Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
Cisco IOS Release 12.2(50)SE
March 2009
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide, OL-13270-03
Preface

Audience

This guide is for the networking professional using the Cisco IOS command-line interface (CLI) to manage the standalone Cisco Catalyst Blade Switch 3130 for Dell or blade switch stack, referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS commands and the switch software features. Before using this guide, you should have experience working with the concepts and terminology of Ethernet and local area networking.
• Square brackets ([ ]) mean optional elements.
• Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
• Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.

Interactive examples use these conventions:
• Terminal sessions and system displays are in screen font.
• Information you enter is in boldface screen font.
• Cisco Catalyst Blade Switch 3130 for Dell and Cisco Catalyst Blade Switch 3032 for Dell Hardware Installation Guide
• Cisco Catalyst Blade Switch 3130 for Dell and Cisco Catalyst Blade Switch 3032 for Dell Getting Started Guide
• Regulatory Compliance and Safety Information for the Cisco Catalyst Blade Switch 3000 Series for Dell
• Device manager online help (available on the switch)
• Getting Started with Cisco Network Assistant
• Release Notes for Cisco Network Assistant
• Installa
Chapter 1 Overview

This chapter provides these topics about the switch software:
• Features, page 1-1
• Default Settings After Initial Switch Configuration, page 1-14
• Network Configuration Examples, page 1-17
• Where to Go Next, page 1-21

The term switch refers to a standalone switch and to a switch stack. In this document, IP refers to IP Version 4 (IPv4) unless there is a specific reference to IP Version 6 (IPv6).

Note: The examples in this document are for a stacking-capable switch.
Features

• IP services feature set, which provides a richer set of enterprise-class intelligent services and full IPv6 support. It includes all IP base features plus full Layer 3 routing (IP unicast routing, IP multicast routing, and fallback bridging). The IP services feature set includes protocols such as the Enhanced Interior Gateway Routing Protocol (EIGRP) and the Open Shortest Path First (OSPF) Protocol.
• Cisco Network Assistant (referred to as Network Assistant) for
  – Managing communities, which are device groups like clusters, except that they can contain routers and access points and can be made more secure.
  – Simplifying and minimizing switch and switch stack management from anywhere in your intranet.
Performance Features

The switch ships with these performance features:
• Cisco EnergyWise to manage the energy usage of power over Ethernet (PoE) entities
• Autosensing of port speed and autonegotiation of duplex mode on all switch ports for optimizing bandwidth
• Automatic-medium-dependent interface crossover (auto-MDIX) capability on 10/100- and 10/100/1000-Mb/s interfaces and on 10/100/1000 BASE-TX SFP module interfaces that enables the interface to automatically detec
• IGMP throttling for configuring the action when the maximum number of entries is in the IGMP forwarding table
• IGMP leave timer for configuring the leave latency for the network
• Switch Database Management (SDM) templates for allocating system resources to maximize support for user-selected features
• Web Cache Communication Protocol (WCCP) for redirecting traffic to wide-area application engines, for enabling content requests to be fulfilled locally, and for localiz
Manageability Features

These are the manageability features:
• CNS embedded agents for automating switch management, configuration storage, and delivery
• DHCP for automating configuration of switch information (such as IP address, default gateway, hostname, and Domain Name System [DNS] and TFTP server names)
• DHCP relay for forwarding User Datagram Protocol (UDP) broadcasts, including IP address requests, from DHCP clients
• DHCP server for automatic assignment of IP
• Secure Copy Protocol (SCP) feature to provide a secure and authenticated method for copying switch configuration or switch image files (requires the cryptographic universal software image)
• Wired location service that sends location and attachment tracking information for connected devices to a Cisco Mobility Services Engine (MSE)
• LLDP-MED network-policy profile time, length, value (TLV) for creating a profile for voice and voice-signalling by specifying the val
• Optional spanning-tree features available in PVST+, rapid-PVST+, and MSTP mode:
  – Port Fast for eliminating the forwarding delay by enabling a port to immediately change from the blocking state to the forwarding state
  – BPDU guard for shutting down Port Fast-enabled ports that receive bridge protocol data units (BPDUs)
  – BPDU filtering for preventing a Port Fast-enabled port from sending or receiving BPDUs
  – Root guard for preventing switches outside the network core from
• Port security on a PVLAN host to limit the number of MAC addresses learned on a port, or define which MAC addresses may be learned on a port
• VLAN Flex Link Load Balancing to provide Layer 2 redundancy without requiring Spanning Tree Protocol (STP). A pair of interfaces configured as primary and backup links can load balance traffic based on VLAN.
• IEEE 802.1x with open access to allow a host to access the network before being authenticated
• IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. These features are supported:
  – Multidomain authentication (MDA) to allow both a data device and a voice device, such as an IP phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.
  – IEEE 802.1x inaccessible authentication bypass. For information about configuring this feature, see the “Configuring the Inaccessible Authentication Bypass Feature” section on page 10-51.
  – Authentication, authorization, and accounting (AAA) down policy for a NAC Layer 2 IP validation of a host if the AAA server is not available when the posture validation occurs. For information about this feature, see the Network Admission Control Software Configuration Guide.
• Out-of-Profile
  – Out-of-profile markdown for packets that exceed bandwidth utilization limits
• Ingress queueing and scheduling
  – Two configurable ingress queues for user traffic (one queue can be the priority queue)
  – Weighted tail drop (WTD) as the congestion-avoidance mechanism for managing the queue lengths and providing drop precedences for different traffic classifications
  – Shaped round robin (SRR) as the scheduling service for specifying the rate at which packets
• VRF Lite for configuring multiple private routing domains for network virtualization and virtual private multicast networks
• Support for these IP services, making them VRF aware so that they can operate on multiple routing instances: HSRP, uRPF, ARP, SNMP, IP SLA, TFTP, FTP, syslog, traceroute, and ping
• Fallback bridging for forwarding non-IP traffic between two or more VLANs (requires the IP services feature set)
• Static IP routing for manually building a routing
Monitoring Features

These are the monitoring features:
• Switch LEDs that provide port- and switch-level status on nonstacking-capable switches
• Switch LEDs that provide port-, switch-, and stack-level status on stacking-capable switches
• MAC address notification traps and RADIUS accounting for tracking users on a network by storing the MAC addresses that the switch has learned or removed
• Switched Port Analyzer (SPAN) and R
Default Settings After Initial Switch Configuration

If you do not configure the switch at all, the switch operates with these default settings:
• Default switch IP address, subnet mask, and default gateway is 0.0.0.0. For more information, see Chapter 3, “Assigning the Switch IP Address and Default Gateway,” and Chapter 22, “Configuring DHCP Features and IP Source Guard.”
• Default domain name is not configured.
  – VTP version is Version 1. For more information, see Chapter 14, “Configuring VTP.”
  – No private VLANs are configured. For more information, see Chapter 16, “Configuring Private VLANs.”
  – Voice VLAN is disabled. For more information, see Chapter 15, “Configuring Voice VLAN.”
• IEEE 802.1Q tunneling and Layer 2 protocol tunneling are disabled. For more information, see Chapter 17, “Configuring IEEE 802.
• No ACLs are configured. For more information, see Chapter 34, “Configuring Network Security with ACLs.”
• QoS is disabled. For more information, see Chapter 36, “Configuring QoS.”
• No EtherChannels are configured. For more information, see Chapter 37, “Configuring EtherChannels and Link-State Tracking.”
• IP unicast routing is disabled. For more information, see Chapter 38, “Configuring IP Unicast Routing.”
• No HSRP groups are configured.
Network Configuration Examples

Table 1-1 describes what can cause network performance to degrade and how you can configure your network to increase the bandwidth available to your network users.
Table 1-2 Providing Network Services (continued)

Network Demands: An evolving demand for IP telephony
Suggested Design Methods:
• Use QoS to prioritize applications such as IP telephony during congestion and to help control both delay and jitter within the network.
• Use switches that support at least two queues per port to prioritize voice and data traffic as either high- or low-priority, based on IEEE 802.1p/Q.
QoS and policing on the switches provide preferential treatment for certain data streams. They segment traffic streams into different paths for processing. Security features on the switch ensure rapid handling of packets. Fault tolerance from the server racks to the core is achieved through dual homing of servers connected to dual switch stacks or the switches, which have redundant Gigabit EtherChannels and cross-stack EtherChannels.
Chapter 1 Overview Where to Go Next When an end station in one VLAN needs to communicate with an end station in another VLAN, a router or Layer 3 switch routes the traffic to the destination VLAN. In this network, the switch stack is providing inter-VLAN routing. VLAN access control lists (VLAN maps) on the switch stack or switch provide intra-VLAN security and prevent unauthorized users from accessing critical areas of the network.
Chapter 1 Overview Where to Go Next Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide 1-22 OL-13270-03
Chapter 2 Using the Command-Line Interface

This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your standalone switch or a switch stack, referred to as the switch.

Understanding Command Modes

Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the hostname Switch.

Table 2-1 Command Mode Summary

Mode: User EXEC
Access Method: Begin a session with your switch.
Prompt: Switch>
Exit Method: Enter logout or quit.
About This Mode: Use this mode to
• Change terminal settings.
• Perform basic tests.

Table 2-1 Command Mode Summary (continued)

Mode: Interface configuration
Access Method: While in global configuration mode, enter the interface command (with a specific interface).
Prompt: Switch(config-if)#
Exit Method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About This Mode: Use this mode to configure parameters for the Ethernet ports.

Table 2-2 Help Summary (continued)

Command: ?
Purpose: List all commands available for a particular command mode. For example: Switch> ?

Command: command ?
Purpose: List the associated keywords for a command. For example: Switch> show ?

Command: command keyword ?
Purpose: List the associated arguments for a keyword.

Understanding CLI Error Messages

Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch.

Table 2-3 Common CLI Error Messages (columns: Error Message, Meaning, How to Get Help)

Error Message: % Ambiguous command: "show con"
Meaning: You did not enter enough characters for your switch to recognize the command.

Using Command History

The software provides a history or record of commands that you have entered. The command history feature is particularly useful for recalling long or complex commands or entries, including access lists.

Disabling the Command History Feature

The command history feature is automatically enabled. You can disable it for the current terminal session or for the command line. These procedures are optional. To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command.

Editing Commands through Keystrokes

Table 2-5 shows the keystrokes that you need to edit command lines. These keystrokes are optional.

Table 2-5 Editing Commands through Keystrokes

Capability: Move around the command line to make changes or corrections.
Keystroke: Press Ctrl-B, or press the left arrow key. Purpose: Move the cursor back one character.
Keystroke: Press Ctrl-F, or press the right arrow key. Purpose: Move the cursor forward one character.

Table 2-5 Editing Commands through Keystrokes (continued)

Capability: Scroll down a line or screen on displays that are longer than the terminal screen can display.
Keystroke: Press the Return key. Purpose: Scroll down one line.
Keystroke: Press the Space bar. Purpose: Scroll down one screen.
Keystroke: Press Ctrl-L or Ctrl-R. Purpose: Redisplay the current command line.

Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the “Editing Commands through Keystrokes” section on page 2-8.

Searching and Filtering Output of show and more Commands

You can search and filter the output for show and more commands.

Accessing the CLI through a Console Connection or through Telnet

Before you can access the CLI, you must connect a terminal or a PC to the switch console or connect a PC to the Ethernet management port and then power on the switch, as described in the hardware installation guide that shipped with your switch.
Chapter 3 Assigning the Switch IP Address and Default Gateway

This chapter describes how to create the initial switch configuration (for example, assigning the IP address and default gateway information) by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

The normal boot process involves the operation of the boot loader software, which performs these activities:
• Performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, its quantity, its speed, and so forth.
• Performs power-on self-test (POST) for the CPU subsystem.

Assigning Switch Information

Note: Stack members retain their IP address when you remove them from a switch stack. To avoid a conflict by having two devices with the same IP address in your network, change the IP address of the switch that you removed from the switch stack.

Use a DHCP server for centralized control and automatic assignment of IP information after the server is configured.

With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your switch. However, you need to configure the DHCP server for various lease options associated with IP addresses. If you are using DHCP to relay the configuration file location on the network, you might also need to configure a Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server.

The DHCP server sends the client a DHCPNAK denial broadcast message, which means that the offered configuration parameters have not been assigned, that an error has occurred during the negotiation of the parameters, or that the client has been slow in responding to the DHCPOFFER message (the DHCP server assigned the parameters to another client).

Limitations and Restrictions

These are the limitations:
• The DHCP-based autoconfiguration with a saved configuration process stops if there is not at least one Layer 3 interface in an up state without an assigned IP address in the network.
• Unless you configure a timeout, the DHCP-based autoconfiguration with a saved configuration feature tries indefinitely to download an IP address.

• Hostname (optional)

Depending on the settings of the DHCP server, the switch can receive IP address information, the configuration file, or both. If you do not configure the DHCP server with the lease options described previously, it replies to client requests with only those parameters that are configured. If the IP address and the subnet mask are not in the reply, the switch is not configured.

Configuring the Relay Device

You must configure a relay device, also referred to as a relay agent, when a switch sends broadcast packets that require a response from a host on a different LAN. Examples of broadcast packets that the switch might send are DHCP, DNS, and in some cases, TFTP packets. You must configure this relay device to forward received broadcast packets on an interface to the destination host.

• The IP address and the configuration filename are reserved for the switch, but the TFTP server address is not provided in the DHCP reply (one-file read method). The switch receives its IP address, subnet mask, and the configuration filename from the DHCP server.

Table 3-2 shows the configuration of the reserved leases on the DHCP server.

Table 3-2 DHCP Server Configuration

                                Switch A        Switch B        Switch C        Switch D
Binding key (hardware address)  00e0.9f1e.2001  00e0.9f1e.2002  00e0.9f1e.2003  00e0.9f1e.2004
IP address                      10.0.0.21       10.0.0.22       10.0.0.23       10.0.0.24
Subnet mask                     255.255.255.0   255.255.255.0   255.255.255.0   255.255.255.0
Router address                  10.0.0.10       10.0.0.

• It reads its host table by indexing its IP address 10.0.0.21 to its hostname (switcha).
• It reads the configuration file that corresponds to its hostname; for example, it reads switch1-confg from the TFTP server.

Switches B through D retrieve their configuration files and IP addresses in the same way.

Switch(dhcp-config)# default-router 10.10.10.1
Switch(dhcp-config)# option 150 10.10.10.1
Switch(dhcp-config)# exit
Switch(config)# tftp-server flash:config-boot.text
Switch(config)# interface gigabitethernet1/0/4
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.10.10.1 255.255.255.

This example shows how to configure a switch as a DHCP server so it downloads a configuration file:

Switch# configure terminal
Switch(config)# ip dhcp pool pool1
Switch(dhcp-config)# network 10.10.10.0 255.255.255.0
Switch(dhcp-config)# bootfile config-boot.text
Switch(dhcp-config)# default-router 10.10.10.1
Switch(dhcp-config)# option 150 10.10.10.1
Switch(dhcp-config)# option 125 hex 0000.0009.0a05.08661.7574.
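The lookup chain that the DHCP-based autoconfiguration sections above describe (reserved lease found by hardware address, IP address mapped to a hostname through the host table, configuration file fetched from the TFTP server named by option 150) is easier to reason about when modelled end to end. The following Python is an added example written for this page, not code from the Cisco guide or from the switch software: the reserved leases follow Table 3-2 (the router address for switches B through D is cut off on the page and is assumed to equal switch A's), the host table entries other than switcha, the TFTP server address and the hostname-confg file naming convention are assumptions, and option 150 is encoded as the RFC 5859 TFTP server address list.

```python
"""DHCP-based autoconfiguration lookup chain, modelled in Python.

Added example; not from the Cisco guide. Reserved leases follow Table 3-2;
the host table, TFTP server and config-file naming convention are assumptions.
"""
import ipaddress

# Reserved leases keyed by binding key (hardware address), from Table 3-2.
# Router address for switches B-D is cut off on the page; assumed 10.0.0.10.
RESERVED_LEASES = {
    "00e0.9f1e.2001": {"ip": "10.0.0.21", "mask": "255.255.255.0", "router": "10.0.0.10"},
    "00e0.9f1e.2002": {"ip": "10.0.0.22", "mask": "255.255.255.0", "router": "10.0.0.10"},
    "00e0.9f1e.2003": {"ip": "10.0.0.23", "mask": "255.255.255.0", "router": "10.0.0.10"},
    "00e0.9f1e.2004": {"ip": "10.0.0.24", "mask": "255.255.255.0", "router": "10.0.0.10"},
}

# Host table (IP address -> hostname). Only switcha is on the page; the rest is constructed.
HOST_TABLE = {
    "10.0.0.21": "switcha",
    "10.0.0.22": "switchb",
    "10.0.0.23": "switchc",
    "10.0.0.24": "switchd",
}


def encode_option_150(tftp_servers):
    """DHCP option 150 (TFTP server address list, RFC 5859): tag, length, IPv4 addresses."""
    if not tftp_servers:
        raise ValueError("option 150 needs at least one address")
    payload = b"".join(ipaddress.IPv4Address(s).packed for s in tftp_servers)
    return bytes([150, len(payload)]) + payload


def decode_option_150(data):
    """Inverse of encode_option_150; rejects a wrong tag or a length that is not a multiple of 4."""
    if len(data) < 2 or data[0] != 150 or data[1] != len(data) - 2 or data[1] % 4:
        raise ValueError("malformed option 150")
    body = data[2:]
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, len(body), 4)]


def dhcp_reply_for(hardware_address, tftp_server=None):
    """Reply the server would build for a reserved lease; None if the client is unbound."""
    lease = RESERVED_LEASES.get(hardware_address)
    if lease is None:
        return None
    reply = dict(lease)
    if tftp_server is not None:
        reply["option150"] = encode_option_150([tftp_server])
    return reply


def autoconfigure(hardware_address, tftp_server=None):
    """Walk lease -> host table -> configuration file name.

    As the page states, without both an IP address and a subnet mask the
    switch stays unconfigured.
    """
    reply = dhcp_reply_for(hardware_address, tftp_server)
    if reply is None or "ip" not in reply or "mask" not in reply:
        return {"configured": False}
    hostname = HOST_TABLE.get(reply["ip"])
    # <hostname>-confg is the assumed naming convention for the file read from TFTP.
    config_file = f"{hostname}-confg" if hostname else None
    servers = decode_option_150(reply["option150"]) if "option150" in reply else []
    return {
        "configured": True,
        "ip": reply["ip"],
        "mask": reply["mask"],
        "router": reply["router"],
        "hostname": hostname,
        "config_file": config_file,
        "tftp_servers": servers,
    }


if __name__ == "__main__":
    # 10.0.0.3 is a constructed TFTP server address.
    print(autoconfigure("00e0.9f1e.2001", tftp_server="10.0.0.3"))
```

An unknown hardware address, or a reply missing the mask, leaves the result at configured: False, which mirrors the statement above that the switch is not configured unless both the IP address and the subnet mask arrive in the reply.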
Manual Boot:                     no
HELPER path-list:
NVRAM/Config file buffer size:   32768
Timeout for Config Download:     300 seconds
Config Download via DHCP:        enabled (next boot: enabled)
Switch#

Note: You should only configure and enable the Layer 3 interface. Do not assign an IP address or DHCP-based autoconfiguration with a saved configuration.

All VLAN interfaces have assigned MAC addresses that are derived from the base MAC address. The base MAC address is the hardware address that is on the switch label. It also appears when you enter the show version privileged EXEC command. On the first VLAN interface (VLAN 1), the MAC address is the base MAC address + 0x40.
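To check a VLAN interface address against the base MAC address on the switch label, the offset arithmetic has to be done on the 48-bit value behind the dotted notation. This Python is an added example, not code from the Cisco guide: the page gives only the VLAN 1 offset (0x40), so the offset is a parameter, and the base addresses used in the test are constructed.

```python
"""Derive a VLAN interface MAC address from the switch base MAC address.

Added example; not from the Cisco guide. Only the VLAN 1 offset (0x40) is
stated on the page; other offsets are left to the caller.
"""
MAC_MASK = 0xFFFFFFFFFFFF  # 48 bits


def parse_mac(mac):
    """Accept Cisco dotted (00e0.9f1e.2001), colon or hyphen notation; return an int."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def format_mac(value):
    """Format a 48-bit integer in Cisco dotted notation (xxxx.xxxx.xxxx)."""
    h = f"{value & MAC_MASK:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def vlan_interface_mac(base_mac, offset=0x40):
    """Base MAC + offset, wrapping within 48 bits; 0x40 is the VLAN 1 offset on the page."""
    if offset < 0:
        raise ValueError("offset must be non-negative")
    return format_mac(parse_mac(base_mac) + offset)


if __name__ == "__main__":
    # Constructed base address.
    print(vlan_interface_mac("00e0.9f1e.2001"))
```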
Modifying the Startup Configuration

snmp-server community private@es0 RW
snmp-server community public@es0 RO
snmp-server chassis-id 0x12
!
end

To store the configuration or changes you have made to your startup configuration in flash memory, enter this privileged EXEC command:

Switch# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...

Default Boot Configuration

Table 3-3 shows the default boot configuration.

Table 3-3 Default Boot Configuration

Feature: Operating system software image
Default Setting: The switch attempts to automatically boot up the system using information in the BOOT environment variable.

Step 4: show boot
  Purpose: Verify your entries. The boot config-file global configuration command changes the setting of the CONFIG_FILE environment variable.
Step 5: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.

To return to the default setting, use the no boot config-file global configuration command.

Beginning in privileged EXEC mode, follow these steps to configure the switch to boot up a specific image during the next boot cycle:

Step 1: configure terminal
  Purpose: Enter global configuration mode.
Step 2: boot system filesystem:/file-url
  Purpose: Configure the switch to boot up a specific image in flash memory during the next boot cycle.

Each line in these files contains an environment variable name and an equal sign followed by the value of the variable. A variable has no value if it is not listed in this file; it has a value if it is listed in the file even if the value is a null string. A variable that is set to a null string (for example, “ ”) is a variable with a value. Many environment variables are predefined and have default values.
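The distinction the paragraph above draws (a variable that is absent has no value; a variable listed with a null string has a value) is exactly the one a tool that audits these files must preserve, and it is where a naive "skip empty values" parser goes wrong. The following Python parser is an added example, not code from the Cisco guide or the boot loader; the file content is constructed and the image path is a placeholder.

```python
"""Parser for the one-variable-per-line NAME=value file format described above.

Added example; not from the Cisco guide. SAMPLE_ENV_FILE is constructed and
the image path is a placeholder.
"""

SAMPLE_ENV_FILE = """BOOT=flash:/PLACEHOLDER-IMAGE.bin
CONFIG_FILE=
SWITCH_NUMBER=1
"""


def parse_env_file(text):
    """Return {name: value}. A variable listed with an empty value is present with value ''.

    A line without '=' is rejected rather than skipped, so a corrupted file
    cannot silently leave a variable unset.
    """
    env = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"line {lineno}: expected NAME=value, got {raw!r}")
        env[name] = value  # value kept verbatim; a null string is a legitimate value
    return env


def has_value(env, name):
    """True if the variable is listed at all; a null string still counts as a value."""
    return name in env


def serialize_env(env):
    """Write the mapping back in the same one-variable-per-line form."""
    return "".join(f"{name}={value}\n" for name, value in env.items())


if __name__ == "__main__":
    env = parse_env_file(SAMPLE_ENV_FILE)
    print(env, has_value(env, "CONFIG_FILE"), has_value(env, "MANUAL_BOOT"))
```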
Table 3-4 Environment Variables (continued)

Variable: SWITCH_NUMBER
Boot Loader Command: set SWITCH_NUMBER stack-member-number
  Changes the member number of a stack member.
Cisco IOS Global Configuration Command: switch current-stack-member-number renumber new-stack-member-number
  Changes the member number of a stack member.

Scheduling a Reload of the Software Image

Configuring a Scheduled Reload

To configure your switch to reload the software image at a later time, use one of these commands in privileged EXEC mode:
• reload in [hh:]mm [text]
  This command schedules a reload of the software to take effect in the specified minutes or hours and minutes. The reload must take place within approximately 24 days.

Displaying Scheduled Reload Information

To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch, use the show reload privileged EXEC command. It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled).
Chapter 4 Configuring Cisco EnergyWise

Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. The switch command reference has command syntax and usage information.
• Managing Single Entities, page 4-1
• Managing Multiple Entities, page 4-12
• Troubleshooting EnergyWise, page 4-16
• Additional Information, page 4-18

For more information about EnergyWise, go to http://www.cisco.com/en/US/products/ps10195/tsd_products_support_series_home.html.

Managing Single Entities

EnergyWise uses a distributed model to manage energy usage.
• Switches are grouped in an EnergyWise domain and become domain entities. They receive messages from and send them to other domain entities.
• An entity in the EnergyWise domain responds to queries.
• An entity participating in EnergyWise controls the power usage of connected PoE devices, such as an IP phone, an IP camera, or a PoE-enabled device.

Figure 4-1 Typical Network (figure; callouts 1 Entity managing power usage, 2 Domain, 3 Entities; shows an SNMP manager, Catalyst 6500 switches, Catalyst non-PoE switches, Catalyst PoE switches, an IP phone, an access point, a Cisco IP camera, and a wireless controller)

Single PoE Switch Scenario

Managing the power usage when
• A PoE entity powers on or off the connected entities.

Figure 4-2 Single PoE Switch Example (figure; callouts 1 Entity managing power usage, 2 Domain, 3 Entities; shows Catalyst PoE switches, Catalyst non-PoE switches, a router, a WAN, IP phones, and a Cisco IP camera)

EnergyWise Power Level

The EnergyWise power level is for both a PoE port and a switch. The range is from 0 to 10. The default power level is 10.

EnergyWise Importance

Set the EnergyWise importance value on a PoE port or a switch to rank domain entities. The range is from 1 to 100. The default importance value is 1.

EnergyWise Names, Roles, and Keywords

Set an EnergyWise-specific entity name to identify the domain entity.
• For a PoE port, the default is a short version of the port name; for example, Gi1.0.2 for Gigabit Ethernet 1/0/2.
• For a switch, the default is the hostname.

Manually Managing Power

• Powering the Entity, page 4-6
• Configuring Entity Attributes, page 4-7
• Powering the PoE Port, page 4-8
• Configuring PoE-Port Attributes, page 4-8

Powering the Entity

Beginning in privileged EXEC mode:

Step 1: show energywise
  Purpose: (Optional) Verify that EnergyWise is disabled.
Step 2: configure terminal
  Purpose: Enter global configuration mode.

Configuring Entity Attributes

Beginning in privileged EXEC mode:

Step 1: show energywise
  Purpose: (Optional) Verify that EnergyWise is enabled.
Step 2: configure terminal
  Purpose: Enter global configuration mode.
Step 3: energywise importance importance
  Purpose: (Optional) Set the importance of the entity. The range is from 1 to 100. The default is 1.
Step 4: energywise keywords word,word,...

Step 10: show energywise
         show energywise domain
  Purpose: Verify your entries.
Step 11: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.

Powering the PoE Port

Beginning in privileged EXEC mode:

Step 1: configure terminal
  Purpose: Enter global configuration mode.

Step 4: energywise keywords word,word,...
  Purpose: (Optional) Assign at least one keyword for the port. When assigning multiple keywords, separate the keywords with commas, and do not use spaces between keywords.
  • You can enter alphanumeric characters and symbols such as #, (, %, !, or &.
  • Do not use an asterisk (*) or a blank space between the characters and symbols.
  By default, no keywords are defined.

Step 3: energywise domain domain-name secret [0 | 7] password [protocol udp port udp-port-number [interface interface-id | ip ip-address]]
  Purpose: Enable EnergyWise on the entity, assign the entity to a domain with the specified domain-name, and set the password for secure communication among the entities in the domain.
  • (Optional) 0—Use an unencrypted password. This is the default.
  • (Optional) 7—Use a hidden password.

Step 6: energywise level 0 recurrence importance importance at minute hour day_of_month month day_of_week
  Purpose: (Optional) Schedule the power-off recurrence.
  • importance importance—Set the importance of the port in the domain. The range is from 1 to 100. The default is 1.
  • minute—The range is from 0 to 59. Use * for the wildcard.
  • hour—The range is from 0 to 23. Use * for the wildcard.

To power on the lab IP phones now:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# energywise domain cisco secret cisco protocol udp port 43440 ip 2.2.4.44
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# energywise importance 65
Switch(config-if)# energywise name labphone.5
Switch(config-if)# energywise role role.

Managing Multiple Entities

Multiple PoE Switch Scenario

Figure 4-3 Multiple PoE Switches Example (figure; callouts 1 Entity managing power usage, 2 Domain, 3 Entities; shows Catalyst PoE switches, Catalyst non-PoE switches, routers, a WAN, IP phones, and a Cisco IP camera)

EnergyWise Query

• Collect power usage information.

Use EnergyWise importance values to select entities in a query. For example, an office phone is less important than an emergency phone that should never be in sleep mode. Query results show entities, such as PoE ports, with importance values less than or equal to the specified value in the query. The entity sending a query to all domain entities receives the results.

Step 2: energywise query importance importance {keywords word,word,... | name name} set level level
  Purpose: (Optional) Run a query to power on or power off the domain entities or PoE ports.
  Caution: Use this query with care because it affects the entity on which you enter the command and other domain entities that match the query criteria.
  • importance importance—Filter the results based on the importance value.

Troubleshooting EnergyWise

Querying with Keywords

To show the power usage of IP phones with different names, different roles, and importance values less than or equal to 80, but all with the Admin keyword, run this query on Switch 1:

Switch# energywise query importance 80 keyword Admin collect usage
EnergyWise query, timeout is 3 seconds:
Host          Name        Usage
----          ----        -----
192.168.40.2  shipping.1  6.3 (W)
192.168.50.2  orders.1    10.3 (W)
Queried: 2  Responded: 2  Time: 0.
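Two rules from the sections above are worth checking in code before they are typed into a production switch: the keyword syntax (comma separated, no spaces, no asterisk) from the energywise keywords step, and the query semantics from the EnergyWise Query section (an entity is selected only if its importance is less than or equal to the query value and it carries the keyword, so a high-importance emergency phone is never touched by a low-importance query). The following Python is an added example written for this page, not code from the Cisco guide or from the switch; the entity records are constructed, with the first two mirroring the hosts, names and usage in the query output above and a third, higher-importance entity added to show the filter excluding it.

```python
"""EnergyWise keyword rules and importance-filtered query, modelled in Python.

Added example; not from the Cisco guide. ENTITIES is constructed.
"""


def parse_keywords(spec):
    """Split the word,word,... form from the page: commas separate keywords; no spaces, no '*'."""
    words = spec.split(",")
    for word in words:
        if not word:
            raise ValueError("empty keyword (check for stray commas)")
        if " " in word or "*" in word:
            raise ValueError(f"keyword {word!r} may not contain a space or an asterisk")
    return words


# Constructed domain entities (PoE ports with attached phones).
ENTITIES = [
    {"host": "192.168.40.2", "name": "shipping.1", "importance": 50,
     "keywords": parse_keywords("Admin"), "usage_w": 6.3},
    {"host": "192.168.50.2", "name": "orders.1", "importance": 75,
     "keywords": parse_keywords("Admin,Sales"), "usage_w": 10.3},
    {"host": "192.168.60.2", "name": "emergency.1", "importance": 100,
     "keywords": parse_keywords("Admin,Emergency"), "usage_w": 7.0},
]


def query_usage(entities, importance, keyword):
    """Entities with importance <= the query value that carry the keyword, with their usage."""
    if not 1 <= importance <= 100:
        raise ValueError("importance must be in the range 1 to 100")
    matched = [e for e in entities
               if e["importance"] <= importance and keyword in e["keywords"]]
    return {
        "queried": len(matched),
        "rows": [(e["host"], e["name"], e["usage_w"]) for e in matched],
        "total_w": round(sum(e["usage_w"] for e in matched), 1),
    }


def render(result):
    """Lay the result out like the show output above."""
    lines = ["Host          Name        Usage", "----          ----        -----"]
    for host, name, usage in result["rows"]:
        lines.append(f"{host:<13} {name:<11} {usage} (W)")
    lines.append(f"Queried: {result['queried']}  Total: {result['total_w']} (W)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(query_usage(ENTITIES, 80, "Admin")))
```

With importance 80 the emergency phone (importance 100) is excluded even though it carries the Admin keyword; only a query at importance 100 reaches it, which is the protection the page describes.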
Using CLI Commands

Table 4-2 EnergyWise Commands

clear energywise neighbors (privileged EXEC): Delete the EnergyWise neighbor tables on the entity. It immediately discovers the neighbors and recreates the table.
no energywise (interface configuration): Disable EnergyWise on the PoE port.
no energywise domain (global configuration): Disable EnergyWise on the entity.

Additional Information

• Managing Power in a LAN, page 4-18
• Managing Power with IP Routing, page 4-18

Managing Power in a LAN

Multiple switches connected in the same LAN and in the same EnergyWise domain.

Figure 4-5 EnergyWise with IP Routing (figure; LAN 10 with Switch 1 at 192.168.1.2 and Switch 3 at 192.168.1.3, Router A with interfaces 192.168.1.1/24 and 192.168.2.1/24, and LAN 20 with Switch 2 at 192.168.2.2)

On Switch 1, to prevent a disjointed domain, manually assign Switch 2 as a static neighbor or the reverse.

Switch(config)# energywise neighbor 192.168.2.2 43440

Switch 1 discovers Switch 3 as a neighbor because they are in the same LAN.

Note: To prevent a disjointed domain, you can also configure a helper address on Router A and specify that the router use UDP to forward broadcast packets, with the ip helper-address address interface configuration command and the ip forward-protocol udp [port] global configuration command.
Chapter 5 Configuring Cisco IOS Configuration Engine

This chapter describes how to configure the feature on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Note: For complete configuration information for the Cisco Configuration Engine, go to http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.

Understanding Cisco Configuration Engine Software

Figure 5-1 Configuration Engine Architectural Overview (figure; shows the service provider network, the Configuration Engine with its data service directory, configuration server and event service, a web-based user interface, and order entry configuration management)

These sections contain this conceptual information:
• Configuration Service, page 5-2
• Event Service, page 5-3
• What You Should Know About the CNS IDs and Device Ho

Event Service

The Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine. The Event Service is a highly capable publish-and-subscribe communication method.

DeviceID

Each configured switch participating on the event bus has a unique DeviceID, which is analogous to the switch source address so that the switch can be targeted as a specific destination on the bus. All switches configured with the cns config partial global configuration command must access the event bus.

Understanding Cisco IOS Agents

The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent.

Incremental (Partial) Configuration

After the network is running, new services can be added by using the Cisco IOS agent. Incremental (partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation.

Enabling Automated CNS Configuration

To enable automated CNS configuration of the switch, you must first complete the prerequisites in Table 5-1. When you complete them, power on the switch. At the setup prompt, do nothing: the switch begins the initial configuration as described in the “Initial Configuration” section on page 5-5. When the full configuration file is loaded on your switch, you need to do nothing else.

Enabling the CNS Event Agent

Note: You must enable the CNS event agent on the switch before you enable the CNS configuration agent.

Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:

Step 1: configure terminal
  Purpose: Enter global configuration mode.

Enabling the Cisco IOS CNS Agent

After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands:
• The cns config initial global configuration command enables the Cisco IOS agent and initiates an initial configuration on the switch.

Step 7: discover {controller controller-type | dlci [subinterface subinterface-number] | interface [interface-type] | line line-type}
  Purpose: Specify the interface parameters in the CNS connect profile.
  • For controller controller-type, enter the controller type.
  • For dlci, enter the active data-link connection identifiers (DLCIs).

Step 13: cns id interface num {dns-reverse | ipaddress | mac-address} [event] [image]
  or
  Purpose: (Optional) Set the unique EventID or ConfigID used by the Configuration Engine.
  • For interface num, enter the type of interface, for example, ethernet, group-async, loopback, or virtual-template. This setting specifies from which interface the IP or MAC address should be retrieved to define the unique ID.

Step 14: cns config initial {hostname | ip-address} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check]
  Purpose: Enable the Cisco IOS agent, and initiate an initial configuration.
  • For {hostname | ip-address}, enter the hostname or the IP address of the configuration server.
  • (Optional) For port-number, enter the port number of the configuration server.

This example shows how to configure an initial configuration on a remote switch when the switch IP address is known. The Configuration Engine IP address is 172.28.129.22.

Switch(config)# cns template connect template-dhcp
Switch(config-tmpl-conn)# cli ip address dhcp
Switch(config-tmpl-conn)# exit
Switch(config)# cns template connect ip-route
Switch(config-tmpl-conn)# cli ip route 0.0.0.0 0.0.0.

Displaying CNS Configuration

You can use the privileged EXEC commands in Table 5-2 to display CNS configuration information.

Table 5-2 Displaying CNS Configuration

show cns config connections: Displays the status of the CNS Cisco IOS agent connections.
show cns config outstanding: Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
CH A P T E R 6 Managing Switch Stacks This chapter provides the concepts and procedures to manage switch stacks. Note The switch command reference has command syntax and usage information.
Chapter 6 Managing Switch Stacks Understanding Switch Stacks All stack members are eligible to be stack masters. If the stack master becomes unavailable, the remaining stack members elect a new stack master from among themselves. The switch with the highest stack member priority value becomes the new stack master. The system-level features supported on the stack master are supported on the entire switch stack.
Chapter 6 Managing Switch Stacks Understanding Switch Stacks – Switch Stack Management Connectivity, page 6-18 – Switch Stack Configuration Scenarios, page 6-19 Switch Stack Membership A switch stack has up to nine stack members connected through their StackWise Plus ports. A switch stack always has one stack master. A standalone switch is a switch stack with one stack member that also operates as the stack master.
Figure 6-1 Creating a Switch Stack from Two Standalone Switches in Two Enclosures (diagram; labels: Enclosure 1, Enclosure 2, Blade switch, Stack member 1, Stack member 2 and stack master)

Figure 6-2 Creating a Switch Stack from Two Standalone Switches in the Same Enclosure (diagram; labels: Enclosure, Blade switch, Stack member 1, Stack member 2 and stack master)

Figure 6-3 Adding a Standalone Switch to a Switch Stack (diagram; labels: Enclosure 1, Enclosure 2, Blade switch, Stack member 1 and stack master, Stack member 2, Stack member 3, Stack member 4)
4. The switch with the higher priority feature set and software image combination.

Switch Stack Bridge ID and Router MAC Address

The bridge ID and router MAC address identify the switch stack in the network. When the switch stack initializes, the MAC address of the stack master determines the bridge ID and router MAC address. If the stack master changes, the MAC address of the new stack master determines the new bridge ID and router MAC address.

Stack Member Priority Values

A higher priority value for a stack member increases its likelihood of being elected stack master and retaining its stack member number. The priority value can be 1 to 15. The default priority value is 1. You can display the stack member priority value by using the show switch user EXEC command.

Note: We recommend assigning the highest priority value to the switch that you prefer to be the stack master.
Effects of Adding a Provisioned Switch to a Switch Stack

When you add a provisioned switch to the switch stack, the stack applies either the provisioned configuration or the default configuration. Table 6-1 lists the events that occur when the switch stack compares the provisioned configuration with the provisioned switch.

Table 6-1 Results of Comparing the Provisioned Configuration with the Provisioned Switch (continued)

Scenario: The stack member number of the provisioned switch is not found in the provisioned configuration.
Result: The switch stack applies the default configuration to the provisioned switch and adds it to the stack.
Hardware Compatibility and SDM Mismatch Mode in Switch Stacks

The switch supports only the desktop Switch Database Management (SDM) templates. All stack members use the SDM template configured on the stack master. Version-mismatch (VM) mode has priority over SDM-mismatch mode. If both a VM-mode condition and an SDM-mismatch condition exist, the switch stack first attempts to resolve the VM-mode condition.

Minor Version Number Incompatibility Among Switches

Switches with the same major version number but with a different minor version number are considered partially compatible. When connected to a switch stack, a partially compatible switch enters version-mismatch (VM) mode and cannot join the stack as a fully functioning member.

Note:
• Auto-upgrade performs the upgrade only when the two feature sets are the same type. For example, it does not automatically upgrade a switch in VM mode from the IP services feature set to the IP base feature set (or the reverse) or from a cryptographic universal software image to a noncryptographic universal software image (or the reverse).
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting cbs31x0-universal-mz.122-40.EX1/info (450 bytes)
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting info (104 bytes)
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:Stacking Version Number:1.4
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:System Type: 0x00000000
*Mar 11 20:36:15.

*Mar 1 00:03:15.554:%IMAGEMGR-6-AUTO_COPY_SW:as software donor...
*Mar 1 00:03:15.554:%IMAGEMGR-6-AUTO_COPY_SW:Software was not copied
*Mar 1 00:03:15.562:%IMAGEMGR-6-AUTO_ADVISE_SW_INITIATED:Auto-advise-software process initiated for switch number(s) 1
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:Systems with incompatible software
*Mar 1 00:04:22.
When a new, out-of-box switch joins a switch stack, it uses the system-level settings of that switch stack. If a switch is moved to a different switch stack, that switch loses its saved configuration file and uses the system-level configuration of the new switch stack. The interface-specific configuration of each stack member is associated with the stack member number.

• “Multicast Routing and Switch Stacks” section on page 44-10
• “Fallback Bridging and Switch Stacks” section on page 46-3

Switch Stack Management Connectivity

You manage the switch stack and the stack member interfaces through the stack master. You can use the CLI, SNMP, Network Assistant, and CiscoWorks network management applications. You cannot manage stack members on an individual switch basis.

Be careful when using multiple CLI sessions to the stack master. Commands that you enter in one session are not displayed in the other sessions. Therefore, it is possible that you might not be able to identify the session from which you entered a command. We recommend using only one CLI session when managing the switch stack.
Table 6-2 Switch Stack Configuration Scenarios (continued)

Scenario: Stack master election specifically determined by the cryptographic software image and the IP services feature set
Scenario: Stack master election specifically determined by the cryptographic software image and the IP base feature set
Result: Assuming that all stack members have the same priority value: 1.

Scenario: Stack master failure. Remove (or power off) the stack master.
Result: Based on the factors described in the “Stack Master Election and Re-Election” section on page 6-6, one of the remaining stack members becomes the new stack master.

Scenario: Add more than nine stack members. 1. Through their StackWise Plus ports, connect ten switches. 2. Power on all switches.
the previous stack master does not rejoin the stack during this period, the switch stack takes the MAC address of the new stack master as the stack MAC address. You can also configure stack MAC persistency so that the stack never switches to the MAC address of the new stack master.

Note: When you enter the command to configure this feature, a warning message appears containing the consequences of your configuration.

Step 3. end
        Return to privileged EXEC mode.
Step 4. show running-config
        Verify that the stack MAC address timer is enabled. If enabled, the output shows stack-mac persistent timer and the time in minutes.
   or
Step 5. show switch
        If enabled, the display includes: Mac persistency wait time, the number of minutes configured, and the current stack MAC address.
Beginning in privileged EXEC mode, follow these steps to assign a member number to a stack member. This procedure is optional.

Step 1. configure terminal
        Enter global configuration mode.
Step 2. switch current-stack-member-number renumber new-stack-member-number
        Specify the current stack member number and the new stack member number for the stack member. The range is 1 to 9.

Setting the Stack Member Priority Value

Note: This task is available only from the stack master.

Beginning in privileged EXEC mode, follow these steps to assign a priority value to a stack member. This procedure is optional.

Step 1. configure terminal
        Enter global configuration mode.
Step 2. switch stack-member-number priority new-priority-number
        Specify the stack member number and the new priority for the stack member.

Step 6. show switch stack-member-number
        Verify the status of the provisioned switch. For stack-member-number, enter the same number as in Step 1.
Step 7. copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove provisioned information and to avoid receiving an error message, remove the specified switch from the stack before you use the no form of this command.
Displaying Switch Stack Information

To display saved configuration changes after resetting a specific member or the stack, use these privileged EXEC commands:

Table 6-4 Commands for Displaying Stack Information

show platform stack manager all
    Display all stack information, such as the stack protocol version.
show platform stack ports {buffer | history}
    Display the stack port events and history.

Troubleshooting Stacks

Manually Disabling a Stack Port

If a stack port is flapping and causing instability in the stack ring, to disable the port, enter the switch stack-member-number stack port port-number disable privileged EXEC command. To re-enable the port, enter the switch stack-member-number stack port port-number enable command.

Note: Be careful when using the switch stack-member-number stack port port-number disable command.

Understanding the show switch stack-ports summary Output

Only Port 1 on stack member 2 is disabled.

Identifying Loopback Problems

• Software Loopback, page 6-30
• Software Loopback Example: No Connected Stack Cable, page 6-31
• Software Loopback Examples: Connected Stack Cables, page 6-31
• Hardware Loopback, page 6-32
• Hardware Loopback Example: LINK OK Event, page 6-32
• Hardware Loopback Example: LINK NOT OK Event, page 6-32

Software Loopback

In a stack with three members, stack cables connect all the members.

Switch 1 is a standalone switch.

Hardware Loopback

The show platform stack ports buffer privileged EXEC command output shows the hardware loopback values.
Event type SYNC: Sync changes to Not OK
==============================================================
                    Event       Stack
                    Count       Port
                    =========   =====
Event type: LINK    0000000014  1
                    0000000014  2
Event type: RAC     0000000015  1
                    0000000015  2
Event type: LINK    0000000029  1
                    0000000029  2
Event type: RAC     0000000030  1
                    0000000030  2
Event type: LINK    0000009732  1
                    0000009732  2
Event type: RAC     0000009733  1
                    0000009733  2
Event type: LINK    0000010119  1
                    0000010119  2
Event type: RA
This is now the port status:

Switch# show switch stack-ports summary
Switch#/  Stack   Neighbor  Cable     Link  Link    Sync  # Changes   In
Port#     Port              Length    OK    Active  OK    To LinkOK   Loopback
          Status
--------  ------  --------  --------  ----  ------  ----  ----------  --------
1/1       OK      2         50 cm     Yes   Yes     Yes   1           No
1/2       Absent  None      No cable  No    No      No    2           No
2/1       Down    None      50 cm     No    No      No    2           No
2/2       OK      1         50 cm     Yes   Yes     Yes   1           No

Only one end of the cable connects to a stack port, Port 1 on Swi
Chapter 7 Administering the Switch

This chapter describes how to perform one-time operations to administer the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Managing the System Time and Date

The system clock can provide time to these services:
• User show commands
• Logging and debugging messages

The system clock keeps track of time internally based on Universal Time Coordinated (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight saving time) so that the time appears correctly for the local time zone.

Figure 7-1 shows a typical network example using NTP. Switch A is the NTP master, with Switch E, Switch B, and Switch C configured in NTP server mode, in server association with Switch A. Switch D is configured as an NTP peer to the upstream and downstream switches, Switch E and the blade switch, respectively.

These sections contain this configuration information:
• Default NTP Configuration, page 7-4
• Configuring NTP Authentication, page 7-4
• Configuring NTP Associations, page 7-5
• Configuring NTP Broadcast Service, page 7-6
• Configuring NTP Access Restrictions, page 7-8
• Configuring the Source IP Address for NTP Packets, page 7-10
• Displaying the NTP Configuration, page 7-11

Default NTP Configuration

Table 7-1 shows the
Step 3. ntp authentication-key number md5 value
        Define the authentication keys. By default, none are defined.
        • For number, specify a key number. The range is 1 to 4294967295.
        • md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5).
        • For value, enter an arbitrary string of up to eight characters for the key.

Beginning in privileged EXEC mode, follow these steps to form an NTP association with another device:

Step 1. configure terminal
        Enter global configuration mode.
Step 2. ntp peer ip-address [version number] [key keyid] [source interface] [prefer]
        Configure the switch system clock to synchronize a peer or to be synchronized by a peer (peer association).
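To show what the md5 key from Step 3 and the key keyid option of the association actually protect, here is an added example (not code from the guide) that builds an NTP header, appends the standard NTPv3/v4 symmetric-key authenticator (4-byte key ID plus MD5 of key || header), and checks it on the receiving side the way a switch with authentication enabled would. The key table, the trusted-key set and all packet contents are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed key table, the equivalent of "ntp authentication-key <number> md5 <value>".
# The key strings are made up for this example (the guide limits them to eight characters).
NTP_KEYS = {
    1: b"ntpk3y01",
    2: b"backup02",
}
# Constructed equivalent of "ntp trusted-key 1": only key 1 may authenticate a peer.
TRUSTED_KEYS = {1}

NTP_HEADER_LEN = 48   # fixed NTPv3/v4 header
KEY_ID_LEN = 4
MD5_DIGEST_LEN = 16


def build_ntp_header(version=4, mode=3, stratum=0, tx_timestamp=0):
    """Build a minimal 48-byte NTP header; mode 3 is a client request.

    Only the fields the example needs are filled in; the rest are zero.
    """
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack(
        "!BBBb11I",
        li_vn_mode, stratum, 6, -20,          # LI/VN/mode, stratum, poll, precision
        0, 0, 0,                              # root delay, root dispersion, reference id
        0, 0, 0, 0, 0, 0,                     # reference, origin and receive timestamps
        tx_timestamp >> 32, tx_timestamp & 0xFFFFFFFF,   # transmit timestamp
    )


def ntp_md5_authenticator(key, header):
    """Symmetric-key authenticator used by NTPv3/v4 with an MD5 key: MD5(key || header)."""
    return hashlib.md5(key + header).digest()


def sign_ntp_packet(header, key_id):
    """Append the 4-byte key ID and the 16-byte digest; this is what a peer sends
    when the association is configured with 'key <keyid>'."""
    mac = struct.pack("!I", key_id) + ntp_md5_authenticator(NTP_KEYS[key_id], header)
    return header + mac


def verify_ntp_packet(packet):
    """Receiver-side check. Returns (ok, reason); ok is True only when the
    packet carries a MAC made with a configured *and trusted* key and the
    digest matches. A packet without a MAC is rejected once authentication
    is enabled."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + MD5_DIGEST_LEN:
        return False, "unauthenticated or malformed packet"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    digest = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    key = NTP_KEYS.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}"
    if key_id not in TRUSTED_KEYS:
        return False, f"key id {key_id} not trusted"
    # Constant-time comparison so the check does not leak digest bytes by timing.
    if not hmac.compare_digest(ntp_md5_authenticator(key, header), digest):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    hdr = build_ntp_header(tx_timestamp=(0xD0000000 << 32) | 0x12345678)
    good = sign_ntp_packet(hdr, 1)
    print(len(good), verify_ntp_packet(good))              # 68 (True, 'ok')
    forged = bytearray(good)
    forged[0] ^= 0x01                                      # tamper with the header
    print(verify_ntp_packet(bytes(forged)))                # (False, 'digest mismatch')
```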
The switch can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server, such as a router, broadcasting time information on the network. The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it. The switch can also receive NTP broadcast packets to synchronize its own clock.

Step 5. ntp broadcastdelay microseconds
        (Optional) Change the estimated round-trip delay between the switch and the NTP broadcast server. The default is 3000 microseconds; the range is 1 to 999999.
Step 6. end
        Return to privileged EXEC mode.
Step 7. show running-config
        Verify your entries.
Step 8. copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Step 3. access-list access-list-number permit source [source-wildcard]
        Create the access list.
        • For access-list-number, enter the number specified in Step 2.
        • Enter the permit keyword to permit access if the conditions are matched.
        • For source, enter the IP address of the device that is permitted access to the switch.
        • (Optional) For source-wildcard, enter the wildcard bits to be applied to the source.
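The source-wildcard bits in Step 3 are the part of this procedure most often got wrong, so here is an added example (not code from the guide) that evaluates standard access-list entries the way the switch does: first match wins, a 0 wildcard bit means the address bit must match, and an unmatched address falls through to the implicit deny. It goes one step beyond the page by also showing what happens when a subnet mask is typed where a wildcard belongs. The ACL lines and addresses are constructed for the example.

```python
import ipaddress


def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} {any | host A | A [wildcard]}' lines
    into ordered (action, network, wildcard) tuples of 32-bit integers.

    A missing wildcard means 0.0.0.0, i.e. an exact host match, as on IOS.
    """
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard access-list entry: {line!r}")
        action, src = parts[2], parts[3]
        if src == "any":
            network, wildcard = 0, 0xFFFFFFFF
        elif src == "host":
            network, wildcard = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            network = int(ipaddress.IPv4Address(src))
            wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append((action, network, wildcard))
    return entries


def acl_permits(entries, address):
    """First-match evaluation with the implicit 'deny any' at the end.

    In a wildcard mask a 0 bit means "this address bit must match the
    configured source" and a 1 bit means "don't care" (the opposite of a
    subnet mask).
    """
    addr = int(ipaddress.IPv4Address(address))
    for action, network, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF
        if addr & care == network & care:
            return action == "permit"
    return False


# Constructed ACL of the kind referenced by an NTP access restriction: one
# NTP server by host, one management subnet by wildcard, part of another
# subnet explicitly denied.
SAMPLE_ACL = [
    "access-list 99 permit host 192.0.2.10",
    "access-list 99 permit 198.51.100.0 0.0.0.255",
    "access-list 99 deny 203.0.113.0 0.0.0.63",
]

# Constructed misconfiguration: a subnet mask typed where a wildcard belongs.
MASK_TYPO_ACL = ["access-list 10 permit 198.51.100.0 255.255.255.0"]


def check(address, lines=SAMPLE_ACL):
    """Convenience wrapper: does the ACL in `lines` permit `address`?"""
    return acl_permits(parse_standard_acl(lines), address)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.77", "203.0.113.5", "10.0.0.1"):
        print(ip, "permit" if check(ip) else "deny")
    # The mask typo denies the intended subnet and permits any address ending in .0.
    print(check("198.51.100.77", MASK_TYPO_ACL), check("10.9.8.0", MASK_TYPO_ACL))  # False True
```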
Disabling NTP Services on a Specific Interface

NTP services are enabled on all interfaces by default. Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on an interface:

Step 1. configure terminal
        Enter global configuration mode.
Step 2. interface interface-id
        Enter interface configuration mode, and specify the interface to disable.

Displaying the NTP Configuration

You can use two privileged EXEC commands to display NTP information:
• show ntp associations [detail]
• show ntp status

For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.

Displaying the Time and Date Configuration

To display the time and date configuration, use the show clock [detail] privileged EXEC command. The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes.

Configuring Summer Time (Daylight Saving Time)

Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:

Step 1. configure terminal
        Enter global configuration mode.
Step 2. clock summer-time zone recurring
        Configure summer time to start and end on the specified days every year.

Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):

Step 1. configure terminal
        Enter global configuration mode.
Step 2. clock summer-time zone date [month date year hh:mm month date year hh:mm]
        Configure summer time to start on the first date and end on the second date.
For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.

To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the hostnames, specify the name server that is present on your network, and enable the DNS.

Step 5. end
        Return to privileged EXEC mode.
Step 6. show running-config
        Verify your entries.
Step 7. copy running-config startup-config
        (Optional) Save your entries in the configuration file.

If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.
Configuring a Message-of-the-Day Login Banner

You can create a single-line or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:

Step 1. configure terminal
        Enter global configuration mode.
Step 2. banner motd c message c
        Specify the message of the day.

Beginning in privileged EXEC mode, follow these steps to configure a login banner:

Step 1. configure terminal
        Enter global configuration mode.
Step 2. banner login c message c
        Specify the login message. For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text.
Managing the MAC Address Table

• Removing Dynamic Address Entries, page 7-22
• Configuring MAC Address Notification Traps, page 7-22
• Adding and Removing Static Address Entries, page 7-24
• Configuring Unicast MAC Address Filtering, page 7-25
• Disabling MAC Address Learning on a VLAN, page 7-26
• Displaying Address Table Entries, page 7-27

Building the Address Table

With multiple MAC addresses supported on all ports, you can connect any port on the switch

MAC Addresses and Switch Stacks

The MAC address tables on all stack members are synchronized. At any given time, each stack member has the same copy of the address tables for each VLAN. When an address ages out, the address is removed from the address tables on all stack members. When a switch joins a switch stack, that switch receives the addresses for each VLAN learned on the other stack members.

To return to the default value, use the no mac address-table aging-time global configuration command.

Removing Dynamic Address Entries

To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode.
Step 4. mac address-table notification
        Enable the MAC address notification feature.
Step 5. mac address-table notification [interval value] | [history-size value]
        Enter the trap interval time and the history table size.
        • (Optional) For interval value, specify the notification trap interval in seconds between each set of traps that are generated to the NMS. The range is 0 to 2147483647 seconds; the default is 1 second.

Adding and Removing Static Address Entries

A static address has these characteristics:
• It is manually entered in the address table and must be manually removed.
• It can be a unicast or multicast address.
• It does not age and is retained when the switch restarts.

You can add and remove static addresses and define the forwarding behavior for them.

This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded to the specified port:

Switch(config)# mac address-table static c2f3.220a.

Step 4. show mac address-table static
        Verify your entries.
Step 5. copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable unicast MAC address filtering, use the no mac address-table static mac-addr vlan vlan-id global configuration command.

Beginning in privileged EXEC mode, follow these steps to disable MAC address learning on a VLAN:

Step 1. configure terminal
        Enter global configuration mode.
Step 2. no mac address-table learning vlan vlan-id
        Disable MAC address learning on the specified VLAN or VLANs. You can specify a single VLAN ID or a range of VLAN IDs separated by a hyphen or comma. Valid VLAN IDs are 1 to 4094. It cannot be an internal VLAN.
Managing the ARP Table

To communicate with a device (over Ethernet, for example), the software first must learn the 48-bit MAC address or the local data link address of that device. The process of learning the local data link address from an IP address is called address resolution. The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or MAC addresses and the VLAN ID.

Chapter 8 Configuring Switch-Based Authentication

This chapter describes how to configure switch-based authentication on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Protecting Access to Privileged EXEC Commands

• If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information. For more information, see the “Controlling Switch Access with TACACS+” section on page 8-10.

Setting or Changing a Static Enable Password

The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:

Step 1. configure terminal
        Enter global configuration mode.
Step 2. enable password password
        Define a new password or change an existing password for access to privileged EXEC mode.

Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords:

Step 1. configure terminal
        Enter global configuration mode.
Step 2. enable password [level level] {password | encryption-type encrypted-password}
        Define a new password or change an existing password for access to privileged EXEC mode.

This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:

Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8

Disabling Password Recovery

By default, any end user with physical access to the switch can recover from a lost password by interrupting the bootup process while the switch is powering on and then by entering a new password.
Setting a Telnet Password for a Terminal Line

When you power up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password.

Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password:

Step 1. configure terminal
        Enter global configuration mode.
Step 2. username name [privilege level] {password encryption-type password}
        Enter the username, privilege level, and password for each user.

Setting the Privilege Level for a Command

Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:

Step 1. configure terminal
        Enter global configuration mode.
Step 2. privilege mode level level command
        Set the privilege level for a command.

Changing the Default Privilege Level for Lines

Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:

Step 1. configure terminal
        Enter global configuration mode.
Step 2. line vty line
        Select the virtual terminal line on which to restrict access.
Step 3. privilege level level
        Change the default privilege level for the line.
Controlling Switch Access with TACACS+

This section describes how to enable and configure Terminal Access Controller Access Control System Plus (TACACS+), which provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands.

Figure 8-1 Typical TACACS+ Network Configuration (diagram; labels: UNIX workstation (TACACS+ server 1), UNIX workstation (TACACS+ server 2), Catalyst 6500 series switch, 171.20.10.7, Servers)

Configure the blade switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers). Enable AAA. Create a login authentication method list. Apply the list to the terminal lines.

TACACS+ Operation

When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:

1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a password prompt.
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 8-16
• Starting TACACS+ Accounting, page 8-17

Default TACACS+ Configuration

TACACS+ and AAA are disabled by default. To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate users accessing the switch through the CLI.

Step 6. end
        Return to privileged EXEC mode.
Step 7. show tacacs
        Verify your entries.
Step 8. copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove the specified TACACS+ server name or address, use the no tacacs-server host hostname global configuration command.

Step 3. aaa authentication login {default | list-name} method1 [method2...]
        Create a login authentication method list.
        • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
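The enable password and enable secret procedures, the username-based login, the password recovery note and the AAA login method list above all describe settings that can be read back from a running configuration, so here is an added example (not code from the guide) that audits a configuration text for them: it flags a reversible enable password, a missing enable secret, clear-text username passwords, a vty line that accepts sessions with no login check, and AAA that is either disabled or lacks a login method list. Both configuration excerpts are constructed; the hashes, server address and key in them are placeholders.

```python
import re

# Constructed running-config excerpt showing the weak choices the guide's
# procedures steer away from: "enable password" instead of "enable secret",
# a clear-text username password, no AAA, and a vty line with "no login".
WEAK_CONFIG = """\
hostname blade-sw1
enable password letmein
username admin privilege 15 password 0 admin123
line vty 0 4
 no login
line vty 5 15
 login
 password vtypass
"""

# Constructed hardened counterpart: enable secret (type 5), a login method list
# that tries TACACS+ and falls back to local, the list applied to every vty,
# and password recovery disabled. Hashes, server address and key are placeholders.
HARDENED_CONFIG = """\
hostname blade-sw1
service password-encryption
no service password-recovery
enable secret 5 $1$PLACEHOLDER$placeholderhash
username admin privilege 15 secret 5 $1$PLACEHOLDER$placeholderhash
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.20
tacacs-server key PLACEHOLDER_KEY
line vty 0 15
 login authentication default
"""

# username lines whose password is type 0 (or has no type), i.e. stored in clear text
CLEARTEXT_USER_RE = re.compile(r"^username \S+(?: privilege \d+)? password (?:0 )?(?!7 )\S+$")


def _vty_blocks(lines):
    """Group each 'line vty ...' header with the indented commands under it."""
    blocks, current = [], None
    for line in lines:
        if line.startswith("line vty"):
            current = (line.strip(), [])
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = None
    return blocks


def audit_exec_access(config_text):
    """Return (code, detail) findings for the privileged EXEC and AAA settings
    described in this chapter. An empty list means every check passed."""
    lines = config_text.splitlines()
    findings = []
    if any(l.startswith("enable password") for l in lines):
        findings.append(("ENABLE_PASSWORD", "enable password is stored reversibly; use enable secret"))
    if not any(l.startswith("enable secret") for l in lines):
        findings.append(("NO_ENABLE_SECRET", "privileged EXEC is not protected by an enable secret"))
    for l in lines:
        if CLEARTEXT_USER_RE.match(l):
            findings.append(("CLEARTEXT_USER", f"clear-text password in: {l}"))
    if "service password-encryption" not in lines:
        findings.append(("NO_SERVICE_PASSWORD_ENCRYPTION", "line and username passwords are shown in clear text"))
    if "no service password-recovery" not in lines:
        findings.append(("PASSWORD_RECOVERY_ENABLED", "anyone with console access can reset the password at boot"))
    aaa = "aaa new-model" in lines
    if not aaa:
        findings.append(("NO_AAA", "AAA is disabled, so TACACS+/RADIUS login cannot be used"))
    elif not any(l.startswith("aaa authentication login") for l in lines):
        findings.append(("NO_LOGIN_METHOD", "aaa new-model without a login authentication method list"))
    for header, sub in _vty_blocks(lines):
        if "no login" in sub or (not aaa and not any(s.startswith("login") for s in sub)):
            findings.append(("VTY_NO_LOGIN", f"{header} accepts sessions without authentication"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_exec_access(WEAK_CONFIG):
        print(f"{code}: {detail}")
    print("hardened findings:", audit_exec_access(HARDENED_CONFIG))   # []
```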
Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Starting TACACS+ Accounting The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
Understanding RADIUS
RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco routers and switches. Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information.
Figure: Transitioning from RADIUS to TACACS+ Services (figure elements: Remote PC, RADIUS servers R1 and R2, TACACS+ servers T1 and T2, Workstation)
Figure 8-2 RADIUS Operation
When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:
1. The user is prompted to enter a username and password.
2.
A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user. You can use method lists to designate one or more security protocols to be used (such as TACACS+ or local username lookup), thus ensuring a backup system if the initial method fails.
If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as a fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the %RADIUS-4-RADIUS_DEAD message appears, and then the switch tries the second host entry configured on the same device for accounting services.
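To watch the fail-over just described from the logging side, here is an added Python example (not from the guide and not Cisco IOS code) that replays %RADIUS-4-RADIUS_DEAD and %RADIUS-4-RADIUS_ALIVE syslog lines, tracks each configured server, and raises an alert when no server is left alive, the point at which the switch has no RADIUS fail-over left and AAA falls through to whatever method follows in the method list. The syslog lines are constructed; the second server address 192.0.2.20, the acct-port numbers and the exact wording of the ALIVE message are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample syslog lines (not captured from a real switch). 172.29.36.49 is the
# address used in the guide's own example; 192.0.2.20 is a made-up second server.
SAMPLE_SYSLOG = """\
Mar  3 10:02:11 sw-blade-01 123: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.29.36.49:1612,1646 is not responding.
Mar  3 10:02:12 sw-blade-01 124: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Mar  3 10:05:40 sw-blade-01 125: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.29.36.49:1612,1646 is being marked alive.
Mar  3 10:09:03 sw-blade-01 126: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.29.36.49:1612,1646 is not responding.
Mar  3 10:09:05 sw-blade-01 127: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.0.2.20:1645,1646 is not responding.
"""

# Message shapes assumed for this example: "host:auth-port,acct-port" follows "RADIUS server".
DEAD_RE = re.compile(
    r"%RADIUS-4-RADIUS_DEAD: RADIUS server (?P<host>[\d.]+):(?P<auth>\d+),(?P<acct>\d+) is not responding"
)
ALIVE_RE = re.compile(
    r"%RADIUS-4-RADIUS_ALIVE: RADIUS server (?P<host>[\d.]+):(?P<auth>\d+),(?P<acct>\d+) is being marked alive"
)


def track_radius_servers(syslog_text: str, configured_hosts: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Replay syslog lines and return (per-server state, alerts).

    Every configured server starts as 'alive'. A server flips to 'dead' on RADIUS_DEAD and
    back to 'alive' on RADIUS_ALIVE. An alert is raised each time a DEAD message leaves no
    server alive, which is the moment the switch has no RADIUS fail-over left.
    """
    state = {host: "alive" for host in configured_hosts}
    alerts: List[str] = []
    for line in syslog_text.splitlines():
        dead = DEAD_RE.search(line)
        if dead:
            state[dead["host"]] = "dead"  # a host missing from configured_hosts is still tracked
            if all(status == "dead" for status in state.values()):
                alerts.append(
                    f"no RADIUS server alive (last to fail: {dead['host']}, "
                    f"auth-port {dead['auth']}, acct-port {dead['acct']})"
                )
            continue
        alive = ALIVE_RE.search(line)
        if alive:
            state[alive["host"]] = "alive"
    return state, alerts


def dead_events(syslog_text: str) -> List[Tuple[str, str]]:
    """Return (host, auth_port) for every RADIUS_DEAD line, oldest first, for reporting."""
    return [(m["host"], m["auth"]) for m in DEAD_RE.finditer(syslog_text)]


if __name__ == "__main__":
    final_state, found = track_radius_servers(SAMPLE_SYSLOG, ["172.29.36.49", "192.0.2.20"])
    print(final_state)
    for alert in found:
        print("ALERT:", alert)
```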
Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.
Command and purpose:
Step 1: configure terminal. Enter global configuration mode.
This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:
Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
Switch(config)# radius-server host 172.20.36.
Step 3: aaa authentication login {default | list-name} method1 [method2...]. Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:
Command and purpose:
Step 1: configure terminal. Enter global configuration mode.
Step 8: copy running-config startup-config. (Optional) Save your entries in the configuration file.
Step 9: Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 8-23.
To remove the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.
Step 3: aaa authorization exec radius. Configure the switch for user RADIUS authorization if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information).
Step 4: end. Return to privileged EXEC mode.
Step 5: show running-config. Verify your entries.
Configuring Settings for All RADIUS Servers
Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers:
Command and purpose:
Step 1: configure terminal. Enter global configuration mode.
Step 2: radius-server key string. Specify the shared secret text string used between the switch and all RADIUS servers.
For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"
This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
This example shows how to specify an authorized VLAN in the RADIUS server database:
cis
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos
Displaying the RADIUS Configuration
To display the RADIUS configuration, use the show running-config privileged EXEC command.
Controlling Switch Access with Kerberos
This section describes how to enable and configure the Kerberos security system, which authenticates requests for network resources by using a trusted third party.
Note: A Kerberos server can be a switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol.
The Kerberos credential scheme uses a process called single logon. This process authenticates a user once and then allows secure authentication (without encrypting another password) wherever that user credential is accepted.
Table 8-2 Kerberos Terms (continued)
Term | Definition
Kerberos realm | A domain consisting of users, hosts, and network services that are registered to a Kerberos server. The Kerberos server is trusted to verify the identity of a user or network service to another user or network service. Note: The Kerberos realm name must be in all uppercase characters.
Authenticating to a Boundary Switch
This section describes the first layer of security through which a remote user must pass. The user must first authenticate to the boundary switch. This process then occurs:
1. The user opens an un-Kerberized Telnet connection to the boundary switch.
2. The switch prompts the user for a username and password.
3. The switch requests a TGT from the KDC for this user.
4.
Chapter 8 Configuring Switch-Based Authentication Configuring the Switch for Local Authentication and Authorization
When you add or create entries for the hosts and users, follow these guidelines:
Note:
• The Kerberos principal name must be in all lowercase characters.
• The Kerberos instance name must be in all lowercase characters.
• The Kerberos realm name must be in all uppercase characters.
Chapter 8 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell
Step 6: username name [privilege level] {password encryption-type password}. Enter the local database, and establish a username-based authentication system. Repeat this command for each user.
• For name, specify the user ID as one word. Spaces and quotation marks are not allowed.
• (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15.
For SSH configuration examples, see the “SSH Configuration Examples” section in the “Configuring Secure Shell” chapter of the Cisco IOS Security Configuration Guide, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7d5.
Note: This software release does not support IP Security (IPSec).
Limitations
These limitations apply to SSH:
• The switch supports Rivest, Shamir, and Adleman (RSA) authentication.
• SSH supports only the execution-shell application.
• The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data encryption software.
Setting Up the Switch to Run SSH
Follow these steps to set up your switch to run SSH:
1. Download the cryptographic software image from www.dell.com/support. This step is required. For more information, see the release notes for this release.
2. Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server.
3.
Configuring the SSH Server
Beginning in privileged EXEC mode, follow these steps to configure the SSH server:
Command and purpose:
Step 1: configure terminal. Enter global configuration mode.
Step 2: ip ssh version [1 | 2]. (Optional) Configure the switch to run SSH Version 1 or SSH Version 2.
• 1—Configure the switch to run SSH Version 1.
• 2—Configure the switch to run SSH Version 2.
Chapter 8 Configuring Switch-Based Authentication Configuring the Switch for Secure Socket Layer HTTP
Displaying the SSH Configuration and Status
To display the SSH server configuration and status, use one or more of the privileged EXEC commands in Table 8-3:
Table 8-3 Commands for Displaying the SSH Server Configuration and Status
Command | Purpose
show ip ssh | Shows the version and configuration information for the SSH server.
show ssh | Shows the status of the SSH server.
The primary role of the HTTP secure server (the switch) is to listen for HTTPS requests on a designated port (the default HTTPS port is 443) and pass the request to the HTTP 1.1 Web server. The HTTP 1.1 server processes requests and passes responses (pages) back to the HTTP secure server, which, in turn, responds to the original request.
Configuring Secure HTTP Servers and Clients
These sections contain this configuration information:
• Default SSL Configuration, page 8-45
• SSL Configuration Guidelines, page 8-45
• Configuring a CA Trustpoint, page 8-45
• Configuring the Secure HTTP Server, page 8-46
• Configuring the Secure HTTP Client, page 8-48
Default SSL Configuration
The standard HTTP server is enabled. SSL is enabled.
Command and purpose:
Step 7: enrollment http-proxy host-name port-number. (Optional) Configure the switch to obtain certificates from the CA through an HTTP proxy server.
Step 8: crl query url. Configure the switch to request a certificate revocation list (CRL) to ensure that the certificate of the peer has not been revoked.
Command and purpose (Steps 5, 6 and 7; only this row survives here):
ip http secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-md5] [rc4-128-sha] [des-cbc-sha]}. (Optional) Specify the CipherSuites (encryption algorithms) to be used for encryption over the HTTPS connection. If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support.
Chapter 8 Configuring Switch-Based Authentication Configuring the Switch for Secure Copy Protocol
Configuring the Secure HTTP Client
The standard HTTP client and secure HTTP client are always enabled. A certificate authority is required for secure HTTP client certification. This procedure assumes that you have previously configured a CA trustpoint on the switch. If a CA trustpoint is not configured and the remote HTTPS server requires client authentication, connections to the secure HTTP client fail.
For SSH to work, the switch needs an RSA public/private key pair. This is the same with SCP, which relies on SSH for its secure transport. Because SSH also relies on AAA authentication, and SCP relies further on AAA authorization, correct configuration is necessary.
Note:
• Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide 8-50 OL-13270-03
CHAPTER 9 Configuring SDM Templates
This chapter describes how to configure the Switch Database Management (SDM) templates on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 9 Configuring SDM Templates Understanding the SDM Templates
Table 9-1 lists the approximate numbers of each resource supported in each of the four templates.
Table 9-2 Approximate Feature Resources Allowed by Dual IPv4-IPv6 Templates
Resource | IPv4-and-IPv6 Default | IPv4-and-IPv6 Routing | IPv4-and-IPv6 VLAN
Unicast MAC addresses | 2K | 1.5K | 8K
IPv4 IGMP groups and multicast routes | 1K | 1K | 1K for IGMP groups, 0 for multicast routes
Total IPv4 unicast routes: | 3K | 2.75K | 0
• Directly connected IPv4 hosts | 2K | 1.5K | 0
• Indirect IPv4 routes | 1K | 1.
Chapter 9 Configuring SDM Templates Configuring the Switch SDM Template
2d23h:%SDM-6-MISMATCH_ADVISE:compatible desktop SDM template:
2d23h:%SDM-6-MISMATCH_ADVISE:
2d23h:%SDM-6-MISMATCH_ADVISE: "sdm prefer vlan desktop"
2d23h:%SDM-6-MISMATCH_ADVISE: "reload"
Configuring the Switch SDM Template
These sections contain this configuration information:
• Default SDM Template, page 9-4
• SDM Template Configuration Guidelines, page 9-4
• Setting the SDM Template, page 9-5
Default SDM Template
The default
Setting the SDM Template
Beginning in privileged EXEC mode, follow these steps to use the SDM template to maximize feature usage:
Command and purpose:
Step 1: configure terminal. Enter global configuration mode.
Chapter 9 Configuring SDM Templates Displaying the SDM Templates
  number of qos aces:                         0.5K
  number of security aces:                    1K
On next reload, template will be "desktop vlan" template.
To return to the default template, use the no sdm prefer global configuration command.
This is an example of output from the show sdm prefer dual-ipv4-and-ipv6 routing command:
Switch# show sdm prefer dual-ipv4-and-ipv6 routing
 The current template is "desktop IPv4 and IPv6 routing" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.
CHAPTER 10 Configuring IEEE 802.1x Port-Based Authentication
This chapter describes how to configure IEEE 802.1x port-based authentication on the switch. IEEE 802.1x authentication prevents unauthorized devices (clients) from gaining access to the network. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication
• IEEE 802.1x Host Mode, page 10-11
• IEEE 802.1x Accounting, page 10-13
• IEEE 802.1x Accounting Attribute-Value Pairs, page 10-13
• Using 802.1x Readiness Check, page 10-14
• Using IEEE 802.1x Authentication with VLAN Assignment, page 10-14
• Using IEEE 802.1x Authentication with Per-User ACLs, page 10-16
• 802.
• Client—the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running IEEE 802.1x-compliant client software such as that offered in the Microsoft Windows XP operating system. (The client is the supplicant in the IEEE 802.1x standard.)
Note: To resolve Windows XP network connectivity and IEEE 802.
• If the RADIUS authentication server is unavailable (down) and inaccessible authentication bypass is enabled, the switch grants the client access to the network by putting the port in the critical-authentication state in the RADIUS-configured or the user-specified access VLAN.
Note: Inaccessible authentication bypass is also referred to as critical authentication or the AAA fail policy.
The switch re-authenticates a client when one of these situations occurs:
• Periodic re-authentication is enabled, and the re-authentication timer expires. You can configure the re-authentication timer to use a switch-specific value or to be based on values from the RADIUS server. After IEEE 802.
The specific exchange of EAP frames depends on the authentication method being used. Figure 10-3 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.
Figure 10-4 Message Exchange During MAC Authentication Bypass (figure: Client, Switch, Authentication server (RADIUS); messages EAPOL Request/Identity (sent three times), Ethernet packet, RADIUS Access/Request, RADIUS Access/Accept)
Authentication Manager
In Cisco IOS Release 12.
Port-Based Authentication Methods
Table 10-1 802.1x Features
Mode | Authentication method | Single host | Multiple host | MDA (1) | Multiple Authentication (2)
802.
Authentication Manager CLI Commands
The authentication-manager interface-configuration commands control all the authentication methods, such as 802.1x, MAC authentication bypass, and web authentication. The authentication manager commands determine the priority and order of authentication methods applied to a connected host.
Table 10-2 Authentication Manager Commands and Earlier 802.1x Commands (continued)
The authentication manager commands in Cisco IOS Release 12.2(50)SE or later | The equivalent 802.1x commands in Cisco IOS Release 12.
retried. If the authentication server cannot be reached, the switch can resend the request. If no response is received from the server after the specified number of attempts, authentication fails, and network access is not granted. When a client logs off, it sends an EAPOL-logoff message, causing the switch port to change to the unauthorized state.
unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies network access to all of the attached clients. In this topology, the wireless access point is responsible for authenticating the clients attached to it, and it also acts as a client to the switch. With the multiple-hosts mode enabled, you can use IEEE 802.
IEEE 802.1x Accounting
The IEEE 802.1x standard defines how users are authorized and authenticated for network access but does not keep track of network usage. IEEE 802.1x accounting is disabled by default. You can enable IEEE 802.1x accounting to monitor this activity on IEEE 802.1x-enabled ports:
• User successfully authenticates.
• User logs off.
• Link-down occurs.
Table 10-3 Accounting AV Pairs (continued)
Attribute Number | AV Pair Name | START | INTERIM | STOP
Attribute[46] | Acct-Session-Time | Never | Never | Always
Attribute[49] | Acct-Terminate-Cause | Never | Never | Always
Attribute[61] | NAS-Port-Type | Always | Always | Always
1.
When configured on the switch and the RADIUS server, IEEE 802.1x authentication with VLAN assignment has these characteristics:
• If no VLAN is supplied by the RADIUS server or if IEEE 802.1x authentication is disabled, the port is configured in its access VLAN after successful authentication. Recall that an access VLAN is a VLAN assigned to an access port.
Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the IEEE 802.1x-authenticated user. For examples of tunnel attributes, see the “Configuring the Switch to Use Vendor-Specific RADIUS Attributes” section on page 8-29.
Using IEEE 802.
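The cisco-avpair values shown in the Chapter 8 vendor-specific attribute examples (ip:addr-pool=first, shell:priv-lvl=15) and the tunnel attributes [64], [65] and [81] described here are both things the switch acts on from a RADIUS Access-Accept. This added Python example, which is not code from the guide or from Cisco IOS, parses cisco-avpair values, rejects a shell:priv-lvl outside the switch's 0 to 15 privilege range, and returns a VLAN only when [64] is VLAN (13) and [65] is 802 (6); the sample reply, the VLAN name engineering and the deliberately out-of-range priv-lvl=99 are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

# RADIUS tunnel attributes and the values the guide requires for VLAN assignment.
TUNNEL_TYPE = 64              # must carry VLAN (type 13)
TUNNEL_MEDIUM_TYPE = 65       # must carry 802 (type 6)
TUNNEL_PRIVATE_GROUP_ID = 81  # carries the VLAN name or VLAN ID
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

# A cisco-avpair value has the shape protocol:attribute=value, e.g. shell:priv-lvl=15.
AVPAIR_RE = re.compile(r"^(?P<proto>[a-z]+):(?P<attr>[a-z0-9-]+)=(?P<value>.*)$")


def parse_cisco_avpair(avpair: str) -> Tuple[str, str, str]:
    """Split one cisco-avpair into (protocol, attribute, value).

    Accepts the bare value or the guide's written form cisco-avpair= "shell:priv-lvl=15".
    A shell:priv-lvl outside the 0-15 privilege range is rejected rather than passed on.
    """
    text = avpair.strip()
    if text.startswith("cisco-avpair="):
        text = text[len("cisco-avpair="):].strip()
    text = text.strip('"')
    match = AVPAIR_RE.match(text)
    if not match:
        raise ValueError(f"malformed cisco-avpair: {avpair!r}")
    proto, attr, value = match["proto"], match["attr"], match["value"]
    if (proto, attr) == ("shell", "priv-lvl"):
        if not value.isdigit() or not 0 <= int(value) <= 15:
            raise ValueError(f"priv-lvl must be 0-15, got {value!r}")
    return proto, attr, value


def vlan_from_tunnel_attributes(attrs: Dict[int, Union[int, str]]) -> Optional[str]:
    """Return the VLAN from attribute [81] only when [64] and [65] hold the required values.

    A reply with a wrong or missing tunnel type/medium yields None: no VLAN is assigned and
    the port stays in its configured access VLAN, as the guide describes.
    """
    if attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
        return None
    vlan = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    return None if vlan is None else str(vlan)


def summarize_access_accept(attrs: Dict[int, Union[int, str]], avpairs: List[str]) -> Dict[str, object]:
    """Reduce an Access-Accept's attributes to what the switch would act on."""
    problems: List[str] = []
    result: Dict[str, object] = {
        "vlan": vlan_from_tunnel_attributes(attrs),
        "priv_lvl": None,
        "addr_pool": None,
        "problems": problems,
    }
    for avpair in avpairs:
        try:
            proto, attr, value = parse_cisco_avpair(avpair)
        except ValueError as err:
            problems.append(str(err))  # log and skip; never grant a malformed/out-of-range value
            continue
        if (proto, attr) == ("shell", "priv-lvl"):
            result["priv_lvl"] = int(value)
        elif (proto, attr) == ("ip", "addr-pool"):
            result["addr_pool"] = value
    return result


# Constructed sample reply (not captured from a real server): a VLAN assignment plus the
# two AV pairs quoted in the guide and one deliberately out-of-range privilege level.
SAMPLE_ATTRS: Dict[int, Union[int, str]] = {
    TUNNEL_TYPE: 13,
    TUNNEL_MEDIUM_TYPE: 6,
    TUNNEL_PRIVATE_GROUP_ID: "engineering",
}
SAMPLE_AVPAIRS = [
    'cisco-avpair= "ip:addr-pool=first"',
    'cisco-avpair= "shell:priv-lvl=15"',
    "shell:priv-lvl=99",
]

if __name__ == "__main__":
    print(summarize_access_accept(SAMPLE_ATTRS, SAMPLE_AVPAIRS))
```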
To configure per-user ACLs, you need to perform these tasks:
• Enable AAA authentication.
• Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server.
• Enable IEEE 802.1x authentication.
• Configure the user profile and VSAs on the RADIUS server.
• Configure the IEEE 802.1x port for single-host mode.
802.
Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs
You can set the CiscoSecure-Defined-ACL Attribute-Value (AV) pair on the Cisco Secure ACS with the RADIUS cisco-av-pair vendor-specific attributes (VSAs). This pair specifies the names of the downloadable ACLs on the Cisco Secure ACS with the #ACL#-IP-name-number attribute.
• The name is the ACL name.
Note: If an EAPOL packet is detected after the interface has changed to the guest VLAN, the interface reverts to an unauthorized state, and IEEE 802.1x authentication restarts.
Any number of IEEE 802.1x-incapable clients are allowed access when the switch port is moved to the guest VLAN. If an IEEE 802.
receive a link down or EAP logoff event. We recommend that you keep re-authentication enabled if a client might connect through a hub. When a client disconnects from the hub, the port might not receive the link down or EAP logoff event. After a port moves to the restricted VLAN, a simulated EAP success message is sent to the client.
Inaccessible authentication bypass interacts with these features:
• Guest VLAN—Inaccessible authentication bypass is compatible with guest VLAN. When a guest VLAN is enabled on IEEE 8021.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.
• When an IEEE 802.1x client logs off, the port changes to an unauthenticated state, and all dynamic entries in the secure host table are cleared, including the entry for the client. Normal authentication then takes place.
• If the port is administratively shut down, the port becomes unauthenticated, and all dynamic entries are removed from the secure host table.
When the MAC authentication bypass feature is enabled on an IEEE 802.1x port, the switch uses the MAC address as the client identity. The authentication server has a database of client MAC addresses that are allowed network access. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from the client.
Network Admission Control Layer 2 IEEE 802.1x Validation
The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which checks the antivirus condition or posture of endpoint systems or clients before granting the devices network access. With NAC Layer 2 IEEE 802.
For more information see the “Configuring the Host Mode” section on page 10-42.
Using Multidomain Authentication
The switch supports multidomain authentication (MDA), which allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
• Switching a port host mode from multidomain to single- or multihost mode removes all authorized devices from the port.
• If a data domain is authorized first and placed in the guest VLAN, non-IEEE 802.1x-capable voice devices need to tag their packets on the voice VLAN to trigger authentication.
• We do not recommend per-user ACLs with an MDA-enabled port.
Web Authentication with Automatic MAC Check
You can use web authentication with automatic MAC check to authenticate a client that does not support IEEE 802.1x or web browser functionality. This allows end hosts, such as printers, to automatically authenticate by using the MAC address without any additional required configuration.
This banner can also be customized, as shown in Figure 10-7.
• Add a switch, router, or company name to the banner by using the ip admission auth-proxy-banner http banner-text global configuration command.
• Add a logo or text file to the banner by using the ip admission auth-proxy-banner http file-path global configuration command.
Figure 10-8 Login Screen With No Banner
For more information, see the “Configuring a Web Authentication Local Banner” section on page 10-64.
802.1x Switch Supplicant with Network Edge Access Topology (NEAT)
NEAT extends identity to areas outside the wiring closet (such as conference rooms) through the following:
• Note 802.
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication
Figure 10-9 Authenticator and Supplicant Switch using CISP (figure legend: 1 Workstations (clients), 2 Supplicant switch (outside wiring closet), 3 Authenticator switch, 4 Access control server (ACS), 5 Trunk port)
For more information, see the “Configuring 802.1x Switch Supplicant with NEAT” section on page 10-55.
Configuring IEEE 802.
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication • Configuring MAC Authentication Bypass, page 10-54 (optional) • Configuring NAC Layer 2 IEEE 802.1x Validation, page 10-55 (optional) • Configuring Web Authentication, page 10-61 • Configuring a Web Authentication Local Banner, page 10-64 • Disabling IEEE 802.1x Authentication on the Port, page 10-65 (optional) • Resetting the IEEE 802.
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Table 10-4 Default IEEE 802.1x Authentication Configuration (continued) Feature Default Setting Client timeout period 30 seconds (when relaying a request from the authentication server to the client, the amount of time the switch waits for a response before resending the request to the client.
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication • The IEEE 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed ports, but it is not supported on these port types: – Trunk port—If you try to enable IEEE 802.1x authentication on a trunk port, an error message appears, and IEEE 802.1x authentication is not enabled. If you try to change the mode of an IEEE 802.
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication the IEEE 802.1x authentication process (authentication timer inactivity or dot1x timeout quiet-period and authentication timer reauthentication or dot1x timeout tx-period). The amount to decrease the settings depends on the connected IEEE 802.1x client type. • When configuring the inaccessible authentication bypass feature, follow these guidelines: – The feature is supported on IEEE 802.
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Configuring IEEE 802.1x Violation Modes You can configure an IEEE 802.1x port so that it shuts down, generates a syslog error, or discards packets from a new device when: • a device connects to an IEEE 802.
This is the IEEE 802.1x AAA process:
Step 1 A user connects to a port on the switch.
Step 2 Authentication is performed.
Step 3 VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.
Step 4 The switch sends a start message to an accounting server.
Step 5 Re-authentication is performed, as necessary.
Step 10 dot1x port-control auto
  Enable IEEE 802.1x authentication on the port. For feature interaction information, see the “IEEE 802.1x Authentication Configuration Guidelines” section on page 10-33.
Step 11 end
  Return to privileged EXEC mode.
Step 12 show dot1x
  Verify your entries.
This example shows how to enable a readiness check on a switch to query a port. It also shows the response received from the queried port verifying that the device connected to it is IEEE 802.1x-capable:
switch# dot1x test eapol-capable interface gigabitethernet1/0/13
DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/0/13 is EAPOL capable
Configuring Voice Aware 802.
shutdown
no shutdown
  (Optional) Re-enable an error-disabled VLAN, and clear all error-disable indications.
Step 6 end
  Return to privileged EXEC mode.
Step 7 show errdisable detect
  Verify your entries.
Step 8 copy running-config startup-config
  (Optional) Save your entries in the configuration file.
Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on the switch. This procedure is required.
Step 1 configure terminal
  Enter global configuration mode.
Step 2 radius-server host {hostname |
  Configure the RADIUS server parameters.
Configuring the Host Mode
Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) on an IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto.
This example shows how to enable MDA and to allow both a host and a voice device on the port:
Switch(config)# interface gigabitethernet3/0/1
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x host-mode multi-domain
Switch(config-if)# switchport voice vlan 101
Switch(config-if)# end
Configuring Periodic Re-Authentication
You can enable periodic IEEE 802.
Step 6 show authentication interface-id
  or
  show dot1x interface interface-id
  Verify your entries.
Step 7 copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To disable periodic re-authentication, use the no authentication periodic or the no dot1x reauthentication interface configuration command.
Step 5 show authentication interface-id
  or
  show dot1x interface interface-id
  Verify your entries.
Step 6 copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To return to the default quiet time, use the no dot1x timeout quiet-period interface configuration command.
Setting the Switch-to-Client Frame-Retransmission Number
In addition to changing the switch-to-client retransmission time, you can change the number of times that the switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting the authentication process.
Beginning in privileged EXEC mode, follow these steps to set the re-authentication number. This procedure is optional.
Step 1 configure terminal
  Enter global configuration mode.
Step 2 interface interface-id
  Specify the port to be configured, and enter interface configuration mode.
Beginning in privileged EXEC mode, follow these steps to configure IEEE 802.1x accounting after AAA is enabled on your switch. This procedure is optional.
Step 1 configure terminal
  Enter global configuration mode.
Step 2 interface interface-id
  Specify the port to be configured, and enter interface configuration mode.
Step 5 dot1x guest-vlan vlan-id
  Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094. You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN.
Step 6 end
  Return to privileged EXEC mode.
Step 7 show authentication interface-id
  Verify your entries.
Step 4 authentication port-control auto
  or
  dot1x port-control auto
  Enable IEEE 802.1x authentication on the port.
Step 5 dot1x auth-fail vlan vlan-id
  Specify an active VLAN as an IEEE 802.1x restricted VLAN. The range is 1 to 4094. You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.
Step 6 dot1x auth-fail max-attempts max-attempts
  Specify the number of authentication attempts to allow before a port moves to the restricted VLAN. The range is 1 to 3, and the default is 3.
Step 7 end
  Return to privileged EXEC mode.
Step 8 show authentication interface-id
  (Optional) Verify your entries.
Step 4 radius-server host ip-address [acct-port udp-port] [auth-port udp-port] [test username name [idle-time time] [ignore-acct-port] [ignore-auth-port]] [key string]
  (Optional) Configure the RADIUS server parameters by using these keywords:
  • acct-port udp-port—Specify the UDP port for the RADIUS accounting server. The range for the UDP port number is from 0 to 65536.
Step 8 show authentication interface-id
  or
  show dot1x [interface interface-id]
  (Optional) Verify your entries.
Step 9 copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To disable IEEE 802.1x authentication with WoL, use the no dot1x control-direction interface configuration command.
This example shows how to enable IEEE 802.1x authentication with WoL and set the port as bidirectional:
Switch(config-if)# dot1x control-direction both
Configuring MAC Authentication Bypass
Beginning in privileged EXEC mode, follow these steps to enable MAC authentication bypass.
Configuring NAC Layer 2 IEEE 802.1x Validation
You can configure NAC Layer 2 IEEE 802.1x validation, which is also referred to as IEEE 802.1x authentication with a RADIUS server.
Beginning in privileged EXEC mode, follow these steps to configure NAC Layer 2 IEEE 802.1x validation. The procedure is optional.
Step 1 configure terminal
  Enter global configuration mode.
Note You cannot enable MDA or multiauth mode on the authenticator switch interface that connects to one or more supplicant switches. For overview information, see the “802.1x Switch Supplicant with Network Edge Access Topology (NEAT)” section on page 10-30.
Step 5 password password
  Create a password for the new username.
Step 6 interface interface-id
  Specify the port to be configured, and enter interface configuration mode.
Step 7 switchport trunk encapsulation dot1q
  Set the port to trunk mode.
Step 8 switchport mode trunk
  Configure the interface as a VLAN trunk port.
Step 3 aaa new-model
  Enables AAA.
Step 4 aaa authorization network default group radius
  Sets the authorization method to local. To remove the authorization method, use the no aaa authorization network default group radius command.
Step 5 radius-server vsa send authentication
  Configure the switch to send RADIUS vendor-specific attributes (VSAs) in authentication requests.
Configuring a Downloadable Policy
Beginning in privileged EXEC mode:
Step 1 configure terminal
  Enter global configuration mode.
Step 2 access-list access-list-number deny source source-wildcard log
  Defines the default port ACL by using a source address and wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
Step 12 show ip device tracking all
  Displays information about the entries in the IP device tracking table.
Step 13 copy running-config startup-config
  (Optional) Saves your entries in the configuration file.
This example shows how to configure a switch for a downloadable policy:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Step 3 authentication control-direction {both | in}
  (Optional) Configure the port control as unidirectional or bidirectional.
Step 4 authentication fallback name
  (Optional) Configure a port to use web authentication as a fallback method for clients that do not support 802.1x authentication.
Step 3 aaa authentication login default group radius
  Use RADIUS authentication. Before you can use this authentication method, you must configure the RADIUS server. For more information, see Chapter 8, “Configuring Switch-Based Authentication.
Beginning in privileged EXEC mode, follow these steps to configure a port to use web authentication:
Step 1 configure terminal
  Enter global configuration mode.
Step 2 ip admission name rule proxy http
  Define a web authentication rule.
  Note The same rule cannot be used for both web authentication and NAC Layer 2 IP validation.
Step 9 dot1x port-control auto
  Enable IEEE 802.1x authentication on the interface.
Step 10 dot1x fallback fallback-profile
  Configure the port to authenticate a client by using web authentication when no IEEE 802.1x supplicant is detected on the port. Any change to the fallback-profile global configuration takes effect the next time IEEE 802.1x fallback is invoked on the interface.
This example shows how to configure a local banner with the custom message My Switch:
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# ip auth-proxy auth-proxy-banner C My Switch C
Switch(config)# end
For more information about the ip auth-proxy auth-proxy-banner command, see the “Authentication Proxy Commands” section of the Cisco IOS Security Command Reference on Cisco.
Step 5 show authentication interface-id
  or
  show dot1x interface interface-id
  Verify your entries.
Step 6 copy running-config startup-config
  (Optional) Save your entries in the configuration file.
Displaying IEEE 802.1x Statistics and Status
To display IEEE 802.1x statistics for all ports, use the show dot1x all statistics privileged EXEC command. To display IEEE 802.
Chapter 11 Configuring Interface Characteristics
This chapter defines the types of interfaces on the switch and describes how to configure them. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Understanding Interface Types
• 10-Gigabit Ethernet Interfaces, page 11-6
• Connecting Interfaces, page 11-7
Port-Based VLANs
A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 13, “Configuring VLANs.” Packets received on a port are forwarded only to ports that belong to the same VLAN as the receiving port.
Note When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration.
For detailed information about configuring access port and trunk port characteristics, see Chapter 13, “Configuring VLANs.” For more information about tunnel ports, see Chapter 17, “Configuring IEEE 802.
traffic is forwarded to and from the trunk port for that VLAN. If VTP learns of a new, enabled VLAN that is not in the allowed list for a trunk port, the port does not become a member of the VLAN, and no traffic for the VLAN is forwarded to or from the port. For more information about trunk ports, see Chapter 13, “Configuring VLANs.”
Tunnel Ports
Tunnel ports are used in IEEE 802.
Switch Virtual Interfaces
A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing or bridging function in the system. Only one SVI can be associated with a VLAN, but you need to configure an SVI for a VLAN only when you wish to route between VLANs, to fallback-bridge nonroutable protocols between VLANs, or to provide IP host connectivity to the switch.
The default action, when a VLAN has multiple ports, is that the SVI goes down when all ports in the VLAN go down. You can use the SVI autostate exclude feature to configure a port so that it is not included in the SVI line-state up-and-down calculation.
Connecting Interfaces
Devices within a single VLAN can communicate directly through any switch. Ports in different VLANs cannot exchange data without going through a routing device. With a standard Layer 2 switch, ports in different VLANs have to exchange information through a router.
Using Interface Configuration Mode
• The routing function can be enabled on all SVIs and routed ports. The switch routes only IP traffic. When IP routing protocol parameters and address configuration are added to an SVI or routed port, any IP traffic received from these ports is routed. For more information, see Chapter 38, “Configuring IP Unicast Routing,” Chapter 44, “Configuring IP Multicast Routing,” and Chapter 45, “Configuring MSDP.
You can identify physical interfaces by physically checking the interface location on the switch. You can also use the show privileged EXEC commands to display information about a specific interface or all the interfaces on the switch. The remainder of this chapter primarily provides physical interface configuration procedures.
Enter the show interfaces privileged EXEC command to see a list of all interfaces on or configured for the switch. A report is provided for each interface that the device supports or for the specified interface.
Configuring a Range of Interfaces
You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters.
  – port-channel port-channel-number - port-channel-number, where the port-channel-number is 1 to 64
  Note When you use the interface range command with port channels, the first and last port-channel number must be active port channels.
• You must add a space between the first interface number and the hyphen when using the interface range command.
Beginning in privileged EXEC mode, follow these steps to define an interface range macro:
Step 1 configure terminal
  Enter global configuration mode.
Step 2 define interface-range macro_name interface-range
  Define the interface-range macro, and save it in NVRAM.
  • The macro_name is a 32-character maximum character string.
Step 3 interface range macro macro_name
Using the Internal Ethernet Management Port
• All interfaces defined in a range must be the same type (all Gigabit Ethernet ports, all 10-Gigabit Ethernet ports, all EtherChannel ports, or all VLANs), but you can combine multiple interface types in a macro.
In a switch stack, only the Ethernet management port on the stack master is enabled. The ports on the stack members are disabled. You cannot modify the IP address of a stack member by using the Chassis Management Module. For a nonstacking-capable switch or a standalone stacking-capable switch, connect the Ethernet management port to the PC as shown in Figure 11-2.
Figure 11-3 Connecting a Switch Stack to a PC
[Figure: blade switches in Enclosure 1 and Enclosure 2 forming stack members 1 through 7, one of them the stack master, connected to a PC.] Callouts: 1 Chassis Management Module 2 Inte
• Telnet with passwords
• TFTP
• Secure Shell (SSH)
• DHCP-based autoconfiguration
• SNMP (only the ENTITY-MIB and the IF-MIB)
• IP ping
• Interface features
  – Speed—100 Mb/s (nonconfigurable)
  – Duplex mode—Full (nonconfigurable)
  – Loopback detection
• Cisco Discovery Protocol (CDP)
• DHCP relay agent
• IPv4 and IPv6 access control lists (ACLs)
• Routing protocols
Caution Before enabling a
Configuring Ethernet Interfaces
TFTP and the Ethernet Management Port
Use the commands in Table 11-1 when using TFTP to download or upload a configuration file to the boot loader.
Table 11-1 Boot Loader Commands
arp [ip_address]
  Displays the currently cached ARP table when this command is entered without the ip_address parameter.
the interface is connected. When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration.
Table 11-2 Default Layer 2 Ethernet Interface Configuration
Feature: Operating mode
Default Setting: Layer 2 or switching mode (switchport command).
Configuring Interface Speed and Duplex Mode
Ethernet interfaces on the switch operate at 10, 100, 1000, or 10,000 Mb/s and in either full- or half-duplex mode. In full-duplex mode, two stations can send and receive traffic at the same time. Normally, 10-Mb/s ports operate in half-duplex mode, which means that stations can either receive or send traffic.
Setting the Interface Speed and Duplex Parameters
Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface:
Step 1 configure terminal
  Enter global configuration mode.
Step 2 interface interface-id
  Specify the physical interface to be configured, and enter interface configuration mode.
Switch(config-if)# speed 10
Switch(config-if)# duplex half
This example shows how to set the interface speed to 100 Mb/s on an external 10/100/1000 Mb/s port:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/17
Switch(config-if)# speed 100
Configuring IEEE 802.
This example shows how to turn on flow control on a port:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# flowcontrol receive on
Switch(config-if)# end
Configuring Auto-MDIX on an Interface
When automatic medium-dependent interface crossover (auto-MDIX) is enabled on an interface, the interface automatically detects the required cable connection type (straight through or crossove
This example shows how to enable auto-MDIX on a port:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# speed auto
Switch(config-if)# duplex auto
Switch(config-if)# mdix auto
Switch(config-if)# end
Adding a Description for an Interface
You can add a description about an interface to help you remember its function.
Configuring Layer 3 Interfaces
The switch supports these types of Layer 3 interfaces:
• SVIs: You should configure SVIs for any VLANs for which you want to route traffic. SVIs are created when you enter a VLAN ID following the interface vlan global configuration command. To delete an SVI, use the no interface vlan global configuration command. You cannot delete interface VLAN 1.
Beginning in privileged EXEC mode, follow these steps to configure a Layer 3 interface:
Step 1 configure terminal
  Enter global configuration mode.
Step 2 interface {gigabitethernet interface-id} | {vlan vlan-id} | {port-channel port-channel-number}
  Specify the interface to be configured as a Layer 3 interface, and enter interface configuration mode.
Step 5 show running-config interface interface-id
  (Optional) Show the running configuration.
  show interfaces interface-id switchport
  Verify the configuration.
Step 6 copy running-config startup-config
  (Optional) Save your entries in the configuration file.
Configuring the System MTU
The upper limit of the system routing MTU value is based on the switch or switch stack configuration and refers to either the currently applied system MTU or the system jumbo MTU value. For more information about setting the MTU sizes, see the system mtu global configuration command in the command reference for this release.
Monitoring and Maintaining the Interfaces
These sections contain interface monitoring and maintenance information:
• Monitoring Interface Status, page 11-28
• Clearing and Resetting Interfaces and Counters, page 11-29
• Shutting Down and Restarting the Interface, page 11-29
Monitoring Interface Status
Commands entered at the privileged EXEC prompt display information about the interface, including the version
Clearing and Resetting Interfaces and Counters
Table 11-5 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces.
Table 11-5 Clear Commands for Interfaces
clear counters [interface-id]
  Clear interface counters.
clear interface interface-id
  Reset the hardware logic on an interface.
Chapter 12 Configuring Smartports Macros
This chapter describes how to configure and apply Smartports macros on the switch.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Configuring Smartports Macros
Table 12-1 Cisco-Default Smartports Macros (continued)
Macro Name: cisco-phone
Description: Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
• When creating a macro that requires the assignment of unique values, use the parameter value keywords to designate values specific to the interface. Keyword matching is case sensitive. All matching occurrences of the keyword are replaced with the corresponding value. Any full match of a keyword, even if it is part of a larger string, is considered a match and is replaced by the corresponding value.
Creating Smartports Macros
Beginning in privileged EXEC mode, follow these steps to create a Smartports macro:
Step 1 configure terminal
  Enter global configuration mode.
Step 2 macro name macro-name
  Create a macro definition, and enter a macro name. A macro definition can contain up to 3000 characters. Enter the macro commands with one command per line. Use the @ character to end the macro.
Applying Smartports Macros
Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro:
Step 1 configure terminal
  Enter global configuration mode.
Step 2 macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]
  Apply each individual command defined in the macro to the switch by entering macro global apply macro-name.
This example shows how to apply the user-created macro called snmp, to set the hostname address to test-server, and to set the IP precedence value to 7:
Switch(config)# macro global apply snmp ADDRESS test-server VALUE 7
This example shows how to debug the user-created macro called snmp by using the macro global trace global configuration command to find any syntax or configuration errors in the macro when it is applied to the switch
Step 7 macro {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]
  Append the Cisco-default macro with the required values by using the parameter value keywords, and apply the macro to the interface. Keywords that begin with $ mean that a unique parameter value is required. You can use the macro apply macro-name ? command to display a list of any required values in the macro.
Displaying Smartports Macros
To display the Smartports macros, use one or more of the privileged EXEC commands in Table 12-2.
Table 12-2 Commands for Displaying Smartports Macros
show parser macro
  Displays all configured macros.
show parser macro name macro-name
  Displays a specific macro.
show parser macro brief
  Displays the configured macro names.
Chapter 13 Configuring VLANs
This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS). Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Understanding VLANs
Figure 13-1 shows an example of VLANs segmented into logically defined networks.
Figure 13-1 VLANs as Logically Defined Networks
[Figure: Engineering VLAN, Marketing VLAN, and Accounting VLAN spanning Enclosure 1, Enclosure 2, and Enclosure 3, connected over Gigabit Ethernet to a Cisco router.]
VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
Although the switch or switch stack supports a total of 1005 (normal range and extended range) VLANs, the number of routed ports, SVIs, and other configured features affects the use of the switch hardware. The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
Configuring Normal-Range VLANs
Table 13-1 Port Membership Modes and Characteristics (continued)
Membership Mode: Dynamic access
VLAN Membership Characteristics: A dynamic-access port can belong to one VLAN (VLAN ID 1 to 4094) and is dynamically assigned by a VMPS. The VMPS can be a Catalyst 5000 or Catalyst 6500 series switch, for example, but never a blade switch. The switch is a VMPS client.
VTP Characteristics: VTP is required.
Caution You can cause inconsistency in the VLAN database if you attempt to manually delete the vlan.dat file. If you want to modify the VLAN configuration, use the commands described in these sections and in the command reference for this release. To change the VTP configuration, see Chapter 14, “Configuring VTP.”
You use the interface configuration mode to define the port membership mode and to add and remove ports from VLANs.
Token Ring VLANs
Although the switch does not support Token Ring connections, a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches.
Chapter 13 Configuring VLANs Configuring Normal-Range VLANs VLAN Configuration Mode Options You can configure normal-range VLANs (with VLAN IDs 1 to 1005) by using these two configuration modes: • VLAN Configuration in config-vlan Mode, page 13-7 You access config-vlan mode by entering the vlan vlan-id global configuration command. • VLAN Configuration in VLAN Database Configuration Mode, page 13-7 You access VLAN database configuration mode by entering the vlan database privileged EXEC command.
When you save VLAN and VTP information (including extended-range VLAN configuration information) in the startup configuration file and reboot the switch, the switch configuration is selected as follows:
• If the VTP mode is transparent in the startup configuration, and the VLAN database and the VTP domain name from the VLAN database match that in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and
Creating or Modifying an Ethernet VLAN
Each Ethernet VLAN in the VLAN database has a unique, 4-digit ID that can be a number from 1 to 1001. VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs. To create a normal-range VLAN to be added to the VLAN database, assign a number and name to the VLAN.
Note: When the switch is in VTP transparent mode, you can assign VLAN IDs greater than 1006, but they are not added to the VLAN database.
You can also create or modify Ethernet VLANs by using the VLAN database configuration mode.
Note: VLAN database configuration mode does not support RSPAN VLAN configuration or extended-range VLANs.
Beginning in privileged EXEC mode, follow these steps to use VLAN database configuration mode to create or modify an Ethernet VLAN:
Step 1: vlan database. Purpose: Enter VLAN database configuration mode.
Caution: When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN.
Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch:
Step 1: configure terminal. Purpose: Enter global configuration mode.
Step 2: no vlan vlan-id. Purpose: Remove the VLAN by entering the VLAN ID.
To return an interface to its default configuration, use the default interface interface-id interface configuration command. This example shows how to configure a port as an access port in VLAN 2:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Configuring Extended-Range VLANs
Extended-Range VLAN Configuration Guidelines
Follow these guidelines when creating extended-range VLANs:
• To add an extended-range VLAN, you must use the vlan vlan-id global configuration command and access config-vlan mode. You cannot add extended-range VLANs in VLAN database configuration mode (accessed by entering the vlan database privileged EXEC command).
Creating an Extended-Range VLAN
You create an extended-range VLAN in global configuration mode by entering the vlan global configuration command with a VLAN ID from 1006 to 4094. This command accesses config-vlan mode. The extended-range VLAN has the default Ethernet VLAN characteristics (see Table 13-2), and the MTU size, private VLAN, and RSPAN configuration are the only parameters you can change.
This example shows how to create a new extended-range VLAN with all default characteristics, enter config-vlan mode, and save the new VLAN in the switch startup configuration file:
Switch(config)# vtp mode transparent
Switch(config)# vlan 2000
Switch(config-vlan)# end
Switch# copy running-config startup-config
Creating an Extended-Range VLAN with an Internal VLAN ID
If you enter an extended-range VLAN ID that is already assigned to an internal
Displaying VLANs
Use the show vlan privileged EXEC command to display a list of all VLANs on the switch, including extended-range VLANs. The display includes VLAN status, ports, and configuration information. To view normal-range VLANs in the VLAN database (1 to 1005), use the show VLAN database configuration command (accessed by entering the vlan database privileged EXEC command). Table 13-3 lists the commands for monitoring VLANs.
Configuring VLAN Trunks
Figure 13-2 shows a network of switches that are connected by ISL trunks.
Figure 13-2 Switches in an ISL Trunking Environment (figure: a Catalyst 6500 series switch connected by ISL trunks to four blade switches carrying VLAN1, VLAN2, and VLAN3)
Figure 13-3 shows a network of switches that are connected by IEEE 802.1Q trunks.
Figure 13-3 Switches in an IEEE 802.
Ethernet trunk interfaces support different trunking modes (see Table 13-4). You can set an interface as trunking or nontrunking or to negotiate trunking with the neighboring interface. To autonegotiate trunking, the interfaces must be in the same VTP domain. Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which is a point-to-point protocol.
Encapsulation Types
Table 13-5 lists the Ethernet trunk encapsulation types and keywords.
Table 13-5 Ethernet Trunk Encapsulation Types
Encapsulation: switchport trunk encapsulation isl. Function: Specifies ISL encapsulation on the trunk link.
Encapsulation: switchport trunk encapsulation dot1q. Function: Specifies IEEE 802.1Q encapsulation on the trunk link.
Default Layer 2 Ethernet Interface VLAN Configuration
Table 13-6 shows the default Layer 2 Ethernet interface VLAN configuration.
– STP Port Fast setting.
– Trunk status: if one port in a port group ceases to be a trunk, all ports cease to be trunks.
• We recommend that you configure no more than 24 trunk ports in PVST mode and no more than 40 trunk ports in MST mode.
• If you try to enable IEEE 802.1x on a trunk port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, the port mode is not changed.
To return an interface to its default configuration, use the default interface interface-id interface configuration command. To reset all trunking characteristics of a trunking interface to the defaults, use the no switchport trunk interface configuration command. To disable trunking, use the switchport mode access interface configuration command to configure the port as a static-access port. This example shows how to configure a port as an IEEE 802.
Step 4: switchport trunk allowed vlan {add | all | except | remove} vlan-list. Purpose: (Optional) Configure the list of VLANs allowed on the trunk. For explanations about using the add, all, except, and remove keywords, see the command reference for this release. The vlan-list parameter is either a single VLAN number from 1 to 4094 or a range of VLANs described by two VLAN numbers, the lower one first, separated by a hyphen.
Step 5: show interfaces interface-id switchport. Purpose: Verify your entries in the Pruning VLANs Enabled field of the display.
Step 6: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
To return to the default pruning-eligible list of all VLANs, use the no switchport trunk pruning vlan interface configuration command.
You configure load sharing on trunk ports by using STP port priorities or STP path costs. For load sharing using STP port priorities, both load-sharing links must be connected to the same switch. For load sharing using STP path costs, each load-sharing link can be connected to the same switch or to two different switches. For more information about STP, see Chapter 18, “Configuring STP.
Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 13-4.
Step 1: configure terminal. Purpose: Enter global configuration mode on Switch A.
Step 2: vtp domain domain-name. Purpose: Configure a VTP administrative domain. The domain name can be 1 to 32 characters.
Step 3: vtp mode server. Purpose: Configure Switch A as the VTP server.
Step 4: end. Purpose: Return to privileged EXEC mode.
Load Sharing Using STP Path Cost
You can configure parallel trunks to share VLAN traffic by setting different path costs on a trunk and associating the path costs with different sets of VLANs, blocking different ports for different VLANs. The VLANs keep the traffic separate and maintain redundancy in the event of a lost link. In Figure 13-5, trunk ports 1 and 2 are configured as 100BASE-T ports.
Step 12: spanning-tree vlan 2-4 cost 30. Purpose: Set the spanning-tree path cost to 30 for VLANs 2 through 4.
Step 13: end. Purpose: Return to global configuration mode.
Step 14: Repeat Steps 9 through 13 on the other configured trunk interface on Switch A, and set the spanning-tree path cost to 30 for VLANs 8, 9, and 10.
Step 15: exit. Purpose: Return to privileged EXEC mode.
Step 16: show running-config. Purpose: Verify your entries.
Configuring VMPS
If the port is currently unassigned (that is, it does not yet have a VLAN assignment), the VMPS provides one of these responses:
• If the host is allowed on the port, the VMPS sends the client a vlan-assignment response containing the assigned VLAN name and allowing access to the host.
• If the host is not allowed on the port and the VMPS is in open mode, the VMPS sends an access-denied response.
Default VMPS Client Configuration
Table 13-7 shows the default VMPS and dynamic-access port configuration on client switches.
Entering the IP Address of the VMPS
You must first enter the IP address of the server to configure the switch as a client. Beginning in privileged EXEC mode, follow these steps to enter the IP address of the VMPS:
Step 1: configure terminal. Purpose: Enter global configuration mode.
Step 2: vmps server ipaddress primary. Purpose: Enter the IP address of the switch acting as the primary VMPS server.
To return an interface to its default configuration, use the default interface interface-id interface configuration command. To return an interface to its default switchport mode (dynamic auto), use the no switchport mode interface configuration command. To reset the access mode to the default VLAN for the switch, use the no switchport access vlan interface configuration command.
To return the switch to its default setting, use the no vmps retry global configuration command.
Monitoring the VMPS
You can display information about the VMPS by using the show vmps privileged EXEC command. The switch displays this information about the VMPS:
• VMPS VQP Version—the version of VQP used to communicate with the VMPS. The switch queries the VMPS that is using VQP Version 1.
VMPS Configuration Example
Figure 13-6 shows a network with a VMPS server switch and VMPS client switches with dynamic-access ports. In this example, these assumptions apply:
• The VMPS server and the VMPS client are separate switches.
• The Catalyst 6500 series Switch A is the primary VMPS server.
• The Catalyst 6500 series Switch C and Switch J are secondary VMPS servers.
• End stations are connected to the clients, Switch B and Switch I.
Chapter 14 Configuring VTP
This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding VTP
The switch supports 1005 VLANs, but the number of routed ports, SVIs, and other configured features affects the usage of the switch hardware. If the switch is notified by VTP of a new VLAN and the switch is already using the maximum available hardware resources, it sends a message that there are not enough hardware resources available and shuts down the VLAN. The output of the show vlan user EXEC command shows the VLAN in a suspended state.
For domain name and password configuration guidelines, see the “VTP Configuration Guidelines” section on page 14-8.
VTP Modes
You can configure a supported switch or switch stack to be in one of the VTP modes listed in Table 14-1.
Table 14-1 VTP Modes
VTP server: In VTP server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as the VTP version) for the entire VTP domain.
VTP advertisements distribute this global domain information:
• VTP domain name
• VTP configuration revision number
• Update identity and update timestamp
• MD5 digest VLAN configuration, including maximum transmission unit (MTU) size for each VLAN
• Frame format
VTP advertisements distribute this VLAN information for each configured VLAN:
• VLAN IDs (ISL and IEEE 802.
VTP pruning blocks unneeded flooded traffic to VLANs on trunk ports that are included in the pruning-eligible list. Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning-eligible on switch trunk ports. If the VLANs are configured as pruning-ineligible, the flooding continues. VTP pruning is supported with VTP Version 1 and Version 2. Figure 14-1 shows a switched network without VTP pruning enabled.
Configuring VTP
Enabling VTP pruning on a VTP server enables pruning for the entire management domain. Making VLANs pruning-eligible or pruning-ineligible affects pruning eligibility for those VLANs on that trunk only (not on all switches in the VTP domain). See the “Enabling VTP Pruning” section on page 14-14. VTP pruning takes effect several seconds after you enable it. VTP pruning does not prune traffic from VLANs that are pruning-ineligible.
Default VTP Configuration
Table 14-2 shows the default VTP configuration.
Table 14-2 Default VTP Configuration
VTP domain name: Null.
VTP mode: Server.
VTP version: Version 1 (Version 2 is disabled).
VTP password: None.
VTP pruning: Disabled.
VTP Configuration Options
You can configure VTP by using these configuration modes.
VTP Configuration in VLAN Database Configuration Mode
You can configure all VTP parameters in VLAN database configuration mode, which you access by entering the vlan database privileged EXEC command. For more information about available keywords, see the vtp VLAN database configuration command description in the command reference for this release.
VTP Version
Follow these guidelines when deciding which VTP version to implement:
• All switches in a VTP domain must run the same VTP version.
• A VTP Version 2-capable switch can operate in the same VTP domain as a switch running VTP Version 1 if Version 2 is disabled on the Version 2-capable switch (Version 2 is disabled by default).
• Do not enable VTP Version 2 on a switch unless all of the switches in the same VTP domain are Version-2-capable.
Step 4: vtp password password. Purpose: (Optional) Set the password for the VTP domain. The password can be 8 to 64 characters. If you configure a VTP password, the VTP domain does not function properly if you do not assign the same password to each switch in the domain.
Step 5: end. Purpose: Return to privileged EXEC mode.
Step 6: show vtp status. Purpose: Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.
This example shows how to use VLAN database configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:
Switch# vlan database
Switch(vlan)# vtp server
Switch(vlan)# vtp domain eng_group
Switch(vlan)# vtp password mypassword
Switch(vlan)# exit
APPLY completed.
Exiting....
Switch#
Configuring a VTP Client
When a switch is in VTP client mode, you cannot change its VLAN configuration.
Use the no vtp mode global configuration command to return the switch to VTP server mode. To return the switch to a no-password state, use the no vtp password privileged EXEC command. When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain.
Note: You can also configure VTP transparent mode by using the vlan database privileged EXEC command to enter VLAN database configuration mode and by entering the vtp transparent command, similar to the second procedure under the “Configuring a VTP Server” section on page 14-9. Use the no vtp transparent VLAN database configuration command to return the switch to VTP server mode.
Enabling VTP Pruning
Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode. Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the VTP domain:
Step 1: configure terminal. Purpose: Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain:
Step 1: show vtp status. Purpose: Check the VTP configuration revision number. If the number is 0, add the switch to the VTP domain. If the number is greater than 0, follow these steps:
a. Write down the domain name.
b. Write down the configuration revision number.
c.
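To show why the revision check in Step 1 matters before a switch joins a domain, here is an added example (not code from this guide) that models how a switch running VTP Version 1 or 2 decides whether to accept an advertised VLAN database, using the advertisement contents listed under Understanding VTP: domain name, configuration revision number, and MD5 digest. The class and method names, the simplified digest layout, and the reset_revision() stand-in for the reset procedure are my own.

```python
"""Model of how a switch running VTP Version 1 or 2 decides whether to take
a VLAN database from a received advertisement.

Added example, not code from the configuration guide.  It models the checks
implied by the advertisement contents listed under Understanding VTP: the
domain name must match, the MD5 digest must verify under the receiver's own
VTP password, and the configuration revision number must be higher than the
receiver's.  Class and method names are mine, the digest layout is a
simplification of the real one, and reset_revision() stands in for the
guide's reset procedure without modelling its CLI steps.
"""
import hashlib


class VtpSwitch:
    def __init__(self, name, domain, password="", mode="server"):
        self.name = name
        self.domain = domain
        self.password = password
        self.mode = mode                 # "server", "client" or "transparent"
        self.revision = 0
        self.vlans = {1: "default"}      # VLAN ID -> VLAN name

    def _digest(self, revision, vlans):
        # Simplified stand-in for the MD5 digest carried in a VTP advertisement.
        body = "%s|%d|%s|%s" % (self.domain, revision,
                                sorted(vlans.items()), self.password)
        return hashlib.md5(body.encode()).hexdigest()

    def create_vlan(self, vlan_id, name):
        """Local VLAN change; only a server may do this, and each one bumps the revision."""
        if self.mode != "server":
            raise RuntimeError("%s: VLANs can only be changed in server mode" % self.name)
        self.vlans[vlan_id] = name
        self.revision += 1

    def advertise(self):
        """The parts of a VTP advertisement this model cares about."""
        return {"domain": self.domain, "revision": self.revision,
                "digest": self._digest(self.revision, self.vlans),
                "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Apply an advertisement if it passes every check; return what happened."""
        if self.mode == "transparent":
            return "ignored: transparent mode"
        if adv["domain"] != self.domain:
            return "ignored: different domain"
        if adv["digest"] != self._digest(adv["revision"], adv["vlans"]):
            return "ignored: digest mismatch (password differs)"
        if adv["revision"] <= self.revision:
            return "ignored: revision %d not newer than %d" % (adv["revision"], self.revision)
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        return "accepted: now at revision %d" % self.revision

    def reset_revision(self):
        """Stand-in for the guide's reset procedure (CLI steps not modelled)."""
        self.revision = 0


def join_domain(reset_first):
    """Constructed scenario: a switch previously used elsewhere (revision 5)
    is added to a production domain that is at revision 3.  Returns the
    VLAN tables of the production server and of the newcomer afterwards."""
    prod = VtpSwitch("A", "eng_group", "mypassword")
    for vid, name in ((10, "users"), (20, "voice"), (30, "servers")):
        prod.create_vlan(vid, name)                  # revision becomes 3
    newcomer = VtpSwitch("N", "eng_group", "mypassword")
    for vid, name in ((10, "lab-a"), (40, "lab-b"), (50, "lab-c"),
                      (60, "lab-d"), (70, "lab-e")):
        newcomer.create_vlan(vid, name)              # revision becomes 5
    if reset_first:
        newcomer.reset_revision()                    # what Step 1 is checking for
    prod.receive(newcomer.advertise())
    newcomer.receive(prod.advertise())
    return dict(prod.vlans), dict(newcomer.vlans)


if __name__ == "__main__":
    print("without reset:", join_domain(reset_first=False)[0])  # production VLANs replaced
    print("with reset:   ", join_domain(reset_first=True)[0])   # production VLANs intact
```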
Monitoring VTP
You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 14-3 shows the privileged EXEC commands for monitoring VTP activity.
Table 14-3 VTP Monitoring Commands
show vtp status: Display the VTP switch configuration information.
Chapter 15 Configuring Voice VLAN
This chapter describes how to configure the voice VLAN feature on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6500 family switch documentation.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding Voice VLAN
Figure 15-1 shows one way to connect a Cisco 7960 IP Phone.
Figure 15-1 Cisco 7960 IP Phone Connected to a Switch (figure: the phone's internal 3-port switch, with ports P1, P2, and P3 connecting the switch access port, the phone ASIC, and the PC)
Cisco IP Phone Voice Traffic
You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.
Configuring Voice VLAN
Note: Untagged traffic from the device attached to the Cisco IP Phone passes through the phone unchanged, regardless of the trust state of the access port on the phone.
• If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN:
– They both use IEEE 802.1p or untagged frames.
– The Cisco IP Phone uses IEEE 802.1p frames, and the device uses untagged frames.
– The Cisco IP Phone uses untagged frames, and the device uses IEEE 802.1p frames.
– The Cisco IP Phone uses IEEE 802.
Configuring Cisco IP Phone Voice Traffic
You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value. It can use IEEE 802.1p priority tagging to give voice traffic a higher priority and forward all voice traffic through the native (access) VLAN.
This example shows how to configure a port connected to a Cisco IP Phone to use the CoS value to classify incoming traffic, to use IEEE 802.1p priority tagging for voice traffic, and to use the default native VLAN (VLAN 0) to carry all traffic:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Step 3: switchport priority extend {cos value | trust}. Purpose: Set the priority of data traffic received from the Cisco IP Phone access port:
• cos value—Configure the phone to override the priority received from the PC or the attached device with the specified CoS value. The value is a number from 0 to 7, with 7 as the highest priority. The default priority is cos 0.
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide, OL-13270-03
Chapter 16 Configuring Private VLANs
This chapter describes how to configure private VLANs on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding Private VLANs
Figure 16-1 Private-VLAN Domain (figure: a private VLAN domain with one primary VLAN divided into subdomains, a secondary isolated VLAN and a secondary community VLAN)
There are two types of secondary VLANs:
• Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.
Primary and secondary VLANs have these characteristics:
• Primary VLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.
• Isolated VLAN—A private VLAN has only one isolated VLAN.
Private VLANs across Multiple Switches
As with regular VLANs, private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch. The trunk port treats the private VLAN as any other VLAN. A feature of private VLANs across multiple switches is that traffic from an isolated port in Switch A does not reach an isolated port on Switch B. See Figure 16-2.
You should also see the “Secondary and Primary VLAN Configuration” section on page 16-7 under the “Private-VLAN Configuration Guidelines” section.
Private VLANs and Unicast, Broadcast, and Multicast Traffic
In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but devices connected to interfaces in different VLANs must communicate at the Layer 3 level.
Configuring Private VLANs
• If two stacks merge, private VLANs on the winning stack are not affected, but private-VLAN configuration on the losing switch is lost when that switch reboots. For more information about switch stacks, see Chapter 6, “Managing Switch Stacks.
Private-VLAN Configuration Guidelines
Guidelines for configuring private VLANs fall into these categories:
• Secondary and Primary VLAN Configuration, page 16-7
• Private-VLAN Port Configuration, page 16-8
• Limitations with Other Features, page 16-9
Secondary and Primary VLAN Configuration
Follow these guidelines when configuring private VLANs:
• Set VTP to transparent mode.
– The ip sticky-arp interface configuration command is only supported on Layer 3 interfaces, SVIs belonging to normal VLANs, and SVIs belonging to private VLANs. For more information about using the ip sticky-arp global configuration and the ip sticky-arp interface configuration commands, see the command reference for this release.
• You can configure VLAN maps on primary and secondary VLANs (see the “Configuring VLAN Maps” section on page 34-30).
Limitations with Other Features
When configuring private VLANs, remember these limitations with other features:
Note: In some cases, the configuration is accepted with no error messages, but the commands have no effect.
• Do not configure fallback bridging on switches with private VLANs.
• When IGMP snooping is enabled on the switch (the default), the switch or switch stack supports no more than 20 private-VLAN domains.
Configuring and Associating VLANs in a Private VLAN
Beginning in privileged EXEC mode, follow these steps to configure a private VLAN:
Note: The private-vlan commands do not take effect until you exit VLAN configuration mode.
Step 1: configure terminal. Purpose: Enter global configuration mode.
Step 2: vtp mode transparent. Purpose: Set VTP mode to transparent (disable VTP).
When you associate secondary VLANs with a primary VLAN, note this syntax information:
• The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single private-VLAN ID or a hyphenated range of private-VLAN IDs.
• The secondary_vlan_list parameter can contain multiple community VLAN IDs but only one isolated VLAN ID.
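The vlan-list syntax for switchport trunk allowed vlan (Step 4 of the trunk configuration in Chapter 13) and the secondary_vlan_list syntax described here share the same item grammar, so one validator covers both. This is an added example, not code from the guide; the function names and the sample VLAN numbers are mine.

```python
"""Validator for the vlan-list grammar used by 'switchport trunk allowed vlan'
and by the private-VLAN secondary_vlan_list.

Added example, not code from the configuration guide.  It encodes the rules
the guide states: comma-separated items with no spaces, each item a single
VLAN ID from 1 to 4094 or a hyphenated range with the lower number first,
and (for a private-VLAN association) any number of community VLANs but at
most one isolated VLAN.  Function names and sample VLAN numbers are mine.
"""
import re

VLAN_MIN, VLAN_MAX = 1, 4094
_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_vlan_list(text):
    """Return the sorted list of VLAN IDs named by a vlan-list string.

    Raises ValueError on anything the switch would reject: spaces, empty
    items, IDs outside 1 to 4094, or a range written high-low.
    """
    if " " in text:
        raise ValueError("vlan-list must not contain spaces")
    ids = set()
    for item in text.split(","):
        match = _ITEM.match(item)
        if not match:
            raise ValueError("bad vlan-list item: %r" % item)
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high:
            raise ValueError("range must give the lower VLAN first: %r" % item)
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError("VLAN IDs must be 1 to 4094: %r" % item)
        ids.update(range(low, high + 1))
    return sorted(ids)


def parse_secondary_vlan_list(text, vlan_types):
    """Validate a private-VLAN secondary_vlan_list against known VLAN types.

    vlan_types maps VLAN ID -> "community" or "isolated" (taken from the
    private-vlan setting configured on each VLAN).  Returns the parsed IDs;
    raises ValueError if an ID is not a secondary VLAN or if more than one
    isolated VLAN is listed.
    """
    ids = parse_vlan_list(text)
    not_secondary = [v for v in ids
                     if vlan_types.get(v) not in ("community", "isolated")]
    if not_secondary:
        raise ValueError("not secondary VLANs: %s" % not_secondary)
    isolated = [v for v in ids if vlan_types[v] == "isolated"]
    if len(isolated) > 1:
        raise ValueError("only one isolated VLAN allowed, got %s" % isolated)
    return ids


def vlan_list_error(text, vlan_types=None):
    """Return None if the list is valid, otherwise the rejection reason.

    Useful for linting a candidate configuration before it is pushed.
    """
    try:
        if vlan_types is None:
            parse_vlan_list(text)
        else:
            parse_secondary_vlan_list(text, vlan_types)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(parse_vlan_list("2-4,8-10"))     # VLAN sets from the STP load-sharing example
    # Constructed private-VLAN layout: 501 is isolated, 502 and 503 are community VLANs.
    types = {501: "isolated", 502: "community", 503: "community"}
    print(parse_secondary_vlan_list("501,502-503", types))
    for bad in ("4-2", "1,4095", "2, 3", "501,504"):
        print(bad, "->", vlan_list_error(bad, types))
```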
Step 3: switchport mode private-vlan host. Purpose: Configure the Layer 2 port as a private-VLAN host port.
Step 4: switchport private-vlan host-association primary_vlan_id secondary_vlan_id. Purpose: Associate the Layer 2 port with a private VLAN.
Step 5: end. Purpose: Return to privileged EXEC mode.
Step 6: show interfaces [interface-id] switchport. Purpose: Verify the configuration.
Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port
Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN promiscuous port and map it to primary and secondary VLANs:
Note: Isolated and community VLANs are both secondary VLANs.
Step 1: configure terminal. Purpose: Enter global configuration mode.
Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface
If the private VLAN will be used for inter-VLAN routing, you configure an SVI for the primary VLAN and map secondary VLANs to the SVI.
Note: Isolated and community VLANs are both secondary VLANs.
Monitoring Private VLANs
Table 16-1 shows the privileged EXEC commands for monitoring private-VLAN activity.
Table 16-1 Private VLAN Monitoring Commands
show interfaces status: Display the status of interfaces, including the VLANs to which they belong.
show vlan private-vlan [type]: Display the private-VLAN information for the switch.
show interface switchport: Display private-VLAN configuration on interfaces.
Chapter 17 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling
Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure, often Ethernet-based, with the same security, prioritization, reliability, and manageability requirements of private networks.
Understanding IEEE 802.1Q Tunneling
Customer traffic tagged in the normal way with appropriate VLAN IDs comes from an IEEE 802.1Q trunk port on the customer device and into a tunnel port on the service-provider edge switch. The link between the customer device and the edge switch is asymmetric because one end is configured as an IEEE 802.1Q trunk port, and the other end is configured as a tunnel port.
Figure: Original (Normal), IEEE 802.1Q, and Double-Tagged Ethernet Packet Formats. Original Ethernet frame: DA, SA, Len/Etype, Data, FCS. IEEE 802.1Q frame: DA, SA, Etype, Tag, Len/Etype, Data, FCS. Double-tagged frame: DA, SA, Etype, Tag, Etype, Tag, Len/Etype, Data, FCS. (DA = destination address, SA = source address, FCS = frame check sequence.)
Configuring IEEE 802.1Q Tunneling
These sections contain this configuration information:
• Default IEEE 802.1Q Tunneling Configuration, page 17-4
• IEEE 802.1Q Tunneling Configuration Guidelines, page 17-4
• IEEE 802.1Q Tunneling and Other Features, page 17-6
• Configuring an IEEE 802.1Q Tunneling Port, page 17-6
Default IEEE 802.1Q Tunneling Configuration
By default, IEEE 802.
These are some ways to solve this problem:
• Use ISL trunks between core switches in the service-provider network. Although customer interfaces connected to edge switches must be IEEE 802.1Q trunks, we recommend using ISL trunks for connecting switches in the core layer.
• Use the vlan dot1q tag native global configuration command to configure the edge switch so that all packets going out an IEEE 802.
IEEE 802.1Q Tunneling and Other Features
Although IEEE 802.1Q tunneling works well for Layer 2 packet switching, there are incompatibilities between some Layer 2 features and Layer 3 switching.
• A tunnel port cannot be a routed port.
• IP routing is not supported on a VLAN that includes IEEE 802.1Q ports. Packets received from a tunnel port are forwarded based only on Layer 2 information.
Step 5: exit. Purpose: Return to global configuration mode.
Step 6: vlan dot1q tag native. Purpose: (Optional) Set the switch to enable tagging of native VLAN packets on all IEEE 802.1Q trunk ports. When not set, and a customer VLAN ID is the same as the native VLAN, the trunk port does not apply a metro tag, and packets could be sent to the wrong destination.
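The frame formats in the packet-format figure and the native-VLAN caveat in Step 6 can be checked with a small tag parser. This is an added example, not code from the guide; it assumes the problem case is a tunnel port whose access VLAN (the metro tag) equals the native VLAN of the service-provider IEEE 802.1Q trunk, and all MAC addresses, VLAN numbers and function names are constructed.

```python
"""Parse stacked IEEE 802.1Q tags and model the native-VLAN pitfall that
'vlan dot1q tag native' addresses.

Added example, not code from the configuration guide.  Frames are built as
byte strings in the layouts of the packet-format figure (DA, SA, zero, one
or two tags, Len/Etype, Data; the FCS is omitted).  The assumed problem
case is a tunnel port whose access VLAN (the metro tag) equals the native
VLAN of the service-provider trunk.  MAC addresses, VLAN numbers and
function names are constructed for the example.
"""
import struct

DOT1Q = 0x8100      # tag EtherType; the metro tag in this model uses the same value


def parse_frame(frame):
    """Return (dst, src, [VLAN IDs outer to inner], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    offset, tags = 12, []
    while True:
        etype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if etype != DOT1Q:
            break
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append(tci & 0x0FFF)       # low 12 bits of the TCI carry the VLAN ID
        offset += 4
    return dst, src, tags, etype, frame[offset + 2:]


def build_frame(dst, src, vlans, etype, payload):
    """Inverse of parse_frame: tags are written outer to inner, PCP/DEI zero."""
    out = bytearray(dst + src)
    for vid in vlans:
        out += struct.pack("!HH", DOT1Q, vid & 0x0FFF)
    out += struct.pack("!H", etype) + payload
    return bytes(out)


def tunnel_port_ingress(frame, access_vlan):
    """Edge-switch tunnel port: push the metro tag (its access VLAN) on top."""
    dst, src, tags, etype, payload = parse_frame(frame)
    return build_frame(dst, src, [access_vlan] + tags, etype, payload)


def trunk_egress(frame, native_vlan, tag_native):
    """IEEE 802.1Q trunk sending a frame: the native VLAN leaves untagged
    unless 'vlan dot1q tag native' is configured on the switch."""
    dst, src, tags, etype, payload = parse_frame(frame)
    if tags and tags[0] == native_vlan and not tag_native:
        tags = tags[1:]
    return build_frame(dst, src, tags, etype, payload)


def trunk_ingress_vlan(frame, native_vlan):
    """IEEE 802.1Q trunk receiving a frame: the outer tag decides the VLAN,
    and an untagged frame lands in the native VLAN."""
    _, _, tags, _, _ = parse_frame(frame)
    return tags[0] if tags else native_vlan


def core_vlan_for(customer_vlan, metro_vlan, native_vlan, tag_native):
    """VLAN the next service-provider switch files a customer frame under."""
    dst = b"\x02\x00\x00\x00\x00\x01"       # constructed, locally administered
    src = b"\x02\x00\x00\x00\x00\x02"       # constructed
    customer = build_frame(dst, src, [customer_vlan], 0x0800, b"\x00" * 46)
    on_wire = trunk_egress(tunnel_port_ingress(customer, metro_vlan),
                           native_vlan, tag_native)
    return trunk_ingress_vlan(on_wire, native_vlan)


if __name__ == "__main__":
    # Customer VLAN 30 carried in metro VLAN 40 over a trunk whose native VLAN is 40.
    print(core_vlan_for(30, 40, native_vlan=40, tag_native=False))  # 30: metro tag lost
    print(core_vlan_for(30, 40, native_vlan=40, tag_native=True))   # 40: correct
    print(core_vlan_for(30, 40, native_vlan=1, tag_native=False))   # 40: native differs
```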
Understanding Layer 2 Protocol Tunneling

as normal packets. Layer 2 protocol data units (PDUs) for CDP, STP, or VTP cross the service-provider network and are delivered to customer switches on the outbound side of the service-provider network.
Configuring Layer 2 Protocol Tunneling

For example, in Figure 17-6, Customer A has two switches in the same VLAN that are connected through the SP network. When the network tunnels PDUs, switches on the far ends of the network can negotiate the automatic creation of EtherChannels without needing dedicated lines. See the “Configuring Layer 2 Tunneling for EtherChannels” section on page 17-14 for instructions.

See Figure 17-4, with Customer X and Customer Y in access VLANs 30 and 40, respectively. Asymmetric links connect the customers in Site 1 to edge switches in the service-provider network. The Layer 2 PDUs (for example, BPDUs) coming into Switch B from Customer Y in Site 1 are forwarded to the infrastructure as double-tagged packets with the well-known MAC address as the destination MAC address.

Layer 2 Protocol Tunneling Configuration Guidelines

These are some configuration guidelines and operating characteristics of Layer 2 protocol tunneling:
• The switch supports tunneling of CDP, STP, including multiple STP (MSTP), and VTP. Protocol tunneling is disabled by default but can be enabled for the individual protocols on IEEE 802.1Q tunnel ports or access ports.

Configuring Layer 2 Protocol Tunneling

Beginning in privileged EXEC mode, follow these steps to configure a port for Layer 2 protocol tunneling:
Command / Purpose:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode, and enter the interface to be configured as a tunnel port.

Use the no l2protocol-tunnel [cdp | stp | vtp] interface configuration command to disable protocol tunneling for one of the Layer 2 protocols or for all three. Use the no l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] and the no l2protocol-tunnel drop-threshold [cdp | stp | vtp] commands to return the shutdown and drop thresholds to the default settings.

Command / Purpose:
Step 5  l2protocol-tunnel shutdown-threshold [point-to-point [pagp | lacp | udld]] value
        (Optional) Configure the threshold for packets-per-second accepted for encapsulation. The interface is disabled if the configured threshold is exceeded. If no protocol option is specified, the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096.
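To make the threshold semantics of the drop-threshold and shutdown-threshold commands concrete, the following Python is an added example (not from the guide) that models a tunnel port's per-protocol thresholds over a constructed burst of PDUs. The protocol names, the one-second counting window, and the class and function names are assumptions of the model; the 1 to 4096 packets-per-second range and the disabled-by-default behaviour come from the guide.

```python
"""Added example: per-protocol drop/shutdown thresholds for Layer 2 protocol tunneling."""
from collections import defaultdict

PROTOCOLS = ("cdp", "stp", "vtp")   # protocols the guide says can be tunneled
THRESHOLD_RANGE = range(1, 4097)    # 1 to 4096 packets per second


class L2ProtocolTunnelPort:
    """Tunnel port with l2protocol-tunnel enabled for a set of protocols.
    Protocol tunneling is off by default, so 'tunneled' starts empty.
    PDUs are counted per protocol and per wall-clock second (an assumption of
    this model; the switch's exact rate-measurement window is not given)."""

    def __init__(self, tunneled=(), drop_threshold=None, shutdown_threshold=None):
        self.tunneled = set(tunneled)
        self.drop_threshold = self._check(drop_threshold or {})
        self.shutdown_threshold = self._check(shutdown_threshold or {})
        self.err_disabled = False
        self.counters = defaultdict(lambda: {"encapsulated": 0, "dropped": 0})
        self._seen = {}      # proto -> (second, PDUs seen in that second)

    @staticmethod
    def _check(thresholds):
        for proto, pps in thresholds.items():
            if proto not in PROTOCOLS or pps not in THRESHOLD_RANGE:
                raise ValueError(f"bad threshold {proto}={pps}")
        return dict(thresholds)

    def receive(self, proto, t):
        """Handle one PDU of proto arriving at time t (seconds).
        Returns 'tunneled', 'dropped', 'ignored', or 'shutdown'."""
        if self.err_disabled:
            return "dropped"               # an error-disabled port passes nothing
        if proto not in self.tunneled:
            return "ignored"               # not tunneled: handled as a normal PDU
        sec = int(t)
        last_sec, n = self._seen.get(proto, (sec, 0))
        n = n + 1 if last_sec == sec else 1
        self._seen[proto] = (sec, n)
        shut = self.shutdown_threshold.get(proto)
        if shut is not None and n > shut:
            self.err_disabled = True       # shutdown threshold exceeded: interface disabled
            self.counters[proto]["dropped"] += 1
            return "shutdown"
        drop = self.drop_threshold.get(proto)
        if drop is not None and n > drop:
            self.counters[proto]["dropped"] += 1   # drop threshold exceeded: excess dropped
            return "dropped"
        self.counters[proto]["encapsulated"] += 1
        return "tunneled"


def storm_demo():
    """Constructed burst: 12 STP BPDUs and 1 CDP PDU within one second on a port
    tunneling STP and CDP, with STP drop threshold 5 and shutdown threshold 10.
    Returns (list of outcomes in arrival order, err_disabled flag)."""
    port = L2ProtocolTunnelPort(tunneled=("stp", "cdp"),
                                drop_threshold={"stp": 5},
                                shutdown_threshold={"stp": 10})
    pdus = [("stp", 0.05 * i) for i in range(12)] + [("cdp", 0.7)]
    outcomes = [port.receive(proto, t) for proto, t in sorted(pdus, key=lambda p: p[1])]
    return outcomes, port.err_disabled
```

In the burst the first five BPDUs are encapsulated, the next five exceed the drop threshold and are dropped, the eleventh crosses the shutdown threshold and error-disables the port, and everything after that (including the unrelated CDP PDU) is lost until the port is brought back manually.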
Configuring the Customer Switch

After configuring the SP edge switch, begin in privileged EXEC mode and follow these steps to configure a customer switch for Layer 2 protocol tunneling for EtherChannels:
Command / Purpose:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode. This should be the customer switch port.
Monitoring and Maintaining Tunneling Status

Table 17-2 shows the privileged EXEC commands for monitoring and maintaining IEEE 802.1Q and Layer 2 protocol tunneling.

Table 17-2 Commands for Monitoring and Maintaining Tunneling
Command / Purpose:
clear l2protocol-tunnel counters
        Clear the protocol counters on Layer 2 protocol tunneling ports.
show dot1q-tunnel
        Display IEEE 802.
Chapter 18 Configuring STP

This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard. A switch stack appears as a single spanning-tree node to the rest of the network, and all stack members use the same bridge ID.

Understanding Spanning-Tree Features

• Supported Spanning-Tree Instances, page 18-10
• Spanning-Tree Interoperability and Backward Compatibility, page 18-11
• STP and IEEE 802.1Q Trunks, page 18-11
• VLAN-Bridge Spanning Tree, page 18-11
• Spanning Tree and Switch Stacks, page 18-12
For configuration information, see the “Configuring Spanning-Tree Features” section on page 18-12.

Spanning-Tree Topology and BPDUs

The stable, active spanning-tree topology of a switched network is controlled by these elements:
• The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch. In a switch stack, all switches use the same bridge ID for a given spanning-tree instance.
• The spanning-tree path cost to the root switch.

Only one outgoing port on the stack root switch is selected as the root port. The remaining switches in the stack become its designated switches (Switch 2 and Switch 3) as shown in Figure 18-1.
• The shortest distance to the root switch is calculated for each switch based on the path cost.
• A designated switch for each LAN segment is selected.

The switch supports the IEEE 802.1t spanning-tree extensions, and some of the bits previously used for the switch priority are now used as the VLAN identifier. The result is that fewer MAC addresses are reserved for the switch, and a larger range of VLAN IDs can be supported, all while maintaining the uniqueness of the bridge ID.

• From learning to forwarding or to disabled
• From forwarding to disabled
Figure 18-2 illustrates how an interface moves through the states.

• Does not learn addresses
• Receives BPDUs

Listening State

The listening state is the first state a Layer 2 interface enters after the blocking state. The interface enters this state when the spanning tree decides that the interface should participate in frame forwarding.

How a Switch or Port Becomes the Root Switch or Root Port

If all switches in a network are enabled with default spanning-tree settings, the switch with the lowest MAC address becomes the root switch. In Figure 18-3, Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768) and Switch A has the lowest MAC address.
[Figure 18-4 Spanning Tree and Redundant Connectivity: blade servers reached over an active link and a blocked link.]

You can also create redundant links between switches by using EtherChannel groups. For more information, see Chapter 37, “Configuring EtherChannels and Link-State Tracking.”

Spanning-Tree Address Management

IEEE 802.1D specifies 17 multicast addresses, ranging from 0x0180C2000000 to 0x0180C2000010, to be used by different bridge protocols.
Spanning-Tree Modes and Protocols

The switch supports these spanning-tree modes and protocols:
• PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.

Spanning-Tree Interoperability and Backward Compatibility

Table 18-2 lists the interoperability and compatibility among the supported spanning-tree modes in a network.

Configuring Spanning-Tree Features

individual VLAN spanning trees to prevent loops from forming if there are multiple connections among VLANs. It also prevents the individual spanning trees from the VLANs being bridged from collapsing into a single spanning tree. To support VLAN-bridge spanning tree, some of the spanning-tree timers are increased. To use the fallback bridging feature, you must have the IP services feature set enabled on your switch.

• Configuring the Switch Priority of a VLAN, page 18-21 (optional)
• Configuring Spanning-Tree Timers, page 18-22 (optional)

Default Spanning-Tree Configuration

Table 18-3 shows the default spanning-tree configuration.

Table 18-3 Default Spanning-Tree Configuration
Feature / Default Setting:
Enable state
        Enabled on VLAN 1. For more information, see the “Supported Spanning-Tree Instances” section on page 18-10.
Spanning-tree mode
        PVST+.

Caution: Switches that are not running spanning tree still forward BPDUs that they receive so that the other switches on the VLAN that have a running spanning-tree instance can break loops. Therefore, spanning tree must be running on enough switches to break all the loops in the network; for example, at least one switch on each loop in the VLAN must be running spanning tree.

Changing the Spanning-Tree Mode

The switch supports three spanning-tree modes: PVST+, rapid PVST+, and MSTP. By default, the switch runs the PVST+ protocol. Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required.
Command / Purpose:
Step 1  configure terminal
        Enter global configuration mode.

Disabling Spanning Tree

Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in the “Supported Spanning-Tree Instances” section on page 18-10. Disable spanning tree only if you are sure there are no loops in the network topology.

Note: The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root.

Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).

Configuring a Secondary Root Switch

When you configure a switch as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails. This assumes that the other network switches use the default switch priority of 32768 and are therefore unlikely to become the root switch.
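The bridge-ID arithmetic behind the election described in this chapter (the extended system ID from the IEEE 802.1t extensions, lowest MAC wins at equal priority, the 28672 of root secondary, and the 24576 / 4096-below-the-lowest rule that Chapter 19 states for root primary) can be worked through in a few lines. This Python is an added example, not the switch's own code; switch names and MAC addresses are constructed, and the handling of a primary priority that would go below 0 is an assumption.

```python
"""Added example: bridge IDs with the extended system ID, root election, and the
priority that 'spanning-tree ... root primary | secondary' selects."""

DEFAULT_PRIORITY = 32768
SECONDARY_PRIORITY = 28672      # root secondary
PRIMARY_PRIORITY = 24576        # root primary, unless a lower priority already exists
PRIORITY_STEP = 4096            # least-significant bit of the 4-bit priority field


def bridge_id(priority, vlan_id, mac):
    """64-bit bridge ID: 4-bit priority, 12-bit extended system ID (the VLAN ID,
    per IEEE 802.1t), then the 48-bit MAC address. Lower is better."""
    if priority % PRIORITY_STEP or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return ((priority + vlan_id) << 48) | int(mac.replace(":", "").replace(".", ""), 16)


def displayed_priority(priority, vlan_id):
    """Value the show output prints, e.g. 32769 for priority 32768 on VLAN 1."""
    return priority + vlan_id


def elect_root(switches, vlan_id):
    """switches: {name: (priority, mac)}. Returns the name with the lowest bridge ID."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan_id, switches[n][1]))


def root_primary_priority(current_priorities):
    """Priority 'root primary' assigns: 24576 unless some switch already has a
    lower priority, in which case 4096 less than the lowest. Returns None when
    that would be negative (assumption: the command cannot go below 0)."""
    lowest = min(current_priorities)
    if lowest < PRIMARY_PRIORITY:
        return lowest - PRIORITY_STEP if lowest - PRIORITY_STEP >= 0 else None
    return PRIMARY_PRIORITY


def root_secondary_priority():
    return SECONDARY_PRIORITY


def election_demo():
    """Three constructed switches at default priority on VLAN 10; then the
    backbone switch is made primary root and a second one secondary.
    Returns (root by default, root after primary, root if the primary fails)."""
    switches = {
        "access-1": (DEFAULT_PRIORITY, "00:1a:00:00:00:01"),    # lowest MAC
        "backbone-a": (DEFAULT_PRIORITY, "00:1a:00:00:00:aa"),
        "backbone-b": (DEFAULT_PRIORITY, "00:1a:00:00:00:bb"),
    }
    default_root = elect_root(switches, 10)
    others = [p for n, (p, _) in switches.items() if n != "backbone-a"]
    switches["backbone-a"] = (root_primary_priority(others), switches["backbone-a"][1])
    switches["backbone-b"] = (root_secondary_priority(), switches["backbone-b"][1])
    without_primary = {n: v for n, v in switches.items() if n != "backbone-a"}
    return default_root, elect_root(switches, 10), elect_root(without_primary, 10)
```

With every switch at 32768 the access switch with the lowest MAC wins, which is exactly the situation the note above warns against; after root primary and root secondary the backbone switches win in the intended order.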
Note: If your switch is a member of a switch stack, you must use the spanning-tree [vlan vlan-id] cost cost interface configuration command instead of the spanning-tree [vlan vlan-id] port-priority priority interface configuration command to select an interface to put in the forwarding state. Assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.

To return to the default setting, use the no spanning-tree [vlan vlan-id] port-priority interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree port priorities, see the “Configuring Trunk Ports for Load Sharing” section on page 13-24.

Configuring Path Cost

The spanning-tree path cost default value is derived from the media speed of an interface.

Note: The show spanning-tree interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration.

To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command.

Configuring Spanning-Tree Timers

Table 18-4 describes the timers that affect the entire spanning-tree performance.

Table 18-4 Spanning-Tree Timers
Variable / Description:
Hello timer
        Controls how often the switch broadcasts hello messages to other switches.
Forward-delay timer
        Controls how long each of the listening and learning states lasts before the interface begins forwarding.

Configuring the Forwarding-Delay Time for a VLAN

Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional.
Command / Purpose:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  spanning-tree vlan vlan-id forward-time seconds
        Configure the forward time of a VLAN.

Configuring the Transmit Hold-Count

You can configure the BPDU burst size by changing the transmit hold count value.

Note: Changing this parameter to a higher value can have a significant impact on CPU utilization, especially in Rapid-PVST mode. Lowering this value can slow down convergence in certain scenarios. We recommend that you maintain the default setting.
Chapter 19 Configuring MSTP

This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the switch.

Note: The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard.

The MSTP enables multiple VLANs to be mapped to the same spanning-tree instance, reducing the number of spanning-tree instances needed to support a large number of VLANs. The MSTP provides for multiple forwarding paths for data traffic and enables load-balancing.

Understanding MSTP

MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load-balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.

The IST is the only spanning-tree instance that sends and receives BPDUs. All of the other spanning-tree instance information is contained in M-records, which are encapsulated within MSTP BPDUs. Because the MSTP BPDU carries information for all instances, the number of BPDUs that need to be processed to support multiple spanning-tree instances is significantly reduced.

The IST connects all the MSTP switches in the region and appears as a subtree in the CIST that encompasses the entire switched domain. The root of the subtree is the CIST regional root. The MST region appears as a virtual switch to adjacent STP switches and MST regions. Figure 19-1 shows a network with three MST regions and a legacy IEEE 802.1D switch (D). The CIST regional root for region 1 (A) is also the CIST root.

IEEE 802.1s Terminology

Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network.

Boundary Ports

In the Cisco prestandard implementation, a boundary port connects an MST region to a single spanning-tree region running RSTP, to a single spanning-tree region running PVST+ or rapid PVST+, or to another MST region with a different MST configuration. A boundary port also connects to a LAN, the designated switch of which is either a single spanning-tree switch or a switch with a different MST configuration.

• The boundary port is not the root port of the CIST regional root—The MSTI ports follow the state and role of the CIST port. The standard provides less information, and it might be difficult to understand why an MSTI port can be alternately blocking when it receives no BPDUs (MRecords). In this case, although the boundary role no longer exists, the show commands identify a port as boundary in the type column of the output.

Figure 19-3 illustrates a unidirectional link failure that typically creates a bridging loop. Switch A is the root switch, and its BPDUs are lost on the link leading to switch B. RSTP and MST BPDUs include the role and state of the sending port. With this information, switch A can detect that switch B does not react to the superior BPDUs it sends and that switch B is the designated switch, not the root switch.
Understanding RSTP

to a port when the switch to which this switch is connected has joined the region. To restart the protocol migration process (force the renegotiation with neighboring switches), use the clear spanning-tree detected-protocols privileged EXEC command. If all the legacy switches on the link are RSTP switches, they can process MSTP BPDUs as if they are RSTP BPDUs.

In a stable topology with consistent port roles throughout the network, the RSTP ensures that every root port and designated port immediately transitions to the forwarding state while all alternate and backup ports are always in the discarding state (equivalent to blocking in IEEE 802.1D). The port state controls the operation of the forwarding and learning processes. Table 19-2 provides a comparison of IEEE 802.1D and RSTP port states.

When Switch C is connected to Switch B, a similar set of handshaking messages is exchanged. Switch C selects the port connected to Switch B as its root port, and both ends immediately transition to the forwarding state. With each iteration of this handshaking process, one more switch joins the active topology. As the network converges, this proposal-agreement handshaking progresses from the root toward the leaves of the spanning tree.

After ensuring that all of the ports are synchronized, the switch sends an agreement message to the designated switch corresponding to its root port. When the switches connected by a point-to-point link are in agreement about their port roles, the RSTP immediately transitions the port states to forwarding. The sequence of events is shown in Figure 19-5.

[Figure 19-5 Sequence of Events During Rapid Convergence; the numbered steps include 1. Proposal and 4. Agreement.]

The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN. The port role in the proposal message is always set to the designated port. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal. The port role in the agreement message is always set to the root port. The RSTP does not have a separate topology change notification (TCN) BPDU.
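The proposal/agreement handshake described above, as an added Python example (not the guide's code) that shows both switches' messages: the upstream designated port sends a BPDU with the proposal flag, the downstream switch syncs by putting its other non-edge designated ports into discarding, selects the receiving port as its root port and answers with the agreement flag, and both ends of the point-to-point link move to forwarding. Switch names, port names, and the message dictionary layout are constructed for the example.

```python
"""Added example: RSTP proposal/agreement handshake on a point-to-point link."""


class RstpSwitch:
    def __init__(self, name, ports):
        """ports: {port_name: {"role": ..., "edge": bool}}. Non-edge ports start in
        discarding; edge ports (hosts) forward from the start and are not synced."""
        self.name = name
        self.ports = {p: dict(cfg, state="forwarding" if cfg["edge"] else "discarding")
                      for p, cfg in ports.items()}
        self.log = []

    def send_proposal(self, port):
        """A designated port proposes itself as designated on the LAN: the BPDU
        carries the proposal flag and the designated port role."""
        if self.ports[port]["role"] != "designated":
            raise ValueError("only a designated port proposes")
        self.log.append(f"{self.name}:{port} -> proposal")
        return {"type": "bpdu", "flags": {"proposal": True, "agreement": False},
                "port_role": "designated"}

    def receive_proposal(self, port, msg):
        """Sync: every other non-edge designated port goes to discarding so no
        loop can form; the receiving port becomes the root port and an
        agreement (agreement flag, root port role) is returned."""
        if not msg["flags"]["proposal"]:
            raise ValueError("not a proposal")
        for p, cfg in self.ports.items():
            if p != port and cfg["role"] == "designated" and not cfg["edge"]:
                cfg["state"] = "discarding"
                self.log.append(f"{self.name}:{p} sync -> discarding")
        self.ports[port].update(role="root", state="forwarding")
        self.log.append(f"{self.name}:{port} root port forwarding -> agreement")
        return {"type": "bpdu", "flags": {"proposal": False, "agreement": True},
                "port_role": "root"}

    def receive_agreement(self, port, msg):
        """The proposing designated port may forward as soon as it is agreed to."""
        if not msg["flags"]["agreement"]:
            raise ValueError("not an agreement")
        self.ports[port]["state"] = "forwarding"
        self.log.append(f"{self.name}:{port} designated port forwarding")


def handshake_demo():
    """Root switch A proposes to B over Gi1/0/1; B also has a downstream link
    (Gi1/0/2) and a host port (Gi1/0/3). Returns the final port states."""
    a = RstpSwitch("A", {"Gi1/0/1": {"role": "designated", "edge": False}})
    b = RstpSwitch("B", {"Gi1/0/1": {"role": "designated", "edge": False},
                         "Gi1/0/2": {"role": "designated", "edge": False},
                         "Gi1/0/3": {"role": "designated", "edge": True}})
    proposal = a.send_proposal("Gi1/0/1")
    agreement = b.receive_proposal("Gi1/0/1", proposal)
    a.receive_agreement("Gi1/0/1", agreement)
    return {"A": {p: c["state"] for p, c in a.ports.items()},
            "B": {p: c["state"] for p, c in b.ports.items()}}
```

After one exchange the A-B link forwards at both ends without waiting on any timer, B's downstream port Gi1/0/2 sits in discarding until it completes its own proposal/agreement with the next switch, and the edge port was never touched by the sync.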
• Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.
• Protocol migration—For backward compatibility with IEEE 802.1D switches, RSTP selectively sends IEEE 802.

Configuring MSTP Features

Table 19-4 Default MSTP Configuration (continued)
Feature / Default Setting:
Spanning-tree port priority (configurable on a per-CIST port basis)
        128.
Spanning-tree port cost (configurable on a per-CIST port basis)
        1000 Mb/s: 4. 100 Mb/s: 19. 10 Mb/s: 100.
Hello time
        2 seconds.
Forward-delay time
        15 seconds.
Maximum-aging time
        20 seconds.
Maximum hop count
        20 hops.

• All MST boundary ports must be forwarding for load-balancing between a PVST+ and an MST cloud or between a rapid-PVST+ and an MST cloud. For this to occur, the IST master of the MST cloud should also be the root of the CST.

Command / Purpose:
Step 8  spanning-tree mode mst
        Enable MSTP. RSTP is also enabled.
        Caution: Changing spanning-tree modes can disrupt traffic because all spanning-tree instances are stopped for the previous mode and restarted in the new mode. You cannot run both MSTP and PVST+ or both MSTP and rapid PVST+ at the same time.
Step 9  end
        Return to privileged EXEC mode.
Step 10 show running-config
        Verify your entries.

If any root switch for the specified instance has a switch priority lower than 24576, the switch sets its own priority to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit switch priority value as shown in Table 18-1 on page 18-5.

Configuring a Secondary Root Switch

When you configure a switch with the extended system ID support as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified instance if the primary root switch fails. This assumes that the other network switches use the default switch priority of 32768 and are therefore unlikely to become the root switch.

Note: If your switch is a member of a switch stack, you must use the spanning-tree mst [instance-id] cost cost interface configuration command instead of the spanning-tree mst [instance-id] port-priority priority interface configuration command to select a port to put in the forwarding state. Assign lower cost values to ports that you want selected first and higher cost values to ports that you want selected last.

Configuring Path Cost

The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
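Path-cost selection is easy to misjudge by eye once links of different speeds are mixed, so here is an added Python example (not the guide's code) that computes each switch's root path cost and root port from the default per-speed costs in Table 19-4 and then shows a spanning-tree cost override pulling the root port onto a different link. It also applies to the PVST+ path-cost discussion in Chapter 18, which uses the same rule. The topology, port names, and bridge-ID integers are constructed; a lower sender bridge ID and then a lower sender port break ties, as in the protocol.

```python
"""Added example: root path cost and root-port selection from per-port path costs."""
import heapq

DEFAULT_COST = {1000: 4, 100: 19, 10: 100}   # Mb/s -> default path cost (Table 19-4)


def compute_root_ports(root, bridge_ids, links):
    """bridge_ids: {switch: bridge ID int (lower wins)}.
    links: dicts with a, a_port, b, b_port, speed and optional a_cost / b_cost
    (a 'spanning-tree cost' override on that switch's own port).
    Returns {switch: (root path cost, root port)}; the root has no root port.
    A switch's root path cost is the upstream neighbor's cost plus the cost
    of ITS OWN port facing that neighbor; ties prefer the lower sender bridge
    ID, then the lower sender port."""
    adj = {sw: [] for sw in bridge_ids}
    for l in links:
        a_cost = l.get("a_cost", DEFAULT_COST[l["speed"]])
        b_cost = l.get("b_cost", DEFAULT_COST[l["speed"]])
        # (neighbor, neighbor's port, cost charged on the neighbor's port, my port)
        adj[l["a"]].append((l["b"], l["b_port"], b_cost, l["a_port"]))
        adj[l["b"]].append((l["a"], l["a_port"], a_cost, l["b_port"]))

    best = {root: ((0, 0, ""), None)}   # switch -> ((cost, sender BID, sender port), root port)
    heap = [((0, 0, ""), root)]
    while heap:
        key, sw = heapq.heappop(heap)
        if key > best[sw][0]:
            continue                      # stale heap entry
        for nb, nb_port, nb_cost, my_port in adj[sw]:
            cand = (key[0] + nb_cost, bridge_ids[sw], my_port)
            if nb not in best or cand < best[nb][0]:
                best[nb] = (cand, nb_port)
                heapq.heappush(heap, (cand, nb))
    return {sw: (k[0], port) for sw, (k, port) in best.items()}


# Constructed topology: A is the root. C has a 100 Mb/s link to A and a
# 1000 Mb/s link to B; B has a 1000 Mb/s link to A.
BRIDGE_IDS = {"A": 1, "B": 2, "C": 3}
LINKS = [
    {"a": "A", "a_port": "Gi1/0/1", "b": "B", "b_port": "Gi1/0/1", "speed": 1000},
    {"a": "A", "a_port": "Fa1/0/1", "b": "C", "b_port": "Fa1/0/1", "speed": 100},
    {"a": "B", "a_port": "Gi1/0/2", "b": "C", "b_port": "Gi1/0/2", "speed": 1000},
]


def default_costs():
    """Root ports with default costs: C prefers the two-hop gigabit path (4 + 4 = 8)
    over the direct Fast Ethernet link (19)."""
    return compute_root_ports("A", BRIDGE_IDS, LINKS)


def with_override():
    """Same topology after 'spanning-tree cost 3' on C's Fa1/0/1 toward A:
    the direct link is now cheaper and becomes C's root port."""
    links = [dict(l) for l in LINKS]
    links[1]["b_cost"] = 3
    return compute_root_ports("A", BRIDGE_IDS, links)
```

The override only changes the cost charged on C's own port, which is why the command is applied on the interface that should win, not on the neighbor.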
Note: Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.

Beginning in privileged EXEC mode, follow these steps to configure the switch priority. This procedure is optional.
Command / Purpose:
Step 1  configure terminal
        Enter global configuration mode.

Command / Purpose:
Step 4  show spanning-tree mst
        Verify your entries.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return the switch to its default setting, use the no spanning-tree mst hello-time global configuration command.

Configuring the Forwarding-Delay Time

Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for all MST instances.

To return the switch to its default setting, use the no spanning-tree mst max-age global configuration command.

Configuring the Maximum-Hop Count

Beginning in privileged EXEC mode, follow these steps to configure the maximum-hop count for all MST instances. This procedure is optional.
Command / Purpose:
Step 1  configure terminal
        Enter global configuration mode.

Command / Purpose:
Step 5  show spanning-tree mst interface interface-id
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return the port to its default setting, use the no spanning-tree link-type interface configuration command.

Designating the Neighbor Type

A topology could contain both prestandard and IEEE 802.1s standard compliant devices.

Displaying the MST Configuration and Status

To restart the protocol migration process on a specific interface, use the clear spanning-tree detected-protocols interface interface-id privileged EXEC command.
Chapter 20 Configuring Optional Spanning-Tree Features

This chapter describes how to configure optional spanning-tree features on the switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+). You can configure only the noted features when your switch or switch stack is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol.

Understanding Optional Spanning-Tree Features

Understanding Port Fast

Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states.
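An added Python example (not the guide's code) that walks a port through the blocking, listening, learning, and forwarding states listed in Chapter 18, with the listening and learning states each lasting one forward-delay timer (15 seconds by default, as in Table 19-4), and shows the Port Fast shortcut described above. The port name, the transition table (the chapter's list, with the direct blocking-to-forwarding step allowed only for Port Fast), and the per-state learn/forward behaviour are assumptions of the model.

```python
"""Added example: IEEE 802.1D port states driven by the forward-delay timer, with Port Fast."""

FORWARD_DELAY = 15          # seconds; default forward-delay timer
BEHAVIOUR = {               # (learns MAC addresses, forwards data frames) in each state
    "blocking": (False, False), "listening": (False, False),
    "learning": (True, False), "forwarding": (True, True), "disabled": (False, False),
}
LEGAL = {("blocking", "listening"), ("listening", "learning"), ("learning", "forwarding"),
         ("blocking", "forwarding"),           # Port Fast only
         ("blocking", "disabled"), ("listening", "disabled"),
         ("learning", "disabled"), ("forwarding", "disabled")}


class StpPort:
    def __init__(self, name, portfast=False):
        self.name, self.portfast = name, portfast
        self.state = "blocking"         # first state after initialization
        self.now = 0
        self.remaining = FORWARD_DELAY  # time left in the current timed state
        self.history = [(0, "blocking")]

    def _goto(self, state):
        if (self.state, state) not in LEGAL:
            raise ValueError(f"{self.name}: illegal transition {self.state} -> {state}")
        if state == "forwarding" and self.state == "blocking" and not self.portfast:
            raise ValueError("only Port Fast may skip listening and learning")
        self.state = state
        self.history.append((self.now, state))

    def select_for_forwarding(self):
        """Spanning tree decided this port should forward (root or designated port)."""
        if self.portfast:
            self._goto("forwarding")    # bypasses listening and learning
        else:
            self._goto("listening")
            self.remaining = FORWARD_DELAY

    def tick(self, seconds):
        """Advance time; listening and learning each last forward-delay seconds."""
        while seconds > 0:
            if self.state in ("listening", "learning"):
                step = min(seconds, self.remaining)
                self.now += step
                self.remaining -= step
                seconds -= step
                if self.remaining == 0:
                    self._goto("learning" if self.state == "listening" else "forwarding")
                    self.remaining = FORWARD_DELAY
            else:
                self.now += seconds
                seconds = 0

    def behaviour(self):
        learns, forwards = BEHAVIOUR[self.state]
        return {"learns": learns, "forwards": forwards}


def convergence_demo(portfast):
    """Bring a port up at t=0 and run 40 s; return its (time, state) history."""
    port = StpPort("Gi1/0/5", portfast=portfast)
    port.select_for_forwarding()
    port.tick(40)
    return port.history
```

Without Port Fast the port forwards only at t = 30 s (two forward-delay periods); with it the port forwards at t = 0, which is why the feature belongs only on ports facing a single host and why the BPDU guard discussed next exists to catch a switch appearing on such a port.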
At the interface level, you enable BPDU guard on any port by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. When the port receives a BPDU, it is put in the error-disabled state. The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service.

[Figure 20-2 Switches in a Hierarchical Network: backbone switches (root bridge), distribution switches, and blade switches, with active and blocked links.]

If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port.

[Figure 20-3 UplinkFast Example Before Direct Link Failure: Switch A (root), Switch B, and Switch C connected by links L1, L2, and L3, with a blocked port on Switch C.]

If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure

How CSUF Works

CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 20-5, the stack-root port on Switch 1 provides the path to the root of the spanning tree. The alternate stack-root ports on Switches 2 and 3 can provide an alternate path to the spanning-tree root if the current stack-root switch fails or if its link to the spanning-tree root fails.

Each switch in the stack decides if the sending switch is a better choice than itself to be the stack root of this spanning-tree instance by comparing the root, cost, and bridge ID. If the sending switch is the best choice as the stack root, each switch in the stack returns an acknowledgement; otherwise, it sends a fast-transition request.

BackboneFast, which is enabled by using the spanning-tree backbonefast global configuration command, starts when a root port or blocked interface on a switch receives inferior BPDUs from its designated switch. An inferior BPDU identifies a switch that declares itself as both the root bridge and the designated switch.

If link L1 fails as shown in Figure 20-7, Switch C cannot detect this failure because it is not connected directly to link L1. However, because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root, and begins sending BPDUs to Switch C, identifying itself as the root.

Understanding EtherChannel Guard

You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel, but the interfaces on the other device are not. A misconfiguration can also occur if the channel parameters are not the same at both ends of the EtherChannel.

Configuring Optional Spanning-Tree Features

[Figure 20-9 Root Guard in a Data-Center Network: a data-center network and a customer network; a potential spanning-tree root without root guard enabled, versus the desired root switch.]

Enable the root-guard feature on these interfaces to prevent switches in the customer network from becoming the root switch or being in the path to the root.
• Enabling BackboneFast, page 20-16 (optional)
• Enabling EtherChannel Guard, page 20-17 (optional)
• Enabling Root Guard, page 20-18 (optional)
• Enabling Loop Guard, page 20-18 (optional)

Default Optional Spanning-Tree Configuration
Table 20-1 shows the default optional spanning-tree configuration.

Beginning in privileged EXEC mode, follow these steps to enable Port Fast. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify an interface to configure, and enter interface configuration mode.
Step 3: spanning-tree portfast [trunk]. Enable Port Fast on an access port connected to a single workstation or server.

The BPDU guard feature provides a secure response to invalid configurations because you must manually put the port back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree.

You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs.
Caution: Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.

Beginning in privileged EXEC mode, follow these steps to enable UplinkFast and CSUF. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: spanning-tree uplinkfast [max-update-rate pkts-per-second]. Enable UplinkFast. (Optional) For pkts-per-second, the range is 0 to 32000 packets per second; the default is 150.

Note: If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs. This feature is supported for use with third-party switches. You can configure the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.

Enabling Root Guard
Root guard enabled on an interface applies to all the VLANs to which the interface belongs. Do not enable the root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure.
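The following example is added here and is not part of the guide or of Cisco IOS. It models, in Python, how a port reacts to a received BPDU under the three protections described in this chapter: BPDU filtering silently drops the frame (so spanning tree never sees it, which is why the Caution above warns of loops), BPDU guard error-disables the port until an administrator puts it back in service, and root guard moves the port to the root-inconsistent state for as long as superior BPDUs arrive. The interface names and bridge IDs are constructed, and the order in which the checks are applied is an assumption of the model rather than a statement about the switch's internals.

```python
"""Port reaction to received BPDUs under BPDU filtering, BPDU guard and root guard.

Constructed Python model (not Cisco IOS code). Each Port carries the flags the
interface commands in this chapter set; handle_bpdu() applies them to one BPDU
and returns the action taken. The evaluation order is an assumption.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Bpdu:
    root_id: int      # 8-byte bridge ID (priority + MAC) as one integer; lower is better
    sender_id: int


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpduguard: bool = False     # set per interface, or via the global default on Port Fast ports
    bpdufilter: bool = False
    rootguard: bool = False
    state: str = "forwarding"   # forwarding | err-disabled | root-inconsistent
    log: List[str] = field(default_factory=list)


def bridge_id(priority: int, mac: str) -> int:
    """Bridge ID = 16-bit priority followed by the 48-bit MAC, compared as one integer."""
    return (priority << 48) | int(mac.replace(".", "").replace(":", ""), 16)


def handle_bpdu(port: Port, bpdu: Bpdu, current_root: int) -> str:
    """Return the action taken for a BPDU received on `port`.

    - BPDU filtering: the port neither sends nor receives BPDUs; the frame is dropped
      and never reaches the spanning-tree process.
    - BPDU guard: any BPDU on a guarded port is an invalid configuration; the port is
      error-disabled and stays that way until manually re-enabled.
    - Root guard: a superior BPDU (root ID lower than the current root) would make the
      neighbour the root, so the port is held in root-inconsistent state instead.
      A later BPDU that is not superior lets the port recover.
    """
    if port.bpdufilter:
        return "dropped-by-bpdufilter"
    if port.bpduguard:
        if port.state != "err-disabled":
            port.state = "err-disabled"
            port.log.append(f"{port.name}: BPDU received on BPDU-guarded port, err-disabled")
        return "err-disabled"
    if port.rootguard:
        if bpdu.root_id < current_root:
            if port.state != "root-inconsistent":
                port.state = "root-inconsistent"
                port.log.append(f"{port.name}: superior BPDU (root {bpdu.root_id:#x}), root-inconsistent")
            return "root-inconsistent"
        if port.state == "root-inconsistent":
            port.state = "forwarding"
            port.log.append(f"{port.name}: superior BPDUs stopped, port recovered")
    return "processed"
```

In this model an error-disabled port keeps reporting "err-disabled" for every later BPDU, because recovery requires operator action (or errdisable recovery), whereas a root-inconsistent port recovers on its own once the superior BPDUs stop; that difference in recovery is the main operational distinction between the two features.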
Step 3: spanning-tree loopguard default. Enable loop guard. By default, loop guard is disabled.
Step 4: end. Return to privileged EXEC mode.
Step 5: show running-config. Verify your entries.
Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
To globally disable loop guard, use the no spanning-tree loopguard default global configuration command.
Chapter 21 Configuring Flex Links and the MAC Address-Table Move Update Feature

This chapter describes how to configure Flex Links, a pair of interfaces on the switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
typically configured in service provider or enterprise networks where customers do not want to run STP on the switch. If the switch is running STP, Flex Links is not necessary because STP already provides link-level redundancy or backup.

Figure 21-2 VLAN Flex Links Load Balancing Configuration Example (figure: Switch A uplinks gi2/0/6 and gi2/0/8 to uplink switches B and C; one link forwards VLANs 1-50, the other forwards VLANs 51-100)

Flex Link Multicast Fast Convergence
Flex Link Multicast Fast Convergence reduces the multicast traffic convergence time after a Flex Link failure.

Leaking IGMP Reports
To achieve multicast traffic convergence with minimal loss, a redundant data path must be set up before the Flex Link active link goes down. This can be achieved by leaking only IGMP report packets on the Flex Link backup link.

Similarly, both Flex Link ports are part of learned groups. Gigabit Ethernet2/0/11 is a receiver/host in VLAN 1, which is interested in two multicast groups:

Switch# show ip igmp snooping groups
Vlan  Group      Type  Version  Port List
-----------------------------------------------------------------------
1     228.1.5.1  igmp  v2       Gi1/0/11, Gi1/0/12, Gi2/0/11
1     228.1.5.

Whenever a host responds to the general query, the switch forwards this report on all the mrouter ports. When you turn on this feature through the command-line port, and when a report is forwarded by the switch on Gigabit Ethernet 1/0/11, it is also leaked to the backup port Gigabit Ethernet 1/0/12.

Figure 21-3 MAC Address-Table Move Update Example (figure: a server behind Switch C (Ports 3 and 4), Switch B and Switch D, Switch A (Ports 1 and 2) with a PC attached)

Configuring Flex Links and MAC Address-Table Move Update
These sections contain this information:
• Configuration Guidelines, page 21-8
• Default Configuration, page 21-8
• Configuring Flex Links, page 21-9
• Configuring V

Configuration Guidelines
Follow these guidelines to configure Flex Links:
• You can configure up to 16 backup links.
• You can configure only one Flex Link backup link for any active link, and it must be a different interface from the active interface.
• An interface can belong to only one Flex Link pair. An interface can be a backup link for only one active link.

Configuring Flex Links
Beginning in privileged EXEC mode, follow these steps to configure a pair of Flex Links:
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify the interface, and enter interface configuration mode.

Step 4: switchport backup interface interface-id preemption mode [forced | bandwidth | off]. Configure a preemption mechanism and delay for a Flex Link interface pair. You can configure the preemption as:
• Forced: the active interface always preempts the backup.
Step 5: switchport backup interface interface-id preemption delay delay-time.

Configuring VLAN Load Balancing on Flex Links
Beginning in privileged EXEC mode, follow these steps to configure VLAN load balancing on Flex Links:
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify the interface, and enter interface configuration mode.

When a Flex Link interface comes up, VLANs preferred on this interface are blocked on the peer interface and moved to the forwarding state on the interface that has just come up. In this example, if interface Gi2/0/6 comes up, VLANs preferred on this interface are blocked on the peer interface Gi2/0/8 and forwarded on Gi2/0/6.

Step 4: end. Return to global configuration mode.
Step 5: mac address-table move update transmit. Enable the access switch to send MAC address-table move updates to other switches in the network if the primary link goes down and the switch starts forwarding traffic through the standby link.
Step 6: end. Return to privileged EXEC mode.

Step 3: end. Return to privileged EXEC mode.
Step 4: show mac address-table move update. Verify the configuration.
Step 5: copy running-config startup-config. (Optional) Save your entries in the switch startup configuration file.
Chapter 22 Configuring DHCP Features and IP Source Guard

This chapter describes how to configure DHCP snooping and option-82 data insertion, and the DHCP server port-based address allocation features on the switch. It also describes how to configure the IP source guard feature. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
• DHCP Snooping and Switch Stacks, page 22-7
• Cisco IOS DHCP Server Database, page 22-6
• DHCP Snooping Binding Database, page 22-6
For information about the DHCP client, see the "Configuring DHCP" section of the "IP Addressing and Services" section of the Cisco IOS IP Configuration Guide, Release 12.2.

When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware address. If the addresses match (the default), the switch forwards the packet. If the addresses do not match, the switch drops the packet.

Figure 22-1 is an example of a blade switch in an enclosure in which a centralized DHCP server assigns IP addresses to subscribers connected to the switch at the access layer.

• Remote-ID suboption fields
  – Suboption type
  – Length of the suboption type
  – Remote-ID type
  – Length of the remote-ID type
In the port field of the circuit ID suboption, the port numbers start at 1. For example, on a switch with Cisco dual SFP X2 converter modules in the 10-Gigabit Ethernet module slots, port 1 is the internal Gigabit Ethernet 1/0/1 port, port 2 is the internal Gigabit Ethernet 1/0/2 port, and so on.

  – The length values are variable, depending on the length of the string that you configure.
• Remote-ID suboption fields
  – The remote-ID type is 1.
  – The length values are variable, depending on the length of the string that you configure.
To keep the bindings when the switch reloads, you must use the DHCP snooping database agent. If the agent is disabled, dynamic ARP inspection or IP source guard is enabled, and the DHCP snooping binding database has dynamic bindings, the switch loses its connectivity.

All snooping statistics are generated on the stack master. If a new stack master is elected, the statistics counters reset. When a stack merge occurs, all DHCP snooping bindings in the stack master are lost if it is no longer the stack master. With a stack partition, the existing stack master is unchanged, and the bindings belonging to the partitioned switches age out.

Table 22-1 Default DHCP Configuration (continued)
Feature: Default Setting
• DHCP snooping VLAN: Disabled
• DHCP snooping MAC address verification: Enabled
• Cisco IOS DHCP server binding database: Enabled in Cisco IOS software, requires configuration.
  Note: The switch gets network addresses and configuration parameters only from a device configured as a DHCP server.
• DHCP snooping binding database agent

• If a switch port is connected to a DHCP server, configure a port as trusted by entering the ip dhcp snooping trust interface configuration command.
• If a switch port is connected to a DHCP client, configure a port as untrusted by entering the no ip dhcp snooping trust interface configuration command.

Configuring the DHCP Relay Agent
Beginning in privileged EXEC mode, follow these steps to enable the DHCP relay agent on the switch:
Step 1: configure terminal. Enter global configuration mode.
Step 2: service dhcp. Enable the DHCP server and relay agent on your switch. By default, this feature is enabled.
Step 3: end. Return to privileged EXEC mode.
Step 4: show running-config. Verify your entries.

interface range port-range. Configure multiple physical ports that are connected to the DHCP clients, and enter interface range configuration mode.
or
interface interface-id. Configure a single physical port that is connected to the DHCP client, and enter interface configuration mode.
Step 7: switchport mode access. Define the VLAN membership mode for the port.

Step 6: ip dhcp snooping information option allow-untrusted. (Optional) If the switch is an aggregation switch connected to an edge switch, enable the switch to accept incoming DHCP snooping packets with option-82 information from the edge switch. The default setting is disabled.
Note: Enter this command only on aggregation switches that are connected to trusted devices.

This example shows how to enable DHCP snooping globally and on VLAN 10 and to configure a rate limit of 100 packets per second on a port:

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ip dhcp snooping information option
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# ip dhcp snooping limit rate 100

Enabling DHCP Snooping on Private VLANs
You can enable DHCP sno

Enabling the DHCP Snooping Binding Database Agent
Beginning in privileged EXEC mode, follow these steps to enable and configure the DHCP snooping binding database agent on the switch:
Step 1: configure terminal. Enter global configuration mode.

To delete binding entries from the DHCP snooping binding database, use the no ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id privileged EXEC command. Enter this command for each entry that you want to delete.

These sections contain this information:
• Source IP Address Filtering, page 22-17
• Source IP and MAC Address Filtering, page 22-17

Source IP Address Filtering
When IP source guard is enabled with this option, IP traffic is filtered based on the source IP address.

IP Source Guard Configuration Guidelines
These are the configuration guidelines for IP source guard:
• You can configure static IP bindings only on nonrouted ports. If you enter the ip source binding mac-address vlan vlan-id ip-address interface interface-id global configuration command on a routed interface, this error message appears:
  Static IP source binding can only be configured on switch port.

Enabling IP Source Guard
Beginning in privileged EXEC mode, follow these steps to enable and configure IP source guard on an interface.
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify the interface to be configured, and enter interface configuration mode.
Step 3: ip verify source. Enable IP source guard with source IP address filtering.
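The example below is added here and is not code from the guide or from Cisco IOS. It models, in Python, the DHCP snooping decisions described in the Understanding DHCP Features section of this chapter (server messages only on trusted ports, the source MAC to client hardware address comparison on untrusted ports, and a binding learned from the server's ACK that records the client's own port) and then reuses those bindings for IP source guard with the source IP and source IP plus MAC filtering options described above. Interface names, MAC and IP addresses are constructed; packets are represented by their relevant fields rather than raw frames.

```python
"""DHCP snooping forwarding decisions, binding learning and IP source guard filtering.

Constructed Python model, not Cisco IOS code. Interface names and addresses are
made up. A DHCP message is described by its ingress port, VLAN, frame source MAC,
message type, client hardware address (chaddr) and, for server replies, yiaddr.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # legitimate only from the server side


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    lease: int            # seconds; 0 marks a static (ip source binding) entry


@dataclass
class SnoopingSwitch:
    snooping_vlans: Set[int]
    trusted: Set[str] = field(default_factory=set)     # ports toward the DHCP server
    mac_verify: bool = True                             # MAC address verification (default on)
    bindings: Dict[Tuple[int, str], Binding] = field(default_factory=dict)   # (vlan, mac)
    pending: Dict[Tuple[int, str], str] = field(default_factory=dict)        # (vlan, chaddr) -> client port

    def dhcp_ingress(self, iface: str, vlan: int, src_mac: str, msg: str,
                     chaddr: str, yiaddr: Optional[str] = None, lease: int = 0) -> str:
        """Return 'forward' or 'drop:<reason>' for a DHCP message arriving on iface."""
        if vlan not in self.snooping_vlans:
            return "forward"                  # snooping not enabled here: no checks, no bindings
        if iface in self.trusted:
            if msg == "ACK" and yiaddr:
                # The server's ACK completes the lease. The binding records the client's
                # port (learned from its DISCOVER/REQUEST), not the trusted port.
                client_port = self.pending.pop((vlan, chaddr), None)
                if client_port:
                    self.bindings[(vlan, chaddr)] = Binding(chaddr, yiaddr, vlan, client_port, lease)
            return "forward"
        # Untrusted port: intercept and check.
        if msg in SERVER_MESSAGES:
            return "drop:server-message-on-untrusted"      # rogue DHCP server
        if self.mac_verify and src_mac.lower() != chaddr.lower():
            return "drop:mac-mismatch"                     # frame source MAC != chaddr
        existing = self.bindings.get((vlan, chaddr))
        if msg in ("RELEASE", "DECLINE") and existing and existing.interface != iface:
            return "drop:binding-interface-mismatch"      # release for another port's lease
        self.pending[(vlan, chaddr)] = iface
        return "forward"

    def add_static_binding(self, mac: str, vlan: int, ip: str, iface: str) -> None:
        """Equivalent of a static ip source binding entry (nonrouted ports only)."""
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, iface, 0)

    def ip_ingress(self, iface: str, vlan: int, src_mac: str, src_ip: str, mode: str = "ip") -> str:
        """IP source guard for non-DHCP IP traffic on an access port.

        mode 'ip' (source IP address filtering) permits a packet only if a binding on this
        port and VLAN carries its source IP; mode 'ip-mac' (source IP and MAC address
        filtering) also requires the source MAC to match. Anything else is dropped.
        """
        for b in self.bindings.values():
            if b.vlan == vlan and b.interface == iface and b.ip == src_ip:
                if mode == "ip" or b.mac.lower() == src_mac.lower():
                    return "permit"
        return "drop"
```

The sequence worth tracing is the one the section describes: a client's DISCOVER on an untrusted port is forwarded and remembered, an OFFER appearing on another untrusted port is dropped, the server's ACK on the trusted port creates the binding, and from then on IP source guard permits only traffic from that client's leased address on that port, while a RELEASE for the same lease arriving on a different port is discarded.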
Switch(config)# ip source binding 0100.0230.0002 vlan 11 10.0.0.

Default Port-Based Address Allocation Configuration
By default, DHCP server port-based address allocation is disabled.

Port-Based Address Allocation Configuration Guidelines
These are the configuration guidelines for DHCP port-based address allocation:
• Only one IP address can be assigned per port.

Beginning in privileged EXEC mode, follow these steps to preassign an IP address and to associate it to a client identified by the interface name.
Step 1: configure terminal. Enter global configuration mode.
Step 2: ip dhcp pool poolname. Enter DHCP pool configuration mode, and define the name for the DHCP pool.

This example shows that the preassigned address was correctly reserved in the DHCP pool:

switch# show ip dhcp pool dhcppool
Pool dhcp pool:
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 0
 Excluded addresses             : 4
 Pending event                  : none
 1 subnet is currently in the pool:
 Current index        IP address range                    Leased/Excluded/Total
 10.1.1.1             10.1.
Chapter 23 Configuring Dynamic ARP Inspection

This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Figure 23-1 ARP Cache Poisoning (figure: Host A (IA, MA) on interface A, Host B (IB, MB) on interface B, and Host C (man-in-the-middle) (IC, MC) on interface C)

Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA.

You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header. Use the ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command. For more information, see the "Performing Validation Checks" section on page 23-11.

Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running dynamic ARP inspection.

Logging of Dropped Packets
When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.

Table 23-1 Default Dynamic ARP Inspection Configuration (continued)
Feature: Default Setting
• Log buffer: When dynamic ARP inspection is enabled, all denied or dropped ARP packets are logged. The number of entries in the log is 32. The number of system messages is limited to 5 per second. The logging-rate interval is 1 second.
• Per-VLAN logging: All denied or dropped ARP packets are logged.

The rate of incoming packets on a physical port is checked against the port-channel configuration rather than the physical-ports configuration. The rate-limit configuration on a port channel is independent of the configuration on its physical ports. If the EtherChannel receives more ARP packets than the configured rate, the channel (including all physical ports) is placed in the error-disabled state.

Step 5: ip arp inspection trust. Configure the connection between the switches as trusted. By default, all interfaces are untrusted. The switch does not check ARP packets that it receives from the other switch on the trusted interface. It simply forwards the packets. For untrusted interfaces, the switch intercepts all ARP requests and responses.

Beginning in privileged EXEC mode, follow these steps to configure an ARP ACL on Switch A. This procedure is required in non-DHCP environments.
Step 1: configure terminal. Enter global configuration mode.
Step 2: arp access-list acl-name. Define an ARP ACL, and enter ARP access-list configuration mode. By default, no ARP access lists are defined.

Step 7: no ip arp inspection trust. Configure the Switch A interface that is connected to Switch B as untrusted. By default, all interfaces are untrusted. For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination.

For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the "Dynamic ARP Inspection Configuration Guidelines" section on page 23-6.
Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.

Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP packets. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: ip arp inspection validate {[src-mac] [dst-mac] [ip]}. Perform a specific check on incoming ARP packets. By default, no checks are performed.
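The following added example is not code from the guide or from Cisco IOS. It walks a raw ARP frame through the decision path this chapter describes: trusted ports are not inspected; untrusted ports are rate limited and error-disabled when the limit is exceeded; the optional src-mac, dst-mac and ip validation checks compare the ARP body against the Ethernet header and reject invalid addresses; and finally the sender IP-to-MAC pair is checked against the bindings (from DHCP snooping or, in non-DHCP environments, from ARP ACL entries). Every drop produces a log entry with the flow information listed under Logging of Dropped Packets. The frames, addresses, interface names and binding table are constructed; the default untrusted-port limit of 15 packets per second is taken from this chapter.

```python
"""Dynamic ARP inspection over raw ARP frames: trust, rate limit, validation checks,
IP-to-MAC binding check, and a log entry for every drop.

Constructed Python model, not Cisco IOS code. Frames, addresses and interface
names are made up. bindings maps (vlan, ip) -> mac, as learned by DHCP snooping
or supplied by ARP ACL permit entries.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpFrame:
    eth_dst: str
    eth_src: str
    op: int
    sha: str   # sender hardware (MAC) address in the ARP body
    spa: str   # sender protocol (IP) address
    tha: str   # target hardware address
    tpa: str   # target protocol address


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def fmt_mac(raw: bytes) -> str:
    return raw.hex(".", 2)   # Cisco-style xxxx.xxxx.xxxx


def build_arp(eth_dst: str, eth_src: str, op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed test frame: Ethernet II header followed by a 28-byte Ethernet/IPv4 ARP packet."""
    return (mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
            + mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed)


def parse_arp(frame: bytes) -> ArpFrame:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        raise ValueError("not an Ethernet ARP frame")
    op = struct.unpack("!H", frame[20:22])[0]
    return ArpFrame(fmt_mac(frame[0:6]), fmt_mac(frame[6:12]), op,
                    fmt_mac(frame[22:28]), str(ipaddress.IPv4Address(frame[28:32])),
                    fmt_mac(frame[32:38]), str(ipaddress.IPv4Address(frame[38:42])))


def invalid_ip(ip: str) -> bool:
    """The 'ip' validation check: 0.0.0.0, 255.255.255.255 and multicast are never valid."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast


@dataclass
class DaiSwitch:
    bindings: Dict[Tuple[int, str], str]              # (vlan, ip) -> mac
    trusted: Set[str] = field(default_factory=set)
    validate: Set[str] = field(default_factory=set)    # any of {"src-mac", "dst-mac", "ip"}
    rate_limit: int = 15                               # pps on untrusted ports (chapter default)
    log: List[str] = field(default_factory=list)
    err_disabled: Set[str] = field(default_factory=set)
    _counts: Dict[Tuple[str, int], int] = field(default_factory=dict)

    def _deny(self, reason: str, iface: str, vlan: int, a: ArpFrame) -> str:
        # The log entry carries the flow information the chapter lists: VLAN, port, IPs, MACs.
        self.log.append(f"DAI deny ({reason}) vlan {vlan} port {iface} "
                        f"src {a.spa}/{a.sha} dst {a.tpa}/{a.tha}")
        return "drop:" + reason

    def ingress(self, iface: str, vlan: int, frame: bytes, second: int) -> str:
        """Return 'forward' or 'drop:<reason>' for an ARP frame received in a given second."""
        if iface in self.err_disabled:
            return "drop:err-disabled"
        if iface in self.trusted:
            return "forward"                            # trusted ports bypass inspection
        n = self._counts.get((iface, second), 0) + 1    # ARP packets on this port this second
        self._counts[(iface, second)] = n
        if n > self.rate_limit:
            self.err_disabled.add(iface)
            self.log.append(f"ARP rate {n} pps exceeded {self.rate_limit} on {iface}: err-disabled")
            return "drop:rate-limit"
        a = parse_arp(frame)
        if "src-mac" in self.validate and a.eth_src != a.sha:
            return self._deny("src-mac", iface, vlan, a)
        if "dst-mac" in self.validate and a.op == ARP_REPLY and a.eth_dst != a.tha:
            return self._deny("dst-mac", iface, vlan, a)
        if "ip" in self.validate and (invalid_ip(a.spa) or (a.op == ARP_REPLY and invalid_ip(a.tpa))):
            return self._deny("ip", iface, vlan, a)
        if self.bindings.get((vlan, a.spa)) != a.sha:   # the core IP-to-MAC binding check
            return self._deny("invalid-binding", iface, vlan, a)
        return "forward"
```

The case to trace is the one Figure 23-1 describes: a reply from an untrusted port claiming the gateway's IP with a different MAC fails the binding check and is logged, while the same frame arriving on a trusted port is forwarded unchanged, which is why the trust setting on inter-switch links matters as much as the bindings themselves.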
If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer or increase the logging rate.

Step 3: ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}. Control the type of packets that are logged per VLAN. By default, all denied or all dropped packets are logged. The term logged means the entry is placed in the log buffer and a system message is generated.

To clear or display dynamic ARP inspection statistics, use the privileged EXEC commands in Table 23-3:
Table 23-3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics
Command: Description
• clear ip arp inspection statistics: Clears dynamic ARP inspection statistics.
Chapter 24 Configuring IGMP Snooping and MVR

This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on the switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Understanding IGMP Snooping
Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast devices.

IGMP Versions
The switch supports IGMP Version 1, IGMP Version 2, and IGMP Version 3. These versions are interoperable on the switch. For example, if IGMP snooping is enabled on an IGMPv2 switch and the switch receives an IGMPv3 report from a host, the switch can forward the IGMPv3 report to the multicast router.
Note: The switch supports IGMPv3 snooping based only on the destination multicast MAC address.

the group if it is not already present. The CPU also adds the interface where the join message was received to the forwarding-table entry. The blade server associated with that interface receives multicast traffic for that multicast group. See Figure 24-1.

Figure 24-1 Initial IGMP Join Message (figure: Router A; a blade server sends an IGMP report for group 224.1.2.)

If another blade server (for example, Blade Server 4) sends an unsolicited IGMP join message for the same group (Figure 24-2), the CPU receives that message and adds the port number of Blade Server 4 to the forwarding table as shown in Table 24-2. Note that because the forwarding table directs IGMP messages only to the CPU, the message is not flooded to other ports on the switch.

Immediate Leave
Immediate Leave is only supported on IGMP Version 2 hosts. The switch uses IGMP snooping Immediate Leave to remove from the forwarding table an interface that sends a leave message without the switch sending group-specific queries to the interface. The VLAN interface is pruned from the multicast tree for the multicast group specified in the original leave message.
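The example below is added here and is not code from the guide or from Cisco IOS. It models one VLAN's IGMP snooping forwarding table as the preceding paragraphs describe it: a membership report adds the receiving port to the group entry and is relayed only toward the multicast router ports, never flooded to other hosts; a leave either prunes the port at once (Immediate Leave, IGMPv2 only) or triggers a group-specific query and prunes the port only if no report answers it. Port names, group addresses and the query wait time are constructed; how traffic for a group with no entry is handled is outside the model.

```python
"""IGMP snooping forwarding table for one VLAN: join, leave, Immediate Leave and
group-specific query handling.

Constructed Python model, not Cisco IOS code. Port names, groups and the query
wait time are made up; time is an integer number of seconds passed in by the caller.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class IgmpSnoopingVlan:
    vlan: int
    mrouter_ports: Set[str]                      # learned or static multicast router ports
    immediate_leave: bool = False                # per-VLAN Immediate Leave setting
    query_wait: int = 1                          # seconds a group-specific query waits for a report
    members: Dict[str, Set[str]] = field(default_factory=dict)                 # group -> host ports
    pending_leave: Dict[Tuple[str, str], int] = field(default_factory=dict)    # (group, port) -> deadline
    queries_sent: List[Tuple[str, str, int]] = field(default_factory=list)     # (group, port, when)

    def report(self, group: str, port: str, now: int) -> Set[str]:
        """Membership report (join) received on `port`; returns the ports it is relayed to."""
        self.members.setdefault(group, set()).add(port)   # CPU adds the port to the group entry
        self.pending_leave.pop((group, port), None)        # a report answers any outstanding query
        return set(self.mrouter_ports)                     # relayed to router ports only, not flooded

    def leave(self, group: str, port: str, version: int, now: int) -> None:
        """Leave message received on `port` from an IGMP host of the given version."""
        if port not in self.members.get(group, set()):
            return
        if self.immediate_leave and version == 2:
            self._remove(group, port)                      # pruned immediately, no query sent
        else:
            self.queries_sent.append((group, port, now))   # group-specific query out that port
            self.pending_leave[(group, port)] = now + self.query_wait

    def tick(self, now: int) -> None:
        """Expire unanswered group-specific queries and prune those ports."""
        for key, deadline in list(self.pending_leave.items()):
            if now >= deadline:
                del self.pending_leave[key]
                self._remove(*key)

    def _remove(self, group: str, port: str) -> None:
        ports = self.members.get(group)
        if ports is None:
            return
        ports.discard(port)
        if not ports:
            del self.members[group]                        # last member gone: entry removed

    def forward_ports(self, group: str) -> Optional[Set[str]]:
        """Egress set for data to `group`: member host ports plus the router ports.
        None means no snooping entry exists for the group."""
        if group not in self.members:
            return None
        return self.members[group] | self.mrouter_ports
```

Run with and without Immediate Leave, the model shows the trade-off the section implies: with it, a single leave stops the stream to that port at once (suitable only when one host sits behind the port); without it, the stream continues until a group-specific query goes unanswered, so other hosts on a shared port are not cut off.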
IGMP Snooping and Switch Stacks
IGMP snooping functions across the switch stack; that is, IGMP control information from one switch is distributed to all switches in the stack. (See Chapter 6, "Managing Switch Stacks," for more information about switch stacks.) Regardless of the stack member through which IGMP multicast data enters the stack, the data reaches the hosts that have registered for that group.

Table 24-3 Default IGMP Snooping Configuration (continued)
Feature: Default Setting
• IGMP snooping querier: Disabled
• IGMP report suppression: Enabled
1. TCN = Topology Change Notification

Enabling or Disabling IGMP Snooping
By default, IGMP snooping is globally enabled on the switch. When globally enabled or disabled, it is also enabled or disabled in all existing VLAN interfaces.

Setting the Snooping Method
Multicast-capable router ports are added to the forwarding table for every Layer 2 multicast entry.

Configuring a Multicast Router Port
To add a multicast router port (add a static connection to a multicast router), use the ip igmp snooping vlan mrouter global configuration command on the switch.
Note: Static connections to multicast routers are supported only on switch ports.

Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group:
Step 1: configure terminal. Enter global configuration mode.
Step 2: ip igmp snooping vlan vlan-id static ip_address interface interface-id. Statically configure a Layer 2 port as a member of a multicast group:
• vlan-id is the multicast group VLAN ID. The range is 1 to 1001 and 1006 to 4094.

To disable IGMP Immediate Leave on a VLAN, use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command.

Controlling the Multicast Flooding Time After a TCN Event
You can control the time that multicast traffic is flooded after a TCN event by using the ip igmp snooping tcn flood query count global configuration command. This command configures the number of general queries for which multicast data traffic is flooded after a TCN event.

To return to the default query solicitation, use the no ip igmp snooping tcn query solicit global configuration command.

Disabling Multicast Flooding During a TCN Event
When the switch receives a TCN, multicast traffic is flooded to all the ports until 2 general queries are received.

• When it is administratively enabled, the IGMP snooping querier moves to the operationally disabled state under these conditions:
  – IGMP snooping is disabled in the VLAN.
  – PIM is enabled on the SVI of the corresponding VLAN.
Beginning in privileged EXEC mode, follow these steps to enable the IGMP snooping querier feature in a VLAN:
Step 1: configure terminal. Enter global configuration mode.

This example shows how to set the IGMP snooping querier feature to Version 2:

Switch# configure terminal
Switch(config)# ip igmp snooping querier version 2
Switch(config)# end

Disabling IGMP Report Suppression
Note: IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.

To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 24-4.
Table 24-4 Commands for Displaying IGMP Snooping Information
Command: Purpose
• show ip igmp snooping [vlan vlan-id]: Display the snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.
Chapter 24 Configuring IGMP Snooping and MVR Understanding Multicast VLAN Registration Understanding Multicast VLAN Registration Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service-provider network (for example, the broadcast of multiple television channels over a service-provider network).
Chapter 24 Configuring IGMP Snooping and MVR Understanding Multicast VLAN Registration switch to join the appropriate multicast. If the IGMP report matches one of the configured IP multicast group addresses, the switch CPU modifies the hardware address table to include this receiver port and VLAN as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN.
Chapter 24 Configuring IGMP Snooping and MVR Configuring MVR dynamically register for streams of multicast traffic in the multicast VLAN on the Layer 3 device. The access layer blade switch modifies the forwarding behavior to allow the traffic to be forwarded from the multicast VLAN to the subscriber port in a different VLAN, selectively allowing traffic to cross between two VLANs. IGMP reports are sent to the same IP multicast group address as the multicast data.
Chapter 24 Configuring IGMP Snooping and MVR Configuring MVR • Do not configure MVR on private VLAN ports. • MVR is not supported when multicast routing is enabled on a switch. If you enable multicast routing and a multicast routing protocol while MVR is enabled, MVR is disabled, and you receive a warning message. If you try to enable MVR while multicast routing and a multicast routing protocol are enabled, the operation to enable MVR is cancelled, and you receive an error message.
Chapter 24 Configuring IGMP Snooping and MVR Configuring MVR Command Purpose Step 8 show mvr or show mvr members Verify the configuration. Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default settings, use the no mvr [mode | group ip-address | querytime | vlan] global configuration commands.
Command Purpose Step 5 mvr vlan vlan-id group [ip-address] (Optional) Statically configure a port to receive multicast traffic sent to the multicast VLAN and the IP multicast address. A port statically configured as a member of a group remains a member of the group until statically removed. Note In compatible mode, this command applies to only receiver ports. In dynamic mode, it applies to receiver ports and source ports.
Chapter 24 Configuring IGMP Snooping and MVR Displaying MVR Information Displaying MVR Information You can display MVR information for the switch or for a specified interface.
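The following sequence pulls the MVR steps above into one complete configuration. It is an example added here, not taken from the guide. The multicast VLAN (100), the group block (239.1.1.1 plus the next nine addresses), the subscriber VLAN (20), and the interface numbers are assumptions chosen for illustration; substitute your own.

```cisco
! Example configuration (assumed VLANs, groups and ports, not from the guide)
Switch# configure terminal
! Global MVR settings. MVR cannot coexist with multicast routing on this switch.
Switch(config)# mvr
Switch(config)# mvr vlan 100
! Register ten contiguous groups: 239.1.1.1 through 239.1.1.10
Switch(config)# mvr group 239.1.1.1 10
! dynamic mode: IGMP reports from receivers are forwarded to the source port
Switch(config)# mvr mode dynamic
! querytime is in tenths of a second; 10 = wait 1 second for a report after a leave
Switch(config)# mvr querytime 10
! Source port: faces the Layer 3 device, belongs to the multicast VLAN
Switch(config)# interface gigabitethernet1/0/24
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 100
Switch(config-if)# mvr type source
Switch(config-if)# exit
! Receiver port: subscriber in a different VLAN; MVR forwards across the VLAN boundary
Switch(config)# interface gigabitethernet1/0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)# mvr type receiver
! Immediate Leave: only where exactly one receiver sits on the port
Switch(config-if)# mvr immediate
! Static membership stays until removed; keep it for known set-top devices only
Switch(config-if)# mvr vlan 100 group 239.1.1.5
Switch(config-if)# end
! Verify the MVR mode, multicast VLAN, group table and per-port membership
Switch# show mvr
Switch# show mvr members
Switch# show mvr interface gigabitethernet1/0/5 members
```

Receiver ports must not be trunk or private-VLAN ports, and a receiver port is never placed in the multicast VLAN itself; the switch forwards the stream from VLAN 100 to the VLAN 20 port only for groups the port has joined or that were statically assigned.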
Chapter 24 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling IGMP filtering is applicable only to the dynamic learning of IP multicast group addresses, not static configuration. With the IGMP throttling feature, you can set the maximum number of IGMP groups that a Layer 2 interface can join.
Chapter 24 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling • permit: Specifies that matching addresses are permitted. • range: Specifies a range of IP addresses for the profile. You can enter a single IP address or a range with a start and an end address. The default is for the switch to have no IGMP profiles configured. When a profile is configured, if neither the permit nor deny keyword is included, the default is to deny access to the range of IP addresses.
Chapter 24 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling Applying IGMP Profiles To control access as defined in an IGMP profile, use the ip igmp filter interface configuration command to apply the profile to the appropriate interfaces. You can apply IGMP profiles only to Layer 2 access ports; you cannot apply IGMP profiles to routed ports or SVIs. You cannot apply profiles to ports that belong to an EtherChannel port group.
Chapter 24 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling Command Purpose Step 3 ip igmp max-groups number Set the maximum number of IGMP groups that the interface can join. The range is 0 to 4294967294. The default is to have no maximum set. Step 4 end Return to privileged EXEC mode. Step 5 show running-config interface interface-id Verify the configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 24 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration Beginning in privileged EXEC mode, follow these steps to configure the throttling action when the maximum number of entries is in the forwarding table: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the physical interface to be configured, and enter interface configuration mode.
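A complete IGMP filtering and throttling configuration, added here as an example rather than copied from the guide. Profile numbers, the group ranges and the interface are assumptions. The point to notice is the default described above: a profile that lists a range without the permit keyword denies that range.

```cisco
! Example configuration (assumed profiles, ranges and ports, not from the guide)
Switch# configure terminal
! Profile 10: hosts may join only the corporate video range.
! Without the explicit permit, this range would be DENIED (the profile default).
Switch(config)# ip igmp profile 10
Switch(config-igmp-profile)# permit
Switch(config-igmp-profile)# range 239.1.1.1 239.1.1.255
Switch(config-igmp-profile)# exit
! Profile 20: block one group; deny is the default, stated here for clarity
Switch(config)# ip igmp profile 20
Switch(config-igmp-profile)# deny
Switch(config-igmp-profile)# range 239.9.9.9
Switch(config-igmp-profile)# exit
! Profiles apply only to Layer 2 access ports: not routed ports, SVIs or EtherChannel members
Switch(config)# interface gigabitethernet1/0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 20
Switch(config-if)# ip igmp filter 10
! Throttling: at most 5 dynamically learned groups on this port.
! action deny (default) drops further reports; action replace evicts a random existing entry.
Switch(config-if)# ip igmp max-groups 5
Switch(config-if)# ip igmp max-groups action deny
Switch(config-if)# end
! Verify the profile, the interface settings and what the port actually joined
Switch# show ip igmp profile 10
Switch# show running-config interface gigabitethernet1/0/5
Switch# show ip igmp snooping groups vlan 20
```

Filtering applies only to dynamically learned groups, so a group configured statically on the port with ip igmp snooping vlan vlan-id static is not subject to the profile or to the max-groups limit.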
CH A P T E R 25 Configuring IPv6 MLD Snooping You can use Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP Version 6 (IPv6) multicast data to clients and routers in a switched network on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
Chapter 25 Configuring IPv6 MLD Snooping Understanding MLD Snooping IGMPv3. MLD is a subprotocol of Internet Control Message Protocol Version 6 (ICMPv6), and MLD messages are a subset of ICMPv6 messages, identified in IPv6 packets by a preceding Next Header value of 58. The switch supports two versions of MLD snooping: • MLDv1 snooping detects MLDv1 control packets and sets up traffic bridging based on IPv6 destination multicast addresses.
Chapter 25 Configuring IPv6 MLD Snooping Understanding MLD Snooping MLDv2 supports MLDv2 queries and reports, as well as MLDv1 Report and Done messages. Message timers and state transitions resulting from messages being sent or received are the same as those of IGMPv2 messages. MLD messages that do not have valid link-local IPv6 source addresses are ignored by MLD routers and switches.
Chapter 25 Configuring IPv6 MLD Snooping Understanding MLD Snooping • Dynamic multicast router port aging is based on a default timer of 5 minutes; the multicast router is deleted from the router port list if no control packet is received on the port for 5 minutes. • IPv6 multicast router discovery only takes place when MLD snooping is enabled on the switch. • Received IPv6 multicast router control packets are always flooded to the ingress VLAN, whether or not MLD snooping is enabled on the switch.
Chapter 25 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping last-listener-query-interval global configuration command. If the deleted port is the last member of the multicast address, the multicast address is also deleted, and the switch sends the address leave information to all detected multicast routers.
Chapter 25 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping Table 25-1 Default MLD Snooping Configuration Feature Default Setting MLD snooping (Global) Disabled. MLD snooping (per VLAN) Enabled. MLD snooping must be globally enabled for VLAN MLD snooping to take place. IPv6 Multicast addresses None configured. IPv6 Multicast router ports None configured. MLD snooping Immediate Leave Disabled. MLD snooping robustness variable Global: 2; Per VLAN: 0.
Chapter 25 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping Enabling or Disabling MLD Snooping By default, IPv6 MLD snooping is globally disabled on the switch and enabled on all VLANs. When MLD snooping is globally disabled, it is also disabled on all VLANs. When you globally enable MLD snooping, the VLAN configuration overrides the global configuration. That is, MLD snooping is enabled only on VLAN interfaces in the default state (enabled).
Chapter 25 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping Configuring a Static Multicast Group Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure an IPv6 multicast address and member ports for a VLAN.
Chapter 25 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping Beginning in privileged EXEC mode, follow these steps to add a multicast router port to a VLAN: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ipv6 mld snooping vlan vlan-id mrouter interface interface-id Specify the multicast router VLAN ID, and specify the interface to the multicast router. • The VLAN ID range is 1 to 1001 and 1006 to 4094.
Chapter 25 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping Configuring MLD Snooping Queries When Immediate Leave is not enabled and a port receives an MLD Done message, the switch generates MASQs on the port and sends them to the IPv6 multicast address for which the Done message was sent. You can optionally configure the number of MASQs that are sent and the length of time the switch waits for a response before deleting the port from the multicast group.
Chapter 25 Configuring IPv6 MLD Snooping Displaying MLD Snooping Information This example shows how to set the MLD snooping global robustness variable to 3: Switch# configure terminal Switch(config)# ipv6 mld snooping robustness-variable 3 Switch(config)# exit This example shows how to set the MLD snooping last-listener query count for a VLAN to 3: Switch# configure terminal Switch(config)# ipv6 mld snooping vlan 200 last-listener-query-count 3 Switch(config)# exit This example shows how to set the MLD
Chapter 25 Configuring IPv6 MLD Snooping Displaying MLD Snooping Information Table 25-2 Commands for Displaying MLD Snooping Information Command Purpose show ipv6 mld snooping [vlan vlan-id] Display the MLD snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.
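The MLD snooping procedures of this chapter combined into one working configuration, added as an example and not part of the guide. The VLAN (200), the IPv6 group address (FF1E::101), the MASQ values and the interface numbers are assumptions.

```cisco
! Example configuration (assumed VLAN, group and ports, not from the guide)
! One-time prerequisite: the dual IPv4 and IPv6 SDM template; it takes effect after a reload
Switch# configure terminal
Switch(config)# sdm prefer dual-ipv4-and-ipv6 default
Switch(config)# end
Switch# reload
! After the reload:
Switch# configure terminal
! Global enable is required; per-VLAN snooping is enabled by default but has no effect until then
Switch(config)# ipv6 mld snooping
Switch(config)# ipv6 mld snooping vlan 200
! Multicast router port toward the IPv6 router; dynamically learned router ports age out in 5 minutes
Switch(config)# ipv6 mld snooping vlan 200 mrouter interface gigabitethernet1/0/24
! Static listener for a group on a host port
Switch(config)# ipv6 mld snooping vlan 200 static FF1E::101 interface gigabitethernet1/0/3
! Immediate Leave only where a single host sits on each port in the VLAN
Switch(config)# ipv6 mld snooping vlan 200 immediate-leave
! MASQ tuning for ports without Immediate Leave: 2 queries, 1000 ms apart
Switch(config)# ipv6 mld snooping vlan 200 last-listener-query-count 2
Switch(config)# ipv6 mld snooping last-listener-query-interval 1000
Switch(config)# end
! Verify: snooping state, router ports, listener table and the elected querier
Switch# show ipv6 mld snooping vlan 200
Switch# show ipv6 mld snooping mrouter vlan 200
Switch# show ipv6 mld snooping address vlan 200
Switch# show ipv6 mld snooping querier vlan 200
```

Because MLD messages with a source address that is not link-local are ignored by the switch, a listener table that stays empty while hosts are sending reports usually points at hosts sourcing MLD from a global address, not at the switch configuration.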
CH A P T E R 26 Configuring Port-Based Traffic Control This chapter describes how to configure the port-based traffic control features on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 26 Configuring Port-Based Traffic Control Configuring Storm Control Storm control uses one of these methods to measure traffic activity: • Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic • Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received • Traffic rate in packets per second and for small frames. This feature is enabled globally.
Chapter 26 Configuring Port-Based Traffic Control Configuring Storm Control You use the storm-control interface configuration commands to set the threshold value for each traffic type. Default Storm Control Configuration By default, unicast, broadcast, and multicast storm control are disabled on the switch interfaces; that is, the suppression level is 100 percent.
Command Purpose Step 3 storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]} Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled. The keywords have these meanings: • For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage (up to two decimal places) of the bandwidth.
Command Purpose Step 6 show storm-control [interface-id] [broadcast | multicast | unicast] Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 26 Configuring Port-Based Traffic Control Configuring Protected Ports Command Purpose Step 5 interface interface-id Enter interface configuration mode, and specify the interface to be configured. Step 6 small-frame violation-rate pps Configure the threshold rate for the interface to drop incoming packets and error disable the port. The range is 1 to 10,000 packets per second (pps). Step 7 end Return to privileged EXEC mode. Step 8 show interfaces interface-id Verify the configuration.
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Blocking Protected Port Configuration Guidelines You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group. Do not configure a private-VLAN port as a protected port. Do not configure a protected port as a private-VLAN port.
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security Default Port Blocking Configuration The default is to not block flooding of unknown multicast and unicast traffic out of a port, but to flood these packets to all ports. Blocking Flooded Traffic on an Interface Note The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.
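The storm control, small-frame arrival rate, protected port and port blocking procedures above, applied together to one user-facing port. This is an example added here, not the guide's own configuration; the thresholds, recovery interval and interface number are assumptions to be tuned for the actual traffic profile.

```cisco
! Example configuration (assumed thresholds and port, not from the guide)
Switch# configure terminal
! Small-frame detection is global; the per-port rate is set on the interface below
Switch(config)# errdisable detect cause small-frame
Switch(config)# errdisable recovery cause small-frame
Switch(config)# errdisable recovery interval 300
Switch(config)# interface gigabitethernet1/0/5
Switch(config-if)# switchport mode access
! Broadcast: block above 20 % of port bandwidth, resume forwarding once it drops below 10 %
Switch(config-if)# storm-control broadcast level 20 10
! Multicast and unknown unicast measured in packets per second (rising / falling)
Switch(config-if)# storm-control multicast level pps 5000 2500
Switch(config-if)# storm-control unicast level pps 5000 2500
! Without an action the switch only drops; trap sends an SNMP trap, shutdown err-disables the port
Switch(config-if)# storm-control action trap
! Err-disable the port when frames shorter than 67 bytes exceed 2000 pps
Switch(config-if)# small-frame violation-rate 2000
! Protected: no Layer 2 traffic between this port and other protected ports on the switch
Switch(config-if)# switchport protected
! Do not deliver flooded unknown-unicast or unknown-multicast frames to this port
Switch(config-if)# switchport block unicast
Switch(config-if)# switchport block multicast
Switch(config-if)# end
! Verify thresholds, the protected and blocking flags, and the recovery timers
Switch# show storm-control gigabitethernet1/0/5 broadcast
Switch# show storm-control gigabitethernet1/0/5 multicast
Switch# show storm-control gigabitethernet1/0/5 unicast
Switch# show interfaces gigabitethernet1/0/5 switchport
Switch# show errdisable recovery
```

Two caveats carried over from the text: the protected-port isolation is local to one switch or stack, so two protected ports on different switches can still reach each other through the uplink, and blocking unknown unicast does nothing for frames whose destination the switch has already learned.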
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security These sections contain this conceptual and configuration information: • Understanding Port Security, page 26-9 • Default Port Security Configuration, page 26-11 • Port Security Configuration Guidelines, page 26-11 • Enabling and Configuring Port Security, page 26-13 • Enabling and Configuring Port Security Aging, page 26-17 • Port Security and Switch Stacks, page 26-18 • Port Security and Private VLANs, page 26-18 Un
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration. The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system. This number is determined by the active Switch Database Management (SDM) template.
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security Table 26-1 shows the violation mode and the actions taken when you configure an interface for port security.
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security • A secure port cannot be a private-VLAN port. • When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN.
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security Enabling and Configuring Port Security Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode.
Command Purpose Step 7 switchport port-security violation {protect | restrict | shutdown | shutdown vlan} (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these: • Note protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC
Command Purpose Step 8 switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}] (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table. All addresses are now dynamically learned.
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Switch(config-if)# switchport port-security mac-address 0000.0000.
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command. To disable aging for only statically configured secure addresses, use the no switchport port-security aging static interface configuration command.
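The following example, added here and not taken from the guide, shows port security on a phone-plus-PC access port with the violation mode, sticky learning, aging and error-disable recovery chosen deliberately rather than left at their defaults. VLAN numbers, the aging time, the recovery interval and the interface are assumptions.

```cisco
! Example configuration (assumed VLANs, timers and port, not from the guide)
Switch# configure terminal
! Let a port shut down by a violation recover by itself after 5 minutes (only matters for violation shutdown)
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# interface gigabitethernet1/0/7
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport voice vlan 22
Switch(config-if)# switchport port-security
! Phone plus PC: two secure addresses, one per VLAN, as the guidelines require
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security maximum 1 vlan access
Switch(config-if)# switchport port-security maximum 1 vlan voice
! restrict drops the offending frames AND logs/traps and counts the violation;
! protect drops silently and leaves no evidence, so prefer restrict or shutdown
Switch(config-if)# switchport port-security violation restrict
! Sticky: learned addresses are written into the running configuration
Switch(config-if)# switchport port-security mac-address sticky
! Age out dynamic secure addresses after 10 minutes without traffic.
! Static addresses age only with 'aging static'; sticky addresses do not age.
Switch(config-if)# switchport port-security aging time 10
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# end
! Verify the limits, the violation counter and the learned addresses
Switch# show port-security interface gigabitethernet1/0/7
Switch# show port-security address
! Sticky addresses survive a reload only if the running configuration is saved
Switch# copy running-config startup-config
```

With this configuration a third device plugged into the port (or a spoofed source address) is dropped and logged without taking the phone offline; if the policy is to take the port down instead, replace restrict with shutdown, which is where the psecure-violation recovery timer comes in.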
Chapter 26 Configuring Port-Based Traffic Control Displaying Port-Based Traffic Control Settings This example shows how to configure port security on a PVLAN host and promiscuous ports:
Switch(config)# interface gigabitethernet 1/0/8
Switch(config-if)# switchport private-vlan mapping 2061 2201-2206,3101
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport port-security maximum 288
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security vi
CH A P T E R 27 Configuring CDP This chapter describes how to configure Cisco Discovery Protocol (CDP) on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Chapter 27 Configuring CDP Configuring CDP CDP and Switch Stacks A switch stack appears as a single switch in the network. Therefore, CDP discovers the switch stack, not the individual stack members. The switch stack sends CDP messages to neighboring network devices when there are changes to the switch stack membership, such as stack members being added or removed.
Command Purpose Step 3 cdp holdtime seconds (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is 10 to 255 seconds; the default is 180 seconds. Step 4 cdp advertise-v2 (Optional) Configure CDP to send Version-2 advertisements. This is the default state. Step 5 end Return to privileged EXEC mode. Step 6 show cdp Verify your settings.
Chapter 27 Configuring CDP Configuring CDP Disabling and Enabling CDP on an Interface CDP is enabled by default on all supported interfaces to send and to receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on a port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface on which you are disabling CDP, and enter interface configuration mode.
Chapter 27 Configuring CDP Monitoring and Maintaining CDP Monitoring and Maintaining CDP To monitor and maintain CDP on your device, use one or more of the privileged EXEC commands in Table 27-2. Table 27-2 Commands for Displaying CDP Information Command Description clear cdp counters Reset the traffic counters to zero. clear cdp table Delete the CDP table of information about neighbors.
CH A P T E R 28 Configuring LLDP, LLDP-MED, and Wired Location Service This chapter describes how to configure the Link Layer Discovery Protocol (LLDP), LLDP Media Endpoint Discovery (LLDP-MED) and wired location service on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Chapter 28 Configuring LLDP, LLDP-MED, and Wired Location Service Understanding LLDP, LLDP-MED, and Wired Location Service The switch supports these basic management TLVs. These are mandatory LLDP TLVs. • Port description TLV • System name TLV • System description TLV • System capabilities TLV • Management address TLV These organizationally specific LLDP TLVs are also advertised to support LLDP-MED. Note • Port VLAN ID TLV (IEEE 802.
Chapter 28 Configuring LLDP, LLDP-MED, and Wired Location Service Understanding LLDP, LLDP-MED, and Wired Location Service • Location TLV Provides location information from the switch to the endpoint device. The location TLV can send this information: – Civic location information Provides the civic address information and postal information. Examples of civic location information are street address, road name, and postal community name information.
Chapter 28 Configuring LLDP, LLDP-MED, and Wired Location Service Configuring LLDP, LLDP-MED, and Wired Location Service • Device category is specified as a wired station • State is specified as delete • Serial number, UDI • Time in seconds since the switch detected the disassociation When the switch shuts down, it sends an attachment notification with the state delete and the IP address before closing the NMSP connection to the MSE.
Chapter 28 Configuring LLDP, LLDP-MED, and Wired Location Service Configuring LLDP, LLDP-MED, and Wired Location Service • If you first configure a network-policy profile on an interface, you cannot apply the switchport voice vlan command on the interface. If the switchport voice vlan vlan-id is already configured on an interface, you can apply a network-policy profile on the interface. This way the interface has the voice or voice-signaling VLAN network-policy profile applied on the interface.
Chapter 28 Configuring LLDP, LLDP-MED, and Wired Location Service Configuring LLDP, LLDP-MED, and Wired Location Service Beginning in privileged EXEC mode, follow these steps to configure the LLDP characteristics. Note Steps 2 through 5 are optional and can be performed in any order. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 28 Configuring LLDP, LLDP-MED, and Wired Location Service Configuring LLDP, LLDP-MED, and Wired Location Service By using the lldp interface configuration command, you can configure the interface not to send the TLVs listed in Table 28-2.
Command Purpose Step 3 {voice | voice-signaling} vlan [vlan-id {cos cvalue | dscp dvalue}] | [[dot1p {cos cvalue | dscp dvalue}] | none | untagged] Configure the policy attributes: voice—Specify the voice application type. voice-signaling—Specify the voice-signaling application type. vlan—Specify the native VLAN for voice traffic.
Chapter 28 Configuring LLDP, LLDP-MED, and Wired Location Service Configuring LLDP, LLDP-MED, and Wired Location Service Configuring Location TLV and Wired Location Service Beginning in privileged EXEC mode, follow these steps to configure location information for an endpoint and to apply it to an interface. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 location {admin-tag string | civic-location Specify the location information for an endpoint.
Chapter 28 Configuring LLDP, LLDP-MED, and Wired Location Service Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service Beginning in privileged EXEC mode, follow these steps to enable wired location service on the switch. Note Your switch must be running the cryptographic (encrypted) software image to enable the nmsp global configuration commands. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 nmsp enable Enable the NMSP features on the switch.
Chapter 28 Configuring LLDP, LLDP-MED, and Wired Location Service Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service Command Description show lldp neighbors [interface-id] [detail] Display information about neighbors, including device type, interface type and number, holdtime settings, capabilities, and port ID. You can limit the display to neighbors of a specific interface or expand the display for more detailed information.
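Because both CDP (Chapter 27) and LLDP advertise the platform, software version, native VLAN and management address to whatever is plugged into a port, the usual practice is to keep them only where a neighbor needs them. The following configuration, added here as an example and not taken from the guide, does that for an uplink, an IP phone port and an untrusted user port. Interface numbers and timer values are assumptions, and the management-address keyword of lldp tlv-select is assumed to exist on this image; check it with ? before relying on it.

```cisco
! Example configuration (assumed ports and timers, not from the guide)
Switch# configure terminal
! Discovery stays on globally; per-port settings decide where it is actually spoken
Switch(config)# cdp run
Switch(config)# cdp timer 60
Switch(config)# cdp holdtime 180
Switch(config)# lldp run
Switch(config)# lldp timer 30
Switch(config)# lldp holdtime 120
! Untrusted user port: neither send nor accept CDP or LLDP
Switch(config)# interface gigabitethernet1/0/10
Switch(config-if)# no cdp enable
Switch(config-if)# no lldp transmit
Switch(config-if)# no lldp receive
Switch(config-if)# exit
! IP phone port: LLDP-MED is needed for the network policy, but withhold the management address
! (assumption: 'management-address' is the tlv-select keyword on this release)
Switch(config)# interface gigabitethernet1/0/7
Switch(config-if)# no lldp tlv-select management-address
Switch(config-if)# exit
! Uplink gigabitethernet1/0/24 keeps the defaults so the neighbor tables remain useful
Switch(config)# end
! Verify per-port state and what neighbors are currently seen
Switch# show cdp interface gigabitethernet1/0/10
Switch# show lldp interface gigabitethernet1/0/10
Switch# show cdp neighbors detail
Switch# show lldp neighbors detail
```

Disabling only one of the two protocols is a common gap: a port with no cdp enable but LLDP left at its default still announces the same system description.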
CH A P T E R 29 Configuring UDLD This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 29 Configuring UDLD Understanding UDLD In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection. If the ports are connected correctly but the traffic is one way, UDLD does not detect the unidirectional link because the Layer 1 mechanism, which is supposed to detect this condition, does not do so.
Chapter 29 Configuring UDLD Configuring UDLD If the detection window ends and no valid reply message is received, the link might shut down, depending on the UDLD mode. When UDLD is in normal mode, the link might be considered undetermined and might not be shut down. When UDLD is in aggressive mode, the link is considered unidirectional, and the port is disabled.
Chapter 29 Configuring UDLD Configuring UDLD Default UDLD Configuration Table 29-1 shows the default UDLD configuration.
Chapter 29 Configuring UDLD Configuring UDLD Enabling UDLD Globally Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch and all members in the switch stack: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 29 Configuring UDLD Configuring UDLD Enabling UDLD on an Interface Beginning in privileged EXEC mode, follow these steps either to enable UDLD in the aggressive or normal mode or to disable UDLD on a port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be enabled for UDLD, and enter interface configuration mode. Step 3 udld port [aggressive] UDLD is disabled by default.
Chapter 29 Configuring UDLD Displaying UDLD Status Displaying UDLD Status To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
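The global and per-interface UDLD procedures above, combined in one configuration that also handles the consequence of aggressive mode (an err-disabled port). This is an added example, not the guide's own; the message timer, the recovery interval and the interface numbers are assumptions.

```cisco
! Example configuration (assumed ports and timers, not from the guide)
Switch# configure terminal
! Aggressive mode on every fiber-optic port of the switch and stack; probe every 15 seconds
Switch(config)# udld aggressive
Switch(config)# udld message time 15
! Copper uplink: the global command covers fiber ports only, so enable it per port
Switch(config)# interface gigabitethernet1/0/25
Switch(config-if)# udld port aggressive
Switch(config-if)# exit
! Fiber port deliberately excluded from the global setting
Switch(config)# interface gigabitethernet1/0/26
Switch(config-if)# udld port disable
Switch(config-if)# exit
! Aggressive mode err-disables a port it judges unidirectional; recover it after 5 minutes
! rather than leaving the link down until someone logs in
Switch(config)# errdisable recovery cause udld
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Verify the mode, the neighbor seen on the port and the current link state
Switch# show udld gigabitethernet1/0/25
Switch# show udld
! Manually re-enable ports that UDLD shut down, once the cabling has been checked
Switch# udld reset
```

Normal mode would only mark the same link undetermined, so pick aggressive mode where a one-way link can create a spanning-tree loop (for example fiber rings and EtherChannel members) and accept that a flapping neighbor will then take the port down.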
CH A P T E R 30 Configuring SPAN and RSPAN This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 30 Configuring SPAN and RSPAN Understanding SPAN and RSPAN These sections contain this conceptual information: • Local SPAN, page 30-2 • Remote SPAN, page 30-3 • SPAN and RSPAN Concepts and Terminology, page 30-4 • SPAN and RSPAN Interaction with Other Features, page 30-9 • SPAN and RSPAN and Switch Stacks, page 30-10 Local SPAN Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports are in the same switch or switch stack.
Figure 30-2 Example of Local SPAN Configuration on a Switch Stack (figure: in a blade switch stack of Switch 1, Switch 2 and Switch 3 joined by StackWise Plus port connections, port 4 on switch 1, interface 1/0/4, is mirrored on port 15 on switch 2, interface 2/0/15, where the network analyzer is attached) Remote SPAN RSPAN supports source ports, source VLANs, and destination ports on different switches (or different switch stacks), enabling remote monitoring of multiple switches across your
Figure 30-3 Example of RSPAN Configuration (figure: RSPAN source session A on Switch A and RSPAN source session B on Switch B copy traffic from their RSPAN source ports into the RSPAN VLAN; intermediate switches, which must support the RSPAN VLAN, carry it to the RSPAN destination session and RSPAN destination ports on Switch C) SPAN and RSPAN Concepts and Terminology This section describes concepts and terminology associated with SPAN and RSPAN configuration.
Chapter 30 Configuring SPAN and RSPAN Understanding SPAN and RSPAN An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed over normal trunk ports to the destination switch. An RSPAN destination session takes all packets received on the RSPAN VLAN, strips off the VLAN tagging, and presents them on the destination port.
Chapter 30 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Features that can cause a packet to be dropped during receive processing have no effect on ingress SPAN; the destination port receives a copy of the packet even if the actual incoming packet is dropped. These features include IP standard and extended input access control lists (ACLs), ingress QoS policing, VLAN ACLs, and egress QoS policing.
Chapter 30 Configuring SPAN and RSPAN Understanding SPAN and RSPAN A source port has these characteristics: • It can be monitored in multiple SPAN sessions. • Each source port can be configured with a direction (ingress, egress, or both) to monitor. • It can be any port type (for example, EtherChannel, Gigabit Ethernet, and so forth). • For EtherChannel sources, you can monitor traffic for the entire EtherChannel or individually on a physical port as it participates in the port channel.
Chapter 30 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Destination Port Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user, usually a network analyzer. A destination port has these characteristics: • For a local SPAN session, the destination port must reside on the same switch or switch stack as the source port.
Chapter 30 Configuring SPAN and RSPAN Understanding SPAN and RSPAN RSPAN VLAN The RSPAN VLAN carries SPAN traffic between RSPAN source and destination sessions. It has these special characteristics: • All traffic in the RSPAN VLAN is always flooded. • No MAC address learning occurs on the RSPAN VLAN. • RSPAN VLAN traffic only flows on trunk ports. • RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN configuration mode command.
A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and still be a part of the EtherChannel. In this case, data from the physical port is monitored as it participates in the EtherChannel. However, if a physical port that belongs to an EtherChannel group is configured as a SPAN destination, it is removed from the group.
ACL permits it. But if the security output ACL denies a packet and it is not sent, it is not copied to the SPAN destination ports. However, if the security output ACL permits the packet to go out, it is only copied to the SPAN destination ports if the FSPAN ACL permits it. This is also true for an RSPAN session. You can attach three types of FSPAN ACLs to the SPAN session:
• IPv4 FSPAN ACL— filters only IPv4 packets.

Table 30-1 Default SPAN and RSPAN Configuration (continued)
Feature | Default Setting
Encapsulation type (destination port) | Native form (untagged packets).
Ingress forwarding (destination port) | Disabled
VLAN filtering | On a trunk interface used as a source port, all VLANs are monitored.
RSPAN VLANs | None configured.

Creating a Local SPAN Session
Beginning in privileged EXEC mode, follow these steps to create a SPAN session and specify the source (monitored) ports or VLANs and the destination (monitoring) ports:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: no monitor session {session_number | all | local | remote}
  Remove any existing SPAN configuration for the session. For session_number, the range is 1 to 66.

Step 4: monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
  Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3.
  Note: For local SPAN, you must use the same session number for the source and destination interfaces.
  For interface-id, specify the destination port.
This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination Gigabit Ethernet port 2. The configuration is then modified to also monitor all traffic on all ports belonging to VLAN 10.
Step 5: end
  Return to privileged EXEC mode.
Step 6: show monitor [session session_number]
        show running-config
  Verify the configuration.
Step 7: copy running-config startup-config
  (Optional) Save the configuration in the configuration file.
To delete a SPAN session, use the no monitor session session_number global configuration command.

Step 5: monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
  Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3. For interface-id, specify the destination port. The destination interface must be a physical port; it cannot be an EtherChannel, and it cannot be a VLAN.

• You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets. Specify these ACLs on the RSPAN VLAN in the RSPAN source switches.
• For RSPAN configuration, you can distribute the source ports and the destination ports across multiple switches in your network.
• RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols.
To remove the remote SPAN characteristic from a VLAN and convert it back to a normal VLAN, use the no remote-span VLAN configuration command. This example shows how to create RSPAN VLAN 901.
Step 6: show monitor [session session_number]
        show running-config
  Verify the configuration.
Step 7: copy running-config startup-config
  (Optional) Save the configuration in the configuration file.
To delete a SPAN session, use the no monitor session session_number global configuration command.

Step 5: monitor session session_number destination remote vlan vlan-id
  Specify the RSPAN session and the destination remote VLAN (RSPAN VLAN). For session_number, enter the session number specified in Step 3. For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port.
Step 6: end
  Return to privileged EXEC mode.
Step 7: show monitor [session session_number]
  Verify the configuration.

Step 6: monitor session session_number source remote vlan vlan-id
  Specify the RSPAN session and the source RSPAN VLAN. For session_number, the range is 1 to 66. For vlan-id, specify the source RSPAN VLAN to monitor.
Step 7: monitor session session_number destination interface interface-id
  Specify the RSPAN session and the destination interface. For session_number, enter the number defined in Step 6.

Step 3: monitor session session_number source remote vlan vlan-id
  Specify the RSPAN session and the source RSPAN VLAN. For session_number, the range is 1 to 66. For vlan-id, specify the source RSPAN VLAN to monitor.
Step 4: monitor session session_number destination {interface interface-id [, | -]
  Specify the SPAN session, the destination port, the packet encapsulation, and the incoming VLAN and encapsulation.

Configuring FSPAN and FRSPAN
These sections contain this configuration information:
• Configuration Guidelines, page 30-24
• Configuring an FSPAN Session, page 30-25
• Configuring an FRSPAN Session, page 30-26
Configuration Guidelines
Follow these guidelines when configuring FSPAN or FRSPAN:
• You can attach ACLs to only one SPAN or RSPAN session at a time.

Configuring an FSPAN Session
Beginning in privileged EXEC mode, follow these steps to create a SPAN session, specify the source (monitored) ports or VLANs and the destination (monitoring) ports, and configure FSPAN for the session:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: no monitor session {session_number | all | local | remote}
  Remove any existing SPAN configuration for the session.

Step 4: monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
  Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3.
  For interface-id, specify the destination port. The destination interface must be a physical port; it cannot be an EtherChannel, and it cannot be a VLAN.

Step 3: monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
  Specify the RSPAN session and the source port (monitored port). For session_number, the range is 1 to 66. Enter a source port or source VLAN for the RSPAN session:
  • For source interface-id, specify the source port to monitor. Only physical interfaces are valid.
Displaying SPAN and RSPAN Status
To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
CHAPTER 31 Configuring RMON
This chapter describes how to configure Remote Network Monitoring (RMON) on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information.
Chapter 31 Configuring RMON Configuring RMON
Figure 31-1 Remote Monitoring Example (figure labels: network management station with generic RMON console application; RMON history and statistic collection enabled; blade servers; RMON alarms and events configured; SNMP configured)
Default RMON Configuration
RMON is disabled by default; no alarms or events are configured.
Configuring RMON Alarms and Events
You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station. We recommend that you use a generic RMON console application on the network management station (NMS) to take advantage of the RMON network management capabilities.
Step 3: rmon event number [description string] [log] [owner string] [trap community]
  Add an event in the RMON event table that is associated with an RMON event number.
  • For number, assign an event number. The range is 1 to 65535.
  • (Optional) For description string, specify a description of the event.
  • (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.
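The alarm and event tables described above, as an added example that is not from the Cisco guide: a Python model of how an RMON alarm entry (absolute or delta sampling, rising and falling thresholds with the RFC 2819 rule that a second rising alarm is held back until the falling threshold is reached; startup type rising-or-falling is assumed) triggers the log and trap actions of an rmon event entry. The counter readings, event numbers, descriptions and the community string are constructed.

```python
"""Added example (not from the Cisco guide): how an RMON alarm entry drives
the event table entries configured with 'rmon event'.  Threshold and
hysteresis semantics follow RFC 2819; startup type rising-or-falling is
assumed.  Counter readings and event details below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RmonEvent:
    number: int                           # 1 to 65535, as in 'rmon event number'
    description: str = ""                 # 'description string'
    log: bool = False                     # 'log': write an RMON log entry when triggered
    trap_community: Optional[str] = None  # 'trap community': send an SNMP trap when triggered
    owner: str = ""                       # 'owner string'


@dataclass
class RmonAlarm:
    variable: str                 # MIB object sampled, e.g. an interface error counter
    sample_type: str              # "absolute" (use the value) or "delta" (use the change)
    rising: int
    falling: int
    rising_event: Optional[int]   # event number to fire on a rising crossing
    falling_event: Optional[int]  # event number to fire on a falling crossing
    last_raw: Optional[int] = None
    rising_armed: bool = True     # startup rising-or-falling: both crossings can fire first
    falling_armed: bool = True

    def sample(self, raw: int) -> Optional[Tuple[str, Optional[int]]]:
        """Feed one sample; return ('rising'|'falling', event number) when an alarm fires."""
        if self.sample_type == "delta":
            if self.last_raw is None:     # a delta needs two raw readings
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        if value >= self.rising and self.rising_armed:
            # No further rising alarm until the value comes back down to the falling threshold
            self.rising_armed, self.falling_armed = False, True
            return ("rising", self.rising_event)
        if value <= self.falling and self.falling_armed:
            self.falling_armed, self.rising_armed = False, True
            return ("falling", self.falling_event)
        return None


class RmonAgent:
    """Holds the event table and turns fired alarms into log entries and traps."""

    def __init__(self, events: List[RmonEvent]):
        self.events: Dict[int, RmonEvent] = {e.number: e for e in events}
        self.log: List[str] = []
        self.traps: List[Tuple[str, int]] = []   # (community, event number)

    def run(self, alarm: RmonAlarm, samples: List[int]) -> List[Optional[int]]:
        """Feed samples in order; return the event number fired per sample (None = nothing)."""
        fired: List[Optional[int]] = []
        for raw in samples:
            hit = alarm.sample(raw)
            fired.append(hit[1] if hit else None)
            if hit and hit[1] in self.events:
                ev = self.events[hit[1]]
                if ev.log:
                    self.log.append(f"event {ev.number} ({ev.description}): "
                                    f"{hit[0]} threshold on {alarm.variable}")
                if ev.trap_community:
                    self.traps.append((ev.trap_community, ev.number))
        return fired


# Constructed event table: event 1 logs and traps, event 2 only logs.
EVENTS = [RmonEvent(1, "input errors rising", log=True, trap_community="monitor-ro"),
          RmonEvent(2, "input errors settled", log=True)]
# Constructed counter readings, one per sampling interval (a monotonically growing counter).
SAMPLES = [100, 103, 120, 135, 137, 138, 150]


def demo() -> Tuple[List[Optional[int]], RmonAgent]:
    """Run a delta alarm (rising 10, falling 2) over the constructed readings."""
    agent = RmonAgent(EVENTS)
    alarm = RmonAlarm("ifInErrors.1", "delta", rising=10, falling=2,
                      rising_event=1, falling_event=2)
    return agent.run(alarm, SAMPLES), agent


if __name__ == "__main__":
    fired, agent = demo()
    print(fired)          # [None, None, 1, None, 2, None, 1]
    print(*agent.log, sep="\n")
```

Note that the 15-error delta at the fourth reading fires nothing: the alarm stays latched until the falling threshold clears it, which is what keeps a noisy counter from flooding the log and the trap receiver.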
Collecting Group History Statistics on an Interface
You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional.
Step 1: configure terminal
  Enter global configuration mode.

Step 3: rmon collection stats index [owner ownername]
  Enable RMON statistic collection on the interface.
  • For index, specify the RMON group of statistics. The range is from 1 to 65535.
  • (Optional) For owner ownername, enter the name of the owner of the RMON group of statistics.
Step 4: end
  Return to privileged EXEC mode.
Step 5: show running-config
  Verify your entries.
CHAPTER 32 Configuring System Message Logging
This chapter describes how to configure system message logging on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
Chapter 32 Configuring System Message Logging Configuring System Message Logging You can set the severity level of the messages to control the type of messages displayed on the consoles and each of the destinations. You can time-stamp log messages or set the syslog source address to enhance real-time debugging and management. For information on possible messages, see the system message guide for this release.
Table 32-1 describes the elements of syslog messages.
Table 32-1 System Log Message Elements
Element | Description
seq no: | Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages” section on page 32-8.
timestamp formats: | Date and time of the message or event.

*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
18:47:02: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
*Mar 1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
Default System Message Logging Configuration
Table 32-2 shows the default system message logging configuration.
Disabling the logging process can slow down the switch because a process must wait until the messages are written to the console before continuing. When the logging process is disabled, messages appear on the console as soon as they are produced, often appearing in the middle of command output. The logging synchronous global configuration command also affects the display of messages to the console.
Step 4: logging file flash:filename [max-file-size [min-file-size]] [severity-level-number | type]
  Store log messages in a file in flash memory on a standalone switch or, in the case of a switch stack, on the stack master.
  • For filename, enter the log message filename.
  • (Optional) For max-file-size, specify the maximum logging file size. The range is 4096 to 2147483647. The default is 4096 bytes.

Beginning in privileged EXEC mode, follow these steps to configure synchronous logging. This procedure is optional.
Step 1: configure terminal
  Enter global configuration mode.
Step 2: line [console | vty] line-number [ending-line-number]
  Specify the line to be configured for synchronous logging of messages.

Enabling and Disabling Time Stamps on Log Messages
By default, log messages are not time-stamped. Beginning in privileged EXEC mode, follow these steps to enable time-stamping of log messages. This procedure is optional.
Step 1: configure terminal
  Enter global configuration mode.
Step 2: service timestamps log uptime
  Enable log time stamps.

Step 4: show running-config
  Verify your entries.
Step 5: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To disable sequence numbers, use the no service sequence-numbers global configuration command. This example shows part of a logging display with sequence numbers enabled:
000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.
Table 32-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.
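To make the message elements of Table 32-1 and the severity levels of Table 32-3 concrete, here is an added Python example (not from the Cisco guide) that parses the sample messages shown on this page plus one constructed SEC-6-IPACCESSLOGP line, filters by level the way a collector would, and pulls the terminal line and address out of CONFIG_I messages for configuration-change auditing. The NwNd uptime form and the config_change_sources helper are assumptions, not taken from this page.

```python
"""Added example (not from the Cisco guide): parse the syslog message elements of
Table 32-1 (optional sequence number, optional uptime or datetime stamp, facility,
severity, mnemonic, text) and apply the Table 32-3 severity levels."""
import re
from typing import Dict, List, Optional, Tuple

# Table 32-3 level keywords; the list index is the severity number, most severe first
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

# datetime stamp: optional '*' (clock not authoritative), month, day, time, optional msec and zone
_DATETIME = r"\*?[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d{3})?(?: [A-Z]{3,4})?"
# uptime stamp: HH:MM:SS as on this page, or the NwNd form (assumed; not shown on this page)
_UPTIME = r"\d\d:\d\d:\d\d(?:\.\d{3})?|\d+w\d+d"
_LINE = re.compile(r"^(?:(?P<seq>\d+): )?(?:(?P<ts>" + _DATETIME + "|" + _UPTIME + r"): )?"
                   r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
                   r"(?P<text>.*)$")
# text of a SYS-5-CONFIG_I message (constructed helper for audit use)
_CONFIG_SRC = re.compile(r"Configured from (?P<via>\S+) by (?P<line>\S+)(?: \((?P<host>[\d.]+)\))?")

# The four messages shown on this page plus one constructed ACL log message.
SAMPLE_LINES = [
    "*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "18:47:02: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "*Mar 1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    # constructed: sequence number and datetime stamp together, severity 6
    "000020: *Mar 1 18:50:07.112 UTC: %SEC-6-IPACCESSLOGP: list 102 denied tcp "
    "10.2.2.2(65000) -> 10.1.1.1(25), 1 packet",
]


def parse_message(line: str) -> Optional[Dict[str, object]]:
    """Split one system message into its elements; None if the line is not a system message."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts = m.group("ts")
    sev = int(m.group("severity"))
    return {
        "seq": int(m.group("seq")) if m.group("seq") else None,
        "timestamp": ts.lstrip("*") if ts else None,
        # False when the stamp carried a leading '*': the switch clock was not authoritative
        "clock_authoritative": None if ts is None else not ts.startswith("*"),
        "facility": m.group("facility"),
        "severity": sev,
        "level": LEVELS[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def select_at_level(lines: List[str], level: str) -> List[Dict[str, object]]:
    """Keep messages at the given level keyword or more severe (lower number = more severe),
    which is how a level argument such as the one in 'logging history level' is applied."""
    limit = LEVELS.index(level)
    selected = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and msg["severity"] <= limit:
            selected.append(msg)
    return selected


def config_change_sources(lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (terminal line, host address) for every SYS-5-CONFIG_I message, so that
    configuration changes can be matched against expected administrative sources."""
    found = []
    for line in lines:
        msg = parse_message(line)
        if msg and msg["facility"] == "SYS" and msg["mnemonic"] == "CONFIG_I":
            m = _CONFIG_SRC.search(str(msg["text"]))
            if m:
                found.append((m.group("line"), m.group("host")))
    return found


if __name__ == "__main__":
    for msg in select_at_level(SAMPLE_LINES, "informational"):
        print(msg["seq"], msg["timestamp"], msg["level"], msg["mnemonic"], msg["text"])
    print(config_change_sources(SAMPLE_LINES))
```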
Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults. This procedure is optional.
Step 1: configure terminal
  Enter global configuration mode.
Step 2: logging history level
  Change the default level of syslog messages stored in the history file and sent to the SNMP server. See Table 32-3 on page 32-10 for a list of level keywords.

Beginning in privileged EXEC mode, follow these steps to enable configuration logging:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: archive
  Enter archive configuration mode.
Step 3: log config
  Enter configuration-change logger configuration mode.
Step 4: logging enable
  Enable configuration change logging.

Logging Messages to a UNIX Syslog Daemon
Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. This procedure is optional. Log in as root, and perform these steps:
Note: Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network.

Step 4: logging facility facility-type
  Configure the syslog facility. See Table 32-4 on page 32-14 for facility-type keywords. The default is local7.
Step 5: end
  Return to privileged EXEC mode.
Step 6: show running-config
  Verify your entries.
Step 7: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
CHAPTER 33 Configuring SNMP
This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.
Chapter 33 Configuring SNMP Understanding SNMP
These sections contain this conceptual information:
• SNMP Versions, page 33-2
• SNMP Manager Functions, page 33-3
• SNMP Agent Functions, page 33-4
• SNMP Community Strings, page 33-4
• Using SNMP to Access MIB Variables, page 33-4
• SNMP Notifications, page 33-5
• SNMP ifIndex MIB Object Values, page 33-5
SNMP Versions
This software release supports these SNMP versions:
• SNMPv1—The Simple Network Management Protocol, a Full Internet Standar
Table 33-1 identifies the characteristics of the different combinations of security models and levels.
Table 33-1 SNMP Security Models and Levels
Model | Level | Authentication | Encryption | Result
SNMPv1 | noAuthNoPriv | Community string | No | Uses a community string match for authentication.
SNMPv2C | noAuthNoPriv | Community string | No | Uses a community string match for authentication.

SNMP Agent Functions
The SNMP agent responds to SNMP manager requests as follows:
• Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.
• Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.
SNMP Notifications
SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests. In command syntax, unless there is an option in the command to select either traps or informs, the keyword traps refers to either traps or informs, or both. Use the snmp-server host command to specify whether to send SNMP notifications as traps or informs.
Configuring SNMP
These sections contain this configuration information:
• Default SNMP Configuration, page 33-6
• SNMP Configuration Guidelines, page 33-6
• Disabling the SNMP Agent, page 33-7
• Configuring Community Strings, page 33-8
• Configuring SNMP Groups and Users, page 33-9
• Configuring SNMP Notifications, page 33-11
• Setting the Agent Contact and Location Information, page 33-16
• Limiting TFTP Servers Used Through SNMP, page 33-16
When configuring SNMP, follow these guidelines:
• When configuring an SNMP group, do not specify a notify view. The snmp-server host global configuration command autogenerates a notify view for the user and then adds it to the group associated with that user. Modifying the group's notify view affects all users associated with that group. See the Cisco IOS Configuration Fundamentals Command Reference, Release 12.
Configuring Community Strings
You use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the switch.
Step 5: show running-config
  Verify your entries.
Step 6: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
Note: To disable access for an SNMP community, set the community string for that community to the null string (do not enter a value for the community string).
To remove a specific community string, use the no snmp-server community string global configuration command.

Step 3: snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
  Configure a new SNMP group on the remote device.
  • For groupname, specify the name of the group.
  • Specify a security model:
    – v1 is the least secure of the possible security models.
    – v2c is the second least secure model. It allows transmission of informs and integers twice the normal width.

Step 4: snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]}
  Add a new user for an SNMP group.
  • The username is the name of the user on the host that connects to the agent.
  • The groupname is the name of the group to which the user is associated.

Table 33-5 Switch Notification Types (continued)
Notification Type Keyword | Description
config | Generates a trap for SNMP configuration changes.
copy-config | Generates a trap for SNMP copy configuration changes.
cpu-threshold | Allow CPU-related traps.
entity | Generates a trap for SNMP entity changes.
envmon | Generates environmental monitor traps. You can enable any or all of these environmental traps: fan, shutdown, status, supply, temperature.

Table 33-5 Switch Notification Types (continued)
Notification Type Keyword | Description
vlan-membership | Generates a trap for SNMP VLAN membership changes.
vlancreate | Generates SNMP VLAN created traps.
vlandelete | Generates SNMP VLAN deleted traps.
vtp | Generates a trap for VLAN Trunking Protocol (VTP) changes.

Step 5: snmp-server host host-addr [informs | traps] [version {1 | 2c | 3 {auth | noauth | priv}}] community-string [notification-type]
  Specify the recipient of an SNMP trap operation.
  • For host-addr, specify the name or Internet address of the host (the targeted recipient).
  • (Optional) Enter informs to send SNMP informs to the host.
Step 6: snmp-server enable traps notification-types

To remove the specified host from receiving traps, use the no snmp-server host host global configuration command. The no snmp-server host command with no keywords disables traps, but not informs, to the host. To disable informs, use the no snmp-server host informs global configuration command. To disable a specific trap type, use the no snmp-server enable traps notification-types global configuration command.

Setting the Agent Contact and Location Information
Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: snmp-server contact text
  Set the system contact string. For example: snmp-server contact Dial System Operator at beeper 21555.

Step 4: end
  Return to privileged EXEC mode.
Step 5: show running-config
  Verify your entries.
Step 6: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
SNMP Examples
This example shows how to enable all versions of SNMP. The configuration permits any SNMP manager to access all objects with read-only permissions using the community string public.
Displaying SNMP Status
To display SNMP input and output statistics, including the number of illegal community string entries, errors, and requested variables, use the show snmp privileged EXEC command. You also can use the other privileged EXEC commands in Table 33-6 to display SNMP information. For information about the fields in the displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
CHAPTER 34 Configuring Network Security with ACLs
This chapter describes how to configure network security on the switch by using access control lists (ACLs). Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note: Information in this chapter about IP ACLs is specific to IP Version 4 (IPv4). For information about IPv6 ACLs, see Chapter 35, “Configuring IPv6 ACLs.”
Chapter 34 Configuring Network Security with ACLs Understanding ACLs You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces.
• When an output router ACL and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL. Other packets are not filtered.
• When a VLAN map, input router ACL, and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL.

Figure 34-1 Using ACLs to Control Traffic to a Network (figure labels: Blade Server A, Blade Server B, Research & Development network, Human Resources network, Packet; legend: ACL denying traffic from Blade Server B and permitting traffic from Blade Server A)
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port.

As with port ACLs, the switch examines ACLs associated with features configured on a given interface. However, router ACLs are supported in both directions. As packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface are examined.

• Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information. Consider access list 102, configured with these commands, applied to three fragmented packets:
Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
Switch(config)# access-list 102 deny tcp any host 10.1.1.
Switch(config)# access-list 102
Switch(config)# access-list 102
Stack members perform these ACL functions:
• They receive the ACL information from the master switch and program their hardware.
• They act as standby switches, ready to take over the role of the stack master if the existing master were to fail and they were to be elected as the new stack master. When a stack master fails and a new stack master is elected, the newly elected master reparses the backed up running configuration.
Creating Standard and Extended IPv4 ACLs
This section describes IP ACLs. An ACL is a sequential collection of permit and deny conditions. One by one, the switch tests packets against the conditions in an access list. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of the conditions is critical.
Table 34-1 Access List Numbers (continued)
Access List Number | Type | Supported
1200–1299 | IPX summary address access list | No
1300–1999 | IP standard access list (expanded range) | Yes
2000–2699 | IP extended access list (expanded range) | Yes
In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs by using the supported numbers.

Creating a Numbered Standard ACL
Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: access-list access-list-number {deny | permit} source [source-wildcard] [log]
  Define a standard IPv4 access list by using a source address and wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
The switch always rewrites the order of standard access lists so that entries with host matches and entries with matches having a don’t care mask of 0.0.0.0 are moved to the top of the list, above any entries with non-zero don’t care masks. Therefore, in show command output and in the configuration file, the ACEs do not necessarily appear in the order in which they were entered.
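The evaluation rules stated in this chapter (first match with an implicit deny at the end, the 0.0.0.0 mask assumed when a standard ACL omits it, the host-entry reordering described above, and the fragment handling of permit versus deny ACEs from the earlier "Deny ACEs that check Layer 4 information" bullet) as an added Python model that is not from the Cisco guide; access lists 102 and 10 in it are constructed, and only the eq port Layer 4 qualifier is modelled.

```python
"""Added example (not from the Cisco guide): a model of the switch's IPv4 ACL
evaluation rules stated in this chapter.  The access lists below are
constructed; only the 'eq <port>' Layer 4 qualifier is supported."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "telnet": 23, "www": 80}   # subset of the IOS port keywords
ANY = (0, 0xFFFFFFFF)                                 # address 0 with an all-ones wildcard


@dataclass
class ACE:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" for a standard ACL, else tcp/udp/icmp
    src: int
    src_wild: int                    # wildcard: bits set to 1 are "don't care"
    dst: int = ANY[0]
    dst_wild: int = ANY[1]
    dst_port: Optional[int] = None   # set when the ACE carries "eq <port>" (Layer 4 check)


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None
    non_initial_fragment: bool = False   # True: the Layer 4 header is absent


def _take_addr(tok: List[str]) -> Tuple[int, int, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [W.X.Y.Z]'; return (addr, wildcard, rest)."""
    if tok[0] == "any":
        return ANY[0], ANY[1], tok[1:]
    if tok[0] == "host":
        return int(IPv4Address(tok[1])), 0, tok[2:]
    addr = int(IPv4Address(tok[0]))
    try:
        return addr, int(IPv4Address(tok[1])), tok[2:]
    except (IndexError, ValueError):
        return addr, 0, tok[1:]      # mask omitted: 0.0.0.0 is assumed, as the guide states


def parse_ace(line: str) -> ACE:
    """Parse one 'access-list <number> {permit|deny} ...' line (standard or extended subset)."""
    tok = line.split()
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    if number <= 99 or 1300 <= number <= 1999:      # standard ACL: source only
        src, src_wild, _ = _take_addr(rest)
        return ACE(action, "ip", src, src_wild)
    protocol, rest = rest[0], rest[1:]
    src, src_wild, rest = _take_addr(rest)
    dst, dst_wild, rest = _take_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return ACE(action, protocol, src, src_wild, dst, dst_wild, port)


def _addr_match(addr: int, ace_addr: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF           # bits the ACE actually compares
    return (addr & care) == (ace_addr & care)


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not _addr_match(int(IPv4Address(pkt.src)), ace.src, ace.src_wild):
        return False
    if not _addr_match(int(IPv4Address(pkt.dst)), ace.dst, ace.dst_wild):
        return False
    if ace.dst_port is None:            # Layer 3 only: whole packets and fragments alike
        return True
    if pkt.non_initial_fragment:        # no Layer 4 header to check:
        return ace.action == "permit"   # permit matches on Layer 3 alone, deny never matches
    return pkt.dst_port == ace.dst_port


def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """First matching ACE decides; the implicit deny at the end catches everything else."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def ios_order(acl: List[ACE]) -> List[ACE]:
    """Standard ACL as the switch stores and shows it: host entries (wildcard 0.0.0.0)
    moved above entries with non-zero wildcards, relative order otherwise kept."""
    return [a for a in acl if a.src_wild == 0] + [a for a in acl if a.src_wild != 0]


# Constructed extended ACL: mail to 10.1.1.1, no telnet to 10.1.1.5 but other TCP allowed.
ACL_102 = [parse_ace(l) for l in (
    "access-list 102 permit tcp any host 10.1.1.1 eq smtp",
    "access-list 102 deny tcp any host 10.1.1.5 eq telnet",
    "access-list 102 permit tcp any host 10.1.1.5",
    "access-list 102 deny tcp any any",
)]
# Constructed standard ACL in the order entered; ios_order() gives the stored order.
ACL_10_ENTERED = [parse_ace(l) for l in (
    "access-list 10 permit 10.2.0.0 0.0.255.255",
    "access-list 10 deny host 10.2.3.4",
    "access-list 10 permit 10.3.3.3",
)]
ACL_10_STORED = ios_order(ACL_10_ENTERED)
```

The second ACE of access list 102 shows the practical consequence of the fragment rule: a deny that relies on a port number does not catch non-initial fragments, which then fall through to the Layer 3 permit below it.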
Beginning in privileged EXEC mode, follow these steps to create an extended ACL:
Step 1: configure terminal
  Enter global configuration mode.

or
Step 2b: access-list access-list-number {deny | permit} protocol any any [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]
  In access-list configuration mode, define an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.

Step 2d/2e: access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]
  (Optional) Define an extended ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol.
After creating a numbered extended ACL, you can apply it to terminal lines (see the “Applying an IPv4 ACL to a Terminal Line” section on page 34-19), to interfaces (see the “Applying an IPv4 ACL to an Interface” section on page 34-20), or to VLANs (see the “Configuring VLAN Maps” section on page 34-30).
Beginning in privileged EXEC mode, follow these steps to create a standard ACL using names:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: ip access-list standard name
  Define a standard IPv4 access list using a name, and enter access-list configuration mode. The name can be a number from 1 to 99.
When you are creating standard or extended ACLs, remember that, by default, the end of the ACL contains an implicit deny statement that matches every packet for which no earlier entry matched. For standard ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask. After you create an ACL, any additions are placed at the end of the list.
Beginning in privileged EXEC mode, follow these steps to configure a time-range parameter for an ACL:
Step 1. Command: configure terminal
Purpose: Enter global configuration mode.
Step 2. Command: time-range time-range-name
Purpose: Assign a meaningful name (for example, workhours) to the time range to be created, and enter time-range configuration mode. The name cannot contain a space or quotation mark and must begin with a letter.
This example uses named ACLs to permit and deny the same traffic.
Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL:
Step 1. Command: configure terminal
Purpose: Enter global configuration mode.
Step 2. Command: line [console | vty] line-number
Purpose: Identify a specific line to configure, and enter in-line configuration mode.
• console—Specify the console terminal line. The console port is DCE.
Beginning in privileged EXEC mode, follow these steps to control access to an interface:
Step 1. Command: configure terminal
Purpose: Enter global configuration mode.
Step 2. Command: interface interface-id
Purpose: Identify a specific interface for configuration, and enter interface configuration mode. The interface can be a Layer 2 interface (port ACL), or a Layer 3 interface (router ACL).
Hardware and Software Treatment of IP ACLs
ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to the CPU for software processing. If the hardware reaches its capacity to store ACL configurations, packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is substantially less than for hardware-forwarded traffic.
Use one of these workarounds:
• Modify the ACL configuration to use fewer resources.
• Rename the ACL with a name or number that alphanumerically precedes the ACL names or numbers.
To determine the specialized hardware resources, enter the show platform layer4 acl map privileged EXEC command. If the switch does not have available resources, the output shows that index 0 to index 15 are not available.
Figure 34-3 Using Router ACLs to Control Traffic (figure: Blade server A and Blade server B attached through Port 1 and Port 2; Accounting 172.20.128.64-95; Human Resources 172.20.128.0-31)
This example uses a standard ACL to filter traffic coming into blade server B from a port, permitting traffic only from Accounting’s source addresses 172.20.128.64 to 172.20.128.95.
Numbered ACLs
In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the switch accepts one address on subnet 48 and rejects all others on that subnet. The last line of the list shows that the switch accepts addresses on all other network 36.0.0.
Named ACLs
This example creates a standard ACL named internet_filter and an extended ACL named marketing_group. The internet_filter ACL allows all traffic from the source address 1.2.3.4.
Switch(config)# ip access-list standard Internet_filter
Switch(config-std-nacl)# permit 1.2.3.4
Switch(config-std-nacl)# exit
The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.
Commented IP ACL Entries
In this example of a numbered ACL, the server that belongs to Jones is allowed access, and the workstation that belongs to Smith is not allowed access:
Switch(config)# access-list 1 remark Permit only Jones server through
Switch(config)# access-list 1 permit 171.69.2.88
Switch(config)# access-list 1 remark Do not allow Smith server through
Switch(config)# access-list 1 deny 171.69.3.
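To make the first-match, wildcard-mask and implicit-deny rules described above concrete, here is a small evaluator for numbered standard IPv4 ACLs. It is added as an illustration and is not code from the guide or from Cisco IOS; it parses access-list lines in the syntax shown above (remark entries included) and decides whether a source address is permitted. The sample configuration is constructed: list 2 follows the subnet-48 example with 36.48.0.3 chosen as the one permitted host, the Smith workstation address 171.69.3.13 is made up, and list 3 permits only the Accounting range 172.20.128.64 to 172.20.128.95.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    """One access control entry of a numbered standard IPv4 ACL."""
    action: str      # "permit" or "deny"
    address: int     # network or host address as a 32-bit integer
    wildcard: int    # wildcard mask: a 1 bit means "don't care"
    text: str        # the original command line, for reporting


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_standard_acls(lines: List[str]) -> Dict[int, List[Ace]]:
    """Parse 'access-list N {permit|deny|remark} ...' lines into per-number ACE lists.

    Source forms accepted, as in the guide: 'any', 'host A.B.C.D',
    'A.B.C.D' (omitted mask, so 0.0.0.0 is assumed) and 'A.B.C.D W.X.Y.Z'.
    'remark' entries are comments only and never match traffic.
    """
    acls: Dict[int, List[Ace]] = {}
    for raw in lines:
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            continue
        entries = acls.setdefault(int(tokens[1]), [])
        action = tokens[2]
        if action == "remark":
            continue
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {raw}")
        src = tokens[3:]
        if src[0] == "any":                      # any = 0.0.0.0 255.255.255.255
            address, wildcard = 0, 0xFFFFFFFF
        elif src[0] == "host":                   # host A.B.C.D = A.B.C.D 0.0.0.0
            address, wildcard = _ip(src[1]), 0
        else:
            address = _ip(src[0])
            wildcard = _ip(src[1]) if len(src) > 1 else 0   # omitted mask = host
        entries.append(Ace(action, address, wildcard, raw))
    return acls


def ace_matches(ace: Ace, source: str) -> bool:
    """Match when every bit not covered by the wildcard equals the ACE address."""
    care = ~ace.wildcard & 0xFFFFFFFF
    return ((_ip(source) ^ ace.address) & care) == 0


def evaluate(acl: List[Ace], source: str) -> Tuple[str, Optional[Ace]]:
    """First match wins; the implicit deny at the end matches everything else."""
    for ace in acl:
        if ace_matches(ace, source):
            return ace.action, ace
    return "deny", None


# Constructed sample configuration (not taken from the guide; see the lead-in).
SAMPLE_CONFIG = [
    "access-list 1 remark Permit only Jones server through",
    "access-list 1 permit 171.69.2.88",
    "access-list 1 remark Do not allow Smith server through",
    "access-list 1 deny 171.69.3.13",
    "access-list 2 permit 36.48.0.3",
    "access-list 2 deny 36.48.0.0 0.0.255.255",
    "access-list 2 permit 36.0.0.0 0.255.255.255",
    "access-list 3 permit 172.20.128.64 0.0.0.31",
]

ACLS = parse_standard_acls(SAMPLE_CONFIG)


def decide(number: int, source: str) -> str:
    """Return 'permit' or 'deny' for a source address against one sample list."""
    return evaluate(ACLS[number], source)[0]


if __name__ == "__main__":
    for number, src in [(2, "36.48.0.3"), (2, "36.48.9.1"), (2, "36.7.1.1"),
                        (3, "172.20.128.95"), (3, "172.20.128.96"), (1, "10.0.0.1")]:
        action, ace = evaluate(ACLS[number], src)
        print(f"list {number} {src}: {action} ({ace.text if ace else 'implicit deny'})")
```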
This example is a named extended access list ext1 that permits ICMP packets from any source to 10.1.1.0 0.0.0.255 and denies all UDP packets.
Switch(config)# ip access-list extended ext1
Switch(config-ext-nacl)# permit icmp any 10.1.1.0 0.0.0.
Step 3. Command: {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination MAC address mask} [type mask | lsap lsap mask | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp | 0-65535] [cos cos]
Purpose: In extended MAC acces
• A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
Beginning in privileged EXEC mode, follow these steps to apply a MAC access list to control access to a Layer 2 interface:
Step 1. Command: configure terminal
Purpose: Enter global configuration mode.
To create a VLAN map and apply it to one or more VLANs, perform these steps:
Step 1. Create the standard or extended IPv4 ACLs or named MAC extended ACLs that you want to apply to the VLAN. See the “Creating Standard and Extended IPv4 ACLs” section on page 34-8 and the “Creating a VLAN Map” section on page 34-32.
Step 2. Enter the vlan access-map global configuration command to create a VLAN ACL map entry.
• When a frame is Layer-2 forwarded within a private VLAN, the same VLAN map is applied at the ingress side and at the egress side. When a frame is routed from inside a private VLAN to an external port, the private-VLAN map is applied at the ingress side.
– For frames going upstream from a host port to a promiscuous port, the VLAN map configured on the secondary VLAN is applied.
Examples of ACLs and VLAN Maps
These examples show how to create ACLs and VLAN maps for specific purposes.
Example 1
This example shows how to create an ACL and a VLAN map to deny a packet. In the first map, any packets that match the ip1 ACL (TCP packets) would be dropped. You first create the ip1 ACL to permit any TCP packet and no other packets.
Example 3
In this example, the VLAN map has a default action of drop for MAC packets and a default action of forward for IP packets. Used with MAC extended access lists good-hosts and good-protocols, the map will have the following results:
• Forward MAC packets from hosts 0000.0c00.0111 and 0000.0c00.
Applying a VLAN Map to a VLAN
Beginning in privileged EXEC mode, follow these steps to apply a VLAN map to one or more VLANs:
Step 1. Command: configure terminal
Purpose: Enter global configuration mode.
Step 2. Command: vlan filter mapname vlan-list list
Purpose: Apply the VLAN map to one or more VLAN IDs. The list can be a single VLAN ID (22), a consecutive list (10-22), or a string of VLAN IDs (12, 22, 30).
This example shows how to deny access to a server on another VLAN by creating the VLAN map SERVER1 that denies access to hosts in subnet 10.1.2.0.8, host 10.1.1.4, and host 10.1.1.8 and permits other IP traffic. The final step is to apply the map SERVER1 to VLAN 10.
Step 1. Define the IP ACL that will match the correct packets.
Switch(config)# ip access-list extended SERVER1_ACL
Switch(config-ext-nacl)# permit ip 10.1.2.
The switch hardware provides one lookup for security ACLs for each direction (input and output); therefore, you must merge a router ACL and a VLAN map when they are configured on the same VLAN. Merging the router ACL with the VLAN map might significantly increase the number of ACEs.
Figure 34-5 Applying ACLs on Switched Packets (figure: VLAN 10 map, input router ACL, routing function or fallback bridge, output router ACL, VLAN 20 map; Blade server A (VLAN 10) and Blade server B (VLAN 10))
ACLs and Bridged Packets
Figure 34-6 shows how an ACL is applied on fallback-bridged packets. For bridged packets, only Layer 2 ACLs are applied to the input VLAN.
ACLs and Routed Packets
Figure 34-7 shows how ACLs are applied on routed packets. For routed packets, the ACLs are applied in this order:
1. VLAN map for input VLAN
2. Input router ACL
3. Output router ACL
4.
Figure 34-8 Applying ACLs on Multicast Packets (figure: VLAN 10 map, input router ACL, routing function, output router ACL, VLAN 20 map; Blade server A (VLAN 10), Blade server B (VLAN 20), Blade server C (VLAN 10))
Displaying IPv4 ACL Configuration
You can display the ACLs that are configured on the switch, and you can display the ACLs that have been applied to interfaces and VLANs.
You can also display information about VLAN access maps or VLAN filters. Use the privileged EXEC commands in Table 34-3 to display VLAN map information.
Table 34-3 Commands for Displaying VLAN Map Information
Command: show vlan access-map [mapname]
Purpose: Show information about all VLAN access maps or the specified access map.
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide 34-42 OL-13270-03
Chapter 35 Configuring IPv6 ACLs
You can filter IP Version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces as you would create and apply IP Version 4 (IPv4) named ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic when the switch is running the IP services or IP base feature set. This chapter includes information about configuring IPv6 ACLs on the switch.
A switch running the IP services or IP base feature set supports only input router IPv6 ACLs. It does not support port ACLs or output IPv6 router ACLs.
Note If you configure unsupported IPv6 ACLs, an error message appears, and the configuration does not take effect.
The switch supports most Cisco IOS-supported IPv6 ACLs with these exceptions:
• The switch does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.
• The switch does not support reflexive ACLs (the reflect keyword).
• This release supports only port ACLs and router ACLs for IPv6; it does not support VLAN ACLs (VLAN maps).
• The switch does not apply MAC-based ACLs on IPv6 frames.
Step 3. Apply the IPv6 ACL to an interface. For router ACLs, you must also configure an IPv6 address on the Layer 3 interface to which the ACL is applied.
Step 3a. Command: {deny | permit} protocol {source-ipv6-prefix/prefix-length |
Purpose: Enter deny or permit to specify whether to deny or permit the packet if conditions are matched.
Step 3b. Command: {deny | permit} tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]]
Purpose: (Optional) Define a TCP access list and the access conditions. Enter tcp for Transmission Control Protocol. The parameters are the same as those described in Step 3a, with these additional optional parameters:
• ack—Acknowledgment bit set.
Use the no {deny | permit} IPv6 access-list configuration commands with keywords to remove the deny or permit conditions from the specified access list. This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000.
This example shows how to apply the access list Cisco to outbound traffic on a Layer 3 interface:
Switch(config)# interface gigabitethernet 1/0/3
Switch(config-if)# no switchport
Switch(config-if)# ipv6 address 2001::/64 eui-64
Switch(config-if)# ipv6 traffic-filter CISCO out
Displaying IPv6 ACLs
You can display information about all configured access lists, all IPv6 access lists, or a specific access list by using either or both of the privileged EX
Chapter 36 Configuring QoS
This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Understanding QoS
Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
Figure 36-1 QoS Classification Layers in Frames and Packets (figure: Encapsulated Packet: Layer 2 header, IP header, Data; Layer 2 ISL Frame: ISL header (26 bytes), Encapsulated frame 1... (24.5 KB), FCS (4 bytes), 3 bits used for CoS; Layer 2 802.1Q and 802.
Figure 36-2 shows the basic QoS model. Actions at the ingress port include classifying traffic, policing, marking, queueing, and scheduling:
• Classifying—generating a distinct path for a packet by associating it with a QoS label. The switch maps the CoS or DSCP in the packet to a QoS label to distinguish one kind of traffic from another. The QoS label that is generated identifies all future QoS actions to be performed on this packet.
Classification
Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally disabled, so no classification occurs. During classification, the switch performs a lookup and assigns a QoS label to the packet.
After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages.
Figure 36-3 Classification Flowchart (flowchart: start; read ingress interface configuration for classification; trust CoS (IP and non-IP traffic); trust DSCP (IP traffic); trust DSCP or IP precedence (non-IP traffic); trust IP precedence (IP traffic); assign DSCP identical to DSCP in packet)
Classification Based on QoS ACLs
You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs:
• If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.
The policy map can contain the police and police aggregate policy-map class configuration commands, which define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded. To enable the policy map, you attach it to a port by using the service-policy interface configuration command. You can apply a nonhierarchical policy map to a physical port or an SVI.
Policing on Physical Ports
In policy maps on physical ports, you can create these types of policers:
• Individual—QoS applies the bandwidth limits specified in the policer separately to each matched traffic class. You configure this type of policer within a policy map by using the police policy-map class configuration command.
• Aggregate—QoS applies the bandwidth limits specified in an aggregate policer cumulatively to all matched traffic flows.
Figure 36-4 Policing and Marking Flowchart on Physical Ports (flowchart: get the classification result for the packet; if no policer is configured for this packet, done; otherwise check whether the packet is in profile by querying the policer; in profile: pass through; out of profile: check the out-of-profile action configured for this policer, either drop the packet, or mark it by modifying the DSCP according to the policed-DSCP map and generating a new QoS label)
When configuring policing on an SVI, you can create and configure a hierarchical policy map with these two levels:
• VLAN level—Create this primary level by configuring class maps and classes that specify the port trust state or set a new DSCP or IP precedence value in the packet. The VLAN-level policy map applies only to the VLAN in an SVI and does not support policers.
Mapping Tables
During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS label based on the DSCP or CoS value from the classification stage:
• During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or CoS value from a received CoS, DSCP, or IP precedence value. These maps include the CoS-to-DSCP map and the IP-precedence-to-DSCP map.
Queueing and Scheduling Overview
The switch has queues at specific points to help prevent congestion as shown in Figure 36-6.
Figure 36-7 WTD and Queue Operation (figure: a queue of 1000 buffers with thresholds at 100% (1000) for CoS 6-7, 60% (600) for CoS 4-5, and 40% (400) for CoS 0-3)
For more information, see the “Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds” section on page 36-67, the “Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set” section on page 36-71, and the “Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID” section on page 36-73.
Queueing and Scheduling on Ingress Queues
Figure 36-8 shows the queueing and scheduling flowchart for ingress ports.
Figure 36-8 Queueing and Scheduling Flowchart for Ingress Ports (flowchart: start; read QoS label (DSCP or CoS value); determine ingress queue number, buffer allocation, and WTD thresholds; if the thresholds are being exceeded, drop the packet, otherwise queue the packet; service the queue according to the SRR weights; send the packet to the stack ring)
You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
Queueing and Scheduling on Egress Queues
Figure 36-9 shows the queueing and scheduling flowchart for egress ports.
Note If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues.
Figure 36-9 Queueing and Scheduling Flowchart for Egress Ports (flowchart: start; receive packet from the stack ring; read QoS label (DSCP or CoS value); determine egress queue number and threshold based on the label)
Figure 36-10 shows the egress queue buffer. The buffer space is divided between the common pool and the reserved pool. The switch uses a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue, to prevent any queue or port from consuming all the buffers and depriving other queues, and to control whether to grant buffer space to a requesting queue.
WTD Thresholds
You can assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an egress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue output dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue output cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
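The following simulation of the WTD scheme in Figure 36-7 is added here as an illustration and is not code from the guide: one queue of 1000 buffers with thresholds at 40, 60 and 100 percent, CoS 0-3 mapped to threshold 1, CoS 4-5 to threshold 2 and CoS 6-7 to threshold 3 (the queue-full limit). The arrival burst is constructed, and the exact drop condition (drop once the queue already holds as many buffers as the class's threshold allows) is an assumption made for the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


QUEUE_SIZE = 1000                          # buffers in the queue of Figure 36-7
THRESHOLDS = {1: 40, 2: 60, 3: 100}        # threshold ID -> percent of the queue
# CoS-to-threshold mapping read from the figure: CoS 0-3 -> 40 percent,
# CoS 4-5 -> 60 percent, CoS 6-7 -> 100 percent (the queue-full limit).
COS_TO_THRESHOLD = {0: 1, 1: 1, 2: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}


@dataclass
class WtdQueue:
    """One queue with three weighted tail-drop (WTD) thresholds."""
    size: int = QUEUE_SIZE
    thresholds: Dict[int, int] = field(default_factory=lambda: dict(THRESHOLDS))
    occupancy: int = 0
    accepted: Dict[int, int] = field(default_factory=dict)   # per threshold ID
    dropped: Dict[int, int] = field(default_factory=dict)    # per threshold ID

    def limit(self, threshold_id: int) -> int:
        """Buffer count at which packets of this threshold start being dropped."""
        return self.size * self.thresholds[threshold_id] // 100

    def offer(self, cos: int) -> bool:
        """Enqueue one packet of the given CoS, or tail-drop it (assumed rule:
        a class is dropped once the queue holds its threshold's share)."""
        tid = COS_TO_THRESHOLD[cos]
        if self.occupancy >= self.limit(tid):
            self.dropped[tid] = self.dropped.get(tid, 0) + 1
            return False
        self.occupancy += 1
        self.accepted[tid] = self.accepted.get(tid, 0) + 1
        return True

    def drain(self, count: int) -> None:
        """Model the scheduler (SRR) servicing the queue: free up to count buffers."""
        self.occupancy = max(0, self.occupancy - count)


def simulate(arrivals: List[int], queue: Optional[WtdQueue] = None) -> WtdQueue:
    """Feed a burst of packets (a list of CoS values) into the queue."""
    queue = queue or WtdQueue()
    for cos in arrivals:
        queue.offer(cos)
    return queue


if __name__ == "__main__":
    # Constructed burst: 500 best-effort frames, then 300 CoS 5, then 500 CoS 7.
    # Low-priority traffic can only ever fill 40 percent of the queue, so the
    # later, higher-CoS packets still find room.
    q = simulate([0] * 500 + [5] * 300 + [7] * 500)
    print("occupancy", q.occupancy, "accepted", q.accepted, "dropped", q.dropped)
```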
• During policing, IP and non-IP packets can have another DSCP assigned to them (if they are out of profile and the policer specifies a markdown DSCP). Once again, the DSCP in the packet is not modified, but an indication of the marked-down value is carried along. For IP packets, the packet modification occurs at a later stage; for non-IP packets the DSCP is converted to CoS and used for queueing and scheduling decisions.
Generated Auto-QoS Configuration
By default, auto-QoS is disabled on all ports. When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues as shown in Table 36-2.
If the packet does not have a DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. The switch configures ingress and egress queues on the port according to the settings in Table 36-3 and Table 36-4.
Table 36-5 Generated Auto-QoS Configuration (continued)
Description: The switch automatically maps DSCP values to an ingress queue and to a threshold ID.
Table 36-5 Generated Auto-QoS Configuration (continued)
Description: The switch automatically configures the egress queue buffer sizes. It configures the bandwidth and the SRR mode (shaped or shared) on the egress queues mapped to the port.
Effects of Auto-QoS on the Configuration
When auto-QoS is enabled, the auto qos voip interface configuration command and the generated configuration are added to the running configuration. The switch applies the auto-QoS-generated commands as if the commands were entered from the CLI. An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands. These actions occur without warning.
Enabling Auto-QoS for VoIP
Beginning in privileged EXEC mode, follow these steps to enable auto-QoS for VoIP within a QoS domain:
Step 1. Command: configure terminal
Purpose: Enter global configuration mode.
Auto-QoS Configuration Example
This section describes how you could implement auto-QoS in a network, as shown in Figure 36-11. For optimum QoS performance, enable auto-QoS on all the devices in the network.
Figure 36-11 Auto-QoS Configuration Example Network (figure: Cisco router to Internet, trunk links, video server 172.20.10.
Note You should not configure any standard QoS commands before entering the auto-QoS commands. You can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed.
Beginning in privileged EXEC mode, follow these steps to configure the switch at the edge of the QoS domain to prioritize the VoIP traffic over all other traffic:
Step 1. Command: debug auto qos
Purpose: Enable debugging for auto-QoS.
Displaying Auto-QoS Information
To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
Default Standard QoS Configuration
QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
Default Egress Queue Configuration
Table 36-9 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited.
Default Mapping Table Configuration
The default CoS-to-DSCP map is shown in Table 36-12 on page 36-60. The default IP-precedence-to-DSCP map is shown in Table 36-13 on page 36-61. The default DSCP-to-CoS map is shown in Table 36-14 on page 36-63. The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value.
• Follow these guidelines when configuring policy maps on physical ports or SVIs:
– You cannot apply the same policy map to a physical port and to an SVI.
– If VLAN-based QoS is configured on a physical port, the switch removes all the port-based policy maps on the port. The traffic on this physical port is now affected by the policy map attached to the SVI to which the physical port belongs.
• A switch that is running the IP services feature set supports QoS DSCP and IP precedence matching in policy-based routing (PBR) route maps with these limitations:
– You cannot apply QoS DSCP mutation maps and PBR route maps to the same interface.
– You cannot configure DSCP transparency and PBR DSCP route maps on the same switch.
Enabling QoS Globally
By default, QoS is disabled on the switch.
Use the no mls qos vlan-based interface configuration command to disable VLAN-based QoS on the physical port.
Configuring Classification Using Port Trust States
These sections describe how to classify incoming traffic by using port trust states.
Figure 36-12 Port Trusted States within the QoS Domain (figure: trusted interface and trunk, traffic classification performed here, ports P1 and P3, trusted boundary)
Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives:
Step 1. Command: configure terminal
Purpose: Enter global configuration mode.
Step 3. Command: mls qos trust [cos | dscp | ip-precedence]
Purpose: Configure the port trust state. By default, the port is not trusted. If no keyword is specified, the default is dscp. The keywords have these meanings:
• cos—Classifies an ingress packet by using the packet CoS value. For an untagged packet, the port default CoS value is used. The default port CoS value is 0.
• dscp—Classifies an ingress packet by using the packet DSCP value.
Step 3. Command: mls qos cos {default-cos | override}
Purpose: Configure the default CoS value for the port.
• For default-cos, specify a default CoS value to be assigned to a port. If the packet is untagged, the default CoS value becomes the packet CoS value. The CoS range is 0 to 7. The default is 0.
With the trusted setting, you also can use the trusted boundary feature to prevent misuse of a high-priority queue if a user bypasses the telephone and connects the PC directly to the switch. Without trusted boundary, the CoS labels generated by the PC are trusted by the switch (because of the trusted CoS setting).
If DSCP transparency is enabled by using the no mls qos rewrite ip dscp command, the switch does not modify the DSCP field in the incoming packet, and the DSCP field in the outgoing packet is the same as that in the incoming packet.
Note Enabling DSCP transparency does not affect the port trust settings on IEEE 802.1Q tunneling ports.
Figure 36-13 DSCP-Trusted State on a Port Bordering Another QoS Domain (figure: IP traffic between QoS Domain 1 and QoS Domain 2; set the interface to the DSCP-trusted state and configure the DSCP-to-DSCP-mutation map)
Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map.
To return a port to its non-trusted state, use the no mls qos trust interface configuration command. To return to the default DSCP-to-DSCP-mutation map values, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command.
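To show how the port trust state, the port default CoS, the trusted boundary and the DSCP-to-DSCP-mutation map combine into the internal QoS label, here is a small model of the classification stage. It is added as an illustration and is not the switch's code; it uses the default mapping tables (CoS and IP precedence map to eight times their value, DSCP maps to CoS by its three high-order bits), while the mutation map entries and the packets are constructed. Untrusted ports are modelled as classifying to DSCP 0, the best-effort behaviour described above.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Default mapping tables (Tables 36-12 to 36-14): CoS c -> DSCP 8c,
# IP precedence p -> DSCP 8p, and DSCP d -> CoS given by d's three high bits.
COS_TO_DSCP = {c: c * 8 for c in range(8)}
PREC_TO_DSCP = {p: p * 8 for p in range(8)}
DSCP_TO_COS = {d: d >> 3 for d in range(64)}


@dataclass
class Packet:
    is_ip: bool
    dscp: int = 0               # DSCP field, meaningful for IP packets only
    cos: Optional[int] = None   # 802.1Q/ISL CoS, None when the frame is untagged


@dataclass
class PortQos:
    trust: Optional[str] = None          # None (untrusted), "cos", "dscp", "ip-precedence"
    default_cos: int = 0                 # mls qos cos default-cos (0 to 7)
    cos_override: bool = False           # mls qos cos override
    mutation: Optional[Dict[int, int]] = None   # DSCP-to-DSCP-mutation map; None = null map
    trusted_boundary: bool = False       # trusted boundary feature enabled on the port
    phone_present: bool = True           # whether the IP phone was detected on the port


def classify(port: PortQos, pkt: Packet) -> Tuple[int, int]:
    """Return the internal (DSCP, CoS) QoS label produced by classification."""
    trust = port.trust
    # Trusted boundary: with no phone detected, the port behaves as untrusted,
    # so CoS values set by a directly attached PC are not honoured.
    if port.trusted_boundary and not port.phone_present:
        trust = None
    # Untagged frames take the port default CoS; cos override forces it on all frames.
    frame_cos = port.default_cos if (pkt.cos is None or port.cos_override) else pkt.cos

    if trust is None:
        dscp = 0                                    # untrusted: best effort
    elif trust == "cos" or not pkt.is_ip:
        # Non-IP traffic carries no DSCP, so it is classified by CoS whatever
        # trust keyword is configured (the flowchart's "non-IP traffic" branch).
        dscp = COS_TO_DSCP[frame_cos]
    elif trust == "dscp":
        dscp = pkt.dscp
        if port.mutation:                           # only DSCP-trusted ports mutate
            dscp = port.mutation.get(dscp, dscp)    # null map: same value
    elif trust == "ip-precedence":
        dscp = PREC_TO_DSCP[pkt.dscp >> 3]          # precedence = high 3 bits of DSCP
    else:
        raise ValueError(f"unknown trust state {trust!r}")
    return dscp, DSCP_TO_COS[dscp]


if __name__ == "__main__":
    # Constructed boundary port: trust DSCP and rewrite 46 (voice) to 40.
    boundary = PortQos(trust="dscp", mutation={46: 40})
    print(classify(boundary, Packet(is_ip=True, dscp=46, cos=5)))
    print(classify(PortQos(trust="cos", trusted_boundary=True, phone_present=False),
                   Packet(is_ip=True, dscp=46, cos=5)))
```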
Classifying Traffic by Using ACLs
You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs. Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic:
Step 1. Command: configure terminal
Purpose: Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic:
Step 1. Command: configure terminal
Purpose: Enter global configuration mode.
Step 2. Command: access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
Purpose: Create an IP extended ACL, repeating the command as many times as necessary.
• For access-list-number, enter the access list number.
Chapter 36 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac access-list extended name Create a Layer 2 MAC ACL by specifying the name of the list. After entering this command, the mode changes to extended MAC ACL configuration.
Classifying Traffic by Using Class Maps

You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further classify it. Match statements can include criteria such as an ACL, IP precedence values, or DSCP values.

Step 3  class-map [match-all | match-any] class-map-name
        Create a class map, and enter class-map configuration mode. By default, no class maps are defined.
        • (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map. All match criteria in the class map must be matched.
        • (Optional) Use the match-any keyword to perform a logical-OR of all matching statements under this class map.

This example shows how to create a class map called class2, which matches incoming traffic with DSCP values of 10, 11, and 12.

Beginning in privileged EXEC mode, follow these steps to create a nonhierarchical policy map:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  class-map [match-all | match-any] class-map-name
        Create a class map, and enter class-map configuration mode. By default, no class maps are defined.
        • (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map.

Step 5  trust [cos | dscp | ip-precedence]
        Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label.
        Note: This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, go to Step 6.
        By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.

Step 8  exit
        Return to policy map configuration mode.
Step 9  exit
        Return to global configuration mode.
Step 10 interface interface-id
        Specify the port to attach to the policy map, and enter interface configuration mode. Valid interfaces include physical ports.
Step 11 service-policy input policy-map-name
        Specify the policy-map name, and apply it to an ingress port. Only one policy map per ingress port is supported.

Switch(config-ext-mac)# exit
Switch(config)# class-map macclass1
Switch(config-cmap)# match access-group maclist1
Switch(config-cmap)# exit
Switch(config)# policy-map macpolicy1
Switch(config-pmap)# class macclass1
Switch(config-pmap-c)# set dscp 63
Switch(config-pmap-c)# exit
Switch(config-pmap)# class macclass2 maclist2
Switch(config-pmap-c)# set dscp 45
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet1/0
• When configuring a hierarchical policy map on trunk ports, the VLAN ranges must not overlap. If the ranges overlap, the actions specified in the policy map affect the incoming and outgoing traffic on the overlapped VLANs.
• Aggregate policers are not supported in hierarchical policy maps.
• When VLAN-based QoS is enabled, the switch supports VLAN-based features, such as the VLAN map.

Step 3  match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list}
        Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported.
        • For access-group acl-index-or-name, specify the number or name of the ACL.

Step 10 policy-map policy-map-name
        Create an interface-level policy map by entering the policy-map name, and enter policy-map configuration mode. By default, no policy maps are defined, and no policing is performed.
Step 11 class-map class-map-name
        Define an interface-level traffic classification, and enter policy-map configuration mode. By default, no policy-map class-maps are defined.

Step 17 trust [cos | dscp | ip-precedence]
        Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label.
        Note: This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, omit Step 18.
        By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.

Step 23 service-policy input policy-map-name
        Specify the VLAN-level policy-map name, and apply it to the SVI. Repeat the previous step and this command to apply the policy map to other SVIs. If the hierarchical VLAN-level policy map has more than one interface-level policy map, all class maps must be configured to the same VLAN-level policy map specified in the service-policy policy-map-name command.

Switch(config-pmap-c)# exit
Switch(config-pmap)# class-map cm-2
Switch(config-pmap-c)# match ip dscp 2
Switch(config-pmap-c)# service-policy port-plcmap-1
Switch(config-pmap)# exit
Switch(config-pmap)# class-map cm-3
Switch(config-pmap-c)# match ip dscp 3
Switch(config-pmap-c)# service-policy port-plcmap-2
Switch(config-pmap)# exit
Switch(config-pmap)# class-map cm-4
Switch(config-pmap-c)# trust dscp
Switch(config-pmap)# exit
Switch(config)# interface v

Step 4  policy-map policy-map-name
        Create a policy map by entering the policy map name, and enter policy-map configuration mode. For more information, see the “Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps” section on page 36-48.
Step 5  class class-map-name
        Define a traffic classification, and enter policy-map class configuration mode.

Switch(config-pmap-c)# trust dscp
Switch(config-pmap-c)# police aggregate transmit1
Switch(config-pmap-c)# exit
Switch(config-pmap)# class ipclass2
Switch(config-pmap-c)# set dscp 56
Switch(config-pmap-c)# police aggregate transmit1
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# service-policy input aggflow1
Switch(config-if)# exit

Configuring DSCP Maps

These sections contain this
Beginning in privileged EXEC mode, follow these steps to modify the CoS-to-DSCP map. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos map cos-dscp dscp1...dscp8
        Modify the CoS-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to CoS values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63.
Step 3  end
        Return to privileged EXEC mode.

Beginning in privileged EXEC mode, follow these steps to modify the IP-precedence-to-DSCP map. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos map ip-prec-dscp dscp1...dscp8
        Modify the IP-precedence-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to the IP precedence values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63.

To return to the default map, use the no mls qos policed-dscp global configuration command.

Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-CoS map. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos map dscp-cos dscp-list to cos
        Modify the DSCP-to-CoS map.
        • For dscp-list, enter up to eight DSCP values separated by spaces. Then enter the to keyword.
        • For cos, enter the CoS value to which the DSCP values correspond.

Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-DSCP-mutation map. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp
        Modify the DSCP-to-DSCP-mutation map.
        • For dscp-mutation-name, enter the mutation map name. You can create more than one map by specifying a new name.

Note: In the above DSCP-to-DSCP-mutation map, the mutated values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the original DSCP. The intersection of the d1 and d2 values provides the mutated value. For example, a DSCP value of 12 corresponds to a mutated value of 10.
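The map tables in the preceding procedures (CoS-to-DSCP, DSCP-to-CoS and the named DSCP-to-DSCP-mutation map, including the d1/d2 matrix the note describes) can be modelled offline so that a planned map is checked before it is configured. The following is an added example written for this guide, not Cisco code: the eight-value CoS-to-DSCP default (0, 8, 16, 24, 32, 40, 48, 56) and the DSCP-to-CoS rule (CoS is the three high-order bits of the DSCP) are the platform defaults as assumed here, and the mutation entries in sample_mutation() are constructed to reproduce the 12-to-10 case from the text.

```python
"""Model of the standard-QoS DSCP map tables. Added illustration, not Cisco
code; defaults are assumed platform defaults, sample entries are constructed."""
from typing import Dict, List, Optional

DSCP_MAX = 63
# Assumed platform default for 'mls qos map cos-dscp': CoS 0..7 -> DSCP 0,8,..,56.
DEFAULT_COS_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]


def cos_dscp_map(values: List[int]) -> Dict[int, int]:
    """Build a CoS-to-DSCP map from the eight values given to
    'mls qos map cos-dscp dscp1...dscp8' (one DSCP per CoS 0-7)."""
    if len(values) != 8:
        raise ValueError("cos-dscp map needs exactly eight DSCP values")
    for v in values:
        if not 0 <= v <= DSCP_MAX:
            raise ValueError(f"DSCP {v} outside 0-63")
    return dict(enumerate(values))


def default_dscp_cos(dscp: int) -> int:
    """Default DSCP-to-CoS map: the CoS is the three high-order DSCP bits."""
    if not 0 <= dscp <= DSCP_MAX:
        raise ValueError(f"DSCP {dscp} outside 0-63")
    return dscp >> 3


class DscpMutationMap:
    """A named DSCP-to-DSCP-mutation map. Any DSCP not given an explicit
    entry mutates to itself, which is the default (identity) map."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.table: Dict[int, int] = {d: d for d in range(DSCP_MAX + 1)}

    def add(self, in_dscps: List[int], out_dscp: int) -> None:
        """One 'mls qos map dscp-mutation <name> in-dscp... to out-dscp'
        statement: up to eight in-DSCP values map to a single out-DSCP."""
        if not 1 <= len(in_dscps) <= 8:
            raise ValueError("one to eight in-DSCP values per statement")
        for d in in_dscps + [out_dscp]:
            if not 0 <= d <= DSCP_MAX:
                raise ValueError(f"DSCP {d} outside 0-63")
        for d in in_dscps:
            self.table[d] = out_dscp

    def lookup(self, dscp: int) -> int:
        """Mutated value written into the packet on a DSCP-trusted port."""
        return self.table[dscp]

    def matrix(self) -> List[List[Optional[int]]]:
        """The d1/d2 matrix from the note: row index d1 is the tens digit of
        the original DSCP (0-6), column index d2 the ones digit (0-9), and the
        cell is the mutated value. Cells past DSCP 63 hold None."""
        rows = []
        for d1 in range(7):
            row = []
            for d2 in range(10):
                d = d1 * 10 + d2
                row.append(self.table[d] if d <= DSCP_MAX else None)
            rows.append(row)
        return rows

    def changed_entries(self) -> Dict[int, int]:
        """Entries that differ from the identity map (what an audit prints)."""
        return {d: o for d, o in self.table.items() if d != o}


def sample_mutation() -> DscpMutationMap:
    """Constructed map: DSCPs 10-13 collapse to 10 (the text's 12 -> 10 case)
    and DSCP 46 is rewritten to 40 when entering the neighbouring domain."""
    m = DscpMutationMap("mutation1")
    m.add([10, 11, 12, 13], 10)
    m.add([46], 40)
    return m
```

Reading the matrix as the note describes it, matrix()[1][2] is the cell for d1 = 1, d2 = 2, that is original DSCP 12, and holds 10 for the sample map; changed_entries() lists only the rewritten DSCPs, which is the view a reviewer wants when checking that a border map does not promote traffic into a higher class than intended.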
Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds

You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped. Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and to set WTD thresholds. This procedure is optional.

This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent.

Beginning in privileged EXEC mode, follow these steps to allocate bandwidth between the ingress queues. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos srr-queue input bandwidth weight1 weight2
        Assign shared round robin weights to the ingress queues. The default setting for weight1 and weight2 is 4 (1/2 of the bandwidth is equally shared between the two queues).

Beginning in privileged EXEC mode, follow these steps to configure the priority queue. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos srr-queue input priority-queue queue-id bandwidth weight
        Assign a queue as the priority queue and guarantee bandwidth on the stack or internal ring if the ring is congested.

These sections contain this configuration information:
• Configuration Guidelines, page 36-71
• Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, page 36-71 (optional)
• Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, page 36-73 (optional)
• Configuring SRR Shaped Weights on Egress Queues, page 36-75 (optional)
• Configuring SRR Shared Weights on Egress Queues, page 36-76 (optional)
• Configuri

Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and the drop thresholds for a queue-set. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos queue-set output qset-id buffers allocation1 ... allocation4
        Allocate buffers to a queue-set. By default, all allocation values are equally mapped among the four queues (25, 25, 25, 25).

Step 7  show mls qos interface [interface-id] buffers
        Verify your entries.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command. To return to the default WTD threshold percentages, use the no mls qos queue-set output qset-id threshold [queue-id] global configuration command.

Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an egress queue and to a threshold ID. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos srr-queue output dscp-map queue queue-id threshold threshold-id dscp1...dscp8
        Map DSCP or CoS values to an egress queue and to a threshold ID.

Configuring SRR Shaped Weights on Egress Queues

You can specify how much of the available bandwidth is allocated to each queue. The ratio of the weights is the ratio of the frequency with which the SRR scheduler sends packets from each queue. You can configure the egress queues for shaped or shared weights, or both. Use shaping to smooth bursty traffic or to provide a smoother output over time.

Configuring SRR Shared Weights on Egress Queues

In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue empties and does not require a share of the link, the remaining queues can expand into the unused bandwidth and share it among them.
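The shared-mode behaviour just described (each queue guaranteed its weight's share of the link, an idle queue's share redistributed to the busy queues) applies equally to the two ingress queues weighted by mls qos srr-queue input bandwidth and to the four egress queues. The following added example, written for this guide and not Cisco code, computes the resulting shares; the exact round-robin sequence of the hardware scheduler is not modelled, only the bandwidth split. The expedite option assumes the documented platform behaviour that, once priority-queue out is enabled, queue 1 is served ahead of SRR and its weight no longer takes part in the sharing.

```python
"""SRR shared-weight bandwidth shares. Added illustration, not Cisco code."""
from typing import List, Optional


def shared_shares(weights: List[int], active: Optional[List[bool]] = None,
                  expedite: bool = False) -> List[float]:
    """Fraction of link bandwidth each queue receives in SRR shared mode.

    weights:  per-queue weights, e.g. the two values of
              'mls qos srr-queue input bandwidth weight1 weight2' or the
              four egress shared weights.
    active:   which queues currently hold traffic. Shares are guaranteed but
              not capped, so an idle queue's share flows to the busy queues
              in proportion to their weights (the text's 'expand into the
              unused bandwidth').
    expedite: egress expedite queue enabled (assumption: queue 1 is then
              served first and drops out of the SRR weight calculation).
    """
    if not weights or any(w <= 0 for w in weights):
        raise ValueError("SRR shared weights must be positive integers")
    if active is None:
        active = [True] * len(weights)
    if len(active) != len(weights):
        raise ValueError("one active flag per queue")
    # A queue participates in sharing only if it is busy and not the expedite queue.
    participates = [a and not (expedite and i == 0) for i, a in enumerate(active)]
    total = sum(w for w, p in zip(weights, participates) if p)
    if total == 0:
        return [0.0] * len(weights)
    return [w / total if p else 0.0 for w, p in zip(weights, participates)]


def guaranteed_kbps(link_kbps: int, weights: List[int]) -> List[float]:
    """Minimum bandwidth guaranteed to each queue when every queue is busy."""
    return [link_kbps * s for s in shared_shares(weights)]


def starved_queues(weights: List[int], link_kbps: int, need_kbps: List[int]) -> List[int]:
    """1-based numbers of queues whose guaranteed share is below the
    bandwidth they need when all queues are busy; a planning check for a
    weight list before it is configured."""
    guaranteed = guaranteed_kbps(link_kbps, weights)
    return [q + 1 for q, (g, n) in enumerate(zip(guaranteed, need_kbps)) if g < n]
```

With the ingress default of 4 and 4 the two queues receive half the bandwidth each, as the procedure states; with egress weights 25 25 25 25 and queue 3 idle, the remaining three queues each receive one third of the link.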
Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos
        Enable QoS on a switch.
Step 3  interface interface-id
        Specify the egress port, and enter interface configuration mode.
Step 4  priority-queue out
        Enable the egress expedite queue, which is disabled by default.

Step 5  show mls qos interface [interface-id] queueing
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default setting, use the no srr-queue bandwidth limit interface configuration command.

Displaying Standard QoS Information

Table 36-15 Commands for Displaying Standard QoS Information (continued)

Command: show policy-map [policy-map-name [class class-map-name]]
Purpose: Display QoS policy maps, which define classification criteria for incoming traffic.
Note: Do not use the show policy-map interface privileged EXEC command to display classification information for incoming traffic.

Command: show running-config | include rewrite
Chapter 37 Configuring EtherChannels and Link-State Tracking

This chapter describes how to configure EtherChannels on Layer 2 and Layer 3 ports on the switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.

Understanding EtherChannels

EtherChannel Overview

An EtherChannel consists of individual Gigabit Ethernet links bundled into a single logical link as shown in Figure 37-1.

Figure 37-2 Single-Switch EtherChannel (blade switch stack of Switch 1, Switch 2, and Switch 3 joined by StackWise Plus port connections; channel group 1 and channel group 2 connect to Switch A)

Figure 37-3 Cross-Stack EtherChannel (blade switch stack of Switch 1, Switch 2, and Switch 3 joined by StackWise Plus port connections; channel group 1 connects to Switch A)

Port-Channel Interfaces

When you create an EtherChannel, a port-channel logical interface is involved:
• With Layer 2 ports, use the channel-group interface configuration command to dynamically create the port-channel logical interface.

Port Aggregation Protocol

The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports. You can use PAgP only in single-switch EtherChannel configurations; PAgP cannot be enabled on cross-stack EtherChannels.

Use the silent mode when the switch is connected to a device that is not PAgP-capable and seldom, if ever, sends packets. An example of a silent partner is a file server or a packet analyzer that is not generating traffic. In this case, running PAgP on a physical port connected to a silent partner prevents that switch port from ever becoming operational.

LACP Modes

Table 37-2 shows the user-configurable EtherChannel LACP modes for the channel-group interface configuration command.

Table 37-2 EtherChannel LACP Modes
Mode    Description
active  Places a port into an active negotiating state in which the port starts negotiations with other ports by sending LACP packets.

Caution: You should use care when using the on mode. This is a manual configuration, and ports on both ends of the EtherChannel must have the same configuration. If the group is misconfigured, packet loss or spanning-tree loops can occur.

forwarding on the switch EtherChannel ensures that the switch uses all available bandwidth to the router. The router is configured for destination-based forwarding because the large number of workstations ensures that the traffic is evenly distributed from the router EtherChannel. Use the option that provides the greatest variety in your configuration.
Configuring EtherChannels

With PAgP, if the stack master fails or leaves the stack, a new stack master is elected. A spanning-tree reconvergence is not triggered unless there is a change in the EtherChannel bandwidth. The new stack master synchronizes the configuration of the stack members to that of the stack master.

Table 37-3 Default EtherChannel Configuration (continued)
Feature               Default Setting
LACP mode             No default.
LACP learn method     Aggregate-port learning on all ports.
LACP port priority    32768 on all ports.
LACP system priority  32768.
LACP system ID        LACP system priority and the switch MAC address.
Load-balancing        Load distribution on the switch is based on the source-MAC address of the incoming packet.

• If EtherChannels are configured on switch interfaces, remove the EtherChannel configuration from the interfaces before globally enabling IEEE 802.1x on a switch by using the dot1x system-auth-control global configuration command.
• For Layer 2 EtherChannels:
  – Assign all ports in the EtherChannel to the same VLAN, or configure them as trunks. Ports with different native VLANs cannot form an EtherChannel.

Step 3  switchport mode {access | trunk}
        Assign all ports as static-access ports in the same VLAN, or configure them as trunks.
        switchport access vlan vlan-id
        If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094.

To remove a port from the EtherChannel group, use the no channel-group interface configuration command.

This example shows how to configure an EtherChannel on a single switch in the stack.

Beginning in privileged EXEC mode, follow these steps to create a port-channel interface for a Layer 3 EtherChannel. This procedure is required.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface port-channel port-channel-number
        Specify the port-channel logical interface, and enter interface configuration mode. For port-channel-number, the range is 1 to 64.

Step 5  channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive}
        Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 64. This number must be the same as the port-channel-number (logical port) configured in the “Creating Port-Channel Logical Interfaces” section on page 37-14.

This example shows how to configure an EtherChannel. It assigns two ports to channel 5 with the LACP mode active:

Switch# configure terminal
Switch(config)# interface range gigabitethernet2/0/1 -2
Switch(config-if-range)# no ip address
Switch(config-if-range)# no switchport
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# end

This example shows how to configure a cross-stack EtherChannel.

Step 3  end
        Return to privileged EXEC mode.
Step 4  show etherchannel load-balance
        Verify your entries.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return EtherChannel load-balancing to the default configuration, use the no port-channel load-balance global configuration command.
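The load-balancing discussion earlier in this chapter (source-based forwarding on the switch side of a many-workstations-to-one-router channel, destination-based on the router side; source-MAC as the default in Table 37-3) comes down to which address fields feed the per-frame link selection. The following added example, written for this guide and not Cisco code, models that selection so the spread of an expected traffic mix over the member links can be checked before choosing a port-channel load-balance method. The switch's real hash is platform-internal; an XOR of the low-order address bits stands in for it (assumption), and the frames are constructed sample traffic.

```python
"""Model of EtherChannel load distribution. Added illustration, not Cisco
code; the hash is a stand-in (assumption) and the traffic is constructed."""
from typing import Dict, List, NamedTuple

# Load-balance methods named in the guide's port-channel load-balance command.
METHODS = ("src-mac", "dst-mac", "src-dst-mac", "src-ip", "dst-ip", "src-dst-ip")


class Frame(NamedTuple):
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def _mac_bits(mac: str) -> int:
    """Low-order byte of a colon-separated MAC address."""
    return int(mac.split(":")[-1], 16)


def _ip_bits(ip: str) -> int:
    """Low-order octet of a dotted IPv4 address."""
    return int(ip.split(".")[-1])


def select_link(frame: Frame, method: str, links: int) -> int:
    """Index (0..links-1) of the member link chosen for this frame.

    The selected fields are XORed and reduced modulo the number of active
    links; this stands in for the hardware hash (assumption)."""
    if method not in METHODS:
        raise ValueError(f"unknown load-balance method {method!r}")
    if links < 1:
        raise ValueError("an EtherChannel needs at least one active link")
    parts = method.split("-")      # e.g. ["src", "dst", "mac"]
    field = parts[-1]              # "mac" or "ip"
    key = 0
    if "src" in parts:
        key ^= _mac_bits(frame.src_mac) if field == "mac" else _ip_bits(frame.src_ip)
    if "dst" in parts:
        key ^= _mac_bits(frame.dst_mac) if field == "mac" else _ip_bits(frame.dst_ip)
    return key % links


def distribution(frames: List[Frame], method: str, links: int) -> Dict[int, int]:
    """Frames carried per member link: shows whether a method spreads the
    offered traffic or pins all of it onto one link."""
    counts = {i: 0 for i in range(links)}
    for f in frames:
        counts[select_link(f, method, links)] += 1
    return counts


def workstations_to_router(n: int = 8) -> List[Frame]:
    """Constructed traffic: n workstations all sending to the same router."""
    return [Frame(f"00:11:22:33:44:{i:02x}", "00:aa:bb:cc:dd:01",
                  f"10.0.0.{10 + i}", "10.0.0.1") for i in range(n)]
```

For the workstation-to-router traffic, src-mac spreads the frames over both links while dst-mac puts every frame on the link chosen for the single router address, which is the point the chapter makes about matching the method to the side of the channel where addresses vary.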
Beginning in privileged EXEC mode, follow these steps to configure your switch as a PAgP physical-port learner and to adjust the priority so that the same port in the bundle is selected for sending packets. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the port for transmission, and enter interface configuration mode.

If you configure more than eight links for an EtherChannel group, the software automatically decides which of the hot-standby ports to make active based on the LACP priority.

Configuring the LACP Port Priority

By default, all ports use the same port priority. If the local system has a lower value for the system priority and the system ID than the remote system, you can affect which of the hot-standby links become active first by changing the port priority of LACP EtherChannel ports to a lower value than the default.

Displaying EtherChannel, PAgP, and LACP Status

To display EtherChannel, PAgP, and LACP status information, use the privileged EXEC commands described in Table 37-4:

Table 37-4 Commands for Displaying EtherChannel, PAgP, and LACP Status
Command: show etherchannel [channel-group-number {detail | port | port-channel | protocol | summary}] {detail | load-balance | port | port-channel | p

Understanding Link-State Tracking

Figure 37-6 Typical Link-State Tracking Configuration (Distribution switch 1 and Distribution switch 2 connected by a Layer 3 link; link-state group 1 (Port-channel 1) and link-state group 2 (Port-channel 2) upstream from Blade switch 1 and Blade switch 2 in the enclosure; Blade server 1, Blade server 2, ..., Blade server n–1, Blade server n downstream)

The configuration in Figure 37-6 ensures that when server NIC adapter

Configuring Link-State Tracking

In a link-state group, the upstream ports can become unavailable or lose connectivity because the distribution switch or router fails, the cables are disconnected, or the link is lost.

• Do not configure an EtherChannel as a downstream interface.
• Only interfaces gigabitethernetn/0/1 through gigabitethernetn/0/16, where n is the stack member number from 1 to 9, can be configured as downstream ports in a specific link-state group.

Displaying Link-State Tracking Status

Use the show link state group command to display the link-state group information. Enter this command without keywords to display information about all link-state groups. Enter the group number to display information specific to the group. Enter the detail keyword to display detailed information about the group.
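The two configuration rules above (no EtherChannel as a downstream interface; only gigabitethernetn/0/1 through n/0/16 with n from 1 to 9 as downstream ports) and the upstream-failure case the section describes can be expressed as a small model of a link-state group. The following is an added example written for this guide, not Cisco code: validate() enforces exactly the two page rules, and downstream_state() assumes the documented platform behaviour that the downstream ports are error-disabled once every upstream port in the group is down and return to service when any upstream port comes back.

```python
"""Link-state group validation and state model. Added illustration, not
Cisco code; the err-disable rule is the assumed platform behaviour."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Page rule: only gigabitethernet<n>/0/1 .. <n>/0/16, n = 1..9, may be downstream.
DOWNSTREAM_OK = re.compile(r"^gigabitethernet([1-9])/0/([1-9]|1[0-6])$", re.IGNORECASE)


@dataclass
class LinkStateGroup:
    number: int
    upstream: Set[str] = field(default_factory=set)
    downstream: Set[str] = field(default_factory=set)

    def validate(self) -> List[str]:
        """Configuration problems found against the chapter's guidelines;
        an empty list means the group passes."""
        problems: List[str] = []
        for port in sorted(self.downstream):
            if port.lower().startswith("port-channel"):
                problems.append(f"{port}: an EtherChannel cannot be a downstream interface")
            elif not DOWNSTREAM_OK.match(port):
                problems.append(f"{port}: only gigabitethernetn/0/1-16 (n = 1-9) may be downstream")
        if not self.upstream:
            problems.append(f"group {self.number}: no upstream interface configured")
        return problems

    def downstream_state(self, link_up: Dict[str, bool]) -> str:
        """'up' while at least one upstream link is up, 'err-disabled' once
        every upstream link is down (assumed platform behaviour). Unknown
        ports are treated as down."""
        if any(link_up.get(p, False) for p in self.upstream):
            return "up"
        return "err-disabled"


def evaluate_groups(groups: List[LinkStateGroup], link_up: Dict[str, bool]) -> Dict[int, str]:
    """Downstream state of every group, as an operator would read it from the
    link-state status display after an upstream outage."""
    return {g.number: g.downstream_state(link_up) for g in groups}
```

Running validate() on a planned group before it is configured catches the two errors the guide warns about; evaluate_groups() then shows which blade-server ports would be taken down when a distribution switch or its uplink fails.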
Chapter 38 Configuring IP Unicast Routing

This chapter describes how to configure IP Version 4 (IPv4) unicast routing on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. A switch stack operates and appears as a single router to the rest of the routers in the network. Basic routing functions, including static routing and the Routing Information Protocol (RIP), are available with both the IP base feature set and the IP services feature set.

• Configuring Protocol-Independent Features, page 38-91
• Monitoring and Maintaining the IP Network, page 38-107

Understanding IP Routing

Note: When configuring routing parameters on the switch, to allocate system resources so as to maximize the number of unicast routes allowed, you can use the sdm prefer routing global configuration command to set the Switch Database Management (SDM) feature to the routing template.

Types of Routing

Routers and Layer 3 switches can route packets in these ways:
• By using default routing
• By using preprogrammed static routes for the traffic
• By dynamically calculating routes by using a routing protocol

Default routing refers to sending traffic with a destination unknown to the router to a default outlet or destination.

• The MAC address of the stack master is used as the router MAC address for the whole stack, and all outside devices use this address to send IP packets to the stack.
• All IP packets that require software forwarding or processing go through the CPU of the stack master.

Caution: Partitioning the switch stack into two or more stacks might lead to undesirable behavior in the network.

Steps for Configuring Routing

By default, IP routing is disabled on the switch, and you must enable it before routing can take place. For detailed IP routing configuration information, see the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.

Configuring IP Addressing

A required task for configuring IP routing is to assign IP addresses to Layer 3 network interfaces to enable the interfaces and to allow communication with the hosts on those interfaces that use IP. These sections describe how to configure various IP addressing features. Assigning IP addresses to the interface is required; the other procedures are optional.

Table 38-1 Default Addressing Configuration (continued)
Feature         Default Setting
IRDP            Disabled. Defaults when enabled:
                • Broadcast IRDP advertisements.
                • Maximum interval between advertisements: 600 seconds.
                • Minimum interval between advertisements: 0.75 times maximum interval.
                • Preference: 0.
IP proxy ARP    Enabled.
IP routing      Disabled.
IP subnet-zero  Disabled.

Use of Subnet Zero

We strongly discourage subnetting with a subnet address of zero because of the problems that can arise if a network and a subnet have the same addresses. For example, if network 131.108.0.0 is subnetted as 255.255.255.0, subnet zero would be written as 131.108.0.0, which is the same as the network address. You can use the all ones subnet (131.108.255.

Figure 38-2 IP Classless Routing (figure labels: 128.0.0.0/8, 128.20.4.1, IP classless, 128.20.0.0, 128.20.1.0, 128.20.2.0, 128.20.3.0, Host)

In Figure 38-3, the router in network 128.20.0.0 is connected to subnets 128.20.1.0, 128.20.2.0, and 128.20.3.0. If the host sends a packet to 120.20.4.1, because there is no network default route, the router discards the packet.

Figure 38-3 No IP Classless Routing (figure labels: 128.0.0.0/8, 128.20.4.

Step 4  show running-config
        Verify your entry.
Step 5  copy running-config startup-config
        (Optional) Save your entry in the configuration file.

To restore the default so that the switch forwards packets destined for a subnet of a network without a network default route to the best possible supernet route, use the ip classless global configuration command.
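The difference between ip classless and no ip classless in the two figures is a rule applied after the longest-prefix lookup: when the router knows subnets of the destination's classful network but none of them matches, the classful behaviour discards the packet instead of handing it to a supernet or default route, while ip classless forwards it to the best supernet route. The following added example, written for this guide and not Cisco code, implements that lookup over a constructed routing table modelled on the figures (three directly connected subnets of 128.20.0.0 plus a default route toward the 128.0.0.0/8 cloud); interface names are placeholders.

```python
"""ip classless versus no ip classless lookup. Added illustration, not Cisco
code; the routing table and interface names are constructed placeholders."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (prefix, next hop or interface)


def classful_network(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """Class A/B/C network containing addr, using the classful default mask."""
    first_octet = int(addr) >> 24
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def lookup(dest: str, routes: List[Route], ip_classless: bool) -> Optional[str]:
    """Next hop for dest, or None if the packet is discarded.

    Longest-prefix match first. With ip_classless False, if the table holds
    subnets of dest's classful network but the best match lies outside that
    network (a supernet or default route), the packet is discarded; with
    ip_classless True the supernet/default route is used."""
    d = ipaddress.ip_address(dest)
    best: Optional[Route] = None
    for net, hop in routes:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        return None
    if not ip_classless:
        major = classful_network(d)
        knows_subnets = any(net != major and net.subnet_of(major) for net, _ in routes)
        if knows_subnets and not best[0].subnet_of(major):
            return None   # classful behaviour: unknown subnet of a known network
    return best[1]


def sample_routes() -> List[Route]:
    """Constructed table for the figures' router: three connected subnets of
    128.20.0.0 and a default route toward the 128.0.0.0/8 cloud."""
    return [
        (ipaddress.ip_network("128.20.1.0/24"), "gi1/0/1"),
        (ipaddress.ip_network("128.20.2.0/24"), "gi1/0/2"),
        (ipaddress.ip_network("128.20.3.0/24"), "gi1/0/3"),
        (ipaddress.ip_network("0.0.0.0/0"), "default-uplink"),
    ]
```

For a packet to 128.20.4.1 the classless lookup returns the default uplink, while the classful lookup returns None (the discard shown in Figure 38-3); a destination in a known subnet, or in a network for which no subnets are known, is forwarded either way.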
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing Define a Static ARP Cache ARP and other address resolution protocols provide dynamic mapping between IP addresses and MAC addresses. Because most hosts support dynamic address resolution, you usually do not need to specify static ARP cache entries. If you must define a static ARP cache entry, you can do so globally, which installs a permanent entry in the ARP cache that the switch uses to translate IP addresses into MAC addresses.
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing Beginning in privileged EXEC mode, follow these steps to specify the ARP encapsulation type: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the Layer 3 interface to configure.
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing Proxy ARP Proxy ARP, the most common method for learning about other routes, enables an Ethernet host with no routing information to communicate with hosts on other networks or subnets. The host assumes that all hosts are on the same local Ethernet and that they can use ARP to learn their MAC addresses.
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing The only required task for IRDP routing on an interface is to enable IRDP processing on that interface. When enabled, the default parameters apply. You can change any of these parameters. Beginning in privileged EXEC mode, follow these steps to enable and configure IRDP on an interface: Command Purpose Step 1 configure terminal Enter global configuration mode.
Configuring Broadcast Packet Handling After configuring an IP interface address, you can enable routing and configure one or more routing protocols, or you can configure the way the switch responds to network broadcasts. A broadcast is a data packet destined for all hosts on a physical network. The switch supports these kinds of broadcasting: • A directed broadcast packet is sent to a specific network or series of networks.
Command Purpose Step 3 ip directed-broadcast [access-list-number] Enable directed broadcast-to-physical broadcast translation on the interface. You can include an ACL to control which broadcasts are forwarded. When an access list is specified, only IP packets permitted by the access list can be translated. Note The ip directed-broadcast interface configuration command can be configured on a VPN routing/forwarding (VRF) interface and is VRF-aware.
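The two forms of the Step 3 command, as an added example that is not part of the guide (interface names, addresses and the ACL number are assumptions). It shows the unrestricted setting, the default, and the ACL-restricted form for the case where translation is genuinely needed.

```cisco
! Added example, not from the guide. Interface names, addresses and the ACL
! number are assumptions.
!
! Weak: every packet addressed to 192.0.2.255 that reaches this interface is
! turned into a link-layer broadcast, so any remote host can make every host
! on the segment answer (the classic broadcast amplification problem).
interface GigabitEthernet1/0/1
 no switchport
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
! Default and preferred: directed broadcasts are dropped at the interface.
interface GigabitEthernet1/0/2
 no switchport
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
!
! Where translation is genuinely required (here a single management host that
! sends wake-up frames to the 192.0.2.0/24 segment), the ACL argument limits
! it to that source and destination; everything else is dropped and logged.
access-list 101 remark directed broadcasts allowed only from the management host
access-list 101 permit ip host 203.0.113.10 host 192.0.2.255
access-list 101 deny ip any any log
!
interface GigabitEthernet1/0/1
 ip directed-broadcast 101
```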
Beginning in privileged EXEC mode, follow these steps to enable forwarding of UDP broadcast packets on an interface and to specify the destination address: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the Layer 3 interface to configure.
Flooding IP Broadcasts You can allow IP broadcasts to be flooded throughout your internetwork in a controlled fashion by using the database created by the bridging STP. Using this feature also prevents loops. To support this capability, you must configure bridging on each interface that is to participate in the flooding. If bridging is not configured on an interface, it still can receive broadcasts.
Beginning in privileged EXEC mode, follow these steps to increase spanning-tree-based flooding: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip forward-protocol turbo-flood Use the spanning-tree database to speed up flooding of UDP datagrams. Step 3 end Return to privileged EXEC mode. Step 4 show running-config Verify your entry.
Enabling IP Unicast Routing By default, the switch is in Layer 2 switching mode, and IP routing is disabled. To use the Layer 3 capabilities of the switch, you must enable IP routing. Beginning in privileged EXEC mode, follow these steps to enable IP routing: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip routing Enable IP routing.
Configuring RIP Note RIP is the only routing protocol supported by the IP base feature set; other routing protocols require the switch or the stack master to be running the IP services feature set. Using RIP, the switch sends routing information updates (advertisements) every 30 seconds. If a router does not receive an update from another router for 180 seconds or more, it marks the routes served by that router as unusable.
Table 38-4 Default RIP Configuration (continued) Feature Default Setting Output delay 0 milliseconds. Timers basic • Update: 30 seconds. • Invalid: 180 seconds. • Hold-down: 180 seconds. • Flush: 240 seconds. Validate-update-source Enabled. Version Receives RIP Version 1 and 2 packets; sends Version 1 packets.
Command Purpose Step 8 version {1 | 2} (Optional) Configure the switch to receive and send only RIP Version 1 or RIP Version 2 packets. By default, the switch receives Version 1 and Version 2 but sends only Version 1. You can also use the interface commands ip rip {send | receive} version {1 | 2 | 1 2} to control what versions are used for sending and receiving on interfaces. Step 9 no auto-summary (Optional) Disable automatic summarization.
Beginning in privileged EXEC mode, follow these steps to configure RIP authentication on an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the interface to configure. Step 3 ip rip authentication key-chain name-of-chain Enable RIP authentication.
Command Purpose Step 7 show ip interface interface-id Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable IP summarization, use the no ip summary-address rip router configuration command. In this example, the major net is 10.0.0.0. The summary address of 10.2.0.0 overrides the autosummary address of 10.0.0.0 so that 10.2.0.
Command Purpose Step 6 show ip interface interface-id Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To enable the split horizon mechanism, use the ip split-horizon interface configuration command. Configuring OSPF This section briefly describes how to configure Open Shortest Path First (OSPF).
Note To enable OSPF, the switch or stack master must be running the IP services feature set. Default OSPF Configuration Table 38-5 shows the default OSPF configuration. Table 38-5 Default OSPF Configuration Feature Default Setting Interface parameters Cost: No default cost predefined. Resend interval: 5 seconds. Send delay: 1 second. Priority: 1. Hello interval: 10 seconds. Dead interval: 4 times the hello interval. No authentication.
Table 38-5 Default OSPF Configuration (continued) Feature Default Setting NSF1 awareness Enabled2. Allows Layer 3 switches to continue forwarding packets from a neighboring NSF-capable router during hardware or software changes. NSF capability Disabled. Note The switch stack supports OSPF NSF-capable routing for IPv4. Router ID No OSPF routing process defined. Summary address Disabled. Timers LSA group pacing 240 seconds.
OSPF NSF Capability The IP-services feature set also supports OSPF NSF-capable routing for IPv4 for better convergence and lower traffic loss following a stack-master change. When a stack-master change occurs in an OSPF NSF-capable stack, the new stack master must do two things to resynchronize its link-state database with its OSPF neighbors: • Relearn the available OSPF neighbors on the network without resetting the neighbor relationship.
Command Purpose Step 3 nsf (Optional) Enable NSF operations for OSPF on a stacking-capable switch. Step 4 network address wildcard-mask area area-id Define an interface on which OSPF runs and the area ID for that interface. You can use the wildcard-mask to use a single command to define more than one interface to be associated with a specific OSPF area. The area ID can be a decimal value or an IP address.
Command Purpose Step 8 ip ospf dead-interval seconds (Optional) Set the number of seconds after the last device hello packet was seen before its neighbors declare the OSPF router to be down. The value must be the same for all nodes on a network. The range is 1 to 65535 seconds. The default is 4 times the hello interval. Step 9 ip ospf authentication-key key (Optional) Assign a password to be used by neighboring OSPF routers.
Beginning in privileged EXEC mode, follow these steps to configure area parameters: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router ospf process-id Enable OSPF routing, and enter router configuration mode. Step 3 area area-id authentication (Optional) Allow password-based protection against unauthorized access to the identified area. The identifier can be either a decimal value or an IP address.
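The interface-level ip ospf authentication-key command (Step 9 of the interface table) and the area authentication command (Step 3 above), as an added example that is not from the guide. It contrasts the simple-password form with the MD5 message-digest form that Cisco IOS also accepts on these commands; the OSPF process number, area, interface name and key value are assumptions.

```cisco
! Added example, not from the guide. The process ID, area, interface name and
! key value are assumptions. Every router on the link needs the same key.
!
! Weak: simple-password authentication. The key is carried in clear text in
! every OSPF packet, so anyone able to capture traffic on the segment can
! read it and inject routing updates.
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 area 0 authentication
!
interface GigabitEthernet1/0/5
 no switchport
 ip address 10.1.1.1 255.255.255.0
 ip ospf authentication-key <replace-with-real-key>
!
! Hardened (replaces the block above): message-digest authentication. The key
! itself never leaves the router; each packet carries a keyed MD5 digest and a
! key ID, so keys can be rotated by adding a new ID before removing the old.
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 area 0 authentication message-digest
!
interface GigabitEthernet1/0/5
 no switchport
 ip address 10.1.1.1 255.255.255.0
 ip ospf message-digest-key 1 md5 <replace-with-real-key>
!
! Verify: the interface output should state that message digest
! authentication is enabled and which key ID is the youngest.
! Switch# show ip ospf interface GigabitEthernet1/0/5
```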
• Virtual links: In OSPF, all areas must be connected to a backbone area. You can establish a virtual link in case of a backbone-continuity break by configuring two ABRs as endpoints of a virtual link. Configuration information includes the identity of the other virtual endpoint (the other ABR) and the nonbackbone link that the two routers have in common (the transit area). Virtual links cannot be configured through a stub area.
Command Purpose Step 7 ip auto-cost reference-bandwidth ref-bw (Optional) Specify an address range for which a single route is advertised. Use this command only with area border routers. Step 8 distance ospf {[intra-area dist1] [inter-area dist2] [external dist3]} (Optional) Change the OSPF distance values. The range is 1 to 255. The default distance for each type of route is 110.
Configuring a Loopback Interface OSPF uses the highest IP address configured on the interfaces as its router ID. If this interface is down or removed, the OSPF process must recalculate a new router ID and resend all its routing information through its interfaces. If a loopback interface is configured with an IP address, OSPF uses this IP address as its router ID, even if other interfaces have higher IP addresses.
Table 38-6 Show IP OSPF Statistics Commands Command Purpose show ip ospf neighbor [interface-name] [neighbor-id] detail Display OSPF interface neighbor information. show ip ospf virtual-links Display OSPF-related virtual links information. Configuring EIGRP Note If the switch is running the IP base image, you can configure complete EIGRP routing.
EIGRP has these four basic components: • Neighbor discovery and recovery is the process that routers use to dynamically learn of other routers on their directly attached networks. Routers must also discover when their neighbors become unreachable or inoperative. Neighbor discovery and recovery is achieved by periodically sending small hello packets.
Default EIGRP Configuration Table 38-7 shows the default EIGRP configuration. Table 38-7 Default EIGRP Configuration Feature Default Setting Auto summary Enabled. Subprefixes are summarized to the classful network boundary when crossing classful network boundaries. Default-information Exterior routes are accepted, and default information is passed between EIGRP processes during redistribution.
Table 38-7 Default EIGRP Configuration (continued) Feature Default Setting Set metric No metric set in the route map. Traffic-share Distributed proportionately to the ratios of the metrics. Variance 1 (equal-cost load-balancing). 1. NSF = nonstop forwarding 2. EIGRP NSF awareness is enabled for IPv4 on switches running the IP services feature set. To create an EIGRP routing process, you must enable EIGRP and associate networks.
If at least one of the stack peer neighbors is NSF-aware, the stack master receives updates and rebuilds its database. Each NSF-aware neighbor sends an end-of-table (EOT) marker in the last update packet to mark the end of the table content. The stack master recognizes the convergence when it receives the EOT marker and begins sending updates.
Command Purpose Step 11 show ip protocols Verify your entries. Step 12 show ip protocols Verify your entries. For NSF awareness, the output shows: *** IP Routing is NSF aware *** EIGRP NSF enabled Step 13 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no forms of these commands to disable the feature or to return the setting to the default value.
Configuring EIGRP Route Authentication EIGRP route authentication provides MD5 authentication of routing updates from the EIGRP routing protocol to prevent the introduction of unauthorized or false routing messages from unapproved sources.
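The RIP interface authentication procedure (Step 3 of that table, ip rip authentication key-chain) and the EIGRP route authentication just described both take their secrets from a key chain, so one added example serves both. It is not from the guide; the key-chain name, AS number, interface names, dates and key strings are assumptions, and the overlapping key lifetimes show how a secret is rotated without dropping adjacencies.

```cisco
! Added example, not from the guide. The key-chain name, AS number, interface
! names, dates and key strings are assumptions; replace them for your network.
!
! One key chain carries the shared secrets. Two keys with overlapping
! lifetimes allow rotation without an outage: key 1 is still accepted for a
! day after key 2 starts being sent, so neighbors can be updated one at a time.
key chain RTR-AUTH
 key 1
  key-string <old-secret>
  accept-lifetime 00:00:00 Jan 1 2009 00:00:00 Apr 2 2009
  send-lifetime 00:00:00 Jan 1 2009 00:00:00 Apr 1 2009
 key 2
  key-string <new-secret>
  accept-lifetime 00:00:00 Apr 1 2009 infinite
  send-lifetime 00:00:00 Apr 1 2009 infinite
!
! RIP: the key chain is bound per interface. Without "mode md5" RIP uses text
! mode, which carries the key string in the clear in every update.
router rip
 version 2
 network 172.16.0.0
!
interface GigabitEthernet1/0/6
 no switchport
 ip address 172.16.1.1 255.255.255.0
 ip rip authentication key-chain RTR-AUTH
 ip rip authentication mode md5
!
! EIGRP (AS 100): mode and key chain are set per interface and per AS. Every
! neighbor on the link needs the same mode and a matching key, or the
! adjacency does not form.
router eigrp 100
 network 10.3.0.0 0.0.255.255
!
interface GigabitEthernet1/0/7
 no switchport
 ip address 10.3.1.1 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 RTR-AUTH
!
! Lifetimes depend on the switch clock; without a trusted time source, use
! "infinite" lifetimes only. Verify with: show key chain / show ip protocols
```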
EIGRP Stub Routing Note The IP base feature set contains EIGRP stub routing capability, which only advertises connected or summary routes from the routing tables to other switches in the network. The switch uses EIGRP stub routing at the access layer to eliminate the need for other types of routing advertisements. For enhanced capability and complete EIGRP routing, the switch must be running the IP services feature set.
Table 38-8 IP EIGRP Clear and Show Commands Command Purpose clear ip eigrp neighbors [if-address | interface] Delete neighbors from the neighbor table. show ip eigrp interface [interface] [as number] Display information about interfaces configured for EIGRP. show ip eigrp neighbors [type-number] Display EIGRP discovered neighbors.
Configuring BGP The Border Gateway Protocol (BGP) is an exterior gateway protocol for an interdomain routing system that guarantees the loop-free exchange of routing information between autonomous systems. Autonomous systems are made up of routers operating under the same administration and run Interior Gateway Protocols (IGPs), such as RIP or OSPF, within their boundaries and interconnecting by using an Exterior Gateway Protocol (EGP).
The network has these characteristics: • Routers A and B are running EBGP, and Routers B and C are running IBGP. Note that the EBGP peers are directly connected and that the IBGP peers are not. As long as an IGP allows the two neighbors to reach one another, IBGP peers do not have to be directly connected. • All BGP speakers within an autonomous system must establish a peer relationship.
For detailed descriptions of BGP configuration, see the “Configuring BGP” chapter in the “IP Routing Protocols” part of the Cisco IOS IP Configuration Guide, Release 12.2. For details about specific commands, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of BGP commands that are visible but not supported by the switch, see Appendix C, “Unsupported Commands in Cisco IOS Release 12.2(50)SE.”
Table 38-9 Default BGP Configuration (continued) Feature Default Setting Distribute list • In (filter networks received in updates): Disabled. • Out (suppress networks from being advertised in updates): Disabled. Internal route redistribution Disabled. IP prefix list None defined. Multi-exit discriminator (MED) Neighbor • Always compare: Disabled. Does not compare MEDs for paths from neighbors in different autonomous systems.
Table 38-9 Default BGP Configuration (continued) Feature Default Setting Table map update Disabled. Timers Keepalive: 60 seconds; holdtime: 180 seconds. 1. NSF = nonstop forwarding. 2. NSF awareness can be enabled for IPv4 on switches with the IP services feature set by enabling graceful restart. Nonstop Forwarding Awareness The BGP NSF awareness feature is supported for IPv4 in the IP services feature set.
Beginning in privileged EXEC mode, follow these steps to enable BGP routing, establish a BGP routing process, and specify a neighbor: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip routing Enable IP routing (required only if IP routing is disabled). Step 3 router bgp autonomous-system Enable a BGP routing process, assign it an autonomous-system number, and enter router configuration mode.
Command Purpose Step 12 show ip bgp network network-number Verify the configuration. or show ip bgp neighbor Verify that NSF awareness (graceful restart) is enabled on the neighbor.
Sent 2826 messages, 0 notifications, 0 in queue Connections established 11; dropped 10 Anything other than BGP state = established means that the peers are not running. The remote router ID is the highest IP address on that router (or the highest loopback interface). Each time the table is updated with new information, the table version number increments.
Beginning in privileged EXEC mode, follow these steps to learn if a BGP peer supports the route-refresh capability and to reset the BGP session: Command Purpose Step 1 show ip bgp neighbors Display whether a neighbor supports the route-refresh capability. When supported, this message appears for the router: Received route refresh capability from peer.
3. Prefer the route with the highest local preference. Local preference is part of the routing update and is exchanged among routers in the same autonomous system. The default value of the local preference attribute is 100. You can set local preference by using the bgp default local-preference router configuration command or by using a route map. 4. Prefer the route that was originated by BGP running on the local router. 5.
Command Purpose Step 7 bgp bestpath med missing-as-worst (Optional) Configure the switch to consider a missing MED as having a value of infinity, making the path without a MED value the least desirable path. Step 8 bgp always-compare med (Optional) Configure the switch to compare MEDs for paths from neighbors in different autonomous systems. By default, MED comparison is only done among paths in the same autonomous system.
Command Purpose Step 3 set ip next-hop ip-address [...ip-address] [peer-address] (Optional) Set a route map to disable next-hop processing: • In an inbound route map, set the next hop of matching routes as the neighbor peering address, overriding third-party next hops. • In an outbound route map of a BGP peer, set the next hop to the peering address of the local router, disabling the next-hop calculation.
Command Purpose Step 6 show ip bgp neighbors Verify the configuration. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no neighbor distribute-list command to remove the access list from the neighbor. Use the no neighbor route-map map-tag router configuration command to remove the route map from the neighbor.
By default, sequence numbers are generated automatically and incremented in units of five. If you disable the automatic generation of sequence numbers, you must specify the sequence number for each entry. You can specify sequence values in any increment. If you specify increments of one, you cannot insert additional entries into the list. If you choose very large increments, you might run out of values.
A community is a group of destinations that share some common attribute. Each destination can belong to multiple communities. Autonomous-system administrators can define to which communities a destination belongs. By default, all destinations belong to the general Internet community. The community is identified by the COMMUNITIES attribute, an optional, transitive, global attribute in the numerical range from 1 to 4294967200.
Command Purpose Step 9 show ip bgp community Verify the configuration. Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file. Configuring BGP Neighbors and Peer Groups Often many BGP neighbors are configured with the same update policies (that is, the same outbound route maps, distribute lists, filter lists, update source, and so on).
Command Purpose Step 11 neighbor {ip-address | peer-group-name} local-as number (Optional) Specify an autonomous-system number to use as the local autonomous system. The range is 1 to 65535. Step 12 neighbor {ip-address | peer-group-name} advertisement-interval seconds (Optional) Set the minimum interval between sending BGP routing updates.
Configuring Aggregate Addresses Classless interdomain routing (CIDR) creates aggregate routes (or supernets) to minimize the size of routing tables. You can configure aggregate routes in BGP either by redistributing an aggregate route into BGP or by creating an aggregate entry in the BGP routing table. An aggregate address is added to the BGP table when there is at least one more specific entry in the BGP table.
To configure a BGP confederation, you must specify a confederation identifier that acts as the autonomous-system number for the autonomous-system group. Beginning in privileged EXEC mode, use these commands to configure a BGP confederation: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router bgp autonomous-system Enter BGP router configuration mode.
Beginning in privileged EXEC mode, use these commands to configure a route reflector and clients: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router bgp autonomous-system Enter BGP router configuration mode. Step 3 neighbor {ip-address | peer-group-name} route-reflector-client Configure the local router as a BGP route reflector and the specified neighbor as a client.
Command Purpose Step 8 clear ip bgp flap-statistics [{regexp regexp} | {filter-list list} | {address mask [longer-prefix]}] (Optional) Clear BGP flap statistics to make it less likely that a route is dampened. Step 9 clear ip bgp dampening (Optional) Clear route dampening information, and unsuppress the suppressed routes. Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file.
Table 38-11 IP BGP Clear and Show Commands (continued) Command Purpose show ip bgp neighbors [address] Display detailed information on the BGP and TCP connections to individual neighbors. show ip bgp neighbors [address] [advertised-routes | dampened-routes | flap-statistics | paths regular-expression | received-routes | routes] Display routes learned from a particular BGP neighbor.
Configuring IS-IS Dynamic Routing IS-IS is an ISO dynamic routing protocol (described in ISO 105890). Unlike other routing protocols, enabling IS-IS requires that you create an IS-IS routing process and assign it to a specific interface, rather than to a network. You can specify more than one IS-IS routing process per Layer 3 switch or router by using the multiarea IS-IS configuration syntax.
Default IS-IS Configuration Table 38-12 shows the default IS-IS configuration. Table 38-12 Default IS-IS Configuration Feature Default Setting Ignore link-state PDU (LSP) errors Enabled. IS-IS type Conventional IS-IS: the router acts as both a Level 1 (station) and a Level 2 (area) router. Multiarea IS-IS: the first instance of the IS-IS routing process is a Level 1-2 router. Remaining instances are Level 1 routers.
This feature is automatically enabled and requires no configuration. For more information on this feature, see the Integrated IS-IS Nonstop Forwarding (NSF) Awareness Feature Guide at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_white_paper09186a00801541c7.shtml Enabling IS-IS Routing To enable IS-IS, you specify a name and NET for each routing process.
To disable IS-IS routing, use the no router isis area-tag router configuration command. This example shows how to configure three routers to run conventional IS-IS as an IP routing protocol. In conventional IS-IS, all routers act as Level 1 and Level 2 routers (by default). Router A Switch(config)# clns routing Switch(config)# router isis Switch(config-router)# net 49.0001.0000.0000.000a.
• You can configure the LSP refresh interval and the maximum time that an LSP can remain in the router database without a refresh. • You can set the throttling timers for LSP generation, shortest path first computation, and partial route computation. • You can configure the switch to generate a log message when an IS-IS adjacency changes state (up or down).
Command Purpose Step 10 lsp-refresh-interval seconds (Optional) Set an LSP refresh interval in seconds. The range is from 1 to 65535 seconds. The default is to send LSP refreshes every 900 seconds (15 minutes). Step 11 max-lsp-lifetime seconds (Optional) Set the maximum time that LSP packets remain in the router database without being refreshed. The range is from 1 to 65535 seconds. The default is 1200 seconds (20 minutes).
Command Purpose Step 19 show clns Verify your entries. Step 20 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable default route generation, use the no default-information originate router configuration command. Use the no area-password or no domain-password router configuration command to disable passwords.
Beginning in privileged EXEC mode, follow these steps to configure IS-IS interface parameters: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured and enter interface configuration mode. If the interface is not already configured as a Layer 3 interface, enter the no switchport command to put it into Layer 3 mode.
Command Purpose Step 11 isis password password [level-1 | level-2] (Optional) Configure the authentication password for an interface. By default, authentication is disabled. Specifying Level 1 or Level 2 enables the password only for Level 1 or Level 2 routing, respectively. If you do not specify a level, the default is Level 1 and Level 2. Step 12 end Return to privileged EXEC mode.
Table 38-13 ISO CLNS and IS-IS Clear and Show Commands Command Purpose show isis database Display the IS-IS link-state database. show isis routes Display the IS-IS Level 1 routing table. show isis spf-log Display a history of the shortest path first (SPF) calculations for IS-IS. show isis topology Display a list of all connected routers in all areas. show route-map Display all route maps configured or only the one specified.
Understanding Multi-VRF CE Multi-VRF CE is a feature that allows a service provider to support two or more VPNs with overlapping IP addresses among the VPNs. Multi-VRF CE uses input interfaces to distinguish routes for different VPNs and forms virtual-packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF.
Figure 38-6 Switches Acting as Multiple Virtual CEs (diagram: CE1 and CE2 attached to PE1 and PE2 across the service-provider network, carrying VPN 1 and VPN 2; CE = customer-edge device, PE = provider-edge device). When the CE switch receives a command to add a Layer 3 interface to a VRF, it sets up the mapping between the VLAN ID and the policy label (PL) in multi-VRF-CE-related data structures and adds the VLAN ID and PL to the VLAN database.
• VPN forwarding—transports all traffic between all VPN community members across a VPN service-provider network. Default Multi-VRF CE Configuration Table 38-14 shows the default multi-VRF CE configuration. Table 38-14 Default Multi-VRF CE Configuration Feature Default Setting VRF Disabled. No VRFs are defined. Maps No import maps, export maps, or route maps are defined.
• Multi-VRF CE does not affect the packet switching rate. • VPN multicast is not supported. • You can configure 104 policies whether or not VRFs are configured on the switch or the switch stack. • You can enable VRF on a private VLAN and the reverse. • You cannot enable VRF when policy-based routing (PBR) is enabled on an interface and the reverse.
Configuring VRF-Aware Services IP services can be configured on global interfaces that run within the global routing instance. IP services are enhanced to run on multiple routing instances; they are VRF-aware. Any configured VRF in the system can be specified for a VRF-aware service. VRF-aware services are implemented in platform-independent modules. VRF means multiple routing instances in Cisco IOS.
User Interface for SNMP Beginning in privileged EXEC mode, follow these steps to configure VRF-aware services for SNMP. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2. Command Purpose Step 1 configure terminal Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to configure VRF-aware services for uRPF. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2. Command Purpose Step 1 configure terminal Enter global configuration mode.
User Interface for FTP and TFTP So that FTP and TFTP are VRF-aware, you must configure command-line interface (CLI) commands for FTP/TFTP. For example, if you want to use a VRF table that is attached to an interface, say E1/0, you need to configure the CLI ip [t]ftp source-interface E1/0 to inform [t]ftp to use a specific routing table. In this example, the VRF table looks up the destination IP address.
Command Purpose Step 5 route-target {export | import | both} route-target-ext-community Create a list of import, export, or import and export route target communities for the specified VRF. Enter either an autonomous-system number and an arbitrary number (nnn:y) or an IP address and an arbitrary number (A.B.C.D:y). The route-target-ext-community should be the same as the route-distinguisher entered in Step 4.
Chapter 38 Configuring IP Unicast Routing Configuring Multi-VRF CE Command Purpose Step 5 network network-number area area-id Define a network address and mask on which OSPF runs and the area ID for that network address. Step 6 end Return to privileged EXEC mode. Step 7 show ip ospf process-id Verify the configuration of the OSPF network. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 38 Configuring IP Unicast Routing Configuring Multi-VRF CE Switch C and the other customer switches are not included but would be similar. The example also includes commands for configuring traffic to Switch A for a Catalyst 6000 or Catalyst 6500 switch acting as a PE router. Figure 38-7 Multi-VRF CE Configuration Example Switch A Switch B Switch C VPN1 Switch D VPN1 208.0.0.0 Fast Ethernet 8 Switch H Switch E 108.0.0.0 VPN2 Fast Ethernet 7 CE1 Switch F 118.0.0.
Chapter 38 Configuring IP Unicast Routing Configuring Multi-VRF CE Switch(config)# interface loopback2 Switch(config-if)# ip vrf forwarding v12 Switch(config-if)# ip address 8.8.2.8 255.255.255.
Chapter 38 Configuring IP Unicast Routing Configuring Multi-VRF CE Switch(config-router-af)# network 8.8.2.0 mask 255.255.255.0 Switch(config-router-af)# exit Switch(config-router)# address-family ipv4 vrf vl1 Switch(config-router-af)# redistribute ospf 1 match internal Switch(config-router-af)# neighbor 38.0.0.3 remote-as 100 Switch(config-router-af)# neighbor 38.0.0.3 activate Switch(config-router-af)# network 8.8.1.0 mask 255.255.255.
Chapter 38 Configuring IP Unicast Routing Configuring Multi-VRF CE Router(config-vrf)# route-target import 100:2 Router(config-vrf)# exit Router(config)# ip cef Router(config)# interface loopback1 Router(config-if)# ip vrf forwarding v1 Router(config-if)# ip address 3.3.1.3 255.255.255.0 Router(config-if)# exit Router(config)# interface loopback2 Router(config-if)# ip vrf forwarding v2 Router(config-if)# ip address 3.3.2.3 255.255.255.
Chapter 38 Configuring IP Unicast Routing Configuring Unicast Reverse Path Forwarding
The unicast reverse path forwarding (uRPF) feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network. uRPF discards IP packets without a verifiable IP source address.
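The following is an added illustration of the uRPF check described above, not Cisco code; the FIB entries are constructed sample data. It shows the strict check (the best route back to the source must point out the ingress interface), the loose variant (any route to the source suffices), and the default-route caveat (a default route only verifies a source when explicitly allowed), which is why uRPF is applied at edges where routing is symmetric.

```python
"""Strict and loose unicast RPF checks over a small constructed FIB.

Added illustration of uRPF behaviour; not Cisco code. The FIB below is
constructed sample data, not a real routing table.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # interface the switch would use to reach this prefix


# Constructed sample FIB (interface names are hypothetical).
SAMPLE_FIB: List[Route] = [
    Route(ipaddress.ip_network("10.1.0.0/16"), "Vlan10"),
    Route(ipaddress.ip_network("10.2.0.0/16"), "Vlan20"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet1/0/1"),  # default route
]


def best_route(fib: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match, the same lookup the FIB performs for forwarding."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in fib if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def urpf_permits(fib: List[Route], src: str, ingress_iface: str,
                 mode: str = "strict", allow_default: bool = False) -> bool:
    """Return True when a packet from `src` arriving on `ingress_iface` passes uRPF.

    strict: the best route back to the source must exit via the ingress interface;
            this is what catches spoofed sources on edge interfaces, but it also
            drops legitimate traffic where routing is asymmetric.
    loose:  any route to the source is enough; no interface comparison is done.
    allow_default: whether a default route (/0) counts as a verifying route.
                   When False, sources reachable only via the default route fail.
    """
    route = best_route(fib, src)
    if route is None:
        return False  # no route back to the source: unverifiable, drop
    if route.prefix.prefixlen == 0 and not allow_default:
        return False  # only the default route matches; not considered verifiable
    if mode == "loose":
        return True
    return route.interface == ingress_iface
```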
Chapter 38 Configuring IP Unicast Routing Configuring Protocol-Independent Features
to be process-switched using the routing table, instead of fast-switched using the route cache. CEF and dCEF use the Forwarding Information Base (FIB) lookup table for destination-based switching of IP packets. The two main components in CEF and dCEF are the distributed FIB and the distributed adjacency tables.
Step 7 - show cef linecard [detail] or show cef linecard [stack-member-number] [detail] - Display CEF-related interface information on a standalone switch, or display dCEF-related interface information for all switches in the stack or for the specified stack member. (Optional) For stack-member-number, specify the stack member.
Configuring Static Unicast Routes
Static unicast routes are user-defined routes that cause packets moving between a source and a destination to take a specified path. Static routes can be important if the router cannot dynamically build a route to a particular destination and are useful for specifying a gateway of last resort to which all unroutable packets are sent.
When an interface goes down, all static routes through that interface are removed from the IP routing table. When the software can no longer find a valid next hop for the address specified as the forwarding-router address in a static route, the static route is also removed from the IP routing table.
Specifying Default Routes and Networks
A router might not be able to learn the routes to all other networks.
a criterion must be matched. The set command specifies an action to be taken if the routing update meets the conditions defined by the match command. Although redistribution is a protocol-independent feature, some of the match and set route-map configuration commands are specific to a particular protocol. One or more match commands and one or more set commands follow a route-map command.
Step 5 - match ip address {access-list-number | access-list-name} [...access-list-number | ...access-list-name] - Match a standard access list by specifying the name or number. It can be an integer from 1 to 199.
Step 6 - match metric metric-value - Match the specified route metric. The metric-value can be an EIGRP metric with a specified value from 0 to 4294967295.
Step 18 - set metric bandwidth delay reliability loading mtu - Set the metric value to give the redistributed routes (only for EIGRP):
• bandwidth—Metric value or IGRP bandwidth of the route in Kb/s in the range 0 to 4294967295
• delay—Route delay in tens of microseconds in the range 0 to 4294967295.
Step 4 - default-metric number - Cause the current routing protocol to use the same metric value for all redistributed routes (BGP, RIP and OSPF).
Step 5 - default-metric bandwidth delay reliability loading mtu - Cause the EIGRP routing protocol to use the same metric value for all non-EIGRP redistributed routes.
Step 6 - end - Return to privileged EXEC mode.
With PBR, you classify traffic using access control lists (ACLs) and then make traffic go through a different path. PBR is applied to incoming packets. All packets received on an interface with PBR enabled are passed through route maps. Based on the criteria defined in the route maps, packets are forwarded (routed) to the appropriate next hop.
• To use PBR, you must first enable the routing template by using the sdm prefer routing global configuration command. PBR is not supported with the VLAN and default templates. For more information on the SDM templates, see Chapter 9, “Configuring SDM Templates.”
• VRF and PBR are mutually exclusive on a switch interface. You cannot enable VRF when PBR is enabled on an interface.
Beginning in privileged EXEC mode, follow these steps to configure PBR:
Step 1 - configure terminal - Enter global configuration mode.
Step 2 - route-map map-tag [permit] [sequence number] - Define any route maps used to control from where packets are sent, and enter route-map configuration mode.
• map-tag—A meaningful name for the route map.
Step 11 - end - Return to privileged EXEC mode.
Step 12 - show route-map [map-name] - (Optional) Display all configured route maps or only the one specified to verify configuration.
Step 13 - show ip policy - (Optional) Display policy route maps attached to interfaces.
Step 14 - show ip local policy - (Optional) Display whether or not local policy routing is enabled and, if so, the route map being used.
Step 6 - network network-address - (Optional) Specify the list of networks for the routing process. The network-address is an IP address.
Step 7 - end - Return to privileged EXEC mode.
Step 8 - copy running-config startup-config - (Optional) Save your entries in the configuration file.
Filtering Sources of Routing Information
Because some routing information might be more accurate than others, you can use filtering to prioritize information coming from different sources. An administrative distance is a rating of the trustworthiness of a routing information source, such as a router or group of routers. In a large network, some routing protocols can be more reliable than others.
You can configure multiple keys with life times. Only one authentication packet is sent, regardless of how many valid keys exist. The software examines the key numbers in order from lowest to highest and uses the first valid key it encounters. The lifetimes allow for overlap during key changes. Note that the router must know these lifetimes.
Chapter 38 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network
You can remove all contents of a particular cache, table, or database. You can also display specific statistics. Use the privileged EXEC commands in Table 38-17 to clear routes or display status:
Table 38-17 Commands to Clear IP Routes or Display Route Status
clear ip route {network [mask | *]} - Clear one or more routes from the IP routing table.
CHAPTER 39 Configuring IPv6 Unicast Routing
Internet Protocol Version 6 (IPv6) is the network-layer Internet Protocol intended to replace Version 4 (IPv4) in the TCP/IP suite of protocols. This chapter describes how to configure IPv6 unicast routing on the switch. For information about configuring IPv4 unicast routing, see Chapter 38, “Configuring IP Unicast Routing.” For information about configuring IPv6 Multicast Listener Discovery (MLD) snooping, see Chapter 25, “Configuring IPv6 MLD Snooping.
Chapter 39 Configuring IPv6 Unicast Routing Understanding IPv6
• Use the Search field to locate the Cisco IOS software documentation. For example, if you want information about static routes, you can enter Implementing Static Routes for IPv6 in the search field to get this document about static routes: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-stat_routes_ps6441_TSD_Products_Configuration_Guide_Chapter.html
This section describes IPv6 implementation on the switch.
• ICMPv6, page 39-4
• Neighbor Discovery, page 39-4
• Default Router Preference, page 39-4
• IPv6 Stateless Autoconfiguration and Duplicate Address Detection, page 39-5
• IPv6 Applications, page 39-5
• Dual IPv4 and IPv6 Protocol Stacks, page 39-5
• DHCP for IPv6 Address Assignment, page 39-6
• Static Routes for IPv6, page 39-6
• RIP for IPv6, page 39-6
• OSPF for IPv6, page 39-6
• EIGRP for IPv6, page 39-7
• HSRP for IP
DNS for IPv6
IPv6 supports Domain Name System (DNS) record types in the DNS name-to-address and address-to-name lookup processes. The DNS AAAA resource record types support IPv6 addresses and are equivalent to an A address record in IPv4. The switch supports DNS resolution for IPv4 and IPv6.
Path MTU Discovery for IPv6 Unicast
The switch supports advertising the system MTU to IPv6 nodes and path MTU discovery.
IPv6 Stateless Autoconfiguration and Duplicate Address Detection
The switch uses stateless autoconfiguration to manage link, subnet, and site addressing changes, such as management of host and mobile IP addresses. A host autonomously configures its own link-local address, and booting nodes send router solicitations to request router advertisements for configuring interfaces.
The dual IPv4 and IPv6 templates allow the switch to be used in dual stack environments.
• If you try to configure IPv6 without first selecting a dual IPv4 and IPv6 template, a warning message appears.
• In IPv4-only environments, the switch routes IPv4 packets and applies IPv4 QoS and ACLs in hardware. IPv6 packets are not supported.
EIGRP for IPv6
The switch supports Enhanced Interior Gateway Routing Protocol (EIGRP) for IPv6. It is configured on the interfaces on which it runs and does not require a global IPv6 address. Before running, an instance of EIGRP IPv6 requires an implicit or explicit router ID. An implicit router ID is derived from a local IPv4 address, so any IPv4 node always has an available router ID.
For information about syslog over IPv6, including configuration procedures, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
HTTP(S) Over IPv6
The HTTP client sends requests to both IPv4 and IPv6 HTTP servers, which respond to requests from both IPv4 and IPv6 HTTP clients.
• The switch cannot forward SNAP-encapsulated IPv6 packets.
Note There is a similar limitation for IPv4 SNAP-encapsulated packets, but the packets are dropped at the switch and are not forwarded.
• The switch routes IPv6-to-IPv4 and IPv4-to-IPv6 packets in hardware, but the switch cannot be an IPv6-to-IPv4 or IPv4-to-IPv6 tunnel endpoint.
• Bridged IPv6 packets with hop-by-hop extension headers are forwarded in software.
Chapter 39 Configuring IPv6 Unicast Routing Configuring IPv6
These are the functions of IPv6 stack master and members:
• Stack master:
– runs IPv6 routing protocols
– generates routing tables
– distributes CEFv6 routing tables to stack members that use dCEFv6
– runs IPv6 host functionality and IPv6 applications
• Stack member (must be running the IP services feature set):
– receives CEFv6 routing tables from the stack master
– programs the routes into hardware
Note IPv6 packets are routed in hardwar
Default IPv6 Configuration
Table 39-1 shows the default IPv6 configuration.
Table 39-1 Default IPv6 Configuration
SDM template - Default desktop.
IPv6 routing - Disabled globally and on all interfaces.
CEFv6 or dCEFv6 - Disabled (IPv4 CEF and dCEF are enabled by default). Note: When IPv6 routing is enabled, CEFv6 and dCEFv6 are automatically enabled.
IPv6 addresses - None configured.
Beginning in privileged EXEC mode, follow these steps to assign an IPv6 address to a Layer 3 interface and enable IPv6 routing:
Step 1 - configure terminal - Enter global configuration mode.
Step 2 - sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan} - Select an SDM template that supports IPv4 and IPv6.
• default—Set the switch to the default template to balance system resources.
without arguments. To disable IPv6 processing on an interface that has not been explicitly configured with an IPv6 address, use the no ipv6 enable interface configuration command. To globally disable IPv6 routing, use the no ipv6 unicast-routing global configuration command. This example shows how to enable IPv6 with both a link-local address and a global address based on the IPv6 prefix 2001:0DB8:c18:1::/64.
Use the no ipv6 nd router-preference interface configuration command to disable an IPv6 DRP. This example shows how to configure a DRP of high for the router on an interface.
To disable IPv4 routing, use the no ip routing global configuration command. To disable IPv6 routing, use the no ipv6 unicast-routing global configuration command. To remove an IPv4 address from an interface, use the no ip address ip-address mask interface configuration command.
Enabling DHCPv6 Server Function
Beginning in privileged EXEC mode, follow these steps to enable the DHCPv6 server function on an interface.
Step 1 - configure terminal - Enter global configuration mode.
Step 2 - ipv6 dhcp pool poolname - Enter DHCP pool configuration mode, and define the name for the IPv6 DHCP pool. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0).
Step 10 - ipv6 dhcp server [poolname | automatic] [rapid-commit] [preference value] [allow-hint] - Enable DHCPv6 server function on an interface.
• poolname—(Optional) User-defined name for the IPv6 DHCP pool. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0).
• automatic—(Optional) Enables the system to automatically determine which pool to use when allocating addresses for a client.
Switch(config-dhcpv6-vs)# suboption 1 address 1000:235D::1
Switch(config-dhcpv6-vs)# suboption 2 ascii "IP-Phone"
Switch(config-dhcpv6-vs)# end
Enabling DHCPv6 Client Function
Beginning in privileged EXEC mode, follow these steps to enable DHCPv6 client function on an interface.
Step 1 - configure terminal - Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to change the ICMP rate-limiting parameters:
Step 1 - configure terminal - Enter global configuration mode.
Step 2 - ipv6 icmp error-interval interval [bucketsize] - Configure the interval and bucket size for IPv6 ICMP error messages:
• interval—The interval (in milliseconds) between tokens being added to the bucket. The range is from 0 to 2147483647 milliseconds.
Beginning in privileged EXEC mode, follow these steps to configure an IPv6 static route:
Step 1 - configure terminal - Enter global configuration mode.
Step 2 - ipv6 route ipv6-prefix/prefix length {ipv6-address | interface-id [ipv6-address]} [administrative distance] - Configure a static IPv6 route.
• ipv6-prefix—The IPv6 network that is the destination of the static route.
Step 4 - show ipv6 static [ipv6-address | ipv6-prefix/prefix length] [interface interface-id] [recursive] [detail] - Verify your entries by displaying the contents of the IPv6 routing table.
• interface interface-id—(Optional) Display only those static routes with the specified interface as an egress interface.
• recursive—(Optional) Display only recursive static routes.
Step 7 - ipv6 rip name default-information {only | originate} - (Optional) Originate the IPv6 default route (::/0) in the RIP routing process updates sent from the specified interface.
Note To avoid routing loops after the IPv6 default route (::/0) is originated from any interface, the routing process ignores all default routes received on any interface.
Beginning in privileged EXEC mode, follow these required and optional steps to configure IPv6 OSPF:
Step 1 - configure terminal - Enter global configuration mode.
Step 2 - ipv6 router ospf process-id - Enable OSPF router configuration mode for the process. The process ID is the number administratively assigned when enabling the OSPF for IPv6 routing process. It is locally assigned and can be a positive integer from 1 to 65535.
To disable an OSPF routing process, use the no ipv6 router ospf process-id global configuration command. To disable the OSPF routing process for an interface, use the no ipv6 ospf process-id area area-id interface configuration command. For more information about configuring OSPF routing for IPv6, see the “Implementing OSPF for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
Enabling HSRP Version 2
Beginning in privileged EXEC mode, follow these steps to enable HSRP version 2 on a Layer 3 interface.
Step 1 - configure terminal - Enter global configuration mode.
Step 2 - interface interface-id - Enter interface configuration mode, and enter the Layer 3 interface on which you want to specify the standby version.
Step 3 - standby version {1 | 2} - Enter 2 to change the HSRP version. The default is 1.
Chapter 39 Configuring IPv6 Unicast Routing Displaying IPv6
Step 4 - standby [group-number] preempt [delay {minimum seconds | reload seconds | sync seconds}] - Configure the router to preempt, which means that when the local router has a higher priority than the active router, it assumes control as the active router.
• (Optional) group-number—The group number to which the command applies.
Table 39-2 shows the privileged EXEC commands for monitoring IPv6 on the switch.
Table 39-2 Commands for Monitoring IPv6
show ipv6 access-list - Display a summary of access lists.
show ipv6 cef - Display Cisco Express Forwarding for IPv6.
show ipv6 interface interface-id - Display IPv6 interface status and configuration.
show ipv6 mtu - Display IPv6 MTU per destination cache.
Table 39-4 Commands for Displaying IPv4 and IPv6 Address Types (continued)
show ip http client connection - Display the configuration values for HTTP client connections to HTTP servers.
show ip http client history - Display a list of the last 20 requests made by the HTTP client to the server.
This is an example of the output from the show ipv6 protocols privileged EXEC command:
Switch# show ipv6 protocols
IPv6 Routing Protocol is “connected”
IPv6 Routing Protocol is “static”
IPv6 Routing Protocol is “rip fer”
  Interfaces:
    Vlan6
    GigabitEthernet2/0/4
    GigabitEthernet2/0/11
    GigabitEthernet1/0/12
  Redistribution:
    None
This is an example of the output from the show ipv6 rip privileged EXEC command:
Switch# show ipv6 rip
RIP process "fer", po
C   3FFE:C000:111:1::/64 [0/0]
     via ::, GigabitEthernet1/0/11
L   3FFE:C000:111:1:20B:46FF:FE2F:D945/128 [0/0]
C   3FFE:C000:168:1::/64 [0/0]
     via ::, GigabitEthernet2/0/4
L   3FFE:C000:168:1:20B:46FF:FE2F:D94B/128 [0/0]
     via ::, GigabitEthernet2/0/4
C   3FFE:C000:16A:1::/64 [0/0]
     via ::, Loopback10
L   3FFE:C000:16A:1:20B:46FF:FE2F:D900/128 [0/0]
     via ::, Loopback10
CHAPTER 40 Configuring HSRP
This chapter describes how to use Hot Standby Router Protocol (HSRP) on the switch to provide routing redundancy for routing IP traffic without being dependent on the availability of any single router. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Chapter 40 Configuring HSRP Understanding HSRP
HSRP is useful for hosts that do not support a router discovery protocol and cannot switch to a new router when their selected router reloads or loses power. When HSRP is configured on a network segment, it provides a virtual MAC address and an IP address that is shared among router interfaces in a group of router interfaces running HSRP.
Figure 40-1 Typical HSRP Configuration (figure not reproduced: Router A and Router B, one active and one standby, a virtual router, and blade servers A, B, and C; addresses shown in the figure are 172.20.128.1, 172.20.128.2, 172.20.128.3, 172.20.128.32, 172.20.128.55, and 172.20.130.5)
HSRP Versions
Cisco IOS Release 12.2(46)SE and later support these Hot Standby Router Protocol (HSRP) versions:
• HSRPv1—Version 1 of the HSRP, the default version of HSRP.
– HSRPv2 has a different packet format than HSRPv1. A switch running HSRPv1 cannot identify the physical router that sent a hello packet because the source MAC address of the router is the virtual MAC address. An HSRPv2 packet uses the type-length-value (TLV) format and has a 6-byte identifier field with the MAC address of the physical router that sent the packet.
Chapter 40 Configuring HSRP Configuring HSRP
Figure 40-2 MHSRP Load Sharing (figure not reproduced: Router A and Router B (10.0.0.1 and 10.0.0.2), each the active router for one group and the standby router for the other, with active and standby links to a blade switch enclosure with a management module)
HSRP and Switch Stacks
HSRP hello messages are generated by the stack master.
• Configuring HSRP Authentication and Timers, page 40-11
• Enabling HSRP Support for ICMP Redirect Messages, page 40-12
Default HSRP Configuration
Table 40-1 shows the default HSRP configuration.
Table 40-1 Default HSRP Configuration
HSRP version - Version 1
HSRP groups - None configured
Standby group number - 0
Standby MAC address - System assigned as: 0000.0c07.
Enabling HSRP
The standby ip interface configuration command activates HSRP on the configured interface. If an IP address is specified, that address is used as the designated address for the Hot Standby group. If no IP address is specified, the address is learned through the standby function. You must configure at least one Layer 3 port on the LAN with the designated address.
This example shows how to activate HSRP for group 1 on an interface. The IP address used by the hot standby group is learned by using HSRP.
Note This procedure is the minimum number of steps required to enable HSRP. Other configuration is optional.
Beginning in privileged EXEC mode, use one or more of these steps to configure HSRP priority characteristics on an interface:
Step 1 - configure terminal - Enter global configuration mode.
Step 2 - interface interface-id - Enter interface configuration mode, and enter the HSRP interface on which you want to set priority.
Use the no standby [group-number] priority priority [preempt [delay delay]] and no standby [group-number] [priority priority] preempt [delay delay] interface configuration commands to restore default priority, preempt, and delay values. Use the no standby [group-number] track type number [interface-priority] interface configuration command to remove the tracking.
Configuring HSRP Authentication and Timers
You can optionally configure an HSRP authentication string or change the hello-time interval and holdtime. When configuring these attributes, follow these guidelines:
• The authentication string is sent unencrypted in all HSRP messages. You must configure the same authentication string on all routers and access servers on a cable to ensure interoperation.
Chapter 40 Configuring HSRP Displaying HSRP Configurations
This example shows how to configure word as the authentication string required to allow Hot Standby routers in group 1 to interoperate:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# standby 1 authentication word
Switch(config-if)# end
This example shows how to set the timers on standby group 1 with the time between hello packets at 5 seconds and the time after which
Standby router is unknown expired
Standby virtual mac address is 0000.0c07.
CH A P T E R 41 Configuring Cisco IOS IP SLAs Operations This chapter describes how to use Cisco IOS IP Service Level Agreements (SLAs) on the switch. Cisco IP SLAs is a part of Cisco IOS software that allows Cisco customers to analyze IP service levels for IP applications and services by using active traffic monitoring—the generation of traffic in a continuous, reliable, and predictable manner—for measuring network performance.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Understanding Cisco IOS IP SLAs Because Cisco IP SLAs is Layer 2 transport independent, you can configure end-to-end operations over disparate networks to best reflect the metrics that an end user is likely to experience.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Understanding Cisco IOS IP SLAs on the type of IP SLAs operation, it responds with time-stamp information for the source to make the calculation on performance metrics. An IP SLAs operation performs a network measurement from the source device to a destination in the network using a specific protocol such as UDP.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Understanding Cisco IOS IP SLAs Note The IP SLAs responder can be a Cisco IOS Layer 2, responder-configurable switch, such as a Catalyst 2960 or Cisco ME 2400 switch. The responder does not need to support full IP SLAs functionality. Figure 41-1 shows where the Cisco IOS IP SLAs responder fits in the IP network. The responder listens on a specific port for control protocol messages sent by an IP SLAs operation.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Understanding Cisco IOS IP SLAs IP SLAs Operation Scheduling When you configure an IP SLAs operation, you must schedule the operation to begin capturing statistics and collecting error information. You can schedule an operation to start immediately or to start at a certain month, day, and hour. You can use the pending option to set the operation to start at a later time.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations Configuring IP SLAs Operations This section does not include configuration information for all available operations as the configuration information details are included in the Cisco IOS IP SLAs Configuration Guide.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations Type Type Type Type Type Type Type Type Type Type Type Type of of of of of of of of of of of of Supported Operation Operation Operation Operation Operation Operation Operation Operation Operation Operation Operation Operation Operation Types to Perform: 802.1agEcho to Perform: 802.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations Analyzing IP Service Levels by Using the UDP Jitter Operation Jitter means interpacket delay variance. When multiple packets are sent consecutively 10 ms apart from source to destination, if the network is behaving correctly, the destination should receive them 10 ms apart.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations Command Step 3 Purpose udp-jitter {destination-ip-address Configure the IP SLAs operation as a UDP jitter operation, and enter UDP | destination-hostname} jitter configuration mode. destination-port [source-ip • destination-ip-address | destination-hostname—Specify the destination IP {ip-address | hostname}] address or hostname.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations Command Purpose Step 7 end Return to privileged EXEC mode. Step 8 show ip sla configuration [operation-number] (Optional) Display configuration values, including all defaults for all IP SLAs operations or a specified operation. Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file.
Note: This operation does not require the IP SLAs responder to be enabled.
Beginning in privileged EXEC mode, follow these steps to configure an ICMP echo operation on the source device:
Step 1: configure terminal - Enter global configuration mode.
Step 2: ip sla operation-number - Create an IP SLAs operation and enter IP SLAs configuration mode.
Step 8: show ip sla configuration [operation-number] - (Optional) Display configuration values, including all defaults, for all IP SLAs operations or a specified operation.
Step 9: copy running-config startup-config - (Optional) Save your entries in the configuration file.
To disable the IP SLAs operation, enter the no ip sla operation-number global configuration command.
Monitoring IP SLAs Operations
Use the user EXEC or privileged EXEC commands in Table 41-1 to display IP SLAs operations configuration and results.
Table 41-1 Monitoring IP SLAs Operations
show ip sla application - Display global information about Cisco IOS IP SLAs.
show ip sla authentication - Display IP SLAs authentication information.
CHAPTER 42 Configuring Enhanced Object Tracking
This chapter describes how to configure enhanced object tracking on the switch. This feature provides a more complete alternative to the Hot Standby Routing Protocol (HSRP) tracking mechanism, which allows you to track the line-protocol state of an interface. If the line-protocol state of an interface goes down, the HSRP priority of the interface is reduced and another HSRP device with a higher priority becomes active.
Configuring Enhanced Object Tracking Features
These sections describe configuring enhanced object tracking:
• Default Configuration, page 42-2
• Tracking Interface Line-Protocol or IP Routing State, page 42-2
• Configuring a Tracked List, page 42-3
• Configuring HSRP Object Tracking, page 42-7
• Configuring Other Tracking Characteristics, page 42-8
• Configuring IP SLAs Object Tracking, page 42-9
Def
Step 6: delay {up seconds [down seconds] | [up seconds] down seconds} - (Optional) Specify a period of time in seconds to delay communicating state changes of a tracked object. The range is from 1 to 180 seconds.
Step 7: end - Return to privileged EXEC mode.
Step 8: show track object-number - Verify that the specified objects are being tracked.
Beginning in privileged EXEC mode, follow these steps to configure a tracked list of objects with a Boolean expression:
Step 1: configure terminal - Enter global configuration mode.
Step 2: track track-number list boolean {and | or} - Configure a tracked list object, and enter tracking configuration mode. The track-number can be from 1 to 500.
Beginning in privileged EXEC mode, follow these steps to configure a tracked list of objects by using a weight threshold and to configure a weight for each object:
Step 1: configure terminal - Enter global configuration mode.
Step 2: track track-number list threshold weight - Configure a tracked list object and enter tracking configuration mode. The track-number can be from 1 to 500.
Beginning in privileged EXEC mode, follow these steps to configure a tracked list of objects by using a percentage threshold:
Step 1: configure terminal - Enter global configuration mode.
Step 2: track track-number list threshold percentage - Configure a tracked list object and enter tracking configuration mode. The track-number can be from 1 to 500.
Configuring HSRP Object Tracking
Beginning in privileged EXEC mode, follow these steps to configure a standby HSRP group to track an object and change the HSRP priority based on the object state:
Step 1: configure terminal - Enter global configuration mode.
Step 6: standby [group-number] track object-number [decrement [priority-decrement]] - Configure HSRP to track an object and change the hot standby priority based on the state of the object.
• (Optional) group-number: Enter the group number to which the tracking applies.
• object-number: Enter a number representing the object to be tracked. The range is from 1 to 500; the default is 1.
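The three tracked-list types (boolean, weight threshold, percentage threshold) and the standby track decrement rule from the procedures above, modelled together as an added example (not Cisco code). The up/down thresholds with the hysteresis rule in the comments, the default decrement of 10, and all object states and addresses are assumptions constructed for the example.

```python
"""Tracked lists and HSRP priority decrement, modelled after Chapter 42.

Added example, not Cisco code. It implements the three tracked-list types
(boolean and/or, weight threshold, percentage threshold) and the effect of
'standby [group] track object-number [decrement n]' on an HSRP group's
priority. Assumptions: up/down thresholds are parameters with the hysteresis
rule stated below, the default priority decrement is 10, and all object
states and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

UP, DOWN = "Up", "Down"


@dataclass
class TrackedObject:
    number: int            # track object-number, 1 to 500 on this switch
    state: str = UP
    weight: int = 1        # 'object n weight w' in a weight-threshold list
    negate: bool = False   # 'object n not' in a boolean list

    def __post_init__(self):
        if not 1 <= self.number <= 500:
            raise ValueError("track object number must be 1 to 500")


@dataclass
class TrackedList:
    """One 'track n list {boolean {and|or} | threshold {weight|percentage}}'."""
    kind: str                     # "boolean", "weight" or "percentage"
    members: list
    op: str = "and"               # boolean lists only
    up_threshold: int = 1         # weight/percentage: Up when value >= this
    down_threshold: int = 0       # ... Down when value <= this; in between,
    state: str = DOWN             # the previous state is kept (hysteresis)

    def _member_up(self, obj):
        up = obj.state == UP
        return (not up) if obj.negate else up

    def evaluate(self):
        """Recompute and return the list state from its members' states."""
        ups = [self._member_up(o) for o in self.members]
        if self.kind == "boolean":
            result = all(ups) if self.op == "and" else any(ups)
            self.state = UP if result else DOWN
        elif self.kind == "weight":
            total = sum(o.weight for o, up in zip(self.members, ups) if up)
            self._apply_threshold(total)
        elif self.kind == "percentage":
            self._apply_threshold(100 * sum(ups) // len(self.members))
        else:
            raise ValueError(f"unknown list type {self.kind!r}")
        return self.state

    def _apply_threshold(self, value):
        if value >= self.up_threshold:
            self.state = UP
        elif value <= self.down_threshold:
            self.state = DOWN


def hsrp_priority(configured, tracked, decrement=10):
    """Effective priority of a standby group that tracks 'tracked': the
    configured priority is lowered by 'decrement' while the tracked object
    (or list) is Down. HSRP priority range is 0 to 255."""
    if not 0 <= configured <= 255:
        raise ValueError("HSRP priority must be 0 to 255")
    if tracked.state == DOWN:
        return max(0, configured - decrement)
    return configured


def hsrp_active(routers):
    """Elect the active router: highest effective priority wins, ties go to
    the highest interface IP address. routers: [(name, priority, ip), ...]."""
    return max(routers, key=lambda r: (r[1], IPv4Address(r[2])))[0]


if __name__ == "__main__":
    uplink = TrackedObject(1, state=DOWN)        # constructed: uplink is down
    lst = TrackedList("boolean", [uplink])
    lst.evaluate()
    # Switch A tracks the uplink with decrement 20 and drops below Switch B.
    a = hsrp_priority(110, lst, decrement=20)
    print("A priority:", a)
    print("active:", hsrp_active([("A", a, "10.0.0.1"), ("B", 100, "10.0.0.2")]))
```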
Configuring IP SLAs Object Tracking
Cisco IOS IP Service Level Agreements (IP SLAs) is a network performance measurement and diagnostics tool that uses active monitoring by generating traffic to measure network performance. Cisco IP SLAs operations collect real-time metrics that you can use for network troubleshooting, design, and analysis.
This example shows how to configure and display IP SLAs state tracking:
Switch(config)# track 2 200 state
Switch(config)# end
Switch# show track 2
Track 2
Response Time Reporter 1 state
State is Down
1 change, last change 00:00:47
Latest operation return code: over threshold
Latest RTT (millisecs) 4
Tracked by:
HSRP Ethernet0/1 3
This example output shows whether a route is reachable:
Switch(config)# track 3 500 reachabi
CHAPTER 43 Configuring Web Cache Services By Using WCCP
This chapter describes how to configure your switch to redirect traffic to wide-area application engines (such as the Cisco Cache Engine 550) by using the Web Cache Communication Protocol (WCCP). This software release supports only WCCP Version 2 (WCCPv2). WCCP is a Cisco-developed content-routing technology that you can use to integrate wide-area application engines—referred to as application engines—into your network infrastructure.
Understanding WCCP
The WCCP and Cisco cache engines (or other application engines running WCCP) localize traffic patterns in the network, enabling content requests to be fulfilled locally. WCCP enables supported Cisco routers and switches to transparently redirect content requests. With transparent redirection, users do not have to configure their browsers to use a web proxy.
WCCP Message Exchange
This sequence of events describes the WCCP message exchange:
1. The application engines send their IP addresses to the WCCP-enabled switch by using WCCP, signaling their presence through a Here I am message. The switch and application engines communicate with each other through a control channel based on UDP port 2048.
2.
MD5 Security
WCCP provides an optional security component in each protocol message to enable the switch to use MD5 authentication on messages between the switch and the application engine. Messages that do not authenticate by MD5 (when authentication of the switch is enabled) are discarded by the switch.
When packets are redirected, the output ACLs associated with the redirected interface are applied to the packets. Any ACLs associated with the original port are not applied unless you specifically configure the required output ACLs on the redirected interfaces.
WCCP and Switch Stacks
WCCP support is the same for a switch stack as for a standalone switch. WCCP configuration information is propagated to all switches in the stack.
Default WCCP Configuration
Table 43-1 shows the default WCCP configuration.
Table 43-1 Default WCCP Configuration
WCCP enable state - WCCP services are disabled.
Protocol version - WCCPv2.
Redirecting traffic received on an interface - Disabled.
Beginning in privileged EXEC mode, follow these steps to enable the web cache service, to set a multicast group address or group list, to configure routed interfaces, to redirect inbound packets received from a client to the application engine, to enable an interface to listen for a multicast address, and to set a password. This procedure is required.
Step 12: ip wccp {web-cache | service-number} redirect in - Redirect packets received from the client to the application engine. Enable this on the interface connected to the client.
Step 13: ip wccp {web-cache | service-number} group-listen - (Optional) When using a multicast group address, group-listen enables the interface to listen for the multicast address.
Switch(config-if)# ip address 175.20.50.40 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# ip wccp web-cache redirect in
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/6
Switch(config-if)# no switchport
Switch(config-if)# ip address 175.20.60.50 255.255.255.
Monitoring and Maintaining WCCP
To monitor and maintain WCCP, use one or more of the privileged EXEC commands in Table 43-2:
Table 43-2 Commands for Monitoring and Maintaining WCCP
clear ip wccp web-cache - Removes statistics for the web-cache service.
show ip wccp web-cache - Displays global information related to WCCP.
CHAPTER 44 Configuring IP Multicast Routing
This chapter describes how to configure IP multicast routing on the switch. IP multicasting is a more efficient way to use network resources, especially for bandwidth-intensive services such as audio and video. IP multicast routing enables a host (source) to send packets to a group of hosts (receivers) anywhere within the IP network by using a special form of IP address called the IP multicast group address.
Understanding Cisco’s Implementation of IP Multicast Routing
The Cisco IOS software supports these protocols to implement IP multicast routing:
• Internet Group Management Protocol (IGMP) is used among hosts on a LAN and the routers (and multilayer switches) on that LAN to track the multicast groups of which hosts are members.
Understanding IGMP
To participate in IP multicasting, multicast hosts, routers, and multilayer switches must have IGMP operating. This protocol defines the querier and host roles:
• A querier is a network device that sends query messages to discover which network devices are members of a given multicast group.
Understanding PIM
PIM is called protocol-independent: regardless of the unicast routing protocols used to populate the unicast routing table, PIM uses this information to perform multicast forwarding instead of maintaining a separate multicast routing table. PIM is defined in RFC 2362, Protocol-Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification.
When a new receiver on a previously pruned branch of the tree joins a multicast group, the PIM DM device detects the new receiver and immediately sends a graft message up the distribution tree toward the source.
The redundant PIM stub router topology is not supported. The redundant topology exists when there is more than one PIM router forwarding multicast traffic to a single access domain. PIM messages are blocked, and the PIM assert and designated router election mechanisms are not supported on the PIM passive interfaces. Only the nonredundant access router topology is supported by the PIM stub feature.
Auto-RP
This proprietary feature eliminates the need to manually configure the RP information in every router and multilayer switch in the network. For Auto-RP to work, you configure a Cisco router or multilayer switch as the mapping agent. It uses IP multicast to learn which routers or switches in the network are possible candidate RPs to receive candidate RP announcements.
Multicast Forwarding and Reverse Path Check
With unicast routing, routers and multilayer switches forward traffic through the network along a single path from the source to the destination host whose IP address appears in the destination address field of the IP packet.
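The reverse path check this section introduces, as an added example (not Cisco code): a multicast packet is forwarded only if it arrived on the interface the unicast routing table uses to reach its source, and is otherwise dropped. The routing table, the (S, G) and (*, G) entries, the interface names and the packets are all constructed.

```python
"""Multicast forwarding with a reverse path forwarding (RPF) check.

Added example, not Cisco code. A multicast packet is forwarded only if it
arrived on the interface the unicast routing table uses to reach the packet's
source; otherwise it is dropped, which stops loops and duplicate delivery.
The routing table, (S, G) entries, interface names and packets are constructed.
"""
import ipaddress


class UnicastRib:
    """Minimal unicast routing table: longest-prefix match to an interface."""

    def __init__(self, routes):
        # routes: [(prefix, outgoing interface), ...]
        self.routes = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        best = None
        for net, ifc in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifc)
        return best[1] if best else None


def rpf_check(rib, source, arrival_ifc):
    """True if the packet came in on the RPF interface toward 'source'."""
    return rib.lookup(source) == arrival_ifc


def forward_multicast(rib, mroutes, source, group, arrival_ifc):
    """Return the list of interfaces the packet is replicated to.

    mroutes maps (source, group) or ("*", group) to the outgoing interface
    list (OIL) the router built from joins. The packet is dropped ([]) when
    the RPF check fails or when no matching entry exists. The arrival
    interface is never in the result (nothing is sent back toward the source).
    """
    if not ipaddress.ip_address(group).is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    if not rpf_check(rib, source, arrival_ifc):
        return []
    oil = mroutes.get((source, group)) or mroutes.get(("*", group)) or []
    return [ifc for ifc in oil if ifc != arrival_ifc]


if __name__ == "__main__":
    rib = UnicastRib([("10.1.0.0/16", "Gi1/0/1"), ("10.1.5.0/24", "Gi1/0/2"),
                      ("0.0.0.0/0", "Gi1/0/24")])
    mroutes = {("10.1.5.7", "239.1.1.1"): ["Gi1/0/3", "Gi1/0/4"]}
    # Arrived on the RPF interface for 10.1.5.7 (the /24 wins): forwarded.
    print(forward_multicast(rib, mroutes, "10.1.5.7", "239.1.1.1", "Gi1/0/2"))
    # Same packet arriving on the /16 interface fails the RPF check: dropped.
    print(forward_multicast(rib, mroutes, "10.1.5.7", "239.1.1.1", "Gi1/0/1"))
```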
PIM uses both source trees and RP-rooted shared trees to forward datagrams (described in the “PIM DM” section on page 44-4 and the “PIM-SM” section on page 44-5).
CGMP is necessary because the Layer 2 switch cannot distinguish between IP multicast data packets and IGMP report messages, which are both at the MAC level and are addressed to the same group address. CGMP is mutually exclusive with HSRPv1. You cannot enable CGMP leave processing and HSRPv1 at the same time. However, you can enable CGMP and HSRPv2 at the same time.
• Monitoring the RP Mapping Information, page 44-35 (optional)
• Troubleshooting PIMv1 and PIMv2 Interoperability Problems, page 44-35 (optional)
Default Multicast Routing Configuration
Table 44-2 shows the default multicast routing configuration.
Table 44-2 Default Multicast Routing Configuration
Multicast routing - Disabled on all interfaces.
PIM version - Version 2.
PIM mode - No mode is defined.
When PIMv2 devices interoperate with PIMv1 devices, Auto-RP should have already been deployed. A PIMv2 BSR that is also an Auto-RP mapping agent automatically advertises the RP elected by Auto-RP. That is, Auto-RP sets its single RP on every router or multilayer switch in the group. Not all routers and switches in the domain use the PIMv2 hash function to select multiple RPs.
Note: If you enable PIM on multiple interfaces, when most of these interfaces are not on the outgoing interface list, and IGMP snooping is disabled, the outgoing interface might not be able to sustain line rate for multicast traffic because of the extra replication.
In populating the multicast routing table, dense-mode interfaces are always added to the table.
Step 5: ip pim {dense-mode | sparse-mode | sparse-dense-mode} - Enable a PIM mode on the interface. By default, no mode is configured. The keywords have these meanings:
• dense-mode: Enables dense mode of operation.
• sparse-mode: Enables sparse mode of operation. If you configure sparse mode, you must also configure an RP. For more information, see the “Configuring a Rendezvous Point” section on page 44-24.
How SSM Differs from Internet Standard Multicast
The current IP multicast infrastructure in the Internet and many enterprise intranets is based on the PIM-SM protocol and Multicast Source Discovery Protocol (MSDP). These protocols have the limitations of the Internet Standard Multicast (ISM) service model.
Use the ip pim ssm global configuration command to configure the SSM range and to enable SSM. This configuration has the following effects:
• For groups within the SSM range, (S, G) channel subscriptions are accepted through IGMPv3 include-mode membership reports.
• PIM operations within the SSM range of addresses change to PIM-SSM, a mode derived from PIM-SM.
IGMP Snooping and CGMP Limitations
IGMPv3 uses new membership report messages that might not be correctly recognized by older IGMP snooping switches. For more information about switching issues related to IGMP (especially with CGMP), refer to the “Understanding IGMP” section on page 44-3.
Configuring Source Specific Multicast Mapping
The Source Specific Multicast (SSM) mapping feature supports SSM transition when supporting SSM on the end system is impossible or unwanted due to administrative or technical reasons. You can use SSM mapping to leverage SSM for video delivery to legacy STBs that do not support IGMPv3 or for applications that do not use the IGMPv3 host stack.
When the router receives an IGMPv1 or IGMPv2 membership report for a group, the router uses SSM mapping to determine one or more source IP addresses for the group. SSM mapping then translates the membership report as an IGMPv3 report and continues as if it had received an IGMPv3 report.
Figure 44-4 DNS-Based SSM Mapping (figure: a source, (S, G) joins, a DNS server answering a reverse DNS lookup with a DNS response, and IGMPv2 membership reports from STB host 1, STB host 2, and STB host 3)
The SSM mapping mechanism that enables the last hop router to join multiple sources for a group can provide source redundancy for a TV broadcast.
Configuring Static SSM Mapping
Beginning in privileged EXEC mode, follow these steps to configure static SSM mapping:
Step 1: configure terminal - Enter global configuration mode.
Step 2: ip igmp ssm-map enable - Enable SSM mapping for groups in the configured SSM range.
Step 3: no ip igmp ssm-map query dns - (Optional) Disable DNS-based SSM mapping.
Step 3: ip igmp ssm-map query dns - (Optional) Enable DNS-based SSM mapping. By default, the ip igmp ssm-map command enables DNS-based SSM mapping. Only the no form of this command is saved to the running configuration.
Note: Use this command to re-enable DNS-based SSM mapping if DNS-based SSM mapping is disabled.
Step 4: ip domain multicast domain-prefix
Monitoring SSM Mapping
Use the privileged EXEC commands in Table 44-3 to monitor SSM mapping.
Table 44-3 SSM Mapping Monitoring Commands
show ip igmp ssm-mapping - Display information about SSM mapping.
show ip igmp ssm-mapping group-address - Display the sources that SSM mapping uses for a particular group.
In this example, IP multicast routing is enabled, and Switch A PIM uplink port 25 is configured as a routed uplink port with sparse-dense-mode enabled. PIM stub routing is enabled on the VLAN 100 interfaces and on Gigabit Ethernet port 20 in Figure 44-2:
Switch(config)# ip multicast-routing distributed
Switch(config)# interface GigabitEthernet3/0/25
Switch(config-if)# no switchport
Switch(config-if)# ip address 3.1.1.2 255.255.255.
Manually Assigning an RP to Multicast Groups
This section explains how to manually configure an RP. If the RP for a group is learned through a dynamic mechanism (such as Auto-RP or BSR), you need not perform this task for that RP. Senders of multicast traffic announce their existence through register messages received from the source first-hop router (designated router) and forwarded to the RP.
Step 5: show running-config - Verify your entries.
Step 6: copy running-config startup-config - (Optional) Save your entries in the configuration file.
To remove an RP address, use the no ip pim rp-address ip-address [access-list-number] [override] global configuration command.
This example shows how to configure the address of the RP to 147.106.6.22 for multicast group 225.2.2.
Adding Auto-RP to an Existing Sparse-Mode Cloud
This section contains some suggestions for the initial deployment of Auto-RP into an existing sparse-mode cloud to minimize disruption of the existing multicast infrastructure.
Beginning in privileged EXEC mode, follow these steps to deploy Auto-RP in an existing sparse-mode cloud. This procedure is optional.
Step 5: ip pim send-rp-discovery scope ttl - Find a switch whose connectivity is not likely to be interrupted, and assign it the role of RP-mapping agent. For scope ttl, specify the time-to-live value in hops to limit the RP discovery packets. All devices within the hop count from the source device receive the Auto-RP discovery messages.
Beginning in privileged EXEC mode, follow these steps to filter incoming RP announcement messages. This procedure is optional.
Step 1: configure terminal - Enter global configuration mode.
Step 2: ip pim rp-announce-filter rp-list access-list-number group-list access-list-number - Filter incoming RP announcement messages. Enter this command on each mapping agent in the network.
Switch(config)# access-list 20 deny 239.0.0.0 0.0.255.255
Switch(config)# access-list 20 permit 224.0.0.0 15.255.255.255
In this example, the mapping agent accepts candidate RP announcements from only two devices, 172.16.5.1 and 172.16.2.1. The mapping agent accepts candidate RP announcements from these two devices only for multicast groups that fall in the group range of 224.0.0.0 to 239.255.255.255.
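The rp-announce-filter decision from the procedure and example above, worked through as an added example (not Cisco code): standard access lists are evaluated IOS-style (first match wins, implicit deny at the end, wildcard mask bits set to 1 are "do not care"), and an announcement is accepted only if both the rp-list and the group-list permit it. The ACL 20 lines are the chapter's; ACL 10 (the two RP addresses), the announcements, and matching the announced prefix's network address against group-list are assumptions of this model.

```python
"""Standard access lists with wildcard masks and the Auto-RP announce filter.

Added example, not Cisco code. It evaluates IOS-style standard ACLs (first
match wins, implicit deny at the end) and applies them the way
'ip pim rp-announce-filter rp-list N group-list M' on a mapping agent does:
a candidate-RP announcement is accepted only if the RP address is permitted
by rp-list and the announced group prefix is permitted by group-list.
Matching the announced prefix's network address against group-list is an
assumption of this model; the ACL 20 lines are the chapter's, ACL 10 and the
announcements are constructed.
"""
from ipaddress import IPv4Address, IPv4Network


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care' for that bit."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


class StandardAcl:
    """Ordered entries (action, base, wildcard); a host entry uses 0.0.0.0."""

    def __init__(self, number, entries):
        self.number = number
        for action, _, _ in entries:
            if action not in ("permit", "deny"):
                raise ValueError(f"access-list {number}: bad action {action!r}")
        self.entries = list(entries)

    def permits(self, addr):
        for action, base, wildcard in self.entries:
            if wildcard_match(addr, base, wildcard):
                return action == "permit"
        return False   # implicit deny any at the end of every ACL


def rp_announce_accepted(rp_list, group_list, rp_addr, group_prefix):
    """Mapping-agent decision for one candidate-RP announcement."""
    net = IPv4Network(group_prefix)
    if not net.network_address.is_multicast:
        return False
    return rp_list.permits(rp_addr) and group_list.permits(str(net.network_address))


# rp-list: only the two candidate RPs named in the chapter's example (constructed ACL)
ACL10 = StandardAcl(10, [("permit", "172.16.5.1", "0.0.0.0"),
                         ("permit", "172.16.2.1", "0.0.0.0")])
# group-list, exactly as in the chapter's configuration lines
ACL20 = StandardAcl(20, [("deny", "239.0.0.0", "0.0.255.255"),
                         ("permit", "224.0.0.0", "15.255.255.255")])


if __name__ == "__main__":
    announcements = [("172.16.5.1", "224.0.0.0/4"), ("172.16.9.9", "224.0.0.0/4"),
                     ("172.16.2.1", "239.0.0.0/16"), ("172.16.2.1", "239.1.0.0/16")]
    for rp, prefix in announcements:
        verdict = "accepted" if rp_announce_accepted(ACL10, ACL20, rp, prefix) else "rejected"
        print(f"RP {rp} for {prefix}: {verdict}")
```

Note that the deny line with wildcard 0.0.255.255 only covers 239.0.0.0/16, so an announcement for 239.1.0.0/16 still passes; running announcements through a model like this is a quick way to check that a wildcard mask filters what you intended.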
Figure 44-5 Constraining PIMv2 BSR Messages (figure: a PIMv2 sparse-mode network whose BSR sends BSR messages; on the Layer 3 switches at the edge, the interfaces facing each neighboring PIMv2 domain are configured with the ip pim bsr-border command)
This example shows a portion of an IP multicast boundary configuration that denies Auto-RP information:
Switch(config)# access-list 1 deny 224.0.1.39
Switch(config)# access-list 1 deny 224.0.1.40
Switch(config)# access-list 1 permit all
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip multicast boundary 1
Configuring Candidate BSRs
You can configure one or more candidate BSRs.
Configuring Candidate RPs
You can configure one or more candidate RPs. Similar to BSRs, the RPs should also have good connectivity to other devices and be in the backbone portion of the network. An RP can serve the entire IP multicast address space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR.
This example shows how to configure the switch to advertise itself as a candidate RP to the BSR in its PIM domain. Standard access list number 4 specifies the group prefix associated with the RP that has the address identified by a port. That RP is responsible for the groups with the prefix 239.
Switch(config)# ip pim rp-candidate gigabitethernet1/0/2 group-list 4
Switch(config)# access-list 4 permit 239.0.0.0 0.255.255.
Monitoring the RP Mapping Information
To monitor the RP mapping information, use these commands in privileged EXEC mode:
• show ip pim bsr displays information about the elected BSR.
• show ip pim rp-hash group displays the RP that was selected for the specified group.
• show ip pim rp [group-name | group-address | mapping] displays how the switch learns of the RP (through the BSR or the Auto-RP mechanism).
Figure 44-6 Shared Tree and Source Tree (Shortest-Path Tree) (figure: a source, Router A, Router B, Router C, the RP, and a receiver, showing the source tree (shortest-path tree) from the source and the shared tree from the RP)
If the data rate warrants, leaf routers (routers without any downstream connections) on the shared tree can use the data distribution tree rooted at the source. This type of distribution tree is called a shortest-path tree or source tree.
Delaying the Use of PIM Shortest-Path Tree
The change from shared to source tree happens when the first data packet arrives at the last-hop router (Router C in Figure 44-6). The ip pim spt-threshold global configuration command controls when this change occurs. The shortest-path tree requires more memory than the shared tree but reduces delay. You might want to postpone its use.
Step 4: end - Return to privileged EXEC mode.
Step 5: show running-config - Verify your entries.
Step 6: copy running-config startup-config - (Optional) Save your entries in the configuration file.
To return to the default setting, use the no ip pim spt-threshold {kbps | infinity} global configuration command.
• Modifying the IGMP Host-Query Message Interval, page 44-41 (optional)
• Changing the IGMP Query Timeout for IGMPv2, page 44-42 (optional)
• Changing the Maximum Query Response Time for IGMPv2, page 44-43 (optional)
• Configuring the Switch as a Statically Connected Member, page 44-43 (optional)
Default IGMP Configuration
Table 44-4 shows the default IGMP configuration.
Step 4: end - Return to privileged EXEC mode.
Step 5: show ip igmp interface [interface-id] - Verify your entries.
Step 6: copy running-config startup-config - (Optional) Save your entries in the configuration file.
To cancel membership in a group, use the no ip igmp join-group group-address interface configuration command.
This example shows how to enable the switch to join multicast group 255.2.2.
Step 7: show ip igmp interface [interface-id] - Verify your entries.
Step 8: copy running-config startup-config - (Optional) Save your entries in the configuration file.
To disable groups on an interface, use the no ip igmp access-group interface configuration command.
This example shows how to configure hosts attached to a port as able to join only group 255.2.2.2:
Switch(config)# access-list 1 255.2.2.2 0.0.
The switch elects a PIM designated router (DR) for the LAN (subnet). The DR is the router or multilayer switch with the highest IP address for IGMPv2. For IGMPv1, the DR is elected according to the multicast routing protocol that runs on the LAN. The designated router is responsible for sending IGMP host-query messages to all hosts on the LAN.
Step 5: show ip igmp interface [interface-id] - Verify your entries.
Step 6: copy running-config startup-config - (Optional) Save your entries in the configuration file.
To return to the default setting, use the no ip igmp querier-timeout interface configuration command.
Beginning in privileged EXEC mode, follow these steps to configure the switch itself to be a statically connected member of a group (and enable fast switching). This procedure is optional.
Step 1: configure terminal - Enter global configuration mode.
Step 2: interface interface-id - Specify the interface to be configured, and enter interface configuration mode.
Step 3: ip cgmp [proxy] - Enable CGMP on the interface. By default, CGMP is disabled on all interfaces. Enabling CGMP triggers a CGMP join message. Enable CGMP only on Layer 3 interfaces connected to Layer 2 Catalyst switches. (Optional) When you enter the proxy keyword, the CGMP proxy function is enabled.
Enabling sdr Listener Support
By default, the switch does not listen to session directory advertisements.
Beginning in privileged EXEC mode, follow these steps to enable the switch to join the default session directory group (224.2.127.254) on the interface and listen to session directory advertisements. This procedure is optional.
Step 1: configure terminal - Enter global configuration mode.
administratively-scoped boundary on a routed interface, multicast traffic whose multicast group addresses fall in this range cannot enter or exit this interface, thereby providing a firewall for multicast traffic in this address range.
Note: Multicast boundaries and TTL thresholds control the scoping of multicast domains; however, TTL thresholds are not supported by the switch.
Beginning in privileged EXEC mode, follow these steps to set up an administratively-scoped boundary. This procedure is optional.
Step 1: configure terminal - Enter global configuration mode.
Step 2: access-list access-list-number {deny | permit} source [source-wildcard] - Create a standard access list, repeating the command as many times as necessary.
Configuring DVMRP Interoperability
Cisco multicast routers and multilayer switches using PIM can interoperate with non-Cisco multicast routers that use the DVMRP. PIM devices dynamically discover DVMRP multicast routers on attached networks by listening to DVMRP probe messages.
Step 4: ip dvmrp metric metric [list access-list-number] [[protocol process-id] | [dvmrp]] - Configure the metric associated with a set of destinations for DVMRP reports.
• For metric, the range is 0 to 32. A value of 0 means that the route is not advertised. A value of 32 is equivalent to infinity (unreachable).
Chapter 44 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Configuring a DVMRP Tunnel The software supports DVMRP tunnels to the MBONE. You can configure a DVMRP tunnel on a router or multilayer switch if the other end is running DVMRP. The software then sends and receives multicast packets through the tunnel. This strategy enables a PIM domain to connect to the DVMRP router when all routers on the path do not support multicast routing.
Chapter 44 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Step 9 Command Purpose ip dvmrp accept-filter access-list-number [distance] neighbor-list access-list-number Configure an acceptance filter for incoming DVMRP reports. By default, all destination reports are accepted with a distance of 0. Reports from all neighbors are accepted. • For access-list-number, specify the access list number created in Step 2.
Chapter 44 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Beginning in privileged EXEC mode, follow these steps to advertise network 0.0.0.0 to DVMRP neighbors on an interface. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface that is connected to the DVMRP router, and enter interface configuration mode.
Chapter 44 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features These sections contain this configuration information: • Enabling DVMRP Unicast Routing, page 44-54 (optional) • Rejecting a DVMRP Nonpruning Neighbor, page 44-55 (optional) • Controlling Route Exchanges, page 44-56 (optional) For information on basic DVMRP features, see the “Configuring Basic DVMRP Interoperability Features” section on page 44-48.
Chapter 44 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Rejecting a DVMRP Nonpruning Neighbor By default, Cisco devices accept all DVMRP neighbors as peers, regardless of their DVMRP capability. However, some non-Cisco devices run old versions of DVMRP that cannot prune, so they continuously receive forwarded packets, wasting bandwidth. Figure 44-8 shows this scenario.
Chapter 44 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Figure 44-9 Router Rejects Nonpruning DVMRP Neighbor Source router or RP RP Router A Multicast traffic gets to receiver, not to leaf DVMRP device Router B Receiver Layer 3 switch Leaf nonpruning DVMRP device 101245 Configure the ip dvmrp reject-non-pruners command on this interface. Note that the ip dvmrp reject-non-pruners interface configuration command prevents peering with neighbors only.
Chapter 44 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features • Configuring a DVMRP Summary Address, page 44-58 (optional) • Disabling DVMRP Autosummarization, page 44-60 (optional) • Adding a Metric Offset to the DVMRP Route, page 44-60 (optional) Limiting the Number of DVMRP Routes Advertised By default, only 7000 DVMRP routes are advertised over an interface enabled to run DVMRP (that is, a DVMRP tunnel, an interface where a DVMRP neighbor has been discovered, o
Chapter 44 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features To return to the default setting use the no ip dvmrp routehog-notification global configuration command. Use the show ip igmp interface privileged EXEC command to display a running count of routes. When the count is exceeded, *** ALERT *** is appended to the line.
Chapter 44 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Figure 44-10 On Connected Unicast Routes Are Advertised by Default interface tunnel 0 ip unnumbered gigabitethernet1/0/1 DVMRP Report 151.16.0.0/16 m = 39 172.34.15.0/24 m = 42 202.13.3.0/24 m = 40 176.32.10.0/24 m=1 176.32.15.0/24 m=1 interface gigabitethernet1/0/1 ip addr 176.32.10.1 255.255.255.0 ip pim dense-mode DVMRP router interface gigabitethernet1/0/2 ip addr 176.32.15.1 255.255.255.
Chapter 44 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Disabling DVMRP Autosummarization By default, the software automatically performs some level of DVMRP summarization. Disable this function if you want to advertise all routes, not just a summary. In some special cases, you can use the neighboring DVMRP router with all subnet information to better control the flow of multicast traffic in the DVMRP network.
Chapter 44 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Step 3 Command Purpose ip dvmrp metric-offset [in | out] increment Change the metric added to DVMRP routes advertised in incoming reports. The keywords have these meanings: • (Optional) in—Specifies that the increment value is added to incoming DVMRP reports and is reported in mrinfo replies.
Chapter 44 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Table 44-5 Commands for Clearing Caches, Tables, and Databases (continued) Command Purpose clear ip igmp group [group-name | group-address | interface] Delete entries from the IGMP cache. clear ip mroute {* | group [source]} Delete entries from the IP multicast routing table. clear ip pim auto-rp rp-address Clear the auto-RP cache.
Chapter 44 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Table 44-6 Commands for Displaying System and Network Statistics (continued) Command Purpose show ip pim rp [group-name | group-address] Display the RP routers associated with a sparse-mode multicast group. This command is available in all software images.
Chapter 44 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide 44-64 OL-13270-03
Chapter 45 Configuring MSDP

This chapter describes how to configure the Multicast Source Discovery Protocol (MSDP) on the switch. MSDP connects multiple Protocol-Independent Multicast sparse-mode (PIM-SM) domains. MSDP is not fully supported in this software release because of a lack of support for Multicast Border Gateway Protocol (MBGP), which works closely with MSDP. However, it is possible to create default peers that MSDP can operate with if MBGP is not running.

MSDP Operation

Figure 45-1 shows MSDP operating between two MSDP peers. PIM uses MSDP as the standard mechanism to register a source with the RP of a domain. When MSDP is configured, this sequence occurs: When a source sends its first multicast packet, the first-hop router (designated router or RP) directly connected to the source sends a PIM register message to the RP.

Figure 45-1 MSDP Running Between RP Peers (figure; only its labels survive: MSDP peer, RP + MSDP peer, MSDP SA, Peer RPF flooding, TCP connection, BGP, Receiver, Register, Multicast Source, (S,G) Join, PIM DR, PIM sparse-mode domain)

MSDP Benefits

MSDP has these benefits:
• It breaks up the shared multicast distribution tree. You can make the shared tree local to your domain.

• Controlling Source Information that Your Switch Originates, page 45-8 (optional)
• Controlling Source Information that Your Switch Forwards, page 45-11 (optional)
• Controlling Source Information that Your Switch Receives, page 45-13 (optional)
• Configuring an MSDP Mesh Group, page 45-15 (optional)
• Shutting Down an MSDP Peer, page 45-15 (optional)
• Including a Bordering PIM Dense-Mode Region in MSDP, page 45-16 (optional)
• Configuring an Or

Figure 45-2 Default MSDP Peer Network (figure; only its labels survive: Router C, Router A, Switch B, ISP A PIM domain, ISP C PIM domain, Customer PIM domain, Default MSDP peer, 10.1.1.1, SA)

Beginning in privileged EXEC mode, follow these steps to specify a default MSDP peer. This procedure is required.

Step 1  configure terminal
        Enter global configuration mode.

Step 3  ip prefix-list name [description string] | seq number {permit | deny} network length
        (Optional) Create a prefix list using the name specified in Step 2.
        • (Optional) For description string, enter a description of up to 80 characters to describe this prefix list.
        • For seq number, enter the sequence number of the entry. The range is 1 to 4294967294.
Step 4  ip msdp description {peer-name | peer-address} text

Beginning in privileged EXEC mode, follow these steps to enable the caching of source/group pairs. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip msdp cache-sa-state [list access-list-number]
        Enable the caching of source/group pairs (create an SA state). Those pairs that pass the access list are cached. For list access-list-number, the range is 100 to 199.

Requesting Source Information from an MSDP Peer

Local RPs can send SA requests and get immediate responses for all active sources for a given group. By default, the switch does not send any SA request messages to its MSDP peers when a new member joins a group and wants to receive multicast traffic. The new member waits to receive the next periodic SA message.

Redistributing Sources

SA messages originate on RPs to which sources have registered. By default, any source that registers with an RP is advertised. The A flag is set in the RP when a source is registered, which means the source is advertised in an SA unless it is filtered. Beginning in privileged EXEC mode, follow these steps to further restrict which registered sources are advertised. This procedure is optional.

Step 3  access-list access-list-number {deny | permit} source [source-wildcard]
        Create an IP standard access list, repeating the command as many times as necessary.
        or
        access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
        Create an IP extended access list, repeating the command as many times as necessary.

Beginning in privileged EXEC mode, follow these steps to configure one of these options. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip msdp filter-sa-request {ip-address | name}
        Filter all SA request messages from the specified MSDP peer.

Using a Filter

By creating a filter, you can perform one of these actions:
• Filter all source/group pairs
• Specify an IP extended access list to pass only certain source/group pairs
• Filter based on match criteria in a route map

Beginning in privileged EXEC mode, follow these steps to apply a filter. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.

Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove the filter, use the no ip msdp sa-filter out {ip-address | name} [list access-list-number] [route-map map-tag] global configuration command.

This example shows how to allow only (S,G) pairs that pass access list 100 to be forwarded in an SA message to the peer named switch.cisco.

You can perform one of these actions:
• Filter all incoming SA messages from an MSDP peer
• Specify an IP extended access list to pass certain source/group pairs
• Filter based on match criteria in a route map

Beginning in privileged EXEC mode, follow these steps to apply a filter. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.

To remove the filter, use the no ip msdp sa-filter in {ip-address | name} [list access-list-number] [route-map map-tag] global configuration command.

This example shows how to filter all SA messages from the peer named switch.cisco.com:
Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet1/0/1
Switch(config)# ip msdp sa-filter in switch.cisco.

Beginning in privileged EXEC mode, follow these steps to shut down a peer. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip msdp shutdown {peer-name | peer-address}
        Administratively shut down the specified MSDP peer without losing configuration information. For peer-name | peer-address, enter the IP address or name of the MSDP peer to shut down.
Step 3  end
        Return to privileged EXEC mode.

Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Note that the ip msdp originator-id global configuration command also identifies an interface to be used as the RP address.

Monitoring and Maintaining MSDP

To monitor MSDP SA messages, peers, state, or peer status, use one or more of the privileged EXEC commands in Table 45-1:

Table 45-1 Commands for Monitoring and Maintaining MSDP

Command / Purpose
debug ip msdp [peer-address | name] [detail] [routes]
    Debugs an MSDP activity.
debug ip msdp resets
    Debugs MSDP peer reset reasons.
Chapter 46 Configuring Fallback Bridging

This chapter describes how to configure fallback bridging (VLAN bridging) on the switch. With fallback bridging, you can forward non-IP packets that the switch does not route between VLAN bridge domains and routed ports. To use this feature, the switch or stack master must be running the IP services feature set. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

acts like a port on a router, but it is not connected to a router. A routed port is not associated with a particular VLAN and does not support VLAN subinterfaces, but it behaves like a normal routed port. For more information about SVIs and routed ports, see Chapter 11, “Configuring Interface Characteristics.” A bridge group is an internal organization of network interfaces on a switch.

Fallback Bridging and Switch Stacks

When the stack master fails, a stack member becomes the new stack master by using the election process described in Chapter 6, “Managing Switch Stacks.” The new stack master creates a new VLAN-bridge spanning-tree instance, which temporarily puts the spanning-tree ports used for fallback bridging into a nonforwarding state.

Default Fallback Bridging Configuration

Table 46-1 shows the default fallback bridging configuration.

Table 46-1 Default Fallback Bridging Configuration

Feature / Default Setting
Bridge groups
    None are defined or assigned to a port. No VLAN-bridge STP is defined.
Switch forwards frames for stations that it has dynamically learned
    Enabled.
Spanning tree parameters:
  • Switch priority
    32768.
  • Port priority
    128.

Beginning in privileged EXEC mode, follow these steps to create a bridge group and to assign an interface to it. This procedure is required.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  bridge bridge-group protocol vlan-bridge
        Assign a bridge group number, and specify the VLAN-bridge spanning-tree protocol to run in the bridge group. The ibm and dec keywords are not supported.

This example shows how to create bridge group 10 and to specify that the VLAN-bridge STP runs in the bridge group.

Step 4  show running-config
        Verify your entry.
Step 5  copy running-config startup-config
        (Optional) Save your entry in the configuration file.

To return to the default setting, use the no bridge bridge-group priority global configuration command. To change the priority on a port, use the bridge-group priority interface configuration command (described in the next section).

Beginning in privileged EXEC mode, follow these steps to assign a path cost. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the port to set the path cost, and enter interface configuration mode.
Step 3  bridge-group bridge-group path-cost cost
        Assign the path cost of a port.
        • For bridge-group, specify the bridge group number.

Adjusting the Interval between Hello BPDUs

Beginning in privileged EXEC mode, follow these steps to adjust the interval between hello BPDUs. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  bridge bridge-group hello-time seconds
        Specify the interval between hello BPDUs.
        • For bridge-group, specify the bridge group number. The range is 1 to 255.

Changing the Maximum-Idle Interval

If a switch does not receive BPDUs from the root switch within a specified interval, it recomputes the spanning-tree topology. Beginning in privileged EXEC mode, follow these steps to change the maximum-idle interval (maximum aging time). This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.

This example shows how to disable spanning tree on a port in bridge group 10:
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# bridge-group 10 spanning-disabled

Monitoring and Maintaining Fallback Bridging

To monitor and maintain the network, use one or more of the privileged EXEC commands in Table 46-2:

Table 46-2 Commands for Monitoring and Maintaining Fallback Bridging

Command / Purpose
clear bridg
Chapter 47 Troubleshooting

This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the switch. Depending on the nature of the problem, you can use the command-line interface (CLI), the device manager, or Network Assistant to identify and solve problems. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Recovering from a Software Failure

Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, or by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. This procedure uses boot loader commands and TFTP to recover from a corrupted or wrong image file.

Step 6  Press the Mode button, and at the same time, power on the switch by using one of these methods:
        • If you powered off the switch by using the CMC GUI, use the GUI to power on the switch or the stack.
        • If you powered off the switch by removing the switch or stack members from the enclosure, re-insert the standalone switch or the stack members in the enclosure.

Recovering from a Lost or Forgotten Password

These sections describe how to recover a forgotten or lost switch password:
• Procedure with Password Recovery Enabled, page 47-5
• Procedure with Password Recovery Disabled, page 47-7

You enable or disable password recovery by using the service password-recovery global configuration command.

Proceed with reload? [confirm] y

On a stacking-capable switch:
Switch> reload slot
Proceed with reload? [confirm] y

Step 6  For stacking-capable switches, power on the rest of the switch stack.

Procedure with Password Recovery Enabled

If the password-recovery mechanism is enabled, this message appears:
The system has been interrupted prior to initializing the flash file system.

Step 7  At the switch prompt, enter privileged EXEC mode:
        Switch> enable
Step 8  Rename the configuration file to its original name:
        Switch# rename flash:config.text.old flash:config.text

Note: Before continuing to Step 9, power on any connected stack members and wait until they have completely initialized. Failure to follow this step can result in a lost configuration depending on how your switch is set up.

Procedure with Password Recovery Disabled

If the password-recovery mechanism is disabled, this message appears:
The password-recovery mechanism has been triggered, but is currently disabled. Access to the boot loader prompt through the password-recovery mechanism is disallowed at this point. However, if you agree to let the system be reset back to the default system configuration, access to the boot loader prompt can still be allowed.

The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, and allows spaces but ignores leading spaces.

Step 8  Return to privileged EXEC mode:
        Switch(config)# exit
        Switch#

Note: Before continuing to Step 9, power on any connected stack members and wait until they have completely initialized.

Preventing Switch Stack Problems

Use the switch current-stack-member-number renumber new-stack-member-number global configuration command to manually assign a stack member number. For more information about stack member numbers, see the “Stack Member Numbers” section on page 6-8. If you replace a stack member with an identical model, the new switch functions with the exact same configuration as the replaced switch.

Monitoring SFP Module Status

Note: The security error message references the GBIC_SECURITY facility. The switch supports SFP modules and does not support GBIC modules. Although the error message text refers to GBIC interfaces and modules, the security messages actually refer to the SFP modules and module interfaces. For more information about error messages, see the system message guide for this release.

Understanding Ping

The switch supports IP ping, which you can use to test connectivity to remote hosts. Ping sends an echo request packet to an address and waits for a reply. Ping returns one of these responses:
• Normal response—The normal response (hostname is alive) occurs in 1 to 10 seconds, depending on network traffic.
• Destination does not respond—If the host does not respond, a no-answer message is returned.

Table 47-1 describes the possible ping character output.

Table 47-1 Ping Output Display Characters

Character  Description
!          Each exclamation point means receipt of a reply.
.          Each period means the network server timed out while waiting for a reply.
U          A destination unreachable error PDU was received.
C          A congestion experienced packet was received.
I          User interrupted test.
?          Unknown packet type.
&          Packet lifetime exceeded.

Using Layer 2 Traceroute

• A switch is reachable from another switch when you can test connectivity by using the ping privileged EXEC command. All switches in the physical path must be reachable from each other.
• The maximum number of hops identified in the path is ten.
• You can enter the traceroute mac or the traceroute mac ip privileged EXEC command on a switch that is not in the physical path from the source device to the destination device.

Understanding IP Traceroute

You can use IP traceroute to identify the path that packets take through the network on a hop-by-hop basis. The command output displays all network layer (Layer 3) devices, such as routers, that the traffic passes through on the way to the destination. Your switches can participate as the source or destination of the traceroute privileged EXEC command and might or might not appear as a hop in the traceroute command output.

4 171.9.4.5 0 msec 4 msec 0 msec
5 171.9.121.34 0 msec 4 msec 4 msec
6 171.9.15.9 120 msec 132 msec 128 msec
7 171.9.15.10 132 msec 128 msec 128 msec
Switch#

The display shows the hop count, the IP address of the router, and the round-trip time in milliseconds for each of the three probes that are sent.

Table 47-2 Traceroute Output Display Characters

Character  Description
*          The probe timed out.
?          Unknown packet type.
A          Administratively unreachable.
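The traceroute output above is often captured from many switches during an incident, so it helps to parse it mechanically rather than eyeball it. The following Python parser is an added example and is not code from the guide or from Cisco: it reads hop lines in the format shown (hop number, router address, then three probes, each either "<n> msec" or one of the display characters from Table 47-2), records lost probes per hop, lists hops that never answered, and finds the hop where median latency rises most. The sample traceroute embedded in the block is constructed for the example; its addresses and timings are made up. Only the three display characters visible in Table 47-2 are recognised; any other token raises an error rather than being silently skipped.

```python
import re
import statistics
from dataclasses import dataclass, field
from typing import List, Optional

# Probe display characters from Table 47-2 (only the ones listed on this page).
PROBE_CODES = {
    "*": "the probe timed out",
    "?": "unknown packet type",
    "A": "administratively unreachable",
}

# Constructed sample in the layout of the traceroute output quoted above;
# the addresses and timings are made up, not taken from the guide.
SAMPLE_TRACEROUTE = """\
Type escape sequence to abort.
Tracing the route to 171.9.15.10
  1 171.9.4.1 4 msec 0 msec 4 msec
  2 171.9.4.5 0 msec * 4 msec
  3 * * *
  4 171.9.15.9 120 msec 132 msec 128 msec
  5 171.9.15.10 140 msec A A
Switch#
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")
ADDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Hop:
    index: int
    address: Optional[str]                          # None when no probe was answered
    rtts_ms: List[int] = field(default_factory=list)
    codes: List[str] = field(default_factory=list)  # Table 47-2 codes of failed probes

    @property
    def lost(self) -> int:
        return len(self.codes)


def parse_traceroute(text: str) -> List[Hop]:
    """Parse hop lines; banner lines and the prompt are skipped."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop = Hop(index=int(m.group(1)), address=None)
        tokens = m.group(2).split()
        if tokens and ADDR_RE.match(tokens[0]):
            hop.address = tokens.pop(0)
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok.isdigit() and i + 1 < len(tokens) and tokens[i + 1] == "msec":
                hop.rtts_ms.append(int(tok))    # answered probe: "<n> msec"
                i += 2
            elif tok in PROBE_CODES:
                hop.codes.append(tok)           # failed probe: one display character
                i += 1
            else:
                raise ValueError(f"unrecognised token {tok!r} at hop {hop.index}")
        hops.append(hop)
    return hops


def unreachable_hops(hops: List[Hop]) -> List[int]:
    """Hops where every probe failed, so no address was printed."""
    return [h.index for h in hops if h.address is None]


def largest_latency_jump(hops: List[Hop]) -> Optional[int]:
    """Hop whose median RTT rose most over the previous hop that answered."""
    best_hop, best_jump, prev = None, None, None
    for h in hops:
        if not h.rtts_ms:
            continue
        med = statistics.median(h.rtts_ms)
        if prev is not None:
            jump = med - prev
            if best_jump is None or jump > best_jump:
                best_hop, best_jump = h.index, jump
        prev = med
    return best_hop


def describe(hop: Hop) -> str:
    where = hop.address or "no reply"
    failures = ", ".join(PROBE_CODES[c] for c in hop.codes)
    text = f"hop {hop.index}: {where}; rtts {hop.rtts_ms}; lost {hop.lost}"
    return text + (f" ({failures})" if failures else "")


if __name__ == "__main__":
    for h in parse_traceroute(SAMPLE_TRACEROUTE):
        print(describe(h))
```

A hop that answers none of its three probes is not necessarily down; it may simply not send ICMP errors, so compare it with the hops after it before drawing conclusions.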
Using TDR

Use TDR to diagnose and resolve cabling problems in these situations:
• Replacing a switch
• Setting up a wiring closet
• Troubleshooting a connection between two devices when a link cannot be established or when it is not operating properly

When you run TDR, the switch reports accurate information if:
• The cable for the Gigabit link is a solid-core cable.
• The open-ended cable is not terminated.

Enabling Debugging on a Specific Feature

In a switch stack, when you enable debugging, it is enabled only on the stack master. To enable debugging on a stack member, you must start a session from the stack master by using the session switch-number privileged EXEC command. Then, enter the debug command at the command-line prompt of the stack member. All debug commands are entered in privileged EXEC mode, and most debug commands take no arguments.

Possible destinations include the console, virtual terminals, internal buffer, and UNIX hosts running a syslog server. The syslog format is compatible with 4.3 Berkeley Standard Distribution (BSD) UNIX and its derivatives.

Note: Be aware that the debugging destination you use affects system overhead. Logging messages to the console produces very high overhead, whereas logging messages to a virtual terminal produces less overhead.

Using the show platform forward Command

Lookup     Key-Used
OutptACL   50_0D020202_0D010101-00_40000014_000A0000
Port     Vlan  SrcMac          DstMac          Cos
Gi1/0/1  0005  0001.0001.0001  0002.0002.0002
------------------------------------------
Packet 2
Lookup     Key-Used
OutptACL   50_0D020202_0D010101-00_40000014_000A0000
Port     Vlan  SrcMac          DstMac          Cos
Gi1/0/2  0005  0001.0001.0001  0002.0002.

Lookup Used:Secondary
Station Descriptor:02260000, DestIndex:0226, RewriteIndex:0000

This is an example of the output when the packet coming in on port 1 in VLAN 5 has a destination MAC address set to the router MAC address in VLAN 5 and the destination IP address set to an IP address that is in the IP routing table. It should be forwarded as specified in the routing table.

Switch# show platform forward gigabitethernet1/0/1 vlan 5 1.1.1 03.e319.

Using the crashinfo Files

file is created, you can use the rename privileged EXEC command to rename it, but the contents of the renamed file will not be displayed by the show stacks or the show tech-support privileged EXEC command. You can delete crashinfo files by using the delete privileged EXEC command.

Using On-Board Failure Logging

• Uptime data—Time when a standalone switch or a stack member starts, the reason the switch restarts, and the length of time the switch has been running since it last restarted
• Voltage—System voltages of a standalone switch or a stack member

You should manually set the system clock or configure it by using Network Time Protocol (NTP).

Table 47-3 Commands for Displaying OBFL Information (continued)

Command / Purpose
show logging onboard [module [switch-number]] poe
    Display the power consumption of PoE ports on a standalone switch or the specified stack members.
show logging onboard [module [switch-number]] temperature
    Display the temperature of a standalone switch or the specified switch stack members.

Troubleshooting CPU Utilization

Verifying the Problem and Cause

To determine if high CPU utilization is a problem, enter the show processes cpu sorted privileged EXEC command. Note the CPU utilization values in the first line of the output example.

Switch# show processes cpu sorted
CPU utilization for five seconds: 8%/0%; one minute: 7%; five minutes: 8%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 309    42289103    752750      56180  1.75%  1.20%  1.
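Sustained high CPU on a switch is both an availability problem and a signal worth alerting on, since control-plane saturation is what a flood of punted traffic looks like from the inside. The following Python block is an added example, not code from the guide or from Cisco: it parses the show processes cpu sorted output in the layout quoted above, splits the first line's pair of percentages into total and interrupt-level time, lists the busiest processes, and applies a simple triage heuristic. Both samples embedded in the block are constructed (their numbers and process names are made up), and the 50% threshold and the "interrupt versus process" rule are assumptions of this example rather than values the guide states.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed samples in the layout of the show processes cpu sorted output
# quoted above; the numbers and process names are made up, not from the guide.
SAMPLE_NORMAL = """\
CPU utilization for five seconds: 8%/0%; one minute: 7%; five minutes: 8%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 309    42289103    752750      56180  1.75%  1.20%  1.22%   0 RIP Timers
 174     6829342   1321443       5167  0.95%  0.89%  0.98%   0 Spanning Tree
   4     1245321     65432      19033  0.31%  0.22%  0.19%   0 Check heaps
"""

SAMPLE_HIGH = """\
CPU utilization for five seconds: 94%/71%; one minute: 90%; five minutes: 88%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 102    98127364  88123456       1113 18.11% 17.60% 17.02%   0 IP Input
 309    42289103    752750      56180  1.75%  1.20%  1.22%   0 RIP Timers
"""

HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"(\d+(?:\.\d+)?)%\s+(\d+(?:\.\d+)?)%\s+(\d+(?:\.\d+)?)%\s+(\S+)\s+(.*\S)\s*$"
)


@dataclass
class Process:
    pid: int
    five_sec: float
    one_min: float
    five_min: float
    name: str          # process names may contain spaces, so it is the trailing field


@dataclass
class CpuReport:
    total_5s: int      # first number of the pair: all CPU time over five seconds
    interrupt_5s: int  # second number: the part spent at interrupt level (packet handling)
    one_min: int
    five_min: int
    processes: List[Process]

    @property
    def process_5s(self) -> int:
        """Time used by scheduled processes: total minus interrupt level."""
        return self.total_5s - self.interrupt_5s


def parse_cpu(text: str) -> CpuReport:
    header = None
    procs: List[Process] = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            header = tuple(int(g) for g in m.groups())
            continue
        r = ROW_RE.match(line)          # the column-title line does not match
        if r:
            procs.append(Process(int(r.group(1)), float(r.group(5)),
                                 float(r.group(6)), float(r.group(7)), r.group(9)))
    if header is None:
        raise ValueError("no 'CPU utilization' header line found")
    return CpuReport(*header, procs)


def top_processes(report: CpuReport, n: int = 3) -> List[Process]:
    return sorted(report.processes, key=lambda p: p.five_sec, reverse=True)[:n]


# The 50% threshold is an assumed value for this example, not one the guide states.
def is_high(report: CpuReport, threshold: int = 50) -> bool:
    return report.five_min >= threshold


def likely_cause(report: CpuReport, threshold: int = 50) -> str:
    """Triage heuristic (an assumption of this example): 'ok' below the threshold,
    'interrupt' when at least half of the load is interrupt-level time (traffic
    being handled by the CPU), otherwise 'process' (a scheduled process dominates)."""
    if not is_high(report, threshold):
        return "ok"
    if report.interrupt_5s * 2 >= report.total_5s:
        return "interrupt"
    return "process"
```

Run parse_cpu on the captured command output, alert when is_high returns True, and use likely_cause together with top_processes to decide whether to look at traffic reaching the CPU or at a specific process first.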
Chapter 48 Configuring Online Diagnostics

This chapter describes how to configure the online diagnostics on the switch.

Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

Configuring Online Diagnostics

You must configure the failure threshold and the interval between tests before enabling diagnostic monitoring. This section has this information:
• Scheduling Online Diagnostics, page 48-2
• Configuring Health-Monitoring Diagnostics, page 48-3

Scheduling Online Diagnostics

You can schedule online diagnostics to run at a designated time of day or on a daily, weekly, or monthly basis for a switch.

This example shows how to schedule diagnostic testing to occur weekly at a specific time on member switch 6 when this command is entered on a stack master:
Switch(config)# diagnostic schedule switch 6 test 1-4,7 weekly saturday 10:30

For more examples, see the “Examples” section of the diagnostic schedule command in the command reference for this release.

Step 4  diagnostic monitor threshold switch number test {name | test-id | test-id-range | all} failure count count
        (Optional) Set the failure threshold for the health-monitoring tests. The switch number keyword is supported only on stacking-capable switches. The range is from 1 to 9.

• To configure the switch not to generate a syslog message when the health-monitoring test fails, use the no diagnostic monitor syslog global configuration command.
• To return to the default failure threshold, use the no diagnostic monitor threshold switch number test {name | test-id | test-id-range | all} failure count count global configuration command.

Running Online Diagnostic Tests

This example shows how to start a diagnostic test by using the test name:
Switch# diagnostic start switch 2 test TestInlinePwrCtlr

This example shows how to start all of the basic diagnostic tests:
Switch# diagnostic start switch 1 test all

Displaying Online Diagnostic Tests and Test Results

You can display the online diagnostic tests that are configured for the switch or switch stack and check the test results by using the privi
Appendix A Supported MIBs

This appendix lists the supported management information bases (MIBs) for this release on the switch. It contains these sections:
• MIB List, page A-1
• Using FTP to Access the MIB Files, page A-4

MIB List

• BRIDGE-MIB
Note: The BRIDGE-MIB supports the context of a single VLAN. By default, SNMP messages using the configured community string always provide information for VLAN 1.
• CISCO-IETF-ISIS-MIB (Only with the IP services feature sets)
• CISCO-IF-EXTENSIONS-MIB
• CISCO-IGMP-FILTER-MIB
• CISCO-IMAGE-MIB (Only stack master feature set details are shown.)
• CISCO-IP-STAT-MIB
• CISCO-L2L3-INTERFACE-CONFIG-MIB
• CISCO-LAG-MIB
• CISCO-MAC-NOTIFICATION-MIB
• CISCO-MEMORY-POOL-MIB (Only stack master feature set details are shown.
• IEEE8021-PAE-MIB
• IEEE8023-LAG-MIB
• IF-MIB (In and out counters for VLANs are not supported.)
• IGMP-MIB
• INET-ADDRESS-MIB
• IPMROUTE-MIB
• OLD-CISCO-CHASSIS-MIB (Partial support on stacking-capable switches; some objects reflect only the stack master.)
• OLD-CISCO-CPU-MIB
• OLD-CISCO-FLASH-MIB (Supports only the stack master in a switch stack. Use CISCO-FLASH-MIB.

Using FTP to Access the MIB Files

You can get each MIB file by using this procedure:
Step 1 Make sure that your FTP client is in passive mode.
Note: Some FTP clients do not support passive mode.
Step 2 Use FTP to access the server ftp.cisco.com.
Step 3 Log in with the username anonymous.
Step 4 Enter your e-mail username when prompted for the password.
Step 5 At the ftp> prompt, change directories to /pub/mibs/v1 and /pub/mibs/v2.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images

This appendix describes how to manipulate the switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch or to a switch stack. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Working with the Flash File System

• Changing Directories and Displaying the Working Directory, page B-4
• Creating and Removing Directories, page B-5
• Copying Files, page B-5
• Deleting Files, page B-6
• Creating, Displaying, and Extracting Files, page B-6

Displaying Available File Systems

To display the available file systems on your switch, use the show file systems privileged EXEC command as shown i

Table B-1 show file systems Field Descriptions (continued)
Field: Type
Value: Type of file system.
flash: The file system is for a flash memory device.
nvram: The file system is for an NVRAM device.
opaque: The file system is a locally generated pseudo file system (for example, the system) or a download interface, such as brimux.
unknown: The file system is an unknown type.

To display information about files on a file system, use one of the privileged EXEC commands in Table B-2:

Table B-2 Commands for Displaying Information About Files
Command: dir [/all] [filesystem:][filename]
Description: Display a list of files on a file system.
Command: show file systems
Description: Display more information about each of the files on a file system.

Creating and Removing Directories

Beginning in privileged EXEC mode, follow these steps to create and remove a directory:
Step 1
Command: dir filesystem:
Purpose: Display the directories on the specified file system. For filesystem:, use flash: for the system board flash device.
Step 2
Command: mkdir old_configs
Purpose: Create a new directory.

Some invalid combinations of source and destination exist.

Beginning in privileged EXEC mode, follow these steps to create a file, display the contents, and extract it.
Step 1
Command: archive /create destination-url flash:/file-url
Purpose: Create a file and add files to it. For destination-url, specify the destination URL alias for the local or network file system and the name of the file to create. The -filename.

Step 3
Command: archive /xtract source-url flash:/file-url [dir/file...]
Purpose: Extract a file into a directory on the flash file system. For source-url, specify the source URL alias for the local file system. The -filename. is the file from which to extract files.
Working with Configuration Files

Guidelines for Creating and Using Configuration Files

Creating configuration files can aid in your switch configuration. Configuration files can contain some or all of the commands needed to configure one or more switches. For example, you might want to download the same configuration file to several switches that have the same hardware configuration.

Creating a Configuration File By Using a Text Editor

When creating a configuration file, you must list commands logically so that the system can respond appropriately. This is one method of creating a configuration file:
Step 1 Copy an existing configuration from a switch to a server.

• Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).
• For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.
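Because a configuration file staged on a TFTP server must be world-readable, every credential in it is exposed to any host that can reach the server. The following Python script is an added example, not part of this guide: it scans a constructed sample IOS configuration for lines that carry credentials (password and secret lines of any type, SNMP community strings) and produces a redacted copy for staging; the sample configuration and the category names are assumptions.

```python
"""Check a saved Cisco IOS configuration for credentials before staging it on a
world-readable TFTP directory, and produce a redacted copy."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int    # 1-based line number in the configuration text
    category: str   # kind of credential found on the line
    line: str       # the offending line, unmodified


# Constructed sample configuration (not taken from the guide).
SAMPLE_CONFIG = """\
!
version 12.2
service password-encryption
hostname blade-sw1
!
enable secret 5 $1$abcd$EXAMPLEHASHxxxxxxxxxxxx
username admin password 7 0822455D0A16
!
snmp-server community public RO
snmp-server community s3cret RW
!
ip ftp username backup
ip ftp password 7 104D000A0618
!
line vty 0 4
 password 7 02050D480809
 login
!
end
"""

# "... password|secret [type] value": enable, username, line, ip ftp, and so on.
# The keyword must be followed by a space, so "service password-encryption" does not match.
_PASSWORD_RE = re.compile(
    r"^(?P<prefix>.*?)\b(?P<kw>password|secret)(?: (?P<type>\d))? (?P<value>\S+)\s*$"
)
# "snmp-server community <string> [RO|RW] [acl]": the community string is the credential.
_SNMP_RE = re.compile(r"^(?P<prefix>\s*snmp-server community )(?P<value>\S+)(?P<rest>.*)$")


def classify_password(ptype) -> str:
    """Map the IOS password type digit to a risk category."""
    if ptype is None or ptype == "0":
        return "cleartext-password"
    if ptype == "7":
        return "type7-reversible"    # reversible encoding, not encryption
    if ptype == "5":
        return "type5-md5-hash"      # salted MD5 hash; crackable offline
    return "other-hash"


def find_secrets(config_text: str) -> List[Finding]:
    """Return every line that carries a credential, with its category."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), start=1):
        if _SNMP_RE.match(line):
            findings.append(Finding(n, "snmp-community", line))
            continue
        m = _PASSWORD_RE.match(line)
        if m:
            findings.append(Finding(n, classify_password(m.group("type")), line))
    return findings


def redact(config_text: str, placeholder: str = "<REDACTED>") -> str:
    """Replace credential values with a placeholder, keeping the rest of the line."""
    out = []
    for line in config_text.splitlines():
        m = _SNMP_RE.match(line)
        if m:
            out.append(f"{m.group('prefix')}{placeholder}{m.group('rest')}")
            continue
        m = _PASSWORD_RE.match(line)
        if m:
            type_part = f" {m.group('type')}" if m.group("type") else ""
            out.append(f"{m.group('prefix')}{m.group('kw')}{type_part} {placeholder}")
            continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_CONFIG):
        print(f"line {f.line_no:3d} [{f.category}] {f.line.strip()}")
    print(redact(SAMPLE_CONFIG))
```

Run the scan against the file you intend to upload; anything it reports will be readable by every client of the TFTP server once the file is in /tftpboot.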
Step 3 Upload the switch configuration to the TFTP server. Specify the IP address or hostname of the TFTP server and the destination filename.

These sections contain this configuration information:
• Preparing to Download or Upload a Configuration File By Using FTP, page B-14
• Downloading a Configuration File By Using FTP, page B-14
• Uploading a Configuration File By Using FTP, page B-15

Preparing to Download or Upload a Configuration File By Using FTP

Before you begin downloading or uploading a configuration file

Step 6
Command: end
Purpose: Return to privileged EXEC mode.
Step 7
Command: copy ftp:[[[//[username[:password]@]location]/directory]/filename] system:running-config
Purpose: Using FTP, copy the configuration file from a network server to the running configuration or to the startup configuration file.

Step 3
Command: configure terminal
Purpose: Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6).
Step 4
Command: ip ftp username username
Purpose: (Optional) Change the default remote username.
Step 5
Command: ip ftp password password
Purpose: (Optional) Change the default password.

The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list:
• The username specified in the copy command if a username is specified.

Downloading a Configuration File By Using RCP

Beginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP:
Step 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using RCP” section on page B-17.

Uploading a Configuration File By Using RCP

Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP:
Step 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using RCP” section on page B-17.

Clearing the Startup Configuration File

To clear the contents of your startup configuration, use the erase nvram: or the erase startup-config privileged EXEC command.
Caution: You cannot restore the startup configuration file after it has been deleted.

You use the archive config privileged EXEC command to save configurations in the configuration archive by using a standard location and filename prefix that is automatically appended with an incremental version number (and optional timestamp) as each consecutive file is saved. You can specify how many versions of the running configuration are kept in the archive.

• Make sure that the switch also has sufficient free memory to execute the configuration replacement or rollback configuration commands.
• Certain configuration commands, such as those pertaining to physical components of a networking device (for example, physical interfaces), cannot be added or removed from the running configuration.

Performing a Configuration Replacement or Rollback Operation

Starting in privileged EXEC mode, follow these steps to replace the running configuration file with a saved configuration file:
Step 1
Command: archive config
Purpose: (Optional) Save the running configuration file to the configuration archive.
Working with Software Images

Note: Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command, we recommend using the archive download-sw and archive upload-sw privileged EXEC commands to download and upload software image files. For switch stacks, the archive download-sw and archive upload-sw privileged EXEC commands can only be used through the stack master.

Image Location on the Switch

The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management. The image is stored on the system board flash memory (flash:). You can use the show version privileged EXEC command to see the software version that is currently running on your switch.

Table B-3 info File Description (continued)
Field: total_image_file_size
Description: Specifies the size of all the images (the Cisco IOS image and the web management files) in the file, which is an approximate measure of the flash memory needed.

Note: You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot command (on SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x). For more information on the TFTP daemon, see the documentation for your workstation.

Step 3
Command: archive download-sw /allow-feature-upgrade [/directory] /overwrite /reload tftp:[[//location]/directory]/image-name1.tar [image-name2.tar image-name3.tar image-name4.tar]
Purpose: (Optional) Download the image files from the TFTP server to the switch, and overwrite the current image.

The algorithm installs the downloaded image on the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.

You upload a switch image file to a server for backup purposes. You can use this uploaded image for future downloads to the switch or another switch of the same type.

Before you begin downloading or uploading an image file by using FTP, do these tasks:
• Ensure that the switch has a route to the FTP server. The switch and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the FTP server by using the ping command.

Step 7
Command: archive download-sw /allow-feature-upgrade [/directory] /overwrite /reload tftp:[[//location]/directory]/image-name1.tar [image-name2.tar image-name3.tar image-name4.tar]
Purpose: (Optional) Download the image files from the FTP server to the switch, and overwrite the current image.

The download algorithm verifies that the image is appropriate for the switch model and that enough DRAM is present, or it aborts the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the flash device, whether or not it is the same as the new one, downloads the new image, and then reloads the software.

Step 6
Command: end
Purpose: Return to privileged EXEC mode.
Step 7
Command: archive upload-sw ftp:[[//[username[:password]@]location]/directory]/image-name.tar
Purpose: Upload the currently running switch image to the FTP server.
• For //username:password, specify the username and password. These must be associated with an account on the FTP server.

Preparing to Download or Upload an Image File By Using RCP

RCP provides another method of downloading and uploading image files between remote hosts and the switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented. To use RCP to copy files, the server from or to which you will be copying files must support RCP.

• When you upload an image to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server.

Step 6
Command: archive download-sw /allow-feature-upgrade [/directory] /overwrite /reload tftp:[[//location]/directory]/image-name1.tar [image-name2.tar image-name3.tar image-name4.tar]
Purpose: Download the image files from the RCP server to the switch and overwrite the current image.

The download algorithm verifies that the image is appropriate for the switch model and that enough DRAM is present, or it aborts the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the flash device whether or not it is the same as the new one, downloads the new image, and then reloads the software.

Step 5
Command: end
Purpose: Return to privileged EXEC mode.
Step 6
Command: archive upload-sw rcp:[[[//[username@]location]/directory]/image-name.tar]
Purpose: Upload the currently running switch image to the RCP server.
• For //username, specify the username; for the RCP copy request to execute, define an account on the network server for the remote username.

Beginning in privileged EXEC mode from the stack member that you want to upgrade, follow these steps to copy the running image file from the flash memory of a different stack member:
Step 1
Command: archive copy-sw /destination-system destination-stack-member-number /force-reload source-stack-member-number
Purpose: Copy the running image file from a stack member, and then unconditio
Appendix C Unsupported Commands in Cisco IOS Release 12.2(50)SE

This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the switch prompt but are not supported in this release, either because they are not tested or because of switch hardware limitations. This is not a complete list. The unsupported commands are listed by software feature and command mode.

Debug Commands

Note: This section applies only to stacking-capable switches.

IP Unicast Routing

The show ip mpacket commands are supported but are only useful for packets received at the switch CPU. If the route is hardware-switched, the command has no effect because the CPU does not receive the packet and cannot display it.

Network Address Translation (NAT) Commands

Unsupported Privileged EXEC Commands
show ip nat statistics
show ip nat translations

QoS

Unsupported Global Configuration Command
priority-list

Unsupported Interface Configuration Commands
priority-group
rate-limit

Unsupported Policy-Map Configuration Command
class class-default
where class-default is the class-map-name.
Index NTP open1x associations configuring authenticating defined open1x authentication 7-4 overview 7-2 enabling broadcast messages peer See OSPF optimizing system resources 7-5 default configuration options, management 7-4 displaying the configuration overview 1-5 area parameters, configuring 7-2 configuring creating an access group source IP address, configuring 38-29 metrics 7-10 route 7-10 38-33 38-33 settings 7-2 described 1-6 synchronizing devices for IPv6 7-5 time
Index passwords PIM (continued) default configuration 8-2 enabling a mode disabling recovery of 8-5 overview encrypting overview 1-9 8-1 recovery of 44-35 shortest path tree, delaying the use of 44-37 sparse mode 47-3 join messages and shared tree enable overview 8-3 enable secret Telnet RPF lookups with usernames 44-5 44-9 stub routing 8-6 14-8 path cost MSTP 44-5 44-5 prune messages 8-3 8-6 VTP domain 44-38 shared tree and source tree, overview setting STP 44-4 rou
Index policy-based routing port-based authentication (continued) See PBR switch-to-client frame-retransmission number 10-46 policy maps for QoS characteristics of described switch-to-client retransmission time 36-48 violation mode 36-7 displaying violation modes 36-79 hierarchical described hierarchical on SVIs configuration guidelines configuring described 10-32 10-2 displaying statistics 10-67 downloadable ACLs and redirect URLs 36-11 configuring nonhierarchical on physical ports co
Index port-based authentication (continued) port-channel ports See EtherChannel authorization state and dot1x port-control command 10-10 authorized and unauthorized critical 10-10 10-20 voice VLAN 10-21 Port Fast described 20-2 enabling 20-12 support for and voice VLAN described 10-23 MSTP 10-12 STP readiness check 10-38 10-66 stack changes, effects of statistics, displaying protected 10-3 RADIUS client 10-3 10-57 10-30 11-4 secure 26-8 10-36 switch 11-2 trunks 13-3, 13-16
Index port VLAN ID TLV private VLANs (continued) 28-2 power management TLV isolated 28-2, 28-7 preemption, default configuration promiscuous 21-8 preemption delay, default configuration 21-8 preferential treatment of traffic See QoS prefix lists, BGP 16-2 16-1, 16-3 promiscuous ports 16-2 secondary VLANs 16-2 traffic in 8-1 16-1 16-5 privileged EXEC mode 21-2 primary VLANs primary VLANs subdomains 38-57 preventing unauthorized access primary links 16-2 2-2 privilege levels 16
Index pruning-eligible list changing QoS (continued) policy maps, described 13-23 for VTP pruning VLANs 14-5 14-14 PVST+ 36-7 trust DSCP, described 36-5 trusted CoS, described 36-5 trust IP precedence, described described class maps 18-10 IEEE 802.
Index QoS (continued) QoS (continued) flowchart marked-down actions 36-17 mapping DSCP or CoS values scheduling, described enabling globally overview 36-4 setting WTD thresholds WTD, described marking, described 36-73 configuring flowcharts described 36-6 egress queueing and scheduling 36-17 ingress queueing and scheduling implicit deny 36-78 number of 36-33 36-9 36-8 policing allocating bandwidth 36-4, 36-8 token bucket algorithm 36-68 allocating buffer space configuring shared
Index queries, IGMP Rapid Spanning Tree Protocol 24-4 query solicitation, IGMP See RSTP 24-13 RARP 38-10 RCP R configuration files downloading RADIUS overview attributes vendor-proprietary vendor-specific B-16 preparing the server 8-31 uploading 8-29 accounting B-19 deleting old image 8-28 authentication authorization downloading 8-23 multiple UDP ports uploading 8-21, 8-29 communication, per-server default configuration 8-20, 8-21 port-based authentication 8-20 displaying
Index Remote Network Monitoring RFC (continued) See RMON 2273-2275, SNMPv3 Remote SPAN RIP See RSPAN remote SPAN advertisements 38-21 authentication 30-3 report suppression, IGMP configuring 38-23 38-22 described 24-6 default configuration disabling 24-16, 25-11 described resequencing ACL entries resets, in BGP for IPv6 34-15 29-6 responder, IP SLAs described 38-24 1-12 41-4 default configuration 31-3 31-6 enabling alarms and events 10-49 groups supported 10-19 using with
Index route maps BGP RSPAN (continued) 30-3 sessions 38-55 policy-based routing 38-101 router ACLs creating 30-18 defined 30-4 defined 34-2 limiting source traffic to specific VLANs types of 34-4 specifying monitored ports 30-18 with ingress traffic enabled 30-22 route reflectors, BGP router ID, OSPF 38-63 source ports 38-35 route selection, BGP route summarization, OSPF route targets, VPN VLAN-based 38-32 19-9 BPDU 38-3 dynamic format 38-3 redistribution of information
Index service-provider networks S and customer VLANs scheduled reloads 3-21 17-2 and IEEE 802.
Index Smartports macros (continued) default configuration defined status, displaying 12-2 tracing 33-18 system contact and location 12-1 displaying SNAP SNMP (continued) trap manager, configuring 12-8 33-16 33-13 traps 12-3 described 27-1 SNMP 33-3, 33-5 differences from informs accessing MIB variables with 33-4 agent disabling 33-15 enabling 33-11 33-5 described 33-4 enabling MAC address notification disabling 33-7 overview and IP SLAs types of 41-2 authentication level
Index SPAN SSH and stack changes configuring 30-10 configuration guidelines default configuration 8-39 described 30-12 1-6, 8-38 encryption methods 30-11 8-38 destination ports 30-8 switch stack considerations displaying status 30-28 user authentication methods, supported interaction with other features monitored ports overview configuration guidelines 30-8 1-14, 30-1 ports, restrictions received traffic session limits 8-45 configuring a secure HTTP client 8-48 configuring a secu
Index stack changes stack member (continued) effects on displaying information of IPv6 routing IPv6 39-9 stack changes, effects on ACL configuration CDP EtherChannel replacing 37-12 46-3 40-5 IEEE 802.
Index stacks, switch (continued) managing version-mismatch (VM) mode 6-1 membership merged stacks, switch (continued) automatic upgrades with auto-upgrade 6-3 6-3 MSTP instances supported 18-10 multicast routing, stack master and member roles 44-10 StackWise Plus technology, Cisco 6-10 6-11 effects of replacing a provisioned switch 6-11 provisioned configuration, defined provisioned switch, defined 6-9 provisioning a new member 6-25 6-9 6-11 standby links 40-7 21-2 40-1 manually 40-1
Index statistics CDP STP (continued) configuring 27-5 IEEE 802.
Index STP (continued) STP (continued) interface states root switch blocking 18-6 configuring disabled 18-7 effects of extended system ID forwarding election 18-6, 18-7 18-16 18-3 learning 18-7 unexpected behavior listening 18-7 shutdown Port Fast-enabled port overview 18-5 stack changes, effects of interoperability and compatibility among modes 18-11 keepalive messages 18-2 status, displaying 17-8 superior BPDU 18-11 load sharing 13-24 using path costs enabling 20-15 18-11
Index Switch Database Management system message logging (continued) See SDM level keywords, described switched packets, ACLs on limiting messages 34-37 Switched Port Analyzer message format See SPAN overview switched ports 32-2 32-1 switchport block unicast command switchport command setting the display destination device 21-4, 21-5 switchport block multicast command stack changes, effects of 26-8 syslog facility 11-17 switchport protected command 1-14 configuring the daemon facilit
Index TACACS+ (continued) TFTP (continued) configuring image files accounting deleting 8-17 authentication key authorization downloading 8-13 login authentication uploading 8-14 displaying the configuration overview TFTP server 8-17 See TDR 8-17 17-3 Layer 2 protocol time-range command 34-17 time ranges in ACLs 34-17 time stamps in log messages 17-7 tar files time zones 7-12 defined B-7 LLDP B-8 image file format 28-1 28-2 LLDP-MED B-25 28-2 Token Ring VLANs 1-14 Te
Index tracked lists troubleshooting (continued) configuring types with CiscoWorks 42-3 with debug commands 42-3 tracked objects with ping by Boolean expression by threshold weight 42-1 tracking process 42-1 trunking encapsulation configuring defined 42-9 13-21 11-3, 13-3 encapsulation blocking flooded 13-21, 13-26, 13-27 trunks 26-8 allowed-VLAN list 34-5 fragmented IPv6 configuring 35-2 ISL 34-5 13-22 13-21, 13-26, 13-27 13-16 load sharing 1-11 traffic suppression 1-8 t
Index tunnel ports described unicast MAC address filtering (continued) 11-4, 17-1 IEEE 802.
Index User Datagram Protocol VLAN link state See UDP 11-5 VLAN load balancing on flex links user EXEC mode configuration guidelines 2-2 username-based authentication described 8-6 21-8 21-2 VLAN management domain 14-2 VLAN Management Policy Server V See VMPS version-dependent transparent mode VLAN map entries, order of 14-4 VLAN maps version-mismatch (VM) mode automatic upgrades with auto-upgrade described upgrades with auto-extract 6-14 6-13 Virtual Private Network configuring
Index VLANs (continued) VMPS (continued) creating in config-vlan mode dynamic port membership 13-9 creating in VLAN configuration mode described 13-10 customer numbering in service-provider networks 17-3 default configuration deleting features retry count, changing configuring in the switch stack 13-6 described limiting source traffic with RSPAN limiting source traffic with SPAN normal-range voice-over-IP 15-1 15-3 override CoS of incoming frame 1-8 trust CoS priority of incoming fram
Index VRF VTP (continued) defining tables 38-78 38-76 VRF-aware services ARP ping disabling 14-12 domains 14-2 38-82 38-81 client 14-3, 14-11 server 14-3, 14-9 38-82 transitions syslog 38-83 transparent monitoring 38-84 traceroute uRPF 17-8 modes SNMP tftp 14-8 Layer 2 protocol tunneling 38-81 38-84 HSRP 14-1 domain names 38-81 configuring ftp described VRFs, configuring multicast 38-84 VTP adding a client to a domain advertisements 14-14 13-20, 14-3 and extended-ran
Index weight thresholds in tracked lists W 42-5 wired location service WCCP configuring authentication 43-4 displaying configuration guidelines default configuration described 43-6 43-2 displaying 43-10 28-3 1-3 described 43-5 forwarding method 36-13 egress queue-sets 43-3 Layer-2 header rewrite ingress queues 43-3 support for 36-71 36-67 1-12 43-4 message exchange 43-3 monitoring and maintaining 43-10 43-3 packet redirection 43-4 packet-return method 43-3 redirecting t
Index Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide IN-56 OL-13270-03