Catalyst 3750-X and 3560-X Switch Software Configuration Guide
Cisco IOS Release 12.2(53)SE2
May 2010
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS Preface xlix Audience Purpose xlix xlix Conventions xlix Related Publications l Obtaining Documentation and Submitting a Service Request CHAPTER 1 Overview li 1-1 Features 1-1 Deployment Features 1-2 Performance Features 1-4 Management Options 1-5 Manageability Features 1-6 Availability and Redundancy Features VLAN Features 1-9 Security Features 1-9 QoS and CoS Features 1-12 Layer 3 Features 1-14 Power over Ethernet Features 1-15 Monitoring Features 1-15 1-8 Default Settings After I
Contents Understanding no and default Forms of Commands Understanding CLI Error Messages Using Configuration Logging 2-4 2-4 2-4 Using Command History 2-5 Changing the Command History Buffer Size 2-5 Recalling Commands 2-6 Disabling the Command History Feature 2-6 Using Editing Features 2-6 Enabling and Disabling Editing Features 2-6 Editing Commands through Keystrokes 2-7 Editing Command Lines that Wrap 2-8 Searching and Filtering Output of show and more Commands 2-9 Accessing the CLI 2-9 Accessing
Contents Modifying the Startup Configuration 3-16 Default Boot Configuration 3-17 Automatically Downloading a Configuration File 3-17 Specifying the Filename to Read and Write the System Configuration Booting Manually 3-18 Booting a Specific Software Image 3-19 Controlling Environment Variables 3-20 3-17 Scheduling a Reload of the Software Image 3-22 Configuring a Scheduled Reload 3-22 Displaying Scheduled Reload Information 3-23 CHAPTER 4 Configuring Cisco IOS Configuration Engine 4-1 Understanding
Contents Stack Member Priority Values 5-8 Switch Stack Offline Configuration 5-8 Effects of Adding a Provisioned Switch to a Switch Stack 5-9 Effects of Replacing a Provisioned Switch in a Switch Stack 5-10 Effects of Removing a Provisioned Switch from a Switch Stack 5-10 Hardware Compatibility and SDM Mismatch Mode in Switch Stacks 5-10 Switch Stack Software Compatibility Recommendations 5-11 Stack Protocol Version Compatibility 5-11 Major Version Number Incompatibility Among Switches 5-11 Minor Version N
Contents Hardware Loopback Example: LINK OK event 5-30 Hardware Loop Example: LINK NOT OK Event 5-31 Finding a Disconnected Stack Cable 5-32 Fixing a Bad Connection Between Stack Ports 5-33 CHAPTER 6 Clustering Switches 6-1 Understanding Switch Clusters 6-2 Cluster Command Switch Characteristics 6-3 Standby Cluster Command Switch Characteristics 6-3 Candidate Switch and Cluster Member Switch Characteristics 6-4 Planning a Switch Cluster 6-4 Automatic Discovery of Cluster Candidates and Members 6-5 D
Contents Configuring NTP 7-4 Default NTP Configuration 7-4 Configuring NTP Authentication 7-4 Configuring NTP Associations 7-5 Configuring NTP Broadcast Service 7-6 Configuring NTP Access Restrictions 7-8 Configuring the Source IP Address for NTP Packets 7-10 Displaying the NTP Configuration 7-11 Configuring Time and Date Manually 7-11 Setting the System Clock 7-11 Displaying the Time and Date Configuration 7-12 Configuring the Time Zone 7-12 Configuring Summer Time (Daylight Saving Time) 7-13 Configuring
Contents CHAPTER 8 Configuring SDM Templates 8-1 Understanding the SDM Templates 8-1 Dual IPv4 and IPv6 SDM Templates 8-2 SDM Templates and Switch Stacks 8-3 Configuring the Switch SDM Template 8-4 Default SDM Template 8-4 SDM Template Configuration Guidelines Setting the SDM Template 8-5 Displaying the SDM Templates CHAPTER 9 8-4 8-6 Configuring Catalyst 3750-X StackPower 9-1 Understanding StackPower 9-1 StackPower Modes 9-2 Power Priority 9-3 Load Shedding 9-3 Immediate Load Shedding Example
Contents Default TACACS+ Configuration 10-13 Identifying the TACACS+ Server Host and Setting the Authentication Key 10-13 Configuring TACACS+ Login Authentication 10-14 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Starting TACACS+ Accounting 10-17 Displaying the TACACS+ Configuration 10-17 10-16 Controlling Switch Access with RADIUS 10-17 Understanding RADIUS 10-18 RADIUS Operation 10-19 RADIUS Change of Authorization 10-19 Change-of-Authorization Requests 10-20 CoA R
Contents Configuring SSH 10-46 Configuration Guidelines 10-46 Setting Up the Switch to Run SSH 10-46 Configuring the SSH Server 10-47 Displaying the SSH Configuration and Status 10-48 Configuring the Switch for Secure Socket Layer HTTP 10-49 Understanding Secure HTTP Servers and Clients 10-49 Certificate Authority Trustpoints 10-49 CipherSuites 10-51 Configuring Secure HTTP Servers and Clients 10-51 Default SSL Configuration 10-51 SSL Configuration Guidelines 10-52 Configuring a CA Trustpoint 10-52 Configu
Contents 802.1x Authentication with Downloadable ACLs and Redirect URLs 11-17 Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL 11-17 Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs 11-18 VLAN ID-based MAC Authentication 11-18 802.1x Authentication with Guest VLAN 11-19 802.1x Authentication with Restricted VLAN 11-20 802.
Contents Configuring 802.1x Violation Modes 11-41 Configuring 802.
Contents Session Creation 12-3 Authentication Process 12-3 Local Web Authentication Banner 12-4 Web Authentication Customizable Web Pages 12-6 Guidelines 12-6 Web-based Authentication Interactions with Other Features Port Security 12-7 LAN Port IP 12-8 Gateway IP 12-8 ACLs 12-8 Context-Based Access Control 12-8 802.
Contents EtherChannel Port Groups 13-6 10-Gigabit Ethernet Interfaces 13-7 Power over Ethernet Ports 13-7 Supported Protocols and Standards 13-7 Powered-Device Detection and Initial Power Allocation Power Management Modes 13-9 Power Monitoring and Power Policing 13-10 Connecting Interfaces 13-12 13-8 Using the Switch USB Ports 13-13 USB Mini-Type B Console Port 13-13 Console Port Change Logs 13-13 Configuring the Console Media Type 13-14 Configuring the USB Inactivity Timeout 13-15 USB Type A Port 13-16
Contents Monitoring and Maintaining the Interfaces 13-45 Monitoring Interface Status 13-45 Clearing and Resetting Interfaces and Counters 13-46 Shutting Down and Restarting the Interface 13-47 CHAPTER 14 Configuring Auto Smartports Macros 14-1 Understanding Auto Smartports and Static Smartports Macros Auto Smartports and Cisco Medianet 14-2 14-1 Configuring Auto Smartports 14-3 Default Auto Smartports Configuration 14-3 Auto Smartports Configuration Guidelines 14-4 Enabling Auto Smartports 14-5 Conf
Contents Configuring Extended-Range VLANs 15-10 Default VLAN Configuration 15-10 Extended-Range VLAN Configuration Guidelines 15-10 Creating an Extended-Range VLAN 15-11 Creating an Extended-Range VLAN with an Internal VLAN ID Displaying VLANs 15-13 15-14 Configuring VLAN Trunks 15-14 Trunking Overview 15-14 Encapsulation Types 15-16 IEEE 802.
Contents VTP Advertisements 16-4 VTP Version 2 16-4 VTP Version 3 16-5 VTP Pruning 16-6 VTP and Switch Stacks 16-7 Configuring VTP 16-8 Default VTP Configuration 16-8 VTP Configuration Guidelines 16-9 Domain Names 16-9 Passwords 16-9 VTP Version 16-10 Configuration Requirements 16-11 Configuring VTP Mode 16-11 Configuring a VTP Version 3 Password 16-13 Configuring a VTP Version 3 Primary Server 16-14 Enabling the VTP Version 16-14 Enabling VTP Pruning 16-15 Configuring VTP on a Per-Port Basis 16-16 Adding
Contents Private-VLAN Interaction with Other Features 18-4 Private VLANs and Unicast, Broadcast, and Multicast Traffic Private VLANs and SVIs 18-5 Private VLANs and Switch Stacks 18-5 18-4 Configuring Private VLANs 18-5 Tasks for Configuring Private VLANs 18-6 Default Private-VLAN Configuration 18-6 Private-VLAN Configuration Guidelines 18-6 Secondary and Primary VLAN Configuration 18-6 Private-VLAN Port Configuration 18-8 Limitations with Other Features 18-8 Configuring and Associating VLANs in a Privat
Contents Spanning-Tree Topology and BPDUs 20-3 Bridge ID, Switch Priority, and Extended System ID 20-4 Spanning-Tree Interface States 20-5 Blocking State 20-6 Listening State 20-7 Learning State 20-7 Forwarding State 20-7 Disabled State 20-7 How a Switch or Port Becomes the Root Switch or Root Port 20-8 Spanning Tree and Redundant Connectivity 20-8 Spanning-Tree Address Management 20-8 Accelerated Aging to Retain Connectivity 20-9 Spanning-Tree Modes and Protocols 20-9 Supported Spanning-Tree Instances 20-
Contents CHAPTER 21 Configuring MSTP 21-1 Understanding MSTP 21-2 Multiple Spanning-Tree Regions 21-2 IST, CIST, and CST 21-2 Operations Within an MST Region 21-3 Operations Between MST Regions 21-3 IEEE 802.1s Terminology 21-5 Hop Count 21-5 Boundary Ports 21-6 IEEE 802.1s Implementation 21-6 Port Role Naming Change 21-6 Interoperation Between Legacy and Standard Switches Detecting Unidirectional Link Failure 21-7 MSTP and Switch Stacks 21-8 Interoperability with IEEE 802.
Contents CHAPTER 22 Configuring Optional Spanning-Tree Features 22-1 Understanding Optional Spanning-Tree Features 22-1 Understanding Port Fast 22-2 Understanding BPDU Guard 22-2 Understanding BPDU Filtering 22-3 Understanding UplinkFast 22-3 Understanding Cross-Stack UplinkFast 22-5 How CSUF Works 22-6 Events that Cause Fast Convergence 22-7 Understanding BackboneFast 22-7 Understanding EtherChannel Guard 22-10 Understanding Root Guard 22-10 Understanding Loop Guard 22-11 Configuring Optional Spanning
Contents Configuring Flex Links 23-8 Configuring VLAN Load Balancing on Flex Links 23-10 Configuring the MAC Address-Table Move Update Feature 23-12 Monitoring Flex Links and the MAC Address-Table Move Update CHAPTER 24 Configuring DHCP Features and IP Source Guard 23-14 24-1 Understanding DHCP Features 24-1 DHCP Server 24-2 DHCP Relay Agent 24-2 DHCP Snooping 24-2 Option-82 Data Insertion 24-3 Cisco IOS DHCP Server Database 24-6 DHCP Snooping Binding Database 24-6 DHCP Snooping and Switch Stacks 2
Contents Configuring DHCP Server Port-Based Address Allocation 24-26 Default Port-Based Address Allocation Configuration 24-26 Port-Based Address Allocation Configuration Guidelines 24-26 Enabling DHCP Server Port-Based Address Allocation 24-27 Displaying DHCP Server Port-Based Address Allocation CHAPTER 25 Configuring Dynamic ARP Inspection 24-29 25-1 Understanding Dynamic ARP Inspection 25-1 Interface Trust States and Network Security 25-3 Rate Limiting of ARP Packets 25-4 Relative Priority of ARP
Contents Configuring TCN-Related Commands 26-11 Controlling the Multicast Flooding Time After a TCN Event Recovering from Flood Mode 26-12 Disabling Multicast Flooding During a TCN Event 26-12 Configuring the IGMP Snooping Querier 26-13 Disabling IGMP Report Suppression 26-14 Displaying IGMP Snooping Information 26-15 Understanding Multicast VLAN Registration 26-16 Using MVR in a Multicast Television Application Configuring MVR 26-19 Default MVR Configuration 26-19 MVR Configuration Guidelines and Limita
Contents Enabling MLD Immediate Leave 27-9 Configuring MLD Snooping Queries 27-10 Disabling MLD Listener Message Suppression CHAPTER 28 Displaying MLD Snooping Information 27-12 Configuring Port-Based Traffic Control 28-1 27-11 Configuring Storm Control 28-1 Understanding Storm Control 28-1 Default Storm Control Configuration 28-3 Configuring Storm Control and Threshold Levels Configuring Small-Frame Arrival Rate 28-5 28-3 Configuring Protected Ports 28-6 Default Protected Port Configuration 28-6
Contents CHAPTER 30 Configuring LLDP, LLDP-MED, and Wired Location Service 30-1 Understanding LLDP, LLDP-MED, and Wired Location Service LLDP 30-1 LLDP-MED 30-2 Wired Location Service 30-3 30-1 Configuring LLDP, LLDP-MED, and Wired Location Service Default LLDP Configuration 30-5 Configuration Guidelines 30-5 Enabling LLDP 30-6 Configuring LLDP Characteristics 30-6 Configuring LLDP-MED TLVs 30-7 Configuring Network-Policy TLV 30-8 Configuring Location TLV and Wired Location Service 30-5 30-9 Monit
Contents SPAN and RSPAN Interaction with Other Features SPAN and RSPAN and Switch Stacks 32-10 Understanding Flow-Based SPAN 32-9 32-11 Configuring SPAN and RSPAN 32-12 Default SPAN and RSPAN Configuration 32-12 Configuring Local SPAN 32-12 SPAN Configuration Guidelines 32-12 Creating a Local SPAN Session 32-13 Creating a Local SPAN Session and Configuring Incoming Traffic 32-15 Specifying VLANs to Filter 32-16 Configuring RSPAN 32-17 RSPAN Configuration Guidelines 32-17 Configuring a VLAN as an RSPAN V
Contents Setting the Message Display Destination Device 34-5 Synchronizing Log Messages 34-6 Enabling and Disabling Time Stamps on Log Messages 34-8 Enabling and Disabling Sequence Numbers in Log Messages 34-8 Defining the Message Severity Level 34-9 Limiting Syslog Messages Sent to the History Table and to SNMP 34-10 Enabling the Configuration-Change Logger 34-11 Configuring UNIX Syslog Servers 34-12 Logging Messages to a UNIX Syslog Daemon 34-12 Configuring the UNIX System Logging Facility 34-13 Displayi
Contents Embedded Event Manager Environment Variables EEM 3.
Contents Configuring VLAN Maps 37-31 VLAN Map Configuration Guidelines 37-31 Creating a VLAN Map 37-32 Examples of ACLs and VLAN Maps 37-33 Applying a VLAN Map to a VLAN 37-35 Using VLAN Maps in Your Network 37-35 Wiring Closet Configuration 37-35 Denying Access to a Server on Another a VLAN 37-36 Using VLAN Maps with Router ACLs 37-37 VLAN Maps and Router ACL Configuration Guidelines 37-38 Examples of Router ACLs and VLAN Maps Applied to VLANs 37-39 ACLs and Switched Packets 37-39 ACLs and Bridged Packe
Contents Queueing and Scheduling Overview 39-14 Weighted Tail Drop 39-15 SRR Shaping and Sharing 39-15 Queueing and Scheduling on Ingress Queues 39-16 Queueing and Scheduling on Egress Queues 39-19 Packet Modification 39-22 Configuring Auto-QoS 39-23 Generated Auto-QoS Configuration 39-24 Effects of Auto-QoS on the Configuration 39-28 Auto-QoS Configuration Guidelines 39-28 Enabling Auto-QoS for VoIP 39-29 Auto-QoS Configuration Example 39-30 Displaying Auto-QoS Information 39-33 Configuring Standard QoS
Contents Configuring DSCP Maps 39-70 Configuring the CoS-to-DSCP Map 39-71 Configuring the IP-Precedence-to-DSCP Map 39-72 Configuring the Policed-DSCP Map 39-73 Configuring the DSCP-to-CoS Map 39-74 Configuring the DSCP-to-DSCP-Mutation Map 39-75 Configuring Ingress Queue Characteristics 39-76 Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds 39-77 Allocating Buffer Space Between the Ingress Queues 39-78 Allocating Bandwidth Between the Ingress Queues 39-78 Configuring the Ingress
Contents Configuring Layer 3 EtherChannels 40-15 Creating Port-Channel Logical Interfaces 40-15 Configuring the Physical Interfaces 40-16 Configuring EtherChannel Load-Balancing 40-18 Configuring the PAgP Learn Method and Priority 40-19 Configuring LACP Hot-Standby Ports 40-20 Configuring the LACP System Priority 40-21 Configuring the LACP Port Priority 40-22 Displaying EtherChannel, PAgP, and LACP Status Understanding Link-State Tracking 40-22 40-23 Configuring Link-State Tracking 40-25 Default Link-St
Contents Routing Assistance When IP Routing is Disabled 42-12 Proxy ARP 42-12 Default Gateway 42-12 ICMP Router Discovery Protocol (IRDP) 42-13 Configuring Broadcast Packet Handling 42-14 Enabling Directed Broadcast-to-Physical Broadcast Translation Forwarding UDP Broadcast Packets and Protocols 42-16 Establishing an IP Broadcast Address 42-17 Flooding IP Broadcasts 42-17 Monitoring and Maintaining IP Addressing 42-18 Enabling IP Unicast Routing 42-15 42-19 Configuring RIP 42-20 Default RIP Configuratio
Contents Managing Routing Policy Changes 42-50 Configuring BGP Decision Attributes 42-52 Configuring BGP Filtering with Route Maps 42-54 Configuring BGP Filtering by Neighbor 42-54 Configuring Prefix Lists for BGP Filtering 42-56 Configuring BGP Community Filtering 42-57 Configuring BGP Neighbors and Peer Groups 42-58 Configuring Aggregate Addresses 42-60 Configuring Routing Domain Confederations 42-61 Configuring BGP Route Reflectors 42-61 Configuring Route Dampening 42-62 Monitoring and Maintaining BGP 4
Contents Configuring Unicast Reverse Path Forwarding 42-89 Configuring Protocol-Independent Features 42-89 Configuring Distributed Cisco Express Forwarding 42-89 Configuring the Number of Equal-Cost Routing Paths 42-91 Configuring Static Unicast Routes 42-92 Specifying Default Routes and Networks 42-93 Using Route Maps to Redistribute Routing Information 42-93 Configuring Policy-Based Routing 42-97 PBR Configuration Guidelines 42-98 Enabling PBR 42-99 Filtering Routing Information 42-100 Setting Passive
Contents Unsupported IPv6 Unicast Routing Features Limitations 43-9 IPv6 and Switch Stacks 43-9 43-8 Configuring IPv6 43-10 Default IPv6 Configuration 43-11 Configuring IPv6 Addressing and Enabling IPv6 Routing 43-11 Configuring Default Router Preference 43-13 Configuring IPv4 and IPv6 Protocol Stacks 43-14 Configuring DHCP for IPv6 Address Assignment 43-15 Default DHCPv6 Address Assignment Configuration 43-15 DHCPv6 Address Assignment Configuration Guidelines 43-15 Enabling DHCPv6 Server Function 43-16
Contents CHAPTER 45 Configuring Cisco IOS IP SLAs Operations 45-1 Understanding Cisco IOS IP SLAs 45-1 Using Cisco IOS IP SLAs to Measure Network Performance IP SLAs Responder and IP SLAs Control Protocol 45-4 Response Time Computation for IP SLAs 45-4 IP SLAs Operation Scheduling 45-5 IP SLAs Operation Threshold Monitoring 45-5 45-3 Configuring IP SLAs Operations 45-6 Default Configuration 45-6 Configuration Guidelines 45-6 Configuring the IP SLAs Responder 45-7 Analyzing IP Service Levels by Using
Contents WCCP and Switch Stacks 47-4 Unsupported WCCP Features 47-5 Configuring WCCP 47-5 Default WCCP Configuration 47-5 WCCP Configuration Guidelines 47-5 Enabling the Web Cache Service 47-6 Monitoring and Maintaining WCCP CHAPTER 48 Configuring IP Multicast Routing 47-10 48-1 Understanding Cisco’s Implementation of IP Multicast Routing Understanding IGMP 48-3 IGMP Version 1 48-3 IGMP Version 2 48-3 Understanding PIM 48-4 PIM Versions 48-4 PIM Modes 48-4 PIM Stub Routing 48-5 IGMP Helper 48-6 Auto-
Contents Configuring Source Specific Multicast Mapping 48-17 SSM Mapping Configuration Guidelines and Restrictions 48-17 SSM Mapping Overview 48-18 Configuring SSM Mapping 48-20 Monitoring SSM Mapping 48-22 Configuring PIM Stub Routing 48-22 PIM Stub Routing Configuration Guidelines 48-22 Enabling PIM Stub Routing 48-23 Configuring a Rendezvous Point 48-24 Manually Assigning an RP to Multicast Groups 48-24 Configuring Auto-RP 48-26 Configuring PIMv2 BSR 48-30 Using Auto-RP and a BSR 48-34 Monitoring the RP
Contents Configuring Advanced DVMRP Interoperability Features 48-54 Enabling DVMRP Unicast Routing 48-54 Rejecting a DVMRP Nonpruning Neighbor 48-55 Controlling Route Exchanges 48-58 Limiting the Number of DVMRP Routes Advertised 48-58 Changing the DVMRP Route Threshold 48-58 Configuring a DVMRP Summary Address 48-59 Disabling DVMRP Autosummarization 48-61 Adding a Metric Offset to the DVMRP Route 48-61 Monitoring and Maintaining IP Multicast Routing 48-62 Clearing Caches, Tables, and Databases 48-62 Displ
Contents CHAPTER 50 Configuring Fallback Bridging 50-1 Understanding Fallback Bridging 50-1 Fallback Bridging Overview 50-1 Fallback Bridging and Switch Stacks 50-3 Configuring Fallback Bridging 50-3 Default Fallback Bridging Configuration 50-3 Fallback Bridging Configuration Guidelines 50-4 Creating a Bridge Group 50-4 Adjusting Spanning-Tree Parameters 50-5 Changing the VLAN-Bridge Spanning-Tree Priority 50-6 Changing the Interface Priority 50-6 Assigning a Path Cost 50-7 Adjusting BPDU Intervals 5
Contents Using Layer 2 Traceroute 51-16 Understanding Layer 2 Traceroute 51-16 Usage Guidelines 51-17 Displaying the Physical Path 51-17 Using IP Traceroute 51-18 Understanding IP Traceroute 51-18 Executing IP Traceroute 51-18 Using TDR 51-19 Understanding TDR 51-19 Running TDR and Displaying the Results 51-20 Using Debug Commands 51-20 Enabling Debugging on a Specific Feature 51-21 Enabling All-System Diagnostics 51-21 Redirecting Debug and Error Message Output 51-22 Using the show platform forward Comm
Contents APPENDIX A Supported MIBs MIB List A-1 A-1 Using FTP to Access the MIB Files APPENDIX B A-4 Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System B-1 Displaying Available File Systems B-2 Setting the Default File System B-3 Displaying Information about Files on a File System B-3 Changing Directories and Displaying the Working Directory Creating and Removing Directories B-5 Copying Files B-5 Deleting Files B-6 Creating, Displayi
Contents Working with Software Images B-25 Image Location on the Switch B-26 File Format of Images on a Server or Cisco.
Contents Fallback Bridging C-4 Unsupported Privileged EXEC Commands C-4 Unsupported Global Configuration Commands C-4 Unsupported Interface Configuration Commands C-5 HSRP C-5 Unsupported Global Configuration Commands C-5 Unsupported Interface Configuration Commands C-6 IGMP Snooping Commands C-6 Unsupported Global Configuration Commands C-6 Interface Commands C-6 Unsupported Privileged EXEC Commands C-6 Unsupported Global Configuration Commands C-6 Unsupported Interface Configuration Commands C-6 IP Mul
Contents QoS C-12 Unsupported Global Configuration Command C-12 Unsupported Interface Configuration Commands C-12 Unsupported Policy-Map Configuration Command C-12 RADIUS C-12 Unsupported Global Configuration Commands C-12 SNMP C-13 Unsupported Global Configuration Commands C-13 Spanning Tree C-13 Unsupported Global Configuration Command C-13 Unsupported Interface Configuration Command C-13 VLAN C-13 Unsupported Global Configuration Command Unsupported User EXEC Commands C-13 VTP C-13 C-14 Unsuppo
Preface

Audience
This guide is for the networking professional managing the standalone Catalyst 3750-X or 3560-X switch or the Catalyst 3750-X switch stack, referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.

Purpose
This guide provides procedures for using the commands that have been created or changed for use with the Catalyst 3750-X or 3560-X switches.
• Square brackets ([ ]) mean optional elements.
• Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
• Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.
Interactive examples use these conventions:
• Terminal sessions and system displays are in screen font.
• Information you enter is in boldface screen font.
• Cisco IOS Software Installation Document
• Catalyst 3750-X and 3560-X Switch Getting Started Guide
• Catalyst 3750-X and 3560-X Switch Hardware Installation Guide
• Regulatory Compliance and Safety Information for the Catalyst 3750-X and 3560-X Switch
• Installation Notes for the Catalyst 3750-X, Catalyst 3560-X Switch Power Supply Modules
• Installation Notes for the Catalyst 3750-X and 3560-X Switch Fan Module
• Installation Notes for the Catalyst 3750-X and 3560-X Switch Network M
Preface Catalyst 3750-X and 3560-X Switch Software Configuration Guide lii OL-21521-01
CHAPTER 1 Overview

This chapter provides these topics about the Catalyst 3750-X and 3560-X switch software:
• Features, page 1-1
• Default Settings After Initial Switch Configuration, page 1-16
• Network Configuration Examples, page 1-19
• Where to Go Next, page 1-33
The term switch refers to a standalone switch and to a switch stack. In this document, IP refers to IP Version 4 (IPv4) unless there is a specific reference to IP Version 6 (IPv6).
Features

• IP services feature set, which provides a richer set of enterprise-class intelligent services and full IPv6 support. It includes all IP base features plus full Layer 3 routing (IP unicast routing, IP multicast routing, and fallback bridging). The IP services feature set includes protocols such as the Enhanced Interior Gateway Routing Protocol (EIGRP) and the Open Shortest Path First (OSPF) protocol.
– Interactive guide mode that guides you in configuring complex features such as VLANs, ACLs, and quality of service (QoS).
– Configuration wizards that prompt you to provide only the minimum required information to configure complex features such as QoS priorities for video traffic, priority levels for data applications, and security.
– Downloading an image to a switch.
• Smart Install to allow a single point of management (director) in a network. You can use Smart Install to provide zero-touch image and configuration upgrade of newly deployed switches and image and configuration downloads for any client switches. For more information, see the Cisco Smart Install Configuration Guide on Cisco.com.
• IGMP snooping querier support to configure the switch to generate periodic IGMP General Query messages
• IGMP Helper to allow the switch to forward a host request to join a multicast stream to a specific IP destination address
• Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP Version 6 (IPv6) multicast data to clients and routers in a switched network.
station or PC. You can manage the switch stack by connecting to the console port or Ethernet management port of any stack member. For more information about the CLI, see Chapter 2, “Using the Command-Line Interface.”
• SNMP—SNMP management applications such as CiscoWorks2000 LAN Management Suite (LMS) and HP OpenView. You can manage from an SNMP-compatible management station or a PC that is running platforms such as HP OpenView or SunNet Manager.
• Configuration logging to log and to view changes to the switch configuration
• Configuration replacement and rollback to replace the running configuration on a switch with any saved Cisco IOS configuration file
• Unique device identifier to provide product identification information through a show inventory user EXEC command display
• In-band management access through the device manager over a Netscape Navigator or Microsoft Internet Explorer browser session
• In-ban
• USB Type A port for external Cisco USB flash memory devices (thumb drives or USB keys). You can use standard Cisco CLI commands to read, write, erase, copy, or boot from the flash memory.
For additional descriptions of the management interfaces, see the “Network Configuration Examples” section on page 1-19.
• Flex Link Layer 2 interfaces to back up one another as an alternative to STP for basic link redundancy
• Link-state tracking to mirror the state of the ports that carry upstream traffic from connected hosts and servers and to allow the failover of the server traffic to an operational link on another Cisco Ethernet switch
• StackPower redundancy option.
• Password-protected access (read-only and read-write access) to management interfaces (device manager, Network Assistant, and the CLI) for protection against unauthorized configuration changes
• Multilevel security for a choice of security level, notification, and resulting actions
• Static MAC addressing to bind a known MAC address to a port; static entries are not aged out and are not relearned dynamically on another port
• Protected port option for restricting the forwarding of traffic to designated ports on the same switch
• Port security option for limiting a
– IP phone detection enhancement to detect and recognize a Cisco IP phone
– Guest VLAN to provide limited services to non-IEEE 802.1x-compliant users
– Restricted VLAN to provide limited services to users who are IEEE 802.1x compliant, but do not have the credentials to authenticate via the standard IEEE 802.1x processes
– IEEE 802.1x accounting to track network usage
– IEEE 802.
• IEEE 802.1x readiness check to determine the readiness of connected end hosts before configuring IEEE 802.1x on the switch
• Support for IP source guard on static hosts
• RADIUS Change of Authorization (CoA) to change the attributes of a certain session after it is authenticated.
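The following configuration is an added example, not taken from this guide, that applies several of the security features listed above to a single Catalyst 3750-X access switch: password-protected, SSH-only management access; port security, a protected port and a static MAC entry on user-facing access ports; and IEEE 802.1x with a guest VLAN for hosts without a supplicant and a restricted VLAN for hosts that fail authentication. The hostname, interface names, VLAN IDs, RADIUS server address and key, MAC address and all secrets are placeholder values chosen for the example.

```ios
! Added example; all names, addresses, VLAN IDs and secrets are placeholders.
! Lines beginning with "!" are comments. "crypto key generate rsa" is entered
! in global configuration mode like the rest.
!
! --- Password-protected, SSH-only management access ---
hostname ACCESS-1
ip domain-name example.com
enable secret Enable-Secret-Placeholder
username netadmin privilege 15 secret User-Secret-Placeholder
service password-encryption
! aaa new-model is required for 802.1x below; once it is set, console and
! vty logins use the default login method (the local user database here).
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key Radius-Key-Placeholder
dot1x system-auth-control
! The RSA key pair must exist before the SSH server starts
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
 transport input ssh
!
! --- Port security plus protected port on a user-facing access port ---
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 20
 switchport protected
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Static MAC entry: a printer's address (placeholder) is pinned to
! Gi1/0/11; the entry is neither aged out nor relearned on another port ---
mac address-table static 0011.2233.4455 vlan 20 interface GigabitEthernet1/0/11
!
! --- IEEE 802.1x with guest VLAN 900 (no supplicant response) and
! restricted VLAN 901 (authentication failed) ---
interface GigabitEthernet1/0/12
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication event no-response action authorize vlan 900
 authentication event fail action authorize vlan 901
 dot1x pae authenticator
!
! --- Verification ---
show port-security interface GigabitEthernet1/0/10
show mac address-table static vlan 20
show authentication sessions interface GigabitEthernet1/0/12
show ip ssh
```

Two caveats worth checking before copying this pattern: sticky MAC addresses are learned into the running configuration and survive a reboot only after the configuration is saved, and `violation restrict` drops offending frames and logs them while leaving the port up, whereas the default `shutdown` mode err-disables the port and needs manual or errdisable-recovery intervention.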
• Classification
– IP type-of-service/Differentiated Services Code Point (IP ToS/DSCP) and IEEE 802.1p CoS marking priorities on a per-port basis for protecting the performance of mission-critical applications
– IP ToS/DSCP and IEEE 802.
Layer 3 Features

Note: Features in this section are not supported on switches running the LAN base feature set. Some features noted are available only in the IP services feature set.

• IPv6 default router preference (DRP) for improving the ability of a host to select an appropriate router
• Support for EIGRP IPv6, which utilizes IPv6 transport, communicates with IPv6 peers, and advertises IPv6 routes
• IP unicast reverse path forwarding (unicast RPF) to verify that a packet's source IP address has a matching return route before the packet is forwarded, so that traffic with a spoofed source address is discarded.
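The following is an added example, not from this guide, showing the three Layer 3 features above on one routed VLAN interface of a Catalyst 3750-X: a strict unicast RPF check on the user-facing SVI, an IPv6 default router preference advertised to hosts, and EIGRP for IPv6 on the same interface. It assumes the IP services feature set (EIGRP for IPv6 requires it) and a dual IPv4/IPv6 SDM template; the VLAN number, addresses and EIGRP autonomous-system number are placeholders.

```ios
! Added example; VLAN numbers, addresses and the EIGRP AS number are placeholders.
! IPv6 routing needs a dual IPv4-and-IPv6 SDM template, which takes effect
! only after a reload.
sdm prefer dual-ipv4-and-ipv6 routing
! (save and reload here)
!
ip routing
ipv6 unicast-routing
!
! Unicast RPF on the user-facing SVI: a packet is forwarded only if the route
! back to its source address points out this same interface (strict check),
! so a host on VLAN 30 sending packets with a source address from another
! subnet has them dropped. allow-default lets a default route satisfy the
! check; leave it out if a source matched only by 0.0.0.0/0 should be dropped.
interface Vlan30
 ip address 10.30.0.1 255.255.255.0
 ip verify unicast source reachable-via rx allow-default
 ipv6 address 2001:db8:30::1/64
 ! Hosts that hear router advertisements from more than one router prefer
 ! this one as default router (high preference)
 ipv6 nd router-preference high
 ipv6 eigrp 100
!
ipv6 router eigrp 100
 router-id 10.30.0.1
 no shutdown
!
! Verification
show ip interface Vlan30 | include verify
show ipv6 interface Vlan30 | include preference
show ipv6 eigrp neighbors
```

Strict RPF belongs on interfaces with a single, symmetric path to the hosts behind them (access SVIs as here); on interfaces where return traffic may legitimately arrive by a different path, a strict check drops valid packets.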
• Four groups (history, statistics, alarms, and events) of embedded RMON agents for network monitoring and traffic analysis
• Syslog facility for logging system messages about authentication or authorization errors, resource issues, and time-out events
• Layer 2 traceroute to identify the physical path that a packet takes from a source device to a destination device
• Time Domain Reflector (TDR) to diagnose and resolve cabling
Default Settings After Initial Switch Configuration

• Default domain name is not configured. For more information, see Chapter 3, “Assigning the Switch IP Address and Default Gateway.”
• DHCP client is enabled; the DHCP server is enabled only if the device acting as a DHCP server is configured and enabled; and the DHCP relay agent is enabled only if the device acting as a DHCP relay agent is configured and enabled.
– VTP version is Version 1. For more information, see Chapter 16, “Configuring VTP.”
– No private VLANs are configured. For more information, see Chapter 18, “Configuring Private VLANs.”
– Voice VLAN is disabled. For more information, see Chapter 17, “Configuring Voice VLAN.”
• IEEE 802.1Q tunneling and Layer 2 protocol tunneling are disabled. For more information, see Chapter 19, “Configuring IEEE 802.
• No ACLs are configured. For more information, see Chapter 37, “Configuring Network Security with ACLs.”
• QoS is disabled. For more information, see Chapter 39, “Configuring QoS.”
• No EtherChannels are configured. For more information, see Chapter 40, “Configuring EtherChannels and Link-State Tracking.”
• IP unicast routing is disabled. For more information, see Chapter 42, “Configuring IP Unicast Routing.”
• No HSRP groups are configured.
Network Configuration Examples

Table 1-1 Increasing Network Performance
Network demands:
• Too many users on a single network segment and a growing number of users accessing the Internet
• Increased power of new PCs, workstations, and servers
• High bandwidth demand from networked applications (such as e-mail with large attached files) and from bandwidth-intensive applications (such as multimedia)
Suggested design methods:
• Create smaller network segments so that fewer users shar

Table 1-2 Providing Network Services (continued)
Network demand: An evolving demand for IP telephony
Suggested design methods:
• Use QoS to prioritize applications such as IP telephony during congestion and to help control both delay and jitter within the network.
• Use switches that support at least two queues per port to prioritize voice and data traffic as either high- or low-priority, based on IEEE 802.1p/Q.
• High-performance wiring closet (Figure 1-2)—For high-speed access to network resources, you can use Catalyst 3750-X switches and switch stacks in the access layer to provide Gigabit Ethernet access to the desktop. To prevent congestion, use QoS DSCP marking priorities on these switches.
Figure 1-3 High-Performance Workgroup (Gigabit-to-the-Desktop) with Catalyst 3560-X Standalone Switches (figure: stacking-capable switches, access-layer standalone switches, WAN, Cisco 2600 router)
• Redundant Gigabit backbone (Figure 1-4)—Using HSRP, you can create backup paths between two Catalyst 3750-X Gigabit switches to enhance network reliability and load-balancing for different VLANs and subnets. Using HSRP also provides faster network convergence if any network failure occurs. You can connect the Catalyst switches, again in a star configuration, to two Catalyst 3750-X backbone switches.
Figure 1-5 Server Aggregation (figure: campus core Catalyst 6500 switches, Catalyst 4500 multilayer switches, StackWise Plus switch stacks, StackWise switch stacks, access-layer standalone switches, server racks)
Figure 1-6 Linux Server Cluster (figure: Linux cluster parallel-processing server farm, redundant SFP module uplinks, EtherChannel across uplinks, 32-Gbps ring, StackWise Plus switch stacks, campus core Catalyst 6500 switches, Catalyst 4500 multilayer switches, server racks)
Small to Medium-Sized Network Using Catalyst 3750-X and 3560-X Switches
Figure 1-
This network uses VLANs to logically segment the network into well-defined broadcast groups and for security management. Data and multimedia traffic are configured on the same VLAN. Voice traffic from the Cisco IP Phones is configured on separate VVIDs. If data, multimedia, and voice traffic are assigned to the same VLAN, only one VLAN can be configured per wiring closet.
Figure 1-8 Catalyst 3560-X Switches in a Collapsed Backbone Configuration (figure: Internet, Cisco 2600 or 3700 routers, Cisco IP phones, workstations running Cisco SoftPhone software, Aironet wireless access points, Gigabit servers, standalone switches)
Large Network Using Catalyst 3750-X and 3560-X Switches
Switches in the wiring closet have traditionally been only Layer 2 devices, but as network traffic profiles evolve, switches in the wiring cl
Figure 1-9 Catalyst 3750-X Switch Stacks in Wiring Closets in a Backbone Configuration (figure: WAN, Cisco 7x00 routers, Catalyst 6500 multilayer switches, mixed hardware stacks including the Catalyst 3750G Integrated Wireless LAN Controller, IEEE 802.3af-compliant powered device such as a web cam, Aironet wireless access points)
Figure 1-10 Catalyst 3560-X Switches in Wiring Closets in a Backbone Configuration (figure: WAN, Cisco 7x00 routers, Catalyst 6500 multilayer switches, standalone switches, IEEE 802.3af-compliant powered device such as a web cam, Aironet wireless access points)
Multidwelling Network Using Catalyst 3750-X Switches
A growing segment of residential and commercial customers requires high-speed access to Ethernet metropolitan-area networks (MANs). Figure 1-11 shows a configuration for a Gigabit Ethernet MAN ring using multilayer switch stacks as aggregation switches in the mini-point-of-presence (POP) location. These switches are connected through 1000BASE-X SFP module ports.
Figure 1-11 Catalyst 3750-X Switches in a MAN Configuration (figure: service provider POP with Cisco 12000 Gigabit switch routers and Catalyst 6500 switches, mini-POP StackWise Plus switch stack, Gigabit MAN, residential location with standalone switches, residential gateway (hub), set-top boxes, TVs, PC)
Long-Distance, High-Bandwidth Transport Configuration
Figure 1-12 shows a configuration for sending 8 Gigabits of data over a single fiber-
Figure 1-12 Long-Distance, High-Bandwidth Transport Configuration (figure: access layer Catalyst switches, aggregation layer Catalyst 4500 multilayer switches, CWDM OADM modules, eight 1-Gbps connections carried as 8 Gbps)
Where to Go Next
Before configuring the switch, review these sections for startup information:
• Chapter 2, “Using the Command-Line Interface”
• Chapter 3, “Assigning the Switch IP Address and Default Gateway”
Chapter 2 Using the Command-Line Interface
This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your standalone Catalyst 3750-X or 3560-X switch or a Catalyst 3750-X switch stack, referred to as the switch.
Understanding Command Modes
Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the hostname Switch.
Table 2-1 Command Mode Summary
Mode: User EXEC
Access Method: Begin a session with your switch.
Prompt: Switch>
Exit Method: Enter logout or quit.
About This Mode: Use this mode to
• Change terminal settings.
• Perform basic tests.
For more detailed information on the command modes, see the command reference guide for this release.
Understanding the Help System
You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 2-2.
Understanding no and default Forms of Commands
Almost every configuration command also has a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface.
command was entered, and the parser return code for the command. This feature includes a mechanism for asynchronous notification to registered applications whenever the configuration changes. You can choose to have the notifications sent to the syslog. For more information, see the “Configuration Change Notification and Logging” section of the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4 at this URL: http://www.
Recalling Commands
To recall commands from the history buffer, perform one of the actions listed in Table 2-4. These actions are optional.
Table 2-4 Recalling Commands
Action: Press Ctrl-P or the up arrow key. Result: Recall commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Action: Press Ctrl-N or the down arrow key.
To re-enable the enhanced editing mode for the current terminal session, enter this command in privileged EXEC mode:
Switch# terminal editing
To reconfigure a specific line to have enhanced editing mode, enter this command in line configuration mode:
Switch(config-line)# editing
Editing Commands through Keystrokes
Table 2-5 shows the keystrokes that you need to edit command lines. These keystrokes are optional.
Table 2-5 Editing Commands through Keystrokes (continued)
Keystroke: Press Esc L. Purpose: Change the word at the cursor to lowercase.
Keystroke: Press Esc U. Purpose: Capitalize letters from the cursor to the end of the word.
Keystroke: Press Ctrl-V or Esc Q. Purpose: Designate a particular keystroke as an executable command, perhaps as a shortcut.
Capability: Scroll down a line or screen on displays that are longer than the terminal screen can display.
After you complete the entry, press Ctrl-A to check the complete syntax before pressing the Return key to execute the command. The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right:
Switch(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1$
The software assumes you have a terminal screen that is 80 columns wide.
To debug a specific stack member, you can access it from the stack master by using the session stack-member-number privileged EXEC command. The stack member number is appended to the system prompt. For example, Switch-2# is the prompt in privileged EXEC mode for stack member 2, where the system prompt for the stack master is Switch. Only the show and debug commands are available in a CLI session to a specific stack member.
Chapter 3 Assigning the Switch IP Address and Default Gateway
This chapter describes how to create the initial switch configuration (for example, assigning the IP address and default gateway information) by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
The normal boot process involves the operation of the boot loader software and includes these activities:
• Performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, its quantity, its speed, and so forth.
• Performs power-on self-test (POST) for the CPU subsystem.
Note Stack members retain their IP address when you remove them from a switch stack. To avoid a conflict by having two devices with the same IP address in your network, change the IP address of the switch that you removed from the switch stack.
Use a DHCP server for centralized control and automatic assignment of IP information after the server is configured.
With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your switch. However, you need to configure the DHCP server for various lease options associated with IP addresses. If you are using DHCP to relay the configuration file location on the network, you might also need to configure a Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server.
The DHCP server sends the client a DHCPNAK denial broadcast message, which means that the offered configuration parameters have not been assigned, that an error has occurred during the negotiation of the parameters, or that the client has been slow in responding to the DHCPOFFER message (the DHCP server assigned the parameters to another client).
Note For procedures to configure the switch as a DHCP server, see the “Configuring DHCP Autoconfiguration (Only Configuration File)” section on page 3-11 and the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 at this URL: http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfdhcp.
DHCP Server Configuration Guidelines
Follow these guidelines if you are configuring a device as a DHCP server:
• You should configure the DHCP server with reserved leases that are bound to each switch by the switch hardware address.
For the switch to successfully download a configuration file, the TFTP server must contain one or more configuration files in its base directory. The files can include these files:
• The configuration file named in the DHCP reply (the actual switch configuration file).
• The network-confg or the cisconet.cfg file (known as the default configuration files).
• The router-confg or the ciscortr.
Figure 3-2 Relay Device Used in Autoconfiguration (figure: switch as DHCP client, Cisco router as relay, DHCP server, TFTP server, DNS server, with addresses in the 10.0.0.0 and 20.0.0.0 subnets)
Note The switch broadcasts TFTP server requests if the TFTP server is not obtained from the DHCP replies, if all attempts to read the configuration file through unicast transmissions fail, or if the TFTP server name cannot be resolved to an IP address.
Example Configuration
Figure 3-3 shows a sample network for retrieving IP information by using DHCP-based autoconfiguration.
TFTP Server Configuration (on UNIX)
The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method. This file contains the hostname to be assigned to the switch based on its IP address.
Step 4 network network-number mask prefix-length: Specify the subnet network number and mask of the DHCP address pool.
Note The prefix length specifies the number of bits that comprise the address prefix. The prefix is an alternative way of specifying the network mask of the client. The prefix length must be preceded by a forward slash (/).
Step 1 configure terminal: Enter global configuration mode.
Step 2 ip dhcp pool name: Create a name for the DHCP server address pool and enter DHCP pool configuration mode.
Step 3 bootfile filename: Specify the name of the file that is used as a boot image.
Step 4 network network-number mask prefix-length: Specify the subnet network number and mask of the DHCP address pool.
Configuring the Client
Beginning in privileged EXEC mode, follow these steps to configure a switch to download a configuration file and new image from a DHCP server:
Step 1 configure terminal: Enter global configuration mode.
Step 2 boot host dhcp: Enable autoconfiguration with a saved configuration.
Manually Assigning IP Information
Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs):
Note If the switch is running the IP services feature set, you can also manually assign IP information to a port if you first put the port into Layer 3 mode by using the no switchport interface configuration command.
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Stack1
!
enable secret 5 $1$ej9.$DMUvAUnZOAmvmgqBEzIxE0
!
.
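The running-config excerpt above contains two settings a reviewer would check: service password-encryption is turned off, and the enable secret is stored as a type 5 (salted MD5) hash. As an added example that is not part of the original guide, this Python script audits password storage in an IOS running-config; SAMPLE_CONFIG is constructed (its first lines mirror the excerpt, the remaining lines are placeholders), and the severity scale is the example's own.

```python
"""Audit password storage in a Cisco IOS running-config.

Added example, not code from the Cisco guide. SAMPLE_CONFIG is constructed:
its first lines mirror the guide's excerpt, the remaining lines are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str  # "info", "medium" or "high" (severity scale is this example's own)
    message: str


# Meaning of the numeric type that precedes a stored password in IOS.
# Type 5 (salted MD5) is what the guide's excerpt shows for enable secret;
# type 7 is a reversible obfuscation; type 0 (or no type) is cleartext.
PASSWORD_TYPES = {"0": "cleartext", "5": "salted MD5 hash", "7": "reversible type 7 obfuscation"}

# Constructed sample configuration (placeholder values, not real credentials).
SAMPLE_CONFIG = """\
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Stack1
!
enable secret 5 $1$ej9.$DMUvAUnZOAmvmgqBEzIxE0
enable password LegacyEnablePw
!
username admin password 7 0822455D0A16
username ops password 0 PlaintextPw
!
line vty 0 4
 password cisco
"""


def _stored_as(line_no: int, what: str, ptype: str) -> Finding:
    """Rate a 'password' line by the storage type it uses."""
    desc = PASSWORD_TYPES.get(ptype, f"type {ptype}")
    if ptype in ("0", "7"):
        return Finding(line_no, "high",
                       f"{what} is stored as {desc}; recoverable by anyone who can read the config")
    return Finding(line_no, "info", f"{what} is stored as {desc}")


def audit_running_config(config_text: str) -> list[Finding]:
    """Return findings for the given running-config text, sorted by line number."""
    findings: list[Finding] = []
    enable_secret_line = None
    enable_password_line = None
    for n, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if line == "no service password-encryption":
            findings.append(Finding(n, "medium",
                "service password-encryption is disabled: every 'password' line is "
                "stored and displayed in cleartext"))
        elif (m := re.fullmatch(r"enable secret (\d) \S+", line)):
            enable_secret_line = n
            findings.append(Finding(n, "info",
                f"enable secret stored as type {m[1]} ({PASSWORD_TYPES.get(m[1], 'unknown')})"))
        elif (m := re.fullmatch(r"enable password (?:(\d) )?\S+", line)):
            enable_password_line = n
            findings.append(_stored_as(n, "enable password", m[1] or "0"))
        elif (m := re.fullmatch(r"username (\S+) password (?:(\d) )?\S+", line)):
            findings.append(_stored_as(n, f"username {m[1]} password", m[2] or "0"))
        elif (m := re.fullmatch(r"password (?:(\d) )?\S+", line)):
            findings.append(_stored_as(n, "line password", m[1] or "0"))
    # 'enable secret' takes precedence over 'enable password' when both are set,
    # so a leftover 'enable password' is only a weaker copy of a privileged credential.
    if enable_password_line is not None:
        if enable_secret_line is not None:
            findings.append(Finding(enable_password_line, "medium",
                "'enable password' is redundant beside 'enable secret' and keeps a weaker "
                "copy of the privileged credential in the config"))
        else:
            findings.append(Finding(enable_password_line, "high",
                "privileged EXEC access is protected only by 'enable password'; use 'enable secret'"))
    return sorted(findings, key=lambda f: f.line_no)


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_running_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>3} [{f.severity}] {f.message}")
    print(summarize(audit_running_config(SAMPLE_CONFIG)))
```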
See also Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images,” for information about switch configuration files. See the “Switch Stack Configuration Files” section on page 5-15 for information about switch stack configuration files.
Default Boot Configuration
Table 3-3 shows the default boot configuration.
Step 3 end: Return to privileged EXEC mode.
Step 4 show boot: Verify your entries. The boot config-file global configuration command changes the setting of the CONFIG_FILE environment variable.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To return to the default setting, use the no boot config-file global configuration command.
Booting a Specific Software Image
By default, the switch attempts to automatically boot up the system using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system.
Controlling Environment Variables
With a normally operating switch, you enter the boot loader mode only through a switch console connection configured for 9600 b/s. Unplug the switch power cord, and press the switch Mode button while reconnecting the power cord. You can release the Mode button a second or two after the LED above port 1 turns off. Then the boot loader switch: prompt appears.
Table 3-4 Environment Variables (continued)
Variable: MANUAL_BOOT
Boot Loader Command: set MANUAL_BOOT yes
Cisco IOS Global Configuration Command: boot manual
Enables manually booting the switch during the next boot cycle and changes the setting of the MANUAL_BOOT environment variable. Valid values are 1, yes, 0, and no.
Scheduling a Reload of the Software Image
You can schedule a reload of the software image to occur on the switch at a later time (for example, late at night or during the weekend when the switch is used less), or you can synchronize a reload network-wide (for example, to perform a software upgrade on all switches in the network).
Note A scheduled reload must take place within approximately 24 days.
This example shows how to reload the software on the switch at a future time:
Switch# reload at 02:00 jun 20
Reload scheduled for 02:00:00 UTC Thu Jun 20 1996 (in 344 hours and 53 minutes)
Proceed with reload? [confirm]
To cancel a previously scheduled reload, use the reload cancel privileged EXEC command.
Chapter 4 Configuring Cisco IOS Configuration Engine
This chapter describes how to configure the Cisco IOS Configuration Engine feature on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Note For complete configuration information for the Cisco Configuration Engine, go to http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.
Figure 4-1 Configuration Engine Architectural Overview (figure: service provider network; configuration engine with data service directory, configuration server and event service; web-based user interface; order entry configuration management)
These sections contain this conceptual information:
• Configuration Service, page 4-2
• Event Service, page 4-3
• What You Should Know About the CNS IDs and Device Ho
Event Service
The Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine. The Event Service is a highly capable publish-and-subscribe communication method.
DeviceID
Each configured switch participating on the event bus has a unique DeviceID, which is analogous to the switch source address so that the switch can be targeted as a specific destination on the bus. All switches configured with the cns config partial global configuration command must access the event bus.
Understanding Cisco IOS Agents
The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent.
Incremental (Partial) Configuration
After the network is running, new services can be added by using the Cisco IOS agent. Incremental (partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation.
Table 4-1 Prerequisites for Enabling Automatic Configuration
Devices listed: Access switch, Distribution switch, DHCP server, TFTP server, CNS Configuration Engine.
Access switch: Factory default (no configuration file)
Distribution switch:
• IP helper address
• Enable DHCP relay agent
• IP routing (if used as default gateway)
DHCP server:
• IP address assignment
• TFTP server IP address
• Path to bootstrap configuration file on the TFTP
Enabling the CNS Event Agent
Note You must enable the CNS event agent on the switch before you enable the CNS configuration agent.
Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:
Step 1 configure terminal: Enter global configuration mode.
Enabling the Cisco IOS CNS Agent
After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands:
• The cns config initial global configuration command enables the Cisco IOS agent and initiates an initial configuration on the switch.
Step 7 discover {controller controller-type | dlci [subinterface subinterface-number] | interface [interface-type] | line line-type}: Specify the interface parameters in the CNS connect profile.
• For controller controller-type, enter the controller type.
• For dlci, enter the active data-link connection identifiers (DLCIs).
Step 13 cns id interface num {dns-reverse | ipaddress | mac-address} [event] [image]: (Optional) Set the unique EventID or ConfigID used by the Configuration Engine.
• For interface num, enter the type of interface, for example, ethernet, group-async, loopback, or virtual-template. This setting specifies from which interface the IP or MAC address should be retrieved to define the unique ID.
Step 14 cns config initial {hostname | ip-address} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check]: Enable the Cisco IOS agent, and initiate an initial configuration.
• For {hostname | ip-address}, enter the hostname or the IP address of the configuration server.
• (Optional) For port-number, enter the port number of the configuration server.
This example shows how to configure an initial configuration on a remote switch when the switch IP address is known. The Configuration Engine IP address is 172.28.129.22.
Switch(config)# cns template connect template-dhcp
Switch(config-tmpl-conn)# cli ip address dhcp
Switch(config-tmpl-conn)# exit
Switch(config)# cns template connect ip-route
Switch(config-tmpl-conn)# cli ip route 0.0.0.0 0.0.0.
Displaying CNS Configuration
You can use the privileged EXEC commands in Table 4-2 to display CNS configuration information.
Table 4-2 Displaying CNS Configuration
show cns config connections: Displays the status of the CNS Cisco IOS agent connections.
show cns config outstanding: Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
Chapter 5 Managing Switch Stacks
This chapter provides the concepts and procedures to manage Catalyst 3750-X switch stacks.
Note The LAN base feature set supports switch stacks only when all switches in the stack are running the LAN base feature set. The switch command reference has command syntax and usage information.
Understanding Switch Stacks
A switch stack is a set of up to nine stacking-capable switches connected through their StackWise Plus or StackWise ports. You can connect only one switch type in a stack, or you can connect a mix of Catalyst 3750-X, Catalyst 3750-E, and Catalyst 3750 switches in the stack. Catalyst 3750-X and Catalyst 3750-E stack members have StackWise Plus ports, and Catalyst 3750 members have StackWise ports.
The system-level features supported on the stack master are supported on the entire switch stack. If a switch in the stack is running the IP base or IP services feature set and the cryptographic (that is, supporting encryption) universal software image, we recommend that this switch be the stack master.
– Additional Considerations for System-Wide Configuration on Switch Stacks, page 5-16
– Switch Stack Management Connectivity, page 5-17
– Switch Stack Configuration Scenarios, page 5-18
Note A switch stack is different from a switch cluster. A switch cluster is a set of switches connected through their LAN ports, such as the 10/100/1000 ports.
For more information about cabling and powering switch stacks, see the “Switch Installation” chapter in the hardware installation guide.
4. The switch with the higher-priority feature set and software image combination.
Note These combinations are listed from highest to lowest priority. The noncryptographic images apply only to mixed stacks that include Catalyst 3750-E or 3750 switches running Cisco IOS Release 12.2(53)SE or earlier. Catalyst 3750-X switches and Catalyst 3750-E or 3750 switches running later releases support only the cryptographic image.
As described in the hardware installation guide, you can use the Master LED on the switch to see if the switch is the stack master.
Switch Stack Bridge ID and Router MAC Address
The bridge ID and router MAC address identify the switch stack in the network. When the switch stack initializes, the MAC address of the stack master determines the bridge ID and router MAC address.
• If you merge switch stacks, the switches that join the switch stack of a new stack master select the lowest available numbers in the stack. For more information about merging switch stacks, see the “Switch Stack Membership” section on page 5-4.
As described in the hardware installation guide, you can use the switch port LEDs in Stack mode to visually determine the stack member number of each stack member.
Chapter 5 Managing Switch Stacks Understanding Switch Stacks Effects of Adding a Provisioned Switch to a Switch Stack When you add a provisioned switch to the switch stack, the stack applies either the provisioned configuration or the default configuration. Table 5-1 lists the events that occur when the switch stack compares the provisioned configuration with the provisioned switch.
Chapter 5 Managing Switch Stacks Understanding Switch Stacks Table 5-1 Results of Comparing the Provisioned Configuration with the Provisioned Switch (continued) Scenario Result The stack member number of the provisioned switch is not found in the provisioned configuration. The switch stack applies the default configuration to the provisioned switch and adds it to the stack.
Chapter 5 Managing Switch Stacks Understanding Switch Stacks Version-mismatch (VM) mode has priority over SDM-mismatch mode. If a VM-mode condition and an SDM-mismatch mode exist, the switch stack first attempts to resolve the VM-mode condition. You can use the show switch privileged EXEC command to see if any stack members are in SDM-mismatch mode. For more information about SDM templates and SDM-mismatch mode, see Chapter 8, “Configuring SDM Templates.
Chapter 5 Managing Switch Stacks Understanding Switch Stacks Minor Version Number Incompatibility Among Switches Switches with the same major version number but with a different minor version number are considered partially compatible. When connected to a switch stack, a partially compatible switch enters version-mismatch (VM) mode and cannot join the stack as a fully functioning member.
Chapter 5 Managing Switch Stacks Understanding Switch Stacks • Automatic advise (auto-advise) occurs when the auto-upgrade process cannot find appropriate stack member software to copy to the switch in VM mode. This process tells you the command (archive copy-sw or archive download-sw privileged EXEC command) and the image name (tar filename) needed to manually upgrade the switch stack or the switch in VM mode.
Chapter 5 Managing Switch Stacks Understanding Switch Stacks *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Minimum Dram required:0x08000000 *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Image Suffix:ipservices-122-35.SE2 *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Image Directory:c3750e-universal-mz.122-35.SE2 *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Image Name:c3750e-universal-mz.122-35.SE2 *Mar 11 20:36:15.
Chapter 5 Managing Switch Stacks Understanding Switch Stacks *Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:members have been scanned, and it has *Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:been determined that the stack can be *Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:repaired by issuing the following *Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:command(s): *Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW: *Mar 1 00:04:22.
The interface-specific configuration of each stack member is associated with the stack member number. As mentioned in the “Stack Member Numbers” section on page 5-7, stack members retain their numbers unless they are manually changed or they are already used by another member in the same switch stack.
Switch Stack Management Connectivity
You manage the switch stack and the stack member interfaces through the stack master. You can use the CLI, SNMP, Network Assistant, and CiscoWorks network management applications. You cannot manage stack members on an individual switch basis.
Be careful when using multiple CLI sessions to the stack master. Commands that you enter in one session are not displayed in the other sessions. Therefore, you might not be able to identify the session from which you entered a command. We recommend using only one CLI session when managing the switch stack.
Table 5-2 Switch Stack Configuration Scenarios (continued)

Scenario: Stack master election specifically determined by the cryptographic
Result: Assuming that all stack members have the same priority value: 1.
Chapter 5 Managing Switch Stacks Configuring the Switch Stack
Table 5-2 Switch Stack Configuration Scenarios (continued)

Scenario: Stack master failure
  Remove (or power off) the stack master.
Result: Based on the factors described in the “Stack Master Election and Re-Election” section on page 5-5, one of the remaining stack members becomes the new stack master.

Scenario: Add more than nine stack members
  1. Through their StackWise Plus ports, connect ten switches.
  2. Power on all switches.
the previous stack master does not rejoin the stack during this period, the switch stack takes the MAC address of the new stack master as the stack MAC address. You can also configure stack MAC persistency so that the stack never switches to the MAC address of the new stack master.
Note When you enter the command to configure this feature, a warning message appears containing the consequences of your configuration.
Step 4  show running-config
        Verify that the stack MAC address timer is enabled. If enabled, the output shows stack-mac persistent timer and the time in minutes.
        or
Step 5  show switch
        If enabled, the display includes: Mac persistency wait time, the number of minutes configured, and the current stack MAC address.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Beginning in privileged EXEC mode, follow these steps to assign a member number to a stack member. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  switch current-stack-member-number renumber new-stack-member-number
        Specify the current stack member number and the new stack member number for the stack member. The range is 1 to 9.
Beginning in privileged EXEC mode, follow these steps to provision a new member for a switch stack. This procedure is optional.

Step 1  show switch
        Display summary information about the switch stack.
Step 2  configure terminal
        Enter global configuration mode.
Step 3  switch stack-member-number provision type
        Specify the stack member number for the preconfigured switch. By default, no switches are provisioned.
Chapter 5 Managing Switch Stacks Accessing the CLI of a Specific Stack Member Accessing the CLI of a Specific Stack Member Note This task is only for debugging purposes, and is only available from the master. You can access all or specific members by using the remote command {all | stack-member-number} privileged EXEC command. The stack member number range is 1 to 9. You can access specific members by using the session stack-member-number privileged EXEC command.
Chapter 5 Managing Switch Stacks Troubleshooting Stacks
• Finding a Disconnected Stack Cable, page 5-32
• Fixing a Bad Connection Between Stack Ports, page 5-33

Manually Disabling a Stack Port
If a stack port is flapping and causing instability in the stack ring, to disable the port, enter the switch stack-member-number stack port port-number disable privileged EXEC command. To re-enable the port, enter the switch stack-member-number stack port port-number enable command.
Understanding the show switch stack-ports summary Output
Only Port 1 on stack member 2 is disabled.
Identifying Loopback Problems
• Software Loopback, page 5-28
• Software Loopback Example: No Connected Stack Cable, page 5-29
• Software Loopback Examples: Connected Stack Cables, page 5-29
• Hardware Loopback, page 5-30
• Hardware Loopback Example: LINK OK event, page 5-30
• Hardware Loop Example: LINK NOT OK Event, page 5-31

Software Loopback
In a stack with three members, stack cables connect all the members.
Switch#/  Stack Port  Neighbor  Cable Length  Link OK  Link Active  Sync OK  # Changes To LinkOK  In Loopback
Port#     Status
--------  ----------  --------  ------------  -------  -----------  -------  -------------------  -----------
1/1       Absent      None      No cable      No       No           No       1                    Yes
1/2       Absent      None      No cable      No       No           No       1                    Yes

[Two further show switch stack-ports summary tables on this page survive only as fragments of their Link Active, Sync OK and # Changes To LinkOK columns.]

Software L
Hardware Loopback
The show platform stack ports buffer privileged EXEC command output shows the hardware loopback values.
On a Catalyst 3750-E or 3750-X switch:

Switch# show platform stack ports buffer
Stack Debug Event Data Trace
==============================================================
Event type LINK: Link status change
Event type RAC: RAC changes to Not OK
Event type SYNC: Sync changes to Not OK
==============================================================
Event       Stack  Stack PCS Info
Count       Port
=========   =====  ===================================
Event type: LIN

On a Catalyst 3750-E or 3750-X switch:

Switch# show platform stack ports buffer
Stack Debug Event Data Trace
==============================================================
Event type LINK: Link status change
Event type RAC: RAC changes to Not OK
Event type SYNC: Sync changes to Not OK
==============================================================
Event       Stack
Count       Port
=========   =====
Event type: LINK
0000000014  1
0000000014  2
Event type: RAC
000000
Switch#/  Stack Port  Neighbor  Cable Length  Link OK  Link Active  Sync OK  # Changes To LinkOK  In Loopback
Port#     Status
--------  ----------  --------  ------------  -------  -----------  -------  -------------------  -----------
1/1       OK          2         50 cm         Yes      Yes          Yes      1                    No
1/2       Absent      None      No cable      No       No           No       2                    No
2/1       Down        None      50 cm         No       No           No       2                    No
2/2       OK          1         50 cm         Yes      Yes          Yes      1                    No

Only one end of the cable connects to a stack port, Port 1 on Switch 2.
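The tables above are read by eye; the following added example (not from the Cisco guide) parses show switch stack-ports summary output and turns each row into a finding along the lines the troubleshooting sections describe: an empty port in software loopback, a cable attached at one end only, or a flapping port that is a candidate for the switch stack port disable command. The sample output, the classification rules and the flap threshold are assumptions made here, not behaviour the guide documents.

```python
import re
from dataclasses import dataclass

# Constructed sample in the column layout of the guide's tables (not captured
# from a real switch): 1/1 and 2/2 are cabled to each other, 1/2 is empty and
# in software loopback, 2/1 has a cable with nothing on the far end.
SAMPLE_OUTPUT = """\
Switch#/  Stack Port  Neighbor  Cable Length  Link OK  Link Active  Sync OK  # Changes To LinkOK  In Loopback
Port#     Status
--------  ----------  --------  ------------  -------  -----------  -------  -------------------  -----------
1/1       OK          2         50 cm         Yes      Yes          Yes      1                    No
1/2       Absent      None      No cable      No       No           No       1                    Yes
2/1       Down        None      50 cm         No       No           No       2                    No
2/2       OK          1         50 cm         Yes      Yes          Yes      14                   No
"""

# One data row: switch/port, status, neighbor, cable length, three Yes/No
# flags, the LinkOK change counter and the loopback flag.
ROW_RE = re.compile(
    r"^\s*(?P<switch>\d+)/(?P<port>\d+)\s+"
    r"(?P<status>OK|Absent|Down)\s+"
    r"(?P<neighbor>\S+)\s+"
    r"(?P<cable>No cable|\d+\s*(?:cm|m))\s+"
    r"(?P<link_ok>Yes|No)\s+(?P<link_active>Yes|No)\s+(?P<sync_ok>Yes|No)\s+"
    r"(?P<changes>\d+)\s+(?P<loopback>Yes|No)\s*$"
)


@dataclass
class StackPort:
    switch: int
    port: int
    status: str
    neighbor: str
    cable: str
    link_ok: bool
    link_active: bool
    sync_ok: bool
    link_ok_changes: int
    in_loopback: bool

    @property
    def name(self) -> str:
        return f"{self.switch}/{self.port}"


def parse_stack_ports(text: str) -> list:
    """Return one StackPort per data row; header and separator lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        ports.append(StackPort(
            switch=int(g["switch"]), port=int(g["port"]), status=g["status"],
            neighbor=g["neighbor"], cable=g["cable"],
            link_ok=g["link_ok"] == "Yes", link_active=g["link_active"] == "Yes",
            sync_ok=g["sync_ok"] == "Yes", link_ok_changes=int(g["changes"]),
            in_loopback=g["loopback"] == "Yes"))
    return ports


def classify(p: StackPort, flap_threshold: int = 5) -> str:
    """Map one row to a finding. The rules follow the guide's troubleshooting
    text; flap_threshold is an assumed operator-chosen limit on LinkOK changes."""
    if p.link_ok_changes >= flap_threshold:
        # A flapping port destabilises the ring; the guide's remedy is
        # 'switch <member> stack port <port> disable' until the cable is fixed.
        return "flapping"
    if p.status == "Absent" and p.cable == "No cable":
        return "no cable, software loopback" if p.in_loopback else "no cable"
    if p.status == "Down" and p.cable != "No cable" and p.neighbor == "None":
        return "cable connected at this end only"
    if p.status == "OK" and p.link_ok and p.link_active and p.sync_ok:
        return "healthy"
    return "bad connection"


def diagnose(text: str, flap_threshold: int = 5) -> dict:
    """Port name -> finding, for a whole 'show switch stack-ports summary' dump."""
    return {p.name: classify(p, flap_threshold) for p in parse_stack_ports(text)}
```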
Chapter 5 Managing Switch Stacks Troubleshooting Stacks Catalyst 3750-X and 3560-X Switch Software Configuration Guide 5-34 OL-21521-01
CHAPTER 6 Clustering Switches This chapter provides the concepts and procedures to create and manage Catalyst 3750-X and 3560-X switch clusters. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. You can create and manage switch clusters by using Cisco Network Assistant (hereafter known as Network Assistant), the command-line interface (CLI), or SNMP. For complete procedures, see the online help.
Chapter 6 Clustering Switches Understanding Switch Clusters
A switch cluster is a set of up to 16 connected, cluster-capable Catalyst switches that are managed as a single entity. The switches in the cluster use the switch clustering technology so that you can configure and troubleshoot a group of different Catalyst desktop switch platforms through a single IP address.
Table 6-1 Switch Software and Cluster Capability (continued)

Switch              Cisco IOS Release          Cluster Capability
Catalyst 3550       12.1(4)EA1 or later        Member or command switch
Catalyst 2970       12.1(11)AX or later        Member or command switch
Catalyst 2960       12.2(25)FX or later        Member or command switch
Catalyst 2955       12.1(12c)EA1 or later      Member or command switch
Catalyst 2950       12.0(5.2)WC(1) or later    Member or command switch
Catalyst 2950 LRE   12.
Chapter 6 Clustering Switches Planning a Switch Cluster Note Standby cluster command switches must be the same type of switches as the cluster command switch. For example, if the cluster command switch is a Catalyst 3750-E switch, the standby cluster command switches must also be Catalyst 3750-E switches. See the switch configuration guide of other cluster-capable switches for their requirements on standby cluster command switches.
• SNMP Community Strings, page 6-14
• Switch Clusters and Switch Stacks, page 6-14
• TACACS+ and RADIUS, page 6-16
• LRE Profiles, page 6-16
See the release notes for the list of Catalyst switches eligible for switch clustering, including which ones can be cluster command switches and which ones can only be cluster member switches, and for the required software versions and browser and Java plug-in configurations.
Figure 6-1 Discovery Through CDP Hops (figure: a command device on VLAN 16 and VLAN 62, member devices 8, 9 and 10, and candidate devices 11 to 15 beyond the edge of the cluster)

Discovery Through Non-CDP-Capable and Noncluster-Capable Devices
If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices c
Discovery Through Different VLANs
If the cluster command switch is a Catalyst 3560-E, Catalyst 3750-E, Catalyst 3560-X, or Catalyst 3750-X switch, the cluster can have cluster member switches in different VLANs. As cluster member switches, they must be connected through at least one VLAN in common with the cluster command switch.
Note If the switch cluster has a Catalyst 3750-E or Catalyst 3750-X switch or switch stack, that switch or switch stack must be the cluster command switch.
Figure 6-5 Discovery Through Routed Ports (figure: a command device with routed ports (RP) on VLAN 9 and VLAN 62, member device 7 on management VLAN 62, and VLAN 4)

Discovery of Newly Installed Switches
To join a cluster, the new, out-of-the-box switch must be connected to the cluster through one of its access ports. An access port (AP) carries the traffic of and belongs to only one VLAN.
HSRP and Standby Cluster Command Switches
The switch supports Hot Standby Router Protocol (HSRP) so that you can configure a group of standby cluster command switches.
Virtual IP Addresses
You need to assign a unique virtual IP address and group number and name to the cluster standby group. This information must be configured on a specific VLAN or routed port on the active cluster command switch. The active cluster command switch receives traffic destined for the virtual IP address.
• Each standby-group member (Figure 6-7) must be connected to the cluster command switch through the same VLAN. In this example, the cluster command switch and standby cluster command switches are Catalyst 3560-E, Catalyst 3750-E, Catalyst 3560-X, or Catalyst 3750-X cluster command switches. Each standby-group member must also be redundantly connected to each other through at least one VLAN in common with the switch cluster.
• This limitation applies to all clusters: If the active cluster command switch fails and there are more than two switches in the cluster standby group, the new cluster command switch does not discover any Catalyst 1900, Catalyst 2820, and Catalyst 2916M XL cluster member switches. You must re-add these cluster member switches to the cluster.
Passwords
You do not need to assign passwords to an individual switch if it will be a cluster member. When a switch joins a cluster, it inherits the command-switch password and retains it when it leaves the cluster. If no command-switch password is configured, the cluster member switch inherits a null password. Cluster member switches only inherit the command-switch password.
Table 6-2 Basic Comparison of Switch Stacks and Switch Clusters (continued)

Switch Stack: Can be a cluster command switch or a cluster member switch
Switch Cluster: Cannot be a stack master or stack member

Switch Stack: Stack master is the single point of complete management for all stack members in a particular switch stack
Switch Cluster: Cluster command switch is the single point of some management for all cluster members in a particular switch cluster

Switch Stack: Back-up stack master
Chapter 6 Clustering Switches Using the CLI to Manage Switch Clusters
• If a cluster member switch stack reloads and a new stack master is elected, the switch stack loses connectivity with the cluster command switch. You must add the switch stack back to the switch cluster.
• If a cluster command switch stack reloads, and the original stack master is not re-elected, you must rebuild the entire switch cluster.
Chapter 6 Clustering Switches Using SNMP to Manage Switch Clusters
Catalyst 1900 and Catalyst 2820 CLI Considerations
If your switch cluster has Catalyst 1900 and Catalyst 2820 switches running standard edition software, the Telnet session accesses the management console (a menu-driven interface) if the cluster command switch is at privilege level 15. If the cluster command switch is at privilege level 1 to 14, you are prompted for the password to access the menu console.
Figure 6-8 SNMP Management for a Cluster (figure: traps from Member 1, Member 2 and Member 3 reach the SNMP manager through the command switch as Trap 1, Trap 2 and Trap 3)
CHAPTER 7 Administering the Switch This chapter describes how to perform one-time operations to administer the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Chapter 7 Administering the Switch Managing the System Time and Date
Understanding the System Clock
The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time.
Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet. Figure 7-1 shows a typical network example using NTP. Switch A is the NTP master, with Switches B, C, and D configured in NTP server mode, in server association with Switch A.
Configuring NTP
The switch does not have a hardware-supported clock and cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. The switch also has no hardware support for a calendar. As a result, the ntp update-calendar and the ntp master global configuration commands are not available.
Step 3  ntp authentication-key number md5 value
        Define the authentication keys. By default, none are defined.
        • For number, specify a key number. The range is 1 to 4294967295.
        • md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5).
        • For value, enter an arbitrary string of up to eight characters for the key.
Beginning in privileged EXEC mode, follow these steps to form an NTP association with another device:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ntp peer ip-address [version number] [key keyid] [source interface] [prefer]
        Configure the switch system clock to synchronize a peer or to be synchronized by a peer (peer association).
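What the md5 key from Step 3 and the key keyid option on the peer association actually protect is the NTP packet's message authentication code; the following added example (not from the Cisco guide) builds that code the way NTP defines it (4-byte key ID, then MD5 over the key bytes followed by the 48-byte header) and shows the receiver-side checks: the key must be defined, it must be in the trusted set (the IOS ntp trusted-key list, which this excerpt does not show), and the digest must match. The key table and header values are constructed; treating the trusted-key list as a separate set is an assumption about how the platform behaves.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header, the part the MAC covers here
KEY_ID_LEN = 4
DIGEST_LEN = 16       # MD5

# Constructed key table, the equivalent of two
# 'ntp authentication-key <number> md5 <value>' lines (values are up to
# eight characters on this platform). Not a real deployment's keys.
KEYS = {1: b"s3cr3tk1", 2: b"otherkey"}


def build_ntp_header(transmit_seconds: int, version: int = 4, mode: int = 3) -> bytes:
    """Minimal NTP header: LI/VN/Mode, stratum, poll, precision, root delay,
    root dispersion, reference ID and four 64-bit timestamps (only the
    transmit timestamp is filled in)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    hdr = struct.pack("!BBBb", li_vn_mode, 0, 6, -20)
    hdr += struct.pack("!II", 0, 0)            # root delay, root dispersion
    hdr += b"\x00\x00\x00\x00"                 # reference ID
    hdr += struct.pack("!II", 0, 0) * 3        # reference, originate, receive
    hdr += struct.pack("!II", transmit_seconds, 0)
    assert len(hdr) == NTP_HEADER_LEN
    return hdr


def ntp_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """Key ID plus MD5(key || header), the MAC appended to an authenticated packet."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def sign_packet(key_id: int, key: bytes, header: bytes) -> bytes:
    return header + ntp_mac(key_id, key, header)


def verify_packet(packet: bytes, keys: dict, trusted_keys: set):
    """Return (accepted, key_id). keys mirrors the switch's authentication-key
    table; trusted_keys is the subset allowed for synchronisation (the IOS
    'ntp trusted-key' list, which the guide excerpt does not show)."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False, None       # no MAC at all, or not a plain header: reject
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:KEY_ID_LEN])[0]
    if key_id not in keys or key_id not in trusted_keys:
        return False, key_id     # unknown key, or defined but not trusted
    expected = hashlib.md5(keys[key_id] + header).digest()
    # Constant-time comparison so response timing does not leak digest bytes.
    return hmac.compare_digest(expected, mac[KEY_ID_LEN:]), key_id
```

Because the digest is keyed only by the eight-character shared secret, the key value has to be distributed to every peer out of band and kept as confidential as a password.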
The switch can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server, such as a router, broadcasting time information on the network. The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it. The switch can also receive NTP broadcast packets to synchronize its own clock.
Step 5  ntp broadcastdelay microseconds
        (Optional) Change the estimated round-trip delay between the switch and the NTP broadcast server. The default is 3000 microseconds; the range is 1 to 999999.
Step 6  end
        Return to privileged EXEC mode.
Step 7  show running-config
        Verify your entries.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Step 3  access-list access-list-number permit source [source-wildcard]
        Create the access list.
        • For access-list-number, enter the number specified in Step 2.
        • Enter the permit keyword to permit access if the conditions are matched.
        • For source, enter the IP address of the device that is permitted access to the switch.
        • (Optional) For source-wildcard, enter the wildcard bits to be applied to the source.
Disabling NTP Services on a Specific Interface
NTP services are enabled on all interfaces by default. Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on an interface:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode, and specify the interface to disable.
Displaying the NTP Configuration
You can use two privileged EXEC commands to display NTP information:
• show ntp associations [detail]
• show ntp status
For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Displaying the Time and Date Configuration
To display the time and date configuration, use the show clock [detail] privileged EXEC command. The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes.
Configuring Summer Time (Daylight Saving Time)
Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  clock summer-time zone recurring
        Configure summer time to start and end on the specified days every year.
Chapter 7 Administering the Switch Configuring a System Name and Prompt
Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):

Step 1  configure terminal
        Enter global configuration mode.
Step 2  clock summer-time zone date [month date year hh:mm month date year hh:mm]
        Configure summer time to start on the first date and end on the second date.
For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the hostnames, specify the name server that is present on your network, and enable the DNS.
Chapter 7 Administering the Switch Creating a Banner
Step 5  end
        Return to privileged EXEC mode.
Step 6  show running-config
        Verify your entries.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.
Configuring a Message-of-the-Day Login Banner
You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  banner motd c message c
        Specify the message of the day.
Chapter 7 Administering the Switch Managing the MAC Address Table
Configuring a Login Banner
You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  banner login c message c
        Specify the login message.
These sections contain this configuration information:
• Building the Address Table, page 7-20
• MAC Addresses and VLANs, page 7-20
• MAC Addresses and Switch Stacks, page 7-21
• Default MAC Address Table Configuration, page 7-21
• Changing the Address Aging Time, page 7-21
• Removing Dynamic Address Entries, page 7-22
• Configuring MAC Address Change Notification Traps, page 7-22
• Configuring MAC Address Move Notification
When private VLANs are configured, address learning depends on the type of MAC address:
• Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated VLANs. For example, a MAC address learned in a private-VLAN secondary VLAN is replicated in the primary VLAN.
• Static MAC addresses configured in a primary or secondary VLAN are not replicated in the associated VLANs.
Beginning in privileged EXEC mode, follow these steps to configure the dynamic address table aging time:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mac address-table aging-time [0 | 10-1000000] [vlan vlan-id]
        Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated. The range is 10 to 1000000 seconds. The default is 300.
Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address change notification traps to an NMS host:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type
        Specify the recipient of the trap message.
        • For host-addr, specify the name or address of the NMS.
Step 9  show mac address-table notification change interface
        show running-config
        Verify your entries.
Step 10 copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To disable MAC address-change notification traps, use the no snmp-server enable traps mac-notification change global configuration command.
Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address-move notification traps to an NMS host:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type
        Specify the recipient of the trap message.
        • For host-addr, specify the name or address of the NMS.
Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address table threshold notification traps to an NMS host:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type
        Specify the recipient of the trap message.
        • For host-addr, specify the name or address of the NMS.
You can verify your settings by entering the show mac address-table notification threshold privileged EXEC command.

Adding and Removing Static Address Entries
A static address has these characteristics:
• It is manually entered in the address table and must be manually removed.
• It can be a unicast or multicast address.
• It does not age and is retained when the switch restarts.
This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded to the specified port:

Switch(config)# mac address-table static c2f3.220a.
Step 4  show mac address-table static
        Verify your entries.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To disable unicast MAC address filtering, use the no mac address-table static mac-addr vlan vlan-id global configuration command.
Beginning in privileged EXEC mode, follow these steps to disable MAC address learning on a VLAN:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  no mac address-table learning vlan vlan-id
        Disable MAC address learning on the specified VLAN or VLANs. You can specify a single VLAN ID or a range of VLAN IDs separated by a hyphen or comma. Valid VLAN IDs are 1 to 4094.
Chapter 7 Administering the Switch Managing the ARP Table
To communicate with a device (over Ethernet, for example), the software first must learn the 48-bit MAC address or the local data link address of that device. The process of learning the local data link address from an IP address is called address resolution. The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or MAC addresses and the VLAN ID.
CHAPTER 8 Configuring SDM Templates This chapter describes how to configure the Switch Database Management (SDM) templates on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 8 Configuring SDM Templates Understanding the SDM Templates Note On switches running the LAN base feature set, routing values shown in the templates are not valid. The switch also supports multiple dual IPv4 and IP Version 6 (IPv6) templates for environments with both types of traffic. See the “Dual IPv4 and IPv6 SDM Templates” section on page 8-2. Table 8-1 lists the approximate numbers of each resource supported in each of the four IPv4 templates.
• Dual IPv4 and IPv6 routing template—supports Layer 2, multicast, routing (including policy-based routing), QoS, and ACLs for IPv4; and Layer 2, routing, ACLs, and QoS for IPv6 on the switch.
• Dual IPv4 and IPv6 VLAN template—supports basic Layer 2, multicast, QoS, and ACLs for IPv4, and basic Layer 2, ACLs, and QoS for IPv6 on the switch.
You must reload the switch with the dual IPv4 and IPv6 templates for switches running IPv6.
Chapter 8 Configuring SDM Templates Configuring the Switch SDM Template
This is an example of a syslog message notifying the stack master that a stack member is in SDM mismatch mode:

2d23h:%STACKMGR-6-SWITCH_ADDED_SDM:Switch 2 has been ADDED to the stack (SDM_MISMATCH)
2d23h:%SDM-6-MISMATCH_ADVISE:
2d23h:%SDM-6-MISMATCH_ADVISE:
2d23h:%SDM-6-MISMATCH_ADVISE:System (#2) is incompatible with the SDM
2d23h:%SDM-6-MISMATCH_ADVISE:template currently running on the stack and
2d23h:%SDM-6-MISMATCH_ADVISE:will no
Setting the SDM Template
Beginning in privileged EXEC mode, follow these steps to configure an SDM template:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  sdm prefer {access | default | dual-ipv4-and-ipv6 {default | routing | vlan} | routing | vlan}
        Specify the SDM template to be used on the switch. The keywords have these meanings:
        • access—Maximize system resources for ACLs.
Chapter 8 Configuring SDM Templates Displaying the SDM Templates To return to the default template, use the no sdm prefer global configuration command.
number of qos aces:        0.5K
number of security aces:   1K

This is an example of output from the show sdm prefer dual-ipv4-and-ipv6 routing command:

Switch# show sdm prefer dual-ipv4-and-ipv6 routing
The current template is "desktop IPv4 and IPv6 routing" template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
CHAPTER 9 Configuring Catalyst 3750-X StackPower The Catalyst 3750-X and 3560-X switches have two power supplies per system, allowing the power load to be split between them. This accommodates the increased maximum power of 30 watts per port provided to a powered device to meet the PoE+ standard (802.3at). With PoE+, a 48-port system would need 1440 Watts to provide 30 Watts per powered device for the PoE ports. Systems with fewer powered devices might require only one power supply.
Chapter 9 Configuring Catalyst 3750-X StackPower Understanding StackPower
• System operation can become more green by maximizing power supply efficiency and working with the most efficient load (30 to 90% of their maximum load).
StackPower uses these terms:
• Available power is the total power available for PoE from all power supplies in the power stack. To see the available power in a stack, enter the show power inline privileged EXEC command.
You can also configure a switch connected in a power stack to not participate in the power stack by setting the switch to standalone power mode. This mode shuts down both stack power ports. This is a switch parameter and is configurable by entering the stack-power switch global configuration command followed by a switch number to enter switch stack power configuration mode.
Graceful load shedding is always enabled and immediate load shedding occurs only when necessary, so both can occur at the same time.
Note Load shedding does not occur in redundant mode unless two or more power supplies fail, because the largest power supply is used as a backup power source.
Notes on load shedding:
• The method (immediate or graceful) is not user-configurable, but is based on the power budget.
The output of the show stack-power privileged EXEC command shows the priorities of the powered devices and switches in the power stack.
Switch# show stack-power
Power stack name: Powerstack1
Stack mode: Power sharing
Switch 1:
Power budget: 206
Low port priority value: 17
High port priority value: 16
Switch priority value: 2
Port A status: Not shut
Port B status: Not shut
Neighbor on port A: 0022.bdcf.ab00
Neighbor on port B: 0022.
Chapter 9 Configuring Catalyst 3750-X StackPower Configuring Stack Power
• Switch 4 (priority 4)
• Switch 3 (priority 3)
• Switch 1 (priority 2)
Switch 2 would never have to be shut down because all power would have been lost by the time priority 1 devices were reached.
This is an example of setting the stack power mode for the stack named power1 to redundant power mode. The largest power supply in the stack is removed from the power budget and used as a backup in case of power supply failure.
Note Entering the write erase and reload privileged EXEC commands does not change the power priority or power mode non-default configuration saved in the switch flash memory.
Configuring PoE Port Priority
Beginning in privileged EXEC mode, follow these steps to configure the priority of a PoE port on a switch:
Step 1: configure terminal. Purpose: Enter global configuration mode.
Chapter 10 Configuring Switch-Based Authentication
This chapter describes how to configure switch-based authentication on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Chapter 10 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands • If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information. For more information, see the “Controlling Switch Access with TACACS+” section on page 10-10.
Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:
Step 1: configure terminal. Purpose: Enter global configuration mode.
Step 2: enable password password. Purpose: Define a new password or change an existing password for access to privileged EXEC mode.
Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords:
Step 1: configure terminal. Purpose: Enter global configuration mode.
Step 2: enable password [level level] {password | encryption-type encrypted-password}. Purpose: Define a new password or change an existing password for access to privileged EXEC mode.
This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:
Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
Disabling Password Recovery
By default, any end user with physical access to the switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password.
Setting a Telnet Password for a Terminal Line
When you power-up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password.
Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password:
Step 1: configure terminal. Purpose: Enter global configuration mode.
Step 2: username name [privilege level] {password encryption-type password}. Purpose: Enter the username, privilege level, and password for each user.
Setting the Privilege Level for a Command
Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:
Step 1: configure terminal. Purpose: Enter global configuration mode.
Step 2: privilege mode level level command. Purpose: Set the privilege level for a command.
Changing the Default Privilege Level for Lines
Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:
Step 1: configure terminal. Purpose: Enter global configuration mode.
Step 2: line vty line. Purpose: Select the virtual terminal line on which to restrict access.
Step 3: privilege level level. Purpose: Change the default privilege level for the line.
Chapter 10 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Controlling Switch Access with TACACS+ This section describes how to enable and configure Terminal Access Controller Access Control System Plus (TACACS+), which provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands.
Figure 10-1 Typical TACACS+ Network Configuration (figure not reproduced: a Catalyst 6500 series switch and two UNIX workstations acting as TACACS+ server 1 at 171.20.10.7 and TACACS+ server 2 at 171.20.10.8)
Configure the switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers). Enable AAA. Create a login authentication method list. Apply the list to the terminal lines.
TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a password prompt.
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 10-16
• Starting TACACS+ Accounting, page 10-17
Default TACACS+ Configuration
TACACS+ and AAA are disabled by default. To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate users accessing the switch through the CLI.
Step 6: end. Purpose: Return to privileged EXEC mode.
Step 7: show tacacs. Purpose: Verify your entries.
Step 8: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
To remove the specified TACACS+ server name or address, use the no tacacs-server host hostname global configuration command.
Step 3: aaa authentication login {default | list-name} method1 [method2...]. Purpose: Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.
Note To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip http authentication aaa global configuration command. Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
Chapter 10 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Starting TACACS+ Accounting The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
Understanding RADIUS
RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco routers and switches. Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information.
Figure 10-2 Transitioning from RADIUS to TACACS+ Services (figure not reproduced: a remote PC and a workstation, RADIUS servers R1 and R2, and TACACS+ servers T1 and T2)
RADIUS Operation
When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:
1. The user is prompted to enter a username and password.
2.
• CoA Request Commands, page 10-22
• Session Reauthentication, page 10-23
• Stacking Guidelines for Session Termination, page 10-25
A standard RADIUS interface is typically used in a pulled model, where the request originates from a network-attached device and the response comes from the queried servers.
Table 10-2 Supported IETF Attributes
Attribute Number / Attribute Name
24 / State
31 / Calling-Station-ID
44 / Acct-Session-ID
80 / Message-Authenticator
101 / Error-Cause
Table 10-3 shows the possible values for the Error-Cause attribute.
Session Identification
For disconnect and CoA requests targeted at a particular session, the switch locates the session based on one or more of the following attributes:
• Calling-Station-Id (IETF attribute #31 which contains the host MAC address)
• Audit-Session-Id (Cisco VSA)
• Acct-Session-Id (IETF attribute #44)
Unless all session identification attributes included in the CoA message match the session, the
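The matching rule above is easy to get wrong in a RADIUS server or a CoA client: only the identification attributes that are actually present in the request are compared, but every one that is present must match, and a request carrying none of them cannot be tied to a session. The following Python model is an added example (not IOS code and not from this guide) of that rule. Sessions, ports, MAC addresses and session ids are constructed; the assumption that Calling-Station-Id may arrive in any common MAC notation and should be compared after normalization is mine, not a statement from the guide.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Session identification attributes named in the guide: IETF Calling-Station-Id (attribute 31,
# the host MAC address), IETF Acct-Session-Id (attribute 44) and the Cisco VSA Audit-Session-Id.
ID_ATTRIBUTES = ("Calling-Station-Id", "Acct-Session-Id", "Audit-Session-Id")


@dataclass(frozen=True)
class Session:
    """One authenticated session as the switch tracks it (constructed model, not IOS data)."""
    port: str
    calling_station_id: str
    acct_session_id: str
    audit_session_id: str

    def identifiers(self) -> Dict[str, str]:
        return {
            "Calling-Station-Id": self.calling_station_id,
            "Acct-Session-Id": self.acct_session_id,
            "Audit-Session-Id": self.audit_session_id,
        }


def normalize_mac(value: str) -> str:
    """Reduce a MAC address to its 12 hex digits so '00-11-22-33-44-55' equals '0011.2233.4455'.

    Assumption for this example: servers may encode Calling-Station-Id in any common format.
    """
    return "".join(ch for ch in value.lower() if ch in "0123456789abcdef")


def attribute_matches(name: str, requested: str, stored: str) -> bool:
    if name == "Calling-Station-Id":
        return normalize_mac(requested) == normalize_mac(stored)
    return requested == stored


def locate_session(coa_attrs: Dict[str, str], sessions: Iterable[Session]) -> Optional[Session]:
    """Find the session targeted by a CoA or Disconnect request.

    Only identification attributes present in the request are compared, but every one that is
    present must match; a single mismatch means no session is located. Other attributes in the
    request (State, Message-Authenticator, command VSAs) play no part in identification.
    """
    wanted = {k: v for k, v in coa_attrs.items() if k in ID_ATTRIBUTES}
    if not wanted:
        return None  # a request with no identifier cannot be tied to any session
    for session in sessions:
        ids = session.identifiers()
        if all(attribute_matches(k, v, ids[k]) for k, v in wanted.items()):
            return session
    return None


# Constructed sessions (ports, MACs and session ids are made up for the example).
SESSIONS = (
    Session("Gi1/0/1", "00:11:22:33:44:55", "00000001", "0A0A0A0100000001AAAAAAAA"),
    Session("Gi1/0/2", "00:11:22:33:44:66", "00000002", "0A0A0A0100000002BBBBBBBB"),
)


def demo() -> Dict[str, Optional[str]]:
    """Run a few constructed requests and report which port, if any, each one resolves to."""
    cases = {
        "acct-only": {"Acct-Session-Id": "00000001"},
        "mac-other-format": {"Calling-Station-Id": "0011.2233.4455"},
        "conflicting": {"Calling-Station-Id": "00-11-22-33-44-55", "Acct-Session-Id": "00000002"},
        "no-identifier": {"State": "abc", "Message-Authenticator": "x"},
    }
    result: Dict[str, Optional[str]] = {}
    for name, req in cases.items():
        found = locate_session(req, SESSIONS)
        result[name] = found.port if found is not None else None
    return result


if __name__ == "__main__":
    for name, port in demo().items():
        print(f"{name:18} -> {port}")
```

The "conflicting" case is the one to remember when debugging a CoA that the switch refuses: a request whose MAC belongs to one session and whose Acct-Session-Id belongs to another identifies nothing, even though each attribute on its own would have found a session.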
• Session Reauthentication in a Switch Stack
• Session Termination
• CoA Disconnect-Request
• CoA Request: Disable Host Port
• CoA Request: Bounce-Port
Beginning with Cisco IOS Release 12.2(52)SE, the switch supports the commands shown in Table 10-4.
• If authentication completes with either success or failure, the signal that triggered the reauthentication is removed from the stack member.
• If the stack master fails before authentication completes, reauthentication is initiated after stack master switch-over based on the original command (which is subsequently removed).
Note A Disconnect-Request failure following command re-sending could be the result of either a successful session termination before change-over (if the Disconnect-ACK was not sent) or a session termination by other means (for example, a link failure) that occurred after the original command was issued and before the standby switch became active.
When the Auth Manager command handler on the stack master receives a valid disable-port command, it verifies this information before returning a CoA-ACK message:
• the need for a port-disable
• the port-id (found in the local session context)
The switch attempts to disable the port. If the port-disable operation is successful, the signal that triggered the port-disable is removed from the standby stack master.
Default RADIUS Configuration
RADIUS and AAA are disabled by default. To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the switch through the CLI.
Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.
Step 1: configure terminal. Purpose: Enter global configuration mode.
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.
This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:
Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
Switch(config)# radius-server host 172.20.36.
Step 3: aaa authentication login {default | list-name} method1 [method2...]. Purpose: Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:
Step 1: configure terminal. Purpose: Enter global configuration mode.
Step 8: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
Step 9: Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 10-29.
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.
Step 3: aaa authorization exec radius. Purpose: Configure the switch for user RADIUS authorization if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information).
Step 4: end. Purpose: Return to privileged EXEC mode.
Step 5: show running-config. Purpose: Verify your entries.
Configuring Settings for All RADIUS Servers
Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers:
Step 1: configure terminal. Purpose: Enter global configuration mode.
Step 2: radius-server key string. Purpose: Specify the shared secret text string used between the switch and all RADIUS servers.
This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
This example shows how to specify an authorized VLAN in the RADIUS server database:
cisco-avpair= "tunnel-type(#64)=VLAN(13)"
cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
This example shows how to apply an i
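Because these attribute strings are authored by hand on the RADIUS server, a server-side lint that parses them and rejects inconsistent sets (a privilege level outside 0 to 15, or a VLAN group id sent without the matching tunnel-type and tunnel-medium-type) catches mistakes before the switch sees them. The following Python parser is an added example (not Cisco code and not from this guide) written against the string forms shown above. The attribute strings are the ones from the guide; the second, inconsistent set is constructed, and the validation rules (tunnel-type must be VLAN with code 13, tunnel-medium-type must be 802 media with code 6, all three tunnel attributes must be present) follow the example above rather than any statement of IOS behaviour.

```python
import re
from typing import Dict, List, Optional

# "name(#ietf-number)=value"; the "(#nn)" part is present on the tunnel attributes and absent
# on vendor-only pairs such as shell:priv-lvl.
AVPAIR_RE = re.compile(r"^(?P<name>[A-Za-z0-9:_-]+)(?:\(#(?P<num>\d+)\))?=(?P<value>.*)$")
# Enumerated values are written "Label(code)", e.g. "VLAN(13)" or "802 media(6)".
ENUM_RE = re.compile(r"^(?P<label>.+?)\((?P<code>\d+)\)$")


def parse_avpair(pair: str) -> Dict[str, object]:
    """Split one cisco-avpair string into name, IETF attribute number, value and enum code."""
    m = AVPAIR_RE.match(pair.strip())
    if m is None:
        raise ValueError(f"not a cisco-avpair: {pair!r}")
    value = m.group("value").strip()
    em = ENUM_RE.match(value)
    return {
        "name": m.group("name"),
        "attr": int(m.group("num")) if m.group("num") else None,
        "value": value,
        "label": em.group("label") if em else None,
        "code": int(em.group("code")) if em else None,
    }


def privilege_level(pairs: List[str]) -> Optional[int]:
    """Return the level requested by shell:priv-lvl, or None if it is absent or outside 0..15."""
    for pair in pairs:
        p = parse_avpair(pair)
        if p["name"] == "shell:priv-lvl":
            try:
                level = int(str(p["value"]))
            except ValueError:
                return None
            return level if 0 <= level <= 15 else None
    return None


def vlan_assignment(pairs: List[str]) -> Optional[str]:
    """Return the VLAN named by the three tunnel attributes, or None unless all three agree.

    Accepts only tunnel-type VLAN (code 13) with tunnel-medium-type 802 media (code 6); a set
    that uses a different tunnel type or omits one of the three attributes yields no assignment.
    """
    by_attr = {p["attr"]: p for p in map(parse_avpair, pairs) if p["attr"] is not None}
    t_type, medium, group = by_attr.get(64), by_attr.get(65), by_attr.get(81)
    if t_type is None or medium is None or group is None:
        return None
    if t_type["code"] != 13 or medium["code"] != 6:
        return None
    return str(group["value"]) or None


# The avpair strings shown in the guide, followed by one constructed inconsistent set.
GUIDE_PAIRS = [
    "shell:priv-lvl=15",
    "tunnel-type(#64)=VLAN(13)",
    "tunnel-medium-type(#65)=802 media(6)",
    "tunnel-private-group-ID(#81)=vlanid",
]
INCONSISTENT_PAIRS = [
    "tunnel-type(#64)=VLAN(13)",
    "tunnel-private-group-ID(#81)=vlanid",  # constructed: tunnel-medium-type is missing
]

if __name__ == "__main__":
    print("priv-lvl:", privilege_level(GUIDE_PAIRS))
    print("vlan:", vlan_assignment(GUIDE_PAIRS))
    print("vlan (inconsistent):", vlan_assignment(INCONSISTENT_PAIRS))
```

Run over an exported user database, privilege_level flags any profile that would hand out level 15 unintentionally, and vlan_assignment flags profiles whose VLAN attributes are incomplete and so would silently leave the port in its configured VLAN.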
As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with the switch. You specify the RADIUS host and secret text string by using the radius-server global configuration commands.
Step 4: client {ip-address | name} [vrf vrfname] [server-key string]. Purpose: Enter dynamic authorization local server configuration mode and specify a RADIUS client from which a device will accept CoA and disconnect requests.
Step 5: server-key [0 | 7] string. Purpose: Configure the RADIUS key to be shared between a device and RADIUS clients.
Chapter 10 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos
Configuring RADIUS Server Load Balancing
This feature allows access and authentication requests to be distributed evenly across all RADIUS servers in a server group. For more information, see the “RADIUS Server Load Balancing” chapter of the “Cisco IOS Security Configuration Guide”, Release 12.2: http://www.ciscosystems.com/en/US/docs/ios/12_2sb/feature/guide/sbrdldbl.
Kerberos verifies that users are who they claim to be and the network services that they use are what the services claim to be. To do this, a KDC or trusted Kerberos server issues tickets to users. These tickets, which have a limited lifespan, are stored in user credential caches. The Kerberos server uses the tickets instead of usernames and passwords to authenticate users and network services.
Table 10-5 Kerberos Terms (continued)
Term / Definition
Kerberized / A term that describes applications and services that have been modified to support the Kerberos credential infrastructure.
Kerberos realm / A domain consisting of users, hosts, and network services that are registered to a Kerberos server.
Authenticating to a Boundary Switch
This section describes the first layer of security through which a remote user must pass. The user must first authenticate to the boundary switch. This process then occurs:
1. The user opens an un-Kerberized Telnet connection to the boundary switch.
2. The switch prompts the user for a username and password.
3. The switch requests a TGT from the KDC for this user.
4.
Chapter 10 Configuring Switch-Based Authentication Configuring the Switch for Local Authentication and Authorization
When you add or create entries for the hosts and users, follow these guidelines:
Note
• The Kerberos principal name must be in all lowercase characters.
• The Kerberos instance name must be in all lowercase characters.
• The Kerberos realm name must be in all uppercase characters.
Chapter 10 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell
Step 6: username name [privilege level] {password encryption-type password}. Purpose: Enter the local database, and establish a username-based authentication system. Repeat this command for each user.
• For name, specify the user ID as one word. Spaces and quotation marks are not allowed.
• (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15.
Note For complete syntax and usage information for the commands used in this section, see the command reference for this release and the “Secure Shell Commands” section of the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7d0.
Limitations
These limitations apply to SSH:
• The switch supports Rivest, Shamir, and Adleman (RSA) authentication.
• SSH supports only the execution-shell application.
• The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data encryption software.
• The switch does not support the Advanced Encryption Standard (AES) symmetric encryption algorithm.
3. Configure user authentication for local or remote access. This step is required. For more information, see the “Configuring the Switch for Local Authentication and Authorization” section on page 10-43.
Beginning in privileged EXEC mode, follow these steps to configure a hostname and an IP domain name and to generate an RSA key pair. This procedure is required if you are configuring the switch as an SSH server.
Step 3: ip ssh {timeout seconds | authentication-retries number}. Purpose: Configure the SSH control parameters:
• Specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. This parameter applies to the SSH negotiation phase. After the connection is established, the switch uses the default time-out values of the CLI-based sessions.
Chapter 10 Configuring Switch-Based Authentication Configuring the Switch for Secure Socket Layer HTTP Configuring the Switch for Secure Socket Layer HTTP This section describes how to configure Secure Socket Layer (SSL) Version 3.0 support for the HTTP 1.1 server and client. SSL provides server authentication, encryption, and message integrity, as well as HTTP client authentication, to allow secure HTTP communications.
If you do not configure a CA trustpoint, when you enable a secure HTTP connection, either a temporary or a persistent self-signed certificate for the secure HTTP server (or client) is automatically generated.
Note
• If the switch is not configured with a hostname and a domain name, a temporary self-signed certificate is generated.
CipherSuites
A CipherSuite specifies the encryption algorithm and the digest algorithm to use on a SSL connection. When connecting to the HTTPS server, the client Web browser offers a list of supported CipherSuites, and the client and server negotiate the best encryption algorithm to use from those on the list that are supported by both. For example, Netscape Communicator 4.76 supports U.S.
SSL Configuration Guidelines
When SSL is used in a switch cluster, the SSL session terminates at the cluster commander. Cluster member switches must run standard HTTP. Before you configure a CA trustpoint, you should ensure that the system clock is set. If the clock is not set, the certificate is rejected due to an incorrect date. In a switch stack, the SSL session terminates at the stack master.
Use the no crypto ca trustpoint name global configuration command to delete all identity information and certificates associated with the CA.
Configuring the Secure HTTP Server
If you are using a certificate authority for certification, you should use the previous procedure to configure the CA trustpoint on the switch before enabling the HTTP server.
Step 11: ip http timeout-policy idle seconds life seconds requests value. Purpose: (Optional) Specify how long a connection to the HTTP server can remain open under the defined circumstances:
• idle—the maximum time period when no data is received or response data cannot be sent. The range is 1 to 600 seconds. The default is 180 seconds (3 minutes).
Chapter 10 Configuring Switch-Based Authentication Configuring the Switch for Secure Copy Protocol
Step 3: ip http client secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-md5] [rc4-128-sha] [des-cbc-sha]}. Purpose: (Optional) Specify the CipherSuites (encryption algorithms) to be used for encryption over the HTTPS connection. If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support.
Information About Secure Copy
To configure the Secure Copy feature, you should understand these concepts. The behavior of SCP is similar to that of remote copy (rcp), which comes from the Berkeley r-tools suite, except that SCP relies on SSH for security.
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication
This chapter describes how to configure IEEE 802.1x port-based authentication on the Catalyst 3750-X or 3560-X switch. IEEE 802.1x authentication prevents unauthorized devices (clients) from gaining access to the network. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port. These sections describe IEEE 802.
Device Roles
With 802.1x port-based authentication, the devices in the network have specific roles as shown in Figure 11-1.
Figure 11-1 802.1x Device Roles (figure not reproduced: workstations (clients) and an authentication server (RADIUS))
• Client—the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running 802.
The devices that can act as intermediaries include the Catalyst 3750-X, Catalyst 3750-E, Catalyst 3750, Catalyst 3650-X, Catalyst 3560-E, Catalyst 3560, Catalyst 3550, Catalyst 2970, Catalyst 2960, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point. These devices must be running software that supports the RADIUS client and IEEE 802.1x authentication.
Figure 11-2 Authentication Flowchart (figure not reproduced; it shows these decisions: the switch gets an EAPOL message and the EAPOL message exchange begins, which starts IEEE 802.1x port-based authentication and determines whether the client identity is valid or invalid; if the IEEE 802.1x authentication process times out and MAC authentication bypass is enabled, the switch uses MAC authentication bypass and checks whether the client MAC address identity is valid)
The Termination-Action RADIUS attribute (Attribute [29]) specifies the action to take during re-authentication. The actions are Initialize and ReAuthenticate. When the Initialize action is set (the attribute value is DEFAULT), the 802.1x session ends, and connectivity is lost during re-authentication.
Figure 11-3 Message Exchange (figure not reproduced; it shows the exchange between the client, the switch, and the authentication server (RADIUS) in this order: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; RADIUS Access-Request; EAP-Request/OTP; RADIUS Access-Challenge; EAP-Response/OTP; RADIUS Access-Request; EAP-Success; RADIUS Access-Accept; Port Authorized; EAPOL-Logoff; Port Unauthorized)
If 802.
Authentication Manager
In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including CLI commands and messages, on this switch and also on other network devices, such as a Catalyst 6000. You had to use separate authentication configurations. Cisco IOS Release 12.
Per-User ACLs and Filter-Ids
ACLs configured on the switch are compatible with other devices running Cisco IOS releases. You can only set any as the source in the ACL.
Note For any ACL configured for multiple-host mode, the source portion of the statement must be any. (For example, permit icmp any host 10.10.1.1.
Table 11-2 Authentication Manager Commands and Earlier 802.1x Commands (continued)
The authentication manager commands in Cisco IOS Release 12.2(50)SE or later / The equivalent 802.1x commands in Cisco IOS Release 12.2(46)SE and earlier / Description
authentication order / dot1x mac-auth-bypass / Enable the MAC authentication bypass feature.
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication • auto—enables 802.1x authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-start frame is received.
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication 802.1x Host Mode You can configure an 802.1x port for single-host or for multiple-hosts mode. In single-host mode (see Figure 12-1 on page 12-2), only one client can be connected to the 802.1x-enabled switch port. The switch detects the client by sending an EAPOL frame when the port link state changes to the up state.
Chapter 11 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication MAC Move When a MAC address is authenticated on one switch port, that address is not allowed on another 802.1x port of the switch. If the switch detects that same MAC address on another 802.1x port, the address is not allowed. There are situations where a MAC address might need to move from one port to another on the same switch.
802.1x Authentication with VLAN Assignment The switch supports 802.1x authentication with VLAN assignment. After successful 802.1x authentication of a port, the RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the client connected to the switch port.
To configure VLAN assignment you need to perform these tasks: • Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server. • Enable 802.1x authentication. (The VLAN assignment feature is automatically enabled when you configure 802.1x authentication on an access port.) • Assign vendor-specific tunnel attributes in the RADIUS server.
Only one 802.1x-authenticated user is supported on a port. If the multiple-hosts mode is enabled on the port, the per-user ACL attribute is disabled for the associated port. The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of RADIUS-server per-user ACLs.
The switch uses the CiscoSecure-Defined-ACL AV pair to intercept an HTTP or HTTPS request from the endpoint device. The switch then forwards the client web browser to the specified redirect address. The url-redirect AV pair on the Cisco Secure ACS contains the URL to which the web browser is redirected.
802.1x Authentication with Guest VLAN You can configure a guest VLAN for each 802.1x port on the switch to provide limited services to clients, such as downloading the 802.1x client. These clients might be upgrading their system for 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable. When you enable a guest VLAN on an 802.1x
802.1x Authentication with Restricted VLAN You can configure a restricted VLAN (also referred to as an authentication failed VLAN) for each IEEE 802.1x port on a switch stack or a switch to provide limited services to clients that cannot access the guest VLAN. These clients are 802.1x-compliant and cannot access another VLAN because they fail the authentication process.
When a new host tries to connect to the critical port, that host is moved to a user-specified access VLAN, the critical VLAN. The administrator gives limited authentication to the hosts. When the switch tries to authenticate a host connected to a critical port, the switch checks the status of the configured RADIUS server. If a server is available, the switch can authenticate the host.
– If none of the RADIUS servers is available and the client is not connected to a critical port, the switch might not assign the client to the guest VLAN even if one is configured. – If none of the RADIUS servers is available and the client is connected to a critical port and was previously assigned to a guest VLAN, the switch keeps the port in the guest VLAN.
802.1x User Distribution Configuration Guidelines • Confirm that at least one VLAN is mapped to the VLAN group. • You can map more than one VLAN to a VLAN group. • You can modify the VLAN group by adding or deleting a VLAN.
IEEE 802.1x Authentication with Port Security You can configure an IEEE 802.1x port with port security in either single-host or multiple-hosts mode. (You also must configure port security on the port by using the switchport port-security interface configuration command.) When you enable port security and IEEE 802.1x authentication on a port, IEEE 802.
When a host that uses WoL is attached through an IEEE 802.1x port and the host powers off, the IEEE 802.1x port becomes unauthorized. The port can only receive and send EAPOL packets, and WoL magic packets cannot reach the host. When the PC is powered off, it is not authorized, and the switch port is not opened. When the switch uses IEEE 802.
If re-authentication is based on the Session-Timeout RADIUS attribute (Attribute [27]) and the Termination-Action RADIUS attribute (Attribute [29]), and if the Termination-Action action is Initialize (the attribute value is DEFAULT), the MAC authentication bypass session ends, and connectivity is lost during re-authentication.
Configuring NAC Layer 2 IEEE 802.1x validation is similar to configuring IEEE 802.1x port-based authentication except that you must configure a posture token on the RADIUS server. For information about configuring NAC Layer 2 IEEE 802.1x validation, see the “Configuring NAC Layer 2 IEEE 802.
Note If you use a dynamic VLAN to assign a voice VLAN on an MDA-enabled switch port, the voice device fails authorization. • To authorize a voice device, the AAA server must be configured to send a Cisco Attribute-Value (AV) pair attribute with a value of device-traffic-class=voice. Without this value, the switch treats the voice device as a data device.
802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT) The Network Edge Access Topology (NEAT) feature extends identity to areas outside the wiring closet (such as conference rooms). This allows any type of device to authenticate on the port. • 802.1x switch supplicant: You can configure a switch to act as a supplicant to another switch by using the 802.
• The VSA changes the authenticator switch port mode from access to trunk, enables 802.1Q trunk encapsulation, and converts the access VLAN, if one is configured, into the native VLAN of the trunk.
The session ID is used by the NAD, the AAA server, and other report-analyzing applications to identify the client. The ID appears automatically. No configuration is required. Understanding Media Access Control Security and MACsec Key Agreement Media Access Control Security (MACsec), defined in 802.
MKA Policies You apply a defined MKA policy to an interface to enable MKA on the interface. Removing the MKA policy disables MKA on that interface. You can configure these options: • Policy name, not to exceed 16 ASCII characters. • Confidentiality (encryption) offset of 0, 30, or 50 bytes for each physical interface. • Replay protection.
MACsec, MKA and 802.1x Host Modes You can use MACsec and the MKA Protocol with 802.1x single-host mode, multiple-host mode, or Multi Domain Authentication (MDA) mode. Multiple authentication mode is not supported. Note Although the software supports MDA mode, there are no IP phones that support MACsec and MKA.
MKA Statistics Some MKA counters are aggregated globally, while others are updated both globally and per session. You can also obtain information about the status of MKA sessions. Configuring 802.1x Authentication These sections contain this configuration information: • Default 802.1x Authentication Configuration, page 11-35 • 802.1x Authentication Configuration Guidelines, page 11-36 • Configuring 802.
• Configuring a Web Authentication Local Banner, page 11-65 (optional) • Disabling 802.1x Authentication on the Port, page 11-66 (optional) • Resetting the 802.1x Authentication Configuration to the Default Values, page 11-66 (optional) • Configuring MKA and MACsec, page 11-67 (optional) Default 802.1x Authentication Configuration Table 11-4 Default 802.
Table 11-4 Default 802.1x Authentication Configuration (continued) Feature / Default Setting: Restricted VLAN: None specified. Authenticator (switch) mode: None specified. MAC authentication bypass: Disabled. MACsec and MKA: Disabled. No MKA policies are configured. 802.1x Authentication Configuration Guidelines This section has configuration guidelines for these features: • 802.
– EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an 802.1x port. If you try to enable 802.1x authentication on an EtherChannel port, an error message appears, and 802.1x authentication is not enabled. – Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable 802.
– If the Windows XP client is configured for DHCP and has an IP address from the DHCP server, receiving an EAP-Success message on a critical port might not re-initiate the DHCP configuration process. – You can configure the inaccessible authentication bypass feature and the restricted VLAN on an 802.1x port.
Follow these guidelines to enable the readiness check on the switch: • The readiness check is typically used before 802.1x is enabled on the switch. • If you use the dot1x test eapol-capable privileged EXEC command without specifying an interface, all the ports on the switch stack are tested. • When you configure the dot1x test eapol-capable command on an 802.
Note If you do not include the shutdown vlan keywords, the entire port is shut down when it enters the error-disabled state. • If you use the errdisable recovery cause security-violation global configuration command to configure error-disabled recovery, the port is automatically re-enabled.
Configuring 802.1x Violation Modes You can configure an 802.1x port so that it shuts down, generates a syslog error, or discards packets from a new device when: • a device connects to an 802.
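The three violation modes side by side, together with the error-disable recovery described in the note above, as an added example that is not part of the guide. The interface names, the 300-second recovery interval, and the use of one port per mode are assumptions made for illustration; the keywords shutdown, restrict, and protect correspond to the three behaviors the text lists (shut down the port, log a syslog error, discard the new device's packets).

```cisco
! Added example (not from the guide): one access port per violation mode, plus
! automatic recovery from the error-disabled state. Interface names and the
! recovery interval are assumed values.
!
! Recover ports that were error-disabled by a security violation instead of
! leaving them down until an operator notices.
errdisable recovery cause security-violation
errdisable recovery interval 300
! Without "shutdown vlan" a violation error-disables the whole port; with it,
! only the offending VLAN on that port is shut down.
errdisable detect cause security-violation shutdown vlan
!
interface GigabitEthernet1/0/10
 description shutdown mode: error-disable the port when a second device appears
 switchport mode access
 authentication port-control auto
 authentication violation shutdown
 dot1x pae authenticator
!
interface GigabitEthernet1/0/11
 description restrict mode: drop the new device's packets and log a syslog message
 switchport mode access
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator
!
interface GigabitEthernet1/0/12
 description protect mode: drop the new device's packets silently
 switchport mode access
 authentication port-control auto
 authentication violation protect
 dot1x pae authenticator
!
! Checks:
! show errdisable recovery                 (security-violation should be Enabled)
! show interfaces status err-disabled      (ports currently held down, with the cause)
```

Use shutdown where a second MAC on a port is always hostile (a hub or an unmanaged switch behind a user port) and you want the event to be visible and blocking; restrict keeps the first device working and still gives you a syslog record to alert on; protect gives you neither, so it is the right choice only where the log noise is the problem.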
This is the 802.1x AAA process:
Step 1 A user connects to a port on the switch.
Step 2 Authentication is performed.
Step 3 VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.
Step 4 The switch sends a start message to an accounting server.
Step 5 Re-authentication is performed, as necessary.
Step 10 dot1x port-control auto: Enable 802.1x authentication on the port. For feature interaction information, see the “802.1x Authentication Configuration Guidelines” section on page 11-36.
Step 11 end: Return to privileged EXEC mode.
Step 12 show dot1x: Verify your entries.
Step 13 copy running-config startup-config: (Optional) Save your entries in the configuration file.
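A complete configuration for the procedure that ends with Step 13 above, combined with the three tasks listed earlier for 802.1x authentication with VLAN assignment (AAA authorization with the network keyword, 802.1x on an access port, tunnel attributes on the RADIUS server). This is an added example, not configuration from the guide. The RADIUS server address 10.0.0.5, the key, VLAN numbers 10 and 20, and interface GigabitEthernet1/0/1 are assumed values; the tunnel attribute numbers and values come from RFC 2868, not from this page.

```cisco
! Added example (not from the guide): baseline 802.1x with RADIUS-driven VLAN assignment.
! Assumed values: RADIUS server 10.0.0.5, shared key R4d1usK3y, VLAN 10 as the
! pre-authentication access VLAN, VLAN 20 returned by the server, GigabitEthernet1/0/1.
aaa new-model
! Authenticate 802.1x supplicants against the RADIUS server group.
aaa authentication dot1x default group radius
! The "network" keyword is what allows the RADIUS server to push interface
! configuration such as the VLAN (and per-user ACLs). Without it the VLAN in the
! Access-Accept is ignored.
aaa authorization network default group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key R4d1usK3y
! Enable 802.1x globally; per-port settings have no effect until this is set.
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! Start in the unauthorized state; only EAPOL passes until authentication succeeds.
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! The RADIUS server returns the VLAN in the standard tunnel attributes (RFC 2868):
!   Tunnel-Type [64]             = VLAN (13)
!   Tunnel-Medium-Type [65]      = 802 (6)
!   Tunnel-Private-Group-ID [81] = "20"    (VLAN ID, or a VLAN name known to the switch)
!
! Checks after a supplicant authenticates:
! show authentication sessions interface GigabitEthernet1/0/1
!   (expect "Authorized By: Authentication Server" and "Vlan Policy: 20")
! show dot1x interface GigabitEthernet1/0/1
! show vlan brief                                   (the port should now be listed under VLAN 20)
```

The check matters: if the port still shows the static access VLAN after a successful authentication, the usual cause is the missing aaa authorization network line, a VLAN returned by the server that does not exist on the switch, or a tunnel attribute sent with the wrong type or medium value.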
This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use port 1612 as the authorization port, and to set the encryption key to rad123, matching the key on the RADIUS server: Switch(config)# radius-server host 172.20.39.
Step 5 show authentication interface interface-id or show dot1x interface interface-id: Verify your entries. Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. To disable multiple hosts on the port, use the no authentication host-mode or the no dot1x host-mode multi-host interface configuration command. This example shows how to enable 802.
Step 4 authentication timer {{[inactivity | : Set the number of seconds between re-authentication attempts.
Changing the Quiet Period When the switch cannot authenticate the client, the switch remains idle for a set period of time and then tries again. The dot1x timeout quiet-period interface configuration command controls the idle period. A failed authentication of the client might occur because the client provided an invalid password.
Step 3 dot1x timeout tx-period seconds: Set the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request. The range is 1 to 65535 seconds; the default is 5. Step 4 end: Return to privileged EXEC mode. Step 5 show authentication interface interface-id: Verify your entries.
This example shows how to set 5 as the number of times that the switch sends an EAP-request/identity request before restarting the authentication process: Switch(config-if)# dot1x max-req 5 Setting the Re-Authentication Number You can also change the number of times that the switch restarts the authentication process before the port changes to the unauthorized state.
show run: Verify your entries. copy running-config startup-config: (Optional) Save your entries in the configuration file. This example shows how to globally enable MAC move on a switch: Switch(config)# authentication mac-move permit Configuring 802.1x Accounting Enabling AAA system accounting with 802.
This example shows how to configure 802.1x accounting. The first command configures the RADIUS server, specifying 1813 as the UDP port for accounting: Switch(config)# radius-server host 172.120.39.
This example shows how to set 3 as the quiet time on the switch, to set 15 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before re-sending the request, and to enable VLAN 2 as an 802.1x guest VLAN when an 802.
You can configure the maximum number of authentication attempts allowed before a user is assigned to the restricted VLAN by using the dot1x auth-fail max-attempts interface configuration command. The range of allowable authentication attempts is 1 to 3. The default is 3 attempts. Beginning in privileged EXEC mode, follow these steps to configure the maximum number of allowed authentication attempts.
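One port configured with both fallback VLANs described earlier in this chapter: a guest VLAN for hosts that never answer EAP-Request/Identity, and a restricted VLAN for supplicants that present bad credentials, with the attempt limit from the paragraph above. This is an added example, not configuration from the guide; VLAN numbers 2, 3, and 10, the interface name, the attempt count of 2, and the 600-second re-authentication period are assumed values.

```cisco
! Added example (not from the guide): guest VLAN plus restricted (auth-fail) VLAN
! on one access port. VLAN numbers, interface name, attempt count and timers are
! assumed values.
vlan 2
 name GUEST-NO-SUPPLICANT
vlan 3
 name AUTH-FAIL
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 ! No EAPOL reply after the EAP-Request/Identity retries: place the host in VLAN 2.
 dot1x guest-vlan 2
 ! A real supplicant that fails: after 2 failed attempts (range 1-3, default 3)
 ! move it to VLAN 3 instead of leaving the port unauthorized.
 dot1x auth-fail vlan 3
 dot1x auth-fail max-attempts 2
 ! Re-authenticate periodically so a host that later gets a working supplicant
 ! (or corrected credentials) does not stay in the fallback VLAN indefinitely.
 dot1x reauthentication
 dot1x timeout reauth-period 600
!
! Checks:
! show dot1x interface GigabitEthernet1/0/5
!   (Guest-Vlan = 2, AuthFail-Vlan = 3, AuthFail-Max-Attempts = 2)
! show authentication sessions interface GigabitEthernet1/0/5
!   (after a failure, "Authorized By: Auth Fail Vlan" and "Vlan Policy: 3")
```

Both fallback VLANs should carry only the limited services the chapter describes (for example a remediation server and supplicant download); if they are routed to the same resources as VLAN 10, a host can reach those resources simply by not running a supplicant, and the authentication adds nothing.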
Beginning in privileged EXEC mode, follow these steps to configure the port as a critical port and enable the inaccessible authentication bypass feature. This procedure is optional. Command Purpose Step 1 configure terminal: Enter global configuration mode.
Step 5 dot1x critical {eapol | recovery delay milliseconds}: (Optional) Configure the parameters for inaccessible authentication bypass: eapol—Specify that the switch sends an EAPOL-Success message when the switch successfully authenticates the critical port.
Switch(config-if)# dot1x critical
Switch(config-if)# dot1x critical recovery action reinitialize
Switch(config-if)# dot1x critical vlan 20
Switch(config-if)# end
Configuring 802.1x Authentication with WoL Beginning in privileged EXEC mode, follow these steps to enable 802.1x authentication with WoL. This procedure is optional. Command Purpose Step 1 configure terminal: Enter global configuration mode.
Step 3 authentication port-control auto or dot1x port-control auto: Enable 802.1x authentication on the port. Step 4 dot1x mac-auth-bypass [eap]: Enable MAC authentication bypass. (Optional) Use the eap keyword to configure the switch to use EAP for authorization. Step 5 end: Return to privileged EXEC mode. Step 6 show authentication interface interface-id: Verify your entries.
Step 5 dot1x timeout reauth-period {seconds | server}: Set the number of seconds between re-authentication attempts. The keywords have these meanings: • seconds—Sets the number of seconds from 1 to 65535; the default is 3600 seconds.
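A single port that ties together the WoL and MAC authentication bypass procedures above and the server keyword of Step 5, with the Termination-Action caveat from the MAC authentication bypass discussion earlier in the chapter. This is an added example, not configuration from the guide; the interface name and VLAN 10 are assumed values, and the Termination-Action value names (Default, RADIUS-Request) are from the RADIUS attribute definition rather than from this page.

```cisco
! Added example (not from the guide): a desktop port that must accept Wake-on-LAN
! magic packets while unauthorized, falls back to MAC authentication bypass for a
! host with no supplicant, and takes its re-authentication period from RADIUS.
! Interface name and VLAN are assumed values.
interface GigabitEthernet1/0/20
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 ! Unidirectional control: the unauthorized port may still send frames toward the
 ! host, so WoL magic packets reach a powered-off PC; nothing from the host is
 ! accepted until it authenticates. The default (both) blocks both directions.
 dot1x control-direction in
 ! Hosts that never send EAPOL are authenticated by their MAC address instead.
 dot1x mac-auth-bypass
 ! Re-authenticate, using Session-Timeout [27] from the RADIUS reply rather than a
 ! fixed period configured on the switch.
 dot1x reauthentication
 dot1x timeout reauth-period server
!
! Caveat from the guide: when the server returns Termination-Action [29] = Default,
! the MAC authentication bypass session ends at each re-authentication and the host
! loses connectivity. Return Termination-Action = RADIUS-Request so the switch
! re-authenticates in place.
!
! Checks:
! show authentication sessions interface GigabitEthernet1/0/20
!   (expect "Session timeout: ...s (server)" and "Timeout action: Reauthenticate")
! show dot1x interface GigabitEthernet1/0/20     (ControlDirection = In)
```

Keep in mind what control-direction in does and does not give you: a powered-off PC can be woken, but any device plugged into the port also receives whatever the switch floods toward it before authenticating, so the port is no longer a complete barrier in the outbound direction.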
Step 7 spanning-tree portfast: Enable Port Fast on an access port connected to a single workstation or server. Step 8 end: Return to privileged EXEC mode. Step 9 show running-config interface interface-id: Verify your configuration. Step 10 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Step 7 ip access-group acl-id in: Configure the default ACL on the port in the input direction. Note The acl-id is an access list name or number. Step 8 show running-config interface interface-id: Verify your configuration. Step 9 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Step 9 ip device tracking probe count count: (Optional) Configures the IP device tracking table: count count–Sets the number of times that the switch sends the ARP probe. The range is from 1 to 5. The default is 3.
Step 10 ip device tracking probe interval interval: interval interval–Sets the number of seconds that the switch waits for a response before resending the ARP probe. The range is from 30 to 300 seconds.
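The default ACL of Step 7 and the device tracking settings of Steps 9 and 10 in one configuration, as an added example that is not part of the guide. The ACL contents, the name PREAUTH-ACL, the interface name, and the probe values are assumptions; the only requirement the guide states is that the source of every statement be any.

```cisco
! Added example (not from the guide): a pre-authentication default ACL applied
! inbound on the port, which the per-user ACL returned by RADIUS supersedes once
! the host authenticates. ACL contents, name, interface and probe settings are
! assumed values.
!
! The switch needs the host's IP address to apply a per-user ACL to it; the
! device tracking table learns it by ARP probing.
ip device tracking
ip device tracking probe count 3
ip device tracking probe interval 30
!
! Source must be "any" (required by the guide, and the only form accepted in
! multiple-host mode). Permit only what an unauthenticated host needs to get an
! address and resolve names; deny everything else.
ip access-list extended PREAUTH-ACL
 remark pre-authentication: DHCP and DNS only
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any any
!
interface GigabitEthernet1/0/7
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 ip access-group PREAUTH-ACL in
!
! Checks:
! show ip device tracking all                       (host IP learned on Gi1/0/7)
! show ip access-lists interface GigabitEthernet1/0/7   (ACL in effect for the session)
! show authentication sessions interface GigabitEthernet1/0/7
```

The deny at the end is the point of the default ACL: without it, a host that has not authenticated yet has the same reach as an authorized one for everything except the RADIUS-assigned policy.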
This example shows how to globally enable VLAN ID-based MAC authentication on a switch: Switch# config terminal Enter configuration commands, one per line. End with CNTL/Z.
Step 8 authentication periodic: (Optional) Enable or disable reauthentication on a port. Step 9 authentication port-control {auto | force-authorized | force-unauthorized}: (Optional) Enable manual control of the port authorization state. Step 10 show authentication: (Optional) Verify your entries.
Disabling 802.1x Authentication on the Port You can disable 802.1x authentication on the port by using the no dot1x pae interface configuration command. Beginning in privileged EXEC mode, follow these steps to disable 802.1x authentication on the port. This procedure is optional. Command Purpose Step 1 configure terminal: Enter global configuration mode.
Configuring MKA and MACsec • Configuring an MKA Policy, page 11-67 • Configuring MACsec on an Interface, page 11-67 Configuring an MKA Policy Beginning in privileged EXEC mode, follow these steps to create an MKA Protocol policy: Command Purpose Step 1 configure terminal: Enter global configuration mode. Step 2 mka policy policy-name: Identify an MKA policy, and enter MKA policy configuration mode.
Step 7 authentication host-mode multi-domain: Configure authentication manager mode on the port to allow both a host and a voice device to be authenticated on the 802.1x-authorized port. If not configured, the default host mode is single. Step 8 authentication linksec policy must-secure: Set the LinkSec security policy to secure the session with MACsec if the peer is available.
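The MKA policy of the previous procedure and the MACsec interface steps above, written out as one configuration. This is an added example, not configuration from the guide; the policy name MKA-HOST, the offset and window values, VLAN 10, and the interface name are assumed values. The port is left in the default single-host mode because, as the chapter notes, no IP phones support MACsec and MKA, so a multi-domain port gains nothing from MACsec on the voice side.

```cisco
! Added example (not from the guide): an MKA policy and a MACsec-capable access port.
! Policy name, confidentiality offset, replay window, VLAN and interface are assumed.
mka policy MKA-HOST
 ! Leave the first 30 bytes of each frame unencrypted (allowed values: 0, 30, 50).
 ! Anything other than 0 exposes that many bytes of every frame's payload on the wire.
 confidentiality-offset 30
 ! Window of 0: frames must arrive strictly in order. A larger window tolerates
 ! reordering but lets an attacker replay any frame inside it.
 replay-protection window-size 0
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 ! Default single-host mode; MACsec/MKA also supports multi-host and MDA, but not
 ! multiple-authentication mode.
 authentication port-control auto
 dot1x pae authenticator
 ! Enable MACsec on the link and require it once a MACsec-capable peer is present.
 macsec
 authentication linksec policy must-secure
 ! Apply the policy; removing it disables MKA on this interface.
 mka policy MKA-HOST
!
! Checks:
! show mka policy MKA-HOST
! show mka sessions interface GigabitEthernet1/0/3   (one Secured session after 802.1x succeeds)
! show macsec interface GigabitEthernet1/0/3
! show authentication sessions interface GigabitEthernet1/0/3
```

A supplicant that authenticates but never establishes an MKA session leaves the port authorized by 802.1x yet unencrypted if the policy were should-secure; must-secure is what makes an absent or failed MKA session a failure rather than a silent fallback, so verify the session state, not just the 802.1x result.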
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 10
Session timeout: 3600s (server), Remaining: 3567s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 0A05783B0000001700448BA8
Acct Session ID: 0x00000019
Handle: 0x06000017
Runnable methods list:
Method State
dot1x Authc Success
Displaying 802.1x Statistics and Status To display 802.
CHAPTER 12 Configuring Web-Based Authentication This chapter describes how to configure web-based authentication on the Catalyst 3750-X or 3560-X switch. It contains these sections: • Understanding Web-Based Authentication, page 12-1 • Configuring Web-Based Authentication, page 12-9 • Displaying Web-Based Authentication Status, page 12-17 Note For complete syntax and usage information for the switch commands used in this chapter, refer to the command reference for this release.
Understanding Web-Based Authentication • Authentication Process, page 12-3 • Web Authentication Customizable Web Pages, page 12-6 • Web-based Authentication Interactions with Other Features, page 12-7 Device Roles With web-based authentication, the devices in the network have these specific roles: • Client—The device (workstation) that requests access to the LAN and the services and responds to requests from the switch.
Session Creation When web-based authentication detects a new host, it creates a session as follows: • Reviews the exception list. If the host IP is included in the exception list, the policy from the exception list entry is applied, and the session is established.
Local Web Authentication Banner You can create a banner that appears when you log in to a switch by using web authentication. The banner appears on both the login page and the authentication-result pop-up pages: • Authentication Successful • Authentication Failed • Authentication Expired You create a banner by using the ip admission auth-proxy-banner http global configuration command.
Figure 12-3 Customized Web Banner If you do not enable a banner, only the username and password dialog boxes appear in the web authentication login screen, and no banner appears when you log into the switch, as shown in Figure 12-4. Figure 12-4 Login Screen With No Banner For more information, see the Cisco IOS Security Command Reference and the “Configuring a Web Authentication Local Banner” section on page 12-16.
Web Authentication Customizable Web Pages During the web-based authentication process, the switch internal HTTP server hosts four HTML pages to deliver to an authenticating client. The server uses these pages to notify you of these four authentication-process states: • Login—Your credentials are requested. • Success—The login was successful. • Fail—The login failed.
Figure 12-5 Customizable Authentication Page For more information, see the “Customizing the Authentication Proxy Web Pages” section on page 12-13. Web-based Authentication Interactions with Other Features • Port Security, page 12-7 • LAN Port IP, page 12-8 • Gateway IP, page 12-8 • ACLs, page 12-8 • Context-Based Access Control, page 12-8 • 802.
LAN Port IP You can configure LAN port IP (LPIP) and Layer 2 web-based authentication on the same port. The host is authenticated by using web-based authentication first, followed by LPIP posture validation. The LPIP host policy overrides the web-based authentication host policy. If the web-based authentication idle timer expires, the NAC policy is removed. The host is authenticated, and posture is validated again.
Configuring Web-Based Authentication • Default Web-Based Authentication Configuration, page 12-9 • Web-Based Authentication Configuration Guidelines and Restrictions, page 12-9 • Web-Based Authentication Configuration Task List, page 12-10 • Configuring the Authentication Rule and Interfaces, page 12-10 • Configuring AAA Authentication, page 12-11 • Configuring Switch-to-RADIUS-Server Communication, page 12-11
• Hosts that are more than one hop away might experience traffic disruption if an STP topology change results in the host traffic arriving on a different port. This occurs because the ARP and DHCP updates might not be sent after a Layer 2 (STP) topology change. • Web-based authentication does not support VLAN assignment as a downloadable-host policy. • Web-based authentication is not supported for IPv6 traffic.
Authentication global absolute time is 0 minutes
Authentication global init state time is 2 minutes
Authentication Proxy Watch-list is disabled
Authentication Proxy Rule Configuration
 Auth-proxy name webauth1
 http list not specified inactivity-time 60 minutes
Authentication Proxy Auditing is disabled
Max Login attempts per user is 5
Configuring AAA Authentication Command Purpose Step 1 aaa new-model: Enables AAA funct
To configure the RADIUS server parameters, perform this task: Command Purpose Step 1 ip radius source-interface interface_name: Specify that the RADIUS packets have the IP address of the indicated interface. Step 2 radius-server host {hostname | ip-address} test username username: Specify the host name or IP address of the remote RADIUS server.
This example shows how to configure the RADIUS server parameters on a switch:
Switch(config)# ip radius source-interface Vlan80
Switch(config)# radius-server host 172.120.39.46 test username user1
Switch(config)# radius-server key rad123
Switch(config)# radius-server dead-criteria tries 2
Configuring the HTTP Server To use web-based authentication, you must enable the HTTP server within the switch.
When configuring customized authentication proxy web pages, follow these guidelines: • To enable the custom web pages feature, specify all four custom HTML files. If you specify fewer than four files, the internal default HTML pages are used. • The four custom HTML files must be present on the flash memory of the switch. The maximum size of each HTML file is 8 KB.
Specifying a Redirection URL for Successful Login You can specify a URL to which the user is redirected after authentication, effectively replacing the internal Success HTML page. Command Purpose ip admission proxy http success redirect url-string: Specify a URL for redirection of the user in place of the default login success page.
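The web-based authentication task list above (authentication rule and interface, AAA, switch-to-RADIUS communication, HTTP server, custom pages, success redirect) as one configuration. This is an added example, not configuration from the guide; the RADIUS address and key, VLAN 80, the rule name webauth1, the four file names in flash, the redirect URL, the ACL name and contents, and the interface name are assumed values.

```cisco
! Added example (not from the guide): Layer 2 web-based authentication on one port
! with custom pages and a post-login redirect. RADIUS server, key, VLAN, file names,
! redirect URL, ACL and interface name are assumed values.
aaa new-model
! Web-auth credentials are checked with the login method; auth-proxy authorization
! is what lets the RADIUS server return the host policy.
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
ip radius source-interface Vlan80
radius-server host 10.0.0.5 test username probe-user
radius-server key R4d1usK3y
radius-server dead-criteria tries 2
!
! The switch's own HTTP server answers the intercepted request, so it must be on.
! Enable the secure server too so the login form can be served over HTTPS rather
! than sending the password in the clear.
ip http server
ip http secure-server
!
! The session is keyed on the client IP address; device tracking learns it.
ip device tracking
!
! Authentication rule: intercept HTTP and expire idle sessions after 60 minutes.
ip admission name webauth1 proxy http inactivity-time 60
! All four files must be in flash (each 8 KB or less); with fewer than four, the
! built-in pages are used instead.
ip admission proxy http login page file flash:login.html
ip admission proxy http success page file flash:success.html
ip admission proxy http failure page file flash:fail.html
ip admission proxy http login expired page file flash:expired.html
! Send the user to a portal instead of the success page.
ip admission proxy http success redirect www.example.com/welcome
!
! Before login only DHCP and DNS are allowed; the RADIUS host policy replaces this.
ip access-list extended WEBAUTH-PREAUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any any
!
interface GigabitEthernet1/0/15
 switchport mode access
 switchport access vlan 80
 ip access-group WEBAUTH-PREAUTH in
 ip admission webauth1
!
! Checks:
! show ip admission configuration          (rule webauth1, inactivity-time 60 minutes)
! show ip admission cache                  (state ESTAB per client; "(AAA Down)" means
!                                           no RADIUS server answered)
```

The dead-criteria line and the test username are what make the AAA Down state visible in show ip admission cache: the switch probes the server with that username and marks it dead after the configured number of failed tries, so an ESTAB (AAA Down) entry tells you the host was admitted by the AAA-down policy rather than by a successful login.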
Chapter 12 Configuring Web-Based Authentication Configuring Web-Based Authentication This example shows how to determine whether any connected hosts are in the AAA Down state: Switch# show ip admission cache Authentication Proxy Cache Client IP 209.165.201.11 Port 0, timeout 60, state ESTAB (AAA Down) This example shows how to view detailed information about a particular session based on the host IP address: Switch# show ip admission cache 209.165.201.11 Address : 209.165.201.11 MAC Address : 0000.0000.
Chapter 12 Configuring Web-Based Authentication Displaying Web-Based Authentication Status Command Purpose Step 3 end Return to privileged EXEC mode. Step 4 copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 13 Configuring Interface Characteristics
This chapter defines the types of interfaces on the Catalyst 3750-X or 3560-X switch and describes how to configure them. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Interface Types
These sections describe the interface types:
• Port-Based VLANs, page 13-2
• Switch Ports, page 13-2
• Routed Ports, page 13-4
• Switch Virtual Interfaces, page 13-5
• EtherChannel Port Groups, page 13-6
• 10-Gigabit Ethernet Interfaces, page 13-7
• Power over Ethernet Ports, page 13-7
• Connecting Interfaces, page 13-12
Port-Based VLANs
A VLAN is a switched network that is logically segmented by function, team, or applicati
configure tunnel ports as part of an asymmetric link connected to an IEEE 802.1Q trunk port. Switch ports are used for managing the physical interface and associated Layer 2 protocols and do not handle routing or bridging. Configure switch ports by using the switchport interface configuration commands. Use the switchport command with no keywords to put an interface that is in Layer 3 mode into Layer 2 mode.
Although by default a trunk port is a member of every VLAN known to the VTP, you can limit VLAN membership by configuring an allowed list of VLANs for each trunk port. The list of allowed VLANs does not affect any other port but the associated trunk port. By default, all possible VLANs (VLAN ID 1 to 4094) are in the allowed list.
The number of routed ports that you can configure is not limited by software. However, the interrelationship between this number and the number of other features being configured might impact CPU performance because of hardware limitations. See the “Configuring Layer 3 Interfaces” section on page 13-37 for information about what happens when hardware resource limitations are reached.
Note The LAN base feature set does not support routing. The IP base feature set supports static routing and RIP. For more advanced routing or for fallback bridging, enable the IP services feature set on the standalone switch or the stack master. For information about using the software activation feature to install a software license for a specific feature set, see the Cisco IOS Software Activation document.
10-Gigabit Ethernet Interfaces
The Catalyst 3750-X and 3560-X switches have a network module slot into which you can insert a 10-Gigabit Ethernet network module, a 1-Gigabit Ethernet network module, or a blank module. A 10-Gigabit Ethernet interface operates only in full-duplex mode. The interface can be configured as a switched or routed port.
Cisco intelligent power management is backward-compatible with CDP with power consumption; the switch responds according to the CDP message that it receives. CDP is not supported on third-party powered devices; therefore, the switch uses the IEEE classification to determine the power usage of the device.
• IEEE 802.
With PoE+, powered devices use IEEE 802.3at and LLDP power with media dependent interface (MDI) type, length, and value descriptions (TLVs), Power-via-MDI TLVs, for negotiating power up to 30 W. Cisco pre-standard devices and Cisco IEEE powered devices can use CDP or the IEEE 802.3at power-via-MDI power negotiation mechanism to request power levels up to 30 W.
• static—The switch pre-allocates power to the port (even when no powered device is connected) and guarantees that power will be available for the port. The switch allocates the port configured maximum wattage, and the amount is never adjusted through the IEEE class or by CDP messages from the powered device.
Maximum Power Allocation (Cutoff Power) on a PoE Port
When power policing is enabled, the switch determines one of these values as the cutoff power on the PoE port, in this order:
1. Manually, when you set the user-defined power level that the switch budgets for the port by using the power inline consumption default wattage global or interface configuration command
2.
(6300 mW). The switch provides power to the connected devices on the port if the device needs up to 6.3 W. If the CDP-power negotiated value or the IEEE classification value exceeds the configured cutoff value, the switch does not provide power to the connected device.
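The cutoff decision described above, as an added example that is not Cisco's code: the cutoff is the user-configured power inline consumption value (4000 to 15400 mW, default 15400 mW), the device's request is the CDP-negotiated value or, for devices without CDP, its IEEE class, and a request above the cutoff is refused. The class-to-milliwatt table is the standard IEEE 802.3af/at one; treating class 4 as 30 W on every port is an assumption.

```python
"""PoE cutoff-power decision for a Catalyst port with power policing enabled.

Added example, not from the configuration guide. It models the precedence the
guide states: a manually configured 'power inline consumption' value sets the
cutoff; the powered device's demand comes from CDP negotiation or, failing
that, from its IEEE class; demand above the cutoff means no power.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# IEEE 802.3af/at class -> maximum power drawn at the port, in milliwatts.
# (Assumption: class 4 is treated as the 30 W PoE+ value on every port.)
IEEE_CLASS_MW = {0: 15400, 1: 4000, 2: 7000, 3: 15400, 4: 30000}

# 'power inline consumption wattage' accepts 4000-15400 mW; default 15400 mW.
CONSUMPTION_MIN_MW, CONSUMPTION_MAX_MW = 4000, 15400
CONSUMPTION_DEFAULT_MW = 15400


@dataclass
class PoePort:
    # Value from 'power inline consumption'; None means not configured.
    configured_consumption_mw: Optional[int] = None


@dataclass
class PoweredDevice:
    cdp_negotiated_mw: Optional[int] = None  # None: device does not speak CDP
    ieee_class: Optional[int] = None         # None: no classification signature


def validate_consumption(mw: int) -> int:
    """Reject values outside the CLI range, as the switch would."""
    if not CONSUMPTION_MIN_MW <= mw <= CONSUMPTION_MAX_MW:
        raise ValueError(
            f"consumption {mw} mW outside {CONSUMPTION_MIN_MW}-{CONSUMPTION_MAX_MW} mW"
        )
    return mw


def cutoff_power_mw(port: PoePort) -> int:
    """Manual configuration wins; otherwise the command's default applies."""
    if port.configured_consumption_mw is not None:
        return validate_consumption(port.configured_consumption_mw)
    return CONSUMPTION_DEFAULT_MW


def requested_power_mw(device: PoweredDevice) -> int:
    """CDP-negotiated value if present; else IEEE class (unknown = class 0)."""
    if device.cdp_negotiated_mw is not None:
        return device.cdp_negotiated_mw
    return IEEE_CLASS_MW.get(device.ieee_class, IEEE_CLASS_MW[0])


def power_decision(port: PoePort, device: PoweredDevice) -> Tuple[bool, int, int]:
    """Return (powered, cutoff_mw, requested_mw) for the port/device pair."""
    cutoff = cutoff_power_mw(port)
    requested = requested_power_mw(device)
    return (requested <= cutoff, cutoff, requested)


if __name__ == "__main__":
    # Constructed scenario: port budgeted at 6.3 W, phone negotiates 6 W via CDP.
    print(power_decision(PoePort(6300), PoweredDevice(cdp_negotiated_mw=6000)))
    # Same port, a class 2 (7 W) device without CDP: refused.
    print(power_decision(PoePort(6300), PoweredDevice(ieee_class=2)))
```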
possible, to maintain high performance, forwarding is done by the switch hardware. However, only IPv4 packets with Ethernet II encapsulation are routed in hardware. Non-IP traffic and traffic with other encapsulation methods are fallback-bridged by hardware.
Note
• The routing function can be enabled on all SVIs and routed ports. The switch routes only IP traffic.
Using the Switch USB Ports
switch-stack-1
*Mar 1 00:01:00.171: %USB_CONSOLE-6-MEDIA_RJ45: Console media-type is RJ45.
*Mar 1 00:01:00.431: %USB_CONSOLE-6-MEDIA_USB: Console media-type is USB.
switch-stack-2
*Mar 1 00:01:09.835: %USB_CONSOLE-6-MEDIA_RJ45: Console media-type is RJ45.
switch-stack-3
*Mar 1 00:01:10.523: %USB_CONSOLE-6-MEDIA_RJ45: Console media-type is RJ45.
This example reverses the previous configuration and immediately activates any USB console that is connected.
Switch# configure terminal
Switch(config)# line console 0
Switch(config-line)# no media-type rj45
Configuring the USB Inactivity Timeout
The configurable inactivity timeout reactivates the RJ-45 console if the USB console is activated but no input activity occurs on it for a specified time period.
USB Type A Port
The USB Type A port provides access to external Cisco USB flash devices, also known as thumb drives or USB keys. The switch supports Cisco 64 MB, 256 MB, 512 MB, and 1 GB flash drives. You can use standard Cisco IOS command-line interface (CLI) commands to read, write, erase, and copy to or from the flash device. You can also configure the switch to boot from the USB flash drive.
Interface: Number: 0
  Description: Bulk
  Class Code: 8
  Subclass: 6
  Protocol: 80
  Number of Endpoints: 2
  Endpoint: Number: 1
    Transfer Type: BULK
    Transfer Direction: Device to Host
    Max Packet: 512
    Interval: 0
  Endpoint: Number: 2
    Transfer Type: BULK
    Transfer Direction: Host to Device
    Max Packet: 512
    Interval: 0
This is sample output from the show usb port command:
Switch# show usb port
Port Number: 0
Status: Enabled
Connection
Using Interface Configuration Mode
• Module number—The module or slot number on the switch, which is always 0.
• Port number—The interface number on the switch. The 10/100/1000 port numbers always begin at 1, starting with the far left port when facing the front of the switch, for example, gigabitethernet1/0/1 or gigabitethernet1/0/8.
Step 3 Follow each interface command with the interface configuration commands that the interface requires. The commands that you enter define the protocols and applications that will run on the interface. The commands are collected and applied to the interface when you enter another interface command or enter end to return to privileged EXEC mode.
– gigabitethernet module/{first port} - {last port} (for 3560-X switches), where the module is always 0
– gigabitethernet stack member/module/{first port} - {last port} (for 3750-X switches), where the module is always 0
– tengigabitethernet module/{first port} - {last port} (for 3560-X switches), where the module is always 0
– tengigabitethernet stack member/module/{first port} - {last port} (for 3750-X switches), where
Configuring and Using Interface Range Macros
You can create an interface range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro global configuration command string, you must use the define interface-range global configuration command to define the macro.
• You must add a space between the first interface number and the hyphen when entering an interface range. For example, gigabitethernet1/0/1 - 4 is a valid range; gigabitethernet1/0/1-4 is not a valid range.
• The VLAN interfaces must have been configured with the interface vlan command. The show running-config privileged EXEC command displays the configured VLAN interfaces.
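The interface-range syntax rules above (module always 0, a space before the hyphen, VLAN interfaces must already exist) as an added validator, not code from the guide. The configured_svis argument stands in for what show running-config would list; the expanded interface names it returns are an assumption about naming, not switch output.

```python
"""Validate and expand Catalyst interface-range strings.

Added example, not from the configuration guide. Accepted forms follow the
guide: gigabitethernet/tengigabitethernet module/first - last (3560-X) or
stack-member/module/first - last (3750-X), module always 0, and
vlan first - last where every VLAN interface already exists.
"""
import re
from typing import Iterable, List

_ETH_RANGE = re.compile(
    r"^(?P<type>gigabitethernet|tengigabitethernet)"
    r"(?:(?P<member>\d+)/)?(?P<module>\d+)/(?P<first>\d+)"
    r"\s+-\s*(?P<last>\d+)$"          # whitespace before the hyphen is mandatory
)
_VLAN_RANGE = re.compile(r"^vlan\s+(?P<first>\d+)\s+-\s*(?P<last>\d+)$")
_VLAN_MAX = 4094


def parse_interface_range(spec: str, configured_svis: Iterable[int] = ()) -> List[str]:
    """Return the interfaces a range selects, or raise ValueError explaining why not."""
    text = spec.strip().lower()

    m = _ETH_RANGE.match(text)
    if m:
        if m["module"] != "0":
            raise ValueError("the module number is always 0 on these switches")
        first, last = int(m["first"]), int(m["last"])
        if first < 1 or first > last:
            raise ValueError(f"bad port range {first}-{last}: ports start at 1 and first <= last")
        prefix = m["type"] + (f"{m['member']}/" if m["member"] else "") + "0/"
        return [f"{prefix}{port}" for port in range(first, last + 1)]

    m = _VLAN_RANGE.match(text)
    if m:
        first, last = int(m["first"]), int(m["last"])
        if first < 1 or last > _VLAN_MAX or first > last:
            raise ValueError(f"bad VLAN range {first}-{last}: 1 <= first <= last <= {_VLAN_MAX}")
        existing = set(configured_svis)
        missing = [v for v in range(first, last + 1) if v not in existing]
        if missing:
            raise ValueError(f"VLAN interface(s) not configured with 'interface vlan': {missing}")
        return [f"vlan{v}" for v in range(first, last + 1)]

    if re.search(r"\d-\d", text):
        raise ValueError("a space is required between the first interface number and the hyphen")
    raise ValueError(f"unrecognised interface range: {spec!r}")


def is_valid_interface_range(spec: str, configured_svis: Iterable[int] = ()) -> bool:
    """Boolean wrapper for quick checks in a config linter."""
    try:
        parse_interface_range(spec, configured_svis)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("gigabitethernet1/0/1 - 4", "gigabitethernet1/0/1-4", "vlan 10 - 12"):
        try:
            print(candidate, "->", parse_interface_range(candidate, configured_svis=[10, 11]))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```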
Using the Ethernet Management Port
Understanding the Ethernet Management Port
The Ethernet management port, also referred to as the Fa0 or fastethernet0 port, is a Layer 3 host port to which you can connect a PC. You can use the Ethernet management port instead of the switch console port for network management. When managing a switch stack, connect the PC to the Ethernet management port on a Catalyst 3750-X or Catalyst 3750-E stack member.
Figure 13-3 Connecting a Switch Stack to a PC (figure: stack members 1 through 7 connected through a hub to a PC by their Ethernet management ports; Catalyst 3750 switches do not have Ethernet management ports, so Catalyst 3750 switches in a mixed stack are not connected to the hub.)
By default, the Ethernet management port is enabled.
Supported Features on the Ethernet Management Port
The Ethernet management port supports these features:
• Express Setup (only in switch stacks)
• Network Assistant
• Telnet with passwords
• TFTP
• Secure Shell (SSH)
• DHCP-based autoconfiguration
• SNMP (only the ENTITY-MIB and the IF-MIB)
• IP ping
• Interface features
– Speed—10 Mb/s, 100 Mb/s, and autonegotiation
– Duplex mode—Full, half, and autonegot
TFTP and the Ethernet Management Port
Use the commands in Table 13-2 when using TFTP to download or upload a configuration file to the boot loader.
Table 13-2 Boot Loader Commands
Command            Description
arp [ip_address]   Displays the currently cached ARP table when this command is entered without the ip_address parameter.
Configuring Ethernet Interfaces
Default Ethernet Interface Configuration
Table 13-3 shows the Ethernet interface default configuration, including some features that apply only to Layer 2 interfaces. For more details on the VLAN parameters listed in the table, see Chapter 15, “Configuring VLANs.” For details on controlling traffic to the port, see Chapter 28, “Configuring Port-Based Traffic Control.”
Table 13-3 Default Layer 2 Ethernet Interface Configuration (continued)
Feature                      Default Setting
Auto-MDIX                    Enabled.
Note Power over Ethernet (PoE): The switch might not support a pre-standard powered device—such as Cisco IP phones and access points that do not fully support IEEE 802.3af—if that powered device is connected to the switch through a crossover cable.
Caution Changing the interface speed and duplex mode configuration might shut down and re-enable the interface during the reconfiguration.
Setting the Interface Speed and Duplex Parameters
Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface:
        Command              Purpose
Step 1  configure terminal   Enter global configuration mode.
This example shows how to set the interface speed to 10 Mb/s and the duplex mode to half on a 10/100/1000 Mb/s port:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# speed 10
Switch(config-if)# duplex half
This example shows how to set the interface speed to 100 Mb/s on a 10/100/1000 Mb/s port:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/2
Switch(confi
To disable flow control, use the flowcontrol receive off interface configuration command.
To disable auto-MDIX, use the no mdix auto interface configuration command.
        Command                                                                     Purpose
Step 3  power inline {auto [max max-wattage] | never | static [max max-wattage]}   Configure the PoE mode on the port. The keywords have these meanings:
• auto—Enable powered-device detection. If enough power is available, automatically allocate power to the PoE port after device detection. This is the default setting.
• (Optional) max max-wattage—Limit the power allowed on the port.
Caution You should carefully plan your switch power budget, enable the power monitoring feature, and make certain not to oversubscribe the power supply.
Note When you manually configure the power budget, you must also consider the power loss over the cable between the switch and the powered device.
        Command                            Purpose
Step 4  power inline consumption wattage   Configure the power consumption of a powered device connected to a PoE port on the switch. The range for each device is 4000 to 15400 mW. The default is 15400 mW.
Note When you use this command, we recommend you also enable power policing.
Step 5  end                                Return to privileged EXEC mode.
Step 6  show power inline consumption      Display the power consumption data.
        Command                                                    Purpose
Step 4  exit                                                       Return to global configuration mode.
Step 5  errdisable detect cause inline-power                       (Optional) Enable error recovery from the PoE error-disabled state, and configure the PoE recovery mechanism variables.
        and errdisable recovery cause inline-power                 By default, the recovery interval is 300 seconds. For interval interval, specify the time in seconds to recover from the error-disabled state.
This example shows how to add a description on a port and how to verify the description:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Configuring Layer 3 Interfaces
• If the switch is notified by VLAN Trunking Protocol (VTP) of a new VLAN, it sends a message that there are not enough hardware resources available and shuts down the VLAN. The output of the show vlan user EXEC command shows the VLAN in a suspended state.
Configuring SVI Autostate Exclude
Configuring SVI autostate exclude on an access or trunk port in an SVI excludes that port from the calculation of the SVI line state (up or down), even if it belongs to the same VLAN. When the excluded port is in the up state, and all other ports in the VLAN are in the down state, the SVI state is changed to down.
Configuring the System MTU
• You can enter the system mtu bytes global configuration command on a Catalyst 3750-X switch, but the command does not take effect on the switch. This command only affects the system MTU size on Fast Ethernet ports on Catalyst 3750 members in a mixed hardware switch stack.
Table 13-5 System MTU Values (continued)
Configuration              system mtu command                     system jumbo mtu command                  system routing mtu command
Catalyst 3750-only stack   Use the system mtu bytes command.      Use the system mtu jumbo bytes command.   Use the system mtu routing bytes command.
Catalyst 3750 switch       The range is from 1500 to 1998 bytes.  The range is from 1500 to 9000 bytes.     The range is from 1500 to the system MTU value (in bytes).
If you enter a value that is outside the allowed range for the specific type of interface, the value is not accepted.
Configuring the Cisco RPS 2300 in a Mixed Stack
Beginning in user EXEC mode, follow these steps to configure and manage the RPS 2300:
        Command                                                   Purpose
Step 1  power rps switch-number name {string | serialnumber}      Specify the name of the RPS 2300. The keywords have these meanings:
• switch-number—Specify the stack member to which the RPS 2300 is connected. The range is 1 to 9, depending on the switch member numbers in the stack.
To return to the RPS 2300 default settings, use these commands:
• To return to the default name setting (no name is configured), use the power rps switch-number port rps-port-id name "" user EXEC command with no space between the quotation marks.
• To return to the default port mode, use the power rps switch-number port rps-port-id active command.
Monitoring and Maintaining the Interfaces
These sections contain interface monitoring and maintenance information:
• Monitoring Interface Status, page 13-45
• Clearing and Resetting Interfaces and Counters, page 13-46
• Shutting Down and Restarting the Interface, page 13-47
Monitoring Interface Status
Commands entered at the privileged EXEC prompt display information about the interface, including the versions
Table 13-6 Show Commands for Interfaces (continued)
Command                                         Purpose
show interfaces [interface-id] description      Display the description configured on an interface or all interfaces and the interface status.
show ip interface [interface-id]                Display the usability status of all interfaces configured for IP routing or the specified interface.
Note The clear counters privileged EXEC command does not clear counters retrieved by using Simple Network Management Protocol (SNMP), but only those seen with the show interface privileged EXEC command.
Shutting Down and Restarting the Interface
Shutting down an interface disables all functions on the specified interface and marks the interface as unavailable on all monitoring command displays.
Chapter 14 Configuring Auto Smartports Macros
This chapter describes how to configure and apply Auto Smartports and static Smartports macros on the Catalyst 3750-X or 3560-X switch.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding Auto Smartports and Static Smartports Macros
Auto Smartports uses events to map macros to the source port of the event. The most common event triggers are based on Cisco Discovery Protocol (CDP) messages received from a connected device.
Configuring Auto Smartports
Figure 14-1 Cisco Medianet Deployment Example (figure: device identified through CDP, 802.
Table 14-1 Auto Smartports Built-In Macros (continued)
Macro Name                    Description
CISCO_ROUTER_AUTO_SMARTPORT   This macro applies the router macro for Cisco routers. It enables QoS and trunking with 802.1Q encapsulation, and spanning-tree BPDU protection.
CISCO_AP_AUTO_SMARTPORT       This macro applies the wireless access point macro for Cisco APs. It enables QoS and trunking with 802.1Q encapsulation.
• For 802.1x authentication or MAB, configure the RADIUS server to support the Cisco attribute-value (av) pair auto-smart-port=event trigger to detect non-Cisco devices.
• For stationary devices that do not support CDP, MAB, or 802.1x authentication, such as network printers, you can configure a MAC-address group with a MAC OUI-based trigger and map it to a user-defined macro containing the desired configuration.
Configuring Auto Smartports Default Parameter Values
The switch automatically maps from event triggers to built-in macros. You can follow this procedure to replace Auto Smartports macro default parameter values with values that are specific to your switch. This procedure is optional.
Beginning in privileged EXEC mode:
        Command                  Purpose
Step 1  show macro auto device   Display the macro default parameter values.
Default Macro:CISCO_PHONE_AUTO_SMARTPORT
Current Macro:CISCO_PHONE_AUTO_SMARTPORT
Configurable Parameters:ACCESS_VLAN VOICE_VLAN
Defaults Parameters:ACCESS_VLAN=1 VOICE_VLAN=2
Current Parameters:voice_vlan=20
Configuring Auto Smartports MAC-Address Groups
For devices such as printers that do not support neighbor discovery protocols such as CDP or LLDP, use the MAC-address-based trigger configurations for Auto Smartports.
This example shows how to create a MAC-address-group event trigger called address_trigger and how to verify your entries:
Switch# configure terminal
Switch(config)# macro auto address-group mac address_trigger
Switch(config-addr-grp-mac)# mac-address list 2222.3333.3334 22.33.44 a.b.
Configuring Auto Smartports Built-In Macro Options
Use this procedure to map event triggers to built-in macros and to replace the built-in macro default parameter values with values that are specific to your switch. If you need to replace default parameter values in a macro, use the macro auto device global configuration command. All commands in this procedure are optional.
        Command      Purpose
Step 3  remote url   Specify a remote server location for the remote macro file:
• The syntax for the local flash file system on the standalone switch or the stack master: flash:
• The syntax for the local flash file system on a stack member: flash member number:
• The syntax for FTP: ftp:[[//username[:password]@location]/directory]/filename
• The syntax for an HTTP server: http://[[username:password]@]{
Current configuration : 284 bytes
!
interface GigabitEthernet1/0/1
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust cos
 auto qos voip trust
 macro description CISCO_SWITCH_EVENT
end
This example shows how to configure the remote macro with the setting for native VLAN 5.
a.
Beginning in privileged EXEC mode:
        Command                               Purpose
Step 1  configure terminal                    Enter global configuration mode.
Step 2  shell trigger identifier description  Specify the event trigger identifier and description. The identifier should have no spaces or hyphens between words.
Step 3  end                                   Return to privileged EXEC mode.
Step 4  show shell triggers                   Display the event triggers on the switch.
This example shows how to use the show shell triggers privileged EXEC command to view the event triggers in the switch software:
Switch# show shell triggers
User defined triggers
---------------------
Built-in triggers
-----------------
Trigger Id: CISCO_DMP_EVENT
Trigger description: Digital media-player device event to apply port configuration
Trigger environment: Parameters that can be set in the shell - $ACCESS_VLAN=(1), The value i
    switchport trunk native vlan $NATIVE_VLAN
    switchport trunk allowed vlan ALL
    switchport mode trunk
    switchport nonegotiate
    auto qos voip trust
    mls qos trust cos
    exit
  end
fi
if [[ $LINKUP -eq NO ]]; then
  conf t
  interface $INTERFACE
    no macro description
    no switchport nonegotiate
    no switchport trunk native vlan $NATIVE_VLAN
    no switchport trunk allowed vlan ALL
    no auto qos voip trust
    no mls qos trust cos
    if [[ $AUTH_ENABLED -eq NO ]]; th
Configuring Auto Smartports User-Defined Macros
The Cisco IOS shell provides basic scripting capabilities for configuring the user-defined Auto Smartports macros. These macros can contain multiple lines and can include any CLI command. You can also define variable substitution, conditionals, functions, and triggers within the macro. This procedure is optional.
  conf t
  interface $INTERFACE
    no macro description $TRIGGER
    no switchport access vlan 1
    if [[ $AUTH_ENABLED -eq NO ]]; then
      no switchport mode access
    fi
    no switchport port-security
    no switchport port-security maximum 1
    no switchport port-security violation restrict
    no switchport port-security aging time 2
    no switchport port-security aging type inactivity
    no spanning-tree portfast
    no spanning-tree bpduguard enable
    exit
  fi
}
Switch(con
Configuring Static Smartports Macros
Table 14-3 Unsupported Cisco IOS Shell Reserved Keywords (continued)
Command   Description
until     Looping construct.
while     Looping construct.
• Applying a macro to an interface range is the same as applying a macro to a single interface. When you use an interface range, the macro is applied sequentially to each interface within the range. If a macro command fails on one interface, it is still applied to the remaining interfaces.
• When you apply a macro to a switch or a switch interface, the macro name is automatically added to the switch or interface.
        Command                                                                                  Purpose
Step 7  macro {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]   Apply each individual command defined in the macro to the port by entering macro global apply macro-name. Specify macro global trace macro-name to apply and to debug a macro to find any syntax or configuration errors. Append the macro with the required values by using the parameter value keywords.
Switch(config)# interface gigabitethernet1/0/4
Switch(config)# interface gigabitethernet0/4
Switch(config-if)# macro apply cisco-desktop $AVID 25
Displaying Auto Smartports and Static Smartports Macros
To display the Auto Smartports and static Smartports macros, use one or more of the privileged EXEC commands in Table 14-5.
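The static-macro semantics just described (parameter values supplied as $NAME value, sequential application across interfaces with a failure on one interface not stopping the rest, the macro name recorded on the interface, and apply versus trace) as an added simulation that is not Cisco's code. The cisco-desktop command list and the SimSwitch that rejects switchport commands on a routed port are constructed for the example.

```python
"""Simulate 'macro apply' / 'macro trace' for a static Smartports macro.

Added example, not from the configuration guide. The macro body below is a
constructed stand-in for cisco-desktop (assumption: the real built-in macro's
commands are not reproduced), and SimSwitch is a toy switch whose routed ports
reject switchport commands so that a per-interface failure can be shown.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple

CISCO_DESKTOP = [
    "# macro keywords: $AVID",            # comment lines are skipped
    "switchport access vlan $AVID",
    "switchport mode access",
    "spanning-tree portfast",
    "spanning-tree bpduguard enable",
]

_PARAM = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*")


def expand_macro(body: Sequence[str], params: Dict[str, str]) -> List[str]:
    """Substitute $NAME parameters; refuse to run with any left unset."""
    expanded: List[str] = []
    for line in body:
        if line.lstrip().startswith("#"):
            continue
        line = _PARAM.sub(lambda m: params.get(m.group(0), m.group(0)), line)
        unset = _PARAM.findall(line)
        if unset:
            raise ValueError(f"macro parameter(s) not supplied: {unset}")
        expanded.append(line)
    return expanded


class SimSwitch:
    """Per-interface command lists; routed ports reject switchport commands."""

    def __init__(self, routed: Sequence[str] = ()):
        self.routed = set(routed)
        self.config: Dict[str, List[str]] = {}

    def configure(self, iface: str, cmd: str) -> None:
        if iface in self.routed and cmd.startswith("switchport"):
            raise RuntimeError(f"{iface}: '{cmd}' rejected on a routed port")
        self.config.setdefault(iface, []).append(cmd)


@dataclass
class MacroResult:
    errors: Dict[str, List[str]] = field(default_factory=dict)
    trace: List[Tuple[str, str, bool]] = field(default_factory=list)  # (iface, cmd, ok)


def apply_macro(switch: SimSwitch, macro_name: str, body: Sequence[str],
                interfaces: Sequence[str], params: Dict[str, str]) -> MacroResult:
    """Apply the macro to each interface in turn, as 'macro apply' does.

    A failing command is recorded in errors but the remaining commands and
    interfaces are still processed; the macro name is then recorded on the
    interface as 'macro description <name>'. The trace list is what
    'macro trace' would show command by command.
    """
    commands = expand_macro(body, params)
    result = MacroResult()
    for iface in interfaces:
        result.errors[iface] = []
        for cmd in commands:
            try:
                switch.configure(iface, cmd)
                ok = True
            except RuntimeError as exc:
                result.errors[iface].append(str(exc))
                ok = False
            result.trace.append((iface, cmd, ok))
        switch.configure(iface, f"macro description {macro_name}")
    return result


if __name__ == "__main__":
    sw = SimSwitch(routed=["gigabitethernet1/0/3"])   # constructed: 1/0/3 is routed
    res = apply_macro(sw, "cisco-desktop", CISCO_DESKTOP,
                      ["gigabitethernet1/0/3", "gigabitethernet1/0/4"], {"$AVID": "25"})
    for iface, cmd, ok in res.trace:
        print(f"{iface:22} {'ok  ' if ok else 'FAIL'} {cmd}")
```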
Chapter 15 Configuring VLANs
This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Catalyst 3750-X or 3560-X switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS). Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Understanding VLANs
Figure 15-1 shows an example of VLANs segmented into logically defined networks.
Figure 15-1 VLANs as Logically Defined Networks (figure: Switch A and Switch B joined by two trunks; Trunk port 1 is labelled VLANs 2 – 4 (path cost 30) and VLANs 8 – 10 (path cost 19), Trunk port 2 is labelled VLANs 8 – 10 (path cost 30) and VLANs 2 – 4 (path cost 19).)
VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN. See the “Normal-Range VLAN Configuration Guidelines” section on page 15-5 for more information about the number of spanning-tree instances and the number of VLANs. The switch supports both Inter-Switch Link (ISL) and IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
For more detailed definitions of access and trunk modes and their functions, see Table 15-4 on page 15-16. When a port belongs to a VLAN, the switch learns and manages the addresses associated with the port on a per-VLAN basis. For more information, see the “Managing the MAC Address Table” section on page 7-19.
Configuring Normal-Range VLANs
Normal-range VLANs are VLANs with VLAN IDs 1 to 1005.
Note This section does not provide configuration details for most of these parameters. For complete information on the commands and parameters that control VLAN configuration, see the command reference for this release.
• The switch supports 128 spanning-tree instances. If a switch has more active VLANs than supported spanning-tree instances, spanning tree can be enabled on 128 VLANs and is disabled on the remaining VLANs. If you have already used all available spanning-tree instances on a switch, adding another VLAN anywhere in the VTP domain creates a VLAN on that switch that is not running spanning tree.
In VTP versions 1 and 2, if VTP mode is server, the domain name and VLAN configuration for only the first 1005 VLANs use the VLAN database information. VTP version 3 also supports VLANs 1006 to 4094.
Default Ethernet VLAN Configuration
Table 15-2 shows the default configuration for Ethernet VLANs.
Note The switch supports Ethernet interfaces exclusively.
Table 15-2
Beginning in privileged EXEC mode, follow these steps to create or modify an Ethernet VLAN:
        Command              Purpose
Step 1  configure terminal   Enter global configuration mode.
Step 2  vlan vlan-id         Enter a VLAN ID, and enter VLAN configuration mode. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN.
Note The available VLAN ID range for this command is 1 to 4094.
Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch:
        Command              Purpose
Step 1  configure terminal   Enter global configuration mode.
Step 2  no vlan vlan-id      Remove the VLAN by entering the VLAN ID.
Step 3  end                  Return to privileged EXEC mode.
Step 4  show vlan brief      Verify the VLAN removal.
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2
Switch(config-if)# end

Configuring Extended-Range VLANs

With VTP version 1 and version 2, when the switch is in VTP transparent mode (VTP disabled), you can create extended-range VLANs (in the range 1006 to 4094). VTP version 3 supports extended-range VLANs in server or transparent mode.
Chapter 15 Configuring VLANs Configuring Extended-Range VLANs • For VTP version 1 or 2, you can set the VTP mode to transparent in global configuration mode. See the “Configuring VTP Mode” section on page 16-11. You should save this configuration to the startup configuration so that the switch boots up in VTP transparent mode. Otherwise, you lose the extended-range VLAN configuration if the switch resets. If you create extended-range VLANs in VTP version 3, you cannot convert to VTP version 1 or 2.
Chapter 15 Configuring VLANs Configuring Extended-Range VLANs In VTP version 1 and 2, extended-range VLANs are not saved in the VLAN database; they are saved in the switch running configuration file. You can save the extended-range VLAN configuration in the switch startup configuration file by using the copy running-config startup-config privileged EXEC command. VTP version 3 saves extended-range VLANs in the VLAN database.
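The two procedures above (creating a normal-range VLAN and assigning an access port to it, then creating an extended-range VLAN) put together as one added example. This is not configuration from the guide; the interface names, VLAN IDs and the VLAN name are assumptions chosen for illustration, and the switch is assumed to run VTP version 1 or 2.

```cisco
! Added example (not from the guide). Interface names, VLAN IDs and the VLAN
! name are assumptions. The switch is assumed to be running VTP version 1 or 2.
Switch# configure terminal
! Normal-range VLAN (1 to 1005): accepted in any VTP mode
Switch(config)# vlan 20
Switch(config-vlan)# name ENGINEERING
Switch(config-vlan)# exit
! Pin the port to access mode before assigning the VLAN, so it cannot
! negotiate into a trunk later
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)# exit
!
! Extended-range VLAN (1006 to 4094). Under VTP version 1 or 2 the vlan command
! is accepted only in transparent mode; in server or client mode it is rejected.
Switch(config)# vtp mode transparent
Switch(config)# vlan 2000
Switch(config-vlan)# exit
Switch(config)# end
! Check that both VLANs are active and that gigabitethernet0/2 is in VLAN 20
Switch# show vlan brief
Switch# show vlan id 2000
! VTP version 1 and 2 keep extended-range VLANs in the running configuration, not
! in the VLAN database. Without this step a reload discards VLAN 2000 and the
! switch can come back in VTP server mode, where the VLAN cannot be recreated.
Switch# copy running-config startup-config
```

If the extended-range VLAN ID is already in use as an internal VLAN by a routed port, the vlan command is rejected with an error message; pick another ID or temporarily shut down the routed port that holds it, as the following section describes.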
Chapter 15 Configuring VLANs Configuring Extended-Range VLANs Creating an Extended-Range VLAN with an Internal VLAN ID If you enter an extended-range VLAN ID that is already assigned to an internal VLAN, an error message is generated, and the extended-range VLAN is rejected. To manually free an internal VLAN ID, you must temporarily shut down the routed port that is using the internal VLAN ID. Note Routing is not supported on switches running the LAN base feature set.
Chapter 15 Configuring VLANs Displaying VLANs Displaying VLANs Use the show vlan privileged EXEC command to display a list of all VLANs on the switch, including extended-range VLANs. The display includes VLAN status, ports, and configuration information. Table 15-3 lists the commands for monitoring VLANs.
Figure 15-2 shows a network of switches that are connected by ISL trunks.

Figure 15-2 Switches in an ISL Trunking Environment (figure: a Catalyst 6500 series switch connected by ISL trunks to several switches carrying VLAN1, VLAN2, and VLAN3)

You can configure a trunk on a single Ethernet interface or on an EtherChannel bundle.
Chapter 15 Configuring VLANs Configuring VLAN Trunks Table 15-4 Layer 2 Interface Modes Mode Function switchport mode access Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether or not the neighboring interface is a trunk interface. switchport mode dynamic auto Makes the interface able to convert the link to a trunk link.
Chapter 15 Configuring VLANs Configuring VLAN Trunks IEEE 802.1Q Configuration Considerations The IEEE 802.1Q trunks impose these limitations on the trunking strategy for a network: • In a network of Cisco switches connected through IEEE 802.1Q trunks, the switches maintain one spanning-tree instance for each VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.
• Changing the Pruning-Eligible List, page 15-20
• Configuring the Native VLAN for Untagged Traffic, page 15-21

Note By default, an interface is in Layer 2 mode. The default mode for Layer 2 interfaces is switchport mode dynamic auto.
Chapter 15 Configuring VLANs Configuring VLAN Trunks Step 4 Command Purpose switchport mode {dynamic {auto | desirable} | trunk} Configure the interface as a Layer 2 trunk (required only if the interface is a Layer 2 access port or tunnel port or to specify the trunking mode). • dynamic auto—Set the interface to a trunk link if the neighboring interface is set to trunk or desirable mode. This is the default.
To reduce the risk of spanning-tree loops or storms, you can disable VLAN 1 on any individual VLAN trunk port by removing VLAN 1 from the allowed list. When you remove VLAN 1 from a trunk port, the interface continues to send and receive management traffic, for example, Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), DTP, and VTP in VLAN 1.
Chapter 15 Configuring VLANs Configuring VLAN Trunks Beginning in privileged EXEC mode, follow these steps to remove VLANs from the pruning-eligible list on a trunk port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Select the trunk port for which VLANs should be pruned, and enter interface configuration mode.
Chapter 15 Configuring VLANs Configuring VLAN Trunks Step 3 Command Purpose switchport trunk native vlan vlan-id Configure the VLAN that is sending and receiving untagged traffic on the trunk port. For vlan-id, the range is 1 to 4094. Step 4 end Return to privileged EXEC mode. Step 5 show interfaces interface-id switchport Verify your entries in the Trunking Native Mode VLAN field. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
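The trunk configuration steps above (trunking mode, allowed-VLAN list, native VLAN) as one added example, with the default dynamic auto setting on a user-facing port shown next to the hardened access setting. This is not configuration from the guide; the interface names and VLAN IDs are assumptions. The switchport nonegotiate command is not covered in this section; it is the standard IOS command for suppressing DTP on a port whose mode is fixed to trunk or access.

```cisco
! Added example (not from the guide). Interface names and VLAN IDs are assumptions.
Switch# configure terminal
!
! --- Uplink to the distribution switch: a static 802.1Q trunk
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
! Stop sending DTP frames; the far end must also be configured as a static trunk
Switch(config-if)# switchport nonegotiate
! Carry only the VLANs this uplink needs; VLAN 1 is deliberately left off the list
Switch(config-if)# switchport trunk allowed vlan 10,20,30
! Untagged frames on the trunk belong to an otherwise unused VLAN, not VLAN 1
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# exit
! The native VLAN has to exist, and has to match on both ends of the trunk
Switch(config)# vlan 999
Switch(config-vlan)# name UNUSED_NATIVE
Switch(config-vlan)# exit
!
! --- User-facing port
! Weak (default) setting: switchport mode dynamic auto lets whatever is plugged
! in turn the port into a trunk by sending DTP desirable/trunk frames.
! Corrected: fix the mode to access and stop DTP entirely.
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport nonegotiate
Switch(config-if)# end
!
! Verify the Administrative Mode, Negotiation of Trunking, Trunking Native Mode
! VLAN and Trunking VLANs Enabled fields
Switch# show interfaces gigabitethernet0/1 switchport
Switch# show interfaces gigabitethernet0/2 switchport
Switch# show interfaces trunk
```

In the output of show interfaces gigabitethernet0/1 switchport, Negotiation of Trunking should read Off once switchport nonegotiate is in place, and Trunking Native Mode VLAN should show 999.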
Figure 15-3 Load Sharing by Using STP Port Priorities (figure: Switch A and Switch B connected by Trunk 1 and Trunk 2; on Trunk 1, VLANs 8 to 10 have priority 16 and VLANs 3 to 6 have priority 128; on Trunk 2, VLANs 3 to 6 have priority 16 and VLANs 8 to 10 have priority 128)

Note If your switch is a member of a switch stack, you must use the spanning-tree [vlan vlan-id] cost cost interface configuration command instead of the spanning-tree [vlan vlan-id] port-priority priority interface configuration command to select
Chapter 15 Configuring VLANs Configuring VLAN Trunks Command Purpose Step 15 show vlan When the trunk links come up, VTP passes the VTP and VLAN information to Switch B. Verify that Switch B has learned the VLAN configuration. Step 16 configure terminal Enter global configuration mode on Switch A. Step 17 interface gigabitethernet 0/1 Define the interface to set the STP port priority, and enter interface configuration mode.
Chapter 15 Configuring VLANs Configuring VMPS Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 15-4: Command Purpose Step 1 configure terminal Enter global configuration mode on Switch A. Step 2 interface gigabitethernet0/1 Define the interface to be configured as a trunk, and enter interface configuration mode. Step 3 switchport trunk encapsulation {isl | dot1q | negotiate} Configure the port to support ISL or IEEE 802.1Q encapsulation.
These sections contain this information:
• “Understanding VMPS” section on page 15-26
• “Default VMPS Client Configuration” section on page 15-27
• “VMPS Configuration Guidelines” section on page 15-27
• “Configuring the VMPS Client” section on page 15-28
• “Monitoring the VMPS” section on page 15-30
• “Troubleshooting Dynamic-Access Port VLAN Membership” section on page 15-31
• “VMPS Configuration Example” section on page 15-31

Understanding VMPS
Chapter 15 Configuring VLANs Configuring VMPS If there is a match, the VMPS sends the VLAN number for that port. If the client switch was not previously configured, it uses the domain name from the first VTP packet it receives on its trunk port from the VMPS. If the client switch was previously configured, it includes its domain name in the query packet to the VMPS to obtain its VLAN number.
Chapter 15 Configuring VLANs Configuring VMPS • Secure ports cannot be dynamic-access ports. You must disable port security on a port before it becomes dynamic. • Private VLAN ports cannot be dynamic-access ports. • Dynamic-access ports cannot be members of an EtherChannel group. • Port channels cannot be configured as dynamic-access ports. • A dynamic-access port can participate in fallback bridging. • The VTP management domain of the VMPS client and the VMPS server must be the same.
Chapter 15 Configuring VLANs Configuring VMPS Caution Dynamic-access port VLAN membership is for end stations or hubs connected to end stations. Connecting dynamic-access ports to other switches can cause a loss of connectivity. Beginning in privileged EXEC mode, follow these steps to configure a dynamic-access port on a VMPS client switch: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 15 Configuring VLANs Configuring VMPS Beginning in privileged EXEC mode, follow these steps to change the reconfirmation interval: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vmps reconfirm minutes Enter the number of minutes between reconfirmations of the dynamic VLAN membership. The range is 1 to 120. The default is 60 minutes. Step 3 end Return to privileged EXEC mode.
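The VMPS client procedures above (server entry, dynamic-access port, reconfirmation interval) as one added example. This is not configuration from the guide; the server addresses, interface and timer values are assumptions.

```cisco
! Added example (not from the guide). Server addresses, the interface and the
! timer values are assumptions.
Switch# configure terminal
! The first server entered is queried first; the keyword marks it as primary
Switch(config)# vmps server 172.20.128.86 primary
Switch(config)# vmps server 172.20.128.87
! Re-query the server every 30 minutes (default 60) and retry a silent server 3 times
Switch(config)# vmps reconfirm 30
Switch(config)# vmps retry 3
!
! A dynamic-access port must be a plain access port: no port security, no
! EtherChannel membership, no private-VLAN role, and end stations only behind it
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan dynamic
Switch(config-if)# end
!
! Servers, VQP state and reconfirm interval
Switch# show vmps
! The port shows no VLAN until a station sends a frame and the VMPS answers
Switch# show interfaces gigabitethernet0/3 switchport
! Force an immediate re-check instead of waiting for the timer
Switch# vmps reconfirm
```

Because the VMPS assigns VLANs by source MAC address, a dynamic-access port trusts whatever address a station presents; keep such ports for end stations on the VMPS database and never for links to other switches, as the caution in the guide states.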
This is an example of output for the show vmps privileged EXEC command:

Switch# show vmps
VQP Client Status:
--------------------
VMPS VQP Version:   1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 172.20.128.86 (primary, current)
                    172.20.128.
Figure 15-5 Dynamic Port VLAN Membership Configuration (figure: a TFTP server; Catalyst 6500 series switch A as Primary VMPS Server 1 at 172.20.26.150; a router at 172.20.22.7; client switch B at 172.20.26.151 with End station 1 on a dynamic-access port and a trunk port; Switch C 172.20.26.152; Switch D 172.20.26.153; Switch E 172.20.26.154; Switch F 172.20.26.155; Switch G 172.20.26.156; Switch H 172.20.26.)
CH A P T E R 16 Configuring VTP This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 16 Configuring VTP Understanding VTP The switch supports 1005 VLANs, but the number of routed ports, SVIs, and other configured features affects the usage of the switch hardware. If the switch is notified by VTP of a new VLAN and the switch is already using the maximum available hardware resources, it sends a message that there are not enough hardware resources available and shuts down the VLAN. The output of the show vlan user EXEC command shows the VLAN in a suspended state.
Chapter 16 Configuring VTP Understanding VTP If you configure a switch for VTP transparent mode, you can create and modify VLANs, but the changes are not sent to other switches in the domain, and they affect only the individual switch. However, configuration changes made when the switch is in this mode are saved in the switch running configuration and can be saved to the switch startup configuration file. For domain name and password configuration guidelines, see the “Domain Names” section on page 16-9.
Chapter 16 Configuring VTP Understanding VTP VTP Advertisements Each switch in the VTP domain sends periodic global configuration advertisements from each trunk port to a reserved multicast address. Neighboring switches receive these advertisements and update their VTP and VLAN configurations as necessary.
Chapter 16 Configuring VTP Understanding VTP • Consistency Checks—In VTP version 2, VLAN consistency checks (such as VLAN names and values) are performed only when you enter new information through the CLI or SNMP. Consistency checks are not performed when new information is obtained from a VTP message or when information is read from NVRAM. If the MD5 digest on a received VTP message is correct, its information is accepted.
Chapter 16 Configuring VTP Understanding VTP VTP Pruning VTP pruning increases network available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the destination devices. Without VTP pruning, a switch floods broadcast, multicast, and unknown unicast traffic across all trunk links within a VTP domain even though receiving switches might discard them. VTP pruning is disabled by default.
Figure 16-2 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch A is not forwarded to Switches C, E, and F because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch B and Port 4 on Switch D).

Figure 16-2 Optimized Flooded Traffic with VTP Pruning (figure: Switch B Port 5 and Switch D Port 4 are marked "Flooded traffic is pruned"; Red VLAN traffic from Switch A still reaches Switch B and Switch D, Port 2, but not Switches C, E, and F)
Chapter 16 Configuring VTP Configuring VTP • When VTP mode is changed in a switch in the stack, the other switches in the stack also change VTP mode, and the switch VLAN database remains consistent. VTP version 3 functions the same on a standalone switch or a stack except when the switch stack is the primary server for the VTP database. In this case, the MAC address of the stack master is used as the primary server ID. If the master switch reloads or is powered off, a new stack master is elected.
Chapter 16 Configuring VTP Configuring VTP VTP Configuration Guidelines You use the vtp global configuration command to set the VTP password, the version, the VTP file name, the interface providing updated VTP information, the domain name, and the mode, and to disable or enable pruning. For more information about available keywords, see the command descriptions in the command reference for this release. The VTP information is saved in the VTP VLAN database.
Chapter 16 Configuring VTP Configuring VTP Caution When you configure a VTP domain password, the management domain does not function properly if you do not assign a management domain password to each switch in the domain. VTP Version Follow these guidelines when deciding which VTP version to implement: • All switches in a VTP domain must have the same domain name, but they do not need to run the same VTP version.
Configuration Requirements

When you configure VTP, you must configure a trunk port so that the switch can send and receive VTP advertisements to and from other switches in the domain. For more information, see the “Configuring VLAN Trunks” section on page 15-14. If you are configuring VTP on a cluster member switch, use the rcommand privileged EXEC command to log in to that member switch.
Chapter 16 Configuring VTP Configuring VTP • Caution If you configure the switch for VTP client mode, the switch does not create the VLAN database file (vlan.dat). If the switch is then powered off, it resets the VTP configuration to the default. To keep the VTP configuration with VTP client mode after the switch restarts, you must first configure the VTP domain name before the VTP mode. If all switches are operating in VTP client mode, do not configure a VTP domain name.
Chapter 16 Configuring VTP Configuring VTP To return a switch in another mode to VTP server mode, use the no vtp mode global configuration command. To return the switch to a no-password state, use the no vtp password global configuration command. This example shows how to configure the switch as a VTP server with the domain name eng_group and the password mypassword: Switch(config)# vtp domain eng_group Setting VTP domain name to eng_group.
Chapter 16 Configuring VTP Configuring VTP Configuring a VTP Version 3 Primary Server Beginning in privileged EXEC mode, follow these steps on a VTP server to configure it as a VTP primary server (version 3 only), which starts a takeover operation: Step 1 Command Purpose vtp primary-server [vlan | mst] [force] Change the operational state of a switch from a secondary server (the default) to a primary server and advertise the configuration to the domain.
Chapter 16 Configuring VTP Configuring VTP Caution In VTP version 3, both the primary and secondary servers can exist on an instance in the domain. For more information on VTP version configuration guidelines, see the “VTP Version” section on page 16-10. Beginning in privileged EXEC mode, follow these steps to configure the VTP version: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vtp version {1 | 2 | 3} Enable the VTP version on the switch.
Configuring VTP on a Per-Port Basis

With VTP version 3, you can enable or disable VTP on a per-port basis. You can enable VTP only on ports that are in trunk mode. When VTP is disabled on a port, incoming and outgoing VTP traffic on that port is blocked, not forwarded. Beginning in privileged EXEC mode, follow these steps to enable VTP on a port: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 16 Configuring VTP Monitoring VTP Command Purpose Step 5 show vtp status Verify that the configuration revision number has been reset to 0. Step 6 configure terminal Enter global configuration mode. Step 7 vtp domain domain-name Enter the original domain name on the switch. Step 8 end The VLAN information on the switch is updated, and you return to privileged EXEC mode.
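The VTP procedures above (domain, password and mode on a server; electing a version 3 primary server; a client; and resetting a switch's configuration revision by changing its domain name and back) combined into one added example. This is not configuration from the guide; the host names, domain name, password and scratch domain name are assumptions. The command syntax is the one this chapter documents.

```cisco
! Added example (not from the guide). Host names, the domain name, the password
! and the scratch domain name are assumptions.
!
! --- Switch A: the intended VTP version 3 primary server.
! Set the domain first; version 3 cannot run without a domain name.
SwitchA# configure terminal
SwitchA(config)# vtp domain eng_group
SwitchA(config)# vtp password mypassword
SwitchA(config)# vtp version 3
SwitchA(config)# vtp mode server
SwitchA(config)# end
! Version 3 servers come up as secondary. Only the primary server for the VLAN
! instance may change the VLAN database; force skips the confirmation prompt.
SwitchA# vtp primary-server vlan force
SwitchA# show vtp status
!
! --- Switch B: a client. Configure the domain name before the mode; a client
! with no domain name does not write vlan.dat and loses its VTP settings on
! power-off. The password must match or advertisements are ignored.
SwitchB# configure terminal
SwitchB(config)# vtp domain eng_group
SwitchB(config)# vtp password mypassword
SwitchB(config)# vtp version 3
SwitchB(config)# vtp mode client
SwitchB(config)# end
SwitchB# show vtp status
!
! --- Switch C: a switch being introduced into the domain. Joining a
! throwaway domain and then the real one resets its configuration revision
! to 0, so a stale, higher revision on it cannot overwrite the domain's VLANs.
SwitchC# configure terminal
SwitchC(config)# vtp domain scratch_domain
SwitchC(config)# end
! Configuration Revision should now read 0
SwitchC# show vtp status
SwitchC# configure terminal
SwitchC(config)# vtp domain eng_group
SwitchC(config)# vtp password mypassword
SwitchC(config)# end
! The switch now learns the domain's VLAN information rather than advertising its own
SwitchC# show vtp status
SwitchC# show vlan brief
```

Use no vtp password to return a switch to the no-password state and no vtp mode to return it to server mode, as the section above notes. Every switch in the domain needs the same password configured or the domain does not function properly.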
Chapter 16 Configuring VTP Monitoring VTP Catalyst 3750-X and 3560-X Switch Software Configuration Guide 16-18 OL-21521-01
CH A P T E R 17 Configuring Voice VLAN This chapter describes how to configure the voice VLAN feature on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6500 family switch documentation. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Figure 17-1 shows one way to connect a Cisco 7960 IP Phone.

Figure 17-1 Cisco 7960 IP Phone Connected to a Switch (figure: the phone contains a 3-port switch; P1 connects to the switch access port, P2 connects to the Phone ASIC, and P3 connects to the PC)

Cisco IP Phone Voice Traffic

You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.
Chapter 17 Configuring Voice VLAN Configuring Voice VLAN Note Untagged traffic from the device attached to the Cisco IP Phone passes through the phone unchanged, regardless of the trust state of the access port on the phone.
Chapter 17 Configuring Voice VLAN Configuring Voice VLAN • The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled. • If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN: – They both use IEEE 802.1p or untagged frames. – The Cisco IP Phone uses IEEE 802.
Chapter 17 Configuring Voice VLAN Configuring Voice VLAN Configuring Cisco IP Phone Voice Traffic You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value. It can use IEEE 802.1p priority tagging to give voice traffic a higher priority and forward all voice traffic through the native (access) VLAN.
Chapter 17 Configuring Voice VLAN Configuring Voice VLAN This example shows how to configure a port connected to a Cisco IP Phone to use the CoS value to classify incoming traffic, to use IEEE 802.1p priority tagging for voice traffic, and to use the default native VLAN (VLAN 0) to carry all traffic: Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z.
Chapter 17 Configuring Voice VLAN Displaying Voice VLAN Step 3 Command Purpose switchport priority extend {cos value | trust} Set the priority of data traffic received from the Cisco IP Phone access port: • cos value—Configure the phone to override the priority received from the PC or the attached device with the specified CoS value. The value is a number from 0 to 7, with 7 as the highest priority. The default priority is cos 0.
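The voice VLAN procedures above (voice VLAN for the phone, CoS trust for the phone's own frames, and the switchport priority extend setting for the PC behind it) as one added example, with the setting that trusts the PC's marking shown commented out beside the one that overrides it. This is not configuration from the guide; the interface, VLAN IDs and the decision to use a tagged voice VLAN rather than 802.1p are assumptions. The mls qos trust device cisco-phone command is not described in this chapter; it is the standard IOS command that makes the port's trust state conditional on a Cisco phone being detected through CDP.

```cisco
! Added example (not from the guide). The interface and VLAN IDs are assumptions.
Switch# configure terminal
! QoS must be globally enabled for any trust setting to take effect
Switch(config)# mls qos
Switch(config)# interface gigabitethernet0/4
Switch(config-if)# switchport mode access
! Data VLAN for the PC; tagged voice VLAN for the phone. Port Fast is enabled
! automatically when the voice VLAN is configured.
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport voice vlan 110
! Trust the CoS the phone marks on its own voice frames ...
Switch(config-if)# mls qos trust cos
! ... but only while a Cisco phone is actually detected via CDP; if the phone is
! unplugged and a PC is connected directly, the port stops trusting CoS
Switch(config-if)# mls qos trust device cisco-phone
! Weak setting: the phone forwards the PC's CoS unchanged, so any host behind a
! phone can mark its own traffic as voice priority.
! Switch(config-if)# switchport priority extend trust
! Corrected: the phone rewrites the CoS of frames from the PC to 0
Switch(config-if)# switchport priority extend cos 0
Switch(config-if)# end
!
! Voice VLAN and Appliance trust fields
Switch# show interfaces gigabitethernet0/4 switchport
! Trust state and whether the trust device condition is currently met
Switch# show mls qos interface gigabitethernet0/4
```

Untagged traffic from the PC passes through the phone regardless of the port's trust state, as the note earlier in this chapter says; the cos 0 setting is what stops the PC from borrowing the phone's priority.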
CH A P T E R 18 Configuring Private VLANs This chapter describes how to configure private VLANs on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Note Private VLANs are not supported on switches running the LAN base feature set. For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Figure 18-1 Private-VLAN Domain (figure: a private VLAN domain containing one primary VLAN and two subdomains, a secondary isolated VLAN and a secondary community VLAN)

There are two types of secondary VLANs:
• Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.
Chapter 18 Configuring Private VLANs Understanding Private VLANs Primary and secondary VLANs have these characteristics: • Primary VLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports. • Isolated VLAN —A private VLAN has only one isolated VLAN.
Chapter 18 Configuring Private VLANs Understanding Private VLANs Private VLANs across Multiple Switches As with regular VLANs, private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch. The trunk port treats the private VLAN as any other VLAN. A feature of private VLANs across multiple switches is that traffic from an isolated port in switch A does not reach an isolated port on Switch B. See Figure 18-2.
Chapter 18 Configuring Private VLANs Configuring Private VLANs Private VLANs and SVIs In a Layer 3 switch, a switch virtual interface (SVI) represents the Layer 3 interface of a VLAN. Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs. Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs.
Chapter 18 Configuring Private VLANs Configuring Private VLANs Tasks for Configuring Private VLANs To configure a private VLAN, perform these steps: Step 1 Set VTP mode to transparent. Step 2 Create the primary and secondary VLANs and associate them. See the “Configuring and Associating VLANs in a Private VLAN” section on page 18-9. Note If the VLAN is not created already, the private-VLAN configuration process creates it.
• With VTP version 1 or 2, after you have configured private VLANs, use the copy running-config startup-config privileged EXEC command to save the VTP transparent mode configuration and private-VLAN configuration in the switch startup configuration file. Otherwise, if the switch resets, it defaults to VTP server mode, which does not support private VLANs. VTP version 3 does support private VLANs.
Chapter 18 Configuring Private VLANs Configuring Private VLANs To filter out specific IP traffic for a private VLAN, you should apply the VLAN map to both the primary and secondary VLANs. • You can apply router ACLs only on the primary-VLAN SVIs. The ACL is applied to both primary and secondary VLAN Layer 3 traffic. • Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other at Layer 3.
Chapter 18 Configuring Private VLANs Configuring Private VLANs – Link Aggregation Control Protocol (LACP) – Multicast VLAN Registration (MVR) – voice VLAN – Web Cache Communication Protocol (WCCP) • You can configure IEEE 802.1x port-based authentication on a private-VLAN port, but do not configure 802.1x with port security, voice VLAN, or per-user ACL on private-VLAN ports. • A private-VLAN host or promiscuous port cannot be a SPAN destination port.
Chapter 18 Configuring Private VLANs Configuring Private VLANs Step 9 Command Purpose vlan vlan-id (Optional) Enter VLAN configuration mode and designate or create a VLAN that will be a community VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094. Step 10 private-vlan community Designate the VLAN as a community VLAN. Step 11 exit Return to global configuration mode. Step 12 vlan vlan-id Enter VLAN configuration mode for the primary VLAN designated in Step 2.
Switch(config-vlan)# end
Switch# show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
20      501       isolated
20      502       community
20      503       community
20      504       non-operational

Configuring a Layer 2 Interface as a Private-VLAN Host Port

Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN host port and to associate it with pri
Chapter 18 Configuring Private VLANs Configuring Private VLANs Administrative private-vlan trunk encapsulation: dot1q Administrative private-vlan trunk normal VLANs: none Administrative private-vlan trunk private VLANs: none Operational private-vlan: 20 501 Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN promiscuous port and map it to primary and secondary VLANs:
Chapter 18 Configuring Private VLANs Configuring Private VLANs Use the show vlan private-vlan or the show interface status privileged EXEC command to display primary and secondary VLANs and private-VLAN ports on the switch. Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface If the private VLAN will be used for inter-VLAN routing, you configure an SVI for the primary VLAN and map secondary VLANs to the SVI. Note Isolated and community VLANs are both secondary VLANs.
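The private-VLAN procedures above (creating and associating the VLANs, host ports, a promiscuous port, and the primary-VLAN SVI mapping) as one added example. This is not configuration from the guide; the VLAN IDs, interfaces and IP address are assumptions, and the switch is assumed to run VTP version 1 or 2 with the IP base or IP services feature set.

```cisco
! Added example (not from the guide). VLAN IDs, interfaces and the IP address
! are assumptions. Assumes VTP version 1 or 2 and a feature set that supports
! routing (private VLANs are not available on LAN base).
Switch# configure terminal
! Private VLANs require VTP transparent mode under VTP version 1 or 2
Switch(config)# vtp mode transparent
!
! Secondary VLANs first, then the primary that owns them
Switch(config)# vlan 501
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 502
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 501,502
Switch(config-vlan)# exit
!
! Isolated host: reaches promiscuous ports only, never another host port
Switch(config)# interface gigabitethernet0/5
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 20 501
Switch(config-if)# exit
! Community host: reaches other members of VLAN 502 and promiscuous ports
Switch(config)# interface gigabitethernet0/6
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 20 502
Switch(config-if)# exit
! Promiscuous port toward the firewall or default gateway; it must be mapped
! to every secondary VLAN whose hosts need to reach it
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 20 501,502
Switch(config-if)# exit
!
! Layer 3 exists only on the primary VLAN. Isolation is Layer 2 only: hosts in
! 501 and 502 can still reach each other through this SVI unless a router ACL
! on it (or a VLAN map on both VLANs) says otherwise.
Switch(config)# interface vlan 20
Switch(config-if)# ip address 10.20.0.1 255.255.255.0
Switch(config-if)# private-vlan mapping 501,502
Switch(config-if)# end
!
! Primary/secondary pairs, types and member ports
Switch# show vlan private-vlan
Switch# show interfaces gigabitethernet0/5 switchport
Switch# show interfaces private-vlan mapping
! Save, or a reload returns the switch to VTP server mode and drops the private VLANs
Switch# copy running-config startup-config
```

In show vlan private-vlan, each secondary VLAN should show type isolated or community with its host port listed; a secondary VLAN that appears as non-operational has been created but not associated with the primary.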
--------- -------------- ----------------
vlan10    501            isolated
vlan10    502            community

Monitoring Private VLANs

Table 18-1 shows the privileged EXEC commands for monitoring private-VLAN activity.

Table 18-1 Private VLAN Monitoring Commands
Command                  Purpose
show interfaces status   Displays the status of interfaces, including the VLANs to which they belong.
CH A P T E R 19 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure, often Ethernet-based, with the same security, prioritization, reliability, and manageability requirements of private networks.
Chapter 19 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Understanding IEEE 802.1Q Tunneling tagged packets. A port configured to support IEEE 802.1Q tunneling is called a tunnel port. When you configure tunneling, you assign a tunnel port to a VLAN ID that is dedicated to tunneling. Each customer requires a separate service-provider VLAN ID, but that VLAN ID supports all of the customer’s VLANs. Customer traffic tagged in the normal way with appropriate VLAN IDs comes from an IEEE 802.
Original (Normal), IEEE 802.1Q, and Double-Tagged Ethernet Packet Formats (figure: the original Ethernet frame is DA, SA, Len/Etype, Data, FCS; the IEEE 802.1Q-tagged frame inserts Etype and Tag after SA, giving DA, SA, Etype, Tag, Len/Etype, Data, FCS; the double-tagged frame carries two Etype/Tag pairs, giving DA, SA, Etype, Tag, Etype, Tag, Len/Etype, Data, FCS. DA is the destination address, SA the source address, FCS the frame check sequence.)
Chapter 19 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring IEEE 802.1Q Tunneling Configuring IEEE 802.1Q Tunneling These sections contain this configuration information: • Default IEEE 802.1Q Tunneling Configuration, page 19-4 • IEEE 802.1Q Tunneling Configuration Guidelines, page 19-4 • IEEE 802.1Q Tunneling and Other Features, page 19-6 • Configuring an IEEE 802.1Q Tunneling Port, page 19-7 Default IEEE 802.1Q Tunneling Configuration By default, IEEE 802.
Chapter 19 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring IEEE 802.1Q Tunneling These are some ways to solve this problem: • Use ISL trunks between core switches in the service-provider network. Although customer interfaces connected to edge switches must be IEEE 802.1Q trunks, we recommend using ISL trunks for connecting switches in the core layer. • Use the vlan dot1q tag native global configuration command to configure the edge switch so that all packets going out an IEEE 802.
Chapter 19 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring IEEE 802.1Q Tunneling For example, the switch supports a maximum frame size of 1496 bytes with one of these configurations: • The switch has a system jumbo MTU value of 1500 bytes, and the switchport mode dot1q tunnel interface configuration command is configured on a 10-Gigabit or Gigabit Ethernet switch port.
Chapter 19 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring IEEE 802.1Q Tunneling Configuring an IEEE 802.1Q Tunneling Port Beginning in privileged EXEC mode, follow these steps to configure a port as an IEEE 802.1Q tunnel port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode for the interface to be configured as a tunnel port.
Chapter 19 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Understanding Layer 2 Protocol Tunneling Understanding Layer 2 Protocol Tunneling Customers at different sites connected across a service-provider network need to use various Layer 2 protocols to scale their topologies to include all remote sites, as well as the local sites. STP must run properly, and every VLAN should build a proper spanning tree that includes the local site and all remote sites across the service-provider network.
Chapter 19 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling For example, in Figure 19-6, Customer A has two switches in the same VLAN that are connected through the SP network. When the network tunnels PDUs, switches on the far ends of the network can negotiate the automatic creation of EtherChannels without needing dedicated lines. See the “Configuring Layer 2 Tunneling for EtherChannels” section on page 19-14 for instructions.
Chapter 19 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling See Figure 19-4, with Customer X and Customer Y in access VLANs 30 and 40, respectively. Asymmetric links connect the customers in Site 1 to edge switches in the service-provider network. The Layer 2 PDUs (for example, BPDUs) coming into Switch B from Customer Y in Site 1 are forwarded to the infrastructure as double-tagged packets with the well-known MAC address as the destination MAC address.
Chapter 19 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling Layer 2 Protocol Tunneling Configuration Guidelines These are some configuration guidelines and operating characteristics of Layer 2 protocol tunneling: • The switch supports tunneling of CDP, STP, including multiple STP (MSTP), and VTP. Protocol tunneling is disabled by default but can be enabled for the individual protocols on IEEE 802.1Q tunnel ports or access ports.
Chapter 19 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling Beginning in privileged EXEC mode, follow these steps to configure a port for Layer 2 protocol tunneling: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and enter the interface to be configured as a tunnel port.
Chapter 19 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling Use the no l2protocol-tunnel [cdp | stp | vtp] interface configuration command to disable protocol tunneling for one of the Layer 2 protocols or for all three. Use the no l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] and the no l2protocol-tunnel drop-threshold [cdp | stp | vtp] commands to return the shutdown and drop thresholds to the default settings.
Chapter 19 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling Step 5 Command Purpose l2protocol-tunnel shutdown-threshold [point-to-point [pagp | lacp | udld]] value (Optional) Configure the threshold for packets-per-second accepted for encapsulation. The interface is disabled if the configured threshold is exceeded. If no protocol option is specified, the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096.
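The following Python model is an added example, not code from the Cisco guide. It walks a customer PDU through the edge behaviour described for Figure 19-4 and through the thresholds of Step 5: the PDU's destination MAC is rewritten to the Cisco L2PT well-known address 01-00-0C-CD-CD-D0 (the address Cisco assigns for this purpose; the guide only calls it the well-known MAC), an outer SP tag is pushed so the frame travels double-tagged, the remote edge restores the original destination address, and per-second PDU counts are checked against the drop and shutdown thresholds. The frame layouts, the customer MAC, the SP VLAN 40 and the threshold values are constructed for the example, and counting PDUs per whole second stands in for the switch's actual rate measurement.

```python
"""Layer 2 protocol tunneling at a service-provider edge port (added example;
not code from the Cisco guide). A customer PDU entering a tunnel port gets the
L2PT well-known destination MAC and an outer SP tag, the remote edge reverses
this, and the l2protocol-tunnel drop/shutdown thresholds are applied per
second (a simplification of the real rate measurement)."""
import struct
from collections import defaultdict

L2PT_DA = bytes.fromhex("01000ccdcdd0")      # Cisco L2PT well-known address
PROTO_DA = {                                 # destination MAC each protocol normally uses
    "stp": bytes.fromhex("0180c2000000"),    # IEEE 802.1D bridge group address
    "cdp": bytes.fromhex("01000ccccccc"),    # Cisco multicast shared by CDP and VTP
    "vtp": bytes.fromhex("01000ccccccc"),
}
TPID = 0x8100                                # 802.1Q tag protocol identifier


def build_frame(dst, src, payload, vlans=()):
    """Ethernet frame with zero or more 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID, v & 0x0FFF) for v in vlans)
    return dst + src + tags + payload


def parse_frame(frame):
    """Return (dst, src, [vlan ids outermost first], payload after the tags)."""
    dst, src, off, vlans = frame[:6], frame[6:12], 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID:
        vlans.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return dst, src, vlans, frame[off:]


def protocol_of_pdu(payload):
    """Classify an 802.3/LLC PDU: STP by LLC SAP 0x42, CDP/VTP by Cisco SNAP PID."""
    if payload[2] == 0x42:
        return "stp"
    if payload[2] == 0xAA and payload[5:8] == b"\x00\x00\x0c":
        return {0x2000: "cdp", 0x2003: "vtp"}.get(struct.unpack("!H", payload[8:10])[0])
    return None


class EdgeTunnelPort:
    """SP-edge tunnel port: the customer's SP VLAN plus the l2protocol-tunnel thresholds."""

    def __init__(self, sp_vlan, tunneled, drop_threshold=None, shutdown_threshold=None):
        self.sp_vlan = sp_vlan
        self.tunneled = set(tunneled)                  # protocols enabled with l2protocol-tunnel
        self.drop_threshold = drop_threshold           # PDUs/s above which PDUs are dropped
        self.shutdown_threshold = shutdown_threshold   # PDUs/s above which the port is err-disabled
        self.err_disabled = False
        self.encapsulated = self.dropped = 0
        self._rate = defaultdict(int)                  # (second, protocol) -> PDUs seen

    def ingress(self, frame, second):
        """Return the core-facing (double-tagged) frame, or None if not tunneled."""
        if self.err_disabled:
            return None
        dst, src, vlans, payload = parse_frame(frame)
        proto = protocol_of_pdu(payload)
        if proto not in self.tunneled or dst != PROTO_DA[proto]:
            return None                                # not a tunneled PDU: ordinary forwarding
        self._rate[(second, proto)] += 1
        rate = self._rate[(second, proto)]
        if self.shutdown_threshold is not None and rate > self.shutdown_threshold:
            self.err_disabled = True                   # stays down until an operator recovers it
            self.dropped += 1
            return None
        if self.drop_threshold is not None and rate > self.drop_threshold:
            self.dropped += 1
            return None
        self.encapsulated += 1
        # Rewrite the DA and push the SP tag in front of any customer (inner) tag.
        return build_frame(L2PT_DA, src, payload, [self.sp_vlan] + vlans)


def egress_decapsulate(frame, sp_vlan):
    """Remote edge: pop the SP tag and restore the protocol's own destination MAC."""
    dst, src, vlans, payload = parse_frame(frame)
    proto = protocol_of_pdu(payload)
    if dst != L2PT_DA or not vlans or vlans[0] != sp_vlan or proto is None:
        return None
    return build_frame(PROTO_DA[proto], src, payload, vlans[1:])


# Constructed sample: 802.3 length field, LLC header 42 42 03, zeroed config BPDU body.
CUSTOMER_MAC = bytes.fromhex("0000aa000001")
STP_BPDU = b"\x00\x26" + b"\x42\x42\x03" + bytes(35)
STP_FRAME = build_frame(PROTO_DA["stp"], CUSTOMER_MAC, STP_BPDU)


def demo():
    """Tunnel one BPDU end to end, then flood the port and let the thresholds act."""
    port = EdgeTunnelPort(40, {"stp", "cdp"}, drop_threshold=3, shutdown_threshold=5)
    core = port.ingress(STP_FRAME, second=0)
    restored = egress_decapsulate(core, sp_vlan=40)
    flood = [port.ingress(STP_FRAME, second=1) for _ in range(6)]
    return core, restored, flood, port
```

With the thresholds in demo(), six BPDUs in one second are handled as the guide describes: the first three are encapsulated, the fourth and fifth exceed the drop threshold and are dropped, and the sixth exceeds the shutdown threshold and error-disables the port, after which nothing is encapsulated until the port is recovered.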
Configuring the Customer Switch
After configuring the SP edge switch, begin in privileged EXEC mode and follow these steps to configure a customer switch for Layer 2 protocol tunneling for EtherChannels:
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Enter interface configuration mode. This should be the customer switch port.

Monitoring and Maintaining Tunneling Status
Table 19-2 shows the privileged EXEC commands for monitoring and maintaining IEEE 802.1Q and Layer 2 protocol tunneling.
Table 19-2 Commands for Monitoring and Maintaining Tunneling
clear l2protocol-tunnel counters: Clear the protocol counters on Layer 2 protocol tunneling ports.
show dot1q-tunnel: Display IEEE 802.
Chapter 20 Configuring STP
This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the Catalyst 3750-X or 3560-X switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.

Understanding Spanning-Tree Features
• Spanning-Tree Modes and Protocols, page 20-9
• Supported Spanning-Tree Instances, page 20-10
• Spanning-Tree Interoperability and Backward Compatibility, page 20-10
• STP and IEEE 802.1Q Trunks, page 20-10
• VLAN-Bridge Spanning Tree, page 20-11
• Spanning Tree and Switch Stacks, page 20-11
For configuration information, see the “Configuring Spanning-Tree Features” section on page 20-12.

Spanning-Tree Topology and BPDUs
The stable, active spanning-tree topology of a switched network is controlled by these elements:
• The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch. In a switch stack, all switches use the same bridge ID for a given spanning-tree instance.
• The spanning-tree path cost to the root switch.

Only one outgoing port on the stack root switch is selected as the root port. The remaining switches in the stack become its designated switches (Switch 2 and Switch 3) as shown in Figure 20-1 on page 20-4.
• The shortest distance to the root switch is calculated for each switch based on the path cost.
• A designated switch for each LAN segment is selected.

The switch supports the IEEE 802.1t spanning-tree extensions, and some of the bits previously used for the switch priority are now used as the VLAN identifier. The result is that fewer MAC addresses are reserved for the switch, and a larger range of VLAN IDs can be supported, all while maintaining the uniqueness of the bridge ID.

• From learning to forwarding or to disabled
• From forwarding to disabled
Figure 20-2 illustrates how an interface moves through the states.

• Does not learn addresses
• Receives BPDUs
Listening State
The listening state is the first state a Layer 2 interface enters after the blocking state. The interface enters this state when the spanning tree decides that the interface should participate in frame forwarding.

How a Switch or Port Becomes the Root Switch or Root Port
If all switches in a network are enabled with default spanning-tree settings, the switch with the lowest MAC address becomes the root switch. In Figure 20-3, Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768) and Switch A has the lowest MAC address.

Regardless of the spanning-tree state, each switch in the stack receives but does not forward packets destined for addresses between 0x0180C2000000 and 0x0180C200000F. If spanning tree is enabled, the CPU on the switch or on each switch in the stack receives packets destined for 0x0180C2000000 and 0x0180C2000010. If spanning tree is disabled, the switch or each switch in the stack forwards those packets as unknown multicast addresses.

forward delay and by quickly transitioning root ports and designated ports to the forwarding state. In a switch stack, the cross-stack rapid transition (CSRT) feature performs the same function as RSTP. You cannot run MSTP without RSTP or CSRT. The most common initial deployment of MSTP is in the backbone and distribution layers of a Layer 2 switched network. For more information, see Chapter 21, “Configuring MSTP.”

When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+. The switch combines the spanning-tree instance of the IEEE 802.1Q VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.

For more information about switch stacks, see Chapter 5, “Managing Switch Stacks.”

Configuring Spanning-Tree Features
These sections contain this configuration information:
• Default Spanning-Tree Configuration, page 20-12
• Spanning-Tree Configuration Guidelines, page 20-13
• Changing the Spanning-Tree Mode.

Table 20-3 Default Spanning-Tree Configuration (continued)
Spanning-tree VLAN port cost (configurable on a per-VLAN basis): 1000 Mb/s: 4; 100 Mb/s: 19; 10 Mb/s: 100.
Spanning-tree timers: hello time 2 seconds; forward-delay time 15 seconds; maximum-aging time 20 seconds.

Spanning-tree commands control the configuration of VLAN spanning-tree instances. You create a spanning-tree instance when you assign an interface to a VLAN. The spanning-tree instance is removed when the last interface is moved to another VLAN. You can configure switch and port parameters before a spanning-tree instance is created; these parameters are applied when the spanning-tree instance is created.

Step 6: clear spanning-tree detected-protocols. (Recommended for rapid-PVST+ mode only) If any port on the switch is connected to a port on a legacy IEEE 802.1D switch, restart the protocol migration process on the entire switch. This step is optional if the designated switch detects that this switch is running rapid PVST+.
Step 7: show spanning-tree summary. Verify your entries.

To configure a switch to become the root for the specified VLAN, use the spanning-tree vlan vlan-id root global configuration command to modify the switch priority from the default value (32768) to a significantly lower value. When you enter this command, the software checks the switch priority of the root switches for each VLAN.

Beginning in privileged EXEC mode, follow these steps to configure a switch to become the root for the specified VLAN. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: spanning-tree vlan vlan-id root primary [diameter net-diameter [hello-time seconds]]. Configure a switch to become the root for the specified VLAN.

Beginning in privileged EXEC mode, follow these steps to configure a switch to become the secondary root for the specified VLAN. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: spanning-tree vlan vlan-id root secondary [diameter net-diameter [hello-time seconds]]. Configure a switch to become the secondary root for the specified VLAN.
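As an added example (not code from the guide), the following Python functions build the bridge ID the way the “Spanning-Tree Topology and BPDUs” and IEEE 802.1t paragraphs describe it, with the VLAN ID folded into the low 12 bits of the priority field, run the root election by lowest bridge ID as in “How a Switch or Port Becomes the Root Switch or Root Port”, and apply the priority selection that spanning-tree vlan vlan-id root primary and root secondary perform: primary uses 24576 when that is enough to win and otherwise 4096 below the current root's priority, secondary always uses 28672. The switch names and MAC addresses are constructed. The last case in demo(), a device claiming priority 0, shows that lowering your own priority never guarantees the root role against an untrusted switch; that is what root guard (Chapter 22) is for.

```python
"""PVST+ bridge IDs with the IEEE 802.1t extended system ID, root election and
the priority chosen by 'spanning-tree vlan <id> root primary|secondary'.
Added example, not code from the Cisco guide; switch names and MACs are
constructed."""


def bridge_id(priority, vlan, mac):
    """64-bit bridge ID: 4-bit priority + 12-bit VLAN (sys-id-ext), then the 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return ((priority | vlan) << 48) | mac_int


def show_priority(bid):
    """The 'Priority 32778 (priority 32768 sys-id-ext 10)' line of show spanning-tree."""
    field = bid >> 48
    return f"Priority {field} (priority {field & 0xF000} sys-id-ext {field & 0x0FFF})"


def elect_root(vlan, switches):
    """switches: {name: (priority, mac)}. Lowest bridge ID wins. Returns (name, bridge id)."""
    ids = {name: bridge_id(prio, vlan, mac) for name, (prio, mac) in switches.items()}
    winner = min(ids, key=ids.get)
    return winner, ids[winner]


def root_primary_priority(vlan, switches, me):
    """Priority 'spanning-tree vlan <vlan> root primary' picks on switch `me`:
    24576 if that alone makes it root, otherwise 4096 below the current root."""
    others = {name: value for name, value in switches.items() if name != me}
    _, root_id = elect_root(vlan, others)
    root_priority = (root_id >> 48) & 0xF000
    if bridge_id(24576, vlan, switches[me][1]) < root_id:
        return 24576
    if root_priority >= 4096:
        return root_priority - 4096
    raise ValueError("current root already uses priority 0; root primary cannot win")


def root_secondary_priority():
    """'root secondary' always uses 28672: it wins only if the primary root disappears."""
    return 28672


# Constructed topology: three switches at the default priority. A fourth device
# later claims priority 0, the root-takeover case root guard exists to stop.
SWITCHES = {
    "A": (32768, "0000.0c00.0001"),
    "B": (32768, "0000.0c00.0002"),
    "C": (32768, "0000.0c00.0003"),
}


def demo(vlan=10):
    root, _ = elect_root(vlan, SWITCHES)                     # all equal priority: lowest MAC, A
    c_primary = root_primary_priority(vlan, SWITCHES, "C")   # 24576 is enough here
    hardened = dict(SWITCHES, C=(c_primary, SWITCHES["C"][1]))
    rogue = dict(hardened, rogue=(0, "ffff.ffff.ffff"))      # priority 0 beats any MAC
    return root, c_primary, elect_root(vlan, hardened)[0], elect_root(vlan, rogue)[0]
```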
Beginning in privileged EXEC mode, follow these steps to configure the port priority of an interface. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces (port-channel port-channel-number).

Configuring Path Cost
The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.

To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree path costs, see the “Configuring Trunk Ports for Load Sharing” section on page 15-22.

Configuring Spanning-Tree Timers
Table 20-4 describes the timers that affect the entire spanning-tree performance.
Table 20-4 Spanning-Tree Timers
Hello timer: Controls how often the switch broadcasts hello messages to other switches.
Forward-delay timer: Controls how long each of the listening and learning states last before the interface begins forwarding.

Configuring the Forwarding-Delay Time for a VLAN
Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: spanning-tree vlan vlan-id forward-time seconds. Configure the forward time of a VLAN.

Configuring the Transmit Hold-Count
You can configure the BPDU burst size by changing the transmit hold count value.
Note: Changing this parameter to a higher value can have a significant impact on CPU utilization, especially in rapid-PVST+ mode. Lowering this value can slow down convergence in certain scenarios. We recommend that you maintain the default setting.
Chapter 21 Configuring MSTP
This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 3750-X or 3560-X switch.
Note: The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard.
The MSTP enables multiple VLANs to be mapped to the same spanning-tree instance, reducing the number of spanning-tree instances needed to support a large number of VLANs.

Understanding MSTP
MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load-balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.

The IST is the only spanning-tree instance that sends and receives BPDUs. All of the other spanning-tree instance information is contained in M-records, which are encapsulated within MSTP BPDUs. Because the MSTP BPDU carries information for all instances, the number of BPDUs that need to be processed to support multiple spanning-tree instances is significantly reduced.

The IST connects all the MSTP switches in the region and appears as a subtree in the CIST that encompasses the entire switched domain. The root of the subtree is the CIST regional root. The MST region appears as a virtual switch to adjacent STP switches and MST regions. Figure 21-1 shows a network with three MST regions and a legacy IEEE 802.1D switch (D). The CIST regional root for region 1 (A) is also the CIST root.

IEEE 802.1s Terminology
Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network.

Boundary Ports
In the Cisco prestandard implementation, a boundary port connects an MST region to a single spanning-tree region running RSTP, to a single spanning-tree region running PVST+ or rapid PVST+, or to another MST region with a different MST configuration. A boundary port also connects to a LAN, the designated switch of which is either a single spanning-tree switch or a switch with a different MST configuration.

• The boundary port is not the root port of the CIST regional root: the MSTI ports follow the state and role of the CIST port. The standard provides less information, and it might be difficult to understand why an MSTI port can be alternately blocking when it receives no BPDUs (M-records). In this case, although the boundary role no longer exists, the show commands identify a port as boundary in the type column of the output.

Figure 21-3 illustrates a unidirectional link failure that typically creates a bridging loop. Switch A is the root switch, and its BPDUs are lost on the link leading to Switch B. RSTP and MST BPDUs include the role and state of the sending port. With this information, Switch A can detect that Switch B does not react to the superior BPDUs it sends and that Switch B is the designated switch, not the root switch.

to a port when the switch to which this switch is connected has joined the region. To restart the protocol migration process (force the renegotiation with neighboring switches), use the clear spanning-tree detected-protocols privileged EXEC command. If all the legacy switches on the link are RSTP switches, they can process MSTP BPDUs as if they are RSTP BPDUs.

Understanding RSTP
In a stable topology with consistent port roles throughout the network, the RSTP ensures that every root port and designated port immediately transition to the forwarding state while all alternate and backup ports are always in the discarding state (equivalent to blocking in IEEE 802.1D). The port state controls the operation of the forwarding and learning processes. Table 21-2 provides a comparison of IEEE 802.1D and RSTP port states.

When Switch C is connected to Switch B, a similar set of handshaking messages is exchanged. Switch C selects the port connected to Switch B as its root port, and both ends immediately transition to the forwarding state. With each iteration of this handshaking process, one more switch joins the active topology. As the network converges, this proposal-agreement handshaking progresses from the root toward the leaves of the spanning tree.

After ensuring that all of the ports are synchronized, the switch sends an agreement message to the designated switch corresponding to its root port. When the switches connected by a point-to-point link are in agreement about their port roles, the RSTP immediately transitions the port states to forwarding. The sequence of events is shown in Figure 21-5.
[Figure 21-5 Sequence of Events During Rapid Convergence: numbered steps, including 1. Proposal and 4. Agreement]

The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN. The port role in the proposal message is always set to the designated port. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal. The port role in the agreement message is always set to the root port. The RSTP does not have a separate topology change notification (TCN) BPDU.
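The proposal/agreement exchange described above, as an added example in Python that is not code from the Cisco guide. A designated port in the discarding state sends a proposal; the receiving switch makes that port its root port, synchronizes by putting its other non-edge designated ports into discarding, answers with an agreement, and both ends transition to forwarding immediately; the synchronized designated ports then repeat the handshake one hop further, so convergence proceeds from the root toward the leaves. The three-switch chain A (root), B and C, the port names, and the fact that B's downstream port was already forwarding before the new proposal arrived (so the sync step is visible) are constructed for the example; edge ports are left alone by the sync, as the guide's "nonedge" qualifier states.

```python
"""RSTP proposal/agreement handshake on point-to-point links, with the sync
step, as an added example (not code from the Cisco guide). The chain
A (root) - B - C and the port names are constructed."""


class Port:
    def __init__(self, switch, name, role="designated", state="discarding", edge=False):
        self.switch, self.name, self.role, self.state, self.edge = switch, name, role, state, edge
        self.peer = None                      # port at the other end of the p2p link

    def __repr__(self):
        return f"{self.switch.name}:{self.name}"


class Switch:
    def __init__(self, name, trace):
        self.name, self.ports, self.trace = name, [], trace

    def add_port(self, name, **kw):
        port = Port(self, name, **kw)
        self.ports.append(port)
        return port


def link(a, b):
    a.peer, b.peer = b, a


def send_proposal(port):
    """A designated port in discarding state proposes itself as designated on the link."""
    port.switch.trace.append(f"{port} -> {port.peer}: proposal (role designated)")
    receive_proposal(port.peer)


def receive_proposal(port):
    sw = port.switch
    port.role = "root"                        # the proposer offers the path to the root
    # Sync: every other non-edge designated port must be discarding before we agree,
    # otherwise the immediate forwarding transition below could close a loop.
    for p in sw.ports:
        if p is not port and p.role == "designated" and not p.edge and p.state != "discarding":
            p.state = "discarding"
            sw.trace.append(f"{p} sync -> discarding")
    sw.trace.append(f"{port} -> {port.peer}: agreement (role root)")
    port.state = "forwarding"                 # both ends now agree on their roles
    receive_agreement(port.peer)
    # The synchronized designated ports now run the same handshake one hop further.
    for p in sw.ports:
        if p.role == "designated" and p.peer is not None and p.state == "discarding":
            send_proposal(p)


def receive_agreement(port):
    port.state = "forwarding"
    port.switch.trace.append(f"{port} forwarding after agreement")


def converge():
    """Root A proposes to B; B syncs its already-forwarding link to C, then proposes to C."""
    trace = []
    a, b, c = (Switch(n, trace) for n in "ABC")
    a_b = a.add_port("Gi1/0/1")
    b_a = b.add_port("Gi1/0/1")
    b_c = b.add_port("Gi1/0/2", state="forwarding")
    c_b = c.add_port("Gi1/0/1")
    c.add_port("Gi1/0/10", state="forwarding", edge=True)   # access port, untouched by sync
    link(a_b, b_a)
    link(b_c, c_b)
    send_proposal(a_b)
    states = {repr(p): (p.role, p.state) for p in a.ports + b.ports + c.ports}
    return trace, states
```

The trace returned by converge() is the guide's Figure 21-5 sequence twice over: proposal A to B, sync of B's downstream port, agreement B to A, A forwarding, then proposal B to C, agreement C to B, B forwarding.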
• Propagation: When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.
• Protocol migration: For backward compatibility with IEEE 802.1D switches, RSTP selectively sends IEEE 802.

Configuring MSTP Features
Table 21-4 Default MSTP Configuration (continued)
Spanning-tree port priority (configurable on a per-CIST port basis): 128.
Spanning-tree port cost (configurable on a per-CIST port basis): 1000 Mb/s: 4; 100 Mb/s: 19; 10 Mb/s: 100.
Hello time: 2 seconds.
Forward-delay time: 15 seconds.
Maximum-aging time: 20 seconds.
Maximum hop count: 20 hops.

• All MST boundary ports must be forwarding for load-balancing between a PVST+ and an MST cloud or between a rapid-PVST+ and an MST cloud. For this to occur, the IST master of the MST cloud should also be the root of the CST.

Step 3: instance instance-id vlan vlan-range. Map VLANs to an MST instance.
• For instance-id, the range is 0 to 4094.
• For vlan vlan-range, the range is 1 to 4094.
When you map VLANs to an MST instance, the mapping is incremental, and the VLANs specified in the command are added to or removed from the VLANs that were previously mapped.

Instance  Vlans Mapped
--------  ---------------------
0         1-9,21-4094
1         10-20
-------------------------------
Switch(config-mst)# exit
Switch(config)#

Configuring the Root Switch
The switch maintains a spanning-tree instance for the group of VLANs mapped to it. A switch ID, consisting of the switch priority and the switch MAC address, is associated with each instance. For a group of VLANs, the switch with the lowest switch ID becomes the root switch.
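The following Python model is an added example and not code from the guide. It implements the VLAN-to-instance table behind the instance instance-id vlan vlan-range command (incremental mapping, with VLANs that are not mapped elsewhere staying in instance 0), reproduces the Instance / Vlans Mapped listing shown above, and computes the configuration digest that show spanning-tree mst configuration digest prints. Per IEEE 802.1s that digest is HMAC-MD5 over the 4096-entry table of 16-bit instance numbers (entries 0 and 4095 are always zero), keyed with the standard's fixed signature key 0x13AC06A62E47FD51F95D2BA243CD0346; switches form a region only when region name, revision and this digest all match, so the model also shows that two switches reach the same digest only when their tables are identical, however the mapping commands were split. The example mappings are constructed.

```python
"""MST VLAN-to-instance table and IEEE 802.1s configuration digest. Added
example, not code from the Cisco guide; the mappings used are constructed."""
import hashlib
import hmac
import struct

# IEEE 802.1s configuration digest signature key (fixed by the standard).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_range(text):
    """'10-20,30' -> {10, 11, ..., 20, 30}; VLANs must be in 1..4094."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_ranges(vlans):
    """[1, 2, 3, 10, 12] -> '1-3,10,12', the form the show output uses."""
    out, vlans, i = [], sorted(vlans), 0
    while i < len(vlans):
        j = i
        while j + 1 < len(vlans) and vlans[j + 1] == vlans[j] + 1:
            j += 1
        out.append(str(vlans[i]) if i == j else f"{vlans[i]}-{vlans[j]}")
        i = j + 1
    return ",".join(out)


class MstConfig:
    """The table edited under 'spanning-tree mst configuration'."""

    def __init__(self):
        self.table = [0] * 4096          # index = VLAN id, value = MSTI (0 is the IST/CIST)

    def instance_vlan(self, instance, vlan_range):
        """'instance N vlan RANGE': the listed VLANs move to instance N."""
        if not 0 <= instance <= 4094:
            raise ValueError("instance must be 0..4094")
        for v in parse_vlan_range(vlan_range):
            self.table[v] = instance

    def no_instance_vlan(self, instance, vlan_range):
        """'no instance N vlan RANGE': listed VLANs of that instance go back to instance 0."""
        for v in parse_vlan_range(vlan_range):
            if self.table[v] == instance:
                self.table[v] = 0

    def mapped(self, instance):
        return [v for v in range(1, 4095) if self.table[v] == instance]

    def show_current(self):
        """Rows of the 'Instance / Vlans Mapped' listing, for instances in use."""
        used = sorted(set(self.table[1:4095]))
        return [(i, format_ranges(self.mapped(i))) for i in used]

    def digest(self):
        """Digest as 'show spanning-tree mst configuration digest' prints it (hex, upper case)."""
        table = b"".join(struct.pack("!H", msti) for msti in self.table)
        return hmac.new(MST_DIGEST_KEY, table, hashlib.md5).hexdigest().upper()


def demo():
    cfg = MstConfig()
    default_digest = cfg.digest()      # every VLAN in instance 0
    cfg.instance_vlan(1, "10-20")
    rows = cfg.show_current()          # [(0, '1-9,21-4094'), (1, '10-20')] as in the guide
    cfg.instance_vlan(2, "15")         # incremental: VLAN 15 leaves instance 1 for instance 2
    return default_digest, rows, cfg.show_current(), cfg.digest()
```

With nothing mapped, digest() returns the value every MST switch shows by default, so a mismatch between two neighbours' digests is a direct sign that their VLAN tables differ even when their region names and revisions agree.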
Beginning in privileged EXEC mode, follow these steps to configure a switch as the root switch. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: spanning-tree mst instance-id root primary [diameter net-diameter [hello-time seconds]]. Configure a switch as the root switch.

Beginning in privileged EXEC mode, follow these steps to configure a switch as the secondary root switch. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: spanning-tree mst instance-id root secondary [diameter net-diameter [hello-time seconds]]. Configure a switch as the secondary root switch.

Beginning in privileged EXEC mode, follow these steps to configure the MSTP port priority of an interface. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces. The port-channel range is 1 to 48.

Beginning in privileged EXEC mode, follow these steps to configure the MSTP cost of an interface. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces. The port-channel range is 1 to 48.

Beginning in privileged EXEC mode, follow these steps to configure the switch priority. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: spanning-tree mst instance-id priority priority. Configure the switch priority.
• For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 4094.

Configuring the Forwarding-Delay Time
Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for all MST instances. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: spanning-tree mst forward-time seconds. Configure the forward time for all MST instances.

Configuring the Maximum-Hop Count
Beginning in privileged EXEC mode, follow these steps to configure the maximum-hop count for all MST instances. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: spanning-tree mst max-hops hop-count. Specify the number of hops in a region before the BPDU is discarded and the information held for a port is aged.

Designating the Neighbor Type
A topology could contain both prestandard and IEEE 802.1s standard compliant devices. By default, ports can automatically detect prestandard devices, but they can still receive both standard and prestandard BPDUs. When there is a mismatch between a device and its neighbor, only the CIST runs on the interface. You can choose to set a port to send only prestandard BPDUs.

Displaying the MST Configuration and Status
To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 21-5:
Table 21-5 Commands for Displaying MST Status
show spanning-tree mst configuration: Displays the MST region configuration.
show spanning-tree mst configuration digest: Displays the MD5 digest included in the current MSTCI.

Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-21521-01, page 21-28
Chapter 22 Configuring Optional Spanning-Tree Features
This chapter describes how to configure optional spanning-tree features on the Catalyst 3750-X or 3560-X switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+). You can configure only the noted features when your switch or switch stack is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol.

Understanding Port Fast
Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states.

At the interface level, you enable BPDU guard on any port by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. When the port receives a BPDU, it is put in the error-disabled state. The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service.

[Figure 22-2 Switches in a Hierarchical Network: backbone switches (root bridge), distribution switches and access switches, with active and blocked links]
If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port.

[Figure 22-3 UplinkFast Example Before Direct Link Failure: Switch A (root), Switch B and Switch C joined by links L1, L2 and L3, with a blocked port on Switch C]
If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure

How CSUF Works
CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 22-5, the stack-root port on Switch 1 provides the path to the root of the spanning tree. The alternate stack-root ports on Switches 2 and 3 can provide an alternate path to the spanning-tree root if the current stack-root switch fails or if its link to the spanning-tree root fails.

Each switch in the stack decides if the sending switch is a better choice than itself to be the stack root of this spanning-tree instance by comparing the root, cost, and bridge ID. If the sending switch is the best choice as the stack root, each switch in the stack returns an acknowledgement; otherwise, it sends a fast-transition request.

BackboneFast, which is enabled by using the spanning-tree backbonefast global configuration command, starts when a root port or blocked interface on a switch receives inferior BPDUs from its designated switch. An inferior BPDU identifies a switch that declares itself as both the root bridge and the designated switch.

If link L1 fails as shown in Figure 22-7, Switch C cannot detect this failure because it is not connected directly to link L1. However, because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root, and begins sending BPDUs to Switch C, identifying itself as the root.

Understanding EtherChannel Guard
You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel, but the interfaces on the other device are not. A misconfiguration can also occur if the channel parameters are not the same at both ends of the EtherChannel.

[Figure 22-9 Root Guard in a Service-Provider Network: the desired root switch sits in the service-provider network; a switch in the customer network is a potential spanning-tree root when root guard is not enabled]
Enable the root-guard feature on these interfaces to prevent switches in the customer network from becoming the root switch or being in the path to the root.

Configuring Optional Spanning-Tree Features
• Enabling BackboneFast, page 22-16 (optional)
• Enabling EtherChannel Guard, page 22-17 (optional)
• Enabling Root Guard, page 22-18 (optional)
• Enabling Loop Guard, page 22-18 (optional)
Default Optional Spanning-Tree Configuration
Table 22-1 shows the default optional spanning-tree configuration.

You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP. Beginning in privileged EXEC mode, follow these steps to enable Port Fast. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify an interface to configure, and enter interface configuration mode.

The BPDU guard feature provides a secure response to invalid configurations because you must manually put the port back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree.

You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs.
Caution: Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.

Beginning in privileged EXEC mode, follow these steps to enable UplinkFast and CSUF. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: spanning-tree uplinkfast [max-update-rate pkts-per-second]. Enable UplinkFast. (Optional) For pkts-per-second, the range is 0 to 32000 packets per second; the default is 150.

Note: If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs. This feature is supported for use with third-party switches.
You can configure the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.

Enabling Root Guard
Root guard enabled on an interface applies to all the VLANs to which the interface belongs. Do not enable the root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure.

Step 3: spanning-tree loopguard default. Enable loop guard. By default, loop guard is disabled.
Step 4: end. Return to privileged EXEC mode.
Step 5: show running-config. Verify your entries.
Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
To globally disable loop guard, use the no spanning-tree loopguard default global configuration command.
Chapter 23 Configuring Flex Links and the MAC Address-Table Move Update Feature
This chapter describes how to configure Flex Links, a pair of interfaces on the Catalyst 3750-X or 3560-X switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature.
Understanding Flex Links and the MAC Address-Table Move Update
Flex Links are typically configured in service provider or enterprise networks where customers do not want to run STP on the switch. If the switch is running STP, Flex Links is not necessary because STP already provides link-level redundancy or backup.
Figure 23-2 VLAN Flex Links Load Balancing Configuration Example (Switch A: gi2/0/6 forwarding VLANs 1-50 to uplink switch B, gi2/0/8 forwarding VLANs 51-100 to uplink switch C)
Flex Link Multicast Fast Convergence
Flex Link Multicast Fast Convergence reduces the multicast traffic convergence time after a Flex Link failure.
Leaking IGMP Reports
To achieve multicast traffic convergence with minimal loss, a redundant data path must be set up before the Flex Link active link goes down. This can be achieved by leaking only IGMP report packets on the Flex Link backup link.
Similarly, both Flex Link ports are part of learned groups. In this example, GigabitEthernet2/0/11 is a receiver/host in VLAN 1, which is interested in two multicast groups:
Switch# show ip igmp snooping groups
Vlan Group Type Version Port List
-----------------------------------------------------------------------
1 228.1.5.
Whenever a host responds to the general query, the switch forwards this report on all the mrouter ports. When you turn on this feature through the command-line interface, and when a report is forwarded by the switch on GigabitEthernet1/0/11, it is also leaked to the backup port GigabitEthernet1/0/12.
Figure 23-3 MAC Address-Table Move Update Example (PC attached to Switch A; Switch A ports 1 and 2 uplink through Switch B and Switch D to Switch C ports 3 and 4, where the server is attached)
Configuring Flex Links and MAC Address-Table Move Update
These sections contain this information:
• Configuration Guidelines, page 23-7
• Default Configuration, page 23-8
• Configuring Flex Links, page 23-8
• Configuring V
• An interface can belong to only one Flex Link pair. An interface can be a backup link for only one active link. An active link cannot belong to another Flex Link pair.
• Neither of the links can be a port that belongs to an EtherChannel.
Step 4: end. Return to privileged EXEC mode.
Step 5: show interface [interface-id] switchport backup. Verify the configuration.
Step 6: copy running-config startup-config. (Optional) Save your entries in the switch startup configuration file.
Step 7: show interface [interface-id] switchport backup. Verify the configuration.
Step 8: copy running-config startup-config. (Optional) Save your entries in the switch startup configuration file.
To remove a preemption scheme, use the no switchport backup interface interface-id preemption mode interface configuration command.
In the following example, VLANs 1 to 50, 60, and 100 to 120 are configured on the switch:
Switch(config)# interface gigabitethernet 2/0/6
Switch(config-if)# switchport backup interface gigabitethernet 2/0/8 prefer vlan 60,100-120
When both interfaces are up, Gi2/0/8 forwards traffic for VLANs 60 and 100 to 120 and Gi2/0/6 forwards traffic for VLANs 1 to 50.
Configuring the MAC Address-Table Move Update Feature
This section contains this information:
• Configuring a switch to send MAC address-table move updates
• Configuring a switch to get MAC address-table move updates
Beginning in privileged EXEC mode, follow these steps to configure an access switch to send MAC address-table move updates:
Step 1: configure terminal. Enter global configuration mode.
This example shows how to verify the configuration:
Switch# show mac-address-table move update
Switch-ID : 010b.4630.1780
Dst mac-address : 0180.c200.
Monitoring Flex Links and the MAC Address-Table Move Update
Table 23-1 shows the privileged EXEC commands for monitoring the Flex Links configuration and the MAC address-table move update information.
Chapter 24 Configuring DHCP Features and IP Source Guard
This chapter describes how to configure DHCP snooping and option-82 data insertion, and the DHCP server port-based address allocation features on the Catalyst 3750-X or 3560-X switch. It also describes how to configure the IP source guard feature. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Understanding DHCP Features
• Cisco IOS DHCP Server Database, page 24-6
• DHCP Snooping Binding Database, page 24-6
For information about the DHCP client, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2.
DHCP Server
The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them.
When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware address. This check is enabled by default (the ip dhcp snooping verify mac-address global configuration command). If the addresses match, the switch forwards the packet. If the addresses do not match, the switch drops the packet.
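The following Python model of the untrusted-port checks is an added example and is not code from the configuration guide. It applies the check described above (Ethernet source MAC must equal the DHCP client hardware address) together with the option-82 rule from later in this chapter (option 82 is dropped on an untrusted port unless allow-untrusted is configured). Two further behaviours are the feature's standard ones and are included as assumptions: server replies (BOOTREPLY) are dropped on untrusted ports, and a binding is learned from the DHCPACK that answers a client request. The packets are constructed minimal BOOTP/DHCP messages, not captures; interface names are sample values.

```python
"""Model of the DHCP snooping checks applied on an untrusted port.

Added example; this is not code from the configuration guide.
Assumptions beyond the text: BOOTREPLY is dropped on untrusted ports,
and bindings are learned from DHCPACK answering a seen client request.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional

BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
DHCPDISCOVER, DHCPACK = 1, 5
MAGIC = b"\x63\x82\x53\x63"


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False      # ip dhcp snooping trust


@dataclass
class Snooper:
    """Global snooping state: enabled VLANs, option-82 policy, bindings."""
    vlans: set = field(default_factory=set)
    allow_untrusted: bool = False                 # ip dhcp snooping information option allow-untrusted
    pending: dict = field(default_factory=dict)   # (vlan, chaddr) -> client port
    bindings: dict = field(default_factory=dict)  # (vlan, ip) -> (chaddr, port)


def build_dhcp(op: int, chaddr: bytes, msg_type: int, yiaddr: str = "0.0.0.0",
               option82: Optional[bytes] = None) -> bytes:
    """Construct a minimal BOOTP header plus DHCP options (constructed test input)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, 0x1234ABCD, 0, 0,
        b"\0\0\0\0", bytes(int(o) for o in yiaddr.split(".")),
        b"\0\0\0\0", b"\0\0\0\0", chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if option82 is not None:
        options += bytes([OPT_RELAY_AGENT, len(option82)]) + option82
    return header + MAGIC + options + bytes([OPT_END])


def parse_dhcp(payload: bytes) -> dict:
    """Pull op, chaddr, yiaddr and the option map out of a DHCP payload."""
    hlen = payload[2]
    options, i = {}, 240            # 236-byte BOOTP header + 4-byte magic cookie
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:         # pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": payload[0], "chaddr": payload[28:28 + hlen],
            "yiaddr": ".".join(str(b) for b in payload[16:20]),
            "options": options}


def snoop(s: Snooper, port: Port, eth_src: bytes, payload: bytes) -> str:
    """Return 'forward' or 'drop: <reason>' for one DHCP packet on a port."""
    if port.vlan not in s.vlans:
        return "forward"                      # snooping not enabled on this VLAN
    pkt = parse_dhcp(payload)
    if port.trusted:
        # Server side: learn the binding from the ACK and forward it.
        if pkt["op"] == BOOTREPLY and pkt["options"].get(OPT_MSG_TYPE) == bytes([DHCPACK]):
            client_port = s.pending.pop((port.vlan, pkt["chaddr"]), None)
            if client_port is not None:
                s.bindings[(port.vlan, pkt["yiaddr"])] = (pkt["chaddr"], client_port)
        return "forward"
    if pkt["op"] == BOOTREPLY:
        return "drop: server message on untrusted port"
    if pkt["chaddr"] != eth_src:              # the check described in the text above
        return "drop: chaddr does not match source MAC"
    if OPT_RELAY_AGENT in pkt["options"] and not s.allow_untrusted:
        return "drop: option 82 on untrusted port"
    s.pending[(port.vlan, pkt["chaddr"])] = port.name
    return "forward"
```

The binding records the port on which the client request arrived, not the trusted port that delivered the ACK; that is what makes the binding usable by IP source guard and dynamic ARP inspection later in this guide.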
Figure 24-1 DHCP Relay Agent in a Metropolitan Ethernet Network (DHCP server; Catalyst switch acting as DHCP relay agent; access layer, VLAN 10, with subscribers Host A and Host B as DHCP clients)
When you enable the DHCP snooping information option 82 on the switch, this sequence of events occurs:
• The host (DHCP client) generates a DHCP request and broadcasts it on the network.
In the port field of the circuit ID suboption, the port numbers start at 3. For example, on a Catalyst 3750-E switch with 24 10/100/1000 ports and four small form-factor pluggable (SFP) module slots, port 3 is the Gigabit Ethernet 1/0/1 port, port 4 is the Gigabit Ethernet 1/0/2 port, and so forth. Port 27 is the SFP module slot Gigabit Ethernet1/0/25, and so forth.
Figure 24-3 User-Configured Suboption Packet Formats
Circuit ID suboption frame format (for a user-configured string): suboption type (1 byte, value 1), length (1 byte, N+2), circuit ID type (1 byte, value 1), length (1 byte, N), ASCII circuit ID string (N bytes, N = 3 to 63).
Remote ID suboption frame format (for a user-configured string): suboption type (1 byte, value 2), length (1 byte, N+2), remote ID type (1 byte, value 1), length (1 byte, N), ASCII remote ID string or hostname (N bytes).
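The encoder and decoder below are an added example, not code from the guide. The user-configured ASCII formats follow Figure 24-3 above. The default binary format (circuit ID carrying VLAN, module and port; remote ID carrying the switch MAC address) is the guide's documented default and is reproduced from that description as an assumption, with the port field starting at 3 for GigabitEthernet1/0/1 as the text states and the module field taken to be the stack member number. The decoder also checks that the outer and inner length bytes agree, which is the first thing a relay or server should verify before trusting the suboption contents.

```python
"""Encode and decode DHCP option-82 suboptions in the formats this chapter shows.

Added example, not code from the guide. Assumptions: the default
binary layout (type, N+2, 0, N, VLAN:2 module:1 port:1 / MAC:6) and
module = stack member number.
"""
import struct

SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
TYPE_DEFAULT, TYPE_STRING = 0, 1


def _split_ifname(ifname: str):
    """'GigabitEthernet2/0/25' -> (stack member 2, port 25)."""
    member, _, port = ifname.split("Ethernet", 1)[1].split("/")
    return int(member), int(port)


def default_circuit_id(vlan: int, ifname: str) -> bytes:
    """Default circuit ID: VLAN (2 bytes), module (1 byte), port (1 byte)."""
    member, port = _split_ifname(ifname)
    body = struct.pack("!HBB", vlan, member, port + 2)   # port numbering starts at 3
    return bytes([SUBOPT_CIRCUIT_ID, len(body) + 2, TYPE_DEFAULT, len(body)]) + body


def default_remote_id(switch_mac: bytes) -> bytes:
    """Default remote ID: the 6-byte switch MAC address."""
    return bytes([SUBOPT_REMOTE_ID, 8, TYPE_DEFAULT, 6]) + switch_mac


def string_suboption(subopt: int, text: str) -> bytes:
    """User-configured format from Figure 24-3: type, N+2, 1, N, ASCII string."""
    data = text.encode("ascii")
    if not 3 <= len(data) <= 63:
        raise ValueError("circuit/remote ID string must be 3 to 63 bytes")
    return bytes([subopt, len(data) + 2, TYPE_STRING, len(data)]) + data


def parse_option82(opt: bytes) -> dict:
    """Decode an option-82 payload into its circuit_id and remote_id values."""
    out, i = {}, 0
    while i < len(opt):
        subopt, length = opt[i], opt[i + 1]
        value = opt[i + 2:i + 2 + length]
        kind, inner, body = value[0], value[1], value[2:]
        if len(body) != inner or inner + 2 != length:
            raise ValueError("inconsistent suboption lengths")
        if kind == TYPE_STRING:
            decoded = body.decode("ascii")
        elif subopt == SUBOPT_CIRCUIT_ID:
            vlan, member, port = struct.unpack("!HBB", body)
            decoded = {"vlan": vlan, "module": member, "port": port,
                       "interface": f"GigabitEthernet{member}/0/{port - 2}"}
        elif subopt == SUBOPT_REMOTE_ID:
            h = body.hex()
            decoded = ".".join(h[j:j + 4] for j in range(0, len(h), 4))
        else:
            raise ValueError(f"unknown suboption {subopt}")
        out["circuit_id" if subopt == SUBOPT_CIRCUIT_ID else "remote_id"] = decoded
        i += 2 + length
    return out
```

Because the length fields are redundant, a DHCP server that keys address assignment on option 82 should reject suboptions whose lengths disagree rather than guess, as parse_option82 does; a client on an untrusted port cannot inject its own option 82 unless allow-untrusted is configured, but an aggregation switch that accepts it from an edge switch is only as trustworthy as that edge.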
When reloading, the switch reads the binding file to build the DHCP snooping binding database. The switch updates the file when the database changes. When a switch learns of new bindings or when it loses bindings, the switch immediately updates the entries in the database. The switch also updates the entries in the binding file.
When a stack merge occurs, all DHCP snooping bindings in the stack master are lost if it is no longer the stack master. With a stack partition, the existing stack master is unchanged, and the bindings belonging to the partitioned switches age out. The new master of the partitioned stack begins processing the new incoming DHCP packets. For more information about switch stacks, see Chapter 5, “Managing Switch Stacks.”
Configuring DHCP Features
Table 24-1 Default DHCP Configuration (continued)
Cisco IOS DHCP server binding database: Enabled in Cisco IOS software, requires configuration. Note: The switch gets network addresses and configuration parameters only from a device configured as a DHCP server.
DHCP snooping binding database agent: Enabled in Cisco IOS software, requires configuration.
• Follow these guidelines when configuring the DHCP snooping binding database:
– Because both NVRAM and the flash memory have limited storage capacity, we recommend that you store the binding file on a TFTP server.
– For network-based URLs (such as TFTP and FTP), you must create an empty file at the configured URL before the switch can write bindings to the binding file at that URL.
– TFTP and FTP provide no authentication or integrity protection for the file in transit, and the switch rebuilds its binding database from that file after a reload. Restrict who can reach and write to the server directory, because anyone who can alter the file can seed bindings that the switch, and the IP source guard and dynamic ARP inspection features that depend on them, will trust.
Configuring the DHCP Relay Agent
Beginning in privileged EXEC mode, follow these steps to enable the DHCP relay agent on the switch:
Step 1: configure terminal. Enter global configuration mode.
Step 2: service dhcp. Enable the DHCP server and relay agent on your switch. By default, this feature is enabled.
Step 3: end. Return to privileged EXEC mode.
Step 4: show running-config. Verify your entries.
interface range port-range: Configure multiple physical ports that are connected to the DHCP clients, and enter interface range configuration mode. Or: interface interface-id: Configure a single physical port that is connected to the DHCP client, and enter interface configuration mode.
Step 7: switchport mode access. Define the VLAN membership mode for the port.
Step 6: ip dhcp snooping information option allow-untrusted. (Optional) If the switch is an aggregation switch connected to an edge switch, enable the switch to accept incoming DHCP snooping packets with option-82 information from the edge switch. The default setting is disabled.
Note: Enter this command only on aggregation switches that are connected to trusted devices.
This example shows how to enable DHCP snooping globally and on VLAN 10 and to configure a rate limit of 100 packets per second on a port:
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ip dhcp snooping information option
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip dhcp snooping limit rate 100
The example marks no port as trusted. In a working deployment, the port toward the DHCP server or relay must be configured with the ip dhcp snooping trust interface configuration command; otherwise the server's replies arrive on an untrusted port and are dropped.
Enabling DHCP Snooping on Private VLANs
You can enable DHCP snoop
Enabling the DHCP Snooping Binding Database Agent
Beginning in privileged EXEC mode, follow these steps to enable and configure the DHCP snooping binding database agent on the switch:
Step 1: configure terminal. Enter global configuration mode.
Displaying DHCP Snooping Information
Table 24-2 Commands for Displaying DHCP Information
show ip dhcp snooping: Displays the DHCP snooping configuration for a switch.
show ip dhcp snooping binding: Displays only the dynamically configured bindings in the DHCP snooping binding database, also referred to as a binding table.
Understanding IP Source Guard
Source IP Address Filtering
When IPSG is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.
Note: Some IP hosts with multiple network interfaces can inject invalid packets into a network interface. The invalid packets carry the IP or MAC address of another network interface of the same host as the source address. These packets can cause IPSG for static hosts to learn the invalid IP or MAC address bindings for that interface and to reject the valid bindings.
Configuring IP Source Guard
• If you enable IP source guard with source IP and MAC address filtering, DHCP snooping and port security must be enabled on the interface. You must also enter the ip dhcp snooping information option global configuration command and ensure that the DHCP server supports option 82. When IP source guard is enabled with MAC address filtering, the DHCP host MAC address is not learned until the host is granted a lease.
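The following Python model of the two IPSG filter modes is an added example and is not code from the guide. It checks traffic on a port against bindings that come either from the DHCP snooping binding database or from static ip source binding entries, in source-IP mode and in source-IP-and-MAC mode, and renders rows in the spirit of show ip verify source. That IPSG always lets DHCP packets through so a host can still obtain a lease, and that a port with no binding denies all other IP traffic, are the feature's standard behaviours and are assumptions here. Interface names and addresses are constructed sample data.

```python
"""IP source guard filtering against the binding table (model).

Added example, not code from the guide. Assumptions: DHCP is always
permitted on an IPSG port, and a port without a binding denies all
other IP traffic ("deny-all").
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    mac: str          # Cisco dotted format, e.g. 0001.0600.0000
    vlan: int
    ip: str
    interface: str
    static: bool = False   # True for ip source binding entries


@dataclass
class SourceGuard:
    bindings: set = field(default_factory=set)
    mode: dict = field(default_factory=dict)   # interface -> "ip" or "ip-mac"

    def learn(self, b: Binding) -> None:
        """Add a binding, dynamic (DHCP snooping) or static (ip source binding)."""
        self.bindings.add(b)

    def enable(self, interface: str, with_mac: bool = False) -> None:
        """ip verify source [port-security] on the interface."""
        self.mode[interface] = "ip-mac" if with_mac else "ip"

    def permit(self, interface: str, vlan: int, src_mac: str, src_ip: str,
               is_dhcp: bool = False) -> bool:
        """Decide one IP packet received on the interface."""
        mode = self.mode.get(interface)
        if mode is None or is_dhcp:
            return True
        for b in self.bindings:
            if (b.interface, b.vlan, b.ip) != (interface, vlan, src_ip):
                continue
            if mode == "ip" or b.mac.lower() == src_mac.lower():
                return True
        return False          # no matching binding: denied by the port ACL

    def filter(self, packets):
        """Split (interface, vlan, mac, ip) tuples into permitted and denied lists."""
        permitted, denied = [], []
        for pkt in packets:
            (permitted if self.permit(*pkt) else denied).append(pkt)
        return permitted, denied

    def show_verify_source(self) -> list:
        """Rows like show ip verify source: (interface, filter type, IP, MAC, VLAN)."""
        rows = []
        for iface, mode in sorted(self.mode.items()):
            matches = sorted((b for b in self.bindings if b.interface == iface),
                             key=lambda b: (b.vlan, b.ip))
            if not matches:                       # no binding yet: deny-all
                rows.append((iface, mode, "deny-all", None, None))
            for b in matches:
                rows.append((iface, mode, b.ip, b.mac if mode == "ip-mac" else None, b.vlan))
        return rows
```

The MAC comparison in "ip-mac" mode is only meaningful when port security has already pinned the MAC to the port, which is why the guideline above requires port security alongside DHCP snooping for that mode.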
ip source binding mac-address vlan vlan-id ip-address interface interface-id: Add a static IP source binding.
Step 6: end. Return to privileged EXEC mode.
Step 7: show ip verify source [interface interface-id]. Verify the IP source guard configuration.
Beginning in privileged EXEC mode:
Step 1: configure terminal. Enter global configuration mode.
Step 2: ip device tracking. Turn on the IP host table, and globally enable IP device tracking.
Step 3: interface interface-id. Enter interface configuration mode.
Step 4: switchport mode access. Configure a port as access.
Step 5: switchport access vlan vlan-id. Configure the VLAN for this port.
This example shows how to enable IPSG with static hosts on a port.
IP Address    MAC Address      Vlan  Interface             STATE
200.1.1.8     0001.0600.0000   8     GigabitEthernet1/0/1  INACTIVE
200.1.1.9     0001.0600.0000   8     GigabitEthernet1/0/1  INACTIVE
200.1.1.10    0001.0600.0000   8     GigabitEthernet1/0/1  INACTIVE
200.1.1.1     0001.0600.0000   9     GigabitEthernet1/0/2  ACTIVE
200.1.1.1     0001.0600.0000   8     GigabitEthernet1/0/1  INACTIVE
200.1.1.2     0001.0600.
Configuring IP Source Guard for Static Hosts on a Private VLAN Host Port
Note: For IPSG for static hosts to work, you must enable IP device tracking globally (the ip device tracking global configuration command) and configure the ip device tracking maximum limit-number interface configuration command on the port.
This example shows how to enable IPSG for static hosts with IP filters on a private VLAN host port:
Switch(config)# vlan 200
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# exit
Switch(config)# vlan 201
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 200
Switch(config-vlan)# private-vlan association 201
Switch(config-vlan)# exit
Switch(config)# int gigabi
Understanding DHCP Server Port-Based Address Allocation
DHCP server port-based address allocation is a feature that enables DHCP to maintain the same IP address on an Ethernet switch port regardless of the attached device client identifier or client hardware address. When Ethernet switches are deployed in the network, they offer connectivity to the directly connected devices.
Configuring DHCP Server Port-Based Address Allocation
Enabling DHCP Server Port-Based Address Allocation
Beginning in privileged EXEC mode, follow these steps to globally enable port-based address allocation and to automatically generate a subscriber identifier on an interface.
Step 1: configure terminal. Enter global configuration mode.
Step 5: reserved-only. (Optional) Use only reserved addresses in the DHCP address pool. The default is to not restrict pool addresses.
Step 6: end. Return to privileged EXEC mode.
Step 7: show ip dhcp pool. Verify DHCP pool configuration.
Step 8: copy running-config startup-config. (Optional) Save your entries in the configuration file.
For more information about configuring the DHCP server port-based address allocation feature, go to Cisco.com, and enter Cisco IOS IP Addressing Services in the Search field to access the Cisco IOS software documentation. You can also access the documentation here: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.
Chapter 25 Configuring Dynamic ARP Inspection
This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 3750-X or 3560-X switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Understanding Dynamic ARP Inspection
Figure 25-1 ARP Cache Poisoning (Host A (IA, MA), Host B (IB, MB), and Host C, the man-in-the-middle (IC, MC), attached to switch interfaces A, B, and C)
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA.
You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header. Use the ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command. For more information, see the “Performing Validation Checks” section on page 25-12.
Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running dynamic ARP inspection.
Logging of Dropped Packets
When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
Configuring Dynamic ARP Inspection
Table 25-1 Default Dynamic ARP Inspection Configuration (continued)
Log buffer: When dynamic ARP inspection is enabled, all denied or dropped ARP packets are logged. The number of entries in the log is 32. The number of system messages is limited to 5 per second. The logging-rate interval is 1 second.
Per-VLAN logging: All denied or dropped ARP packets are logged.
• The operating rate for the port channel is cumulative across all the physical ports within the channel. For example, if you configure the port channel with an ARP rate-limit of 400 pps, all the interfaces combined on the channel receive an aggregate 400 pps. The rate of incoming ARP packets on EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members.
Step 3: ip arp inspection vlan vlan-range. Enable dynamic ARP inspection on a per-VLAN basis. By default, dynamic ARP inspection is disabled on all VLANs. For vlan-range, specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094. Specify the same VLAN ID for both switches.
If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and Host 1 could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure port 1 on Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and apply it to VLAN 1.
Step 7: no ip arp inspection trust. Configure the Switch A interface that is connected to Switch B as untrusted. By default, all interfaces are untrusted. For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination.
For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the “Dynamic ARP Inspection Configuration Guidelines” section on page 25-6.
Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Performing Validation Checks
Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address. Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP packets. This procedure is optional.
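The Python model below is an added example, not code from the guide. It brings together the decisions this chapter describes for an ARP packet arriving on an untrusted port in an inspected VLAN: the per-port rate limit (the default of 15 pps on untrusted ports is the guide's documented default, taken here as an assumption) with err-disable when exceeded, the optional src-mac, dst-mac and ip validation checks, an ARP ACL applied to the VLAN as in the Switch A / Host 2 case above, and finally the DHCP snooping bindings. Trusted ports bypass inspection. Denied packets go to a log buffer carrying the flow fields the text lists. The ip check treats 0.0.0.0, 255.255.255.255 and multicast addresses as invalid, checking the sender IP on every packet and the target IP on replies only. Packets, bindings and interface names are constructed sample data.

```python
"""Dynamic ARP inspection decision logic (model).

Added example; not code from the guide. Assumed: default untrusted
port rate limit of 15 pps; an ARP ACL applied with the static keyword
denies non-matching packets without consulting DHCP bindings.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address

REQUEST, REPLY = 1, 2


@dataclass(frozen=True)
class Arp:
    eth_src: str
    eth_dst: str
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _bad_ip(addr: str) -> bool:
    """Addresses the ip validation check rejects."""
    return addr in ("0.0.0.0", "255.255.255.255") or ip_address(addr).is_multicast


@dataclass
class Inspector:
    vlans: set = field(default_factory=set)          # ip arp inspection vlan
    trusted: set = field(default_factory=set)        # ip arp inspection trust
    bindings: set = field(default_factory=set)       # (vlan, mac, ip) from D
    acl: dict = field(default_factory=dict)          # vlan -> (set of (ip, mac), static)
    validate: set = field(default_factory=set)       # subset of {"src-mac", "dst-mac", "ip"}
    limit: dict = field(default_factory=dict)        # interface -> pps (ip arp inspection limit rate)
    counts: dict = field(default_factory=lambda: defaultdict(int))  # (iface, second) -> packets
    errdisabled: set = field(default_factory=set)
    log: list = field(default_factory=list)          # log buffer entries

    def _drop(self, iface, vlan, pkt, reason):
        self.log.append((vlan, iface, pkt.sender_ip, pkt.target_ip,
                         pkt.sender_mac, pkt.target_mac, reason))
        return "drop: " + reason

    def inspect(self, iface: str, vlan: int, pkt: Arp, now: float) -> str:
        """Return 'forward' or 'drop: <reason>' for one ARP packet."""
        if iface in self.errdisabled:
            return "drop: port err-disabled"
        if vlan not in self.vlans or iface in self.trusted:
            return "forward"
        key = (iface, int(now))
        self.counts[key] += 1
        if self.counts[key] > self.limit.get(iface, 15):
            self.errdisabled.add(iface)
            return self._drop(iface, vlan, pkt, "rate limit exceeded, port err-disabled")
        if "src-mac" in self.validate and pkt.eth_src != pkt.sender_mac:
            return self._drop(iface, vlan, pkt, "src-mac validation failed")
        if "dst-mac" in self.validate and pkt.op == REPLY and pkt.eth_dst != pkt.target_mac:
            return self._drop(iface, vlan, pkt, "dst-mac validation failed")
        if "ip" in self.validate and (_bad_ip(pkt.sender_ip) or
                                      (pkt.op == REPLY and _bad_ip(pkt.target_ip))):
            return self._drop(iface, vlan, pkt, "ip validation failed")
        if vlan in self.acl:
            entries, static = self.acl[vlan]
            if (pkt.sender_ip, pkt.sender_mac) in entries:
                return "forward"
            if static:                         # implicit deny; bindings not consulted
                return self._drop(iface, vlan, pkt, "denied by ARP ACL")
        if (vlan, pkt.sender_mac, pkt.sender_ip) in self.bindings:
            return "forward"
        return self._drop(iface, vlan, pkt, "no DHCP snooping binding for sender")
```

Note what the model makes visible: a host with a valid binding can still have its port err-disabled by a burst above the rate limit, so a rate limit on a port behind which many hosts sit (or an EtherChannel, whose rate is the sum of its members) needs to be sized for the aggregate, not for a single host.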
Configuring the Log Buffer
When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
Step 3: ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}. Control the type of packets that are logged per VLAN. By default, all denied or all dropped packets are logged. The term logged means the entry is placed in the log buffer and a system message is generated.
Displaying Dynamic ARP Inspection Information
Table 25-3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics
clear ip arp inspection statistics: Clears dynamic ARP inspection statistics.
show ip arp inspection statistics [vlan vlan-range]: Displays statistics for forwarded, dropped, MAC validation failure, IP validation failure, ACL permitted and denied, and DHCP permitted and denied packets for the specified VLAN.
Chapter 26 Configuring IGMP Snooping and MVR
This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on the Catalyst 3750-X or 3560-X switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action.
Understanding IGMP Snooping
Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast devices.
IGMP Versions
The switch supports IGMP Version 1, IGMP Version 2, and IGMP Version 3. These versions are interoperable on the switch. For example, if IGMP snooping is enabled on an IGMPv2 switch and the switch receives an IGMPv3 report from a host, the switch can forward the IGMPv3 report to the multicast router.
Note: The switch supports IGMPv3 snooping based only on the destination multicast MAC address.
The switch hardware can distinguish IGMP information packets from other packets for the multicast group. The information in the table tells the switching engine to send frames addressed to the 224.1.2.3 multicast IP address that are not IGMP packets to the router and to the host that has joined the group.
Immediate Leave
Immediate Leave is only supported on IGMP Version 2 hosts. The switch uses IGMP snooping Immediate Leave to remove from the forwarding table an interface that sends a leave message without the switch sending group-specific queries to the interface. The VLAN interface is pruned from the multicast tree for the multicast group specified in the original leave message.
IGMP Snooping and Switch Stacks
IGMP snooping functions across the switch stack; that is, IGMP control information from one switch is distributed to all switches in the stack. (See Chapter 5, “Managing Switch Stacks,” for more information about switch stacks.) Regardless of the stack member through which IGMP multicast data enters the stack, the data reaches the hosts that have registered for that group.
Configuring IGMP Snooping
Enabling or Disabling IGMP Snooping
By default, IGMP snooping is globally enabled on the switch. When globally enabled or disabled, it is also enabled or disabled in all existing VLAN interfaces. IGMP snooping is by default enabled on all VLANs, but can be enabled and disabled on a per-VLAN basis. Global IGMP snooping overrides the VLAN IGMP snooping. If global snooping is disabled, you cannot enable VLAN snooping.
You can configure the switch either to snoop on IGMP queries and PIM/DVMRP packets or to listen to CGMP self-join or proxy-join packets. By default, the switch snoops on PIM/DVMRP packets on all VLANs. To learn of multicast router ports through only CGMP packets, use the ip igmp snooping vlan vlan-id mrouter learn cgmp global configuration command.
Beginning in privileged EXEC mode, follow these steps to enable a static connection to a multicast router:
Step 1: configure terminal. Enter global configuration mode.
Step 2: ip igmp snooping vlan vlan-id mrouter interface interface-id. Specify the multicast router VLAN ID and the interface to the multicast router.
• The VLAN ID range is 1 to 1001 and 1006 to 4094.
This example shows how to statically configure a host on a port:
Switch# configure terminal
Switch(config)# ip igmp snooping vlan 105 static 224.2.4.12 interface gigabitethernet1/0/1
Switch(config)# end
Enabling IGMP Immediate Leave
When you enable IGMP Immediate Leave, the switch immediately removes a port when it detects an IGMP Version 2 leave message on that port. Use Immediate Leave only on VLANs where every port has a single receiver; with several receivers behind one port, a leave from one host stops the group for the others on that port until they report again.
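The following Python model is an added example, not code from the guide. It keeps the per-VLAN forwarding table described under Understanding IGMP Snooping (multicast router ports plus the ports that reported membership) and shows the two ways a port is removed on an IGMPv2 leave: immediately when Immediate Leave is enabled, or only after the group-specific query the switch sends goes unanswered for the last-member-query interval (1000 ms default). When the last member leaves, the entry is removed and egress returns None, standing for the switch's default behaviour of flooding unknown multicast within the VLAN, which is an assumption here. Groups, VLANs and port names are constructed.

```python
"""IGMP snooping group table with and without Immediate Leave (model).

Added example, not code from the guide. Assumption: a group with no
snooping entry is flooded in the VLAN (egress() returns None).
"""
from dataclasses import dataclass, field


@dataclass
class VlanState:
    vid: int
    immediate_leave: bool = False                  # ip igmp snooping vlan <vid> immediate-leave
    mrouter_ports: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)     # group -> set of member ports
    pending: dict = field(default_factory=dict)    # (group, port) -> query deadline


class IgmpSnooper:
    def __init__(self, last_member_query_interval_ms: int = 1000):
        self.vlans = {}
        self.query_interval = last_member_query_interval_ms / 1000.0

    def vlan(self, vid: int) -> VlanState:
        return self.vlans.setdefault(vid, VlanState(vid))

    def report(self, vid: int, port: str, group: str) -> None:
        """IGMPv2 membership report: add the port and cancel any pending query."""
        v = self.vlan(vid)
        v.groups.setdefault(group, set()).add(port)
        v.pending.pop((group, port), None)

    def leave(self, vid: int, port: str, group: str, now: float) -> None:
        """IGMPv2 leave: prune at once, or send a group-specific query and wait."""
        v = self.vlan(vid)
        if port not in v.groups.get(group, ()):
            return
        if v.immediate_leave:
            self._remove(v, group, port)
        else:
            v.pending[(group, port)] = now + self.query_interval

    def tick(self, vid: int, now: float) -> None:
        """Expire group-specific queries that no report has answered."""
        v = self.vlan(vid)
        for (group, port), deadline in list(v.pending.items()):
            if now >= deadline:
                del v.pending[(group, port)]
                self._remove(v, group, port)

    def egress(self, vid: int, group: str):
        """Ports that receive data for the group; None means no entry (flooded)."""
        v = self.vlan(vid)
        if group not in v.groups:
            return None
        return set(v.groups[group]) | set(v.mrouter_ports)

    @staticmethod
    def _remove(v: VlanState, group: str, port: str) -> None:
        members = v.groups.get(group)
        if members is None:
            return
        members.discard(port)
        if not members:
            del v.groups[group]
```

Lowering last-member-query-interval shortens the window in which data keeps flowing to a port after a leave, at the cost of giving a slow host less time to answer the query before it is pruned.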
Chapter 26 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Beginning in privileged EXEC mode, follow these steps to enable the IGMP configurable-leave timer: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip igmp snooping last-member-query-interval time Configure the IGMP leave timer globally. The range is 100 to 32768 milliseconds. The default is 1000 seconds.
Chapter 26 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Command Purpose Step 3 end Return to privileged EXEC mode. Step 4 show ip igmp snooping Verify the TCN settings. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default flooding query count, use the no ip igmp snooping tcn flood query count global configuration command.
Command / Purpose
Step 3  no ip igmp snooping tcn flood
        Disable the flooding of multicast traffic during a spanning-tree TCN event. By default, multicast flooding is enabled on an interface.
Step 4  exit
        Return to privileged EXEC mode.
Step 5  show ip igmp snooping
        Verify the TCN settings.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Command / Purpose
Step 4  ip igmp snooping querier query-interval interval-count
        (Optional) Set the interval between IGMP queriers. The range is 1 to 18000 seconds.
Step 5  ip igmp snooping querier tcn query [count count | interval interval]
        (Optional) Set the time between Topology Change Notification (TCN) queries. The count range is 1 to 10. The interval range is 1 to 255 seconds.
Beginning in privileged EXEC mode, follow these steps to disable IGMP report suppression:
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  no ip igmp snooping report-suppression
        Disable IGMP report suppression.
Step 3  end
        Return to privileged EXEC mode.
Step 4  show ip igmp snooping
        Verify that IGMP report suppression is disabled.
Table 26-4 Commands for Displaying IGMP Snooping Information (continued)
Command / Purpose
show ip igmp snooping mrouter [vlan vlan-id]
        Display information on dynamically learned and manually configured multicast router interfaces.
        Note: When you enable IGMP snooping, the switch automatically learns the interface to which a multicast router is connected. These are dynamically learned interfaces.
Understanding Multicast VLAN Registration
You can set the switch for compatible or dynamic mode of MVR operation:
• In compatible mode, multicast data received by MVR hosts is forwarded to all MVR data ports, regardless of MVR host membership on those ports. The multicast data is forwarded only to those receiver ports that MVR hosts have joined, either by IGMP reports or by MVR static configuration.
Figure 26-3 Multicast VLAN Registration Example
[Figure: a multicast server and Cisco router feed the multicast VLAN; Switch B's source ports (SP1, SP2) carry multicast data to Switch A, whose receiver ports (RP1 through RP7) connect to the customer premises (hub, set-top boxes, TV, PC). IGMP joins travel upstream from the set-top boxes; TV data travels downstream. RP = Receiver Port, SP = Source Port. Note: All source ports belong to the multicast VLAN.]
Layer 3 device. The access layer switch, Switch A, modifies the forwarding behavior to allow the traffic to be forwarded from the multicast VLAN to the subscriber port in a different VLAN, selectively allowing traffic to cross between two VLANs. IGMP reports are sent to the same IP multicast group address as the multicast data.
• MVR can coexist with IGMP snooping on a switch.
• MVR data received on an MVR receiver port is not forwarded to MVR source ports.
• MVR does not support IGMPv3 messages.
Configuring MVR Global Parameters
You do not need to set the optional MVR parameters if you choose to use the default settings. If you do want to change the default parameters (except for the MVR VLAN), you must first enable MVR.
This example shows how to enable MVR, configure the group address, set the query time to 1 second (10 tenths), specify the MVR multicast VLAN as VLAN 22, and set the MVR mode as dynamic:
Switch(config)# mvr
Switch(config)# mvr group 228.1.23.
[remaining mvr commands truncated in source]
Switch(config)# end
Command / Purpose
Step 8  show mvr, show mvr interface, or show mvr members
        Verify the configuration.
Step 9  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To return the interface to its default settings, use the no mvr [type | immediate | vlan vlan-id | group] interface configuration commands.
Configuring IGMP Filtering and Throttling
In some environments, for example, metropolitan or multiple-dwelling unit (MDU) installations, you might want to control the set of multicast groups to which a user on a switch port can belong. You can control the distribution of multicast services, such as IP/TV, based on some type of subscription or service plan.
When the maximum number of groups is in the forwarding table, the default IGMP throttling action is to deny the IGMP report. For configuration guidelines, see the "Configuring the IGMP Throttling Action" section on page 26-26.
This example shows how to create IGMP profile 4 allowing access to the single IP multicast address and how to verify the configuration. If the action was to deny (the default), it would not appear in the show ip igmp profile output display.
Switch(config)# ip igmp profile 4
Switch(config-igmp-profile)# permit
Switch(config-igmp-profile)# range 229.9.9.
Setting the Maximum Number of IGMP Groups
You can set the maximum number of IGMP groups that a Layer 2 interface can join by using the ip igmp max-groups interface configuration command. Use the no form of this command to set the maximum back to the default, which is no limit. This restriction can be applied to Layer 2 ports only; you cannot set a maximum number of IGMP groups on routed ports or SVIs.
• If you configure the throttling action and set the maximum group limitation after an interface has added multicast entries to the forwarding table, the forwarding-table entries are either aged out or removed, depending on the throttling action.
  – If you configure the throttling action as deny, the entries that were previously in the forwarding table are not removed but are aged out.
Displaying IGMP Filtering and Throttling Configuration
You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface. You can also display the IGMP throttling configuration for all interfaces on the switch or for a specified interface.
Chapter 27 Configuring IPv6 MLD Snooping
You can use Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP Version 6 (IPv6) multicast data to clients and routers in a switched network on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
Understanding MLD Snooping
MLD is a protocol used by IPv6 multicast routers to discover the presence of multicast listeners (nodes wishing to receive IPv6 multicast packets) on the links that are directly attached to the routers and to discover which multicast packets are of interest to neighboring nodes. MLD is derived from IGMP; MLD Version 1 (MLDv1) is equivalent to IGMPv2, and MLD Version 2 (MLDv2) is equivalent to IGMPv3.
MLD Messages
MLDv1 supports three types of messages:
• Listener Queries are the equivalent of IGMPv2 queries and are either General Queries or Multicast-Address-Specific Queries (MASQs).
• Multicast Listener Reports are the equivalent of IGMPv2 reports.
• Multicast Listener Done messages are the equivalent of IGMPv2 leave messages.
MLDv2 supports MLDv2 queries and reports, as well as MLDv1 Report and Done messages.
Multicast Router Discovery
Like IGMP snooping, MLD snooping performs multicast router discovery, with these characteristics:
• Ports configured by a user never age out.
• Dynamic port learning results from MLDv1 snooping queries and IPv6 PIMv2 packets.
• If there are multiple routers on the same Layer 2 interface, MLD snooping tracks a single multicast router on the port (the router that most recently sent a router control packet).
The number of MASQs generated is configured by using the ipv6 mld snooping last-listener-query count global configuration command. The default number is 2. The MASQ is sent to the IPv6 multicast address for which the Done message was sent.
Default MLD Snooping Configuration
Table 27-1 Default MLD Snooping Configuration
Feature                              Default Setting
MLD snooping (Global)                Disabled.
MLD snooping (per VLAN)              Enabled. MLD snooping must be globally enabled for VLAN MLD snooping to take place.
IPv6 Multicast addresses             None configured.
IPv6 Multicast router ports          None configured.
MLD snooping Immediate Leave         Disabled.
Enabling or Disabling MLD Snooping
By default, IPv6 MLD snooping is globally disabled on the switch and enabled on all VLANs. When MLD snooping is globally disabled, it is also disabled on all VLANs. When you globally enable MLD snooping, the VLAN configuration overrides the global configuration. That is, MLD snooping is enabled only on VLAN interfaces in the default state (enabled).
Configuring a Static Multicast Group
Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure an IPv6 multicast address and member ports for a VLAN.
Beginning in privileged EXEC mode, follow these steps to add a multicast router port to a VLAN:
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ipv6 mld snooping vlan vlan-id mrouter interface interface-id
        Specify the multicast router VLAN ID, and specify the interface to the multicast router.
        • The VLAN ID range is 1 to 1001 and 1006 to 4094.
Configuring MLD Snooping Queries
When Immediate Leave is not enabled and a port receives an MLD Done message, the switch generates MASQs on the port and sends them to the IPv6 multicast address for which the Done message was sent. You can optionally configure the number of MASQs that are sent and the length of time the switch waits for a response before deleting the port from the multicast group.
This example shows how to set the MLD snooping global robustness variable to 3:
Switch# configure terminal
Switch(config)# ipv6 mld snooping robustness-variable 3
Switch(config)# exit
This example shows how to set the MLD snooping last-listener query count for a VLAN to 3:
Switch# configure terminal
Switch(config)# ipv6 mld snooping vlan 200 last-listener-query-count 3
Switch(config)# exit
This example shows how to set the MLD snoopi
To re-enable MLD message suppression, use the ipv6 mld snooping listener-message-suppression global configuration command.
Displaying MLD Snooping Information
You can display MLD snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for MLD snooping.
Chapter 28 Configuring Port-Based Traffic Control
This chapter describes how to configure the port-based traffic control features on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Configuring Storm Control
Storm control uses one of these methods to measure traffic activity:
• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in pack
Note: Because packets do not arrive at uniform intervals, the 1-second time interval during which traffic activity is measured can affect the behavior of storm control.
You use the storm-control interface configuration commands to set the threshold value for each traffic type.
Command / Purpose
Step 3  storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
        Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled. The keywords have these meanings:
        • For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage (up to two decimal places) of the bandwidth.
Command / Purpose
Step 6  show storm-control [interface-id] [broadcast | multicast | unicast]
        Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
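The measurement described above (a 1-second interval, a rising threshold, and an optional lower falling threshold) can be modelled to see why the Note about non-uniform packet arrival matters. This is an added example, not code from the Cisco guide; the arrival timestamps are constructed, and the "block while above rising, resume once below falling" rule is a simplified model of the switch behaviour.

```python
import math


def rate_per_interval(arrival_times, duration, interval=1.0):
    """Count packets in each fixed measurement interval (seconds), like the
    1-second window storm control uses. Timestamps outside the duration are ignored."""
    n = int(math.ceil(duration / interval))
    bins = [0] * n
    for t in arrival_times:
        idx = int(t // interval)
        if 0 <= idx < n:
            bins[idx] += 1
    return bins


def storm_control(rates, rising, falling=None):
    """Simplified model: once an interval's rate exceeds the rising threshold the
    traffic type is suppressed, and it stays suppressed until an interval's rate
    drops below the falling threshold (which defaults to the rising threshold).
    Returns one True/False suppression decision per interval."""
    falling = rising if falling is None else falling
    suppressed = False
    decisions = []
    for rate in rates:
        if not suppressed and rate > rising:
            suppressed = True
        elif suppressed and rate < falling:
            suppressed = False
        decisions.append(suppressed)
    return decisions


def demo():
    """Constructed scenario: the same 300 packets over 3 seconds, spread evenly
    versus sent as a burst, measured against a 200 pps rising threshold."""
    uniform = [i / 100 for i in range(300)]   # 100 pps in every interval
    burst = [i / 300 for i in range(300)]     # all 300 packets in the first second
    uniform_rates = rate_per_interval(uniform, duration=3)
    burst_rates = rate_per_interval(burst, duration=3)
    return {
        "uniform_rates": uniform_rates,
        "burst_rates": burst_rates,
        "uniform_blocked": storm_control(uniform_rates, rising=200),
        "burst_blocked": storm_control(burst_rates, rising=200),
        # Separate falling threshold: suppression persists through 150 and 100 pps
        # intervals and only lifts once the rate falls below 50 pps.
        "hysteresis": storm_control([300, 150, 100, 40], rising=200, falling=50),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both traffic patterns average 100 pps, but only the bursty one crosses the threshold inside a single measurement interval, which is the effect the Note warns about.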
Command / Purpose
Step 5  interface interface-id
        Enter interface configuration mode, and specify the interface to be configured.
Step 6  small-frame violation-rate pps
        Configure the threshold rate for the interface to drop incoming packets and error disable the port. The range is 1 to 10,000 packets per second (pps).
Step 7  end
        Return to privileged EXEC mode.
Step 8  show interfaces interface-id
        Verify the configuration.
Protected Port Configuration Guidelines
You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group. Do not configure a private-VLAN port as a protected port. Do not configure a protected port as a private-VLAN port.
Default Port Blocking Configuration
The default is to not block flooding of unknown multicast and unicast traffic out of a port, but to flood these packets to all ports.
Blocking Flooded Traffic on an Interface
Note: The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.
Configuring Port Security
If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs. Also, if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged.
If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration. The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system. This number is determined by the active Switch Database Management (SDM) template.
Table 28-1 Security Violation Mode Actions
Violation Mode   Traffic is forwarded(1)   Sends SNMP trap   Sends syslog message   Displays error message(2)   Violation counter increments   Shuts down port
protect          No                        No                No                     No                          No                             No
restrict         No                        Yes               Yes                    No                          Yes                            No
shutdown         No                        Yes               Yes                    No                          Yes                            Yes
shutdown vlan    No                        Yes               Yes                    No                          Yes                            No(3)
1.
VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
Enabling and Configuring Port Security
Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port:
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface to be configured, and enter interface configuration mode.
Command / Purpose
Step 7  switchport port-security violation {protect | restrict | shutdown | shutdown vlan}
        (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:
        • protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC
Command / Purpose
Step 8  switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]]
        (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
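The rules above (a per-port maximum, static and sticky addresses, dynamic learning of the remainder, a violation when the table is full or when a MAC secured on another port appears, and the per-mode consequences in Table 28-1) can be modelled end to end. This is an added example, not Cisco code; the interface names and MAC addresses are constructed, and the model treats "shutdown vlan" as disabling only the offending VLAN on the port.

```python
from dataclasses import dataclass, field

# Consequences of a violation per mode, transcribed from Table 28-1.
VIOLATION_ACTIONS = {
    "protect":       {"trap": False, "syslog": False, "count": False, "shutdown": None},
    "restrict":      {"trap": True,  "syslog": True,  "count": True,  "shutdown": None},
    "shutdown":      {"trap": True,  "syslog": True,  "count": True,  "shutdown": "port"},
    "shutdown vlan": {"trap": True,  "syslog": True,  "count": True,  "shutdown": "vlan"},
}


@dataclass
class SecurePort:
    """One interface with switchport port-security enabled."""
    name: str
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # switchport port-security violation ... (default)
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: dict = field(default_factory=dict)   # mac -> (vlan, "static"|"sticky"|"dynamic")
    violation_count: int = 0
    errdisabled: bool = False
    disabled_vlans: set = field(default_factory=set)

    def add_static(self, mac, vlan):
        """switchport port-security mac-address <mac> vlan <vlan>"""
        if mac not in self.secure_macs and len(self.secure_macs) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} secure addresses reached")
        self.secure_macs[mac] = (vlan, "static")


class Switch:
    """Holds the secure ports so that reuse of a secure MAC on another port is caught."""

    def __init__(self, *ports):
        self.ports = {p.name: p for p in ports}

    def owner_of(self, mac):
        return next((p.name for p in self.ports.values() if mac in p.secure_macs), None)

    def receive(self, port_name, src_mac, vlan):
        """Process one ingress frame and report what the switch does with it."""
        port = self.ports[port_name]
        result = {"forwarded": False, "violation": False, "trap": False, "syslog": False}
        if port.errdisabled or vlan in port.disabled_vlans:
            return result                       # already shut down: frame dropped
        if src_mac in port.secure_macs:
            result["forwarded"] = True          # known secure address
            return result
        if self.owner_of(src_mac) is None and len(port.secure_macs) < port.maximum:
            port.secure_macs[src_mac] = (vlan, "sticky" if port.sticky else "dynamic")
            result["forwarded"] = True          # room left: learn it
            return result
        # Table full, or the MAC is secure on another port: security violation.
        actions = VIOLATION_ACTIONS[port.violation]
        result.update(violation=True, trap=actions["trap"], syslog=actions["syslog"])
        if actions["count"]:
            port.violation_count += 1
        if actions["shutdown"] == "port":
            port.errdisabled = True
        elif actions["shutdown"] == "vlan":
            port.disabled_vlans.add(vlan)
        return result


def demo():
    """Constructed scenario: a restrict-mode port with one static and one sticky
    address, and a shutdown-mode port that sees a MAC secured on the first port."""
    sw = Switch(SecurePort("Gi1/0/1", maximum=2, violation="restrict", sticky=True),
                SecurePort("Gi1/0/2", maximum=1, violation="shutdown"))
    sw.ports["Gi1/0/1"].add_static("0000.0000.0003", vlan=21)
    log = [
        sw.receive("Gi1/0/1", "0000.0000.0001", 21),   # learned as sticky, forwarded
        sw.receive("Gi1/0/1", "0000.0000.0009", 21),   # table full: restrict (trap, syslog, counter)
        sw.receive("Gi1/0/2", "0000.0000.0003", 21),   # secured on Gi1/0/1: port err-disabled
        sw.receive("Gi1/0/2", "0000.0000.0008", 21),   # port is down: silently dropped
    ]
    return sw, log


if __name__ == "__main__":
    switch, events = demo()
    for event in events:
        print(event)
    for port in switch.ports.values():
        print(port.name, "violations:", port.violation_count, "errdisabled:", port.errdisabled)
```

Note that in protect mode the model (like the table) records no trap, no syslog and no counter increment, so a port in that mode gives no signal that a violation has been occurring.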
To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table. All addresses are now dynamically learned.
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Switch(config-if)# switchport port-security mac-address 0000.0000.
[remaining commands truncated in source]
To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command. To disable aging for only statically configured secure addresses, use the no switchport port-security aging static interface configuration command.
This example shows how to configure port security on a PVLAN host and promiscuous ports:
Switch(config)# interface gigabitethernet 0/8
Switch(config-if)# switchport private-vlan mapping 2061 2201-2206,3101
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport port-security maximum 288
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security viol
Chapter 29 Configuring CDP
This chapter describes how to configure Cisco Discovery Protocol (CDP) on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
CDP and Switch Stacks
A switch stack appears as a single switch in the network. Therefore, CDP discovers the switch stack, not the individual stack members. The switch stack sends CDP messages to neighboring network devices when there are changes to the switch stack membership, such as stack members being added or removed.
Command / Purpose
Step 4  cdp advertise-v2
        (Optional) Configure CDP to send Version-2 advertisements. This is the default state.
Step 5  end
        Return to privileged EXEC mode.
Step 6  show cdp
        Verify your settings.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Use the no form of the CDP commands to return to the default settings.
This example shows how to configure CDP characteristics.
Disabling and Enabling CDP on an Interface
CDP is enabled by default on all supported interfaces to send and to receive CDP information.
Beginning in privileged EXEC mode, follow these steps to disable CDP on a port:
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface on which you are disabling CDP, and enter interface configuration mode.
Monitoring and Maintaining CDP
Table 29-2 Commands for Displaying CDP Information
Command / Description
clear cdp counters
        Reset the traffic counters to zero.
clear cdp table
        Delete the CDP table of information about neighbors.
show cdp
        Display global information, such as frequency of transmissions and the holdtime for packets being sent.
show cdp entry entry-name [protocol | version]
        Display information about a specific neighbor.
Chapter 30 Configuring LLDP, LLDP-MED, and Wired Location Service
This chapter describes how to configure the Link Layer Discovery Protocol (LLDP), LLDP Media Endpoint Discovery (LLDP-MED) and wired location service on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Understanding LLDP, LLDP-MED, and Wired Location Service
LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes contain type, length, and value descriptions and are referred to as TLVs. LLDP-supported devices can use TLVs to receive and send information to their neighbors. This protocol can advertise details such as configuration information, device capabilities, and device identity.
LLDP-MED also supports an extended power TLV to advertise fine-grained power requirements, end-point power priority, and end-point and network connectivity-device power status. However, it does not provide for power negotiation between the endpoint and the network connectivity devices.
Depending on the device capabilities, the switch obtains this client information at link up:
• Slot and port specified in port connection
• MAC address specified in the client MAC address
• IP address specified in port connection
• 802.
Configuring LLDP, LLDP-MED, and Wired Location Service
• Default LLDP Configuration, page 30-5
• Configuration Guidelines, page 30-5
• Enabling LLDP, page 30-6
• Configuring LLDP Characteristics, page 30-6
• Configuring LLDP-MED TLVs, page 30-7
• Configuring Network-Policy TLV, page 30-8
• Configuring Location TLV and Wired Location Service, page 30-9
Default LLDP Configur
Enabling LLDP
Beginning in privileged EXEC mode, follow these steps to enable LLDP:
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  lldp run
        Enable LLDP globally on the switch.
Step 3  interface interface-id
        Specify the interface on which you are enabling LLDP, and enter interface configuration mode.
Command / Purpose
Step 3  lldp reinit delay
        (Optional) Specify the delay time in seconds for LLDP to initialize on an interface. The range is 2 to 5 seconds; the default is 2 seconds.
Step 4  lldp timer rate
        (Optional) Set the sending frequency of LLDP updates in seconds. The range is 5 to 65534 seconds; the default is 30 seconds.
Command / Purpose
Step 3  lldp med-tlv-select tlv
        Specify the TLV to enable.
Step 4  end
        Return to privileged EXEC mode.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Command / Purpose
Step 7  lldp med-tlv-select network-policy
        Specify the network-policy TLV.
Step 8  end
        Return to privileged EXEC mode.
Step 9  show network-policy profile
        Verify the configuration.
Step 10  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Use the no form of each command to return to the default setting.
Command / Purpose
Step 5  location {additional-location-information word | civic-location-id id | elin-location-id id}
        Enter location information for an interface:
        additional-location-information—Specify additional information for a location or place.
        civic-location-id—Specify global civic location information for an interface.
This example shows how to enable NMSP on a switch and to set the location notification time to 10 seconds:
Switch(config)# nmsp enable
Switch(config)# nmsp notification interval location 10
Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service
Command / Description
clear lldp counters
        Reset the traffic counters to zero.
Chapter 31 Configuring UDLD
This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding UDLD
A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device. In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection.
• Event-driven detection and echoing
UDLD relies on echoing as its detection mechanism. Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out-of-sync neighbor, it restarts the detection window on its side of the connection and sends echo messages in reply. Because this behavior is the same on all UDLD neighbors, the sender of the echoes expects to receive an echo in reply.
Configuring UDLD
• Default UDLD Configuration, page 31-4
• Configuration Guidelines, page 31-4
• Enabling UDLD Globally, page 31-5
• Enabling UDLD on an Interface, page 31-6
• Resetting an Interface Disabled by UDLD, page 31-6
Default UDLD Configuration
Table 31-1 Default UDLD Configuration
Feature                                              Default Setting
UDLD global enable state                             Globally disabled
UDLD per-port enable state for fiber-optic media     Disabled on all Ethernet fiber-optic po
Enabling UDLD Globally
Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch and all members in the switch stack:
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Enabling UDLD on an Interface
Beginning in privileged EXEC mode, follow these steps either to enable UDLD in the aggressive or normal mode or to disable UDLD on a port:
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the port to be enabled for UDLD, and enter interface configuration mode.
Step 3  udld port [aggressive]
        UDLD is disabled by default.
Displaying UDLD Status
To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
Chapter 32 Configuring SPAN and RSPAN
This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding SPAN and RSPAN
These sections contain this conceptual information:
• Local SPAN, page 32-2
• Remote SPAN, page 32-3
• SPAN and RSPAN Concepts and Terminology, page 32-4
• SPAN and RSPAN Interaction with Other Features, page 32-9
• SPAN and RSPAN and Switch Stacks, page 32-10
Local SPAN
Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports are in the same switch or switch stack.
Chapter 32 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Figure 32-2 is an example of a local SPAN in a switch stack, where the source and destination ports reside on different stack members.
Figure 32-3 Example of RSPAN Configuration (Switch A and Switch B each run an RSPAN source session on their RSPAN source ports; the RSPAN VLAN crosses intermediate switches, which must support the RSPAN VLAN; Switch C runs the RSPAN destination session on the RSPAN destination ports)
SPAN and RSPAN Concepts and Terminology
• SPAN Sessions, page 32-4
• Monitored Traffic, page 32-6
• Source Ports, page 32-7
• Source VLANs, page 32-7
• V
Chapter 32 Configuring SPAN and RSPAN Understanding SPAN and RSPAN RSPAN consists of at least one RSPAN source session, an RSPAN VLAN, and at least one RSPAN destination session. You separately configure RSPAN source sessions and RSPAN destination sessions on different network devices. To configure an RSPAN source session on a device, you associate a set of source ports or source VLANs with an RSPAN VLAN. The output of this session is the stream of SPAN packets that are sent to the RSPAN VLAN.
Chapter 32 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Monitored Traffic SPAN sessions can monitor these traffic types: • Receive (Rx) SPAN—The goal of receive (or ingress) SPAN is to monitor as much as possible all the packets received by the source interface or VLAN before any modification or processing is performed by the switch. A copy of each packet received by the source is sent to the destination port for that SPAN session.
Chapter 32 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Source Ports A source port (also called a monitored port) is a switched or routed port that you monitor for network traffic analysis. In a local SPAN session or RSPAN source session, you can monitor source ports or VLANs for traffic in one or both directions.
Chapter 32 Configuring SPAN and RSPAN Understanding SPAN and RSPAN • When a VLAN filter list is specified, only those VLANs in the list are monitored on trunk ports or on voice VLAN access ports. • SPAN traffic coming from other port types is not affected by VLAN filtering; that is, all VLANs are allowed on other ports. • VLAN filtering affects only traffic forwarded to the destination SPAN port and does not affect the switching of normal traffic.
Chapter 32 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Local SPAN and RSPAN destination ports behave differently regarding VLAN tagging and encapsulation: • For local SPAN, if the encapsulation replicate keywords are specified for the destination port, these packets appear with the original encapsulation (untagged, ISL, or IEEE 802.1Q). If these keywords are not specified, packets appear in the untagged format.
Chapter 32 Configuring SPAN and RSPAN Understanding SPAN and RSPAN • VLAN and trunking—You can modify VLAN membership or trunk settings for source or destination ports at any time. However, changes in VLAN membership or trunk settings for a destination port do not take effect until you remove the SPAN destination configuration. Changes in VLAN membership or trunk settings for a source port immediately take effect, and the respective SPAN sessions automatically adjust accordingly.
Chapter 32 Configuring SPAN and RSPAN Understanding Flow-Based SPAN Understanding Flow-Based SPAN You can control the type of network traffic to be monitored in SPAN or RSPAN sessions by using flow-based SPAN (FSPAN) or flow-based RSPAN (FRSPAN), which apply access control lists (ACLs) to the monitored traffic on the source ports. The FSPAN ACLs can be configured to filter IPv4, IPv6, and non-IP monitored traffic. You apply an ACL to a SPAN session through the interface.
Chapter 32 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Configuring SPAN and RSPAN • Default SPAN and RSPAN Configuration, page 32-12 • Configuring Local SPAN, page 32-12 • Configuring RSPAN, page 32-17 Default SPAN and RSPAN Configuration Table 32-1 Default SPAN and RSPAN Configuration Feature Default Setting SPAN state (SPAN and RSPAN) Disabled. Source port traffic to monitor Both received and sent traffic (both).
Chapter 32 Configuring SPAN and RSPAN Configuring SPAN and RSPAN • For local SPAN, outgoing packets through the SPAN destination port carry the original encapsulation headers—untagged, ISL, or IEEE 802.1Q—if the encapsulation replicate keywords are specified. If the keywords are not specified, the packets are sent in native form.
Chapter 32 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Step 4 Command Purpose monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]} Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in step 3. Note For local SPAN, you must use the same session number for the source and destination interfaces. For interface-id, specify the destination port.
Chapter 32 Configuring SPAN and RSPAN Configuring SPAN and RSPAN This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination Gigabit Ethernet port 2. The configuration is then modified to also monitor all traffic on all ports belonging to VLAN 10.
Chapter 32 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Command Purpose Step 5 end Return to privileged EXEC mode. Step 6 show monitor [session session_number] Verify the configuration. show running-config Step 7 copy running-config startup-config (Optional) Save the configuration in the configuration file. To delete a SPAN session, use the no monitor session session_number global configuration command.
Chapter 32 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Step 5 Command Purpose monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]} Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3. For interface-id, specify the destination port. The destination interface must be a physical port; it cannot be an EtherChannel, and it cannot be a VLAN.
Chapter 32 Configuring SPAN and RSPAN Configuring SPAN and RSPAN • For RSPAN configuration, you can distribute the source ports and the destination ports across multiple switches in your network. • RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols. • The RSPAN VLAN is configured only on trunk ports and not on access ports. To avoid unwanted traffic in RSPAN VLANs, make sure that the VLAN remote-span feature is supported in all the participating switches.
Chapter 32 Configuring SPAN and RSPAN Configuring SPAN and RSPAN This example shows how to create RSPAN VLAN 901. Switch(config)# vlan 901 Switch(config-vlan)# remote span Switch(config-vlan)# end Creating an RSPAN Source Session Beginning in privileged EXEC mode, follow these steps to start an RSPAN source session and to specify the monitored source and the destination RSPAN VLAN: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 32 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Step 6 Command Purpose show monitor [session session_number] Verify the configuration. show running-config Step 7 copy running-config startup-config (Optional) Save the configuration in the configuration file. To delete a SPAN session, use the no monitor session session_number global configuration command.
Chapter 32 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Step 5 Command Purpose monitor session session_number destination remote vlan vlan-id Specify the RSPAN session and the destination remote VLAN (RSPAN VLAN). For session_number, enter the session number specified in Step 3. For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port.rt group {a | b | c} to specify the ports that carry RSPAN traffic. Step 6 end Return to privileged EXEC mode.
Chapter 32 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Step 6 Command Purpose monitor session session_number source remote vlan vlan-id Specify the RSPAN session and the source RSPAN VLAN. For session_number, the range is 1 to 66. For vlan-id, specify the source RSPAN VLAN to monitor. Step 7 monitor session session_number destination interface interface-id Specify the RSPAN session and the destination interface. For session_number, enter the number defined in Step 6.
Step 3 Command: monitor session session_number source remote vlan vlan-id Purpose: Specify the RSPAN session and the source RSPAN VLAN. For session_number, the range is 1 to 66. For vlan-id, specify the source RSPAN VLAN to monitor. Step 4 Command: monitor session session_number destination {interface interface-id [, | -] Purpose: Specify the SPAN session, the destination port, the packet encapsulation, and the incoming VLAN and encapsulation.
Chapter 32 Configuring SPAN and RSPAN Configuring FSPAN and FRSPAN Configuring FSPAN and FRSPAN • FSPAN and FRSPAN Configuration Guidelines, page 32-24 • Configuring an FSPAN Session, page 32-25 • Configuring an FRSPAN Session, page 32-26 FSPAN and FRSPAN Configuration Guidelines • You can attach ACLs to only one SPAN or RSPAN session at a time. • When no FSPAN ACLs are attached, FSPAN is disabled, and all traffic is copied to the SPAN destination ports.
Chapter 32 Configuring SPAN and RSPAN Configuring FSPAN and FRSPAN Configuring an FSPAN Session Beginning in privileged EXEC mode, follow these steps to create a SPAN session, specify the source (monitored) ports or VLANs and the destination (monitoring) ports, and configure FSPAN for the session: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no monitor session {session_number | all | local | remote} Remove any existing SPAN configuration for the session.
Chapter 32 Configuring SPAN and RSPAN Configuring FSPAN and FRSPAN Step 4 Command Purpose monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]} Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3. For local SPAN, you must use the same session number for the source and destination interfaces. Note • For interface-id, specify the destination port.
Chapter 32 Configuring SPAN and RSPAN Configuring FSPAN and FRSPAN Step 3 Command Purpose monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx] Specify the RSPAN session and the source port (monitored port). For session_number, the range is 1 to 66. Enter a source port or source VLAN for the RSPAN session: • For source interface-id, specify the source port to monitor. Only physical interfaces are valid.
Displaying SPAN, RSPAN, FSPAN, and FRSPAN Status To display the current SPAN, RSPAN, FSPAN, or FRSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured sessions.
Chapter 33 Configuring RMON This chapter describes how to configure Remote Network Monitoring (RMON) on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes.
Figure 33-1 Remote Monitoring Example (a network management station running a generic RMON console application, with RMON alarms and events configured and SNMP configured, monitors switches that have RMON history and statistic collection enabled and workstations attached)
Chapter 33 Configuring RMON Configuring RMON • Collecting Group Ethernet Statistics on an Interface, page 33-5 (optional) Default RMON Configuration RMON is disabled by default; no alarms or events are configured. Configuring RMON Alarms and Events You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station.
Step 3 Command: rmon event number [description string] [log] [owner string] [trap community] Purpose: Add an event in the RMON event table that is associated with an RMON event number. • For number, assign an event number. The range is 1 to 65535. • (Optional) For description string, specify a description of the event. • (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.
Chapter 33 Configuring RMON Configuring RMON Collecting Group History Statistics on an Interface You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
Step 3 Command: rmon collection stats index [owner ownername] Purpose: Enable RMON statistic collection on the interface. • For index, specify the RMON group of statistics. The range is from 1 to 65535. • (Optional) For owner ownername, enter the name of the owner of the RMON group of statistics. Step 4 end Return to privileged EXEC mode. Step 5 show running-config Verify your entries.
Chapter 34 Configuring System Message Logging This chapter describes how to configure system message logging on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Chapter 34 Configuring System Message Logging Configuring System Message Logging You can set the severity level of the messages to control the type of messages displayed on the consoles and each of the destinations. You can time-stamp log messages or set the syslog source address to enhance real-time debugging and management. For information on possible messages, see the system message guide for this release.
Chapter 34 Configuring System Message Logging Configuring System Message Logging Table 34-1 System Log Message Elements Element Description seq no: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages” section on page 34-8. Date and time of the message or event.
Chapter 34 Configuring System Message Logging Configuring System Message Logging This example shows a partial switch system message on a Catalyst 3560-X switch: 00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up 00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up 00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up 00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down 00:00:48: %LINEPROTO-5-UPDOWN: Line pr
Step 4 show running-config or show logging Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Disabling the logging process can slow down the switch because a process must wait until the messages are written to the console before continuing.
Chapter 34 Configuring System Message Logging Configuring System Message Logging Step 4 Command Purpose logging file flash:filename [max-file-size [min-file-size]] [severity-level-number | type] Store log messages in a file in flash memory on a standalone switch or, in the case of a switch stack, on the stack master. • For filename, enter the log message filename. • (Optional) For max-file-size, specify the maximum logging file size. The range is 4096 to 2147483647. The default is 4096 bytes.
Chapter 34 Configuring System Message Logging Configuring System Message Logging Beginning in privileged EXEC mode, follow these steps to configure synchronous logging. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 line [console | vty] line-number [ending-line-number] Specify the line to be configured for synchronous logging of messages.
Chapter 34 Configuring System Message Logging Configuring System Message Logging Enabling and Disabling Time Stamps on Log Messages By default, log messages are not time-stamped. Beginning in privileged EXEC mode, follow these steps to enable time-stamping of log messages. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 service timestamps log uptime Enable log time stamps.
Chapter 34 Configuring System Message Logging Configuring System Message Logging Command Purpose Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable sequence numbers, use the no service sequence-numbers global configuration command. This example shows part of a logging display with sequence numbers enabled: 000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.
Chapter 34 Configuring System Message Logging Configuring System Message Logging Table 34-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.
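The message elements described in Table 34-1, the partial system messages shown above, the optional sequence number, and the severity levels of Table 34-3 can be exercised with the parser below, an added example that is not part of this guide. It assumes the standard Cisco IOS severity keywords for levels 0 through 7 (the page does not reproduce Table 34-3), and the sample log lines are constructed, with 192.0.2.10 as a placeholder address.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Severity keywords used by Cisco IOS for logging levels 0 (most severe) to 7
# (least severe). Assumed from standard IOS usage; Table 34-3 is not on this page.
SEVERITY_KEYWORDS = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Message layout: [seq no:] [time stamp:] %FACILITY-SEVERITY-MNEMONIC: text
#   seq no      present only when "service sequence-numbers" is configured
#   time stamp  present only when "service timestamps log ..." is configured
_LINE_RE = re.compile(
    r"^(?:(?P<seq>\d{6,}):\s*)?"          # 000019:
    r"(?:(?P<ts>[^%]*?):\s*)?"            # 00:00:46:  or  *Mar  1 00:00:46.123:
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)


@dataclass
class IosSyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str
    seq: Optional[int] = None
    timestamp: Optional[str] = None

    @property
    def severity_keyword(self) -> str:
        return SEVERITY_KEYWORDS[self.severity]


def parse_ios_syslog(line: str) -> Optional[IosSyslogMessage]:
    """Parse one switch system message; return None for lines that are not one."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return IosSyslogMessage(
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
    )


def select_by_level(lines: Iterable[str], level: str) -> List[IosSyslogMessage]:
    """Keep messages at severity `level` or more severe (a lower number), which is
    the rule a logging destination configured with that level keyword applies."""
    threshold = {kw: num for num, kw in SEVERITY_KEYWORDS.items()}[level]
    selected = []
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg is not None and msg.severity <= threshold:
            selected.append(msg)
    return selected


def config_change_events(lines: Iterable[str]) -> List[IosSyslogMessage]:
    """Pick out SYS-5-CONFIG_I messages, which record who changed the configuration
    and from where; a collector normally alerts on these."""
    return [m for m in map(parse_ios_syslog, lines)
            if m is not None and m.facility == "SYS" and m.mnemonic == "CONFIG_I"]


# Constructed sample lines in the formats shown in this chapter (with and without
# sequence numbers and time stamps); the address is a documentation placeholder.
SAMPLE_LOG = [
    "00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up",
    "00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down",
    "000019: %SYS-5-CONFIG_I: Configured from console by vty2 (192.0.2.10)",
    "000020: 00:01:02: %SYS-5-CONFIG_I: Configured from console by vty2 (192.0.2.10)",
    "Switch#",   # console prompt, not a system message
]

if __name__ == "__main__":
    for msg in select_by_level(SAMPLE_LOG, "notifications"):
        print(msg.seq, msg.timestamp, msg.facility, msg.severity_keyword, msg.mnemonic, msg.text)
```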
Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 logging history level 1 Change the default level of syslog messages stored in the history file and sent to the SNMP server. See Table 34-3 on page 34-10 for a list of level keywords.
Chapter 34 Configuring System Message Logging Configuring System Message Logging Beginning in privileged EXEC mode, follow these steps to enable configuration logging: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 archive Enter archive configuration mode. Step 3 log config Enter configuration-change logger configuration mode. Step 4 logging enable Enable configuration change logging.
Log in as root, and perform these steps: Note Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network. If this is the case with your system, use the UNIX man syslogd command to decide what options must be added to or removed from the syslog command line to enable logging of remote syslog messages. Step 1 Add a line such as the following to the file /etc/syslog.conf: local7.
Chapter 34 Configuring System Message Logging Displaying the Logging Configuration Command Purpose Step 6 show running-config Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a syslog server, use the no logging host global configuration command, and specify the syslog server IP address. To disable logging to syslog servers, enter the no logging trap global configuration command.
Chapter 35 Configuring SNMP This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Network Management Command Reference, Release 12.4 from the Cisco.
Chapter 35 Configuring SNMP Understanding SNMP These sections contain this conceptual information: • SNMP Versions, page 35-2 • SNMP Manager Functions, page 35-3 • SNMP Agent Functions, page 35-4 • SNMP Community Strings, page 35-4 • Using SNMP to Access MIB Variables, page 35-4 • SNMP Notifications, page 35-5 • SNMP ifIndex MIB Object Values, page 35-5 SNMP Versions This software release supports these SNMP versions: • SNMPv1—The Simple Network Management Protocol, a Full Internet Standar
Table 35-1 identifies the characteristics of the different combinations of security models and levels.
Table 35-1 SNMP Security Models and Levels
Model | Level | Authentication | Encryption | Result
SNMPv1 | noAuthNoPriv | Community string | No | Uses a community string match for authentication.
SNMPv2C | noAuthNoPriv | Community string | No | Uses a community string match for authentication.
Chapter 35 Configuring SNMP Understanding SNMP SNMP Agent Functions The SNMP agent responds to SNMP manager requests as follows: • Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value. • Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.
Figure 35-1 SNMP Network (the NMS running the SNMP manager sends Get-request, Get-next-request, Get-bulk, and Set-request messages to the SNMP agent on the network device, which answers with Get-response messages and sends traps; the agent reads and writes the device MIB) For information on supported MIBs and how to access them, see Appendix A, “Supported MIBs.” SNMP Notifications SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests.
Table 35-3 ifIndex Values
Interface Type | ifIndex Range
Tunnel | 5078–5142
Physical (such as Gigabit Ethernet or SFP(2)-module interfaces) | 10000–14500
Null | 14501
1. SVI = switch virtual interface
2. SFP = small form-factor pluggable
Note The switch might not use sequential values within a range.
Chapter 35 Configuring SNMP Configuring SNMP SNMP Configuration Guidelines If the switch starts and the switch startup configuration has at least one snmp-server global configuration command, the SNMP agent is enabled. An SNMP group is a table that maps SNMP users to SNMP views. An SNMP user is a member of an SNMP group. An SNMP host is the recipient of an SNMP trap operation. An SNMP engine ID is a name for the local or remote SNMP engine.
Chapter 35 Configuring SNMP Configuring SNMP Configuring Community Strings You use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the switch.
Chapter 35 Configuring SNMP Configuring SNMP Step 3 Command Purpose access-list access-list-number {deny | permit} source [source-wildcard] (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary. • For access-list-number, enter the access list number specified in Step 2. • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
Beginning in privileged EXEC mode, follow these steps to configure SNMP on the switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 Command: snmp-server engineID {local engineid-string | remote ip-address [udp-port port-number] engineid-string} Purpose: Configure a name for either the local or remote copy of SNMP. • The engineid-string is a 24-character ID string with the name of the copy of SNMP.
Step 4 Command: snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]} [priv {des | 3des | aes Purpose: Add a new user for an SNMP group. • The username is the name of the user on the host that connects to the agent. • The groupname is the name of the group to which the user is associated.
Chapter 35 Configuring SNMP Configuring SNMP Configuring SNMP Notifications A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers. Note Many commands use the word traps in the command syntax.
Chapter 35 Configuring SNMP Configuring SNMP Table 35-5 Switch Notification Types (continued) Notification Type Keyword port-security Description Generates SNMP port security traps. You can also set a maximum trap rate per second. The range is from 0 to 1000; the default is 0, which means that there is no rate limit.
Chapter 35 Configuring SNMP Configuring SNMP Beginning in privileged EXEC mode, follow these steps to configure the switch to send traps or informs to a host: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server engineID remote ip-address engineid-string Specify the engine ID for the remote host.
Chapter 35 Configuring SNMP Configuring SNMP Step 6 Command Purpose snmp-server enable traps notification-types Enable the switch to send traps or informs and specify the type of notifications to be sent. For a list of notification types, see Table 35-5 on page 35-12, or enter snmp-server enable traps ? To enable multiple types of traps, you must enter a separate snmp-server enable traps command for each trap type.
Chapter 35 Configuring SNMP Configuring SNMP Setting the CPU Threshold Notification Types and Values Beginning in privileged EXEC mode, follow these steps to set the CPU threshold notification types and values: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 35 Configuring SNMP Configuring SNMP Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 35 Configuring SNMP Configuring SNMP SNMP Examples This example shows how to enable all versions of SNMP. The configuration permits any SNMP manager to access all objects with read-only permissions using the community string public. This configuration does not cause the switch to send any traps. Switch(config)# snmp-server community public This example shows how to permit any SNMP manager to access all objects with read-only permission using the community string public.
Chapter 35 Configuring SNMP Displaying SNMP Status Displaying SNMP Status To display SNMP input and output statistics, including the number of illegal community string entries, errors, and requested variables, use the show snmp privileged EXEC command. You also can use the other privileged EXEC commands in Table 35-6 to display SNMP information. For information about the fields in the displays, see the Cisco IOS Configuration Fundamentals Command Reference.
Chapter 36 Configuring Embedded Event Manager Embedded Event Manager (EEM) is a distributed and customized approach to event detection and recovery within a Cisco IOS device. EEM offers the ability to monitor events and take informational, corrective, or any other EEM action when the monitored events occur or when a threshold is reached. An EEM policy defines an event and the actions to be taken when that event occurs.
Chapter 36 Configuring Embedded Event Manager Understanding Embedded Event Manager because some problems compromise communication between the switch and the external network management device. Network availability is improved if automatic recovery actions are performed without rebooting the switch. Figure 36-1 shows the relationship between the EEM server, the core event publishers (event detectors), and the event subscribers (policies).
Event Detectors EEM software programs known as event detectors determine when an EEM event occurs. Event detectors are separate systems that provide an interface between the agent being monitored, for example SNMP, and the EEM policies where an action can be implemented. Event detectors are generated only by the master switch. CLI and routing processes also run only from the master switch.
Chapter 36 Configuring Embedded Event Manager Understanding Embedded Event Manager • Syslog event detector—Allows for screening syslog messages for a regular expression pattern match. The selected messages can be further qualified, requiring that a specific number of occurrences be logged within a specified time. A match on a specified event criteria triggers a configured policy action.
You use EEM to write and implement your own policies using the EEM policy tool command language (TCL) script. When you configure a TCL script on the master switch, the file is automatically sent to the member switches. The user-defined TCL scripts must be available in the member switches so that if the master switch changes, the TCL script policies continue to work.
Chapter 36 Configuring Embedded Event Manager Configuring Embedded Event Manager • Mac-Address-Table—Mac-Address-Table event detector generates an event when a MAC address is learned in the MAC address table. The Mac-Address-Table event detector is supported only on switch platforms and can be used only on Layer 2 interfaces where MAC addresses are learned.
Step 4 Command: action label syslog [priority priority-level] msg msg-text Purpose: Specify the action when an EEM applet is triggered. Repeat this action to add other CLI commands to the applet. • (Optional) The priority keyword specifies the priority level of the syslog messages. If selected, you need to define the priority-level argument.
4 5 _config_cmd1 _config_cmd2 interface Ethernet1/0 no shut This example shows a CRON timer environment variable, which is assigned by the software, to be set to every second minute, every hour of every day: Switch(config)# event manager environment _cron_entry 0-59/2 0-23/1 * * 0-6 This example shows the sample EEM policy named tm_cli_cmd.tcl registered as a system policy.
Chapter 37 Configuring Network Security with ACLs This chapter describes how to configure network security on the Catalyst 3750-X or 3560-X switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Note Information in this chapter about IP ACLs is specific to IP Version 4 (IPv4).
Chapter 37 Configuring Network Security with ACLs Understanding ACLs Understanding ACLs Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs filter traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or VLANs. An ACL is a sequential collection of permit and deny conditions that apply to packets.
• VLAN ACLs or VLAN maps access-control all packets (bridged and routed). You can use VLAN maps to filter traffic between devices in the same VLAN. VLAN maps are configured to provide access control based on Layer 3 addresses for IPv4. Unsupported protocols are access-controlled through MAC addresses using Ethernet ACEs.
Figure 37-1 Using ACLs to Control Traffic to a Network (figure: Host A and Host B on the Human Resources network; the ACL in front of the Research & Development network denies traffic from Host B and permits traffic from Host A)
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
As with port ACLs, the switch examines ACLs associated with features configured on a given interface. However, router ACLs are supported in both directions. As packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface are examined.
Some ACEs do not check Layer 4 information and therefore can be applied to all packet fragments. ACEs that do test Layer 4 information cannot be applied in the standard manner to most of the fragments in a fragmented IP packet.
Configuring IPv4 ACLs • If packets must be forwarded by software for any reason (for example, not enough hardware resources), the master switch forwards the packets only after applying ACLs on the packets. • It programs its hardware with the ACL information it processes. Stack members perform these ACL functions: • They receive the ACL information from the master switch and program their hardware.
Creating Standard and Extended IPv4 ACLs This section describes IP ACLs. An ACL is a sequential collection of permit and deny conditions. One by one, the switch tests packets against the conditions in an access list. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of the conditions is critical.
Table 37-1 Access List Numbers (continued)
Access List Number | Type | Supported
1200–1299 | IPX summary address access list | No
1300–1999 | IP standard access list (expanded range) | Yes
2000–2699 | IP extended access list (expanded range) | Yes
Note In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs by using the supported numbers.
Creating a Numbered Standard ACL Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard] [log] Define a standard IPv4 access list by using a source address and wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
The switch always rewrites the order of standard access lists so that entries with host matches and entries with matches having a don’t care mask of 0.0.0.0 are moved to the top of the list, above any entries with non-zero don’t care masks. Therefore, in show command output and in the configuration file, the ACEs do not necessarily appear in the order in which they were entered.
Beginning in privileged EXEC mode, follow these steps to create an extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode.
Command Purpose or Step 2b access-list access-list-number {deny | permit} protocol any any [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp] In access-list configuration mode, define an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.
Step 2d Command Purpose access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp] (Optional) Define an extended ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol.
After creating a numbered extended ACL, you can apply it to terminal lines (see the “Applying an IPv4 ACL to a Terminal Line” section on page 37-19), to interfaces (see the “Applying an IPv4 ACL to an Interface” section on page 37-20), or to VLANs (see the “Configuring VLAN Maps” section on page 37-31).
Beginning in privileged EXEC mode, follow these steps to create a standard ACL using names: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip access-list standard name Define a standard IPv4 access list using a name, and enter access-list configuration mode. The name can be a number from 1 to 99.
When you are creating standard or extended ACLs, remember that, by default, the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end. For standard ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask. After you create an ACL, any additions are placed at the end of the list.
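As an added illustration (not code from the Cisco guide), the following Python model evaluates a standard IPv4 ACL the way the preceding sections describe it: the first matching entry decides, the wildcard mask marks the bits that are not compared, an omitted mask means 0.0.0.0, and reaching the end of the list is the implicit deny. reorder_standard applies the rewrite described above, in which entries with a 0.0.0.0 mask are moved above entries with non-zero masks. The ACL lines and addresses are constructed sample input, and parse_ace, ace_matches, evaluate and reorder_standard are names chosen here, not IOS commands.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str      # "permit" or "deny"
    source: int      # source address as a 32-bit integer
    wildcard: int    # don't-care mask: a 1 bit means "ignore this bit"


def parse_ace(line):
    """Parse one standard-ACL entry, e.g. 'access-list 10 permit 10.1.1.0 0.0.0.255',
    'access-list 10 deny host 10.1.1.7' or 'permit any'.  An omitted wildcard is
    0.0.0.0 (exact host), as the text above states.  Constructed helper, not IOS."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]              # drop 'access-list <number>'
    action, args = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    if args[0] == "any":
        return Ace(action, 0, 0xFFFFFFFF)
    if args[0] == "host":
        return Ace(action, int(ipaddress.IPv4Address(args[1])), 0)
    source = int(ipaddress.IPv4Address(args[0]))
    wildcard = int(ipaddress.IPv4Address(args[1])) if len(args) > 1 else 0
    return Ace(action, source, wildcard)


def ace_matches(ace, addr):
    """Compare only the bits the wildcard marks as significant."""
    care = ~ace.wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == ace.source & care


def evaluate(acl, addr):
    """First match wins; reaching the end is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, addr):
            return ace.action
    return "deny"


def reorder_standard(acl):
    """Model of the switch rewrite described above: entries whose wildcard is
    0.0.0.0 (host matches) move to the top; relative order is otherwise kept."""
    hosts = [a for a in acl if a.wildcard == 0]
    others = [a for a in acl if a.wildcard != 0]
    return hosts + others


# Constructed sample list: a network permit entered before a host deny.
SAMPLE_ACL = [parse_ace(line) for line in (
    "access-list 10 permit 10.1.1.0 0.0.0.255",
    "access-list 10 deny host 10.1.1.7",
    "access-list 10 permit host 10.2.2.2",
)]

if __name__ == "__main__":
    for addr in ("10.1.1.7", "10.1.1.8", "10.2.2.2", "10.9.9.9"):
        print(addr, "as entered:", evaluate(SAMPLE_ACL, addr),
              "after rewrite:", evaluate(reorder_standard(SAMPLE_ACL), addr))
```

Running evaluate on the list as entered and again after reorder_standard shows why the ordering caveat matters: a host deny entered after a broader network permit is moved above it, so the first match for that host changes from permit to deny. Check the order in show command output rather than assuming the order you typed.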
Beginning in privileged EXEC mode, follow these steps to configure a time-range parameter for an ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 time-range time-range-name Assign a meaningful name (for example, workhours) to the time range to be created, and enter time-range configuration mode. The name cannot contain a space or quotation mark and must begin with a letter.
This example uses named ACLs to permit and deny the same traffic.
Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 line [console | vty] line-number Identify a specific line to configure, and enter in-line configuration mode. • console—Specify the console terminal line. The console port is DCE.
Beginning in privileged EXEC mode, follow these steps to control access to an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Identify a specific interface for configuration, and enter interface configuration mode. The interface can be a Layer 2 interface (port ACL), or a Layer 3 interface (router ACL).
Hardware and Software Treatment of IP ACLs ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to the CPU for software processing. If the hardware reaches its capacity to store ACL configurations, packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is substantially less than for hardware-forwarded traffic.
Use one of these workarounds: • Modify the ACL configuration to use fewer resources. • Rename the ACL with a name or number that alphanumerically precedes the ACL names or numbers. To determine the specialized hardware resources, enter the show platform layer4 acl map privileged EXEC command. If the switch does not have available resources, the output shows that index 0 to index 15 are not available.
ACLs in a Small Networked Office Figure 37-3 shows a small networked office environment with routed Port 2 connected to Server A, containing benefits and other information that all employees can access, and routed Port 1 connected to Server B, containing confidential payroll data. All users can access Server A, but Server B has restricted access.
Extended IP access list 106
10 permit ip any 172.20.128.64 0.0.0.31
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip access-group 106 in
Numbered ACLs In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host.
Named ACLs This example creates a standard ACL named internet_filter and an extended ACL named marketing_group. The internet_filter ACL allows all traffic from the source address 1.2.3.4.
Switch(config)# ip access-list standard Internet_filter
Switch(config-ext-nacl)# permit 1.2.3.4
Switch(config-ext-nacl)# exit
The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.
In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the web:
Switch(config)# access-list 100 remark Do not allow Winter to browse the web
Switch(config)# access-list 100 deny host 171.69.3.85 any eq www
Switch(config)# access-list 100 remark Do not allow Smith to browse the web
Switch(config)# access-list 100 deny host 171.69.3.
Creating Named MAC Extended ACLs This is an example of a log for an extended ACL:
01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet
01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets
01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.
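The logged ACE hits above are what a collector or SIEM script has to consume. As an added example that is not part of the guide, this Python parser handles both message forms shown (IPACCESSLOGDP for ICMP, with type/code after the addresses, and IPACCESSLOGP for UDP or TCP, with a port after each address) and totals packets per list, verdict, protocol and source. The sample lines are constructed from the format above: the fourth line's count of 8 packets is made up because the guide's copy is truncated, the last line is unrelated syslog noise, and the summing assumes each message reports the packets matched since the previous message for that flow.

```python
import re
from collections import defaultdict

# Matches both %SEC-6-IPACCESSLOGDP (ICMP, "(type/code)" after the addresses)
# and %SEC-6-IPACCESSLOGP (UDP/TCP, "(port)" after each address) messages.
LOG_RE = re.compile(
    r"^(?P<ts>[\d:]+?):%SEC-6-(?P<mnemonic>IPACCESSLOG[A-Z]*):"
    r"list (?P<acl>\S+) (?P<verdict>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?$"
)


def parse_line(line):
    """Return a dict of fields for one ACL log message, or None if the line
    is not an IPACCESSLOG message (other syslog traffic is skipped)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def summarize(lines):
    """Total packets per (acl, verdict, proto, src).  Assumption: each message
    reports the packets matched since the previous message for that flow,
    so the per-message counts are additive."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec:
            totals[(rec["acl"], rec["verdict"], rec["proto"], rec["src"])] += rec["count"]
    return dict(totals)


# Constructed sample: the first three lines follow the guide's example; the
# fourth line's count is made up, and the last line is unrelated syslog noise.
SAMPLE_LOG = [
    "01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet",
    "01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets",
    "01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet",
    "01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 8 packets",
    "01:32:00:%SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for key, total in summarize(SAMPLE_LOG).items():
        print(key, total)
```

The denied broadcast entries with source 0.0.0.0 are the kind of line worth alerting on from a switch log: they show a host sending from an unconfigured address through a port where the list is applied. Keep the parser strict (anchored regex, skip on no match) so a malformed or truncated line is dropped rather than miscounted.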
Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac access-list extended name Define an extended MAC access list using a name.
Applying a MAC ACL to a Layer 2 Interface After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface. When you apply the MAC ACL, consider these guidelines: • If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the VLAN.
Configuring VLAN Maps Note VLAN maps are not supported on switches running the LAN base feature set. This section describes how to configure VLAN maps, which is the only way to control filtering within a VLAN. VLAN maps have no direction. To filter traffic in a specific direction by using a VLAN map, you need to include an ACL with specific source or destination addresses.
• If the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does not match any of these match clauses, the default is to drop the packet. If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet. • The system might take longer to boot up if you have configured a very large number of ACLs. • Logging is not supported for VLAN maps.
Command Purpose Step 4 match {ip | mac} address {name | number} [name | number] Match the packet (using either the IP or MAC address) against one or more standard or extended access lists. Note that packets are only matched against access lists of the correct protocol type. IP packets are matched against standard or extended IP access lists. Non-IP packets are only matched against named MAC extended access lists.
Example 2 In this example, the VLAN map has a default action of drop for IP packets and a default action of forward for MAC packets.
Example 4 In this example, the VLAN map has a default action of drop for all packets (IP and non-IP). Used with access lists tcp-match and good-hosts from Examples 2 and 3, the map will have the following results: • Forward all TCP packets • Forward MAC packets from hosts 0000.0c00.0111 and 0000.0c00.
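The default actions stated in the guidelines above (drop when a match clause exists for the packet's type but nothing matches, forward when the map has no clause for that type) are the part of VLAN-map behaviour that most often surprises operators, and Examples 2 and 4 show both sides of it. The following Python model, an added example rather than Cisco code, evaluates the sequence entries of a VLAN access map against constructed IP and MAC packets using ACLs named tcp-match and good-hosts as in the examples. The ACL contents, the second MAC address 0000.0c00.0211, the packet fields and the helper names (Acl, MapEntry, evaluate_vlan_map) are assumptions made here.

```python
from dataclasses import dataclass, field


@dataclass
class Acl:
    """A named access list modelled as ordered (action, predicate) entries.
    The predicate is a function of the packet dict; an unmatched packet hits
    the implicit deny at the end of every ACL."""
    entries: list

    def lookup(self, pkt):
        for action, predicate in self.entries:
            if predicate(pkt):
                return action
        return "deny"


@dataclass
class MapEntry:
    """One sequence number of a VLAN access map: its action and the names of
    the IP and MAC ACLs referenced by its match clauses."""
    seq: int
    action: str                              # "forward" or "drop"
    match_ip: list = field(default_factory=list)
    match_mac: list = field(default_factory=list)


def evaluate_vlan_map(entries, acls, pkt):
    """Return forward/drop for pkt, applying the defaults from the guidelines:
    a clause of the packet's type exists but nothing matches -> drop;
    no clause of the packet's type anywhere in the map -> forward."""
    ptype = pkt["type"]                      # "ip" or "mac"
    clause_seen_for_type = False
    for entry in sorted(entries, key=lambda e: e.seq):
        names = entry.match_ip if ptype == "ip" else entry.match_mac
        if not names:
            continue                         # this entry only covers the other packet type
        clause_seen_for_type = True
        # a packet matches the clause when one of its ACLs permits it
        if any(acls[name].lookup(pkt) == "permit" for name in names):
            return entry.action
    return "drop" if clause_seen_for_type else "forward"


# Constructed ACLs standing in for the guide's tcp-match and good-hosts lists.
ACLS = {
    "tcp-match": Acl([("permit", lambda p: p.get("proto") == "tcp")]),
    "good-hosts": Acl([("permit", lambda p: p.get("src_mac") in {"0000.0c00.0111", "0000.0c00.0211"})]),
}

# Map with clauses for both packet types: unmatched IP and MAC packets are dropped.
MAP_BOTH = [
    MapEntry(10, "forward", match_ip=["tcp-match"]),
    MapEntry(20, "forward", match_mac=["good-hosts"]),
]

# Map with an IP clause only: every MAC packet is forwarded by default.
MAP_IP_ONLY = [MapEntry(10, "forward", match_ip=["tcp-match"])]

# Constructed packets.
TCP_PKT = {"type": "ip", "proto": "tcp"}
UDP_PKT = {"type": "ip", "proto": "udp"}
GOOD_MAC = {"type": "mac", "src_mac": "0000.0c00.0111"}
OTHER_MAC = {"type": "mac", "src_mac": "0000.0c00.ffff"}

if __name__ == "__main__":
    for name, pkt in [("tcp", TCP_PKT), ("udp", UDP_PKT), ("good mac", GOOD_MAC), ("other mac", OTHER_MAC)]:
        print(name, "both-types map:", evaluate_vlan_map(MAP_BOTH, ACLS, pkt),
              "ip-only map:", evaluate_vlan_map(MAP_IP_ONLY, ACLS, pkt))
```

The two maps differ only in whether a MAC clause is present, yet the non-IP packet from an unknown host is dropped by one and forwarded by the other. When a map is meant to be a deny-by-default filter for a VLAN, confirm it carries a match clause for every packet type you expect to see, otherwise that type is forwarded unfiltered.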
Figure 37-4 Wiring Closet Configuration (figure: Switch A, Switch B, and Switch C; Host X 10.1.1.32 on VLAN 1 and Host Y 10.1.1.34 on VLAN 2; VLAN map on Switch A: deny HTTP from X to Y, so HTTP is dropped at the entry point)
If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VLAN map on Switch A to drop all HTTP traffic from Host X (IP address 10.1.1.32) to Host Y (IP address 10.1.1.
Using VLAN Maps with Router ACLs Figure 37-5 Deny Access to a Server on Another VLAN (figure: a Layer 3 switch applying a VLAN map; server 10.1.1.100 on VLAN 10; hosts 10.1.1.4 and 10.1.1.8 on VLAN 10; a host on VLAN 20; subnet 10.1.2.0/8)
This example shows how to deny access to a server on another VLAN by creating the VLAN map SERVER 1 that denies access to hosts in subnet 10.1.2.0/8, host 10.1.1.4, and host 10.1.1.8 and permits other IP traffic.
If a packet flow matches a VLAN-map deny clause in the ACL, regardless of the router ACL configuration, the packet flow is denied. Note When you use router ACLs with VLAN maps, packets that require logging on the router ACLs are not logged if they are denied by a VLAN map. If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not match the type, the default is to drop the packet.
Examples of Router ACLs and VLAN Maps Applied to VLANs This section gives examples of applying router ACLs and VLAN maps to a VLAN for switched, bridged, routed, and multicast packets. Although the following illustrations show packets being forwarded to their destination, each time the packet’s path crosses a line indicating a VLAN map or an ACL, it is also possible that the packet might be dropped, rather than forwarded.
Figure 37-7 Applying ACLs on Bridged Packets (figure: Host A on VLAN 10 and Host B on VLAN 20 connected through a fallback bridge; a frame from Host A crosses the VLAN 10 map, is bridged, and crosses the VLAN 20 map before reaching Host B)
ACLs and Routed Packets Figure 37-8 shows how ACLs are applied on routed packets. The ACLs are applied in this order:
1. VLAN map for input VLAN
2. Input router ACL
3. Output router ACL
4.
Displaying IPv4 ACL Configuration ACLs and Multicast Packets Figure 37-9 shows how ACLs are applied on packets that are replicated for IP multicasting. A multicast packet being routed has two different kinds of filters applied: one for destinations that are other ports in the input VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed.
Table 37-2 Commands for Displaying Access Lists and Access Groups (continued) Command Purpose show ip interface interface-id Display detailed configuration and status of an interface. If IP is enabled on the interface and ACLs have been applied by using the ip access-group interface configuration command, the access groups are included in the display.
CHAPTER 38 Configuring IPv6 ACLs You can filter IP Version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces similarly to the way that you create and apply IP Version 4 (IPv4) named ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic when the switch is running the IP base feature set. Note IPv6 ACLs are not supported on switches running the LAN base feature set.
Understanding IPv6 ACLs A switch supports two types of IPv6 ACLs: • IPv6 router ACLs are supported on outbound or inbound traffic on Layer 3 interfaces, which can be routed ports, switch virtual interfaces (SVIs), or Layer 3 EtherChannels. IPv6 router ACLs apply only to IPv6 packets that are routed. • IPv6 port ACLs are supported on inbound traffic on Layer 2 interfaces only. IPv6 port ACLs are applied to all IPv6 packets entering the interface.
• Routed or bridged packets with hop-by-hop options have IPv6 ACLs applied in software. • Logging is supported for router ACLs, but not for port ACLs. • The switch supports IPv6 address-matching for a full range of prefix-lengths. IPv6 ACL Limitations With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs.
Configuring IPv6 ACLs Before configuring IPv6 ACLs, you must select one of the dual IPv4 and IPv6 SDM templates. To filter IPv6 traffic, you perform these steps: Step 1 Create an IPv6 ACL, and enter IPv6 access list configuration mode. Step 2 Configure the IPv6 ACL to block (deny) or pass (permit) traffic. Step 3 Apply the IPv6 ACL to an interface.
Creating IPv6 ACLs Beginning in privileged EXEC mode, follow these steps to create an IPv6 ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ipv6 access-list access-list-name Use a name to define an IPv6 access list and enter IPv6 access-list configuration mode.
Command Purpose Step 3b {deny | permit} tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6 (Optional) Define a TCP access list and the access conditions. Enter tcp for Transmission Control Protocol. The parameters are the same as those described in Step 3a, with these additional optional parameters: • ack—Acknowledgment bit set. • established—An established connection.
Command Purpose Step 5 show ipv6 access-list Verify the access list configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no {deny | permit} IPv6 access-list configuration commands with keywords to remove the deny or permit conditions from the specified access list. This example configures the IPv6 access list named CISCO.
Displaying IPv6 ACLs Use the no ipv6 traffic-filter access-list-name interface configuration command to remove an access list from an interface.
CHAPTER 39 Configuring QoS This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the Catalyst 3750-X or 3560-X switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size.
Understanding QoS Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
Figure 39-1 QoS Classification Layers in Frames and Packets (figure: an encapsulated packet consists of a Layer 2 header, IP header, and data; a Layer 2 ISL frame consists of a 26-byte ISL header, the encapsulated frame (24.5 KB), and a 4-byte FCS, with 3 bits used for CoS; Layer 2 802.1Q and 802.
Basic QoS Model To implement QoS, the switch must distinguish packets or flows from one another (classify), assign a label to indicate the given quality of service as the packets move through the switch, make the packets comply with the configured resource usage limits (police and mark), and provide different treatment (queue and schedule) in all situations where resource contention exists.
Figure 39-2 Basic QoS Model
Classification Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally disabled, so no classification occurs. During classification, the switch performs a lookup and assigns a QoS label to the packet.
For IP traffic, you have these classification options as shown in Figure 39-3: • Trust the DSCP value in the incoming packet (configure the port to trust DSCP), and assign the same DSCP value to the packet. The IETF defines the 6 most-significant bits of the 1-byte ToS field as the DSCP. The priority represented by a particular DSCP value is configurable. DSCP values range from 0 to 63. You can also classify IP traffic based on IPv6 DSCP.
Figure 39-3 Classification Flowchart (flowchart: start; read ingress interface configuration for classification; the branches are trust CoS (IP and non-IP traffic), trust DSCP (IP traffic), trust IP precedence (IP traffic), and trust DSCP or IP precedence (non-IP traffic); when DSCP is trusted, assign DSCP identical to DSCP in packet and optionally modify the DSCP by using the DSCP-to-DSCP-mutation map; when CoS is trusted, check whether the packet came with a CoS label (tag))
Note In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs:
• If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.
• If a match with a deny action is encountered, the ACL being processed is skipped, and the next ACL is processed.
To enable the policy map, you attach it to a port by using the service-policy interface configuration command. You can apply a nonhierarchical policy map to a physical port or an SVI. However, a hierarchical policy map can only be applied to an SVI. A hierarchical policy map contains two levels. The first level, the VLAN level, specifies the actions to be taken against a traffic flow on the SVI.
Policing on Physical Ports In policy maps on physical ports, you can create these types of policers: • Individual—QoS applies the bandwidth limits specified in the policer separately to each matched traffic class. You configure this type of policer within a policy map by using the police policy-map class configuration command. • Aggregate—QoS applies the bandwidth limits specified in an aggregate policer cumulatively to all matched traffic flows.
Figure 39-4 Policing and Marking Flowchart on Physical Ports (flowchart: start; get the classification result for the packet; if no policer is configured for this packet, done; otherwise check whether the packet is in profile by querying the policer; an in-profile packet passes through; for an out-of-profile packet, check the out-of-profile action configured for this policer: drop the packet, or mark it by modifying the DSCP according to the policed-DSCP map and generating a new QoS label)
When configuring policing on an SVI, you can create and configure a hierarchical policy map with these two levels: • VLAN level—Create this primary level by configuring class maps and classes that specify the port trust state or set a new DSCP or IP precedence value in the packet. The VLAN-level policy map applies only to the VLAN in an SVI and does not support policers.
Mapping Tables During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS label based on the DSCP or CoS value from the classification stage: • During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or CoS value from a received CoS, DSCP, or IP precedence value. These maps include the CoS-to-DSCP map and the IP-precedence-to-DSCP map.
Queueing and Scheduling Overview The switch has queues at specific points to help prevent congestion as shown in Figure 39-6 and Figure 39-7.
Weighted Tail Drop Both the ingress and egress queues use an enhanced version of the tail-drop congestion-avoidance mechanism called weighted tail drop (WTD). WTD is implemented on queues to manage the queue lengths and to provide drop precedences for different traffic classifications. As a frame is enqueued to a particular queue, WTD uses the frame’s assigned QoS label to subject it to different thresholds.
In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue is empty and no longer requires a share of the link, the remaining queues can expand into the unused bandwidth and share it among them. With sharing, the ratio of the weights controls the frequency of dequeuing; the absolute values are meaningless.
Figure 39-10 Queueing and Scheduling Flowchart for Ingress Ports on Catalyst 3560-X Switches (flowchart: start; read QoS label (DSCP or CoS value); determine ingress queue number, buffer allocation, and WTD thresholds; if thresholds are being exceeded, drop the packet; otherwise queue the packet, service the queue according to the SRR weights, and send the packet to the internal ring)
You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
Queueing and Scheduling on Egress Queues Figure 39-11 and Figure 39-12 show the queueing and scheduling flowcharts for egress ports. Note If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues.
Figure 39-11 Queueing and Scheduling Flowchart for Egress Ports on Catalyst 3750-X Switches (flowchart: start; receive packet from the stack ring; read QoS label (DSCP or CoS value).
Figure 39-12 Queueing and Scheduling Flowchart for Egress Ports on Catalyst 3560-X Switches (flowchart: start; receive packet from the internal ring; read QoS label (DSCP or CoS value); determine egress queue number and threshold based on the label; if thresholds are being exceeded, drop the packet; otherwise queue the packet, service the queue according to the SRR weights, rewrite the DSCP and/or CoS value as appropriate, and send the packet out the port)
buffers) or not empty (free buffers). If the queue is not over-limit, the switch can allocate buffer space from the reserved pool or from the common pool (if it is not empty). If there are no free buffers in the common pool or if the queue is over-limit, the switch drops the frame.
The queues use WTD to support distinct drop percentages for different traffic classes. Each queue has three drop thresholds: two configurable (explicit) WTD thresholds and one nonconfigurable (implicit) threshold preset to the queue-full state. You assign the two WTD threshold percentages for threshold ID 1 and ID 2. The drop threshold for threshold ID 3 is preset to the queue-full state, and you cannot modify it.
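As an added example (not from the guide), this Python model of a single queue implements the three drop thresholds just described: threshold IDs 1 and 2 are configurable percentages of the queue's buffer allocation, and threshold ID 3 is fixed at the queue-full state. The capacity of 100 buffers, the 40 and 60 percent settings and the CoS-to-threshold assignment are constructed values chosen for illustration, not defaults taken from the guide; WtdQueue and run_burst are names used only here.

```python
class WtdQueue:
    """One ingress or egress queue with weighted tail drop (WTD).
    Each frame carries a threshold ID derived from its QoS label; the frame is
    dropped when admitting it would push the queue past that ID's threshold."""

    def __init__(self, capacity, threshold1_pct, threshold2_pct):
        self.capacity = capacity  # buffers allotted to this queue (constructed value)
        # IDs 1 and 2 are the explicit, configurable thresholds;
        # ID 3 is implicit and always the queue-full state (100 percent).
        self.thresholds = {1: threshold1_pct, 2: threshold2_pct, 3: 100}
        self.occupancy = 0
        self.accepted = {1: 0, 2: 0, 3: 0}
        self.dropped = {1: 0, 2: 0, 3: 0}

    def limit(self, threshold_id):
        """Number of buffers that frames with this threshold ID may occupy."""
        return self.capacity * self.thresholds[threshold_id] // 100

    def enqueue(self, threshold_id):
        """Admit the frame unless its threshold is exceeded; return True if queued."""
        if self.occupancy + 1 > self.limit(threshold_id):
            self.dropped[threshold_id] += 1
            return False
        self.occupancy += 1
        self.accepted[threshold_id] += 1
        return True

    def dequeue(self, count=1):
        """The scheduler draining frames frees buffers, so lower thresholds admit again."""
        drained = min(count, self.occupancy)
        self.occupancy -= drained
        return drained


# Constructed CoS-to-threshold assignment (not the switch default):
# CoS 0-3 -> ID 1, CoS 4-5 -> ID 2, CoS 6-7 -> ID 3 (queue full).
COS_TO_THRESHOLD = {0: 1, 1: 1, 2: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}


def run_burst(capacity, t1_pct, t2_pct, cos_sequence):
    """Offer a burst of frames (given by CoS) to an idle queue with no dequeuing
    and report per-threshold accepted and dropped counts plus final occupancy."""
    q = WtdQueue(capacity, t1_pct, t2_pct)
    for cos in cos_sequence:
        q.enqueue(COS_TO_THRESHOLD[cos])
    return {"accepted": dict(q.accepted), "dropped": dict(q.dropped),
            "occupancy": q.occupancy}


if __name__ == "__main__":
    # 50 CoS 0 frames, then 30 CoS 5 frames, then 50 CoS 7 frames
    burst = [0] * 50 + [5] * 30 + [7] * 50
    print(run_burst(100, 40, 60, burst))
```

The burst shows the drop precedence WTD provides: low-priority frames stop being admitted at 40 percent occupancy, mid-priority at 60 percent, and only frames mapped to threshold ID 3 can use the last 40 buffers. Reversing the order of the burst (high-priority frames first) fills the queue completely and every later low-priority frame is dropped, which is the intended behaviour under congestion.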
Configuring Auto-QoS • Depending on the QoS label assigned to a frame and the mutation chosen, the DSCP and CoS values of the frame are rewritten. If you do not configure the mutation map and if you configure the port to trust the DSCP of the incoming frame, the DSCP value in the frame is not changed, but the CoS is rewritten according to the DSCP-to-CoS map.
Generated Auto-QoS Configuration By default, auto-QoS is disabled on all ports. When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues as shown in Table 39-2.
trust the QoS label received in the packet. The switch also uses policing to determine whether a packet is in or out of profile and to specify the action on the packet. If the packet does not have a DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet.
Table 39-5 Generated Auto-QoS Configuration (continued) Description Automatically Generated Command The switch automatically maps DSCP values to an ingress queue and to a threshold ID.
The switch automatically configures the egress queue buffer sizes. It configures the bandwidth and the SRR mode (shaped or shared) on the egress queues mapped to the port.
If you entered the auto qos voip cisco-phone command, the switch automatically creates class maps and policy maps.
• To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS commands. If necessary, you can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed. For more information, see the “Effects of Auto-QoS on the Configuration” section on page 39-28.
To display the QoS commands that are automatically generated when auto-QoS is enabled or disabled, enter the debug auto qos privileged EXEC command before enabling auto-QoS. For more information, see the debug autoqos command in the command reference for this release. To disable auto-QoS on a port, use the no auto qos voip interface configuration command. Only the auto-QoS-generated interface configuration commands for this port are removed.
Chapter 39 Configuring QoS Configuring Auto-QoS Figure 39-14 Auto-QoS Configuration Example Network Cisco router To Internet Trunk link Trunk link Video server 172.20.10.
Chapter 39 Configuring QoS Configuring Auto-QoS Beginning in privileged EXEC mode, follow these steps to configure the switch at the edge of the QoS domain to prioritize the VoIP traffic over all other traffic: Command Purpose Step 1 debug auto qos Enable debugging for auto-QoS. When debugging is enabled, the switch displays the QoS configuration that is automatically generated when auto-QoS is enabled. Step 2 configure terminal Enter global configuration mode.
Chapter 39 Configuring QoS Displaying Auto-QoS Information Displaying Auto-QoS Information To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
Configuring Standard QoS

Default Standard QoS Configuration
QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).

Default Egress Queue Configuration
Table 39-9 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited.

Default Mapping Table Configuration
Table 39-12 on page 39-70 shows the default CoS-to-DSCP map. Table 39-13 on page 39-71 shows the default IP-precedence-to-DSCP map. Table 39-14 on page 39-73 shows the default DSCP-to-CoS map. The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value. The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value (no markdown).

Applying QoS on Interfaces
These are the guidelines for configuring QoS on physical ports and SVIs (Layer 3 VLAN interfaces):
• You can configure QoS on physical ports and SVIs. When configuring QoS on physical ports, you create and apply nonhierarchical policy maps. When configuring QoS on SVIs, you can create and apply nonhierarchical and hierarchical policy maps.
• QoS policies that include IPv6-specific classification (such as an IPv6 ACL or the match protocol ipv6 command) are supported on Catalyst 3750-X and Catalyst 3750-E interfaces and on any SVI when a Catalyst 3750-X or Catalyst 3750-E switch is part of the stack.
• QoS policies that include common IPv4 and IPv6 classifications are supported on all Catalyst 3750-X and Catalyst 3750-E interfaces in the stack.

Beginning in privileged EXEC mode, follow these steps to enable QoS. This procedure is required.
Step 1 configure terminal: Enter global configuration mode.
Step 2 mls qos: Enable QoS globally.

Configuring Classification Using Port Trust States
These sections describe how to classify incoming traffic by using port trust states.

Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Specify the port to be trusted, and enter interface configuration mode. Valid interfaces are physical ports.
Step 3 mls qos trust [cos | dscp | ip-precedence]: Configure the port trust state.

In the procedure for configuring the default CoS value of a port:
Step 3 mls qos cos {default-cos | override}: Configure the default CoS value for the port.
• For default-cos, specify a default CoS value to be assigned to a port. If the packet is untagged, the default CoS value becomes the packet CoS value. The CoS range is 0 to 7. The default is 0.

A PC connected to the Cisco IP Phone can mark its own frames with a high CoS value and take advantage of a high-priority data queue. To prevent this, use the switchport priority extend cos interface configuration command, which configures the telephone through the switch CLI to override the priority of the traffic it receives from the PC.
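The trust state is a security boundary: a port that trusts CoS or DSCP lets whatever is plugged into it decide which queue its traffic gets. The following Python script is an added example (not from this guide and not Cisco code) that parses a constructed running-config and flags access ports where an attached host, rather than the switch, controls the QoS label. It assumes the conditional-trust command mls qos trust device cisco-phone, which auto-QoS generates on phone ports but which this section does not show; the sample interfaces and their settings are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample running-config, not taken from the guide. The
# "mls qos trust device cisco-phone" conditional-trust command is an
# assumption about the platform; it is not shown in this section.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 100
 mls qos trust device cisco-phone
 mls qos trust cos
 switchport priority extend cos 0
!
interface GigabitEthernet1/0/2
 switchport mode access
 mls qos trust dscp
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport voice vlan 100
 mls qos trust device cisco-phone
 mls qos trust cos
 switchport priority extend trust
!
interface GigabitEthernet1/0/5
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 mls qos trust dscp
!
"""


@dataclass
class PortQoS:
    name: str
    mode: str = "access"
    trust: Optional[str] = None      # cos | dscp | ip-precedence
    conditional: bool = False        # trust only while a Cisco phone is detected
    extend: Optional[str] = None     # "trust" or "cos N": what the phone does to PC frames


def parse_ports(config: str) -> List[PortQoS]:
    """Collect the QoS-relevant interface commands from IOS config text."""
    ports: List[PortQoS] = []
    cur: Optional[PortQoS] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = PortQoS(name=line.split(None, 1)[1])
            ports.append(cur)
        elif line == "!":
            cur = None                       # end of the interface stanza
        elif cur is not None:
            if line.startswith("switchport mode "):
                cur.mode = line.split()[2]
            elif line == "mls qos trust device cisco-phone":
                cur.conditional = True       # must be tested before the generic trust line
            elif line.startswith("mls qos trust "):
                cur.trust = line.split()[3]
            elif line.startswith("switchport priority extend "):
                cur.extend = line[len("switchport priority extend "):]
    return ports


def audit(ports: List[PortQoS]) -> List[Tuple[str, str]]:
    """Return (port, finding) pairs for access ports where the attached
    host, not the switch, ends up choosing the QoS label."""
    findings: List[Tuple[str, str]] = []
    for p in ports:
        # Untrusted ports re-mark to the port default CoS; trunks face other switches.
        if p.trust is None or p.mode == "trunk":
            continue
        if not p.conditional:
            findings.append((p.name, f"access port trusts {p.trust} unconditionally; "
                                     "any host can self-prioritize"))
        elif p.extend == "trust":
            findings.append((p.name, "phone passes the PC CoS through "
                                     "(switchport priority extend trust); PC can self-prioritize"))
    return findings


def audit_config(config: str = SAMPLE_CONFIG) -> List[Tuple[str, str]]:
    return audit(parse_ports(config))


if __name__ == "__main__":
    for port, finding in audit_config():
        print(f"{port}: {finding}")
```

On the constructed sample, GigabitEthernet1/0/2 (unconditional trust dscp on an access port) and GigabitEthernet1/0/3 (the phone is told to trust the PC's CoS) are reported; the port that trusts only while a phone is present and overwrites PC frames with CoS 0 is not.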
Regardless of the DSCP transparency configuration, the switch modifies the internal DSCP value of the packet, which the switch uses to generate a class of service (CoS) value that represents the priority of the traffic. The switch also uses the internal DSCP value to select an egress queue and threshold.

Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map. To ensure a consistent mapping strategy across both QoS domains, you must perform this procedure on the ports in both domains:
Step 1 configure terminal: Enter global configuration mode.

Configuring a QoS Policy
Configuring a QoS policy typically requires classifying traffic into classes, configuring policies applied to those traffic classes, and attaching policies to ports. For background information, see the “Classification” section on page 39-5 and the “Policing and Marking” section on page 39-9. For configuration guidelines, see the “Standard QoS Configuration Guidelines” section on page 39-36.

Step 4 show access-lists: Verify your entries.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To delete an access list, use the no access-list access-list-number global configuration command. This example shows how to allow access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses.

Step 3 end: Return to privileged EXEC mode.
Step 4 show access-lists: Verify your entries.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To delete an access list, use the no access-list access-list-number global configuration command.

Step 3 {deny | permit} protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} ...: Enter deny or permit to specify whether to deny or permit the packet if conditions are matched. These are the conditions:
• For protocol, enter the name or number of an Internet protocol: ahp, esp, icmp, ipv6, pcp, sctp, tcp, or udp, or an integer in the range 0 to 255 representing an IPv6 protocol number.

This example shows how to create an ACL that permits IPv6 traffic from any source to any destination that has the DSCP value set to 32. The ipv6 access-list command enters IPv6 access-list configuration mode, where the permit entry is added:
    Switch(config)# ipv6 access-list 100
    Switch(config-ipv6-acl)# permit ipv6 any any dscp 32
This example shows how to create an ACL that permits IPv6 traffic from the source host 10::1 to a destination host with a precedence value of 5:
    Switch(config)# ipv6 access-list ipv6_Name_ACL
    Switch(config-ipv6-acl)# permit ipv6 host 10::1 host 10.1.1.

This example shows how to create a Layer 2 MAC ACL with two permit statements. The first statement allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001. The second statement allows only Ethertype XNS-IDP traffic from the host with MAC address 0001.0000.0002 to the host with MAC address 0002.0000.0002.
    Switch(config)# mac access-list extended maclist1
    Switch(config-ext-macl)# permit 0001.0000.0001 0.0.

Step 3 class-map [match-all | match-any] class-map-name: Create a class map, and enter class-map configuration mode. By default, no class maps are defined.
• (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map. All match criteria in the class map must be matched.
• (Optional) Use the match-any keyword to perform a logical-OR of all matching statements under this class map.

Step 5 match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list}: Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported.
• For access-group acl-index-or-name, specify the number or name of the ACL created in Step 2.

Classifying Traffic by Using Class Maps and Filtering IPv6 Traffic
The switch supports both IPv4 and IPv6 QoS when a dual-ipv4-and-ipv6 SDM template is configured. When the dual IP SDM template is configured, the match ip dscp and match ip precedence classifications match both IPv4 and IPv6 traffic. The match protocol command allows you to create a secondary match classification that filters traffic by IP version (IPv4 or IPv6).

Step 6 show class-map: Verify your entries.
Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To delete an existing policy map, use the no policy-map policy-map-name global configuration command. To delete an existing class map, use the no class-map [match-all | match-any] class-map-name global configuration command.
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps
You can configure a nonhierarchical policy map on a physical port that specifies which traffic class to act on.

Beginning in privileged EXEC mode, follow these steps to create a nonhierarchical policy map:
Step 1 configure terminal: Enter global configuration mode.
Step 2 class-map [match-all | match-any] class-map-name: Create a class map, and enter class-map configuration mode. By default, no class maps are defined.
• (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map.

Step 5 trust [cos | dscp | ip-precedence]: Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label. Note: This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, go to Step 6. By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.

Step 8 exit: Return to policy-map configuration mode.
Step 9 exit: Return to global configuration mode.
Step 10 interface interface-id: Specify the port to attach to the policy map, and enter interface configuration mode. Valid interfaces include physical ports.
Step 11 service-policy input policy-map-name: Specify the policy-map name, and apply it to an ingress port. Only one policy map per ingress port is supported.

The MAC ACL example continues by binding each MAC ACL to a class map and referencing the class maps from a policy map. The class command in policy-map configuration mode takes only a class-map name, so macclass2 is created from maclist2 before the policy map refers to it:
    Switch(config-ext-macl)# exit
    Switch(config)# class-map macclass1
    Switch(config-cmap)# match access-group maclist1
    Switch(config-cmap)# exit
    Switch(config)# class-map macclass2
    Switch(config-cmap)# match access-group maclist2
    Switch(config-cmap)# exit
    Switch(config)# policy-map macpolicy1
    Switch(config-pmap)# class macclass1
    Switch(config-pmap-c)# set dscp 63
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class macclass2
    Switch(config-pmap-c)# set dscp 45
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# exit
    Switch(config)# interface gigabitethernet1/0

• In a switch stack, you cannot use the match input-interface class-map configuration command to specify interfaces across stack members in a policy-map class.
• A policy-map and a port trust state can both run on a physical interface. The policy-map is applied before the port trust state.
• If you configure the IP-precedence-to-DSCP map by using the mls qos map ip-prec-dscp dscp1...

Beginning in privileged EXEC mode, follow these steps to create a hierarchical policy map:
Step 1 configure terminal: Enter global configuration mode.
Step 2 class-map [match-all | match-any] class-map-name: Create a VLAN-level class map, and enter class-map configuration mode. For information about creating a class map, see the “Classifying Traffic by Using Class Maps” section on page 39-51. By default, no class maps are defined.

Step 4 match protocol [ip | ipv6]: (Optional) Specify the IP protocol to which the class map applies.
• Use the argument ip to specify IPv4 traffic, and ipv6 to specify IPv6 traffic.
• When you use the match protocol command, only the match-all keyword is supported for the first level class map.
Note: This command is available only when the dual IPv4 and IPv6 SDM template is configured.

Step 11 policy-map policy-map-name: Create an interface-level policy map by entering the policy-map name, and enter policy-map configuration mode. By default, no policy maps are defined, and no policing is performed.
Step 12 class class-map-name: Define an interface-level traffic classification by referencing an existing class map, and enter policy-map class configuration mode. By default, no policy-map classes are defined.

Step 18 trust [cos | dscp | ip-precedence]: Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label. Note: This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, skip the set command in the following step. By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.

Step 24 service-policy input policy-map-name: Specify the VLAN-level policy-map name, and apply it to the SVI. Repeat the previous step and this command to apply the policy map to other SVIs. If the hierarchical VLAN-level policy map has more than one interface-level policy map, all class maps must be configured to the same VLAN-level policy map specified in the service-policy policy-map-name command.
end: Return to privileged EXEC mode.

In this continuation of the hierarchical example, the class maps cm-2 (match ip dscp 2), cm-3 (match ip dscp 3), and cm-4 were created in global configuration mode before the VLAN-level policy map; match statements are not accepted inside a policy map. Each class is referenced with the class command and attaches its interface-level policy map:
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class cm-2
    Switch(config-pmap-c)# service-policy port-plcmap-1
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class cm-3
    Switch(config-pmap-c)# service-policy port-plcmap-2
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class cm-4
    Switch(config-pmap-c)# trust dscp
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# exit
    Switch(config)# interface vl
Beginning in privileged EXEC mode, follow these steps to create an aggregate policer:
Step 1 configure terminal: Enter global configuration mode.
Step 2 mls qos aggregate-policer aggregate-policer-name rate-bps burst-byte exceed-action {drop | policed-dscp-transmit}: Define the policer parameters that can be applied to multiple traffic classes within the same policy map. By default, no aggregate policer is defined.

Step 10 end: Return to privileged EXEC mode.
Step 11 show mls qos aggregate-policer [aggregate-policer-name]: Verify your entries.
Step 12 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To remove the specified aggregate policer from a policy map, use the no police aggregate aggregate-policer-name policy-map class configuration command.

Configuring the CoS-to-DSCP Map
You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 39-12 shows the default CoS-to-DSCP map.
Table 39-12 Default CoS-to-DSCP Map
CoS Value   DSCP Value
0           0
1           8
2           16
3           24
4           32
5           40
6           48
7           56
If these values are not appropriate for your network, you need to modify them.

Configuring the IP-Precedence-to-DSCP Map
You use the IP-precedence-to-DSCP map to map IP precedence values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic.

Configuring the Policed-DSCP Map
You use the policed-DSCP map to mark down a DSCP value to a new value as the result of a policing and marking action. The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value. Beginning in privileged EXEC mode, follow these steps to modify the policed-DSCP map. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.

Configuring the DSCP-to-CoS Map
You use the DSCP-to-CoS map to generate a CoS value, which is used to select one of the four egress queues. Table 39-14 shows the default DSCP-to-CoS map.
Table 39-14 Default DSCP-to-CoS Map
DSCP Value   CoS Value
0–7          0
8–15         1
16–23        2
24–31        3
32–39        4
40–47        5
48–55        6
56–63        7
If these values are not appropriate for your network, you need to modify them.

(show mls qos maps dscp-cos output, rows d1 = 3 to 6; the CoS values in the matrix body are not recoverable)
Note: In the above DSCP-to-CoS map, the CoS values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the DSCP; the d2 row specifies the least-significant digit of the DSCP. The intersection of the d1 and d2 values provides the CoS value.
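The port trust states above and the CoS-to-DSCP, IP-precedence-to-DSCP, DSCP-to-CoS and DSCP-mutation maps in this section together decide the internal DSCP, the rewritten egress values and the egress queue. The Python model below is an added example (not from the guide, not Cisco code) that encodes the default maps from Tables 39-12 to 39-14, builds a mutation map the way mls qos map dscp-mutation does, and runs a frame through the classification for each trust state, including the DSCP-transparency case where the packet DSCP is left alone but the internal DSCP still drives CoS and queue. The CoS-to-egress-queue map COS_TO_QUEUE is an assumption (the guide's default queue map is in its Table 39-11, not reproduced here); the sample frames are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


def default_cos_to_dscp() -> Dict[int, int]:
    """Table 39-12: CoS 0..7 -> DSCP 0, 8, ..., 56."""
    return {cos: cos * 8 for cos in range(8)}


def default_prec_to_dscp() -> Dict[int, int]:
    """Table 39-13: IP precedence 0..7 -> DSCP 0, 8, ..., 56."""
    return {prec: prec * 8 for prec in range(8)}


def default_dscp_to_cos() -> Dict[int, int]:
    """Table 39-14: DSCP 0-7 -> CoS 0, 8-15 -> 1, ..., 56-63 -> 7."""
    return {dscp: dscp // 8 for dscp in range(64)}


def null_map() -> Dict[int, int]:
    """Default DSCP-to-DSCP-mutation and policed-DSCP maps: identity."""
    return {dscp: dscp for dscp in range(64)}


def mutation_map(*entries: Tuple[Iterable[int], int]) -> Dict[int, int]:
    """Build a map the way 'mls qos map dscp-mutation NAME in1 ... to out'
    does: every listed ingress DSCP is rewritten to OUT, all others unchanged."""
    m = null_map()
    for in_dscps, out in entries:
        for d in in_dscps:
            m[d] = out
    return m


# Assumed CoS-to-egress-queue map (not from this section; compare with the
# output of 'show mls qos maps cos-output-q' on a real switch).
COS_TO_QUEUE = {5: 1, 3: 2, 6: 2, 7: 2, 2: 3, 4: 3, 0: 4, 1: 4}


@dataclass
class Frame:
    dscp: Optional[int] = None   # None for a non-IP frame
    cos: Optional[int] = None    # None when the frame is untagged


@dataclass
class Result:
    internal_dscp: int
    egress_dscp: Optional[int]   # None for non-IP frames
    egress_cos: int
    queue: int


def classify(frame: Frame, trust: Optional[str], default_cos: int = 0,
             mutation: Optional[Dict[int, int]] = None,
             dscp_transparent: bool = False) -> Result:
    """Model ingress classification on a port whose trust state is 'cos',
    'dscp', 'ip-precedence' or None (untrusted), followed by the egress
    rewrite derived from the internal DSCP."""
    cos2dscp, prec2dscp = default_cos_to_dscp(), default_prec_to_dscp()
    dscp2cos = default_dscp_to_cos()
    mutation = mutation or null_map()
    frame_cos = frame.cos if frame.cos is not None else default_cos   # mls qos cos default-cos

    if trust == "dscp" and frame.dscp is not None:
        internal = mutation[frame.dscp]            # mutation applied on ingress, null map by default
    elif trust == "ip-precedence" and frame.dscp is not None:
        internal = prec2dscp[frame.dscp >> 3]      # precedence is the top three DSCP bits
    elif trust in ("cos", "dscp", "ip-precedence"):
        internal = cos2dscp[frame_cos]             # trust cos, or a non-IP frame on a trusted port
    else:
        internal = cos2dscp[default_cos]           # untrusted port: host markings are discarded

    egress_cos = dscp2cos[internal]
    if frame.dscp is None:
        egress_dscp = None
    elif dscp_transparent:
        egress_dscp = frame.dscp                   # no mls qos rewrite ip dscp: packet DSCP untouched
    else:
        egress_dscp = internal
    return Result(internal, egress_dscp, egress_cos, COS_TO_QUEUE[egress_cos])


if __name__ == "__main__":
    m = mutation_map(([46], 40), (range(24, 32), 16))
    for trust in ("dscp", "cos", "ip-precedence", None):
        print(trust, classify(Frame(dscp=46, cos=5), trust, mutation=m))
```

With the mutation map in the usage line, an EF-marked (DSCP 46) packet arriving on a DSCP-trusted port leaves as DSCP 40 but still gets CoS 5 and the CoS 5 queue, while the same packet on an untrusted port is re-marked to DSCP 0 and CoS 0, which is why the trust state, not the host's marking, is what an attacker has to defeat.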
To return to the default map, use the no mls qos dscp-mutation dscp-mutation-name global configuration command. This example shows how to define the DSCP-to-DSCP-mutation map.

Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds
You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped. Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and to set WTD thresholds. This procedure is optional.

This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent.

Beginning in privileged EXEC mode, follow these steps to allocate bandwidth between the ingress queues. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 mls qos srr-queue input bandwidth weight1 weight2: Assign shared round robin weights to the ingress queues. The default setting for weight1 and weight2 is 4 (the bandwidth is shared equally between the two queues, 1/2 each).

Beginning in privileged EXEC mode, follow these steps to configure the priority queue. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 mls qos srr-queue input priority-queue queue-id bandwidth weight: Assign a queue as the priority queue and guarantee bandwidth on the stack or internal ring if the ring is congested.

These sections contain this configuration information:
• Configuration Guidelines, page 39-80
• Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, page 39-80 (optional)
• Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, page 39-82 (optional)
• Configuring SRR Shaped Weights on Egress Queues, page 39-84 (optional)
• Configuring SRR Shared Weights on Egress Queues, page 39-85 (optional)
• Configur

Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and the drop thresholds for a queue-set. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 mls qos queue-set output qset-id buffers allocation1 ... allocation4: Allocate buffers to a queue-set. By default, all allocation values are equally mapped among the four queues (25, 25, 25, 25).

Step 7 show mls qos interface [interface-id] buffers: Verify your entries.
Step 8 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command.

Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an egress queue and to a threshold ID. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 mls qos srr-queue output dscp-map queue queue-id threshold threshold-id dscp1...dscp8 (or the cos-map form with cos1...cos8): Map DSCP or CoS values to an egress queue and to a threshold ID.

Configuring SRR Shaped Weights on Egress Queues
You can specify how much of the available bandwidth is allocated to each queue. The ratio of the weights is the ratio of frequency in which the SRR scheduler sends packets from each queue. You can configure the egress queues for shaped or shared weights, or both. Use shaping to smooth bursty traffic or to provide a smoother output over time.

Configuring SRR Shared Weights on Egress Queues
In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue empties and does not require a share of the link, the remaining queues can expand into the unused bandwidth and share it among them.
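The difference between shaped and shared SRR weights (and the same shared model applies to the ingress mls qos srr-queue input bandwidth weights above) is easiest to see as a bandwidth calculation: a shaped queue with weight w is guaranteed and capped at 1/w of the link, while shared queues split whatever is left in the ratio of their weights, with any queue that needs less than its share giving the remainder back. The following Python is an added example, not code from the guide or from Cisco; it implements shared mode as water-filling and the shape-then-share combination of srr-queue bandwidth shape and srr-queue bandwidth share. Weights, demands and the unit link capacity are constructed inputs.

```python
from typing import List, Sequence

EPS = 1e-9


def shared_allocation(weights: Sequence[float], demands: Sequence[float],
                      link: float = 1.0) -> List[float]:
    """Shared-mode SRR as water-filling. Bandwidth is divided in the ratio of
    the weights among queues that still have backlog; a queue whose demand is
    below its share takes only its demand and the rest is re-divided among
    the others. Returns the fraction of the link each queue receives."""
    alloc = [0.0] * len(weights)
    remaining = link
    active = [i for i, d in enumerate(demands) if d > 0 and weights[i] > 0]
    while active and remaining > EPS:
        total_w = sum(weights[i] for i in active)
        # Queues that would be offered more than they need are capped at their demand.
        capped = [i for i in active
                  if alloc[i] + remaining * weights[i] / total_w >= demands[i] - EPS]
        if not capped:
            for i in active:
                alloc[i] += remaining * weights[i] / total_w
            break
        for i in capped:
            remaining -= demands[i] - alloc[i]
            alloc[i] = demands[i]
            active.remove(i)
    return alloc


def shaped_allocation(shape_weights: Sequence[float], share_weights: Sequence[float],
                      demands: Sequence[float], link: float = 1.0) -> List[float]:
    """Mixed mode: a queue with a non-zero shape weight w is guaranteed and
    rate-limited to 1/w of the link (the shape weight wins over the share
    weight); a shape weight of 0 leaves the queue in shared mode. Bandwidth a
    shaped queue does not use is handed to the shared queues."""
    alloc = [0.0] * len(demands)
    used = 0.0
    for i, w in enumerate(shape_weights):
        if w > 0:
            alloc[i] = min(demands[i], link / w)
            used += alloc[i]
    shared_w = [w if shape_weights[i] == 0 else 0 for i, w in enumerate(share_weights)]
    shared_d = [d if shape_weights[i] == 0 else 0 for i, d in enumerate(demands)]
    for i, a in enumerate(shared_allocation(shared_w, shared_d, link - used)):
        if shape_weights[i] == 0:
            alloc[i] = a
    return alloc


if __name__ == "__main__":
    # Constructed: four egress queues, queue 1 shaped to 1/8 of the link, the rest shared 1:1:1.
    print("all queues backlogged:", shaped_allocation([8, 0, 0, 0], [0, 1, 1, 1], [1, 1, 1, 1]))
    print("queue 1 nearly idle:  ", shaped_allocation([8, 0, 0, 0], [0, 1, 1, 1], [0.05, 1, 1, 1]))
    print("shared only, queue 1 light:", shared_allocation([25, 25, 25, 25], [0.1, 1, 1, 1]))
```

The second printed line shows the shaped queue never exceeding its cap even when it is the only one with a light load, while the shared queues absorb the idle capacity; a queue whose traffic must be limited, such as a low-priority bulk class, is therefore shaped, and queues whose traffic should expand into idle bandwidth are shared.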
Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 mls qos: Enable QoS on a switch.
Step 3 interface interface-id: Specify the egress port, and enter interface configuration mode.
Step 4 priority-queue out: Enable the egress expedite queue, which is disabled by default.

Step 5 show mls qos interface [interface-id] queueing: Verify your entries.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To return to the default setting, use the no srr-queue bandwidth limit interface configuration command.

Displaying Standard QoS Information
Catalyst 3750-X and 3560-X Switch Software Configuration Guide 39-88 OL-21521-01
Chapter 40 Configuring EtherChannels and Link-State Tracking
This chapter describes how to configure EtherChannels on Layer 2 and Layer 3 ports on the Catalyst 3750-X or 3560-X switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.

Understanding EtherChannels
• Load-Balancing and Forwarding Methods, page 40-8
• EtherChannel and Switch Stacks, page 40-10

EtherChannel Overview
An EtherChannel consists of individual Gigabit Ethernet links bundled into a single logical link as shown in Figure 40-1.

You can configure an EtherChannel in one of these modes: Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), or On. Configure both ends of the EtherChannel in the same mode:
• When you configure one end of an EtherChannel in either PAgP or LACP mode, the system negotiates with the other end of the channel to determine which ports should become active.

Figure 40-3 Cross-Stack EtherChannel (figure: a switch stack of Switch 1, Switch 2, and Switch 3 joined by StackWise Plus port connections, with channel group 1 spanning stack members to Switch A)

Port-Channel Interfaces
When you create an EtherChannel, a port-channel logical interface is involved:
• With Layer 2 ports, use the channel-group interface configuration command to dynamically create the port-channel logical interface.

Figure 40-4 Relationship of Physical Ports, Logical Port Channels, and Channel Groups (figure: physical ports bound by channel-group binding to one logical port-channel)
After you configure an EtherChannel, configuration changes applied to the port-channel interface apply to all the physical ports assigned to the port-channel interface.

PAgP Modes
Table 40-1 shows the user-configurable EtherChannel PAgP modes for the channel-group interface configuration command.
Table 40-1 EtherChannel PAgP Modes
auto: Places a port into a passive negotiating state, in which the port responds to PAgP packets it receives but does not start PAgP packet negotiation. This setting minimizes the transmission of PAgP packets.

To prevent a dual-active situation, the core switches send PAgP protocol data units (PDUs) through the RSLs to the remote switches. The PAgP PDUs identify the active switch, and the remote switches forward the PDUs to core switches so that the core switches are in sync. If the active switch fails or resets, the standby switch takes over as the active switch.

Ports can form an EtherChannel when they are in different LACP modes as long as the modes are compatible. For example:
• A port in the active mode can form an EtherChannel with another port that is in the active or passive mode.
• A port in the passive mode cannot form an EtherChannel with another port that is also in the passive mode because neither port starts LACP negotiation.

With destination-MAC address forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the channel based on the destination host’s MAC address of the incoming packet. Therefore, packets to the same destination are forwarded over the same port, and packets to a different destination are sent on a different port in the channel.
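The practical consequence of the load-balancing method is that a channel can be fully provisioned and still carry all of its traffic on one member link. The Python below is an added example, not from the guide and not Cisco code, that models the three MAC-based methods over constructed traffic from eight PCs to a single gateway MAC. The hash itself is an assumption: the guide says which addresses are hashed, not how the hardware hashes them, so the model takes the low-order three bits of the chosen address (or of the source XOR destination) as one of eight buckets and deals the buckets round-robin across the member links. The MAC addresses are constructed.

```python
from collections import Counter
from typing import Dict, List, Tuple


def mac_to_int(mac: str) -> int:
    """'0011.2233.4455', '00:11:22:33:44:55' or '00-11-22-33-44-55' -> int."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def select_link(method: str, src_mac: str, dst_mac: str, n_links: int) -> int:
    """Pick the member link (0..n_links-1) for one frame.
    Simplified model (assumption): the low-order 3 bits of the hashed field
    choose one of 8 buckets, and buckets are dealt round-robin over the links."""
    src, dst = mac_to_int(src_mac), mac_to_int(dst_mac)
    key = {"src-mac": src, "dst-mac": dst, "src-dst-mac": src ^ dst}[method]
    return (key & 0x7) % n_links


def distribution(method: str, frames: List[Tuple[str, str]], n_links: int) -> Dict[int, int]:
    """Frames per member link for a list of (source MAC, destination MAC)."""
    return dict(Counter(select_link(method, s, d, n_links) for s, d in frames))


# Constructed traffic: eight PCs behind the switch all talking to one router MAC.
GATEWAY = "0000.0c07.ac01"
PCS = [f"0001.0000.000{i}" for i in range(8)]
UPSTREAM = [(pc, GATEWAY) for pc in PCS]     # switch -> router direction


def compare(frames: List[Tuple[str, str]] = UPSTREAM, n_links: int = 4) -> Dict[str, Dict[int, int]]:
    """Distribution of the same traffic under each MAC-based method."""
    return {m: distribution(m, frames, n_links) for m in ("src-mac", "dst-mac", "src-dst-mac")}


if __name__ == "__main__":
    for method, per_link in compare().items():
        print(f"{method:12s} {per_link}")
```

Toward the router, dst-mac puts every frame on the same member link because every frame has the same destination, while src-mac and src-dst-mac spread the eight hosts over the four links; the reverse direction has the opposite problem, which is why the guide's Figure 40-5 pairs source-based forwarding on the switch with destination-based forwarding on the router.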
Chapter 40 Configuring EtherChannels and Link-State Tracking Understanding EtherChannels Figure 40-5 Load Distribution and Forwarding Methods Switch with source-based forwarding enabled EtherChannel 101239 Cisco router with destination-based forwarding enabled EtherChannel and Switch Stacks If a stack member that has ports participating in an EtherChannel fails or leaves the stack, the stack master removes the failed stack member switch ports from the EtherChannel.
Chapter 40 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels For more information about switch stacks, see Chapter 5, “Managing Switch Stacks.
Chapter 40 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels EtherChannel Configuration Guidelines If improperly configured, some EtherChannel ports are automatically disabled to avoid network loops and other problems. Follow these guidelines to avoid configuration problems: • Do not try to configure more than 48 EtherChannels on the switch or switch stack. • Configure a PAgP EtherChannel with up to eight Ethernet ports of the same type.
Chapter 40 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels – Ports with different spanning-tree path costs can form an EtherChannel if they are otherwise compatibly configured. Setting different spanning-tree path costs does not, by itself, make ports incompatible for the formation of an EtherChannel. • For Layer 3 EtherChannels, assign the Layer 3 address to the port-channel logical interface, not to the physical ports in the channel.
Chapter 40 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Step 4 Command Purpose channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive} Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 48. For mode, select one of these keywords: • auto—Enables PAgP only if a PAgP device is detected.
Chapter 40 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels This example shows how to configure an EtherChannel on a single switch in the stack.
Chapter 40 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Beginning in privileged EXEC mode, follow these steps to create a port-channel interface for a Layer 3 EtherChannel. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface port-channel port-channel-number Specify the port-channel logical interface, and enter interface configuration mode. For port-channel-number, the range is 1 to 48.
Chapter 40 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Step 5 Command Purpose channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive} Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 48. This number must be the same as the port-channel-number (logical port) configured in the “Creating Port-Channel Logical Interfaces” section on page 40-15.
Chapter 40 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels This example shows how to configure an EtherChannel. It assigns two ports to channel 5 with the LACP mode active: Switch# configure terminal Switch(config)# interface range gigabitethernet2/0/1 -2 Switch(config-if-range)# no ip address Switch(config-if-range)# no switchport Switch(config-if-range)# channel-group 5 mode active Switch(config-if-range)# end This example shows how to configure a cross-stack EtherChannel.
Step 3 end: Return to privileged EXEC mode.
Step 4 show etherchannel load-balance: Verify your entries.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To return EtherChannel load-balancing to the default configuration, use the no port-channel load-balance global configuration command.
Beginning in privileged EXEC mode, follow these steps to configure your switch as a PAgP physical-port learner and to adjust the priority so that the same port in the bundle is selected for sending packets. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Specify the port for transmission, and enter interface configuration mode.
If you configure more than eight links for an EtherChannel group, the software automatically decides which of the hot-standby ports to make active based on the LACP priority.
Configuring the LACP Port Priority
By default, all ports use the same port priority. If the local system has a lower value for the system priority and the system ID than the remote system, you can affect which of the hot-standby links become active first by changing the port priority of LACP EtherChannel ports to a lower value than the default.
Table 40-4 Commands for Displaying EtherChannel, PAgP, and LACP Status (continued)
show pagp [channel-group-number] dual-active: Displays the dual-active detection status.
show lacp [channel-group-number] {counters | internal | neighbor}: Displays LACP information such as traffic information, the internal LACP configuration, and neighbor information.
Figure 40-6 Typical Link-State Tracking Configuration (figure not reproduced; it shows distribution switch 1 and distribution switch 2 connected to the network over Layer 3 links, and switch A and switch B with their ports assigned to link-state group 1 and link-state group 2)
• Link-state group 2 on switch A
– Switch A provides secondary links to server 3 and server 4 through link-state group 2. Port 3 is connected to server 3, and port 4 is connected to server 4. Port 3 and port 4 are the downstream interfaces in link-state group 2.
– Port 7 and port 8 are connected to distribution switch 2 through link-state group 2.
Default Link-State Tracking Configuration
There are no link-state groups defined, and link-state tracking is not enabled for any group.
Link-State Tracking Configuration Guidelines
• An interface that is defined as an upstream interface cannot also be defined as a downstream interface in the same or a different link-state group. The reverse is also true.
Switch(config-if)# interface gigabitethernet1/0/3
Switch(config-if)# link state group 1 downstream
Switch(config-if)# interface gigabitethernet1/0/5
Switch(config-if)# link state group 1 downstream
Switch(config-if)# end
Note If the interfaces are part of an EtherChannel, you must specify the port channel name as part of the link-state group, not the individual port members.
Chapter 41 Configuring TelePresence E911 IP Phone Support
Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note This feature is not supported on switches running the LAN base feature set.
The Catalyst 3750-X and 3560-X switch command reference has command syntax and usage information.
Configuring TelePresence E911 IP Phone Support
Use the TelePresence E911 IP phone support feature to ensure that the IP phone is always on and available for emergency calls. When a CDP-enabled IP phone is connected to the codec through a switch, you can configure the switch to forward CDP packets from the IP phone only to the codec in the Cisco TelePresence System. The switch adds ingress-egress port pairs to the CDP forwarding table.
Enabling TelePresence E911 IP Phone Support
Beginning in privileged EXEC mode:
Step 1 configure terminal: Enters global configuration mode.
Step 2 cdp forward ingress port-id egress port-id: Configures an ingress-egress port pair.
• ingress port-id: Specifies the port connected to the CDP-enabled IP phone.
Switch# show cdp forward
Ingress   Egress     # packets   # packets
Port      Port       forwarded   dropped
------------------------------------------------
Gi2/0/2   Gi2/0/13   0           0
Switch#
Chapter 42 Configuring IP Unicast Routing
This chapter describes how to configure IP Version 4 (IPv4) unicast routing on the Catalyst 3750-X or 3560-X switch.
Note Routing is not supported on switches running the LAN base feature set.
Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. A switch stack operates and appears as a single router to the rest of the routers in the network.
• Configuring Multi-VRF CE, page 42-74
• Configuring Protocol-Independent Features, page 42-89
• Monitoring and Maintaining the IP Network, page 42-104
Note When configuring routing parameters on the switch and to allocate system resources to maximize the number of unicast routes allowed, you can use the sdm prefer routing global configuration command to set the Switch Database Management (sdm) feature to the routing template.
Types of Routing
Routers and Layer 3 switches can route packets in three different ways:
• By using default routing
• By using preprogrammed static routes for the traffic
• By dynamically calculating routes by using a routing protocol
Default routing refers to sending traffic with a destination unknown to the router to a default outlet or destination.
• The MAC address of the stack master is used as the router MAC address for the whole stack, and all outside devices use this address to send IP packets to the stack.
• All IP packets that require software forwarding or processing go through the CPU of the stack master.
Caution Partitioning of the switch stack into two or more stacks might lead to undesirable behavior in the network.
Steps for Configuring Routing
By default, IP routing is disabled on the switch, and you must enable it before routing can take place. For detailed IP routing configuration information, see the Cisco IOS IP Configuration Guide, Release 12.
Configuring IP Addressing
A required task for configuring IP routing is to assign IP addresses to Layer 3 network interfaces to enable the interfaces and allow communication with the hosts on those interfaces that use IP. These sections describe how to configure various IP addressing features. Assigning IP addresses to the interface is required; the other procedures are optional.
Table 42-1 Default Addressing Configuration (continued)
IRDP: Disabled. Defaults when enabled:
• Broadcast IRDP advertisements.
• Maximum interval between advertisements: 600 seconds.
• Minimum interval between advertisements: 0.75 times max interval.
• Preference: 0.
IP proxy ARP: Enabled.
IP routing: Disabled.
IP subnet-zero: Disabled.
You can use the all-ones subnet (131.108.255.0) and, even though it is discouraged, you can enable the use of subnet zero if you need the entire subnet space for your IP address.
Beginning in privileged EXEC mode, follow these steps to enable subnet zero:
Step 1 configure terminal: Enter global configuration mode.
Step 2 ip subnet-zero: Enable the use of subnet zero for interface addresses and routing updates.
Figure 42-3 No IP Classless Routing (figure not reproduced; labels: 128.0.0.0/8, 128.20.0.0, 128.20.1.0, 128.20.2.0, 128.20.3.0, host 128.20.4.1, bit bucket)
To prevent the switch from forwarding packets destined for unrecognized subnets to the best supernet route possible, you can disable classless routing behavior.
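The lookup difference that Figure 42-3 illustrates, as an added Python example (not code from the guide or from Cisco IOS): a longest-prefix match over a constructed routing table that contains three subnet routes for 128.20.0.0 plus the supernet route 128.0.0.0/8. With ip classless, a packet for 128.20.4.1 falls back to the supernet route; with no ip classless, it goes to the bit bucket because the router already holds subnet routes for that major network. The route list and the destination addresses are constructed for the example; the classful-network helper is an assumption about how the major network is determined.

```python
import ipaddress

# Constructed routing table modelled on Figure 42-3 (not taken from the guide):
# three subnet routes inside the classful network 128.20.0.0/16 and a supernet
# route 128.0.0.0/8. Next hops are omitted because only matching matters here.
ROUTES = ["128.20.1.0/24", "128.20.2.0/24", "128.20.3.0/24", "128.0.0.0/8"]


def classful_network(addr):
    """Return the class A/B/C network (the 'major network') that contains addr."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    else:
        prefix = 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def lookup(destination, routes=ROUTES, ip_classless=True):
    """Longest-prefix match modelling 'ip classless' versus 'no ip classless'.

    Returns the matching route as a string, or None when the packet is dropped
    (the 'bit bucket' in Figure 42-3).
    """
    dest = ipaddress.ip_address(destination)
    nets = [ipaddress.ip_network(r) for r in routes]
    if not ip_classless:
        # With 'no ip classless', a destination inside a major network for which
        # the router holds subnet routes is matched only against those subnets;
        # supernet and default routes are not used as a fallback for it.
        major = classful_network(dest)
        subnets = [n for n in nets if n != major and n.subnet_of(major)]
        if subnets:
            nets = subnets
    matches = [n for n in nets if dest in n]
    if not matches:
        return None
    return str(max(matches, key=lambda n: n.prefixlen))


if __name__ == "__main__":
    for flag in (True, False):
        print(f"ip classless={flag}: 128.20.4.1 ->", lookup("128.20.4.1", ip_classless=flag))
```

A destination in a major network the router knows nothing about (for example 128.30.1.1 against this table) still uses the supernet route under no ip classless; only destinations in a major network with known subnets are discarded.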
The switch can use these forms of address resolution:
• Address Resolution Protocol (ARP) is used to associate IP addresses with MAC addresses. Taking an IP address as input, ARP learns the associated MAC address and then stores the IP address/MAC address association in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network.
Step 3 arp ip-address hardware-address type [alias]: (Optional) Specify that the switch respond to ARP requests as if it were the owner of the specified IP address.
Step 4 interface interface-id: Enter interface configuration mode, and specify the interface to configure.
Step 5 arp timeout seconds: (Optional) Set the length of time an ARP cache entry will stay in the cache. The default is 14400 seconds (4 hours).
Enable Proxy ARP
By default, the switch uses proxy ARP to help hosts learn MAC addresses of hosts on other networks or subnets.
Beginning in privileged EXEC mode, follow these steps to enable proxy ARP if it has been disabled:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Enter interface configuration mode, and specify the Layer 3 interface to configure.
Beginning in privileged EXEC mode, follow these steps to define a default gateway (router) when IP routing is disabled:
Step 1 configure terminal: Enter global configuration mode.
Step 2 ip default-gateway ip-address: Set up a default gateway (router).
Step 3 end: Return to privileged EXEC mode.
Step 4 show ip redirects: Display the address of the default gateway router to verify the setting.
Step 6 ip irdp maxadvertinterval seconds: (Optional) Set the IRDP maximum interval between advertisements. The default is 600 seconds.
Step 7 ip irdp minadvertinterval seconds: (Optional) Set the IRDP minimum interval between advertisements. The default is 0.75 times the maxadvertinterval. If you change the maxadvertinterval, this value changes to the new default (0.75 of maxadvertinterval).
Enabling Directed Broadcast-to-Physical Broadcast Translation
By default, IP directed broadcasts are dropped; they are not forwarded. Dropping IP-directed broadcasts makes routers less susceptible to denial-of-service attacks. You can enable forwarding of IP-directed broadcasts on an interface where the broadcast becomes a physical (MAC-layer) broadcast.
Forwarding UDP Broadcast Packets and Protocols
User Datagram Protocol (UDP) is an IP host-to-host layer protocol, as is TCP. UDP provides a low-overhead, connectionless session between two end systems and does not provide for acknowledgment of received datagrams. Network hosts occasionally use UDP broadcasts to find address, configuration, and name information.
Establishing an IP Broadcast Address
The most popular IP broadcast address (and the default) is an address consisting of all ones (255.255.255.255). However, the switch can be configured to generate any form of IP broadcast address.
Beginning in privileged EXEC mode, follow these steps to set the IP broadcast address on an interface:
Step 1 configure terminal: Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to use the bridging spanning-tree database to flood UDP datagrams:
Step 1 configure terminal: Enter global configuration mode.
Step 2 ip forward-protocol spanning-tree: Use the bridging spanning-tree database to flood UDP datagrams.
Step 3 end: Return to privileged EXEC mode.
Step 4 show running-config: Verify your entry.
Table 42-3 Commands to Display Caches, Tables, and Databases
show arp: Display the entries in the ARP table.
show hosts: Display the default domain name, style of lookup service, name server hosts, and the cached list of hostnames and addresses.
show ip aliases: Display IP addresses mapped to TCP ports (aliases).
show ip arp: Display the IP ARP cache.
This example shows how to enable IP routing using RIP as the routing protocol:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip routing
Switch(config)# router rip
Switch(config-router)# network 10.0.0.0
Switch(config-router)# end
Default RIP Configuration
Table 42-4 Default RIP Configuration
Auto summary: Enabled.
Default-information originate: Disabled.
Default metric: Built-in; automatic metric translations.
IP RIP authentication key-chain: No authentication. Authentication mode: clear text.
IP RIP receive version: According to the version router configuration command.
Step 4 network network-number: Associate a network with a RIP routing process. You can specify multiple network commands. RIP routing updates are sent and received through interfaces only on these networks. Note You must configure a network number for the RIP commands to take effect.
Step 5 neighbor ip-address: (Optional) Define a neighboring router with which to exchange routing information.
To turn off the RIP routing process, use the no router rip global configuration command. To display the parameters and current state of the active routing protocol process, use the show ip protocols privileged EXEC command. Use the show ip rip database privileged EXEC command to display summary address entries in the RIP database.
Configuring RIP Authentication
RIP Version 1 does not support authentication.
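The defaults described in the preceding sections (directed broadcasts dropped unless ip directed-broadcast is configured, proxy ARP enabled on Layer 3 interfaces, RIP authentication mode clear text unless MD5 is selected, no authentication at all with RIP version 1) are the kind of thing a configuration review checks for. The following Python is an added example, not code from the guide or a Cisco tool: it parses a constructed running-config into sections and reports each interface or routing process that is left at a weak default or has forwarding of directed broadcasts turned on. The sample configuration, its interface names, and the key-chain name rip-keys are all constructed for the example; GigabitEthernet1/0/1 carries the risky settings and GigabitEthernet1/0/2 shows the hardened form.

```python
# Constructed sample running-config (not from the guide). GigabitEthernet1/0/1
# carries the risky settings; GigabitEthernet1/0/2 shows the hardened form.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.1.1.1 255.255.255.0
 ip directed-broadcast
 ip rip authentication key-chain rip-keys
!
interface GigabitEthernet1/0/2
 no switchport
 ip address 10.1.2.1 255.255.255.0
 no ip proxy-arp
 ip rip authentication key-chain rip-keys
 ip rip authentication mode md5
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
!
router rip
 version 2
 network 10.0.0.0
!
"""


def parse_sections(config):
    """Split an IOS-style config into (header, [indented body lines]) blocks."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def has(body, command):
    """True if the section contains the command, with or without further arguments."""
    return any(line == command or line.startswith(command + " ") for line in body)


def audit(config):
    """Return (section, finding) pairs for the defaults and options discussed above."""
    findings = []
    for header, body in parse_sections(config):
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            is_layer3 = has(body, "ip address")
            if has(body, "ip directed-broadcast"):
                findings.append((name, "forwards IP directed broadcasts (default is to drop them)"))
            if is_layer3 and not has(body, "no ip proxy-arp"):
                findings.append((name, "proxy ARP left at its enabled default"))
            if has(body, "ip rip authentication key-chain") and not has(body, "ip rip authentication mode md5"):
                findings.append((name, "RIP authentication mode is the clear-text default"))
        elif header == "router rip":
            if has(body, "version 1"):
                findings.append((header, "RIP version 1 does not support authentication"))
    return findings


if __name__ == "__main__":
    for section, finding in audit(SAMPLE_CONFIG):
        print(f"{section}: {finding}")
```

The proxy ARP check relies on absence of a command, which is why the parser keeps whole interface sections rather than grepping for single lines; a default that is on unless explicitly disabled can only be found by looking at what is missing from each section.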
If you want to configure an interface running RIP to advertise a summarized local IP address pool on a network access server for dial-up clients, use the ip summary-address rip interface configuration command.
Note If split horizon is enabled, neither autosummary nor interface IP summary addresses are advertised.
Configuring Split Horizon
Routers connected to broadcast-type IP networks and using distance-vector routing protocols normally use the split-horizon mechanism to reduce the possibility of routing loops. Split horizon blocks information about routes from being advertised by a router on any interface from which that information originated. This feature can optimize communication among multiple routers, especially when links are broken.
• Plain text and MD5 authentication among neighboring routers within an area is supported.
• Configurable routing interface parameters include interface output cost, retransmission interval, interface transmit delay, router priority, router dead and hello intervals, and authentication key.
• Virtual links are supported.
• Not-so-stubby-areas (NSSAs) per RFC 1587 are supported.
Default OSPF Configuration
Table 42-5 Default OSPF Configuration
Interface parameters: Cost: No default cost predefined. Retransmit interval: 5 seconds. Transmit delay: 1 second. Priority: 1. Hello interval: 10 seconds. Dead interval: 4 times the hello interval. No authentication. No password specified. MD5 authentication disabled.
Area: Authentication type: 0 (no authentication). Default cost: 1. Range: Disabled.
Table 42-5 Default OSPF Configuration (continued)
Timers shortest path first (spf): spf delay: 5 seconds; spf-holdtime: 10 seconds.
Virtual link: No area ID or router ID defined. Hello interval: 10 seconds. Retransmit interval: 5 seconds. Transmit delay: 1 second. Dead interval: 40 seconds. Authentication key: no key predefined. Message-digest key (MD5): no key predefined.
1. NSF = Nonstop forwarding
2.
When the neighbor relationships are reestablished, the NSF-capable stack master resynchronizes its database with its NSF-aware neighbors, and routing information is exchanged between the OSPF neighbors. The new stack master uses this routing information to remove stale routes, to update the routing information database (RIB), and to update the forwarding information base (FIB) with the new information. The OSPF protocols then fully converge.
Configuring OSPF Interfaces
You can use the ip ospf interface configuration commands to modify interface-specific OSPF parameters. You are not required to modify any of these parameters, but some interface parameters (hello interval, dead interval, and authentication key) must be consistent across all routers in an attached network. If you modify these parameters, be sure all routers in the network have compatible values.
Step 14 show ip ospf neighbor detail: Display NSF awareness status of the neighbor switch. The output matches one of these examples:
• Options is 0x52 and LLS Options is 0x1 (LR): When both of these lines appear, the neighbor switch is NSF aware.
• Options is 0x42: The neighbor switch is not NSF aware.
Step 15 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Step 6 area area-id nssa [no-redistribution] [default-information-originate] [no-summary]: (Optional) Defines an area as a not-so-stubby-area. Every router within the same area must agree that the area is NSSA. Select one of these keywords:
• no-redistribution: Select when the router is an NSSA ABR and you want the redistribute command to import routes into normal areas, but not into the NSSA.
• Administrative distance is a rating of the trustworthiness of a routing information source, an integer between 0 and 255, with a higher value meaning a lower trust rating. An administrative distance of 255 means the routing information source cannot be trusted at all and should be ignored.
Step 12 end: Return to privileged EXEC mode.
Step 13 show ip ospf [process-id [area-id]] database: Display lists of information related to the OSPF database for a specific router. For some of the keyword options, see the “Monitoring OSPF” section on page 42-35.
Step 14 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Step 4 end: Return to privileged EXEC mode.
Step 5 show ip interface: Verify your entries.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Use the no interface loopback 0 global configuration command to disable the loopback interface.
Monitoring OSPF
You can display specific statistics such as the contents of IP routing tables, caches, and databases.
IP EIGRP provides increased network width. With RIP, the largest possible width of your network is 15 hops. Because the EIGRP metric is large enough to support thousands of hops, the only barrier to expanding the network is the transport-layer hop counter. EIGRP increments the transport control field only when an IP packet has traversed 15 routers and the next hop to the destination was learned through EIGRP.
These sections contain this configuration information:
• Default EIGRP Configuration, page 42-37
• Configuring Basic EIGRP Parameters, page 42-39
• Configuring EIGRP Interfaces, page 42-40
• Configuring EIGRP Route Authentication, page 42-41
• EIGRP Stub Routing, page 42-42
• Monitoring and Maintaining EIGRP, page 42-43
Note To enable EIGRP, the switch or stack master must be running the IP services feature set.
Table 42-7 Default EIGRP Configuration (continued)
Network: None specified.
NSF(1) awareness: Enabled(2). Allows Layer 3 switches to continue forwarding packets from a neighboring NSF-capable router during hardware or software changes.
NSF capability: Disabled. Note The switch supports EIGRP NSF-capable routing for IPv4.
Offset-list: Disabled.
Router EIGRP: Disabled.
Set metric: No metric set in the route map.
EIGRP NSF Capability
The IP-services feature set also supports EIGRP NSF-capable routing for IPv4 for better convergence and lower traffic loss following a stack master change. When an EIGRP NSF-capable stack master restarts or a new stack master starts up and NSF restarts, the switch has no neighbors, and the topology table is empty.
Step 6 metric weights tos k1 k2 k3 k4 k5: (Optional) Adjust the EIGRP metric. Although the defaults have been carefully set to provide excellent operation in most networks, you can adjust them.
Caution Setting metrics is complex and is not recommended without guidance from an experienced network designer.
Step 5 ip hello-interval eigrp autonomous-system-number seconds: (Optional) Change the hello time interval for an EIGRP routing process. The range is 1 to 65535 seconds. The default is 60 seconds for low-speed NBMA networks and 5 seconds for all other networks.
Step 6 ip hold-time eigrp autonomous-system-number seconds: (Optional) Change the hold time interval for an EIGRP routing process. The range is 1 to 65535 seconds.
Step 9 accept-lifetime start-time {infinite | end-time | duration seconds}: (Optional) Specify the time period during which the key can be received. The start-time and end-time syntax can be either hh:mm:ss Month date year or hh:mm:ss date Month year. The default is forever, with the default start-time and the earliest acceptable date as January 1, 1993. The default end-time and duration is infinite.
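Key rollover on a key chain only works if the accept and send lifetimes of successive keys are planned so that neighbors never run out of a key they are willing to accept. The following Python is an added example (not code from the guide or from Cisco IOS) that parses the accept-lifetime and send-lifetime syntax described in Step 9, in both the "Month date year" and "date Month year" orders and with the infinite and duration forms, then answers two questions a reviewer asks of a key chain: which keys are valid at a given instant, and whether there is any period in which no key is valid. The key chain text, its name, key numbers and dates are constructed for the example; the key-string values are placeholders, and the 1993 default start date is taken from the text above.

```python
from datetime import datetime, timedelta

# Month names are matched on their first three letters, case-insensitively.
MONTHS = {name: number for number, name in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}

# Defaults stated above: start-time defaults to January 1, 1993, end-time to infinite.
DEFAULT_START = datetime(1993, 1, 1)
INFINITE = datetime(9999, 12, 31)

# Constructed key chain (not from the guide): key 2 replaces key 1, with accept
# windows that overlap so neighbours can switch at different moments.
SAMPLE_KEY_CHAIN = """\
key chain eigrp-keys
 key 1
  key-string PLACEHOLDER-1
  accept-lifetime 00:00:00 January 1 2010 01:00:00 July 1 2010
  send-lifetime 00:00:00 January 1 2010 00:30:00 July 1 2010
 key 2
  key-string PLACEHOLDER-2
  accept-lifetime 00:00:00 1 July 2010 infinite
  send-lifetime 00:30:00 July 1 2010 infinite
"""


def parse_time(tokens):
    """Parse 'hh:mm:ss Month date year' or 'hh:mm:ss date Month year'; return (datetime, rest)."""
    clock, first, second, year = tokens[:4]
    if first[:3].lower() in MONTHS:
        month, day = MONTHS[first[:3].lower()], int(second)
    else:
        month, day = MONTHS[second[:3].lower()], int(first)
    hour, minute, sec = (int(part) for part in clock.split(":"))
    return datetime(int(year), month, day, hour, minute, sec), tokens[4:]


def parse_lifetime(spec):
    """Parse 'start-time {infinite | end-time | duration seconds}' into (start, end)."""
    start, rest = parse_time(spec.split())
    if rest[0] == "infinite":
        end = INFINITE
    elif rest[0] == "duration":
        end = start + timedelta(seconds=int(rest[1]))
    else:
        end, _ = parse_time(rest)
    return start, end


def parse_key_chain(text):
    """Return {key_id: {"accept": (start, end), "send": (start, end)}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 2 and parts[0] == "key" and parts[1].isdigit():
            current = int(parts[1])
            keys[current] = {"accept": (DEFAULT_START, INFINITE), "send": (DEFAULT_START, INFINITE)}
        elif parts and parts[0] in ("accept-lifetime", "send-lifetime") and current is not None:
            keys[current][parts[0].split("-")[0]] = parse_lifetime(" ".join(parts[1:]))
    return keys


def valid_keys(keys, when, which="accept"):
    """Key IDs whose accept (or send) window contains the instant 'when' (datetime or ISO string)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return sorted(k for k, windows in keys.items() if windows[which][0] <= when < windows[which][1])


def coverage_gaps(keys, which="send"):
    """Intervals between the earliest start and the latest end where no key is valid."""
    windows = sorted(w[which] for w in keys.values())
    gaps, covered_until = [], windows[0][0]
    for start, end in windows:
        if start > covered_until:
            gaps.append((covered_until, start))
        covered_until = max(covered_until, end)
    return gaps
```

For the sample chain, both keys are accepted during the first hour of July 1, 2010, while only one key is sent at any moment, which is the usual shape of a safe rollover: an accept overlap with no send gap.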
Figure 42-4 EIGRP Stub Router Configuration (figure not reproduced; labels: Switch A, Switch B, Switch C, Host A, Host B, Host C, routed to WAN)
For more information about EIGRP stub routing, see the “Configuring EIGRP Stub Routing” section of the Cisco IOS IP Configuration Guide, Volume 2 of 3: Routing Protocols, Release 12.2.
Monitoring and Maintaining EIGRP
You can delete neighbors from the neighbor table. You can also display various EIGRP routing statistics.
For details about BGP commands and keywords, see the “IP Routing Protocols” part of the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of BGP commands that are visible but not supported by the switch, see Appendix C, “Unsupported Commands in Cisco IOS Release 12.2(53)SE2.”
In BGP, each route consists of a network number, a list of autonomous systems that information has passed through (the autonomous system path), and a list of other path attributes. The primary function of a BGP system is to exchange network reachability information, including information about the list of AS paths, with other BGP systems.
Table 42-9 Default BGP Configuration
Aggregate address: Disabled: None defined.
AS path access list: None defined.
Auto summary: Enabled.
Best path:
• The router considers as-path in choosing a route and does not compare similar routes from external BGP peers.
• Compare router ID: Disabled.
BGP community list:
• Number: None defined.
BGP confederation identifier/peers:
Table 42-9 Default BGP Configuration (continued)
Neighbor:
• Advertisement interval: 30 seconds for external peers; 5 seconds for internal peers.
• Change logging: Enabled.
• Conditional advertisement: Disabled.
• Default originate: No default route is sent to the neighbor.
• Description: None.
• Distribute list: None defined.
• External BGP multihop: Only directly connected neighbors are allowed.
neighboring router during the interval between the primary Route Processor (RP) in a router failing and the backup RP taking over, or while the primary RP is manually reloaded for a nondisruptive software upgrade. For more information, see the “BGP Nonstop Forwarding (NSF) Awareness” section of the Cisco IOS IP Routing Protocols Configuration Guide, Release 12.4 at this URL: http://www.cisco.
Step 5 neighbor {ip-address | peer-group-name} remote-as number: Add an entry to the BGP neighbor table specifying that the neighbor identified by the IP address belongs to the specified AS. For EBGP, neighbors are usually directly connected, and the IP address is the address of the interface at the other end of the connection. For IBGP, the IP address can be the address of any of the router interfaces.
Router B:
Switch(config)# router bgp 200
Switch(config-router)# neighbor 129.213.1.2 remote-as 100
Switch(config-router)# neighbor 175.220.1.2 remote-as 200
Router C:
Switch(config)# router bgp 200
Switch(config-router)# neighbor 175.220.212.1 remote-as 200
Switch(config-router)# neighbor 192.208.10.1 remote-as 300
Router D:
Switch(config)# router bgp 300
Switch(config-router)# neighbor 192.208.10.
establish a TCP session. A soft reset allows the dynamic exchange of route refresh requests and routing information between BGP routers and the subsequent re-advertisement of the respective outbound routing table.
• When soft reset generates inbound updates from a neighbor, it is called dynamic inbound soft reset.
• When soft reset sends a set of updates to a neighbor, it is called outbound soft reset.
Configuring BGP Decision Attributes
When a BGP speaker receives updates from multiple autonomous systems that describe different paths to the same destination, it must choose the single best path for reaching that destination. When chosen, the selected path is entered into the BGP routing table and propagated to its neighbors. The decision is based on the value of attributes that the update contains and other BGP-configurable factors.
Beginning in privileged EXEC mode, follow these steps to configure some decision attributes:
Step 1 configure terminal: Enter global configuration mode.
Step 2 router bgp autonomous-system: Enable a BGP routing process, assign it an AS number, and enter router configuration mode.
Step 3 bgp best-path as-path ignore: (Optional) Configure the router to ignore AS path length in selecting a route.
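How the decision attributes interact is easiest to see by running the selection over a few candidate paths. The following Python is an added example, not code from the guide or from Cisco IOS, and it implements a simplified version of the usual selection order (highest weight, highest local preference, locally originated, shortest AS path unless bgp best-path as-path ignore is set, lowest origin, lowest MED among paths from the same neighboring AS, eBGP over iBGP, lowest IGP metric, then oldest path unless router-ID comparison is enabled). The Path class, its attribute names and the candidate paths with their neighbor addresses, AS numbers and router IDs are all constructed for the example; the real IOS algorithm has further tie-breakers that are left out here.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower is preferred


@dataclass
class Path:
    """One candidate path for a prefix, carrying the attributes the selection uses."""
    neighbor: str
    as_path: tuple = ()
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    router_id: str = "0.0.0.0"


def _keep(candidates, key, prefer_max):
    """Keep only the candidates that tie on the best value of key."""
    best = (max if prefer_max else min)(key(p) for p in candidates)
    return [p for p in candidates if key(p) == best]


def best_path(paths, as_path_ignore=False, compare_router_id=False):
    """Simplified Cisco-style selection; paths are listed in the order they were received."""
    cands = list(paths)
    cands = _keep(cands, lambda p: p.weight, True)
    cands = _keep(cands, lambda p: p.local_pref, True)
    cands = _keep(cands, lambda p: p.locally_originated, True)
    if not as_path_ignore:                       # 'bgp best-path as-path ignore' skips this step
        cands = _keep(cands, lambda p: len(p.as_path), False)
    cands = _keep(cands, lambda p: ORIGIN_RANK[p.origin], False)
    # MED is compared only between paths whose first AS (the neighbouring AS) is the same.
    first_as = {(p.as_path[0] if p.as_path else None) for p in cands}
    if len(first_as) == 1:
        cands = _keep(cands, lambda p: p.med, False)
    cands = _keep(cands, lambda p: p.ebgp, True)
    cands = _keep(cands, lambda p: p.igp_metric, False)
    if len(cands) > 1 and compare_router_id:
        # Router-ID comparison ('Compare router ID' in Table 42-9) replaces the
        # oldest-path rule with a deterministic tie-break on the lowest router ID.
        cands = _keep(cands, lambda p: tuple(int(o) for o in p.router_id.split(".")), False)
    # Without router-ID comparison the oldest (first received) surviving path stands.
    return cands[0]


# Constructed candidate paths for one prefix (not from the guide).
CANDIDATES = [
    Path("10.0.0.1", as_path=(65001, 65002), router_id="3.3.3.3"),
    Path("10.0.0.2", as_path=(65003,), router_id="2.2.2.2"),
    Path("10.0.0.3", as_path=(65004, 65005, 65006), local_pref=200, router_id="1.1.1.1"),
]

if __name__ == "__main__":
    print("default selection:", best_path(CANDIDATES).neighbor)
    print("as-path ignored, first two only:", best_path(CANDIDATES[:2], as_path_ignore=True).neighbor)
```

Note how a higher local preference on the longest path wins outright, and how ignoring AS path length turns an otherwise clear choice into a tie that is settled only by path age or, when enabled, router ID; that non-determinism is the reason the router-ID comparison option exists.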
Step 14 show ip bgp and show ip bgp neighbors: Verify the reset by checking information about the routing table and about BGP neighbors.
Step 15 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Use the no form of each command to return to the default state.
path, community, and network numbers. Autonomous system path matching requires the match as-path access-list route-map command, community-based matching requires the match community-list route-map command, and network-based matching requires the ip access-list global configuration command.
Configuring Prefix Lists for BGP Filtering
You can use prefix lists as an alternative to access lists in many BGP route filtering commands, including the neighbor distribute-list router configuration command. The advantages of using prefix lists include performance improvements in loading and lookup of large lists, incremental update support, easier CLI configuration, and greater flexibility.
sequence number command; to reenable automatic generation, use the ip prefix-list sequence number command. To clear the hit-count table of prefix list entries, use the clear ip prefix-list privileged EXEC command.
Configuring BGP Community Filtering
One way that BGP controls the distribution of routing information is based on the value of the COMMUNITIES attribute.
Step 5 set comm-list list-num delete: (Optional) Remove communities from the community attribute of an inbound or outbound update that match a standard or extended community list specified by a route map.
Step 6 exit: Return to global configuration mode.
Step 7 ip bgp-community new-format: (Optional) Display and parse BGP communities in the format AA:NN. A BGP community is displayed in a two-part format 2 bytes long.
Step 7 neighbor {ip-address | peer-group-name} default-originate [route-map map-name]: (Optional) Allow a BGP speaker (the local router) to send the default route 0.0.0.0 to a neighbor for use as a default route.
Step 8 neighbor {ip-address | peer-group-name} send-community: (Optional) Specify that the COMMUNITIES attribute be sent to the neighbor at this IP address.
Command Purpose
Step 23 neighbor {ip-address | peer-group-name} soft-reconfiguration inbound
  (Optional) Configure the software to start storing received updates.
Step 24 end
  Return to privileged EXEC mode.
Step 25 show ip bgp neighbors
  Verify the configuration.
Step 26 copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To delete an aggregate entry, use the no aggregate-address address mask router configuration command. To return options to the default values, use the command with keywords.
Configuring Routing Domain Confederations
One way to reduce the IBGP mesh is to divide an autonomous system into multiple subautonomous systems and to group them into a single confederation that appears as a single autonomous system.
When the route reflector receives an advertised route, it takes one of these actions, depending on the neighbor:
• A route from an external BGP speaker is advertised to all clients and nonclient peers.
• A route from a nonclient peer is advertised to all clients.
• A route from a client is advertised to all clients and nonclient peers.
Hence, the clients need not be fully meshed.
Beginning in privileged EXEC mode, use these commands to configure BGP route dampening:
Command Purpose
Step 1 configure terminal
  Enter global configuration mode.
Step 2 router bgp autonomous-system
  Enter BGP router configuration mode.
Step 3 bgp dampening
  Enable BGP route dampening.
Step 4 bgp dampening half-life reuse suppress max-suppress [route-map map]
  (Optional) Change the default values of route dampening factors.
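The following is an added example, not code from this guide: a Python model of the arithmetic behind the half-life, reuse, suppress and max-suppress factors of Step 4, showing how a flapping prefix accumulates penalty, gets suppressed, and is released once the penalty decays. The numeric defaults it uses (half-life 15 minutes, reuse 750, suppress 2000, max-suppress 60 minutes, 1000 penalty per flap) are not stated on this page and are assumptions of the example; the flap times are constructed.

```python
import math


class Dampening:
    """Added example: constructed arithmetic of BGP route dampening, not the
    Cisco guide's code. The parameter values below are the commonly cited
    Cisco defaults and are an assumption here, since this page does not list
    them: half-life 15 min, reuse 750, suppress 2000, max-suppress 60 min,
    and a penalty of 1000 per flap (also assumed)."""

    def __init__(self, half_life_min=15.0, reuse=750, suppress=2000,
                 max_suppress_min=60.0, flap_penalty=1000):
        self.half_life_min = half_life_min
        self.reuse = reuse
        self.suppress = suppress
        self.max_suppress_min = max_suppress_min
        self.flap_penalty = flap_penalty

    def max_penalty(self) -> float:
        # Ceiling on the penalty: a route at this penalty decays to the reuse
        # limit after exactly max-suppress minutes, so it is never suppressed
        # longer than that.
        return self.reuse * 2 ** (self.max_suppress_min / self.half_life_min)

    def decay(self, penalty: float, minutes: float) -> float:
        # Exponential decay: the penalty halves every half-life.
        return penalty * 0.5 ** (minutes / self.half_life_min)

    def minutes_until_reuse(self, penalty: float) -> float:
        if penalty <= self.reuse:
            return 0.0
        return self.half_life_min * math.log2(penalty / self.reuse)


class DampenedRoute:
    """Tracks one prefix's penalty and suppression state over simulated time."""

    def __init__(self, params: Dampening) -> None:
        self.p = params
        self.penalty = 0.0
        self.last_min = 0.0
        self.suppressed = False

    def _advance(self, now_min: float) -> None:
        self.penalty = self.p.decay(self.penalty, now_min - self.last_min)
        self.last_min = now_min

    def flap(self, now_min: float) -> bool:
        """Record a flap (route withdrawn) at now_min; return suppressed state."""
        self._advance(now_min)
        self.penalty = min(self.penalty + self.p.flap_penalty, self.p.max_penalty())
        return self._update()

    def observe(self, now_min: float) -> bool:
        """Let time pass without a flap; return suppressed state."""
        self._advance(now_min)
        return self._update()

    def _update(self) -> bool:
        # Suppress once the penalty reaches the suppress limit; release only
        # after it decays below the (lower) reuse limit, which is hysteresis.
        if self.penalty >= self.p.suppress:
            self.suppressed = True
        elif self.penalty < self.p.reuse:
            self.suppressed = False
        return self.suppressed


def simulate(flap_times_min, observe_times_min, params=None):
    """Constructed scenario driver: returns (time, event, penalty, suppressed)
    after each event, in time order."""
    params = params or Dampening()
    route = DampenedRoute(params)
    events = [(t, "flap") for t in flap_times_min] + [(t, "observe") for t in observe_times_min]
    timeline = []
    for t, kind in sorted(events):
        state = route.flap(t) if kind == "flap" else route.observe(t)
        timeline.append((t, kind, round(route.penalty, 1), state))
    return timeline
```

With the assumed defaults, three flaps one minute apart push the penalty to roughly 2867, above the suppress limit; about 29 minutes later it has decayed below 750 and the route is advertised again. The 12000 ceiling is what keeps a persistently flapping prefix from being suppressed for longer than max-suppress.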
Chapter 42 Configuring IP Unicast Routing Configuring ISO CLNS Routing
Table 42-11 IP BGP Clear and Show Commands (continued)
Command Purpose
show ip bgp prefix
  Display peer groups and peers not in peer groups to which the prefix has been advertised. Also display prefix attributes such as the next hop and the local prefix.
show ip bgp cidr-only
  Display all BGP routes that contain subnet and supernet network masks.
When dynamically routing, you use IS-IS. This routing protocol supports the concept of areas. Within an area, all routers know how to reach all the system IDs. Between areas, routers know how to reach the proper area. IS-IS supports two levels of routing: station routing (within an area) and area routing (between areas). The key difference between the ISO IGRP and IS-IS NSAP addressing schemes is in the definition of area addresses.
These sections briefly describe how to configure IS-IS routing.
• Default IS-IS Configuration, page 42-66
• Enabling IS-IS Routing, page 42-67
• Configuring IS-IS Global Parameters, page 42-69
• Configuring IS-IS Interface Parameters, page 42-71
Default IS-IS Configuration
Table 42-12 Default IS-IS Configuration
Feature Default Setting
Ignore link-state PDU (LSP) errors
  Enabled.
Nonstop Forwarding Awareness
The integrated IS-IS NSF Awareness feature is supported for IPv4, beginning with Cisco IOS Release 12.2(25)SEG. The feature allows customer premises equipment (CPE) routers that are NSF-aware to help NSF-capable routers perform nonstop forwarding of packets.
Command Purpose
Step 9 clns router isis [area tag]
  Enable ISO CLNS on the interface.
Step 10 ip address ip-address-mask
  Define the IP address for the interface. An IP address is required on all interfaces in an area enabled for IS-IS if any one interface is configured for IS-IS routing.
Step 11 end
  Return to privileged EXEC mode.
Step 12 show isis [area tag] database detail
  Verify your entries.
Configuring IS-IS Global Parameters
These are some optional IS-IS global parameters that you can configure:
• You can force a default route into an IS-IS routing domain by configuring a default route controlled by a route map. You can also specify other filtering options configurable under a route map.
Command Purpose
Step 9 set-overload-bit [on-startup {seconds | wait-for-bgp}]
  (Optional) Set an overload bit (a hippity bit) to allow other routers to ignore the router in their shortest path first (SPF) calculations if the router is having problems.
  • (Optional) on-startup—sets the overload bit only on startup.
Command Purpose
Step 14 prc-interval prc-max-wait [prc-initial-wait prc-second-wait]
  (Optional) Sets IS-IS partial route computation (PRC) throttling timers.
  • prc-max-wait—the maximum interval (in seconds) between two consecutive PRC calculations. The range is 1 to 120; the default is 5.
  • prc-initial-wait—the initial PRC calculation delay (in milliseconds) after a topology change. The range is 1 to 10,000; the default is 2000.
frequently and IS-IS adjacencies are failing unnecessarily. You can raise the hello multiplier and lower the hello interval correspondingly to make the hello protocol more reliable without increasing the time required to detect a link failure.
• Other time intervals:
  – Complete sequence number PDU (CSNP) interval. CSNPs are sent by the designated router to maintain database synchronization.
  – Retransmission interval.
Command Purpose
Step 7 isis retransmit-interval seconds
  (Optional) Configure the number of seconds between retransmission of IS-IS LSPs for point-to-point links. The value you specify should be an integer greater than the expected round-trip delay between any two routers on the network. The range is from 0 to 65535. The default is 5 seconds.
Chapter 42 Configuring IP Unicast Routing Configuring Multi-VRF CE
Table 42-13 ISO CLNS and IS-IS Clear and Show Commands
Command Purpose
clear clns cache
  Clear and reinitialize the CLNS routing cache.
clear clns es-neighbors
  Remove end system (ES) neighbor information from the adjacency database.
clear clns is-neighbors
  Remove intermediate system (IS) neighbor information from the adjacency database.
clear clns neighbors
  Remove CLNS neighbor information from the adjacency database.
Note The switch does not use Multiprotocol Label Switching (MPLS) to support VPNs. For information about MPLS VRF, see the Cisco IOS Switching Services Configuration Guide, Release 12.2.
Figure 42-6 shows a configuration using Catalyst 3750-X or 3560-X switches as multiple virtual CEs. This scenario is suited for customers who have low bandwidth requirements for their VPN service, for example, small companies. In this case, multi-VRF CE support is required in the Catalyst 3750-X or 3560-X switches. Because multi-VRF CE is a Layer 3 feature, each interface in a VRF must be a Layer 3 interface.
To configure VRF, you create a VRF table and specify the Layer 3 interface associated with the VRF. Then configure the routing protocols in the VPN and between the CE and the PE. BGP is the preferred routing protocol used to distribute VPN routing information across the provider’s backbone. The multi-VRF CE network has three major components:
• VPN route target communities—lists of all other members of a VPN community.
• A customer can use multiple VLANs as long as they do not overlap with those of other customers. A customer’s VLANs are mapped to a specific routing table ID that is used to identify the appropriate routing tables stored on the switch.
• The switch supports one global network and up to 26 VRFs.
• Most routing protocols (BGP, OSPF, RIP, and static routing) can be used between the CE and the PE.
Command Purpose
Step 10 show ip vrf [brief | detail | interfaces] [vrf-name]
  Verify the configuration. Display information about the configured VRFs.
Step 11 copy running-config startup-config
  (Optional) Save your entries in the configuration file.
Use the no ip vrf vrf-name global configuration command to delete a VRF and to remove all interfaces from it.
User Interface for PING
Beginning in privileged EXEC mode, follow these steps to configure VRF-aware services for ping. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2.
Command Purpose
ping vrf vrf-name ip-host
  Display the ARP table in the specified VRF.
Command Purpose
Step 6 standby 1 ip ip-address
  Enable HSRP and configure the virtual IP address.
Step 7 end
  Return to privileged EXEC mode.
User Interface for uRPF
uRPF can be configured on an interface assigned to a VRF, and source lookup is done in the VRF table. Beginning in privileged EXEC mode, follow these steps to configure VRF-aware services for uRPF.
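As an added example, not code from this guide or from Cisco IOS, the following Python model shows what the VRF-scoped source lookup means for uRPF: the same source address can pass on one VRF's interface and fail on another's, because each VRF table is consulted separately and two customers may reuse the same address space. The interface names, prefixes, and the treatment of the default route (ignored unless allow_default is set) are assumptions of the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class VrfTable:
    """Added example: a constructed per-VRF routing table with longest-prefix
    lookup, not code from the Cisco guide. Interface names are made up."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add_route(self, prefix: str, egress_iface: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), egress_iface))

    def lookup(self, addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
        """Longest-prefix match; returns (network, egress interface) or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def urpf_check(vrfs: Dict[str, VrfTable], vrf_name: str, ingress_iface: str,
               src_ip: str, mode: str = "strict", allow_default: bool = False) -> bool:
    """Return True if a packet with source src_ip arriving on ingress_iface
    (an interface assigned to VRF vrf_name) passes the uRPF check.

    strict: the best route back to the source must point out the ingress
            interface.
    loose:  any route to the source suffices.
    A default route does not count unless allow_default is set (an assumption
    of this example)."""
    table = vrfs[vrf_name]           # source lookup happens in the VRF's own table
    best = table.lookup(src_ip)
    if best is None:
        return False                 # no return path at all: spoofed or unrouted
    net, egress_iface = best
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode != "strict":
        raise ValueError("mode must be 'strict' or 'loose'")
    return egress_iface == ingress_iface


def build_constructed_vrfs() -> Dict[str, VrfTable]:
    # Two customer VRFs that reuse overlapping address space, as multi-VRF CE
    # allows. Interface names and prefixes are constructed for the example.
    cust_a = VrfTable("cust-a")
    cust_a.add_route("10.1.0.0/16", "Gi1/0/8")
    cust_a.add_route("10.2.0.0/16", "Gi1/0/11")
    cust_a.add_route("0.0.0.0/0", "Gi1/0/1")     # towards the PE
    cust_b = VrfTable("cust-b")
    cust_b.add_route("10.1.0.0/16", "Gi1/0/9")   # same prefix, different VRF
    return {"cust-a": cust_a, "cust-b": cust_b}


def classify_packets(packets, vrfs=None) -> List[Tuple[str, bool]]:
    """packets: (vrf, ingress_iface, src_ip, mode) tuples -> (src_ip, passed)."""
    vrfs = vrfs or build_constructed_vrfs()
    return [(src, urpf_check(vrfs, vrf, iface, src, mode))
            for vrf, iface, src, mode in packets]
```

A packet from 10.1.5.5 arriving on Gi1/0/8 passes in cust-a because that VRF routes 10.1.0.0/16 out of Gi1/0/8, but the same source arriving on Gi1/0/8 fails if the interface were in cust-b, whose table reaches 10.1.0.0/16 through Gi1/0/9. Loose mode only asks whether any non-default route exists, so it lets asymmetric paths through but still drops sources with no route.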
Command Purpose
Step 6 logging facility facility
  Send system logging messages to a logging facility.
Step 7 end
  Return to privileged EXEC mode.
User Interface for Traceroute
Beginning in privileged EXEC mode, follow these steps to configure VRF-aware services for traceroute.
Configuring Multicast VRFs
Beginning in privileged EXEC mode, follow these steps to configure a multicast within a VRF table. For complete syntax and usage information for the commands, see the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2.
Command Purpose
Step 1 configure terminal
  Enter global configuration mode.
Step 2 ip routing
  Enable IP routing mode.
Beginning in privileged EXEC mode, follow these steps to configure OSPF in the VPN:
Command Purpose
Step 1 configure terminal
  Enter global configuration mode.
Step 2 router ospf process-id vrf vrf-name
  Enable OSPF routing, specify a VPN forwarding table, and enter router configuration mode.
Step 3 log-adjacency-changes
  (Optional) Log changes in the adjacency state. This is the default state.
Multi-VRF CE Configuration Example
Figure 42-7 is a simplified example of the physical connections in a network similar to that in Figure 42-6. OSPF is the protocol used in VPN1, VPN2, and the global network. BGP is used in the CE to PE connections. The examples following the illustration show how to configure a switch as CE Switch A, and the VRF configuration for customer switches D and F.
Configure the loopback and physical interfaces on Switch A. Gigabit Ethernet port 1 is a trunk connection to the PE. Gigabit Ethernet ports 8 and 11 connect to VPNs:
Switch(config)# interface loopback1
Switch(config-if)# ip vrf forwarding v11
Switch(config-if)# ip address 8.8.1.8 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface loopback2
Switch(config-if)# ip vrf forwarding v12
Switch(config-if)# ip address 8.8.2.8 255.255.
Configure BGP for CE to PE routing.
Switch(config)# router bgp 800
Switch(config-router)# address-family ipv4 vrf v12
Switch(config-router-af)# redistribute ospf 2 match internal
Switch(config-router-af)# neighbor 83.0.0.3 remote-as 100
Switch(config-router-af)# neighbor 83.0.0.3 activate
Switch(config-router-af)# network 8.8.2.0 mask 255.255.255.
Router(config-vrf)# rd 100:1
Router(config-vrf)# route-target export 100:1
Router(config-vrf)# route-target import 100:1
Router(config-vrf)# exit
Router(config)# ip vrf v2
Router(config-vrf)# rd 100:2
Router(config-vrf)# route-target export 100:2
Router(config-vrf)# route-target import 100:2
Router(config-vrf)# exit
Router(config)# ip cef
Router(config)# interface Loopback1
Router(config-if)# ip vrf forwarding v1
Router(config-if)# ip a
Chapter 42 Configuring IP Unicast Routing Configuring Unicast Reverse Path Forwarding For more information about the information in the displays, see the Cisco IOS Switching Services Command Reference, Release 12.2.
Chapter 42 Configuring IP Unicast Routing Configuring Protocol-Independent Features more CPU processing power to be dedicated to packet forwarding. In a switch stack, the hardware uses distributed CEF (dCEF) in the stack. In dynamic networks, fast switching cache entries are frequently invalidated because of routing changes, which can cause traffic to be process switched using the routing table, instead of fast switched using the route cache.
Command Purpose
Step 7 show cef linecard [detail]
  Display CEF-related interface information on a Catalyst 3560-X switch,
or
show cef linecard [slot-number] [detail]
  Display CEF-related interface information on a Catalyst 3750-X switch by stack member for all switches in the stack or for the specified switch. (Optional) For slot-number, enter the stack member switch number.
Configuring Static Unicast Routes
Static unicast routes are user-defined routes that cause packets moving between a source and a destination to take a specified path. Static routes can be important if the router cannot build a route to a particular destination and are useful for specifying a gateway of last resort to which all unroutable packets are sent.
When an interface goes down, all static routes through that interface are removed from the IP routing table. When the software can no longer find a valid next hop for the address specified as the forwarding router's address in a static route, the static route is also removed from the IP routing table.
Specifying Default Routes and Networks
A router might not be able to learn the routes to all other networks.
You can also conditionally control the redistribution of routes between routing domains by defining enhanced packet filters or route maps between the two domains. The match and set route-map configuration commands define the condition portion of a route map. The match command specifies that a criterion must be matched.
Command Purpose
Step 3 match as-path path-list-number
  Match a BGP AS path access list.
Step 4 match community-list community-list-number [exact]
  Match a BGP community list.
Step 5 match ip address {access-list-number | access-list-name} [...access-list-number | ...access-list-name]
  Match a standard access list by specifying the name or number. It can be an integer from 1 to 199.
Command Purpose
Step 18 set metric bandwidth delay reliability loading mtu
  Set the metric value to give the redistributed routes (for EIGRP only):
  • bandwidth—Metric value or IGRP bandwidth of the route in kilobits per second in the range 0 to 4294967295
  • delay—Route delay in tens of microseconds in the range 0 to 4294967295.
Command Purpose
Step 7 show route-map
  Display all route maps configured or only the one specified to verify configuration.
Step 8 copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To disable redistribution, use the no form of the commands. The metrics of one routing protocol do not necessarily translate into the metrics of another.
If match clauses are satisfied, you can use a set clause to specify the IP addresses identifying the next hop router in the path. For details about PBR commands and keywords, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of PBR commands that are visible but not supported by the switch, see Appendix C, “Unsupported Commands in Cisco IOS Release 12.2(53)SE2.”
• The switch supports QoS DSCP and IP precedence matching in PBR route maps, with these limitations:
  – You cannot apply QoS DSCP mutation maps and PBR route maps to the same interface.
  – You cannot configure DSCP transparency and PBR DSCP route maps on the same switch.
Command Purpose
Step 3 match ip address {access-list-number | access-list-name} [...access-list-number | ...access-list-name]
  Match the source and destination IP address that is permitted by one or more standard or extended access lists.
  Note Do not enter an ACL with a deny ACE or an ACL that permits a packet destined for a local address.
If you do not specify a match command, the route map applies to all packets.
Note When routes are redistributed between OSPF processes, no OSPF metrics are preserved.
Setting Passive Interfaces
To prevent other routers on a local network from dynamically learning about routes, you can use the passive-interface router configuration command to keep routing update messages from being sent through a router interface.
Beginning in privileged EXEC mode, follow these steps to control the advertising or processing of routing updates:
Command Purpose
Step 1 configure terminal
  Enter global configuration mode.
Step 2 router {bgp | rip | eigrp}
  Enter router configuration mode.
Command Purpose
Step 5 show ip protocols
  Display the default administrative distance for a specified routing process.
Step 6 copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To remove a distance definition, use the no distance router configuration command.
Managing Authentication Keys
Key management is a method of controlling authentication keys used by routing protocols.
Chapter 42 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network
Command Purpose
Step 7 end
  Return to privileged EXEC mode.
Step 8 show key chain
  Display authentication key information.
Step 9 copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To remove the key chain, use the no key chain name-of-chain global configuration command.
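The following Python model is an added example, not code from this guide or from Cisco IOS: a key chain whose keys carry separate accept- and send-lifetimes, the selection of the key used to sign outgoing routing updates, and the verification of an incoming update against the keys whose accept-lifetime is current. It shows why the two lifetimes overlap during a key rollover. The choice of the lowest-numbered valid key for sending, the HMAC-SHA256 digest (a stand-in, not the routing protocol's wire format), and the key strings and times are assumptions of the example.

```python
import hashlib
import hmac
from typing import Dict, List, Optional


class RoutingKey:
    """One key in a key chain. Lifetimes are [start, end) in epoch seconds;
    end=None means the key never expires (like 'infinite' on the switch)."""

    def __init__(self, key_id: int, key_string: bytes,
                 accept_start: int, accept_end: Optional[int],
                 send_start: int, send_end: Optional[int]) -> None:
        self.key_id = key_id
        self.key_string = key_string
        self.accept = (accept_start, accept_end)
        self.send = (send_start, send_end)

    @staticmethod
    def _within(window, now: int) -> bool:
        start, end = window
        return start <= now and (end is None or now < end)

    def can_send(self, now: int) -> bool:
        return self._within(self.send, now)

    def can_accept(self, now: int) -> bool:
        return self._within(self.accept, now)


class KeyChain:
    """Added example: a constructed key chain with accept- and send-lifetimes,
    not code from the Cisco guide. Send uses the lowest-numbered key whose
    send-lifetime is current (assumed selection rule); receive accepts any key
    whose accept-lifetime is current, so overlapping accept windows let peers
    roll over without dropping updates."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.keys: Dict[int, RoutingKey] = {}

    def add(self, key: RoutingKey) -> None:
        self.keys[key.key_id] = key

    def send_key(self, now: int) -> Optional[RoutingKey]:
        for key_id in sorted(self.keys):
            if self.keys[key_id].can_send(now):
                return self.keys[key_id]
        return None

    def accept_key_ids(self, now: int) -> List[int]:
        return [k for k in sorted(self.keys) if self.keys[k].can_accept(now)]


def digest(key: RoutingKey, payload: bytes) -> bytes:
    # HMAC-SHA256 stands in for the routing protocol's own authentication
    # digest; this is not the on-wire format of RIP/EIGRP/OSPF authentication.
    return hmac.new(key.key_string, payload, hashlib.sha256).digest()


def sign_update(chain: KeyChain, now: int, payload: bytes):
    """Return (key_id, digest) for an outgoing update, or None if no key is valid."""
    key = chain.send_key(now)
    if key is None:
        return None
    return key.key_id, digest(key, payload)


def verify_update(chain: KeyChain, now: int, key_id: int, payload: bytes, tag: bytes) -> bool:
    """Accept an incoming update only if key_id is known, its accept-lifetime
    covers now, and the digest matches (constant-time compare)."""
    key = chain.keys.get(key_id)
    if key is None or not key.can_accept(now):
        return False
    return hmac.compare_digest(digest(key, payload), tag)


def build_constructed_chain() -> KeyChain:
    # Constructed rollover: key 1 is sent until t=1000 and accepted until
    # t=1200; key 2 is accepted from t=900 and sent from t=1000 onwards.
    chain = KeyChain("RIP-KEYS")
    chain.add(RoutingKey(1, b"constructed-old-secret", 0, 1200, 0, 1000))
    chain.add(RoutingKey(2, b"constructed-new-secret", 900, None, 1000, None))
    return chain
```

Between t=900 and t=1200 both keys are accepted, so a neighbor that switches to key 2 slightly early or late is still authenticated; after t=1200 an update signed with key 1 is rejected even when its digest is correct, which is the property that makes retiring a compromised key effective.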
Chapter 43 Configuring IPv6 Unicast Routing
This chapter describes how to configure IPv6 unicast routing on the Catalyst 3750-X or 3560-X switch. For information about configuring IPv4 unicast routing, see Chapter 42, “Configuring IP Unicast Routing.” For information about configuring IPv6 Multicast Listener Discovery (MLD) snooping, see Chapter 27, “Configuring IPv6 MLD Snooping.” For information on configuring IPv6 access control lists (ACLs), see Chapter 38, “Configuring IPv6 ACLs.”
Chapter 43 Configuring IPv6 Unicast Routing Understanding IPv6
For information about IPv6 and other features in this chapter:
• See the Cisco IOS IPv6 Configuration Library at this URL: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/12_4t/ipv6_12_4t.html
• Use the Search field to locate the Cisco IOS software documentation.
Supported IPv6 Unicast Routing Features
These sections describe the IPv6 protocol features supported by the switch:
• 128-Bit Wide Unicast Addresses, page 43-3
• DNS for IPv6, page 43-4
• Path MTU Discovery for IPv6 Unicast, page 43-4
• ICMPv6, page 43-4
• Neighbor Discovery, page 43-4
• Default Router Preference, page 43-4
• IPv6 Stateless Autoconfiguration and Duplicate Address Detection, page 43-5
• IPv6 Applications, page 43
process. Nodes on a local link use link-local addresses and do not require globally unique addresses to communicate. IPv6 routers do not forward packets with link-local source or destination addresses to other links. For more information, see the section about IPv6 unicast addresses in the “Implementing IPv6 Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
reachability is unknown or suspect. For reachable or probably reachable routers, NDP can either select the same router every time or cycle through the router list. By using DRP, you can configure an IPv6 host to prefer one router over another, provided both are reachable or probably reachable.
Figure 43-1 Dual IPv4 and IPv6 Support on an Interface (figure: a single interface with the IPv4 address 10.1.1.1 and the IPv6 address 3ffe:yyyy::1)
Use the dual IPv4 and IPv6 switch database management (SDM) template to enable IPv6 routing in dual stack environments (supporting both IPv4 and IPv6). For more information about the dual IPv4 and IPv6 SDM template, see Chapter 8, “Configuring SDM Templates.” The dual IPv4 and IPv6 templates allow the switch to be used in dual stack environments.
For more information about static routes, see the “Implementing Static Routes for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
RIP for IPv6
Routing Information Protocol (RIP) for IPv6 is a distance-vector protocol that uses hop count as a routing metric. It includes support for IPv6 addresses and prefixes and the all-RIP-routers multicast group address FF02::9 as the destination address for RIP update messages.
SNMP and syslog over IPv6 provide these features:
• Support for both IPv4 and IPv6
• IPv6 transport for SNMP and to modify the SNMP agent to support traps for an IPv6 host
• SNMP- and syslog-related MIBs to support IPv6 addressing
• Configuration of IPv6 hosts as trap receivers
For support over IPv6, SNMP modifies the existing IP transport mapping to simultaneously support IPv4 and IPv6.
• The switch as a tunnel endpoint supporting IPv4-to-IPv6 or IPv6-to-IPv4 tunneling protocols
• IPv6 unicast reverse-path forwarding
• IPv6 general prefixes
Limitations
Because IPv6 is implemented in switch hardware, some limitations occur due to the IPv6 compressed addresses in the hardware memory. These hardware limitations result in some loss of functionality and limit some features. These are the feature limitations.
Chapter 43 Configuring IPv6 Unicast Routing Configuring IPv6 If a new switch becomes the stack master, it recomputes the IPv6 routing tables and distributes them to the member switches. While the new stack master is being elected and is resetting, the switch stack does not forward IPv6 packets. The stack MAC address changes, which also changes the IPv6 address.
Default IPv6 Configuration
Table 43-1 Default IPv6 Configuration
Feature Default Setting
SDM template
  Default desktop.
IPv6 routing
  Disabled globally and on all interfaces.
CEFv6 or dCEFv6
  Disabled (IPv4 CEF and dCEF are enabled by default). Note: When IPv6 routing is enabled, CEFv6 and dCEF6 are automatically enabled.
IPv6 addresses
Beginning in privileged EXEC mode, follow these steps to assign an IPv6 address to a Layer 3 interface and enable IPv6 routing:
Command Purpose
Step 1 configure terminal
  Enter global configuration mode.
Step 2 sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan}
  Select an SDM template that supports IPv4 and IPv6.
  • default—Set the switch to the default template to balance system resources.
without arguments. To disable IPv6 processing on an interface that has not been explicitly configured with an IPv6 address, use the no ipv6 enable interface configuration command. To globally disable IPv6 routing, use the no ipv6 unicast-routing global configuration command. This example shows how to enable IPv6 with both a link-local address and a global address based on the IPv6 prefix 2001:0DB8:c18:1::/64.
Use the no ipv6 nd router-preference interface configuration command to disable an IPv6 DRP. This example shows how to configure a DRP of high for the router on an interface.
To disable IPv4 routing, use the no ip routing global configuration command. To disable IPv6 routing, use the no ipv6 unicast-routing global configuration command. To remove an IPv4 address from an interface, use the no ip address ip-address mask interface configuration command.
Enabling DHCPv6 Server Function
Beginning in privileged EXEC mode, follow these steps to enable the DHCPv6 server function on an interface.
Command Purpose
Step 1 configure terminal
  Enter global configuration mode.
Step 2 ipv6 dhcp pool poolname
  Enter DHCP pool configuration mode, and define the name for the IPv6 DHCP pool. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0).
Command Purpose
Step 10 ipv6 dhcp server [poolname | automatic] [rapid-commit] [preference value] [allow-hint]
  Enable DHCPv6 server function on an interface.
  • poolname—(Optional) User-defined name for the IPv6 DHCP pool. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0).
  • automatic—(Optional) Enables the system to automatically determine which pool to use when allocating addresses for a client.
This example shows how to configure a pool called 350 with vendor-specific options:
Switch# configure terminal
Switch(config)# ipv6 dhcp pool 350
Switch(config-dhcpv6)# address prefix 2001:1005::0/48
Switch(config-dhcpv6)# vendor-specific 9
Switch(config-dhcpv6-vs)# suboption 1 address 1000:235D::1
Switch(config-dhcpv6-vs)# suboption 2 ascii "IP-Phone"
Switch(config-dhcpv6-vs)# end
Enabling DHCPv6 Client Function
Beginning in privileged EXEC m
Configuring IPv6 ICMP Rate Limiting
ICMP rate limiting is enabled by default with a default interval between error messages of 100 milliseconds and a bucket size (maximum number of tokens to be stored in a bucket) of 10. Beginning in privileged EXEC mode, follow these steps to change the ICMP rate-limiting parameters:
Command Purpose
Step 1 configure terminal
  Enter global configuration mode.
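The token-bucket behaviour described above, as an added Python example that is not code from this guide or from Cisco IOS. It uses the defaults stated on this page (100 ms interval, bucket size 10), a constructed sequence of error triggers, and assumes that tokens accrue continuously at one per interval up to the bucket size (the exact refill schedule on the switch is not stated here). The point is that the bucket absorbs a burst of up to 10 error messages, after which errors are limited to one per interval, which bounds the amount of ICMPv6 error traffic a flood of unroutable packets can provoke from the switch.

```python
from typing import List, Tuple


class IcmpErrorRateLimiter:
    """Added example: a constructed token-bucket model of the ICMPv6 error
    rate limiter, not code from the Cisco guide. One token is added every
    `interval_ms` milliseconds, at most `bucket_size` tokens are held, and
    each error message costs one token. The defaults are the page's stated
    defaults (100 ms, bucket size 10)."""

    def __init__(self, interval_ms: float = 100.0, bucket_size: int = 10) -> None:
        if interval_ms <= 0 or bucket_size < 1:
            raise ValueError("interval must be positive and bucket size >= 1")
        self.interval_ms = float(interval_ms)
        self.bucket_size = bucket_size
        self.tokens = float(bucket_size)   # bucket starts full
        self.last_ms = 0.0

    def _refill(self, now_ms: float) -> None:
        # Tokens accrue continuously at 1 per interval, capped at the bucket size
        # (continuous accrual is an assumption of this model).
        if now_ms < self.last_ms:
            raise ValueError("time must not go backwards")
        self.tokens = min(float(self.bucket_size),
                          self.tokens + (now_ms - self.last_ms) / self.interval_ms)
        self.last_ms = now_ms

    def allow(self, now_ms: float) -> bool:
        """Return True if an ICMP error may be sent at now_ms; False means drop."""
        self._refill(now_ms)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(trigger_times_ms: List[float], interval_ms: float = 100.0,
             bucket_size: int = 10) -> Tuple[int, int]:
    """Feed error triggers (times in ms) through the limiter in time order;
    return (sent, dropped)."""
    limiter = IcmpErrorRateLimiter(interval_ms, bucket_size)
    sent = dropped = 0
    for t in sorted(trigger_times_ms):
        if limiter.allow(t):
            sent += 1
        else:
            dropped += 1
    return sent, dropped


# Constructed trigger pattern: a burst of 15 unroutable packets at t=0, then
# stragglers at 50, 100 and 150 ms, then a second burst of 11 at t=1100 ms.
CONSTRUCTED_TRIGGERS = [0.0] * 15 + [50.0, 100.0, 150.0] + [1100.0] * 11
```

With the defaults the first burst yields 10 error messages and 5 drops, the straggler at 100 ms is the only one of the three that finds a whole token, and by 1100 ms the bucket has refilled so the second burst again yields 10 messages. Tightening the parameters (for example a 1000 ms interval with a bucket of 2) cuts the same pattern to 3 messages sent.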
Configuring Static Routing for IPv6
Before configuring a static IPv6 route, you must enable routing by using the ip routing global configuration command, enable the forwarding of IPv6 packets by using the ipv6 unicast-routing global configuration command, and enable IPv6 on at least one Layer 3 interface by configuring an IPv6 address on the interface.
Command Purpose
Step 4 show ipv6 static [ipv6-address | ipv6-prefix/prefix length] [interface interface-id] [recursive] [detail]
  Verify your entries by displaying the contents of the IPv6 routing table.
  • interface interface-id—(Optional) Display only those static routes with the specified interface as an egress interface.
  • recursive—(Optional) Display only recursive static routes.
Command Purpose
Step 7 ipv6 rip name default-information {only | originate}
  (Optional) Originate the IPv6 default route (::/0) into the RIP routing process updates sent from the specified interface.
  Note To avoid routing loops after the IPv6 default route (::/0) is originated from any interface, the routing process ignores all default routes received on any interface.
Beginning in privileged EXEC mode, follow these required and optional steps to configure IPv6 OSPF:
Command Purpose
Step 1 configure terminal
  Enter global configuration mode.
Step 2 ipv6 router ospf process-id
  Enable OSPF router configuration mode for the process. The process ID is the number assigned administratively when enabling the OSPF for IPv6 routing process. It is locally assigned and can be a positive integer from 1 to 65535.
To disable an OSPF routing process, use the no ipv6 router ospf process-id global configuration command. To disable the OSPF routing process for an interface, use the no ipv6 ospf process-id area area-id interface configuration command. For more information about configuring OSPF routing for IPv6, see the “Implementing OSPF for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
Enabling HSRP Version 2
Beginning in privileged EXEC mode, follow these steps to enable HSRP version 2 on a Layer 3 interface.
Command Purpose
Step 1 configure terminal
  Enter global configuration mode.
Step 2 interface interface-id
  Enter interface configuration mode, and enter the Layer 3 interface on which you want to specify the standby version.
Step 3 standby version {1 | 2}
  Enter 2 to change the HSRP version. The default is 1.
Command Purpose
Step 4 standby [group-number] preempt [delay {minimum seconds | reload seconds | sync seconds}]
  Configure the router to preempt, which means that when the local router has a higher priority than the active router, it assumes control as the active router.
  • (Optional) group-number—The group number to which the command applies.
Chapter 43 Configuring IPv6 Unicast Routing Displaying IPv6
Displaying IPv6
For complete syntax and usage information on these commands, see the Cisco IOS command reference publications.
Table 43-2 Commands for Monitoring IPv6
Command Purpose
show ipv6 access-list
  Display a summary of access lists.
show ipv6 cef
  Display Cisco Express Forwarding for IPv6.
show ipv6 interface interface-id
  Display IPv6 interface status and configuration.
show ipv6 mtu
  Display IPv6 MTU per destination cache.
This is an example of the output from the show ipv6 interface privileged EXEC command:
Switch# show ipv6 interface
Vlan1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::20B:46FF:FE2F:D940
  Global unicast address(es):
    3FFE:C000:0:1:20B:46FF:FE2F:D940, subnet is 3FFE:C000:0:1::/64 [EUI]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF2F:D940
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP
CH A P T E R 44 Configuring HSRP This chapter describes how to use Hot Standby Router Protocol (HSRP) on the Catalyst 3750-X or 3560-X switch to provide routing redundancy for routing IP traffic without being dependent on the availability of any single router. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Chapter 44 Configuring HSRP Understanding HSRP Note Routers in an HSRP group can be any router interface that supports HSRP, including Catalyst 3750-X or 3560-X routed ports and switch virtual interfaces (SVIs). Router interfaces are not supported when the switch is running the LAN base feature set. HSRP provides high network availability by providing redundancy for IP traffic from hosts on networks.
Chapter 44 Configuring HSRP Understanding HSRP Figure 44-1 Typical HSRP Configuration [figure: Router A and Router B share one virtual router address on the 172.20.128.0 segment, one acting as the active router and the other as the standby router; Hosts A and C are on that segment and Host B (172.20.130.5) is reached through the routers. Addresses shown in the figure: 172.20.128.1, 172.20.128.2, 172.20.128.3, 172.20.128.32, 172.20.128.55, 172.20.130.5] HSRP Versions The switch supports these HSRP versions: • HSRPv1—Version 1 of the HSRP, the default version of HSRP. It has these features: – The HSRP group number can be from 0 to 255. – HSRPv1 uses the multicast address 224.0.0.
Chapter 44 Configuring HSRP Understanding HSRP HSRPv2 has a different packet format than HSRPv1. A HSRPv2 packet uses the type-length-value (TLV) format and has a 6-byte identifier field with the MAC address of the physical router that sent the packet. If an interface running HSRPv1 gets an HSRPv2 packet, the type field is ignored. Multiple HSRP The switch supports Multiple HSRP (MHSRP), an extension of HSRP that allows load sharing between two or more HSRP groups.
Chapter 44 Configuring HSRP Configuring HSRP HSRP and Switch Stacks HSRP hello messages are generated by the stack master. If an HSRP-active stack master fails, a flap in the HSRP active state might occur. This is because HSRP hello messages are not generated while a new stack master is elected and initialized, and the standby router might become active after the stack master fails.
Chapter 44 Configuring HSRP Configuring HSRP HSRP Configuration Guidelines • HSRPv2 and HSRPv1 are mutually exclusive. HSRPv2 is not interoperable with HSRPv1 on an interface and the reverse. • In the procedures, the specified interface must be one of these Layer 3 interfaces: – Routed port: a physical port configured as a Layer 3 port by entering the no switchport interface configuration command.
Chapter 44 Configuring HSRP Configuring HSRP Beginning in privileged EXEC mode, follow these steps to create or enable HSRP on a Layer 3 interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and enter the Layer 3 interface on which you want to enable HSRP. Step 3 standby version {1 | 2} (Optional) Configure the HSRP version on the interface. • 1— Select HSRPv1. • 2— Select HSRPv2.
Chapter 44 Configuring HSRP Configuring HSRP Configuring HSRP Priority The standby priority, standby preempt, and standby track interface configuration commands are all used to set characteristics for finding active and standby routers and behavior regarding when a new active router takes over. When configuring HSRP priority, follow these guidelines: • Assigning a priority allows you to select the active and standby routers.
Chapter 44 Configuring HSRP Configuring HSRP Step 3 Command Purpose standby [group-number] priority priority [preempt [delay delay]] Set a priority value used in choosing the active router. The range is 1 to 255; the default priority is 100. The highest number represents the highest priority. • (Optional) group-number—The group number to which the command applies.
Chapter 44 Configuring HSRP Configuring HSRP This example activates a port, sets an IP address and a priority of 120 (higher than the default value), and waits for 300 seconds (5 minutes) before attempting to become the active router: Switch# configure terminal Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# no switchport Switch(config-if)# standby ip 172.20.128.
Chapter 44 Configuring HSRP Configuring HSRP When configuring these attributes, follow these guidelines: • The authentication string is sent in clear text in all HSRP messages; it is neither encrypted nor hashed, so any device that can receive the HSRP hellos on the segment can read it and reuse it. Treat it as a guard against misconfigured or unrelated routers joining the group, not as protection against a deliberately rogue router. You must configure the same authentication string on all routers and access servers on a cable to ensure interoperation. Authentication mismatch prevents a device from learning the designated Hot Standby IP address and timer values from other routers configured with HSRP.
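The following added example (not code from this guide or from Cisco) shows what the clear-text authentication guideline above means in practice: it decodes HSRPv1 packets using the 20-byte layout from RFC 2281 (sent to UDP port 1985), reads the authentication string straight off the wire, and flags hellos or coups from routers that are not expected in the group or that advertise a higher priority than they were configured with. HSRPv2 uses the TLV format described earlier and is deliberately rejected by the parser. The sample packets, router addresses and allow-list are constructed for the example.

```python
"""Parse HSRPv1 packets and flag hellos that could hijack a standby group.

Added example, not code from the Cisco guide. The 20-byte layout is the
HSRPv1 format from RFC 2281; HSRPv2 (TLV format) is rejected. The sample
packets, addresses and allow-list below are constructed.
"""
import struct
from dataclasses import dataclass

# version, opcode, state, hellotime, holdtime, priority, group, reserved,
# authentication data (8 bytes), virtual IP (4 bytes)
HSRP_V1_FMT = "!BBBBBBBB8s4s"
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}


@dataclass(frozen=True)
class HsrpV1:
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes        # clear-text authentication string, NUL padded on the wire
    virtual_ip: str


def parse_hsrp_v1(payload: bytes) -> HsrpV1:
    """Decode the UDP payload of an HSRP packet; raises ValueError if not v1."""
    size = struct.calcsize(HSRP_V1_FMT)
    if len(payload) < size:
        raise ValueError("short HSRP packet")
    ver, op, st, hello, hold, prio, grp, _, auth, vip = struct.unpack(HSRP_V1_FMT, payload[:size])
    if ver != 0:  # HSRPv1 carries version 0 in its first byte
        raise ValueError(f"not an HSRPv1 packet (version byte {ver})")
    return HsrpV1(OPCODES.get(op, f"opcode-{op}"), STATES.get(st, f"state-{st}"),
                  hello, hold, prio, grp, auth.rstrip(b"\0"),
                  ".".join(str(b) for b in vip))


def build_hsrp_v1(opcode, state, priority, group, auth, virtual_ip,
                  hellotime=3, holdtime=10) -> bytes:
    """Encode a packet (inverse of parse_hsrp_v1); used to construct samples."""
    op = {v: k for k, v in OPCODES.items()}[opcode]
    st = {v: k for k, v in STATES.items()}[state]
    vip = bytes(int(o) for o in virtual_ip.split("."))
    return struct.pack(HSRP_V1_FMT, 0, op, st, hellotime, holdtime, priority, group, 0,
                       auth.ljust(8, b"\0"), vip)


def audit(packets, expected, auth):
    """packets: [(source_ip, udp_payload)]; expected: {group: {router_ip: priority}}.
    Returns (source_ip, group, reason) for anything that should not be on the wire."""
    findings = []
    for src, payload in packets:
        try:
            h = parse_hsrp_v1(payload)
        except ValueError as err:
            findings.append((src, None, f"unparseable: {err}"))
            continue
        legit = expected.get(h.group, {})
        if src not in legit:
            findings.append((src, h.group, f"{h.opcode} from unknown router, priority {h.priority}"))
        elif h.priority > legit[src]:
            findings.append((src, h.group, f"priority {h.priority} exceeds configured {legit[src]}"))
        if h.auth != auth:
            findings.append((src, h.group, f"auth mismatch, wire value {h.auth!r}"))
    return findings


# Constructed sample: two real routers in group 1 and a rogue host that read the
# clear-text string from a hello and sends a priority-255 coup for the virtual IP.
EXPECTED = {1: {"172.20.128.3": 120, "172.20.128.2": 100}}
AUTH = b"cisco"
SAMPLE = [
    ("172.20.128.3", build_hsrp_v1("hello", "active", 120, 1, AUTH, "172.20.128.1")),
    ("172.20.128.2", build_hsrp_v1("hello", "standby", 100, 1, b"cisco1", "172.20.128.1")),
    ("172.20.128.200", build_hsrp_v1("coup", "speak", 255, 1, AUTH, "172.20.128.1")),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, EXPECTED, AUTH):
        print(finding)
```

The misconfigured standby router is reported for the string mismatch, and the rogue coup is reported because its source is not an expected member of the group, not because of its authentication string, which matches. A real deployment would feed `audit` from a capture of UDP port 1985 traffic on the HSRP segment and alert on any finding.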
Chapter 44 Configuring HSRP Configuring HSRP This example shows how to set the timers on standby group 1 with the time between hello packets at 5 seconds and the time after which a router is considered down to be 15 seconds: Switch# configure terminal Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# no switchport Switch(config-if)# standby 1 ip Switch(config-if)# standby 1 timers 5 15 Switch(config-if)# end Enabling HSRP Support for ICMP Redirect Messages ICMP redirect messages are auto
Chapter 44 Configuring HSRP Displaying HSRP Configurations Troubleshooting HSRP for Mixed Stacks of Catalyst 3750-X, 3750-E and 3750 Switches If one of the situations in Table 44-2 occurs, this message appears: %FHRP group not consistent with already configured groups on the switch stack - virtual MAC reservation failed Table 44-2 Troubleshooting HSRP Situation Action You configure more than 32 HSRP group instances. Remove HSRP groups so that up to 32 group instances are configured.
CH A P T E R 45 Configuring Cisco IOS IP SLAs Operations This chapter describes how to use Cisco IOS IP Service Level Agreements (SLAs) on the Catalyst 3750-X or 3560-X switch. Cisco IP SLAs is a part of Cisco IOS software that allows Cisco customers to analyze IP service levels for IP applications and services by using active traffic monitoring—the generation of traffic in a continuous, reliable, and predictable manner—for measuring network performance.
Chapter 45 Configuring Cisco IOS IP SLAs Operations Understanding Cisco IOS IP SLAs Depending on the specific Cisco IOS IP SLAs operation, various network performance statistics are monitored within the Cisco device and stored in both command-line interface (CLI) and Simple Network Management Protocol (SNMP) MIBs.
Chapter 45 Configuring Cisco IOS IP SLAs Operations Understanding Cisco IOS IP SLAs Using Cisco IOS IP SLAs to Measure Network Performance You can use IP SLAs to monitor the performance between any area in the network—core, distribution, and edge—without deploying a physical probe. It uses generated traffic to measure network performance between two networking devices. Figure 45-1 shows how IP SLAs begins when the source device sends a generated packet to the destination device.
Chapter 45 Configuring Cisco IOS IP SLAs Operations Understanding Cisco IOS IP SLAs IP SLAs Responder and IP SLAs Control Protocol The IP SLAs responder is a component embedded in the destination Cisco device that allows the system to anticipate and respond to IP SLAs request packets. The responder provides accurate measurements without the need for dedicated probes.
Chapter 45 Configuring Cisco IOS IP SLAs Operations Understanding Cisco IOS IP SLAs Figure 45-2 Cisco IOS IP SLAs Responder Time Stamping [figure: the source router stamps the probe at T1 when it is sent and at T4 when the reply returns; the target router (responder) stamps it at T2 on receipt and at T3 when the reply is sent. Responder processing time = T3 - T2. RTT (round-trip time) = T4 (time stamp 4) - T1 (time stamp 1) - (T3 - T2)] An additional benefit of the two time stamps at the target device is the ability to track one-way delay, jitter, and directional packet loss. Because much network behavior is asynchronous, it is critical to have these statistics.
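The following added example (not code from this guide or from Cisco) carries the four responder time stamps through to the statistics the text names: RTT with the responder's processing time removed, one-way delay in each direction, jitter, and directional packet loss. The probe records are constructed; jitter is taken here as the absolute change between consecutive one-way delays, and the one-way delay values assume the source and responder clocks are synchronized.

```python
"""RTT, one-way delay, jitter and directional loss from IP SLAs time stamps.

Added example, not Cisco code. T1/T4 are taken at the source, T2/T3 at the
responder, as in Figure 45-2. The probe records are constructed; None marks
a time stamp that was never taken because the packet was lost.
"""
from typing import Dict, Optional, Tuple

Probe = Tuple[float, Optional[float], Optional[float], Optional[float]]  # (T1, T2, T3, T4) ms


def rtt(t1, t2, t3, t4):
    """Round-trip time with the responder processing time (T3 - T2) removed."""
    return (t4 - t1) - (t3 - t2)


def summarize(probes: Dict[int, Probe]) -> dict:
    """probes: sequence number -> (T1, T2, T3, T4). Returns loss counts per
    direction, RTT statistics and average jitter per direction."""
    fwd, back, rtts = [], [], []        # SD delays, DS delays, corrected RTTs
    lost_sd = lost_ds = 0
    for seq in sorted(probes):
        t1, t2, t3, t4 = probes[seq]
        if t2 is None:                  # never reached the responder
            lost_sd += 1
            continue
        fwd.append(t2 - t1)
        if t4 is None:                  # reply never made it back
            lost_ds += 1
            continue
        back.append(t4 - t3)
        rtts.append(rtt(t1, t2, t3, t4))
    jitter_sd = [abs(b - a) for a, b in zip(fwd, fwd[1:])]
    jitter_ds = [abs(b - a) for a, b in zip(back, back[1:])]

    def avg(xs):
        return sum(xs) / len(xs) if xs else 0.0

    return {"sent": len(probes), "lost_sd": lost_sd, "lost_ds": lost_ds,
            "avg_rtt": avg(rtts), "max_rtt": max(rtts, default=0),
            "avg_jitter_sd": avg(jitter_sd), "avg_jitter_ds": avg(jitter_ds)}


# Constructed probe set: five packets, one lost toward the responder (seq 3)
# and one reply lost on the way back (seq 5).
PROBES: Dict[int, Probe] = {
    1: (0.0, 10.0, 12.0, 22.0),
    2: (20.0, 32.0, 34.0, 44.0),
    3: (40.0, None, None, None),
    4: (60.0, 68.0, 71.0, 79.0),
    5: (80.0, 90.0, 92.0, None),
}

if __name__ == "__main__":
    for key, value in summarize(PROBES).items():
        print(f"{key}: {value}")
```

Without the responder's T2/T3 stamps the 2 ms and 3 ms of responder processing time in these samples would be counted as network delay, which is the point the figure makes about the corrected RTT.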
Chapter 45 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations An IP SLAs threshold violation can also trigger another IP SLAs operation for further analysis. For example, the frequency could be increased or an ICMP path echo or ICMP path jitter operation could be initiated for troubleshooting. Determining the type of threshold and the level to set can be complex, and depends on the type of IP service being used in the network.
Chapter 45 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations Before configuring any IP SLAs application, you can use the show ip sla application privileged EXEC command to verify that the operation type is supported on your software image. This is an example of the output from the command: Switch# show ip sla application IP SLAs Version: 2.2.0 Round Trip Time MIB, Infrastructure Engine-II Time of last change in whole IP SLAs: 22:17:39.
Chapter 45 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations Command Purpose Step 4 show ip sla responder Verify the IP SLAs responder configuration on the device. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable the IP SLAs responder, enter the no ip sla responder global configuration command.
Chapter 45 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations Beginning in privileged EXEC mode, follow these steps to configure UDP jitter operation on the source device: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip sla operation-number Create an IP SLAs operation, and enter IP SLAs configuration mode.
Chapter 45 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations Step 6 Command Purpose ip sla monitor schedule operation-number [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring] Configure the scheduling parameters for an individual IP SLAs operation. • operation-number—Enter the RTR entry number. • (Optional) life—Set the operation to run indefinitely (forever) or for a specific number of seconds. The range is from 0 to 2147483647.
Chapter 45 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations Schedule: Operation frequency (seconds): 30 Next Scheduled Start Time: Pending trigger Group Scheduled : FALSE Randomly Scheduled : FALSE Life (seconds): 3600 Entry Ageout (seconds): never Recurring (Starting Everyday): FALSE Status of entry (SNMP RowStatus): notInService Threshold (milliseconds): 5000 Distribution Statistics: Number of statistic hours kept: 2 Number of statistic distribution buckets kept: 1 Statistic distr
Chapter 45 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations Step 6 Command Purpose ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day | day month] | pending | now | after hh:mm:ss] [ageout seconds] [recurring] Configure the scheduling parameters for an individual IP SLAs operation. • operation-number—Enter the RTR entry number. • (Optional) life—Set the operation to run indefinitely (forever) or for a specific number of seconds.
Chapter 45 Configuring Cisco IOS IP SLAs Operations Monitoring IP SLAs Operations Next Scheduled Start Time: Pending trigger Group Scheduled : FALSE Randomly Scheduled : FALSE Life (seconds): 3600 Entry Ageout (seconds): never Recurring (Starting Everyday): FALSE Status of entry (SNMP RowStatus): notInService Threshold (milliseconds): 5000 Distribution Statistics: Number of statistic hours kept: 2 Number of statistic distribution buckets kept: 1 Statistic distribution interval (milliseconds): 20 History S
CH A P T E R 46 Configuring Enhanced Object Tracking This chapter describes how to configure enhanced object tracking on the Catalyst 3750-X or 3560-X switch. This feature provides a more complete alternative to the Hot Standby Router Protocol (HSRP) tracking mechanism, which allows you to track only the line-protocol state of an interface. If the line protocol state of an interface goes down, the HSRP priority of the interface is reduced and another HSRP device with a higher priority becomes active.
Chapter 46 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features You can also track a combination of objects in a list by using either a weight threshold or a percentage threshold to measure the state of the list. You can combine objects using Boolean logic. A tracked list with a Boolean “AND” function requires that each object in the list be in an up state for the tracked object to be up.
Chapter 46 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Step 5 Command Purpose track object-number interface interface-id ip routing (Optional) Create a tracked object that tracks the IP routing state of an interface, and enter tracking configuration mode. IP-route tracking tracks an IP route in the routing table and the ability of an interface to route IP packets. • The object-number identifies the tracked object and can be from 1 to 500.
Chapter 46 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Configuring a Tracked List with a Boolean Expression Configuring a tracked list with a Boolean expression enables calculation by using either “AND” or “OR” operators. For example, when tracking two interfaces using the “AND” operator, up means that both interfaces are up, and down means that either interface is down.
Chapter 46 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Configuring a Tracked List with a Weight Threshold To track by weight threshold, configure a tracked list of objects, specify that weight is used as the threshold, and configure a weight for each of its objects. The state of the list is determined by comparing the total weight of all objects that are up against the up and down threshold weights configured for the list.
Chapter 46 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Configuring a Tracked List with a Percentage Threshold To track by percentage threshold, configure a tracked list of objects, specify that a percentage will be used as the threshold, and specify a percentage for all objects in the list. The state of the list is determined by comparing the percentage of objects in the list that are up against the up and down percentage thresholds configured for the list. You cannot use the Boolean “NOT” operator in a percentage threshold list.
Chapter 46 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Configuring HSRP Object Tracking Beginning in privileged EXEC mode, follow these steps to configure a standby HSRP group to track an object and change the HSRP priority based on the object state: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 46 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Step 6 Command Purpose standby [group-number] track object-number [decrement [priority-decrement]] Configure HSRP to track an object and change the hot standby priority based on the state of the object. • (Optional) group-number—Enter the group number to which the tracking applies. • object-number—Enter a number representing the object to be tracked. The range is from 1 to 500; the default is 1.
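The following added example (not code from this guide or from Cisco) serves the tracked-list sections above (Boolean, weight threshold and percentage threshold lists) and the standby track step just shown: it evaluates each kind of list, applies the resulting object state to an HSRP priority through the configured decrement, and elects the active router. The up/down thresholds with hysteresis follow the shape of the IOS `threshold weight up X down Y` and `threshold percentage up X down Y` commands, and the decrement of 10 used when none is given is the IOS default; object names, weights and router addresses are constructed.

```python
"""Tracked-list evaluation and HSRP priority decrement.

Added example, not Cisco code. Models Boolean, weight-threshold and
percentage-threshold lists with up/down hysteresis, then applies
`standby track` decrements and the HSRP election rule (highest priority,
ties broken by highest IP). Scenario data below is constructed.
"""
from ipaddress import IPv4Address


def boolean_list(objects, op, negated=()):
    """objects: {name: is_up}; op is 'and' or 'or'; names in negated are inverted (NOT)."""
    if op not in ("and", "or"):
        raise ValueError("op must be 'and' or 'or'")
    states = [(not up) if name in negated else up for name, up in objects.items()]
    return all(states) if op == "and" else any(states)


def weight_list(objects, weights, up, down, previous=False):
    """Sum the weights of the objects that are up: >= up means the list is up,
    <= down means down, anything in between keeps the previous state."""
    if down >= up:
        raise ValueError("down threshold must be below the up threshold")
    total = sum(weights[name] for name, is_up in objects.items() if is_up)
    if total >= up:
        return True
    if total <= down:
        return False
    return previous


def percentage_list(objects, up, down, previous=False):
    """Same hysteresis on the percentage of objects that are up. NOT is not
    permitted in a percentage list, so there is no negation argument."""
    if down >= up:
        raise ValueError("down threshold must be below the up threshold")
    if not objects:
        return False
    pct = 100 * sum(1 for is_up in objects.values() if is_up) / len(objects)
    if pct >= up:
        return True
    if pct <= down:
        return False
    return previous


def hsrp_priority(configured, tracks):
    """tracks: [(tracked_object_up, decrement)]. Each down object lowers the
    priority by its decrement; the result stays within the 1..255 range."""
    prio = configured
    for is_up, decrement in tracks:
        if not is_up:
            prio -= decrement
    return max(1, min(255, prio))


def elect_active(routers):
    """routers: {ip: effective_priority}. Highest priority wins, highest IP on a tie."""
    return max(routers, key=lambda ip: (routers[ip], IPv4Address(ip)))


# Constructed scenario: Router A tracks a weight-threshold list of two uplinks
# (up while at least 20 of 30 weight points are up, down at 10 or below) with a
# decrement of 30; Router B tracks one interface object with the default 10.
UPLINKS = {"Gi1/0/25": True, "Gi1/0/26": False}
WEIGHTS = {"Gi1/0/25": 10, "Gi1/0/26": 20}


def scenario():
    list_up = weight_list(UPLINKS, WEIGHTS, up=20, down=10)
    prio_a = hsrp_priority(120, [(list_up, 30)])   # standby 1 track 10 decrement 30
    prio_b = hsrp_priority(100, [(True, 10)])      # standby 1 track 20
    return {"list_up": list_up, "A": prio_a, "B": prio_b,
            "active": elect_active({"172.20.128.3": prio_a, "172.20.128.2": prio_b})}


if __name__ == "__main__":
    print(scenario())
```

With the heavier uplink down, Router A's list falls to the down threshold, its priority drops from 120 to 90, and Router B takes over at 100; this only happens on the real switch if Router B has preempt configured, which the guide covers in the priority section.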
Chapter 46 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Object tracking of IP SLAs operations allows clients to track the output from IP SLAs objects and use this information to trigger an action. Every IP SLAs operation maintains an SNMP operation return-code value, such as OK or OverThreshold, that can be interpreted by the tracking process. You can track two aspects of IP SLAs operation: state and reachability.
Chapter 46 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features This example output shows whether a route is reachable: Switch(config)# track 3 500 reachability Switch(config)# end Switch# show track 3 Track 3 Response Time Reporter 1 reachability Reachability is Up 1 change, last change 00:00:47 Latest operation return code: over threshold Latest RTT (millisecs) 4 Tracked by: HSRP Ethernet0/1 3 Configuring Static Routing Support Switches that are running the IP services fe
Chapter 46 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Beginning in privileged EXEC mode, follow these steps to configure a primary interface for DHCP: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Select a primary or secondary interface and enter interface configuration mode. Step 3 description string Add a description to the interface.
Chapter 46 Configuring Enhanced Object Tracking Monitoring Enhanced Object Tracking Configuring a Routing Policy and Default Route Beginning in privileged EXEC mode, follow these steps to configure a routing policy for backup static routing by using object tracking. For more details about the commands in the procedure, see this URL: http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html : Step 1 configure terminal Enter global configuration mode.
Chapter 46 Configuring Enhanced Object Tracking Monitoring Enhanced Object Tracking Table 46-1 Commands for Displaying Tracking Information (continued) Command Purpose show track resolution Display the resolution of tracked parameters. show track timers Display tracked polling interval timers.
CH A P T E R 47 Configuring Web Cache Services By Using WCCP This chapter describes how to configure your Catalyst 3750-X or 3560-X switch to redirect traffic to wide-area application engines (such as the Cisco Cache Engine 550) by using the Web Cache Communication Protocol (WCCP). This software release supports only WCCP version 2 (WCCPv2). Note WCCP is not supported on switches running the LAN base feature set.
Chapter 47 Configuring Web Cache Services By Using WCCP Understanding WCCP Understanding WCCP The WCCP and Cisco cache engines (or other application engines running WCCP) localize traffic patterns in the network, enabling content requests to be fulfilled locally. WCCP enables supported Cisco routers and switches to transparently redirect content requests. With transparent redirection, users do not have to configure their browsers to use a web proxy.
Chapter 47 Configuring Web Cache Services By Using WCCP Understanding WCCP WCCP Negotiation In the exchange of WCCP protocol messages, the designated application engine and the WCCP-enabled switch negotiate these items: • Forwarding method (the method by which the switch forwards packets to the application engine). The switch rewrites the Layer 2 header by replacing the packet destination MAC address with the target application engine MAC address. It then forwards the packet to the application engine.
Chapter 47 Configuring Web Cache Services By Using WCCP Understanding WCCP You can configure up to 8 service groups on a switch or switch stack and up to 32 cache engines per service group. WCCP maintains the priority of the service group in the group definition. WCCP uses the priority to configure the service groups in the switch hardware.
Chapter 47 Configuring Web Cache Services By Using WCCP Configuring WCCP • It distributes the WCCP information to any switch that joins the stack. • It programs its hardware with the WCCP information it processes. Stack members receive the WCCP information from the master switch and program their hardware.
Chapter 47 Configuring Web Cache Services By Using WCCP Configuring WCCP • WCCP entries and PBR entries use the same TCAM region. WCCP is supported only on the templates that support PBR: access, routing, and dual IPv4/v6 routing. • When TCAM entries are not available to add WCCP entries, packets are not redirected and are forwarded by using the standard routing tables.
Chapter 47 Configuring Web Cache Services By Using WCCP Configuring WCCP Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip wccp {web-cache | service-number} [group-address groupaddress] [group-list access-list] [redirect-list access-list] [password encryption-number password] Enable the web cache service, and specify the service number which corresponds to a dynamic service that is defined by the application engine. By default, this feature is disabled.
Chapter 47 Configuring Web Cache Services By Using WCCP Configuring WCCP Step 16 Command Purpose show ip wccp web-cache Verify your entries. and show running-config Step 17 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable the web cache service, use the no ip wccp web-cache global configuration command. To disable inbound packet redirection, use the no ip wccp web-cache redirect in interface configuration command.
Chapter 47 Configuring Web Cache Services By Using WCCP Configuring WCCP This example shows how to configure SVIs and how to enable the web cache service with a multicast group list. VLAN 299 is created and configured with an IP address of 175.20.20.10. Gigabit Ethernet port 1 is connected through the Internet to the web server and is configured as an access port in VLAN 299. VLAN 300 is created and configured with an IP address of 172.20.10.30.
Chapter 47 Configuring Web Cache Services By Using WCCP Monitoring and Maintaining WCCP Monitoring and Maintaining WCCP To monitor and maintain WCCP, use one or more of the privileged EXEC commands in Table 47-2: Table 47-2 Commands for Monitoring and Maintaining WCCP Command Purpose clear ip wccp web-cache Removes statistics for the web-cache service. show ip wccp web-cache Displays global information related to WCCP.
CH A P T E R 48 Configuring IP Multicast Routing This chapter describes how to configure IP multicast routing on the Catalyst 3750-X or 3560-X switch. IP multicasting is a more efficient way to use network resources, especially for bandwidth-intensive services such as audio and video. IP multicast routing enables a host (source) to send packets to a group of hosts (receivers) anywhere within the IP network by using a special form of IP address called the IP multicast group address.
Chapter 48 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing The Cisco IOS software supports these protocols to implement IP multicast routing: • Internet Group Management Protocol (IGMP) is used among hosts on a LAN and the routers (and multilayer switches) on that LAN to track the multicast groups of which hosts are members.
Chapter 48 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing Understanding IGMP To participate in IP multicasting, multicast hosts, routers, and multilayer switches must have the IGMP operating. This protocol defines the querier and host roles: • A querier is a network device that sends query messages to discover which network devices are members of a given multicast group.
Chapter 48 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing Understanding PIM PIM is called protocol-independent: regardless of the unicast routing protocols used to populate the unicast routing table, PIM uses this information to perform multicast forwarding instead of maintaining a separate multicast routing table. PIM is defined in RFC 2362, Protocol-Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification.
Chapter 48 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing When a new receiver on a previously pruned branch of the tree joins a multicast group, the PIM DM device detects the new receiver and immediately sends a graft message up the distribution tree toward the source.
Chapter 48 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing The redundant PIM stub router topology is not supported. The redundant topology exists when there is more than one PIM router forwarding multicast traffic to a single access domain. PIM messages are blocked, and the PIM assert and designated router election mechanisms are not supported on the PIM passive interfaces. Only the nonredundant access router topology is supported by the PIM stub feature.
Chapter 48 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing Auto-RP This proprietary feature eliminates the need to manually configure the RP information in every router and multilayer switch in the network. For auto-RP to work, you configure a Cisco router or multilayer switch as the mapping agent. It uses IP multicast to learn which routers or switches in the network are possible candidate RPs to receive candidate RP announcements.
Chapter 48 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing Multicast Forwarding and Reverse Path Check With unicast routing, routers and multilayer switches forward traffic through the network along a single path from the source to the destination host whose IP address appears in the destination address field of the IP packet.
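The following added example (not code from this guide or from Cisco) implements the reverse path check named in the heading above: a multicast packet is accepted only if it arrived on the interface that the unicast routing table would use to reach the packet's source, and copies arriving on any other interface are dropped, which is what keeps looped or replayed multicast traffic from being forwarded. The routing table, interface names and packets are constructed.

```python
"""Reverse path forwarding (RPF) check for multicast packets.

Added example, not Cisco code. Longest-prefix match on a constructed unicast
table gives the RPF interface toward the source; a packet is replicated to
the group's outgoing interfaces only if it arrived on that interface.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

Route = Tuple[IPv4Network, str]   # (prefix, outgoing interface)


def lookup(table: List[Route], address: IPv4Address) -> Optional[str]:
    """Longest-prefix match; returns the outgoing interface or None."""
    best = None
    for prefix, iface in table:
        if address in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def rpf_interface(table: List[Route], source: str) -> Optional[str]:
    """Interface the unicast table uses to reach source (the RPF interface)."""
    return lookup(table, IPv4Address(source))


def rpf_check(table: List[Route], source: str, in_iface: str) -> bool:
    """True if the packet arrived on the RPF interface toward its source."""
    return rpf_interface(table, source) == in_iface


def forward_multicast(table, packet, oil):
    """packet: (source, group, in_iface); oil: {group: [outgoing interfaces]}.
    Returns the interfaces the packet is replicated to, [] when the RPF
    check fails. The incoming interface is never in the output list."""
    source, group, in_iface = packet
    if not rpf_check(table, source, in_iface):
        return []
    return [i for i in oil.get(group, []) if i != in_iface]


# Constructed unicast routing table and outgoing interface list (OIL)
TABLE: List[Route] = [
    (IPv4Network("10.1.0.0/16"), "Gi1/0/1"),
    (IPv4Network("10.1.5.0/24"), "Gi1/0/2"),   # more specific route wins
    (IPv4Network("0.0.0.0/0"), "Gi1/0/3"),
]
OIL = {"239.1.1.1": ["Gi1/0/2", "Gi1/0/3", "Vlan10"]}

if __name__ == "__main__":
    for pkt in [("10.1.5.7", "239.1.1.1", "Gi1/0/2"),
                ("10.1.5.7", "239.1.1.1", "Gi1/0/1"),   # same source via another path
                ("192.0.2.9", "239.1.1.1", "Gi1/0/3")]:
        print(pkt, "->", forward_multicast(TABLE, pkt, OIL))
```

The second packet is the case the check exists for: the same source arriving on a non-RPF interface is dropped rather than replicated a second time.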
Chapter 48 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing PIM uses both source trees and RP-rooted shared trees to forward datagrams (described in the “PIM DM” section on page 48-4 and the “PIM-SM” section on page 48-5).
Chapter 48 Configuring IP Multicast Routing Multicast Routing and Switch Stacks CGMP is necessary because the Layer 2 switch cannot distinguish between IP multicast data packets and IGMP report messages, which are both at the MAC-level and are addressed to the same group address. CGMP is mutually exclusive with HSRPv1. You cannot enable CGMP leave processing and HSRPv1 at the same time. However, you can enable CGMP and HSRPv2 at the same time.
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing Default Multicast Routing Configuration Table 48-2 Default Multicast Routing Configuration Feature Default Setting Multicast routing Disabled on all interfaces. PIM version Version 2. PIM mode No mode is defined. PIM stub routing None configured. PIM RP address None configured. PIM domain border Disabled. PIM multicast boundary None. Candidate BSRs Disabled. Candidate RPs Disabled.
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing Sparse-mode groups in a mixed PIMv1 and PIMv2 region are possible because the Auto-RP feature in PIMv1 interoperates with the PIMv2 RP feature. Although all PIMv2 devices can also use PIMv1, we recommend that the RPs be upgraded to PIMv2. To ease the transition to PIMv2, we have these recommendations: • Use Auto-RP throughout the region. • Configure sparse-dense mode throughout the region.
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing In populating the multicast routing table, dense-mode interfaces are always added to the table. Sparse-mode interfaces are added to the table only when periodic join messages are received from downstream devices or when there is a directly connected member on the interface. When forwarding from a LAN, sparse-mode operation occurs if there is an RP known for the group. If so, the packets are encapsulated and sent toward the RP.
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing Command Purpose Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable multicasting, use the no ip multicast-routing distributed global configuration command. To return to the default PIM version, use the no ip pim version interface configuration command.
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing the IP addresses of sources from which they receive their traffic. The proposed standard approach for channel subscription signaling uses IGMP INCLUDE-mode membership reports, which are supported only in IGMP version 3. SSM IP Address Range SSM can coexist with the ISM service by applying the SSM delivery model to a configured subset of the IP multicast group address range.
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing Configuration Guidelines This section contains the guidelines for configuring SSM. Legacy Applications Within the SSM Range Restrictions Existing applications in a network predating SSM do not work within the SSM range unless they are modified to support (S, G) channel subscriptions. Therefore, enabling SSM in a network can cause problems for existing applications if they use addresses within the designated SSM range.
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing Configuring SSM Beginning in privileged EXEC mode, follow these steps to configure SSM. This procedure is optional. Command Purpose Step 1 ip pim ssm [default | range access-list] Define the SSM range of IP multicast addresses. Step 2 interface type number Select an interface that is connected to hosts on which IGMPv3 can be enabled, and enter the interface configuration mode.
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing • Before you can configure and use SSM mapping with DNS lookups, you must be able to add records to a running DNS server. If you do not already have a DNS server running, you need to install one. You can use a product such as Cisco Network Registrar. Go to this URL for more information: http://www.cisco.com/warp/public/cc/pd/nemnsw/nerr/index.
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing DNS-Based SSM Mapping You can use DNS-based SSM mapping to configure the last hop router to perform a reverse DNS lookup to determine sources sending to groups. When DNS-based SSM mapping is configured, the router constructs a domain name that includes the group address and performs a reverse lookup into the DNS. The router looks up IP address resource records and uses them as the source addresses associated with this group.
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing Configuring SSM Mapping • Configuring Static SSM Mapping, page 48-20 (required) • Configuring DNS-Based SSM Mapping, page 48-20 (required) • Configuring Static Traffic Forwarding with SSM Mapping, page 48-21 (optional) Configuring Static SSM Mapping Beginning in privileged EXEC mode, follow these steps to configure static SSM mapping: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing Beginning in privileged EXEC mode, follow these steps to configure DNS-based SSM mapping: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip igmp ssm-map enable Enable SSM mapping for groups in a configured SSM range. Step 3 ip igmp ssm-map query dns (Optional) Enable DNS-based SSM mapping. By default, the ip igmp ssm-map command enables DNS-based SSM mapping.
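The following added example (not code from this guide or from Cisco) serves the static and DNS-based SSM mapping procedures above: for an IGMPv3 report the sources in the report are used as-is; for an IGMPv1 or IGMPv2 (*, G) report whose group falls in the SSM range, a static mapping is consulted first and, if none matches, a DNS lookup keyed on the group address. Assumptions: the default SSM range is 232.0.0.0/8 (RFC 4607); the DNS name is formed from the group address with its octets reversed under a constructed zone name (this page does not give the exact name IOS forms); the resolver is a constructed in-memory table rather than a real DNS server.

```python
"""Source resolution for IGMP reports under SSM mapping.

Added example, not Cisco code. Static mapping is tried before DNS, as in the
guide's procedure; the SSM range, zone name, static entries and DNS records
below are constructed.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

SSM_RANGE = IPv4Network("232.0.0.0/8")          # default SSM range (RFC 4607)
SSM_MAP_DOMAIN = "ssm-map.example.com"          # assumed zone name

# Static mapping as configured with `ip igmp ssm-map static`: (group prefix, sources)
STATIC_MAP = [
    (IPv4Network("232.1.1.0/24"), ["10.10.10.1"]),
]

# Constructed DNS zone: A records keyed on the reversed group address
DNS_ZONE = {
    "5.2.2.232.ssm-map.example.com": ["10.20.20.5", "10.20.20.6"],
}


def ssm_map_name(group: str) -> str:
    """Name looked up for a group: reversed octets under the SSM map zone (assumed)."""
    return ".".join(reversed(group.split("."))) + "." + SSM_MAP_DOMAIN


def map_sources(group: str, igmp_version: int, sources=(),
                dns_enabled=True) -> Tuple[str, List[str]]:
    """Return ('ssm', sources) for a channel join or ('ism', []) for a
    shared-tree (*, G) join. An SSM group with no known source yields
    ('ssm', []): nothing is forwarded, which is the failure the guide
    describes for legacy applications inside the SSM range."""
    g = IPv4Address(group)
    if igmp_version == 3 and sources:
        return ("ssm", list(sources))        # INCLUDE-mode report carries its own sources
    if g not in SSM_RANGE:
        return ("ism", [])                   # outside the SSM range: normal (*, G) join
    for prefix, srcs in STATIC_MAP:
        if g in prefix:
            return ("ssm", list(srcs))       # static mapping takes precedence
    if dns_enabled:
        return ("ssm", list(DNS_ZONE.get(ssm_map_name(group), [])))
    return ("ssm", [])


if __name__ == "__main__":
    for grp, ver in [("232.1.1.9", 2), ("232.2.2.5", 2), ("232.9.9.9", 2), ("239.1.1.1", 2)]:
        print(grp, f"IGMPv{ver}", "->", map_sources(grp, ver))
```

Because a DNS answer decides which source a receiver is joined to, the resolver the switch uses for SSM mapping should be one you control; a spoofed A record redirects the group to a source of the attacker's choosing.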
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing Monitoring SSM Mapping Use the privileged EXEC commands in Table 48-3 to monitor SSM mapping. Table 48-3 SSM Mapping Monitoring Commands Command Purpose show ip igmp ssm-mapping Display information about SSM mapping. show ip igmp ssm-mapping group-address Display the sources that SSM mapping uses for a particular group.
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing Enabling PIM Stub Routing Beginning in privileged EXEC mode, follow these steps to enable PIM stub routing on an interface. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface on which you want to enable PIM stub routing, and enter interface configuration mode.
Use these privileged EXEC commands to display information about PIM stub configuration and status:
• show ip pim interface displays the PIM stub mode that is enabled on each interface.
• show ip igmp detail displays the interested clients that have joined the specific multicast source group.
• show ip mroute verifies that the multicast stream forwards from the source to the interested clients.
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing Beginning in privileged EXEC mode, follow these steps to manually configure the address of the RP. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip pim rp-address ip-address [access-list-number] [override] Configure the address of a PIM RP. By default, no PIM RP address is configured.
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing Configuring Auto-RP Auto-RP uses IP multicast to automate the distribution of group-to-RP mappings to all Cisco routers and multilayer switches in a PIM network. It has these benefits: • It is easy to use multiple RPs within a network to serve different group ranges. • It provides load splitting among different RPs and arrangement of RPs according to the location of group participants.
Beginning in privileged EXEC mode, follow these steps to deploy Auto-RP in an existing sparse-mode cloud. This procedure is optional. Command Purpose Step 1 show running-config Verify that a default RP is already configured on all PIM devices and on the RP in the sparse-mode network. It was previously configured with the ip pim rp-address global configuration command. This step is not required for sparse-dense-mode environments.
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing Step 5 Command Purpose ip pim send-rp-discovery scope ttl Find a switch whose connectivity is not likely to be interrupted, and assign it the role of RP-mapping agent. For scope ttl, specify the time-to-live value in hops to limit the RP discovery packets. All devices within the hop count from the source device receive the Auto-RP discovery messages.
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing Beginning in privileged EXEC mode, follow these steps to filter incoming RP announcement messages. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip pim rp-announce-filter rp-list access-list-number group-list access-list-number Filter incoming RP announcement messages. Enter this command on each mapping agent in the network.
Switch(config)# access-list 20 deny 239.0.0.0 0.0.255.255
Switch(config)# access-list 20 permit 224.0.0.0 15.255.255.255
In this example, the mapping agent accepts candidate RP announcements from only two devices, 172.16.5.1 and 172.16.2.1. From these two devices it accepts announcements only for multicast groups in the range 224.0.0.0 to 239.255.255.255, except the 239.0.0.0/16 range that access list 20 explicitly denies; an announcement for a group prefix in that range is rejected even when it comes from one of the two permitted devices.
Figure 48-5 Constraining PIMv2 BSR Messages (figure: a PIMv2 sparse-mode network of Layer 3 switches connected to two neighboring PIMv2 domains; the ip pim bsr-border command is configured on each interface that faces a neighboring domain so that BSR messages do not cross it in either direction.)
This example shows a portion of an IP multicast boundary configuration that denies Auto-RP information (the Auto-RP announce group 224.0.1.39 and discovery group 224.0.1.40):
Switch(config)# access-list 1 deny 224.0.1.39
Switch(config)# access-list 1 deny 224.0.1.40
Switch(config)# access-list 1 permit any
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip multicast boundary 1
Configuring Candidate BSRs You can configure one or more candidate BSRs.
Chapter 48 Configuring IP Multicast Routing Configuring IP Multicast Routing Configuring Candidate RPs You can configure one or more candidate RPs. Similar to BSRs, the RPs should also have good connectivity to other devices and be in the backbone portion of the network. An RP can serve the entire IP multicast address space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR.
This example shows how to configure the switch to advertise itself as a candidate RP to the BSR in its PIM domain. Standard access list 4 specifies the group prefix served by the RP whose address is taken from the specified port, gigabitethernet1/0/2. That RP is responsible for the groups with the prefix 239.
Switch(config)# ip pim rp-candidate gigabitethernet1/0/2 group-list 4
Switch(config)# access-list 4 permit 239.0.0.0 0.255.255.
Chapter 48 Configuring IP Multicast Routing Configuring Advanced PIM Features Monitoring the RP Mapping Information To monitor the RP mapping information, use these commands in privileged EXEC mode: • show ip pim bsr displays information about the elected BSR. • show ip pim rp-hash group displays the RP that was selected for the specified group. • show ip pim rp [group-name | group-address | mapping] displays how the switch learns of the RP (through the BSR or the Auto-RP mechanism).
Figure 48-6 Shared Tree and Source Tree (Shortest-Path Tree) (figure: a source, Routers A and B, the RP, Router C, and a receiver; the shared tree is rooted at the RP, the source tree or shortest-path tree runs directly from the source.) If the data rate warrants, leaf routers (routers without any downstream connections) on the shared tree can use the data distribution tree rooted at the source. This type of distribution tree is called a shortest-path tree or source tree.
Delaying the Use of PIM Shortest-Path Tree By default, the change from shared tree to source tree happens when the first data packet arrives at the last-hop router (Router C in Figure 48-6). The ip pim spt-threshold global configuration command controls when this change occurs. The shortest-path tree requires more memory than the shared tree but reduces delay, so you might want to postpone its use.
Chapter 48 Configuring IP Multicast Routing Configuring Optional IGMP Features Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no ip pim spt-threshold {kbps | infinity} global configuration command.
Chapter 48 Configuring IP Multicast Routing Configuring Optional IGMP Features • Changing the IGMP Query Timeout for IGMPv2, page 48-42 (optional) • Changing the Maximum Query Response Time for IGMPv2, page 48-43 (optional) • Configuring the Switch as a Statically Connected Member, page 48-44 (optional) Default IGMP Configuration Table 48-4 Default IGMP Configuration Feature Default Setting Multilayer switch as a member of a multicast group No group memberships are defined.
Chapter 48 Configuring IP Multicast Routing Configuring Optional IGMP Features Beginning in privileged EXEC mode, follow these steps to configure the switch to be a member of a group. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode. Step 3 ip igmp join-group group-address Configure the switch to join a multicast group.
Chapter 48 Configuring IP Multicast Routing Configuring Optional IGMP Features Step 5 Command Purpose access-list access-list-number {deny | permit} source [source-wildcard] Create a standard access list. • For access-list-number, specify the access list created in Step 3. • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched. • For source, specify the multicast group that hosts on the subnet can join.
Chapter 48 Configuring IP Multicast Routing Configuring Optional IGMP Features Command Purpose Step 5 show ip igmp interface [interface-id] Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no ip igmp version interface configuration command.
You can display the query interval by entering the show ip igmp interface interface-id privileged EXEC command. Beginning in privileged EXEC mode, follow these steps to change the IGMP query timeout. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode.
Chapter 48 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Configuring the Switch as a Statically Connected Member Sometimes there is either no group member on a network segment or a host cannot report its group membership by using IGMP. However, you might want multicast traffic to go to that network segment. These are ways to pull multicast traffic down to a network segment: • Use the ip igmp join-group interface configuration command.
Chapter 48 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Enabling CGMP Server Support The switch serves as a CGMP server for devices that do not support IGMP snooping but have CGMP client functionality. CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP.
Configuring sdr Listener Support The MBONE is the small subset of Internet routers and hosts that are interconnected and capable of forwarding IP multicast traffic. Multimedia content is often broadcast over the MBONE.
Chapter 48 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Beginning in privileged EXEC mode, follow these steps to limit how long an sdr cache entry stays active in the cache. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip sdr cache-timeout minutes Limit how long an sdr cache entry stays active in the cache. By default, entries are never deleted from the cache.
Figure 48-7 Administratively-Scoped Boundaries (figure: Company XYZ with Marketing and Engineering departments; the scoped ranges shown are 239.128.0.0/16 and 239.0.0.0/8.) You can define an administratively-scoped boundary on a routed interface for multicast group addresses. A standard access list defines the range of addresses affected. When a boundary is defined, no multicast data packets are allowed to flow across the boundary in either direction.
Chapter 48 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features To remove the boundary, use the no ip multicast boundary interface configuration command. This example shows how to set up a boundary for all administratively-scoped addresses: Switch(config)# access-list 1 deny 239.0.0.0 0.255.255.255 Switch(config)# access-list 1 permit 224.0.0.0 15.255.255.
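The access lists in this chapter (the Auto-RP mapping-agent filter with rp-list 10 and group-list 20, the boundary that blocks the Auto-RP groups 224.0.1.39 and 224.0.1.40, and the administratively-scoped boundary above) are worth checking offline before they are pushed, because a wrong wildcard mask silently widens or narrows what crosses a boundary. The following Python is an added example, not Cisco code: it models the first-match, implicit-deny semantics of an IOS numbered standard access list with wildcard masks and evaluates the chapter's lists against sample RP and group addresses. The access-list 10 entries are an assumption (the page names the two permitted candidate RPs but does not print that list), and the scoped-boundary permit line is transcribed as 224.0.0.0 15.255.255.255, matching the form used in the mapping-agent example.

```python
"""Offline evaluator for the IOS standard access lists in this chapter.

Added example, not Cisco IOS code. An ACL is an ordered list of
(action, network, wildcard) entries; "host x" is (action, x, 0.0.0.0)
and "any" is (action, 0.0.0.0, 255.255.255.255).
"""
from ipaddress import IPv4Address
from typing import List, Tuple

AclEntry = Tuple[str, str, str]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network under IOS wildcard-mask semantics.

    A set bit in the wildcard means 'do not care'; every other bit must
    equal the corresponding bit of the network address.
    """
    a = int(IPv4Address(addr))
    n = int(IPv4Address(network))
    w = int(IPv4Address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


def acl_permits(acl: List[AclEntry], addr: str) -> bool:
    """First matching entry wins; an address matching no entry is denied."""
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action == "permit"
    return False  # implicit deny at the end of every IOS access list


# ip pim rp-announce-filter rp-list 10 group-list 20 on the mapping agent.
# RP_LIST_10 is assumed: the page states the two permitted candidate RPs
# but does not show the access-list 10 lines themselves.
RP_LIST_10: List[AclEntry] = [
    ("permit", "172.16.5.1", "0.0.0.0"),
    ("permit", "172.16.2.1", "0.0.0.0"),
]
GROUP_LIST_20: List[AclEntry] = [
    ("deny", "239.0.0.0", "0.0.255.255"),
    ("permit", "224.0.0.0", "15.255.255.255"),
]

# ip multicast boundary 1 that drops the Auto-RP announce/discovery groups.
AUTORP_BOUNDARY_1: List[AclEntry] = [
    ("deny", "224.0.1.39", "0.0.0.0"),
    ("deny", "224.0.1.40", "0.0.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# ip multicast boundary for all administratively scoped (239/8) groups.
SCOPED_BOUNDARY_1: List[AclEntry] = [
    ("deny", "239.0.0.0", "0.255.255.255"),
    ("permit", "224.0.0.0", "15.255.255.255"),
]


def mapping_agent_accepts(rp: str, group: str) -> bool:
    """Model of rp-announce-filter: the candidate RP must pass the rp-list
    and the advertised group prefix must pass the group-list."""
    return acl_permits(RP_LIST_10, rp) and acl_permits(GROUP_LIST_20, group)


def boundary_forwards(acl: List[AclEntry], group: str) -> bool:
    """ip multicast boundary forwards a group only if its ACL permits it."""
    return acl_permits(acl, group)


if __name__ == "__main__":
    checks = {
        "announce from 172.16.5.1 for 224.1.1.1": mapping_agent_accepts("172.16.5.1", "224.1.1.1"),
        "announce from 172.16.5.1 for 239.0.5.1": mapping_agent_accepts("172.16.5.1", "239.0.5.1"),
        "announce from 172.16.5.1 for 239.1.1.1": mapping_agent_accepts("172.16.5.1", "239.1.1.1"),
        "announce from 10.0.0.1 for 224.1.1.1": mapping_agent_accepts("10.0.0.1", "224.1.1.1"),
        "224.0.1.39 across Auto-RP boundary": boundary_forwards(AUTORP_BOUNDARY_1, "224.0.1.39"),
        "239.1.1.1 across scoped boundary": boundary_forwards(SCOPED_BOUNDARY_1, "239.1.1.1"),
    }
    for name, result in checks.items():
        print(f"{name}: {'permit' if result else 'deny'}")
```

Note the third check: access list 20 denies only 239.0.0.0/16, so an announcement for 239.1.1.1 from a permitted RP passes the filter. If the intent is to keep every administratively scoped group out of Auto-RP, the deny line needs the wildcard 0.255.255.255, as in the scoped-boundary list.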
Chapter 48 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Beginning in privileged EXEC mode, follow these steps to configure the sources that are advertised and the metrics that are used when DVMRP route-report messages are sent. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 48 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features This example shows how to configure DVMRP interoperability when the PIM device and the DVMRP router are on the same network segment. In this example, access list 1 advertises the networks (198.92.35.0, 198.92.36.0, 198.92.37.0, 131.108.0.0, and 150.136.0.0) to the DVMRP router, and access list 2 prevents all other networks from being advertised (ip dvmrp metric 0 interface configuration command).
Chapter 48 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Beginning in privileged EXEC mode, follow these steps to configure a DVMRP tunnel. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard] Create a standard access list, repeating the command as many times as necessary. • For access-list-number, the range is 1 to 99.
Chapter 48 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Command Purpose Step 11 show running-config Verify your entries. Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable the filter, use the no ip dvmrp accept-filter access-list-number [distance] neighbor-list access-list-number interface configuration command. This example shows how to configure a DVMRP tunnel.
Chapter 48 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To prevent the default route advertisement, use the no ip dvmrp default-information interface configuration command.
Chapter 48 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Cisco devices do not perform DVMRP multicast routing among each other, but they can exchange DVMRP routes. The DVMRP routes provide a multicast topology that might differ from the unicast topology. This enables PIM to run over the multicast topology, thereby enabling sparse-mode PIM over the MBONE topology.
Figure 48-8 Leaf Nonpruning DVMRP Neighbor (figure: a source router or RP running PIM dense mode feeds Router A and Router B; Router B serves a receiver, and a Layer 3 switch peers with a leaf nonpruning DVMRP device on a stub LAN with no members, which therefore receives unnecessary multicast traffic.) You can prevent the switch from peering (communicating) with a DVMRP neighbor if that neighbor does not support DVMRP pruning or grafting.
Figure 48-9 Router Rejects Nonpruning DVMRP Neighbor (figure: the same topology with the ip dvmrp reject-non-pruners command configured on the Layer 3 switch interface toward the leaf nonpruning DVMRP device; multicast traffic now reaches the receiver but not the leaf DVMRP device.) Note that the ip dvmrp reject-non-pruners interface configuration command prevents peering with neighbors only.
Chapter 48 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Controlling Route Exchanges These sections describe how to tune the Cisco device advertisements of DVMRP routes: • Limiting the Number of DVMRP Routes Advertised, page 48-58 (optional) • Changing the DVMRP Route Threshold, page 48-58 (optional) • Configuring a DVMRP Summary Address, page 48-59 (optional) • Disabling DVMRP Autosummarization, page 48-61 (optional) • Adding a Metric Offset to the DVMRP
Chapter 48 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Beginning in privileged EXEC mode, follow these steps to change the threshold number of routes that trigger the warning. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip dvmrp routehog-notification route-count Configure the number of routes that trigger a syslog message. Step 3 end Return to privileged EXEC mode.
Figure 48-10 Connected Unicast Routes Advertised by Default (Catalyst 3750-X Switches) (figure: the switch has interface tunnel 0 unnumbered to gigabitethernet1/0/1, ip pim dense-mode on gigabitethernet1/0/1 with ip address 176.32.10.1 255.255.255.0, and gigabitethernet1/0/2 with address 176.32.15.1. Its DVMRP report to the DVMRP router carries 151.16.0.0/16 with metric 39, 172.34.15.0/24 with metric 42, 202.13.3.0/24 with metric 40, and the connected networks 176.32.10.0/24 and 176.32.15.0/24 with metric 1.)
Chapter 48 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features To remove the summary address, use the no ip dvmrp summary-address address mask [metric value] interface configuration command. Disabling DVMRP Autosummarization By default, the software automatically performs some level of DVMRP summarization. Disable this function if you want to advertise all routes, not just a summary.
Chapter 48 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Step 3 Command Purpose ip dvmrp metric-offset [in | out] increment Change the metric added to DVMRP routes advertised in incoming reports. The keywords have these meanings: • (Optional) in—Specifies that the increment value is added to incoming DVMRP reports and is reported in mrinfo replies.
Chapter 48 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Table 48-5 Commands for Clearing Caches, Tables, and Databases (continued) Command Purpose clear ip pim auto-rp rp-address Clear the auto-RP cache. clear ip sdr [group-address | “session-name”] Delete the Session Directory Protocol Version 2 cache or an sdr cache entry.
Chapter 48 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Monitoring IP Multicast Routing You can use the privileged EXEC commands in Table 48-7 to monitor IP multicast routers, packets, and paths: Table 48-7 Commands for Monitoring IP Multicast Routing Command Purpose mrinfo [hostname | address] [source-address | interface] Query a multicast router or multilayer switch about which neighboring multicast devices are peering with it.
CH A P T E R 49 Configuring MSDP This chapter describes how to configure the Multicast Source Discovery Protocol (MSDP) on the Catalyst 3750-X or 3560-X switch. The MSDP connects multiple Protocol-Independent Multicast sparse-mode (PIM-SM) domains. MSDP is not fully supported in this software release because of a lack of support for Multicast Border Gateway Protocol (MBGP), which works closely with MSDP. However, it is possible to create default peers that MSDP can operate with if MBGP is not running.
Chapter 49 Configuring MSDP Understanding MSDP The purpose of this topology is to have domains discover multicast sources in other domains. If the multicast sources are of interest to a domain that has receivers, multicast data is delivered over the normal, source-tree building mechanism in PIM-SM. MSDP is also used to announce sources sending to a group. These announcements must originate at the domain’s RP. MSDP depends heavily on the Border Gateway Protocol (BGP) or MBGP for interdomain operation.
Figure 49-1 MSDP Running Between RP Peers (figure: PIM sparse-mode domains whose RPs are also MSDP peers, connected by TCP connections with BGP between them; a source's register at one RP produces an MSDP SA message that is peer-RPF flooded to the other MSDP peers, and the receiver's domain sends a multicast (S,G) join toward the source through its PIM DR.) MSDP Benefits MSDP has these benefits: • It breaks up the shared multicast distribution tree. You can make the shared tree local to your domain.
Chapter 49 Configuring MSDP Configuring MSDP • Controlling Source Information that Your Switch Forwards, page 49-12 (optional) • Controlling Source Information that Your Switch Receives, page 49-14 (optional) • Configuring an MSDP Mesh Group, page 49-16 (optional) • Shutting Down an MSDP Peer, page 49-16 (optional) • Including a Bordering PIM Dense-Mode Region in MSDP, page 49-17 (optional) • Configuring an Originating Address other than the RP Address, page 49-18 (optional) Default MSDP Conf
Figure 49-2 Default MSDP Peer Network (figure: Router C in the ISP C PIM domain, the ISP A PIM domain, and a customer PIM domain containing Switch B and Router A; the address 10.1.1.1 and the default MSDP peer relationships between the domains are shown, with SA messages flowing between the peers.) Beginning in privileged EXEC mode, follow these steps to specify a default MSDP peer. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode.
Command Purpose
Step 3 ip prefix-list name [description string] | seq number {permit | deny} network length (Optional) Create a prefix list using the name specified in Step 2.
• (Optional) For description string, enter a description of up to 80 characters to describe this prefix list.
• For seq number, enter the sequence number of the entry. The range is 1 to 4294967294.
Step 4 ip msdp description {peer-name | peer-address} text
Chapter 49 Configuring MSDP Configuring MSDP Beginning in privileged EXEC mode, follow these steps to enable the caching of source/group pairs. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip msdp cache-sa-state [list access-list-number] Enable the caching of source/group pairs (create an SA state). Those pairs that pass the access list are cached. For list access-list-number, the range is 100 to 199.
Chapter 49 Configuring MSDP Configuring MSDP Requesting Source Information from an MSDP Peer Local RPs can send SA requests and get immediate responses for all active sources for a given group. By default, the switch does not send any SA request messages to its MSDP peers when a new member joins a group and wants to receive multicast traffic. The new member waits to receive the next periodic SA message.
Chapter 49 Configuring MSDP Configuring MSDP Redistributing Sources SA messages originate on RPs to which sources have registered. By default, any source that registers with an RP is advertised. The A flag is set in the RP when a source is registered, which means the source is advertised in an SA unless it is filtered. Beginning in privileged EXEC mode, follow these steps to further restrict which registered sources are advertised. This procedure is optional.
Command Purpose
Step 3 access-list access-list-number {deny | permit} source [source-wildcard] Create an IP standard access list, repeating the command as many times as necessary.
or
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard Create an IP extended access list, repeating the command as many times as necessary.
Chapter 49 Configuring MSDP Configuring MSDP Filtering Source-Active Request Messages By default, only switches that are caching SA information can respond to SA requests. By default, such a switch honors all SA request messages from its MSDP peers and supplies the IP addresses of the active sources. However, you can configure the switch to ignore all SA requests from an MSDP peer. You can also honor only those SA request messages from a peer for groups described by a standard access list.
Chapter 49 Configuring MSDP Configuring MSDP Controlling Source Information that Your Switch Forwards By default, the switch forwards all SA messages it receives to all its MSDP peers. However, you can prevent outgoing messages from being forwarded to a peer by using a filter or by setting a time-to-live (TTL) value. These methods are described in the next sections.
Chapter 49 Configuring MSDP Configuring MSDP Step 3 Command Purpose access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard (Optional) Create an IP extended access list, repeating the command as many times as necessary. • For access-list-number, enter the number specified in Step 2. • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
Using TTL to Limit the Multicast Data Sent in SA Messages You can use a TTL value to control what data is encapsulated in the first SA message for every source. Only multicast packets with an IP-header TTL greater than or equal to the ttl argument are encapsulated and sent to the specified MSDP peer. For example, you can limit internal traffic to a TTL of 8. If you want other groups to go to external locations, you must send those packets with a TTL greater than 8.
Beginning in privileged EXEC mode, follow these steps to apply a filter. This procedure is optional. Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 ip msdp sa-filter in {ip-address | name} Filter all SA messages from the specified MSDP peer.
or
ip msdp sa-filter in {ip-address | name} list access-list-number From the specified peer, pass only those SA messages that pass the IP extended access list.
Chapter 49 Configuring MSDP Configuring MSDP Configuring an MSDP Mesh Group An MSDP mesh group is a group of MSDP speakers that have fully meshed MSDP connectivity among one another. Any SA messages received from a peer in a mesh group are not forwarded to other peers in the same mesh group. Thus, you reduce SA message flooding and simplify peer-RPF flooding. Use the ip msdp mesh-group global configuration command when there are multiple RPs within a domain.
Beginning in privileged EXEC mode, follow these steps to shut down a peer. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip msdp shutdown {peer-name | peer-address} Administratively shut down the specified MSDP peer without losing configuration information. For peer-name | peer-address, enter the IP address or name of the MSDP peer to shut down. Step 3 end Return to privileged EXEC mode.
Chapter 49 Configuring MSDP Configuring MSDP Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Note that the ip msdp originator-id global configuration command also identifies an interface to be used as the RP address.
Chapter 49 Configuring MSDP Monitoring and Maintaining MSDP Monitoring and Maintaining MSDP To monitor MSDP SA messages, peers, state, or peer status, use one or more of the privileged EXEC commands in Table 49-1: Table 49-1 Commands for Monitoring and Maintaining MSDP Command Purpose debug ip msdp [peer-address | name] [detail] [routes] Debugs an MSDP activity. debug ip msdp resets Debugs MSDP peer reset reasons.
CH A P T E R 50 Configuring Fallback Bridging This chapter describes how to configure fallback bridging (VLAN bridging) on the Catalyst 3750-X or 3560-X switch. With fallback bridging, you can forward non-IP packets that the switch does not route between VLAN bridge domains and routed ports. To use this feature, the switch or stack master must be running the IP services feature set.
Chapter 50 Configuring Fallback Bridging Understanding Fallback Bridging A bridge group is an internal organization of network interfaces on a switch. You cannot use bridge groups to identify traffic switched within the bridge group outside the switch on which they are defined. Bridge groups on the switch function as distinct bridges; that is, bridged traffic and bridge protocol data units (BPDUs) are not exchanged between different bridge groups on a switch.
Configuring Fallback Bridging Fallback Bridging and Switch Stacks When the stack master fails, a stack member becomes the new stack master by using the election process described in Chapter 5, “Managing Switch Stacks.” The new stack master creates a new VLAN-bridge spanning-tree instance, which temporarily puts the spanning-tree ports used for fallback bridging into a nonforwarding state.
Chapter 50 Configuring Fallback Bridging Configuring Fallback Bridging Fallback Bridging Configuration Guidelines Up to 32 bridge groups can be configured on the switch. An interface (an SVI or routed port) can be a member of only one bridge group. Use a bridge group for each separately bridged (topologically distinct) network connected to the switch. Do not configure fallback bridging on a switch configured with private VLANs.
Command Purpose Step 5 end Return to privileged EXEC mode. Step 6 show running-config Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a bridge group, use the no bridge bridge-group global configuration command. The no bridge bridge-group command automatically removes all SVIs and routed ports from that bridge group.
Chapter 50 Configuring Fallback Bridging Configuring Fallback Bridging Changing the VLAN-Bridge Spanning-Tree Priority You can globally configure the VLAN-bridge spanning-tree priority of a switch when it ties with another switch for the position as the root switch. You also can configure the likelihood that the switch will be selected as the root switch. Beginning in privileged EXEC mode, follow these steps to change the switch priority. This procedure is optional.
Chapter 50 Configuring Fallback Bridging Configuring Fallback Bridging Command Purpose Step 5 show running-config Verify your entry. Step 6 copy running-config startup-config (Optional) Save your entry in the configuration file. To return to the default setting, use the no bridge-group bridge-group priority interface configuration command.
Note Each switch in a spanning tree adopts the interval between hello BPDUs, the forward delay interval, and the maximum idle interval parameters of the root switch, regardless of what its individual configuration might be. Adjusting the Interval between Hello BPDUs Beginning in privileged EXEC mode, follow these steps to adjust the interval between hello BPDUs. This procedure is optional.
Chapter 50 Configuring Fallback Bridging Configuring Fallback Bridging To return to the default setting, use the no bridge bridge-group forward-time global configuration command. This example shows how to change the forward-delay interval to 10 seconds in bridge group 10: Switch(config)# bridge 10 forward-time 10 Changing the Maximum-Idle Interval If a switch does not receive BPDUs from the root switch within a specified interval, it recomputes the spanning-tree topology.
Chapter 50 Configuring Fallback Bridging Monitoring and Maintaining Fallback Bridging Command Purpose Step 5 show running-config Verify your entry. Step 6 copy running-config startup-config (Optional) Save your entry in the configuration file. To re-enable spanning tree on the port, use the no bridge-group bridge-group spanning-disabled interface configuration command.
CH A P T E R 51 Troubleshooting This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Catalyst 3750-X or 3560-X switch. Depending on the nature of the problem, you can use the command-line interface (CLI), the device manager, or Network Assistant to identify and solve problems. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Chapter 51 Troubleshooting Recovering from a Software Failure • Using the show platform forward Command, page 51-22 • Using the crashinfo Files, page 51-24 • Using On-Board Failure Logging, page 51-25 • Troubleshooting Tables, page 51-27 Recovering from a Software Failure Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file.
Chapter 51 Troubleshooting Recovering from a Lost or Forgotten Password Step 7 Connect the switch to a TFTP server through the Ethernet management port. Step 8 Start the file transfer by using TFTP. a. Specify the IP address of the TFTP server: switch: set IP_ADDR ip_address/mask b. Specify the default router: switch: set DEFAULT_ROUTER ip_address Step 9 Copy the software image from the TFTP server to the switch: switch: copy tftp://ip_address/filesystem:/source-file-url flash:image_filename.
Chapter 51 Troubleshooting Recovering from a Lost or Forgotten Password • Connect a PC to the Ethernet management port. If you are recovering the password for a switch stack, connect to the Ethernet management port of a Catalyst 3750-X stack member. For details about using the internal Ethernet management port, see the “Using the Ethernet Management Port” section on page 13-22 and the hardware installation guide. Step 2 Set the line speed on the emulation software to 9600 baud.
Chapter 51 Troubleshooting Recovering from a Lost or Forgotten Password Step 1 Initialize the flash file system: switch: flash_init Step 2 If you had set the console port speed to anything other than 9600, it has been reset to that particular speed. Change the emulation software line speed to match that of the switch console port.
Chapter 51 Troubleshooting Recovering from a Lost or Forgotten Password Step 11 Change the password: Switch (config)# enable secret password The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, and allows spaces but ignores leading spaces.
Chapter 51 Troubleshooting Recovering from a Lost or Forgotten Password Step 1 Elect to continue with password recovery and lose the existing configuration: Would you like to reset the system back to the default configuration (y/n)? Y Step 2 Load any helper files: switch: load_helper Step 3 Display the contents of flash memory: switch: dir flash: The switch file system appears:
Directory of flash:
13 drwx 192 Mar 01 1993 22:30:48 switch_image
16128000 bytes total (10003456 bytes free)
Step 4 Boot
Chapter 51 Troubleshooting Preventing Switch Stack Problems Step 10 You must now reconfigure the switch. If the system administrator has the backup switch and VLAN configuration files available, you should use those. Preventing Switch Stack Problems Note • Make sure that the switches that you add to or remove from the switch stack are powered off. For all powering considerations in switch stacks, see the “Switch Installation” chapter in the hardware installation guide.
Chapter 51 Troubleshooting Recovering from a Command Switch Failure Recovering from a Command Switch Failure This section describes how to recover from a failed command switch. You can configure a redundant command switch group by using the Hot Standby Router Protocol (HSRP). For more information, see Chapter 6, “Clustering Switches” and Chapter 44, “Configuring HSRP.” Also see the Getting Started with Cisco Network Assistant, available on Cisco.
Chapter 51 Troubleshooting Recovering from a Command Switch Failure Step 6 Enter global configuration mode. Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Step 7 Remove the member switch from the cluster. Switch(config)# no cluster commander-address Step 8 Return to privileged EXEC mode. Switch(config)# end Switch# Step 9 Use the setup program to configure the switch IP information. This program prompts you for IP address information and passwords.
Chapter 51 Troubleshooting Recovering from a Command Switch Failure Step 17 Start your browser, and enter the IP address of the new command switch. Step 18 From the Cluster menu, select Add to Cluster to display a list of candidate switches to add to the cluster.
Chapter 51 Troubleshooting Recovering from Lost Cluster Member Connectivity Step 7 Respond to the questions in the setup program. When prompted for the hostname, recall that on a command switch, the hostname is limited to 28 characters. Do not use -n, where n is a number, as the last character in a hostname for any switch. When prompted for the Telnet (virtual terminal) password, recall that it can be from 1 to 25 alphanumeric characters, is case sensitive, allows spaces, but ignores leading spaces.
Chapter 51 Troubleshooting Preventing Autonegotiation Mismatches Preventing Autonegotiation Mismatches The IEEE 802.3ab autonegotiation protocol manages the switch settings for speed (10 Mb/s, 100 Mb/s, and 1000 Mb/s, excluding SFP module ports) and duplex (half or full). There are situations when this protocol can incorrectly align these settings, reducing performance.
Chapter 51 Troubleshooting SFP Module Security and Identification Disabled Port Caused by False Link Up If a Cisco powered device is connected to a port and you configure the port by using the power inline never interface configuration command, a false link up can occur, placing the port into an error-disabled state. To take the port out of the error-disabled state, enter the shutdown and the no shutdown interface configuration commands.
Chapter 51 Troubleshooting Monitoring Temperature Monitoring Temperature The switch monitors the temperature conditions and uses the temperature information to control the fans. Use the show env temperature status privileged EXEC command to display the temperature value, state, and thresholds. The temperature value is the temperature in the switch (not the external temperature).
Chapter 51 Troubleshooting Using Layer 2 Traceroute Note Though other protocol keywords are available with the ping command, they are not supported in this release. This example shows how to ping an IP host:
Switch# ping 172.20.52.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Switch#
Table 51-1 describes the possible ping character output.
Chapter 51 Troubleshooting Using Layer 2 Traceroute Usage Guidelines • Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP. If any devices in the physical path are transparent to CDP, the switch cannot identify the path through these devices. For more information about enabling CDP, see Chapter 29, “Configuring CDP.
Chapter 51 Troubleshooting Using IP Traceroute Using IP Traceroute • Understanding IP Traceroute, page 51-18 • Executing IP Traceroute, page 51-18 Understanding IP Traceroute You can use IP traceroute to identify the path that packets take through the network on a hop-by-hop basis. The command output displays all network layer (Layer 3) devices, such as routers, that the traffic passes through on the way to the destination.
Chapter 51 Troubleshooting Using TDR This example shows how to perform a traceroute to an IP host:
Switch# traceroute ip 171.9.15.10
Type escape sequence to abort.
Tracing the route to 171.69.115.10
1 172.2.52.1 0 msec 0 msec 4 msec
2 172.2.1.203 12 msec 8 msec 0 msec
3 171.9.16.6 4 msec 0 msec 0 msec
4 171.9.4.5 0 msec 4 msec 0 msec
5 171.9.121.34 0 msec 4 msec 4 msec
6 171.9.15.9 120 msec 132 msec 128 msec
7 171.9.15.
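The ping transcript and the IP traceroute transcript above are normally read by eye. As an added example written for this page (not code from the guide or from Cisco), the following Python parses both formats, reports every probe that got no reply, and flags a hop whose best round-trip time jumps sharply from the hop before it, as hop 6 does in the traceroute shown. The lossy ping transcript and the 50 ms threshold are constructed assumptions; the reply-character meanings are the standard IOS ones.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample transcripts constructed from the ping and traceroute examples on this page.
PING_OUTPUT = """\
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.52.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
"""

# Constructed transcript with two lost probes (an assumption, not page output).
PING_LOSSY_OUTPUT = """\
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.52.3, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/2/4 ms
"""

TRACEROUTE_OUTPUT = """\
Type escape sequence to abort.
Tracing the route to 171.69.115.10
  1 172.2.52.1 0 msec 0 msec 4 msec
  2 172.2.1.203 12 msec 8 msec 0 msec
  3 171.9.16.6 4 msec 0 msec 0 msec
  4 171.9.4.5 0 msec 4 msec 0 msec
  5 171.9.121.34 0 msec 4 msec 4 msec
  6 171.9.15.9 120 msec 132 msec 128 msec
"""

# Standard Cisco IOS ping reply characters.
PING_CHARS = {
    "!": "reply received",
    ".": "timed out waiting for a reply",
    "U": "destination unreachable",
    "Q": "source quench",
    "M": "could not fragment",
    "?": "unknown packet type",
    "&": "packet lifetime (TTL) exceeded",
}


@dataclass
class PingResult:
    target: str
    sent: int
    received: int
    success_pct: int
    replies: str                                      # one character per probe, e.g. "!.!.!"
    rtt_min_avg_max: Optional[Tuple[int, int, int]]   # None when no probe answered


_SENDING = re.compile(r"Sending \d+, \d+-byte ICMP Echoe?s to (\S+),")
_RATE = re.compile(r"Success rate is (\d+) percent \((\d+)/(\d+)\)"
                   r"(?:, round-trip min/avg/max = (\d+)/(\d+)/(\d+) ms)?")
_REPLY_LINE = re.compile(r"^[!.UQM?&]+$")


def parse_ping(output: str) -> PingResult:
    target, replies, rate = None, "", None
    for line in output.splitlines():
        line = line.strip()
        if (m := _SENDING.match(line)):
            target = m.group(1)
        elif _REPLY_LINE.match(line):
            replies += line              # a long ping wraps its reply characters over several lines
        elif (m := _RATE.match(line)):
            rate = m
    if target is None or rate is None:
        raise ValueError("not a complete IOS ping transcript")
    rtt = None
    if rate.group(4) is not None:        # the round-trip part is absent at 0 percent success
        rtt = (int(rate.group(4)), int(rate.group(5)), int(rate.group(6)))
    return PingResult(target, int(rate.group(3)), int(rate.group(2)),
                      int(rate.group(1)), replies, rtt)


def ping_failures(result: PingResult) -> List[str]:
    """Reason for every probe that did not get a reply, in probe order."""
    return [PING_CHARS.get(c, "unknown") for c in result.replies if c != "!"]


@dataclass
class Hop:
    number: int
    address: Optional[str]   # None when all probes timed out ("*")
    rtts_ms: List[int]       # only the probes that answered


_HOP = re.compile(r"^\s*(\d+)\s+(\S+)(.*)$")


def parse_traceroute(output: str) -> List[Hop]:
    """Parse hop lines such as '  6 171.9.15.9 120 msec 132 msec 128 msec'."""
    hops = []
    for line in output.splitlines():
        m = _HOP.match(line)
        if not m:
            continue                     # banner lines such as "Tracing the route to ..."
        address = None if m.group(2) == "*" else m.group(2)
        rtts = [int(x) for x in re.findall(r"(\d+) msec", m.group(3))]
        hops.append(Hop(int(m.group(1)), address, rtts))
    return hops


def latency_jumps(hops: List[Hop], threshold_ms: int = 50) -> List[int]:
    """Hop numbers whose best RTT exceeds the previous answering hop's best RTT by more than threshold_ms."""
    flagged, prev_best = [], None
    for hop in hops:
        if not hop.rtts_ms:
            continue                     # a silent hop carries no timing information
        best = min(hop.rtts_ms)
        if prev_best is not None and best - prev_best > threshold_ms:
            flagged.append(hop.number)
        prev_best = best
    return flagged
```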
Chapter 51 Troubleshooting Using Debug Commands TDR can detect these cabling problems: • Open, broken, or cut twisted-pair wires—The wires are not connected to the wires from the remote device. • Shorted twisted-pair wires—The wires are touching each other or the wires from the remote device. For example, a shorted twisted pair can occur if one wire of the twisted pair is soldered to the other wire. If one of the twisted-pair wires is open, TDR can find the length at which the wire is open.
Chapter 51 Troubleshooting Using Debug Commands Note For complete syntax and usage information for specific debug commands, see the command reference for this release. Enabling Debugging on a Specific Feature In a Catalyst 3750-X switch stack, when you enable debugging, it is enabled only on the stack master. To enable debugging on a stack member, you must start a session from the stack master by using the session switch-number privileged EXEC command.
Chapter 51 Troubleshooting Using the show platform forward Command Redirecting Debug and Error Message Output By default, the network server sends the output from debug commands and system error messages to the console. If you use this default, you can use a virtual terminal connection to monitor debug output instead of connecting to the console port or the Ethernet management port. Possible destinations include the console, virtual terminals, internal buffer, and UNIX hosts running a syslog server.
Chapter 51 Troubleshooting Using the show platform forward Command
==========================================
Egress:Asic 2, switch 1
Output Packets:
------------------------------------------
Packet 1
 Lookup     Key-Used
 OutptACL   50_0D020202_0D010101-00_40000014_000A0000
Port      Vlan   SrcMac           DstMac           Cos
Gi1/0/1   0005   0001.0001.0001   0002.0002.0002
------------------------------------------
Packet 2
 Lookup     Key-Used
 OutptACL   50_0D020202_0D010101-00_40000014_000A0000
Port      Vlan   SrcMac           DstMac           Cos
Gi0/2     0005   0001.0001.
Chapter 51 Troubleshooting Using the crashinfo Files This is an example of the output when the packet coming in on port 1 in VLAN 5 has a destination MAC address set to the router MAC address in VLAN 5 and the destination IP address unknown. Because there is no default route set, the packet should be dropped. Switch# show platform forward gigabitethernet1/0/1 vlan 5 1.1.1 03.e319.ee44 ip 13.1.1.1 13.2.2.
Chapter 51 Troubleshooting Using On-Board Failure Logging Basic crashinfo Files The information in the basic file includes the Cisco IOS image name and version that failed, a list of the processor registers, and a stack trace. You can provide this information to the Cisco technical support representative by using the show tech-support privileged EXEC command. Basic crashinfo files are kept in this directory on the flash file system: flash:/crashinfo/.
Chapter 51 Troubleshooting Using On-Board Failure Logging Understanding OBFL By default, OBFL is enabled. It collects information about the switch and small form-factor pluggable (SFP) modules.
Chapter 51 Troubleshooting Troubleshooting Tables In a switch stack, if you enter the hw-module module [switch-number] logging onboard command on a stack member that does not support OBFL, such as a Catalyst 3750 switch, a message appears with that information.
Chapter 51 Troubleshooting Troubleshooting Tables Troubleshooting CPU Utilization This section lists some possible symptoms that could be caused by the CPU being too busy and shows how to verify a CPU utilization problem. Table 51-4 lists the primary types of CPU utilization problems that you can identify. It gives possible causes and corrective action with links to the Troubleshooting High CPU Utilization document on Cisco.com.
Chapter 51 Troubleshooting Troubleshooting Tables Table 51-4 Troubleshooting CPU Utilization Problems Type of Problem Cause Corrective Action Interrupt percentage value is almost as high as total CPU utilization value. The CPU is receiving too many packets from the network. Total CPU utilization is greater than 50% with minimal time spent on interrupts. One or more Cisco IOS processes are consuming too much CPU time. This is usually triggered by an event that activated the process.
Chapter 51 Troubleshooting Troubleshooting Tables Figure 51-1 Power Over Ethernet Troubleshooting Scenarios (continued) Symptom or problem Possible cause and solution No PoE on all ports or a group of ports. If there is a continuous, intermittent, or reoccurring alarm related to power, replace the power supply if possible; it is a field-replaceable unit. Otherwise, replace the switch. Trouble is on all switch ports.
Chapter 51 Troubleshooting Troubleshooting Tables Figure 51-1 Power Over Ethernet Troubleshooting Scenarios (continued) Symptom or problem Possible cause and solution Cisco IP Phone disconnects or resets. Verify all electrical connections from the switch to the powered device. Any unreliable connection results in power interruptions and irregular powered device functioning such as erratic powered device disconnects and reloads.
Chapter 51 Troubleshooting Troubleshooting Tables Troubleshooting Stackwise (Catalyst 3750-X Switches Only) Table 51-5 Switch Stack Troubleshooting Scenarios Symptom/problem How to Verify Problem Possible Cause/Solution General troubleshooting of switch stack issues Review this document. Use the Troubleshooting Switch Stacks document for problem solutions and tutorial information. Switch cannot join stack Enter the show switch privileged EXEC command. Incompatible Cisco IOS versions between
Chapter 51 Troubleshooting Troubleshooting Tables Table 51-5 Switch Stack Troubleshooting Scenarios (continued) Symptom/problem How to Verify Problem Possible Cause/Solution Slow traffic throughput on stack ring Test the switch interface. Defective StackWise switch interface. Note The only solution is to replace the switch. Current stack master is rebooted or disconnected (see Stack Master is Rebooted or Review the rules of stack master election. Problems with stack master election.
CH A P T E R 52 Configuring Online Diagnostics This chapter describes how to configure the online diagnostics on the Catalyst 3750-X or 3560-X switch. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 52 Configuring Online Diagnostics Configuring Online Diagnostics Scheduling Online Diagnostics You can schedule online diagnostics to run at a designated time of day or on a daily, weekly, or monthly basis for a switch. Use the no form of this command to remove the scheduling.
Chapter 52 Configuring Online Diagnostics Configuring Online Diagnostics By default, health monitoring is disabled, but the switch generates a syslog message when a test fails. Beginning in privileged EXEC mode, follow these steps to configure and enable the health-monitoring diagnostic tests: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 52 Configuring Online Diagnostics Running Online Diagnostic Tests Command Purpose Step 5 diagnostic monitor switch number test {name | test-id | test-id-range | all} Enable the specified health-monitoring tests. The switch number keyword is supported only on Catalyst 3750-X switches. The range is from 1 to 9. When specifying the tests, use one of these parameters: • name—Name of the test that appears in the show diagnostic content command output.
Chapter 52 Configuring Online Diagnostics Running Online Diagnostic Tests Starting Online Diagnostic Tests After you configure diagnostic tests to run on the switch, use the diagnostic start privileged EXEC command to begin diagnostic testing. Use this privileged EXEC command to manually start online diagnostic testing: Command Purpose diagnostic start switch number test {name | test-id | test-id-range Start the diagnostic tests. The switch number keyword is supported only on Catalyst 3750-X switches.
Chapter 52 Configuring Online Diagnostics Running Online Diagnostic Tests Table 52-1 Commands for Diagnostic Test Configuration and Results Command Purpose show diagnostic schedule switch [number | all] (1) Display the online diagnostics test schedule. show diagnostic post Display the POST results. (The output is the same as the show post command output.) 1. The switch [number | all] parameter is supported only on Catalyst 3750-X switches.
A P P E N D I X A Supported MIBs This appendix lists the supported management information base (MIBs) for this release on the Catalyst 3750-X or 3560-X switch. It contains these sections: • MIB List, page A-1 • Using FTP to Access the MIB Files, page A-4 MIB List • BRIDGE-MIB Note The BRIDGE-MIB supports the context of a single VLAN. By default, SNMP messages using the configured community string always provide information for VLAN 1.
Appendix A Supported MIBs MIB List • CISCO-HSRP-MIB (not supported on switches running the LAN Base feature set) • CISCO-HSRP-EXT-MIB (partial support) • CISCO-IETF-IP-MIB (Only with the IP services feature set) • CISCO-IETF-IP-FORWARDING-MIB (Only with the IP services feature set) • CISCO-IETF-ISIS-MIB (Only with the IP services feature sets) • CISCO-IF-EXTENSIONS-MIB • CISCO-IGMP-FILTER-MIB • CISCO-IMAGE-MIB (Only stack master feature set details are shown.
Appendix A Supported MIBs MIB List Note • CISCO-VLAN-MEMBERSHIP-MIB • CISCO-VTP-MIB • ENTITY-MIB • ETHERLIKE-MIB • IEEE8021-PAE-MIB • IEEE8023-LAG-MIB • IF-MIB (In and out counters for VLANs are not supported.) • IGMP-MIB • INET-ADDRESS-MIB • IPMROUTE-MIB (not supported on switches running the LAN Base feature set) • OLD-CISCO-CHASSIS-MIB (Partial support on Catalyst 3750-X stacking-capable switches; some objects reflect only the stack master.
Appendix A Supported MIBs Using FTP to Access the MIB Files Using FTP to Access the MIB Files You can get each MIB file by using this procedure: Step 1 Make sure that your FTP client is in passive mode. Note Some FTP clients do not support passive mode. Step 2 Use FTP to access the server ftp.cisco.com. Step 3 Log in with the username anonymous. Step 4 Enter your e-mail username when prompted for the password. Step 5 At the ftp> prompt, change directories to /pub/mibs/v1 and /pub/mibs/v2.
A P P E N D I X B Working with the Cisco IOS File System, Configuration Files, and Software Images This appendix describes how to manipulate the Catalyst 3750-X or 3560-X switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a Catalyst 3750-X or 3560-X switch or to a Catalyst 3750-X switch stack. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System • Changing Directories and Displaying the Working Directory, page B-4 • Creating and Removing Directories, page B-5 • Copying Files, page B-5 • Deleting Files, page B-6 • Creating, Displaying, and Extracting Files, page B-6 Displaying Available File Systems To display the available file systems on your switch, use the show file systems privileged EXEC command as shown i
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Table B-1 show file systems Field Descriptions (continued) Field Value Type Type of file system. flash—The file system is for a flash memory device. nvram—The file system is for a NVRAM device. opaque—The file system is a locally generated pseudo file system (for example, the system) or a download interface, such as brimux. unknown—The file system is an unknown type.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System To display information about files on a file system, use one of the privileged EXEC commands in Table B-2: Table B-2 Commands for Displaying Information About Files Command Description dir [/all] [filesystem:][filename] Display a list of files on a file system. show file systems Display more information about each of the files on a file system.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Creating and Removing Directories Beginning in privileged EXEC mode, follow these steps to create and remove a directory: Step 1 Command Purpose dir filesystem: Display the directories on the specified file system. For filesystem:, use flash: for the system board flash device. Step 2 mkdir old_configs Create a new directory.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Some invalid combinations of source and destination exist.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Beginning in privileged EXEC mode, follow these steps to create a file, display the contents, and extract it. Step 1 Command Purpose archive /create destination-url flash:/file-url Create a file and add files to it. For destination-url, specify the destination URL alias for the local or network file system and the name of the file to create. The -filename.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Step 3 Command Purpose archive /xtract source-url flash:/file-url [dir/file...] Extract a file into a directory on the flash file system. For source-url, specify the source URL alias for the local file system. The -filename.tar is the file from which to extract files.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files This example shows how to display the contents of a configuration file on a TFTP server:
Switch#
!
! Saved
!
version
service
service
service
service
!
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files • Copying Configuration Files By Using RCP, page B-17 • Clearing Configuration Information, page B-20 • Replacing and Rolling Back Configurations, page B-20 Guidelines for Creating and Using Configuration Files Creating configuration files can aid in your switch configuration.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Creating a Configuration File By Using a Text Editor When creating a configuration file, you must list commands logically so that the system can respond appropriately. This is one method of creating a configuration file: Step 1 Copy an existing configuration from a switch to a server.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files • Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation). • For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Uploading the Configuration File By Using TFTP To upload a configuration file from a switch to a TFTP server for storage, follow these steps: Step 1 Verify that the TFTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using TFTP” section on page B-11.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files The username and password must be associated with an account on the FTP server. If you are writing to the server, the FTP server must be properly configured to accept your FTP write request. Use the ip ftp username and ip ftp password commands to specify a username and password for all copies.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Command Purpose Step 4 ip ftp username username (Optional) Change the default remote username. Step 5 ip ftp password password (Optional) Change the default password. Step 6 end Return to privileged EXEC mode.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Uploading a Configuration File By Using FTP Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using FTP: Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using FTP” section on page B-14.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Copying Configuration Files By Using RCP The RCP provides another method of downloading, uploading, and copying configuration files between remote hosts and the switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files • When you upload a file to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files This example shows how to store a startup configuration file on a server:
Switch# configure terminal
Switch(config)# ip rcmd remote-username netadmin2
Switch(config)# end
Switch# copy nvram:startup-config rcp:
Remote host[]? 172.16.101.101
Name of configuration file to write [switch2-confg]?
Write file switch2-confg on host 172.16.101.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Understanding Configuration Replacement and Rollback • Archiving a Configuration, page B-21 • Replacing a Configuration, page B-21 • Rolling Back a Configuration, page B-22 Archiving a Configuration The configuration archive provides a mechanism to store, organize, and manage an archive of configuration files.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Rolling Back a Configuration You can also use the configure replace command to roll back changes that were made since the previous configuration was saved. Instead of basing the rollback operation on a specific set of changes that were applied, the configuration rollback capability reverts to a specific configuration based on a saved configuration file.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Configuring the Configuration Archive Using the configure replace command with the configuration archive and with the archive config command is optional but offers significant benefit for configuration rollback scenarios. Before using the archive config command, you must first configure the configuration archive.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Step 5 Command Purpose configure replace target-url [list] [force] [time seconds] [nolock] Replace the running configuration file with a saved configuration file.
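What the configure replace step above does conceptually, as an added illustration written for this page (it is not Cisco's implementation and not code from this guide): from the running configuration and an archived target, compute the set of commands that converts the one into the other, then re-apply them to check that the result matches the target. The two sample configurations are constructed, and the section model (one level of indented sub-commands, `!` as a block separator) is a simplifying assumption.

```python
from typing import Dict, List, Set

# Constructed sample configurations (not from the page). The running config has
# an extra VLAN, a changed description and a shut-down port relative to the
# archived config that we want to roll back to.
ARCHIVED_CONFIG = """\
hostname Switch1
!
interface GigabitEthernet1/0/1
 description uplink
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
!
ip default-gateway 10.0.0.1
"""

RUNNING_CONFIG = """\
hostname Switch1
!
vlan 99
!
interface GigabitEthernet1/0/1
 description uplink-changed
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 shutdown
!
ip default-gateway 10.0.0.1
"""


def parse_config(text: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {top-level line: [indented sub-commands]}.

    Simplification: a single level of nesting and '!' (or a blank line) ends a block.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None
        elif raw.startswith(" ") and current is not None:
            sections[current].append(stripped)
        else:
            current = stripped
            sections.setdefault(current, [])
    return sections


def replace_commands(running: str, target: str) -> List[str]:
    """Commands that turn `running` into `target`, in the spirit of configure replace."""
    run, tgt = parse_config(running), parse_config(target)
    cmds: List[str] = []
    order = list(run) + [s for s in tgt if s not in run]
    for section in order:
        if section not in tgt:
            cmds.append("no " + section)        # whole block absent from the target
            continue
        have, want = run.get(section, []), tgt[section]
        remove = [l for l in have if l not in want]
        add = [l for l in want if l not in have]
        if section not in run or remove or add:
            cmds.append(section)                # enter the block once, then fix it up
            cmds += [" no " + l for l in remove] + [" " + l for l in add]
    return cmds


def apply_commands(config: str, cmds: List[str]) -> Dict[str, Set[str]]:
    """Apply the generated commands to `config`; returns blocks as sets for order-free comparison."""
    sections = parse_config(config)
    current = None
    for cmd in cmds:
        if cmd.startswith(" "):                  # sub-command inside the current block
            line = cmd.strip()
            if line.startswith("no "):
                sections[current].remove(line[3:])
            else:
                sections[current].append(line)
        elif cmd.startswith("no "):              # remove a whole top-level block
            sections.pop(cmd[3:], None)
        else:
            current = cmd
            sections.setdefault(current, [])
    return {k: set(v) for k, v in sections.items()}


def rollback_is_clean(running: str, target: str) -> bool:
    """True when applying the computed commands to `running` yields exactly `target`."""
    expected = {k: set(v) for k, v in parse_config(target).items()}
    return apply_commands(running, replace_commands(running, target)) == expected
```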
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Working with Software Images This section describes how to archive (download and upload) software image files, which contain the system software, the Cisco IOS code, and the embedded device manager software.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Image Location on the Switch The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management. The image is stored on the system board flash memory (flash:). You can use the show version privileged EXEC command to see the software version that is currently running on your switch.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Table B-3 info File Description (continued) Field Description ios_image_file_size Specifies the Cisco IOS image size in the file, which is an approximate measure of the flash memory that the Cisco IOS image needs.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Preparing to Download or Upload an Image File By Using TFTP Before you begin downloading or uploading an image file by using TFTP, do these tasks: • Ensure that the workstation acting as the TFTP server is properly configured. On a Sun workstation, make sure that the /etc/inetd.conf file contains this line: tftp dgram udp wait root /usr/etc/in.tftpd in.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Command Purpose Step 3 archive download-sw /allow-feature-upgrade [/directory] /overwrite /reload tftp:[[//location]/directory]/image-name1.tar [image-name2.tar image-name3.tar image-name4.tar] (Optional) Download the image files from the TFTP server to the switch, and overwrite the current image.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images The algorithm installs the downloaded image on the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Copying Image Files By Using FTP You can download a switch image from an FTP server or upload the image from the switch to an FTP server. You download a switch image file from a server to upgrade the switch software. You can overwrite the current image with the new one or keep the current image after a download. You upload a switch image file to a server for backup purposes.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Use the ip ftp username and ip ftp password commands to specify a username and password for all copies. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username only for that operation.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Command Purpose Step 7 archive download-sw /allow-feature-upgrade [/directory] /overwrite /reload ftp:[[//[username[:password]@]location]/directory]/image-name1.tar [image-name2.tar image-name3.tar image-name4.tar] (Optional) Download the image files from the FTP server to the switch, and overwrite the current image.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Note If the flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option. If you specify the /leave-old-sw option, the existing files are not removed.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Command Purpose Step 6 end Return to privileged EXEC mode. Step 7 archive upload-sw ftp:[[//[username[:password]@]location]/directory]/image-name.tar Upload the currently running switch image to the FTP server. • For //username:password, specify the username and password. These must be associated with an account on the FTP server.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Preparing to Download or Upload an Image File By Using RCP RCP provides another method of downloading and uploading image files between remote hosts and the switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented. To use RCP to copy files, the server from or to which you will be copying files must support RCP.
If the switch IP address translates to Switch1.company.com, the .rhosts file for User0 on the RCP server should contain this line:
Switch1.company.com Switch1
For more information, see the documentation for your RCP server.
Downloading an Image File By Using RCP
You can download a new image file and replace or keep the current image.
Step 7 archive download-sw [/directory] /leave-old-sw /reload tftp:[[//location]/directory]/image-name1.tar [image-name2.tar image-name3.tar image-name4.tar]
Download the image files from the RCP server to the switch and keep the current image.
• (Optional) The /directory option specifies a directory for the images.
The upload feature should be used only if the web management pages associated with the embedded device manager have been installed with the existing image.
Note To use the archive copy-sw privileged EXEC command, you must have downloaded from a TFTP server the images for both the stack member switch being added and the stack master. You use the archive download-sw privileged EXEC command to perform the download.
Appendix C Unsupported Commands in Cisco IOS Release 12.2(53)SE2
This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Catalyst 3750-X or 3560-X switch prompt but are not supported in this release, either because they are not tested or because of Catalyst 3750-X or 3560-X switch hardware limitations. This is not a complete list. The unsupported commands are listed by software feature and command mode.
Unsupported Route-Map Configuration Commands
match ip address prefix-list prefix-list-name [prefix-list-name...
Debug Commands
Note These commands are supported only on Catalyst 3750-X switches.
IP Multicast Routing
Unsupported Privileged EXEC Commands
clear ip rtp header-compression [type number]
The debug ip packet command displays packets received by the switch CPU. It does not display packets that are hardware-switched.
The debug ip mcache command affects packets received by the switch CPU. It does not display packets that are hardware-switched.
VTP
Unsupported Privileged EXEC Command
vtp {password password | pruning | version number}
Note This command has been replaced by the vtp global configuration command.
Catalyst 3750-X and 3560-X Switch Software Configuration Guide OL-21521-01