting)
Bridge groups: None are defined or assigned to a port. No VLAN-bridge STP is defined.
Switch forwards frames for stations that it has dynamically learned: Enabled.
Spanning tree parameters: switch priority 32768; port priority 128.
Beginning in privileged EXEC mode, follow these steps to create a bridge group and to assign an interface to it. This procedure is required.
Step 1: configure terminal. Enter global configuration mode.
Step 2: bridge bridge-group protocol vlan-bridge. Assign a bridge group number, and specify the VLAN-bridge spanning-tree protocol to run in the bridge group. The ibm and dec keywords are not supported.
Switch(config-if)# bridge-group 10
Switch(config-if)# exit
Adjusting Spanning-Tree Parameters
You might need to adjust certain spanning-tree parameters if the default values are not suitable. You configure parameters affecting the entire spanning tree by using variations of the bridge global configuration command. You configure interface-specific parameters by using variations of the bridge-group interface configuration command.
To return to the default setting, use the no bridge bridge-group priority global configuration command. To change the priority on a port, use the bridge-group priority interface configuration command (described in the next section). This example shows how to set the switch priority to 100 for bridge group 10:
Switch(config)# bridge 10 priority 100
Changing the Interface Priority
You can change the priority for a port.
Step 3: bridge-group bridge-group path-cost cost. Assign the path cost of a port.
• For bridge-group, specify the bridge group number. The range is 1 to 255.
• For cost, enter a number from 0 to 65535. The higher the value, the higher the cost.
 – For 10 Mb/s, the default path cost is 100.
 – For 100 Mb/s, the default path cost is 19.
 – For 1000 Mb/s, the default path cost is 4.
Adjusting the Interval between Hello BPDUs
Beginning in privileged EXEC mode, follow these steps to adjust the interval between hello BPDUs. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: bridge bridge-group hello-time seconds. Specify the interval between hello BPDUs.
• For bridge-group, specify the bridge group number. The range is 1 to 255.
Changing the Maximum-Idle Interval
If a switch does not receive BPDUs from the root switch within a specified interval, it recomputes the spanning-tree topology. Beginning in privileged EXEC mode, follow these steps to change the maximum-idle interval (maximum aging time). This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
This example shows how to disable spanning tree on a port in bridge group 10:
Switch(config)# interface gigabitethernet3/0/1
Switch(config-if)# bridge-group 10 spanning-disabled
Monitoring and Maintaining Fallback Bridging
To monitor and maintain the network, use one or more of the privileged EXEC commands in Table 48-2:
Table 48-2 Commands for Monitoring and Maintaining Fallback Bridging
clear bridg
Chapter 49 Troubleshooting
This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Catalyst 3750 switch. Depending on the nature of the problem, you can use the command-line interface (CLI), the device manager, or Network Assistant to identify and solve problems. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
• Using the show platform forward Command, page 49-22
• Using the crashinfo Files, page 49-24
• Memory Consistency Check Routines, page 49-25
• Troubleshooting Tables, page 49-26
Recovering from a Software Failure
Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, or by deleting the image file.
Step 6 Press the Mode button and, at the same time, reconnect the power cord to the switch. You can release the Mode button a second or two after the LED above port 1 goes off. Several lines of information about the software appear along with instructions:
The system has been interrupted prior to initializing the flash file system.
You enable or disable password recovery by using the service password-recovery global configuration command. When you enter the service password-recovery or no service password-recovery command on the stack master, it is propagated throughout the stack and applied to all switches in the stack. Follow the steps in this procedure if you have forgotten or lost the switch password.
Step 3 Load any helper files:
switch: load_helper
Step 4 Display the contents of flash memory:
switch: dir flash:
The switch file system appears:
Directory of flash:
13 drwx 192 Mar 01 1993 22:30:48 c3750-ipservices-mz-122-25.SEB
11 -rwx 5825 Mar 01 1993 22:31:59 config.text
18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat
16128000 bytes total (10003456 bytes free)
Step 5 Rename the configuration file to config.text.old.
Step 12 Return to privileged EXEC mode:
Switch(config)# exit
Switch#
Step 13 Write the running configuration to the startup configuration file:
Switch# copy running-config startup-config
The new password is now in the startup configuration.
Note This procedure is likely to leave your switch virtual interface in a shutdown state.
Step 14
Step 3 Display the contents of flash memory:
switch: dir flash:
The switch file system appears:
Directory of flash:
13 drwx 192 Mar 01 1993 22:30:48 c3750-ipservice-mz-122-25.0
16128000 bytes total (10003456 bytes free)
Step 4 Boot up the system:
switch: boot
You are prompted to start the setup program.
Preventing Switch Stack Problems
Note
• Make sure that the switches that you add to or remove from the switch stack are powered off. For all powering considerations in switch stacks, see the “Switch Installation” chapter in the hardware installation guide.
• After adding or removing stack members, make sure that the switch stack is operating at full bandwidth (32 Gb/s). Press the Mode button on a stack member until the Stack mode LED is on.
If you have not configured a standby command switch, and your command switch loses power or fails in some other way, management contact with the member switches is lost, and you must install a new command switch. However, connectivity between switches that are still connected is not affected, and the member switches forward packets as usual.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Basic management setup configures only enough connectivity for management of the system, extended setup will ask you to configure each interface on the system
Would you like to enter basic management setup? [yes/no]:
Step 10 Enter Y at the first prompt.
Replacing a Failed Command Switch with Another Switch
To replace a failed command switch with a switch that is command-capable but not part of the cluster, follow these steps:
Step 1 Insert the new switch in place of the failed command switch, and duplicate its connections to the cluster members.
Step 2 Start a CLI session on the new command switch.
Step 10 When prompted, assign a name to the cluster, and press Return. The cluster name can be 1 to 31 alphanumeric characters, dashes, or underscores.
Step 11 When the initial configuration displays, verify that the addresses are correct.
Step 12 If the displayed information is correct, enter Y, and press Return. If this information is not correct, enter N, press Return, and begin again at Step 9.
Troubleshooting Power over Ethernet Switch Ports
These sections describe how to troubleshoot Power over Ethernet (PoE) ports.
Disabled Port Caused by Power Loss
If a powered device (such as a Cisco IP Phone 7910) that is connected to a PoE switch port and is powered by an AC power source loses power from the AC power source, the device might enter an error-disabled state.
error-disabled state. After the elapsed interval, the switch brings the interface out of the error-disabled state and retries the operation. For more information about the errdisable recovery command, see the command reference for this release. If the module is identified as a Cisco SFP module, but the system is unable to read vendor-data information to verify its accuracy, an SFP module error message is generated.
• Destination unreachable—If the default gateway cannot reach the specified network, a destination-unreachable message is returned.
• Network or host unreachable—If there is no entry in the route table for the host or network, a network or host unreachable message is returned.
Executing Ping
If you attempt to ping a host in a different IP subnetwork, you must define a static route to the network or have IP routing configured to route between those subnets.
To end a ping session, enter the escape sequence (Ctrl-^ X by default). Simultaneously press and release the Ctrl, Shift, and 6 keys and then press the X key.
• If the source or destination MAC address belongs to multiple VLANs, you must specify the VLAN to which both the source and destination MAC addresses belong. If the VLAN is not specified, the path is not identified, and an error message appears.
• The traceroute mac ip command output shows the Layer 2 path when the specified source and destination IP addresses belong to the same subnet.
The traceroute privileged EXEC command uses the Time To Live (TTL) field in the IP header to cause routers and servers to generate specific return messages. Traceroute starts by sending a User Datagram Protocol (UDP) datagram to the destination host with the TTL field set to 1. If a router finds a TTL value of 1 or 0, it drops the datagram and sends an Internet Control Message Protocol (ICMP) time-to-live-exceeded message to the sender.
Table 49-2 Traceroute Output Display Characters (character: description)
*: The probe timed out.
?: Unknown packet type.
A: Administratively unreachable. Usually, this output means that an access list is blocking traffic.
H: Host unreachable.
N: Network unreachable.
P: Protocol unreachable.
Q: Source quench.
U: Port unreachable.
To end a trace in progress, enter the escape sequence (Ctrl-^ X by default).
Running TDR and Displaying the Results
When you run TDR on an interface, you can run it on the stack master or a stack member. To run TDR, enter the test cable-diagnostics tdr interface interface-id privileged EXEC command. To display the results, enter the show cable-diagnostics tdr interface interface-id privileged EXEC command. For a description of the fields in the display, see the command reference for this release.
To disable debugging of SPAN, enter this command in privileged EXEC mode:
Switch# no debug span-session
Alternately, in privileged EXEC mode, you can enter the undebug form of the command:
Switch# undebug span-session
To display the state of each debugging option, enter this command in privileged EXEC mode:
Switch# show debugging
Enabling All-System Diagnostics
Beginning in privileged EXEC mode, enter this command to enable all-system diagnostics:
Switch#
Using the show platform forward Command
The output from the show platform forward privileged EXEC command provides some useful information about the forwarding results if a packet entering an interface is sent through the system. Depending upon the parameters entered about the packet, the output provides lookup table results and port maps used to calculate forwarding destinations, bitmaps, and egress information.
This is an example of the output when the packet coming in on port 1 in VLAN 5 is sent to an address already learned on the VLAN on another port. It should be forwarded from the port on which the address was learned.
Switch# show platform forward gigabitethernet1/0/1 vlan 5 1.1.1 0009.43a8.0145 ip 13.1.1.1 13.2.2.
==========================================
Egress:Asic 3, switch 1
Output Packets:
------------------------------------------
Packet 1
 Lookup Key-Used
 OutptACL 50_10010A05_0A010505-00_40000014_000A0000
Port Vlan SrcMac DstMac Cos
Gi1/0/2 0007 XXXX.XXXX.0246 0009.43A8.
Extended crashinfo files are kept in this directory on the flash file system: flash:/crashinfo_ext/. The filenames are crashinfo_ext_n where n is a sequence number. You can configure the switch to not create the extended crashinfo file by using the no exception crashinfo global configuration command.
Table 49-3 Details of Checked TCAM Portions (column: description)
Values: The number of invalid values found in the TCAM tables.
Masks: The number of invalid masks found in the TCAM tables.
Fixups: The number of initial attempts to fix the invalid values or masks.
Retries: The number of attempts to fix the invalid values or masks.
Failures: The number of failed attempts to fix the invalid values or masks.
Verifying the Problem and Cause
To determine if high CPU utilization is a problem, enter the show processes cpu sorted privileged EXEC command. Note the utilization figures in the first line of the output example.
Switch# show processes cpu sorted
CPU utilization for five seconds: 8%/0%; one minute: 7%; five minutes: 8%
 PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
 309 42289103 752750 56180 1.75% 1.20% 1.
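An added example, not part of the guide, that parses show processes cpu sorted output in the format shown above and turns the first-line figures into a finding when the five-second utilization exceeds a threshold, splitting it into its interrupt and process shares and naming the top processes; the sample output, PIDs, counts and process names are constructed, and the 75% threshold is an assumed value.

```python
"""Parse Cisco IOS 'show processes cpu sorted' output and flag high CPU.

Added example, not from the Catalyst 3750 guide. The sample output below is
constructed to match the format the guide shows; PIDs, runtimes, counts and
process names are made up.
"""
import re
from dataclasses import dataclass

# Constructed sample in the format of 'show processes cpu sorted'.
SAMPLE_OUTPUT = """\
CPU utilization for five seconds: 91%/3%; one minute: 88%; five minutes: 45%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 309    42289103    752750      56180 41.75% 39.20% 20.10%   0 IP Input
 124      883124   1400321        630 22.00% 21.55%  9.80%   0 ARP Input
  98       50010    120000        416  0.55%  0.48%  0.40%   0 Check heaps
"""

# First line: total%/interrupt% for 5 seconds, then 1-minute and 5-minute totals.
HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
# Process rows: PID, runtime, invoked, usecs, three percentages, TTY, name.
PROC_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\d+)\s+(.+?)\s*$"
)


@dataclass
class CpuReport:
    five_sec_total: int
    five_sec_interrupt: int
    one_min: int
    five_min: int
    processes: list  # (process name, 5-second percent) pairs


def parse_cpu_output(text: str) -> CpuReport:
    """Parse the header line and every process row that follows it."""
    lines = text.splitlines()
    m = HEADER_RE.search(lines[0]) if lines else None
    if not m:
        raise ValueError("missing CPU utilization header line")
    procs = []
    for line in lines[1:]:
        pm = PROC_RE.match(line)
        if pm:  # the column-title line has no numeric PID and is skipped
            procs.append((pm.group(9), float(pm.group(5))))
    return CpuReport(int(m.group(1)), int(m.group(2)), int(m.group(3)),
                     int(m.group(4)), procs)


def high_cpu_finding(report: CpuReport, threshold: int = 75):
    """Return None below the threshold, otherwise a dict describing the load.

    The first-line figure is 'total%/interrupt%'; the difference is CPU spent
    in processes. A large interrupt share points at packet switching load, a
    large process share at the processes listed under the header.
    """
    if report.five_sec_total < threshold:
        return None
    process_pct = report.five_sec_total - report.five_sec_interrupt
    top = sorted(report.processes, key=lambda p: p[1], reverse=True)[:3]
    return {
        "five_sec_total": report.five_sec_total,
        "interrupt_pct": report.five_sec_interrupt,
        "process_pct": process_pct,
        "top_processes": [name for name, _ in top],
    }


if __name__ == "__main__":
    print(high_cpu_finding(parse_cpu_output(SAMPLE_OUTPUT)))
```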
Troubleshooting Power over Ethernet (PoE)
Figure 49-1 Power Over Ethernet Troubleshooting Scenarios
Symptom or problem: No PoE on only one port. Trouble is on only one switch port. PoE and non-PoE devices do not work on this port, but do on other ports.
Possible cause and solution: Verify that the powered device works on another PoE port.
Figure 49-1 Power Over Ethernet Troubleshooting Scenarios (continued)
Symptom or problem: No PoE on all ports or a group of ports. Trouble is on all switch ports.
Possible cause and solution: If there is a continuous, intermittent, or recurring alarm related to power, replace the power supply if possible (it is a field-replaceable unit). Otherwise, replace the switch.
Figure 49-1 Power Over Ethernet Troubleshooting Scenarios (continued)
Symptom or problem: After working normally, a Cisco phone or
Possible cause and solution: Verify all electrical connections from the switch to the powered device. Any unreliable connection results in power interruptions and irregular powered device functioning such as erratic powered device disconnects and reloads.
Troubleshooting Stackwise
Table 49-5 Switch Stack Troubleshooting Scenarios (symptom/problem; how to verify problem; possible cause/solution)
General troubleshooting of switch stack issues; Review this document; Use the Troubleshooting Switch Stacks document for problem solutions and tutorial information.
Switch cannot join stack; Enter the show switch privileged EXEC command.
Chapter 49 Troubleshooting Troubleshooting Tables Table 49-5 Switch Stack Troubleshooting Scenarios (continued) Symptom/problem How to Verify Problem Slow traffic throughput on stack Test the switch interface. ring Possible Cause/Solution Defective StackWise switch interface. Note The only solution is to replace the switch. Problems with stack master Review the rules of stack master election. Current stack master is rebooted or election.
CHAPTER 50 Configuring Online Diagnostics

This chapter describes how to configure the online diagnostics on the Catalyst 3750 switches.

Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release.
Scheduling Online Diagnostics

You can schedule online diagnostics to run at a designated time of day or on a daily, weekly, or monthly basis for a specific switch. Use the no form of the scheduling command to remove the scheduling.

Running Online Diagnostic Tests

This example shows how to configure the specified test to run every 2 minutes:
Switch(config)# diagnostic monitor interval switch 1 test 1 00:02:00 0 1

This example shows how to set the failure threshold for test monitoring on a switch:
Switch(config)# diagnostic monitor threshold switch 1 test 1 failure count 50

This example shows how to enable the generation of a syslog message when any health monitoring test fails:
Switch(confi

This example shows how to start diagnostic test 2 on a switch, disrupting normal system operations, causing the switch to lose stack connectivity, and then to reload:
Switch# diagnostic start switch 1 test 2
Switch 1: Running test(s) 2 will cause the switch under test to reload after completion of the test list.

Displaying Online Diagnostic Tests and Test Results

You can display the online diagnostic tests that are configured for specific switches and check the results of the tests using the show commands.

This example shows how to display the online diagnostic test status:
Switch# show diagnostic status
- Bootup Diagnostics, - Health Monitoring Diagnostics, - OnDemand Diagnostics, - Scheduled Diagnostics
Card   Description   Current Running Test   Run by
APPENDIX A Configuring the Catalyst 3750G Integrated Wireless LAN Controller Switch

The Catalyst 3750G Integrated Wireless LAN Controller Switch is an integrated Catalyst 3750 switch and Cisco 4400 series wireless LAN controller that supports up to 25 or 50 lightweight access points. The switch and the internal controller run separate software versions, which must be upgraded separately.

Understanding the Wireless LAN Controller Switch

The Catalyst 3750G Integrated Wireless LAN Controller Switch is a Layer 3 IEEE 802.3af-compliant switch with an integrated wireless LAN controller capable of supporting up to 25 or 50 lightweight access points.

Controller and Switch Interaction

The Catalyst 3750G switch and its internal controller are managed separately. You can manage the switch by using the switch CLI, eXpresso, or CNA. You can manage the controller by using the controller CLI, the embedded controller GUI, or WCS.

Configuring the Wireless LAN Controller Switch

The ports are automatically configured with these parameters, including membership in an EtherChannel port group, and you should not change these configurations. However, the EtherChannel port group must be unique on the switch and in the stack; no other ports should belong to the port group that contains the internal ports.

You can also configure other parameters on these ports in interface configuration mode. For example, by default, all traffic on all VLANs is sent to the controller. You should limit the VLANs that are allowed on the internal trunk by using the switchport trunk allowed vlan interface configuration command.

Step 3
Command: channel-group channel-group-number mode on
Purpose: Assign the port to a channel group, and disable PAgP and LACP.
• For channel-group-number, the range is 1 to 48.
• Selecting mode on forces the port to channel without PAgP or LACP.
Note: No other ports in the switch stack should be members of this channel group.

Displaying Internal Wireless Controller Information

To access the controller GUI, you need to enter the management interface IP address.
APPENDIX B Supported MIBs

This appendix lists the supported management information bases (MIBs) for this release on the Catalyst 3750 switch. It contains these sections:
• MIB List, page B-1
• Using FTP to Access the MIB Files, page B-4

MIB List

• BRIDGE-MIB
Note: The BRIDGE-MIB supports the context of a single VLAN. By default, SNMP messages using the configured community string always provide information for VLAN 1.
• CISCO-IETF-IP-MIB
• CISCO-IETF-IP-FORWARDING-MIB
• CISCO-IGMP-FILTER-MIB
• CISCO-IMAGE-MIB (Only stack master image details are shown.)
• CISCO IP-STAT-MIB
• CISCO-L2L3-INTERFACE-CONFIG-MIB
• CISCO-LAG-MIB
• CISCO-MAC-AUTH-BYPASS
• CISCO-MAC-NOTIFICATION-MIB
• CISCO-MEMORY-POOL-MIB (Only stack master image details are shown.)
• IF-MIB (In and out counters for VLANs are not supported.)
• IGMP-MIB
• INET-ADDRESS-MIB
• IPMROUTE-MIB
• LLDP MED MIB
• OLD-CISCO-CHASSIS-MIB (Partial support; some objects reflect only the stack master.)
• OLD-CISCO-FLASH-MIB (Supports only the stack master. Use CISCO-FLASH-MIB.)

Using FTP to Access the MIB Files

You can get each MIB file by using this procedure:
Step 1 Make sure that your FTP client is in passive mode. Note: Some FTP clients do not support passive mode.
Step 2 Use FTP to access the server ftp.cisco.com.
Step 3 Log in with the username anonymous.
Step 4 Enter your e-mail username when prompted for the password.
Step 5 At the ftp> prompt, change directories to /pub/mibs/v1 and /pub/mibs/v2.
APPENDIX C Working with the Cisco IOS File System, Configuration Files, and Software Images

This appendix describes how to manipulate the Catalyst 3750 switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Working with the Flash File System

These sections contain this configuration information:
• Displaying Available File Systems, page C-2
• Displaying Information about Files on a File System, page C-3
• Creating and Removing Directories, page C-4
• Copying Files, page C-5
• Deleting Files, page C-6
• Creating, Displaying, and Extracting tar Files, page C-6
• Displaying the Contents of a

Table C-1 show file systems Field Descriptions (continued)
Field: Flags
Value: Permission for file system. ro—read-only. rw—read/write. wo—write-only.
Field: Prefixes
Value: Alias for file system. flash:—Flash file system. nvram:—NVRAM. null:—Null destination for copies. You can copy a remote file to null to find its size. rcp:—Remote Copy Protocol (RCP) network server.

To display information about files on a file system, use one of the privileged EXEC commands in Table C-2:

Table C-2 Commands for Displaying Information About Files
Command: dir [/all] [filesystem:][filename]
Description: Display a list of files on a file system.
Command: show file systems
Description: Display more information about each of the files on a file system.

Use the /recursive keyword to delete the named directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process.

Deleting Files

When you no longer need a file on a flash memory device, you can permanently delete it. To delete a file or directory from a specified flash device, use the delete [/force] [/recursive] [filesystem:]/file-url privileged EXEC command. Use the /recursive keyword for deleting a directory and all subdirectories and the files contained in it.

• For RCP, the syntax is rcp:[[//username@location]/directory]/tar-filename.tar
• For TFTP, the syntax is tftp:[[//location]/directory]/tar-filename.tar
The tar-filename.tar is the tar file to be created. For flash:/file-url, specify the location on the local flash file system from which the new tar file is created.

Extracting a tar File

To extract a tar file into a directory on the flash file system, use this privileged EXEC command:
archive tar /xtract source-url flash:/file-url [dir/file...]
For source-url, specify the source URL alias for the local file system.
Working with Configuration Files

This section describes how to create, load, and maintain configuration files.

Note: For information about configuration files in switch stacks, see the "Stack Configuration Files" section on page 5-14.

Configuration files contain commands entered to customize the function of the Cisco IOS software.

Guidelines for Creating and Using Configuration Files

Creating configuration files can aid in your switch configuration. Configuration files can contain some or all of the commands needed to configure one or more switches. For example, you might want to download the same configuration file to several switches that have the same hardware configuration.

Creating a Configuration File By Using a Text Editor

When creating a configuration file, you must list commands logically so that the system can respond appropriately. This is one method of creating a configuration file:
Step 1 Copy an existing configuration from a switch to a server.

• Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).
• For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.

Uploading the Configuration File By Using TFTP

To upload a configuration file from a switch to a TFTP server for storage, follow these steps:
Step 1 Verify that the TFTP server is properly configured by referring to the "Preparing to Download or Upload a Configuration File By Using TFTP" section on page C-11.

If the server has a directory structure, the configuration file is written to or copied from the directory associated with the username on the server. For example, if the configuration file resides in the home directory of a user on the server, specify that user's name as the remote username. For more information, see the documentation for your FTP server.

Step 6
Command: end
Purpose: Return to privileged EXEC mode.
Step 7
Command: copy ftp:[[[//[username[:password]@]location]/directory]
Purpose: Using FTP, copy the configuration file from a network server to the running configuration or to the startup configuration file.

Uploading a Configuration File By Using FTP

Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using FTP:
Verify that the FTP server is properly configured by referring to the "Preparing to Download or Upload a Configuration File By Using FTP" section on page C-14.
Copying Configuration Files By Using RCP

The RCP provides another method of downloading, uploading, and copying configuration files between remote hosts and the switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented.

• When you upload a file to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server.

This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.

This example shows how to store a startup configuration file on a server:
Switch# configure terminal
Switch(config)# ip rcmd remote-username netadmin2
Switch(config)# end
Switch# copy nvram:startup-config rcp:
Remote host[]? 172.16.101.101
Name of configuration file to write [switch2-confg]?
Write file switch2-confg on host 172.16.101.
Understanding Configuration Replacement and Rollback

To use the configuration replacement and rollback feature, you should understand these concepts:
• Archiving a Configuration, page C-21
• Replacing a Configuration, page C-21
• Rolling Back a Configuration, page C-22

Archiving a Configuration

The configuration archive provides a mechanism to store, organize, and manage an ar

Rolling Back a Configuration

You can also use the configure replace command to roll back changes that were made since the previous configuration was saved. Instead of basing the rollback operation on a specific set of changes that were applied, the configuration rollback capability reverts to a specific configuration based on a saved configuration file.
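To make the replacement model concrete, here is an added Python example (not the switch's own algorithm or code) that does, in simplified form, what configure replace does: it compares the running configuration with an archived target and emits only the commands needed to converge, so the switch is never reloaded and commands already present are never re-entered. The two configurations are constructed, and the removal rule (prefixing a vanished line with no) is an assumption that ignores the per-command removal syntax and ordering constraints real IOS applies.

```python
"""Simplified model of 'configure replace': compute the commands that turn
the running configuration into a saved target configuration.

Added example, not the switch's own algorithm or code. The configurations
are constructed; the 'no <line>' removal rule is a simplification (real IOS
knows per-command removal syntax and ordering constraints).
"""


def parse_config(text: str):
    """Map each top-level line to its indented child lines.

    A global command such as 'hostname Switch' maps to an empty list; a block
    such as 'interface GigabitEthernet1/0/1' maps to its indented commands.
    Comment lines ('!') and blank lines are skipped.
    """
    blocks = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def replacement_commands(running_text: str, target_text: str):
    """Return the ordered command list that converts running into target."""
    running = parse_config(running_text)
    target = parse_config(target_text)
    commands = []
    for heading, wanted in target.items():
        if heading not in running:
            # Whole block (or global command) missing: add it verbatim.
            commands.append(heading)
            commands.extend(" " + line for line in wanted)
            continue
        present = running[heading]
        removed = [line for line in present if line not in wanted]
        added = [line for line in wanted if line not in present]
        if removed or added:
            commands.append(heading)
            commands.extend(" no " + line for line in removed)
            commands.extend(" " + line for line in added)
    for heading in running:
        if heading not in target:
            # Present only on the live switch: roll it back.
            commands.append("no " + heading)
    return commands


# Constructed configurations: the archived copy predates an SNMP community
# and an access-VLAN change that were made on the live switch.
RUNNING_CONFIG = """\
hostname Switch
ip domain-name example.test
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 switchport mode trunk
!
snmp-server community public RO
"""

ARCHIVED_CONFIG = """\
hostname Switch
ip domain-name example.test
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 switchport port-security
!
interface GigabitEthernet1/0/2
 switchport mode trunk
"""

if __name__ == "__main__":
    for command in replacement_commands(RUNNING_CONFIG, ARCHIVED_CONFIG):
        print(command)
```

Rolling back to the archived copy touches only GigabitEthernet1/0/1 and removes the SNMP community added after the archive point; the unchanged hostname, domain name and trunk port generate nothing, which is the difference between replacement and a copy-and-merge.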
Configuring the Configuration Archive

Using the configure replace command with the configuration archive and with the archive config command is optional but offers significant benefit for configuration rollback scenarios. Before using the archive config command, you must first configure the configuration archive.

Performing a Configuration Replacement or Rollback Operation

Starting in privileged EXEC mode, follow these steps to replace the running configuration file with a saved configuration file:
Step 1
Command: archive config
Purpose: (Optional) Save the running configuration file to the configuration archive.
Working with Software Images

This section describes how to archive (download and upload) software image files, which contain the system software, the Cisco IOS code, and the embedded device manager software.

Image Location on the Switch

The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management. The image is stored on the system board flash memory (flash:). You can use the show version privileged EXEC command to see the software version that is currently running on your switch.

Table C-3 info File Description (continued)
Field: total_image_file_size
Description: Specifies the size of all the images (the Cisco IOS image and the web management files) in the tar file, which is an approximate measure of how much flash memory is required to hold them.
Field: image_feature
Description: Describes the core functionality of the image.
Field: image_min_dram
Description: Specifies the minimum amount of DR

Make sure that the /etc/services file contains this line:
tftp 69/udp
Note: You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot command (on SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x).
Step 3
Command: archive download-sw /allow-feature-upgrade /overwrite /reload tftp:[[//location]/directory]/image-name.tar
Purpose: Download the image file from the TFTP server to the switch, and overwrite the current image.
Step 4
Command: archive download-sw /leave-old-sw /reload tftp:[[//location]/directory]/image-name.

Caution: For the download and upload algorithms to operate properly, do not rename image files.

Uploading an Image File By Using TFTP

You can upload an image from the switch to a TFTP server. You can later download this image to the switch or to another switch of the same type.

To upgrade a switch with an incompatible software image, use the archive copy-sw privileged EXEC command to copy the software image from an existing stack member to the incompatible switch. That switch automatically reloads and joins the stack as a fully functioning member.

username global configuration command. This new name will be used during all archive operations. The new username is stored in NVRAM. If you are accessing the switch through a Telnet session and you have a valid username, this username is used, and you do not need to set the FTP username.

Step 8
Command: archive download-sw /leave-old-sw /reload ftp:[[//username[:password]@location]/directory]/image-name.tar
Purpose: Download the image file from the FTP server to the switch, and keep the current image.
• The /leave-old-sw option keeps the old software version after a download.

Uploading an Image File By Using FTP

You can upload an image from the switch to an FTP server. You can later download this image to the same switch or to another switch of the same type. Use the upload feature only if the web management pages associated with the embedded device manager have been installed with the existing image.
Copying Image Files By Using RCP

You can download a switch image from an RCP server or upload the image from the switch to an RCP server. You download a switch image file from a server to upgrade the switch software. You can overwrite the current image with the new one or keep the current image after a download. You upload a switch image file to a server for backup purposes.

For the RCP copy request to execute successfully, an account must be defined on the network server for the remote username. If the server has a directory structure, the image file is written to or copied from the directory associated with the remote username on the server.

Step 5
Command: end
Purpose: Return to privileged EXEC mode.
Step 6
Command: archive download-sw /allow-feature-upgrade /overwrite /reload rcp:[[[//[username@]location]/directory]/image-name.tar]
Purpose: Download the image file from the RCP server to the switch, and overwrite the current image.
Step 7
Command: archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.

If you specify /leave-old-sw, the existing files are not removed. If there is not enough room to install the new image and keep the running image, the download process stops, and an error message is displayed. The algorithm installs the downloaded image onto the system board flash device (flash:).

Step 5
Command: end
Purpose: Return to privileged EXEC mode.
Step 6
Command: archive upload-sw rcp:[[[//[username@]location]/directory]/image-name.tar]
Purpose: Upload the currently running switch image to the RCP server.
• For //username, specify the username; for the RCP copy request to execute, an account must be defined on the network server for the remote username.
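The tftp:, ftp: and rcp: URL forms used by the copy and archive commands throughout this appendix share one bracketed grammar, scheme:[[//[username[:password]@]location]/directory]/filename, and each scheme silently ignores the parts it cannot use. The following Python, added here and not part of the guide, parses that form and reports what the switch would prompt for or discard: tftp: carries no credentials, rcp: authenticates by the server's .rhosts entry rather than a password, and a password typed into an ftp: URL sits in the command line. The sample URLs are constructed and the warning rules are the author's checks.

```python
"""Parse the scheme:[[//[username[:password]@]location]/directory]/filename
form that the copy and archive commands accept.

Added example, not part of the Catalyst 3750 guide. The sample URLs are
constructed; the warnings are the author's checks, not text from the guide.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

URL_RE = re.compile(
    r"^(?P<scheme>[a-z]+):"
    r"(?://(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?(?P<host>[^/]*))?"
    r"(?P<path>/.*)?$"
)
NETWORK_SCHEMES = {"tftp", "ftp", "rcp"}


@dataclass
class CiscoUrl:
    scheme: str
    host: Optional[str]
    user: Optional[str]
    password: Optional[str]
    directory: str
    filename: str
    warnings: list = field(default_factory=list)


def parse_cisco_url(url: str) -> CiscoUrl:
    """Split a copy/archive URL into its parts and note what the switch
    would prompt for or ignore."""
    match = URL_RE.match(url.strip())
    if match is None:
        raise ValueError(f"not a scheme:[[//location]/directory]/filename URL: {url!r}")
    scheme = match["scheme"]
    path = match["path"] or ""
    directory, _, filename = path.rpartition("/")
    if path and not directory:
        directory = "/"  # '/file' lives in the root directory
    parsed = CiscoUrl(scheme, match["host"] or None, match["user"],
                      match["password"], directory, filename)
    if scheme in NETWORK_SCHEMES and not parsed.host:
        parsed.warnings.append("no location given; the switch prompts for the remote host")
    if not filename:
        parsed.warnings.append("no filename given; the switch prompts for it")
    if scheme == "tftp" and (parsed.user or parsed.password is not None):
        parsed.warnings.append("tftp: carries no username or password; they are ignored")
    if scheme == "rcp" and parsed.password is not None:
        parsed.warnings.append("rcp: authenticates by .rhosts entry, not password; it is ignored")
    if scheme == "ftp" and parsed.password is not None:
        parsed.warnings.append("ftp: password in the URL is visible in the command line and logs")
    return parsed


# Constructed URLs in the forms shown in this appendix.
SAMPLE_URLS = [
    "tftp://172.20.10.30/tftpboot/image.tar",
    "ftp://netadmin1:secret@172.16.101.101/configs/host2-confg",
    "rcp://netadmin1@172.16.101.101/host2-confg",
    "flash:/image.tar",
    "tftp:",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        parsed = parse_cisco_url(url)
        print(url, "->", parsed.scheme, parsed.host, parsed.directory,
              parsed.filename, parsed.warnings)
```

Running it on the samples shows the bare tftp: URL producing two prompts (host and filename) rather than an error, and the ftp: URL flagged for its inline password; the ip ftp username global configuration command mentioned earlier in this section is the way to keep the credential out of the command line.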
Beginning in privileged EXEC mode from the stack member that you want to upgrade, follow these steps to copy the running image file from the flash memory of a different stack member:
Step 1
Command: archive copy-sw /destination-system destination-stack-member-number /force-reload source-stack-member-number
Purpose: Copy the running image file from a stack member, and then unconditio
APPENDIX D Unsupported Commands in Cisco IOS Release 12.2(55)SE

This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Catalyst 3750 switch prompt but are not supported in this release, either because they are not tested or because of switch hardware limitations. This is not a complete list.

• SNMPv3, page D-16
• Spanning Tree, page D-16
• VLAN, page D-17
• VTP, page D-17

Access Control Lists

Unsupported Privileged EXEC Commands
access-enable [host] [timeout minutes]
access-template [access-list-number | name] [dynamic-name] [source] [destination] [timeout minutes]
clear access-template [access-list-number | name] [dynamic-name] [source] [destination]
Unsupported Interface Configuration Commands
transmit-interface type number

IP Multicast Routing

Unsupported Privileged EXEC Commands
clear ip rtp header-compression [type number]
The debug ip packet command displays packets received by the switch CPU. It does not display packets that are hardware-switched.
The debug ip mcache command affects packets received by the switch CPU.
neighbor advertise-map
neighbor allowas-in
neighbor default-originate
neighbor description
network backdoor
table-map

Unsupported VPN Configuration Commands
All

Unsupported Route Map Commands
match route-type for policy-based routing (PBR)
set as-path {tag | prepend as-path-string}
set automatic-tag
set dampening half-life reuse suppress max-suppress-time
set default interface interface-id [interface-id.....
VLAN

Unsupported Global Configuration Command
vlan internal allocation policy {ascending | descending}

Unsupported User EXEC Commands
show running-config vlan
show vlan ifindex
vlan database

Unsupported VLAN Database Commands
vtp
vlan

VTP

Unsupported Privileged EXEC Commands
vtp {password password | pruning | version number}
Note: This command has been replaced by the vtp global configuration command.
Index config.
Index described DHCP 36-3 22-10 illustration 36-4 DHCP option 82 22-10 support for 1-8 DHCP snooping 22-10 cross-stack UplinkFast, STP DHCP snooping binding database described 20-5 DNS disabling 20-17 dynamic ARP inspection enabling 20-17 EIGRP fast-convergence events Fast Uplink Transition Protocol normal-convergence events support for Flex Links 1-8 HSRP 12-16 48-4 21-8 42-5 IEEE 802.
Index RADIUS RIP destination-MAC address forwarding, EtherChannel 9-27 detecting indirect link failures, STP 38-20 RMON 30-3 device RSPAN 29-11 device discovery protocol SDM template benefits SPAN 29-11 described STP C-25 Cisco IOS server database 5-19 system message logging system name and prompt TACACS+ configuring 31-4 22-15 default configuration 7-15 described 9-13 22-10 22-7 DHCP for IPv6 28-4 VLAN, Layer 2 Ethernet interfaces VLANs 13-7 VMPS 13-29 voice VLAN 13-19
Index DHCP binding table DHCP snooping binding database See DHCP snooping binding database adding bindings DHCP object tracking, configuring primary interface 44-10 binding file format DHCP option 82 22-5 configuration guidelines default configuration displaying bindings 22-10 configuring 22-12 binding file 22-5 remote ID 22-5 bindings described 22-5 configuration guidelines default configuration 22-16 22-16 status and statistics 22-29 enabling entry 22-31 22-16 22-15 22-8 renewing
Index creating and removing C-4 using CMS 1-2 displaying the working C-4 using FTP C-32 discovery, clusters using HTTP See automatic discovery using RCP Distance Vector Multicast Routing Protocol distribute-list command C-37 using TFTP See DVMRP distance-vector protocols 1-2, C-25 C-28 using the device manager or Network Assistant C-25 38-3 drop threshold for Layer 2 protocol packets 38-103 17-11 DRP DNS and DHCP-based autoconfiguration default configuration 7-17 overview 7-15
Index displaying information log buffer 46-53 prevent peering with nonpruning rejecting nonpruning overview rate limit for incoming ARP packets 46-56 default configuration 46-55 routes described adding a metric offset advertising all 46-52 caching DVMRP routes learned in report messages 46-54 changing the threshold for syslog messages statistics 23-16 23-15 error-disabled state for exceeding rate limit 46-60 function of limiting unicast route advertisements 46-49 46-9 46-57 46-9 inter
Index troubleshooting types of connections dynamic routing enable secret password 13-33 encryption, CipherSuite 13-31 9-52 encryption for passwords 38-3 ISO CLNS 9-4 9-4 Enhanced IGRP 38-65 See EIGRP Dynamic Trunking Protocol enhanced object tracking See DTP backup static routing commands E defined EBGP HSRP editing features enabling and disabling keystrokes used wrapped lines 44-1 IP SLAs 2-8 44-2 44-9 line-protocol state 2-9 44-10 44-7 IP routing state 2-7 44-2 network
Index interaction EUI with STP event detectors, embedded event manager 36-12 with VLANs 39-4 events, RMON 36-13 LACP 30-4 examples described network configuration 36-7 displaying status expedite queue for QoS 36-23 hot-standby ports Express Setup 36-20 interaction with other features modes load balancing configuration guidelines 36-21 configuring 38-5 creating 36-8, 36-18 logical interfaces, described MSTP 36-19 STP 36-5 interaction with virtual switches 36-19 external B
Index clearing description 48-11 displaying 48-11 configuration guidelines default configuration described 12-10 creating C-6 extracting frame forwarding displaying available file systems 48-2 displaying file information 48-1 protocol, unsupported local file system names 48-4 stack changes, effects of setting the default disabling on an interface forward-delay interval hello BPDU interval interface priority 48-9 48-9 IPv6 traffic 41-4, 41-7 34-28 48-6 filters, IP flash device, numbe
Index QoS classification guide mode 35-7 QoS egress queueing and scheduling QoS ingress queueing and scheduling QoS policing and marking 35-18 described STP See device manager and Network Assistant 35-11 H 12-20 12-20 hardware limitations and Layer 3 interfaces forward-delay time MSTP GUIs 35-16 flowcontrol configuring 1-2 hello time 19-25 MSTP 18-23 STP Forwarding Information Base 19-25 18-22 help, for the command line See FIB HFTM space forwarding nonroutable protocols 48-1 F
Index definition 42-1 guidelines 42-6 monitoring ICMP Echo operation configuring object tracking overview priority IP SLAs 42-13 42-1 42-8 switch stack considerations and ingress SPAN 29-22 29-15 IEEE 802.1D See STP 39-26 IEEE 802.1p 39-25 15-1 IEEE 802.
Index configurable leave timer described 24-6 enabling 24-12 IGMP filtering configuring default configuration configuring the switch described as a member of a group 46-39 statically connected member controlling access to groups default configuration fast switching 46-43 support for 1-5 24-13 24-14 described 24-6 enabling 24-11 applying 24-13 host-query interval, modifying joining multicast group 24-27 configuration mode 24-13 configuring 46-41 24-26 24-27 IGMP snooping 24-3
Index described supported 24-25 displaying action IGP types of 24-30 12-11 12-1 interfaces range macro command 38-25 Immediate Leave, IGMP enabling interface types 24-6 12-11 Interior Gateway Protocol 40-9 inaccessible authentication bypass support for multiauth ports 10-25 10-26 See IGP internal BGP See IBGP initial configuration defaults internal neighbors, BGP 1-17 Express Setup 38-49 Internet Control Message Protocol 1-2 integrated wireless LAN controller switch see 3750G inte
Index redundant clusters using with Auto-RP 6-12 standby command switch Cisco implementation 6-12, 6-14 See also IP information IP base image 46-34 46-2 configuring basic multicast routing 1-1 IP broadcast address IP multicast boundary 38-16 ip cef distributed command IP directed broadcasts default configuration 38-91 46-47 46-11 enabling 38-15 ip igmp profile command 46-12 multicast forwarding 24-26 IP information PIM mode assigned 46-13 46-13 group-to-RP mappings manually A
Index stacking measuring network performance stack master functions monitoring 46-10 stack member functions 43-14 multioperations scheduling 46-10 statistics, displaying system and network 46-62 object tracking operation See also DVMRP reachability tracking See also IGMP responder automatic classification and queueing configuring 35-21 trusted boundary for QoS 35-43 43-5 on a Layer 2 access port on a PVLAN host port 43-2 supported metrics 43-2 threshold monitoring 35-43 IP Port S
Index enabling inter-VLAN 22-21, 22-22 filtering IP addressing source IP address classes 22-18 source IP and MAC address on provisioned switches IPv6 IRDP 22-18 source IP and MAC address filtering dynamic executing 49-18 overview 49-17 proxy ARP IP unicast routing 38-3 38-10 redistribution 38-94 reverse address resolution 38-9 administrative distances routed ports 38-93, 38-103 assigning IP addresses to Layer 3 interfaces 38-7 broadcast steps to configure supernet 38-16 UDP
Index matching criteria port IS-IS 41-3 addresses 41-1 precedence router addresses area routing 41-2 monitoring 41-2 address formats system routing 39-2 and switch stacks and IPv6 39-5 and trunk ports autoconfiguration 39-5 encapsulation configuring static routes default configuration clear commands 39-11 monitoring Enhanced Interior Gateway Routing Protocol (EIGRP) IPv6 39-7 EIGRP IPv6 Commands Router ID feature limitations area routing 38-65 38-66 system routing isolated port
Index network services configuration examples configuring multicast traffic 9-44 multiple devices on a port 9-40 unicast traffic 9-44 credentials cryptographic software image KDC Layer 3 features 9-40 49-16 1-14 Layer 3 interfaces 9-41 assigning IP addresses to 9-41 operation 49-17 49-16 usage guidelines 9-41 described 49-16 38-7 assigning IPv4 and IPv6 addresses to 9-43 realm 9-42 assigning IPv6 addresses to server 9-42 changing from Layer 2 mode support for types of 1-1
Index overview MAC addresses 27-1 supported TLVs aging time 27-2 switch stack considerations and VLAN association 27-2 transmission timer and holdtime, setting 27-7 LLDP-MED discovering 27-5 supported TLVs learning 27-2 in ACLs 7-22 34-28 IP address association 42-4 38-9 static 29-2 adding 27-3, 27-8 logging messages, ACL 7-28 allowing 34-9 login authentication 7-29, 7-30 characteristics of with RADIUS 9-30 with TACACS+ 9-14 dropping 7-29 removing 7-28 MAC address
Index for QoS classification magic packet maximum number of allowed devices, port-based authentication 10-40 35-6 10-29 manageability features maximum-paths command 1-6 MDA management access configuration guidelines in-band browser session CLI session SNMP described 1-7 automatic discovery 1-7 defined 27-2 management options 2-1 1-5 passwords 6-14 displaying 6-8 discovery through different management VLANs mapping tables for QoS example 6-8 49-25 49-25 memory consistency check rout
Index access groups BGP SFP status 34-42 38-64 cables for unidirectional links 28-1 12-32, 49-14 source-active messages 47-18 speed and duplex mode 12-19 CDP 26-5 SSM mapping CEF 38-91 traffic flowing among switches EIGRP traffic suppression 38-44 fallback bridging features HSRP tunneling 48-11 34-42 maps 42-13 IEEE 802.
Index monitoring root switch 47-18 peering relationship, overview shutting down secondary root switch 47-1 requesting source information from switch priority 47-8 defined clearing cache entries 19-4 19-16 default optional feature configuration filtering from a peer filtering incoming filtering to a peer displaying status 47-10 19-17 EtherChannel guard 47-12 described 47-13 enabling 47-18 restricting advertised sources 47-9 20-10 20-18 extended system ID effects on root switch 1-
Index described multicast VLAN 19-2 hop-count mechanism IST Multicast VLAN Registration 19-6 See MVR 19-3 supported spanning-tree instances optional features supported overview 24-18 multidomain authentication 19-2 See MDA 1-8 multioperations scheduling, IP SLAs 19-2 Port Fast multiple authentication described 20-2 enabling 20-13 10-14 multiple authentication mode configuring preventing root switch selection 10-46 Multiple HSRP 20-10 See MHSRP root guard described enabling mul
Index large network N 1-26 long-distance, high-bandwidth transport NAC multidwelling network AAA down policy 1-12 critical authentication IEEE 802.1x validation using RADIUS server inaccessible authentication bypass Layer 2 IEEE 802.1x validation named IPv4 ACLs small to medium-sized network 10-62 1-12, 10-57 1-11, 10-32, 10-62 1-12 1-25 network design performance services 1-20 1-20 See NEAT network management CDP native VLAN 26-1 RMON and IEEE 802.
Index associations optimizing system resources authenticating defined options, management 7-5 area parameters, configuring 7-7 configuring 7-6 server default configuration 38-33 route 7-11 38-32 settings 7-2 restricting access described creating an access group for IPv6 7-9 disabling NTP services per interface source IP address, configuring 38-26 38-25 39-7 interface parameters, configuring 7-10 LSA group pacing 7-10 monitoring 7-2 support for 38-29 metrics 7-4 displaying
Index enable overview 9-3 enable secret Telnet prune messages 9-4 RPF lookups 9-6 with usernames VTP domain 19-23 18-20 path MTU discovery 46-9 configuration guidelines 14-9 displaying MSTP 46-5 stub routing 9-7 path cost STP 46-5 PBR 46-63 enabling 46-23 overview 46-5 support for 39-4 46-23 1-15 versions defined interoperability 38-98 enabling troubleshooting interoperability problems 38-100 fast-switched policy-based routing local policy-based routing PC (passive comm
Index configuring configuring for each matched traffic class 35-53 802.
Index guidelines characteristics 10-39 initiation and message exchange magic packet method lists configuration tasks 10-6 described 10-29 maximum number of allowed devices per port 10-40 10-18 configuring described 10-14 per-user ACLs 10-19 voice aware 802.
Index port security aging and SVIs and switch stacks 25-18 and private VLANs benefits of 25-19 and QoS trusted boundary and stacking configuring 25-20 25-19 violations with other features 16-3 16-3 16-2 16-2, 16-3 16-14 monitoring 13-28 16-15 ports 27-2 power management TLV community 27-2, 27-8 Power over Ethernet 16-2 configuration guidelines See PoE configuring host ports preemption, default configuration described 21-8 preferential treatment of traffic isolated See QoS 9
Index defined 16-2 protected ports 1-10, 25-6 protocol-dependent modules, EIGRP described 35-21 disabling 35-34 displaying generated commands 38-37 Protocol-Independent Multicast Protocol 35-34 displaying the initial configuration See PIM effects on running configuration provider edge devices list of generated commands 38-76 provisioned switches and IP source guard 22-21 provisioning new members for a switch stack 5-7 basic model configuring definition 35-8 35-4 DSCP transparency
Index IP standard ACLs MAC ACLs scheduling, described 35-48 setting WTD thresholds 35-50 policy maps, hierarchical WTD, described 35-57 port trust states within the domain trusted boundary 35-4 automatic classification and queueing 35-85 DSCP transparency 35-45 detection and trusted settings 35-22 default standard configuration displaying statistics 35-17 IP phones 35-41 35-43 default auto configuration CoS-to-DSCP displaying 35-67 35-86 DSCP-to-CoS 35-78 buffer allocation scheme
Index high priority (expedite) location of 1-12 RADIUS Change of Authorization 35-14 9-35 9-20 range 35-20 macro 1-13 trust states 12-14 of interfaces bordering another domain described 9-19 tracking services accessed by user 35-15 WTD, described support for suggested network environments support for 35-14 SRR, described rewrites 35-20, 35-84 35-45 12-13 rapid convergence 19-11 rapid per-VLAN spanning-tree plus 35-6 trusted device See rapid PVST+ 35-43 within the domain rapi
Index EtherChannel HSRP passwords and privilege levels 36-3 RADIUS 42-1 STP 9-18 TACACS+ backbone multidrop backbone path cost reverse address resolution 20-5 RFC 20-16 1058, RIP redundant power system See Cisco Redundant Power System 2300 reliable transport protocol, EIGRP 38-20 1112, IP multicast and IGMP 1157, SNMPv1 38-36 1163, BGP 3-24 Remote Authentication Dial-In User Service 38-44 1166, IP addresses 1253, OSPF Remote Copy Protocol 1267, BGP 38-44 1305, NTP 7-2 See RCP Re
Index groups supported overview Routing Information Protocol 30-2 See RIP 30-2 routing protocol administrative distances statistics collecting group Ethernet collecting group history support for 30-6 30-5 RPS See Cisco Redundant Power System 2300 RPS 2300 1-16 See Cisco Redundant Power System 2300 root guard described RSPAN 20-10 enabling and stack changes 20-18 support for characteristics 1-8 root switch 29-9 default configuration 19-19 defined 18-16 route calculation timers, OSP
Index described desktop 19-9 restarting migration process topology changes overview 8-1 dual IPv4 and IPv6 19-28 types of 19-14 8-1 secondary VLANs 19-9 port roles 8-2 16-2 Secure Copy Protocol described secure HTTP client 19-10 synchronized configuring 19-12 proposal-agreement handshake process rapid convergence edge ports and Port Fast point-to-point links 19-11 19-11, 19-27 configuring 9-55 9-57 secure MAC addresses and switch stacks 25-19 25-17 maximum number of 19-10 S
Index severity levels, defining in system messages configuring 31-9 SFPs 32-8 for cluster switches monitoring status of numbering of overview 12-32, 49-14 security and identification default configuration 49-13 engine ID 49-14 shaped round robin groups See SRR host show access-lists hw-summary command 34-22 show and more command output, filtering 2-10 show cdp traffic command show configuration command 32-7 in clusters 32-6 6-15 and trap keyword 12-25 described 32-5 show int
Index types of users session limits 32-13 sessions 32-7, 32-10 versions supported SNMPv2C SNMPv3 configuring ingress forwarding 32-2 SNMP and Syslog Over IPv6 SNMPv1 29-11 39-7 32-2 creating 29-12 defined 29-4 29-16, 29-23 limiting source traffic to specific VLANs 32-2 removing destination (monitoring) ports 32-2 snooping, IGMP 24-2 specifying monitored ports 29-12 software compatibility with ingress traffic enabled 29-15 See stacks, switch source ports software images VLAN-
Index monitoring IP routing 9-57 SSM 38-4 IPv6 ACLs address management restrictions CGMP limitations components MSTP 46-16 MVR 46-16 differs from Internet standard multicast IGMP snooping IP address range STP 46-15 VLANs 46-15 VTP 46-14 state maintenance limitations SSM mapping 6-15 system message log 46-17 operations 29-10 18-12 switch clusters 46-15 46-16 31-2 13-7 14-7 stack master bridge ID (MAC address) 46-17 configuration guidelines 46-18 defined 5-1 5-4 configur
Index member number priority value provisioning a new member 5-21 partitioned 5-22 provisioning a new member auto-advise adding 5-11 auto-extract 5-11 auto-upgrade benefits configuration file bridge ID 5-14 default configuration description of 5-10 18-3 18-10 18-3 stack root switch election 5-19 5-24 remotely monitoring enabling persistent MAC address timer 5-19 31-1 31-2 system prompt consideration hardware compatibility and SDM mismatch mode 5-9 7-14 system-wide configuration
Index standby ip command standby links OSPF 42-6 21-2 standby router 42-1 standby timers, HSRP QoS ingress and egress 35-85 RMON group Ethernet 30-6 RMON group history 42-10 startup configuration VTP configuring C-20 configuration file automatically downloading default boot configuration 3-20 3-20 3-20 static access ports assigning to VLAN defined 25-3 described 25-2 disabling 25-5 displaying 25-20 support for 1-4 thresholds 25-2 STP 13-10 accelerating root port selection
Index switch priority limitations with IEEE 802.
Index stratum, NTP STP 7-2 stub areas, OSPF switch software features 38-31 stub routing, EIGRP See SVI 38-7 summer time synchronization, BGP 13-29 See system message logging 1-6 system capabilities TLV 38-8 supported port-based authentication methods 10-8 configuring manually time zones and IP unicast routing and router ACLs defined overview 7-12 7-1 system description TLV 12-5 27-2 system message logging 13-2 default configuration 39-2 switch clustering technology disabling
Index configuring the logging facility facilities supported 31-13 Layer 2 protocol tar files 31-14 creating system MTU and IS-IS LSPs C-6 displaying the contents of 38-70 system MTU and IEEE 802.
Index deleting types C-29 downloading tracked objects C-28 preparing the server uploading by Boolean expression C-27 32-17 by threshold weight 43-6 time See NTP and system clock tracking objects 44-1 tracking process 44-1 blocking flooded time-range command 34-17 fragmented time ranges in ACLs 34-17 fragmented IPv6 traffic policing TLVs 41-2 34-5 1-13 traffic suppression 25-2 transmit hold-count 27-1 see STP 27-2 LLDP-MED transparent mode, VTP 27-2 Token Ring VLANs tra
Index with ping type of service 49-14 with system message logging with traceroute See ToS 31-1 49-17 trunk failover U See link-state tracking trunking encapsulation 1-9 UDLD trunk ports configuration guidelines configuring defined 13-21 default configuration 12-3, 13-3 encapsulation 28-4 28-4 disabling 13-21, 13-26, 13-27 globally trunks 28-5 on fiber-optic interfaces allowed-VLAN list configuring ISL 13-22 per interface 13-21, 13-26, 13-27 globally setting STP path costs 1
Index See UDLD described UNIX syslog servers virtual IP address daemon configuration facilities supported 5-10 cluster standby group 31-13 command switch 31-14 message logging configuration 6-12 6-12 Virtual Private Network 31-13 unrecognized Type-Length-Value (TLV) support 14-4 See VPN virtual router upgrading software images See downloading 42-1, 42-2 virtual switches and PAgP UplinkFast vlan.
Index creating 34-32 limiting source traffic with SPAN defined 34-2 modifying denying access to a server example denying and permitting packets displaying multicast 34-36 examples of ACLs and VLAN maps parameters wiring closet configuration example supported 13-32 13-10 traffic between VLANs VTP modes 13-2 adding to VLAN database 13-8 See VTP aging dynamic addresses 18-10 VLAN trunks allowed on trunk configuration guidelines, normal-range VLANs configuring 13-1 13-11 features il
Index voice VLAN advertisements Cisco 7960 phone, port connections configuration guidelines and extended-range VLANs 15-1 and normal-range VLANs 15-3 configuring IP phones for data traffic override CoS of incoming frame client mode, configuring 15-7 configuring ports for voice traffic in 802.
Index Version enabling web-based authentication, interactions with other features 11-7 14-14 version, guidelines Version 1 Web Cache Communication Protocol 14-10 See WCCP 14-4 weighted tail drop Version 2 configuration guidelines overview See WTD 14-10 weight thresholds in tracked lists 14-4 wired location service Version 3 overview configuring 14-5 displaying W authentication 27-12 location TLV 27-3 understanding 27-3 wizards 45-3 configuration guidelines default configuration