Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide Cisco IOS Release 12.
© 2005-2007 Hewlett-Packard Development Company, L.P. Microsoft®, Windows®, and Windows NT® are trademarks of Microsoft Corporation in the U.S. and other countries. Cisco® is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. SunOS™, Solaris™, and Java™ are trademarks of Sun Microsystems, Inc. in the U.S. and other countries. SecureCRT® is a registered trademark of VanDyke Software, Inc. in the U.S. and/or other countries.
CONTENTS

Preface xxix
  Audience xxix
  Purpose xxix
  Conventions xxx
  Related Publications xxx
  Obtaining Documentation, Obtaining Support, and Security Guidelines

CHAPTER 1 Overview 1-1
  Features 1-1
    Ease-of-Deployment and Ease-of-Use Features
    Performance Features 1-3
    Management Options 1-4
    Manageability Features 1-4
    Availability and Redundancy Features 1-5
    VLAN Features 1-6
    Security Features 1-7
    QoS and CoS Features 1-8
    Monitoring Features 1-9
  Default Settings After Initial Switch Configuration

  Using Editing Features 2-7
    Enabling and Disabling Editing Features 2-7
    Editing Commands through Keystrokes 2-7
    Editing Command Lines that Wrap 2-9
  Searching and Filtering Output of show and more Commands 2-10
  Accessing the CLI 2-10
    Accessing the CLI through a Console Connection or through Telnet 2-10

CHAPTER 3 Assigning the Switch IP Address and Default Gateway 3-1
  Understanding the Bootup Process 3-1
  Assigning Switch Information 3-2
    Default Switch Information 3-3
    Understanding DHCP-Based Autoconfiguration 3-3

    Default NTP Configuration 4-4
    Configuring NTP Authentication 4-4
    Configuring NTP Associations 4-5
    Configuring NTP Broadcast Service 4-6
    Configuring NTP Access Restrictions 4-8
    Configuring the Source IP Address for NTP Packets 4-10
    Displaying the NTP Configuration 4-11
  Configuring Time and Date Manually 4-11
    Setting the System Clock 4-11
    Displaying the Time and Date Configuration 4-12
    Configuring the Time Zone 4-12
    Configuring Summer Time (Daylight Saving Time) 4-13
  Configuring a System Name and Pr

    Setting or Changing a Static Enable Password 5-3
    Protecting Enable and Enable Secret Passwords with Encryption 5-3
    Disabling Password Recovery 5-5
    Setting a Telnet Password for a Terminal Line 5-6
    Configuring Username and Password Pairs 5-6
    Configuring Multiple Privilege Levels 5-7
      Setting the Privilege Level for a Command 5-8
      Changing the Default Privilege Level for Lines 5-9
      Logging into and Exiting a Privilege Level 5-9
  Controlling Switch Access with TACACS+ 5-10
    Understanding TACACS+ 5-10
    TA

    Configuring Kerberos 5-35
  Configuring the Switch for Local Authentication and Authorization 5-36
  Configuring the Switch for Secure Shell 5-37
    Understanding SSH 5-38
      SSH Servers, Integrated Clients, and Supported Versions 5-38
      Limitations 5-39
    Configuring SSH 5-39
      Configuration Guidelines 5-39
      Setting Up the Switch to Run SSH 5-39
      Configuring the SSH Server 5-40
    Displaying the SSH Configuration and Status 5-41
  Configuring the Switch for Secure Socket Layer HTTP 5-42
    Understanding Secure HTTP S

    Using IEEE 802.1x Authentication with Voice VLAN Ports 6-15
    Using IEEE 802.1x Authentication with Port Security 6-16
    Using IEEE 802.1x Authentication with Wake-on-LAN 6-16
    Using IEEE 802.1x Authentication with MAC Authentication Bypass 6-17
    Using Web Authentication 6-18
  Configuring IEEE 802.1x Authentication 6-19
    Default IEEE 802.1x Authentication Configuration 6-19
    IEEE 802.1x Authentication Configuration Guidelines 6-21
    IEEE 802.

    Trunk Ports 7-3
    EtherChannel Port Groups 7-3
    Connecting Interfaces 7-4
  Using Interface Configuration Mode 7-4
    Procedures for Configuring Interfaces 7-5
    Configuring a Range of Interfaces 7-6
    Configuring and Using Interface Range Macros 7-7
  Configuring Ethernet Interfaces 7-9
    Default Ethernet Interface Configuration 7-9
    Interface Speed and Duplex Mode 7-10
    Speed and Duplex Configuration Guidelines 7-10
    Setting the Interface Speed and Duplex Parameters
    Configuring IEEE 802.

    VLAN Configuration Mode Options 9-6
      VLAN Configuration in config-vlan Mode 9-6
      VLAN Configuration in VLAN Database Configuration Mode 9-6
    Saving VLAN Configuration 9-7
    Default Ethernet VLAN Configuration 9-7
    Creating or Modifying an Ethernet VLAN 9-8
    Deleting a VLAN 9-10
    Assigning Static-Access Ports to a VLAN 9-10
  Configuring Extended-Range VLANs 9-11
    Default VLAN Configuration 9-12
    Extended-Range VLAN Configuration Guidelines 9-12
    Creating an Extended-Range VLAN 9-12
  Displaying VLANs 9-14
  Co

    Troubleshooting Dynamic-Access Port VLAN Membership 9-30
    VMPS Configuration Example 9-30

CHAPTER 10 Configuring VTP 10-1
  Understanding VTP 10-1
    The VTP Domain 10-2
    VTP Modes 10-3
    VTP Advertisements 10-3
    VTP Version 2 10-4
    VTP Pruning 10-4
  Configuring VTP 10-6
    Default VTP Configuration 10-6
    VTP Configuration Options 10-7
      VTP Configuration in Global Configuration Mode 10-7
      VTP Configuration in VLAN Database Configuration Mode
    VTP Configuration Guidelines 10-8
      Domain Names 10-8
      Passwords 10-8
      V

CHAPTER 12 Configuring STP 12-1
  Understanding Spanning-Tree Features 12-1
    STP Overview 12-2
    Spanning-Tree Topology and BPDUs 12-3
    Bridge ID, Switch Priority, and Extended System ID 12-4
    Spanning-Tree Interface States 12-4
      Blocking State 12-6
      Listening State 12-6
      Learning State 12-6
      Forwarding State 12-6
      Disabled State 12-7
    How a Switch or Port Becomes the Root Switch or Root Port 12-7
    Spanning Tree and Redundant Connectivity 12-8
    Spanning-Tree Address Management 12-8
    Accelerated Aging to Retai

CHAPTER 13 Configuring MSTP 13-1
  Understanding MSTP 13-2
    Multiple Spanning-Tree Regions 13-2
    IST, CIST, and CST 13-3
      Operations Within an MST Region 13-3
      Operations Between MST Regions 13-4
      IEEE 802.1s Terminology 13-5
    Hop Count 13-5
    Boundary Ports 13-6
    IEEE 802.1s Implementation 13-6
      Port Role Naming Change 13-7
      Interoperation Between Legacy and Standard Switches
      Detecting Unidirectional Link Failure 13-8
    Interoperability with IEEE 802.

CHAPTER 14 Configuring Optional Spanning-Tree Features 14-1
  Understanding Optional Spanning-Tree Features 14-1
    Understanding Port Fast 14-2
    Understanding BPDU Guard 14-2
    Understanding BPDU Filtering 14-3
    Understanding UplinkFast 14-3
    Understanding BackboneFast 14-5
    Understanding EtherChannel Guard 14-7
    Understanding Root Guard 14-8
    Understanding Loop Guard 14-9
  Configuring Optional Spanning-Tree Features 14-9
    Default Optional Spanning-Tree Configuration 14-9
    Optional Spanning-Tree Configuratio

CHAPTER 16 Configuring DHCP Features 16-1
  Understanding DHCP Features 16-1
    DHCP Server 16-2
    DHCP Relay Agent 16-2
    DHCP Snooping 16-2
    Option-82 Data Insertion 16-3
  Configuring DHCP Features 16-5
    Default DHCP Configuration 16-5
    DHCP Snooping Configuration Guidelines 16-6
    Configuring the DHCP Relay Agent 16-7
    Enabling DHCP Snooping and Option 82 16-7
    Enabling the Cisco IOS DHCP Server Database 16-9
  Displaying DHCP Snooping Information 16-9

CHAPTER 17 Configuring IGMP Snooping and MVR 17-1
  U

  Configuring MVR 17-19
    Default MVR Configuration 17-19
    MVR Configuration Guidelines and Limitations 17-20
    Configuring MVR Global Parameters 17-20
    Configuring MVR Interfaces 17-21
  Displaying MVR Information 17-23
  Configuring IGMP Filtering and Throttling 17-23
    Default IGMP Filtering and Throttling Configuration 17-24
    Configuring IGMP Profiles 17-24
    Applying IGMP Profiles 17-25
    Setting the Maximum Number of IGMP Groups 17-26
    Configuring the IGMP Throttling Action 17-27
  Displaying IGMP Filtering an

CHAPTER 19 Configuring CDP 19-1
  Understanding CDP 19-1
  Configuring CDP 19-2
    Default CDP Configuration 19-2
    Configuring the CDP Characteristics 19-2
    Disabling and Enabling CDP 19-3
    Disabling and Enabling CDP on an Interface 19-4
  Monitoring and Maintaining CDP 19-5

CHAPTER 20 Configuring LLDP and LLDP-MED 20-1
  Understanding LLDP and LLDP-MED 20-1
    Understanding LLDP 20-1
    Understanding LLDP-MED 20-2
  Configuring LLDP and LLDP-MED 20-3
    Default LLDP Configuration 20-3
    Configuring LLDP Charac

    SPAN Sessions 22-3
    Monitored Traffic 22-4
    Source Ports 22-5
    Source VLANs 22-6
    VLAN Filtering 22-6
    Destination Port 22-6
    RSPAN VLAN 22-7
    SPAN and RSPAN Interaction with Other Features 22-8
  Configuring SPAN and RSPAN 22-9
    Default SPAN and RSPAN Configuration 22-9
    Configuring Local SPAN 22-9
      SPAN Configuration Guidelines 22-10
      Creating a Local SPAN Session 22-10
      Creating a Local SPAN Session and Configuring Incoming Traffic 22-13
      Specifying VLANs to Filter 22-14
    Configuring RSPAN 22-15
      RSPAN Config

    Setting the Message Display Destination Device 24-4
    Synchronizing Log Messages 24-5
    Enabling and Disabling Time Stamps on Log Messages 24-7
    Enabling and Disabling Sequence Numbers in Log Messages 24-7
    Defining the Message Severity Level 24-8
    Limiting Syslog Messages Sent to the History Table and to SNMP 24-9
    Configuring UNIX Syslog Servers 24-10
      Logging Messages to a UNIX Syslog Daemon 24-10
      Configuring the UNIX System Logging Facility 24-11
  Displaying the Logging Configuration

CHAPTER 25 Confi

    Creating Standard and Extended IPv4 ACLs 26-6
      Access List Numbers 26-6
      Creating a Numbered Standard ACL 26-7
      Creating a Numbered Extended ACL 26-8
      Resequencing ACEs in an ACL 26-12
      Creating Named Standard and Extended ACLs 26-12
      Using Time Ranges with ACLs 26-14
      Including Comments in ACLs 26-16
    Applying an IPv4 ACL to a Terminal Line 26-16
    Applying an IPv4 ACL to an Interface 26-17
    Hardware and Software Treatment of IP ACLs 26-18
    IPv4 ACL Configuration Examples 26-18
      Numbered ACLs 26-18
      Extended A

    Queueing and Scheduling Overview 27-13
      Weighted Tail Drop 27-13
      SRR Shaping and Sharing 27-14
      Queueing and Scheduling on Ingress Queues 27-15
      Queueing and Scheduling on Egress Queues 27-17
    Packet Modification 27-19
  Configuring Auto-QoS 27-20
    Generated Auto-QoS Configuration 27-21
    Effects of Auto-QoS on the Configuration 27-25
    Auto-QoS Configuration Guidelines 27-25
    Enabling Auto-QoS for VoIP 27-26
    Auto-QoS Configuration Example 27-27
  Displaying Auto-QoS Information 27-29
  Configuring Standard QoS

      Configuring the IP-Precedence-to-DSCP Map 27-59
      Configuring the Policed-DSCP Map 27-60
      Configuring the DSCP-to-CoS Map 27-61
      Configuring the DSCP-to-DSCP-Mutation Map 27-62
    Configuring Ingress Queue Characteristics 27-63
      Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds 27-64
      Allocating Buffer Space Between the Ingress Queues 27-65
      Allocating Bandwidth Between the Ingress Queues 27-65
      Configuring the Ingress Priority Queue 27-66
    Configuring Egress Queue Characteristics 27-6

    Configuring the LACP Port Priority 28-16
  Displaying EtherChannel, PAgP, and LACP Status 28-17
  Understanding Layer 2 Trunk Failover 28-17
  Configuring Layer 2 Trunk Failover 28-18
    Default Layer 2 Trunk Failover Configuration 28-18
    Layer 2 Trunk Failover Configuration Guidelines 28-19
    Configuring Layer 2 Trunk Failover 28-19
  Displaying Layer 2 Trunk Failover Status 28-20

CHAPTER 29 Troubleshooting 29-1
  Recovering from a Software Failure 29-2
  Recovering from a Lost or Forgotten Password 29-

  Using the show platform forward Command 29-20
  Using the crashinfo Files 29-22
    Basic crashinfo Files 29-22
    Extended crashinfo Files 29-22

APPENDIX A Supported MIBs A-1
  MIB List A-1
  Using FTP to Access the MIB Files A-3

APPENDIX B Working with the Cisco IOS File System, Configuration Files, and Software Images
  Working with the Flash File System B-1
    Displaying Available File Systems B-2
    Setting the Default File System B-3
    Displaying Information about Files on a File System B-3
    Changing Di

    Clearing Configuration Information B-20
      Clearing the Startup Configuration File B-20
      Deleting a Stored Configuration File B-20
  Working with Software Images B-20
    Image Location on the Switch B-21
    tar File Format of Images on a Server or Cisco.

    Unsupported Global Configuration Commands C-3
  Network Address Translation (NAT) Commands C-4
    Unsupported Privileged EXEC Commands C-4
  QoS C-4
    Unsupported Global Configuration Command C-4
    Unsupported Interface Configuration Commands C-4
    Unsupported Policy-Map Configuration Command C-4
  RADIUS C-4
    Unsupported Global Configuration Commands C-4
  SNMP C-5
    Unsupported Global Configuration Commands C-5
  Spanning Tree C-5
    Unsupported Global Configuration Command C-5
    Unsupported Interface Configuratio
Preface

Audience

This guide is for the networking professional managing the Cisco Gigabit Ethernet Switch Module (CGESM), referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.

Purpose

This guide provides the information that you need to configure Cisco IOS software features on your switch.

Conventions

This publication uses these conventions to convey instructions and information:

Command descriptions use these conventions:
• Commands and keywords are in boldface text.
• Arguments for which you supply values are in italic.
• Square brackets ([ ]) mean optional elements.
• Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.

You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation, Obtaining Support, and Security Guidelines” section on page xxxi.
• Cisco Small Form-Factor Pluggable Modules Installation Notes (order number DOC-7815160=)
• These compatibility matrix documents are available from this Cisco.com site: http://www.cisco.

Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide xxxii 380261-003
CHAPTER 1 Overview

This chapter provides these topics about the switch software:
• Features, page 1-1
• Default Settings After Initial Switch Configuration, page 1-9
• Design Concepts for Using the Switch, page 1-12
• Where to Go Next, page 1-14

In this document, IP refers to IP Version 4 (IPv4).

Features

Some features described in this chapter are available only on the cryptographic (supports encryption) version of the software.

Ease-of-Deployment and Ease-of-Use Features

The switch ships with these features to make the deployment and the use easier:
• Express Setup for quickly configuring a switch for the first time with basic IP information, contact information, switch and Telnet passwords, and Simple Network Management Protocol (SNMP) information through a browser-based program. For more information about Express Setup, see the getting started guide.

Performance Features

The switch ships with these performance features:
• Autosensing of port speed and autonegotiation of duplex mode on all switch ports for optimizing bandwidth
• Automatic-medium-dependent interface crossover (auto-MDIX) capability on 10/100 and 10/100/1000 Mb/s interfaces that enables the interface to automatically detect the required cable connection type (straight-through or crossover) and to configure the connection appropriately
• Support for up to

Management Options

These are the options for configuring and managing the switch:
• An embedded device manager—The device manager is a GUI that is integrated in the software image. You use it to configure and to monitor a single switch. For information about launching the device manager, see the getting started guide. For more information about the device manager, see the switch online help.

• Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (LLDP-MED) for interoperability with third-party IP phones
• Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source
• Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses
• Configuration logging to log and to view changes to the switch configuration
• Unique device identifier to provide product ide

• Optional spanning-tree features available in PVST+, rapid-PVST+, and MSTP mode:
  – Port Fast for eliminating the forwarding delay by enabling a port to immediately change from the blocking state to the forwarding state
  – BPDU guard for shutting down Port Fast-enabled ports that receive bridge protocol data units (BPDUs)
  – BPDU filtering for preventing a Port Fast-enabled port from sending or receiving BPDUs
  – Root guard for preventing switches outside the network core from
Security Features

The switch ships with these security features:
• Password-protected access (read-only and read-write access) to management interfaces (device manager, Network Assistant, and the CLI) for protection against unauthorized configuration changes
• Multilevel security for a choice of security level, notification, and resulting actions
• Static MAC addressing for ensuring security
• Protected port option for restricting the forwarding of traffic to designated p

• Kerberos security system to authenticate requests for network resources by using a trusted third party (requires the cryptographic version of the software)
• Secure Socket Layer (SSL) Version 3.0 support for the HTTP 1.

• Egress queues and scheduling
  – Four egress queues per port
  – WTD as the congestion-avoidance mechanism for managing the queue lengths and providing drop precedences for different traffic classifications
  – SRR as the scheduling service for specifying the rate at which packets are dequeued to the egress interface (shaping or sharing is supported on egress queues).
Default Settings After Initial Switch Configuration

If you do not configure the switch at all, the switch operates with these default settings:
• Default switch IP address, subnet mask, and default gateway is 0.0.0.0. For more information, see Chapter 3, “Assigning the Switch IP Address and Default Gateway,” and Chapter 16, “Configuring DHCP Features.”
• Default domain name is not configured. For more information, see Chapter 3, “Assigning the Switch IP Address and Default Gateway.

• VLANs
  – Default VLAN is VLAN 1. For more information, see Chapter 9, “Configuring VLANs.”
  – VLAN trunking setting is dynamic auto (DTP). For more information, see Chapter 9, “Configuring VLANs.”
  – Trunk encapsulation is negotiate. For more information, see Chapter 9, “Configuring VLANs.”
  – VTP mode is server. For more information, see Chapter 10, “Configuring VTP.”
  – VTP version is Version 1.

• QoS is disabled. For more information, see Chapter 27, “Configuring QoS.”
• No EtherChannels are configured. For more information, see Chapter 28, “Configuring EtherChannels and Layer 2 Trunk Failover.”

Design Concepts for Using the Switch

As your network users compete for network bandwidth, it takes longer to send and receive data.

Table 1-2 Providing Network Services (continued)

Network Demands: An evolving demand for IP telephony
Suggested Design Methods:
• Use QoS to prioritize applications such as IP telephony during congestion and to help control both delay and jitter within the network.
• Use switches that support at least two queues per port to prioritize voice and data traffic as either high- or low-priority, based on IEEE 802.1p/Q.

• Server aggregation (Figure 1-2)—You can use the switches to interconnect groups of servers, centralizing physical security and administration of your network. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to multilayer switches with routing capability. The Gigabit interconnections minimize latency in the data flow. QoS and policing on the blade switches provide preferential treatment for certain data streams.
CHAPTER 2 Using the Command-Line Interface

This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your switch.

Understanding Command Modes

Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the hostname Switch.

Table 2-1 Command Mode Summary

Mode: User EXEC
Access Method: Begin a session with your switch.
Prompt: Switch>
Exit Method: Enter logout or quit.
About This Mode: Use this mode to
• Change terminal settings.
• Perform basic tests.

Table 2-1 Command Mode Summary (continued)

Mode: Interface configuration
Access Method: While in global configuration mode, enter the interface command (with a specific interface).
Prompt: Switch(config-if)#
Exit Method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About This Mode: Use this mode to configure parameters for the Ethernet ports.

Table 2-2 Help Summary (continued)

Command: ?
Purpose: List all commands available for a particular command mode. For example:
Switch> ?

Command: command ?
Purpose: List the associated keywords for a command. For example:
Switch> show ?

Command: command keyword ?
Purpose: List the associated arguments for a keyword.

Understanding CLI Error Messages

Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch.

Table 2-3 Common CLI Error Messages (columns: Error Message, Meaning, How to Get Help)

Error Message: % Ambiguous command: "show con"
Meaning: You did not enter enough characters for your switch to recognize the command.

Using Command History

The software provides a history or record of commands that you have entered. The command history feature is particularly useful for recalling long or complex commands or entries, including access lists.

Disabling the Command History Feature

The command history feature is automatically enabled. You can disable it for the current terminal session or for the command line. These procedures are optional. To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command.

Table 2-5 Editing Commands through Keystrokes (continued)

Keystroke: Purpose
Press Ctrl-F, or press the right arrow key: Move the cursor forward one character.
Press Ctrl-A: Move the cursor to the beginning of the command line.
Press Ctrl-E: Move the cursor to the end of the command line.
Press Esc B: Move the cursor back one word.
Press Esc F: Move the cursor forward one word.
Press Ctrl-T.

Table 2-5 Editing Commands through Keystrokes (continued)

Capability: Scroll down a line or screen on displays that are longer than the terminal screen can display.
Press the Return key: Scroll down one line.
Press the Space bar: Scroll down one screen.

Capability: Redisplay the current command line.
Press Ctrl-L or Ctrl-R: Redisplay the current command line.

Searching and Filtering Output of show and more Commands

You can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see. Using these commands is optional.
CHAPTER 3 Assigning the Switch IP Address and Default Gateway

This chapter describes how to create the initial switch configuration (for example, assigning the IP address and default gateway information) by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration.

The bootloader provides access to the flash file system before the operating system is loaded. Normally, the bootloader is used only to load, uncompress, and launch the operating system. After the bootloader gives the operating system control of the CPU, the bootloader is not active until the next system reset or power-on.

If you are an experienced user familiar with the switch configuration steps, manually configure the switch. Otherwise, use the setup program described previously.

DHCP Client Request Process

When you boot up your switch, the DHCP client is invoked and requests configuration information from a DHCP server when the configuration file is not present on the switch.

Configuring DHCP-Based Autoconfiguration

These sections contain this configuration information:
• DHCP Server Configuration Guidelines, page 3-5
• Configuring the TFTP Server, page 3-6
• Configuring the DNS, page 3-6
• Configuring the Relay Device, page 3-6
• Obtaining Configuration Files, page 3-7
• Example Configuration, page 3-8

If your DHCP server is a Cisco device, see the “Configuring DHCP” section

Configuring the TFTP Server

Based on the DHCP server configuration, the switch attempts to download one or more configuration files from the TFTP server.

For example, in Figure 3-2, configure the router interfaces as follows:

On interface 10.0.0.2:
router(config-if)# ip helper-address 20.0.0.2
router(config-if)# ip helper-address 20.0.0.3
router(config-if)# ip helper-address 20.0.0.4

On interface 20.0.0.1:
router(config-if)# ip helper-address 10.0.0.1

Figure 3-2 Relay Device Used in Autoconfiguration
[Figure: Switch (DHCP client) connected to a Cisco router (Relay)]

The default configuration file contains the hostnames-to-IP-address mapping for the switch. The switch fills its host table with the information in the file and obtains its hostname. If the hostname is not found in the file, the switch uses the hostname in the DHCP reply. If the hostname is not specified in the DHCP reply, the switch uses the default Switch as its hostname.

Table 3-2 DHCP Server Configuration (continued)

Boot filename (configuration file) (optional): Switch A switcha-confg; Switch B switchb-confg; Switch C switchc-confg; Switch D switchd-confg
Hostname (optional): Switch A switcha; Switch B switchb; Switch C switchc; Switch D switchd

DNS Server Configuration

The DNS server maps the TFTP server name tftpserver to IP address 10.0.0.3.
Manually Assigning IP Information

Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs):

Step 1 configure terminal
  Enter global configuration mode.
Step 2 interface vlan vlan-id
  Enter interface configuration mode, and enter the VLAN to which the IP information is assigned. The VLAN range is 1 to 4094.

Checking and Saving the Running Configuration

You can check the configuration settings that you entered or changes that you made by entering this privileged EXEC command:

Switch# show running-config
Building configuration...

Current configuration : 1833 bytes
!
version 12.

To store the configuration or changes you have made to your startup configuration in flash memory, enter this privileged EXEC command:

Switch# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...

This command saves the configuration settings that you made. If you fail to do this, your configuration will be lost the next time you reload the system.
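The manual SVI assignment steps, the show running-config check, and the copy to startup-config, put together as one privileged EXEC session. This is an added example and not a session from the guide: the address 10.0.0.10/24 and the gateway 10.0.0.1 are constructed values in the same 10.0.0.0/24 range that the guide's Figure 3-2 uses, and the output modifier after show running-config is the output filtering described in Chapter 2.

```cisco
! Added example (not from the guide): assign IP information to the VLAN 1 SVI,
! verify it, and save it so that it survives a reload.
Switch# configure terminal
Switch(config)# interface vlan 1
! 10.0.0.10/24 is a constructed address; substitute your management subnet
Switch(config-if)# ip address 10.0.0.10 255.255.255.0
! make sure the SVI is administratively up
Switch(config-if)# no shutdown
Switch(config-if)# exit
! gateway for traffic leaving the management subnet (constructed value)
Switch(config)# ip default-gateway 10.0.0.1
Switch(config)# end
! check only the lines that matter instead of paging through the whole config
Switch# show running-config | include ip address|ip default-gateway
Switch# show ip interface brief
! commit to flash: without this step the settings are lost at the next reload
Switch# copy running-config startup-config
Destination filename [startup-config]?
```

Everything in the running configuration, including any passwords entered during setup, is written to flash by the final copy, so the startup configuration and any backups of it should be protected like credentials.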
Automatically Downloading a Configuration File

You can automatically download a configuration file to your switch by using the DHCP-based autoconfiguration feature. For more information, see the “Understanding DHCP-Based Autoconfiguration” section on page 3-3.

Specifying the Filename to Read and Write the System Configuration

By default, the Cisco IOS software uses the file config.

Step 4 show boot
  Verify your entries.

The boot manual global command changes the setting of the MANUAL_BOOT environment variable. The next time you reboot the system, the switch is in bootloader mode, shown by the switch: prompt. To boot up the system, use the boot filesystem:/file-url bootloader command.
• For filesystem:, use flash: for the system board flash device.

Controlling Environment Variables

With a normally operating switch, you enter the boot loader mode only through a switch console connection configured for 9600 bps. Unplug the switch power cord, and press the switch Mode button while reconnecting the power cord. You can release the Mode button a second or two after the LED above port 1 turns off. Then the boot loader switch: prompt appears.

Table 3-4 describes the function of the most common environment variables.

Table 3-4 Environment Variables

Variable: BOOT
Bootloader Command: set BOOT filesystem:/file-url ...
  A semicolon-separated list of executable files to
Cisco IOS Global Configuration Command: boot system filesystem:/file-url ...
  Specifies the Cisco IOS image to load during the next bootup cycle.
Configuring a Scheduled Reload

To configure your switch to reload the software image at a later time, use one of these commands in privileged EXEC mode:
• reload in [hh:]mm [text]
  This command schedules a reload of the software to take effect in the specified minutes or hours and minutes. The reload must take place within approximately 24 days.

Displaying Scheduled Reload Information

To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch, use the show reload privileged EXEC command. It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled).
CHAPTER 4 Administering the Switch

This chapter describes how to perform one-time operations to administer the switch.

The system clock can provide time to these services:
• User show commands
• Logging and debugging messages

The system clock keeps track of time internally based on Universal Time Coordinated (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight saving time) so that the time appears correctly for the local time zone.

Figure 4-1 shows a typical network example using NTP. Switch A is the NTP master, with Switches B, C, and D configured in NTP server mode, in server association with Switch A. Switch E is configured as an NTP peer to the upstream and downstream switches, Switch B and Switch F.

These sections contain this configuration information:
• Default NTP Configuration, page 4-4
• Configuring NTP Authentication, page 4-4
• Configuring NTP Associations, page 4-5
• Configuring NTP Broadcast Service, page 4-6
• Configuring NTP Access Restrictions, page 4-8
• Configuring the Source IP Address for NTP Packets, page 4-10
• Displaying the NTP Configuration, page 4-11

Default NTP Configuration

Table 4-1 shows the

Step 3 ntp authentication-key number md5 value
  Define the authentication keys. By default, none are defined.
  • For number, specify a key number. The range is 1 to 4294967295.
  • md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5).
  • For value, enter an arbitrary string of up to eight characters for the key.

Beginning in privileged EXEC mode, follow these steps to form an NTP association with another device:

Step 1 configure terminal
  Enter global configuration mode.
Step 2 ntp peer ip-address [version number] [key keyid] [source interface] [prefer]
  Configure the switch system clock to synchronize a peer or to be synchronized by a peer (peer association).
Chapter 4 Administering the Switch Managing the System Time and Date The switch can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server, such as a router, broadcasting time information on the network. The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it. The switch can also receive NTP broadcast packets to synchronize its own clock.
Chapter 4 Administering the Switch Managing the System Time and Date Step 5 Command Purpose ntp broadcastdelay microseconds (Optional) Change the estimated round-trip delay between the switch and the NTP broadcast server. The default is 3000 microseconds; the range is 1 to 999999. Step 6 end Return to privileged EXEC mode. Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 4 Administering the Switch Managing the System Time and Date Step 3 Command Purpose access-list access-list-number permit source [source-wildcard] Create the access list. • For access-list-number, enter the number specified in Step 2. • Enter the permit keyword to permit access if the conditions are matched. • For source, enter the IP address of the device that is permitted access to the switch. • (Optional) For source-wildcard, enter the wildcard bits to be applied to the source.
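The two NTP protections described above (MD5 authentication keys and the access list that restricts which peers may talk to the switch) are shown together in the following added example. It is not code from the guide or from Cisco IOS; it models what the switch does when it checks an incoming NTP packet: the digest is MD5 over the key followed by the 48-byte NTP header (RFC 5905 section 7.3), the packet must name a key number that is configured, and the source address must be permitted by a standard access list whose wildcard bits mark "do not care" positions. The key table, key strings, access-list entries and addresses are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed key table standing in for `ntp authentication-key <number> md5 <value>`
# entries on the switch. The numbers and strings are example values, not from the guide.
NTP_KEYS = {
    1: b"ntpk3y01",
    2: b"backup02",
}

NTP_HEADER_LEN = 48   # fixed NTPv3/v4 header
KEYID_LEN = 4         # key identifier carried in the MAC
DIGEST_LEN = 16       # MD5 digest


def build_ntp_client_packet(transmit_ts: int = 0) -> bytes:
    """Minimal 48-byte NTPv4 client header (LI=0, VN=4, Mode=3); only the
    transmit timestamp is populated, everything else is zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    header = struct.pack("!BBBb", li_vn_mode, 0, 0, 0)  # LI/VN/Mode, stratum, poll, precision
    header += struct.pack("!II", 0, 0)                    # root delay, root dispersion
    header += bytes(4)                                    # reference ID
    header += bytes(24)                                   # reference, origin, receive timestamps
    header += struct.pack("!Q", transmit_ts)              # transmit timestamp
    return header


def ntp_md5_digest(key: bytes, packet: bytes) -> bytes:
    """NTP symmetric-key MAC (RFC 5905 section 7.3): MD5 over key || header."""
    return hashlib.md5(key + packet).digest()


def sign_ntp_packet(packet: bytes, keyid: int) -> bytes:
    """Append keyid (32 bits) and digest (128 bits) to an unauthenticated header."""
    return packet + struct.pack("!I", keyid) + ntp_md5_digest(NTP_KEYS[keyid], packet)


def verify_ntp_packet(authenticated: bytes) -> bool:
    """Accept a packet only if it names a configured key and the digest matches.
    An unknown key number, a truncated MAC, or any change to the header fails."""
    if len(authenticated) != NTP_HEADER_LEN + KEYID_LEN + DIGEST_LEN:
        return False
    packet = authenticated[:NTP_HEADER_LEN]
    (keyid,) = struct.unpack("!I", authenticated[NTP_HEADER_LEN:NTP_HEADER_LEN + KEYID_LEN])
    digest = authenticated[NTP_HEADER_LEN + KEYID_LEN:]
    key = NTP_KEYS.get(keyid)
    if key is None:
        return False
    # Constant-time comparison so timing does not reveal how many digest bytes matched.
    return hmac.compare_digest(digest, ntp_md5_digest(key, packet))


def wildcard_match(source: str, wildcard: str, address: str) -> bool:
    """Standard-ACL match: a 1 bit in the wildcard means 'do not care' for that bit."""
    s = int(ipaddress.IPv4Address(source))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(address))
    return (s & ~w) == (a & ~w)


# Constructed access list in the form `access-list <n> permit <source> [<wildcard>]`;
# an omitted wildcard means 0.0.0.0 (exact host). Example addresses, not from the guide.
NTP_ACCESS_LIST = [
    ("permit", "10.1.1.0", "0.0.0.255"),    # the local NTP subnet
    ("permit", "172.16.5.7", "0.0.0.0"),    # one specific upstream server
]


def ntp_peer_permitted(peer_ip: str, acl=NTP_ACCESS_LIST) -> bool:
    """First matching entry decides; a list that matches nothing denies (implicit deny)."""
    for action, source, wildcard in acl:
        if wildcard_match(source, wildcard, peer_ip):
            return action == "permit"
    return False
```

The two checks are independent: the access list only says who may send, while the MD5 digest proves the sender holds the configured key. A key value of at most eight characters (the limit the guide states) is a small search space, so the access list and a trusted network path for NTP remain part of the protection rather than the key alone.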
Disabling NTP Services on a Specific Interface

NTP services are enabled on all interfaces by default. Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on an interface:
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: interface interface-id
Purpose: Enter interface configuration mode, and specify the interface to disable.

Displaying the NTP Configuration

You can use two privileged EXEC commands to display NTP information:
• show ntp associations [detail]
• show ntp status
For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.

Displaying the Time and Date Configuration

To display the time and date configuration, use the show clock [detail] privileged EXEC command. The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes.

Configuring Summer Time (Daylight Saving Time)

Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: clock summer-time zone recurring
Purpose: Configure summer time to start and end on the specified days every year.

Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: clock summer-time zone date [month date year hh:mm month date year hh:mm
Purpose: Configure summer time to start on the first date and end on the second date.

Configuring a System Name and Prompt

These sections contain this configuration information:
• Default System Name and Prompt Configuration, page 4-15
• Configuring a System Name, page 4-15
• Understanding DNS, page 4-15

Default System Name and Prompt Configuration

The default switch system name and prompt is Switch.

These sections contain this configuration information:
• Default DNS Configuration, page 4-16
• Setting Up DNS, page 4-16
• Displaying the DNS Configuration, page 4-17

Default DNS Configuration

Table 4-2 shows the default DNS configuration.

Table 4-2 Default DNS Configuration
DNS enable state: Enabled.
DNS default domain name: None configured.
DNS servers: No name server addresses are configured.

Step 6: show running-config
Purpose: Verify your entries.
Step 7: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.

Creating a Banner

Configuring a Message-of-the-Day Login Banner

You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: banner motd c message c
Purpose: Specify the message of the day.

Configuring a Login Banner

You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner:
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: banner login c message c
Purpose: Specify the login message.

Managing the MAC Address Table

These sections contain this configuration information:
• Building the Address Table, page 4-20
• MAC Addresses and VLANs, page 4-20
• Default MAC Address Table Configuration, page 4-21
• Changing the Address Aging Time, page 4-21
• Removing Dynamic Address Entries, page 4-22
• Configuring MAC Address Notification Traps, page 4-22
• Adding and Removing Static Address Entries, page 4-24
• Configuring Unicast MAC Address Filter

Default MAC Address Table Configuration

Table 4-3 shows the default MAC address table configuration.

Table 4-3 Default MAC Address Table Configuration
Aging time: 300 seconds
Dynamic addresses: Automatically learned
Static addresses: None configured

Changing the Address Aging Time

Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use.

Removing Dynamic Address Entries

To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode.

Step 5: mac address-table notification [interval value] | [history-size value]
Purpose: Enter the trap interval time and the history table size.
• (Optional) For interval value, specify the notification trap interval in seconds between each set of traps that are generated to the NMS. The range is 0 to 2147483647 seconds; the default is 1 second.

Adding and Removing Static Address Entries

A static address has these characteristics:
• It is manually entered in the address table and must be manually removed.
• It can be a unicast or multicast address.
• It does not age and is retained when the switch restarts.
You can add and remove static addresses and define the forwarding behavior for them.

Configuring Unicast MAC Address Filtering

When unicast MAC address filtering is enabled, the switch drops packets with specific source or destination MAC addresses. This feature is disabled by default and only supports unicast static addresses. Follow these guidelines when using this feature:
• Multicast MAC addresses, broadcast MAC addresses, and router MAC addresses are not supported.

This example shows how to enable unicast MAC address filtering and to configure the switch to drop packets that have a source or destination address of c2f3.220a.12f4. When a packet is received in VLAN 4 with this MAC address as its source or destination, the packet is dropped:
Switch(config)# mac address-table static c2f3.220a.
Chapter 5 Configuring Switch-Based Authentication

This chapter describes how to configure switch-based authentication on the switch.

Protecting Access to Privileged EXEC Commands

• If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information. For more information, see the “Controlling Switch Access with TACACS+” section on page 5-10.

Setting or Changing a Static Enable Password

The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: enable password password
Purpose: Define a new password or change an existing password for access to privileged EXEC mode.

Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords:
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: enable password [level level] {password | encryption-type encrypted-password}
Purpose: Define a new password or change an existing password for access to privileged EXEC mode.

This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:
Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8

Disabling Password Recovery

By default, any end user with physical access to the switch can recover from a lost password by interrupting the bootup process while the switch is powering on and then by entering a new password.

Setting a Telnet Password for a Terminal Line

When you power up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password.

Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password:
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: username name [privilege level] {password encryption-type password}
Purpose: Enter the username, privilege level, and password for each user.

Setting the Privilege Level for a Command

Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: privilege mode level level command
Purpose: Set the privilege level for a command.

Changing the Default Privilege Level for Lines

Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: line vty line
Purpose: Select the virtual terminal line on which to restrict access.
Step 3: privilege level level
Purpose: Change the default privilege level for the line.
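The settings covered in this section (enable password versus enable secret, the encryption type on username entries, password recovery, Telnet access on terminal lines, and NTP authentication from the previous chapter) are the things an operator most often wants to check across many running-configs. The following added example, which is not code from the guide, parses a constructed running-config excerpt and reports the weak settings beside a hardened version of the same switch. The hostnames, usernames, addresses, the type 7 string and the $1$ hash are placeholders; the rule that a vty line with no transport input line accepts all transports is an assumption made for this example.

```python
import re
from dataclasses import dataclass

# Constructed running-config excerpt with the weak settings the guide warns about.
# Example values only; the type 7 string and $1$ hash are placeholders, not real encodings.
WEAK_CONFIG = """\
hostname Switch
enable password letmein
username admin privilege 15 password 7 <type7-placeholder>
username ops privilege 1 secret 5 $1$salt$<hash-placeholder>
ntp server 10.1.1.5
line vty 0 4
 password cisco
 login
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""

# The same switch after hardening: enable secret, per-user secrets, password recovery
# disabled, NTP authentication on, SSH-only vty lines.
HARDENED_CONFIG = """\
hostname Switch
enable secret 5 $1$salt$<hash-placeholder>
username admin privilege 15 secret 5 $1$salt$<hash-placeholder>
no service password-recovery
ntp authenticate
ntp server 10.1.1.5 key 1
line vty 0 15
 login local
 transport input ssh
"""


@dataclass
class Finding:
    severity: str
    where: str
    message: str


def parse_blocks(config: str):
    """Split a running-config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str) -> list:
    findings = []
    blocks = parse_blocks(config)
    top = [head for head, _ in blocks]

    # Privileged EXEC: an enable password without an enable secret leaves the
    # privileged password stored in a weaker form than the MD5 (type 5) secret.
    has_secret = any(h.startswith("enable secret") for h in top)
    for h in top:
        if h.startswith("enable password") and not has_secret:
            findings.append(Finding("high", h, "enable password set but no enable secret"))
        m = re.match(r"username (\S+) .*?password (\d) ", h)
        if m and m.group(2) in ("0", "7"):
            findings.append(Finding("medium", h,
                                    f"user {m.group(1)} stored with type {m.group(2)} password (not a secret)"))

    # NTP: associations without authentication accept time from any responder.
    if any(h.startswith(("ntp server", "ntp peer")) for h in top) and "ntp authenticate" not in top:
        findings.append(Finding("medium", "ntp", "NTP associations configured without ntp authenticate"))

    # Physical access: password recovery through the boot process is on by default.
    if "no service password-recovery" not in top:
        findings.append(Finding("low", "service password-recovery", "password recovery still enabled"))

    # Terminal lines: Telnet carries the line password in cleartext.
    for head, body in blocks:
        if head.startswith("line vty"):
            transport = next((b.split()[2:] for b in body if b.startswith("transport input")), None)
            # Assumption for this example: a vty with no transport input line accepts all transports.
            if transport is None or "telnet" in transport or "all" in transport:
                findings.append(Finding("high", head, "vty accepts Telnet; restrict to transport input ssh"))
    return findings


def summarize(config: str) -> dict:
    """Count findings by severity; an empty dict means nothing was flagged."""
    counts = {}
    for f in audit(config):
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts
```

Running audit(WEAK_CONFIG) flags the plaintext enable password, the type 7 user entry, the unauthenticated NTP association, the enabled password recovery, and the first vty range; the second vty range, which already allows only SSH, is not reported, and HARDENED_CONFIG produces no findings.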
Controlling Switch Access with TACACS+

This section describes how to enable and configure Terminal Access Controller Access Control System Plus (TACACS+), which provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through authentication, authorization, and accounting (AAA) and can be enabled only through AAA commands.

Figure 5-1 Typical TACACS+ Network Configuration
(Figure: a UNIX workstation running TACACS+ server 1 at 171.20.10.7, a UNIX workstation running TACACS+ server 2 at 171.20.10.8, and a Catalyst 6500 series switch.)

Configure the Blade switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers). Enable AAA. Create a login authentication method list.

TACACS+ Operation

When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a password prompt.

authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.

Step 3: aaa new-model
Purpose: Enable AAA.
Step 4: aaa group server tacacs+ group-name
Purpose: (Optional) Define the AAA server group with a group name. This command puts the switch in a server group subconfiguration mode.
Step 5: server ip-address
Purpose: (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group.

Step 3: aaa authentication login {default | list-name} method1 [method2...]
Purpose: Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.

Starting TACACS+ Accounting

The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

Controlling Switch Access with RADIUS

Understanding RADIUS

RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco routers and switches. Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information.

Figure 5-2 Transitioning from RADIUS to TACACS+ Services
(Figure: a remote PC and a workstation, RADIUS servers R1 and R2, and TACACS+ servers T1 and T2.)

RADIUS Operation

When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:
1. The user is prompted to enter a username and password.
2.

software uses the first method listed to authenticate, to authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted. You should have access to and should configure a RADIUS server before configuring RADIUS features on your switch.
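The method-list rule stated for both TACACS+ and RADIUS above has a consequence that is easy to miss: the switch moves to the next method only when the current one does not respond, so a reachable server that rejects the user ends the attempt, and a local fallback entry is consulted only when the server group is unreachable. The following added example (not code from the guide or from Cisco IOS) parses an aaa authentication login command into its methods and evaluates it against constructed back-ends standing in for a TACACS+ server group and the local database. The user names and passwords are sample values, and the rule that an exhausted list denies the login is an assumption made for this example.

```python
from enum import Enum


class Outcome(Enum):
    PASS = "pass"      # method answered and accepted the credentials
    FAIL = "fail"      # method answered and rejected the credentials
    ERROR = "error"    # method did not respond (server down, timeout, no servers in group)


def parse_login_method_list(line: str):
    """Parse `aaa authentication login {default | list-name} method1 [method2...]`.
    A `group <name>` method occupies two tokens, so it is kept together."""
    tokens = line.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError("not an aaa authentication login command")
    list_name, methods, i = tokens[3], [], 4
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return list_name, methods


def run_method_list(methods, backends, username, password):
    """Evaluate a method list as the guide describes: the next method is tried only
    when the current one does not respond. A definite reject ends the attempt, so a
    reachable server that says no is never overridden by a later local entry.
    Assumption in this example: if every method errors, the login is denied."""
    for name in methods:
        outcome = backends[name](username, password)
        if outcome is Outcome.ERROR:
            continue
        return outcome, name
    return Outcome.FAIL, None


# Constructed back-ends standing in for a TACACS+ server group and the local database.
LOCAL_USERS = {"admin": "local-pw"}


def local_backend(username, password):
    return Outcome.PASS if LOCAL_USERS.get(username) == password else Outcome.FAIL


def server_group_backend(reachable: bool, accounts: dict):
    """Build a backend for a server group; reachable=False models every server being down."""
    def backend(username, password):
        if not reachable:
            return Outcome.ERROR
        return Outcome.PASS if accounts.get(username) == password else Outcome.FAIL
    return backend


def login(method_list_cmd: str, reachable: bool, username: str, password: str):
    """Wire a parsed method list to the constructed back-ends; returns (outcome, method used)."""
    _, methods = parse_login_method_list(method_list_cmd)
    backends = {
        "group tacacs+": server_group_backend(reachable, {"admin": "tacacs-pw"}),
        "local": local_backend,
    }
    return run_method_list(methods, backends, username, password)
```

With "aaa authentication login default group tacacs+ local", a correct TACACS+ password is accepted by the server group, a wrong one is rejected by the server group even though a matching local password exists, and only when the server group does not respond does the local database decide. The same evaluation applies to a RADIUS group listed in place of tacacs+.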
A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange responses. To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the switch.

Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.
Step 1: configure terminal
Purpose: Enter global configuration mode.

To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.

This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:
Switch(config)# radius-server host 172.29.36.49 auth-port 6403 key rad1
Switch(config)# radius-server host 172.20.36.
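The shared secret configured with the key keyword above is used in exactly two places in the RADIUS protocol, and the following added example (not code from the guide or from Cisco IOS) implements both as RFC 2865 specifies them: the User-Password attribute is hidden by XORing each 16-byte block with MD5(secret || previous block), seeded by the random Request Authenticator, and the server's reply carries a Response Authenticator of MD5(Code + ID + Length + RequestAuth + Attributes + Secret) that the switch checks before trusting the reply. The secret, username and password are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_user_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each block
    with MD5(secret || previous block), the first block keyed by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += c
        prev = c
    return out


def reveal_user_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """The server side of the same operation; only a holder of the secret can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ b for x, b in zip(c, block))
        prev = c
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    attrs, body, i = {}, packet[20:], 0
    while i < len(body):
        attr_type, length = body[i], body[i + 1]
        attrs[attr_type] = body[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, secret: bytes, username: bytes, password: bytes) -> bytes:
    """Client side: fresh random Request Authenticator, User-Name, hidden User-Password."""
    request_auth = os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_user_password(secret, request_auth, password))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code: int, ident: int, secret: bytes, request_auth: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(secret: bytes, request_auth: bytes, response: bytes) -> bool:
    """Client side: accept a reply only if it was computed over our Request Authenticator
    with our shared secret. A reply from a host without the secret, or a replayed reply
    to a different request, fails this check."""
    if len(response) < 20:
        return False
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    if struct.unpack("!H", header[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)
```

The design point for a defender is visible in reveal_user_password: the user password is recoverable by anyone who holds the shared secret and sees the exchange, so the per-server key string should be long, unique to each switch, and carried on a management network rather than a user-facing one. The Response Authenticator is what stops an unauthorised host from answering Access-Accept on the server's behalf.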
Step 3: aaa authentication login {default | list-name} method1 [method2...]
Purpose: Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.

Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:
Step 1: configure terminal
Purpose: Enter global configuration mode.

Step 8: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
Step 9: Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 5-23.
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.

Step 3: aaa authorization exec radius
Purpose: Configure the switch for user RADIUS authorization if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information).
Step 4: end
Purpose: Return to privileged EXEC mode.
Step 5: show running-config
Purpose: Verify your entries.

Configuring Settings for All RADIUS Servers

Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers:
Step 1: configure terminal
Purpose: Enter global configuration mode.
Step 2: radius-server key string
Purpose: Specify the shared secret text string used between the switch and all RADIUS servers.

This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
This example shows how to specify an authorized VLAN in the RADIUS server database:
cisco-avpair= "tunnel-type(#64)=VLAN(13)"
cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
This example shows how to apply an in

Configuring the Switch for Vendor-Proprietary RADIUS Server Communication

Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.

Controlling Switch Access with Kerberos

This section describes how to enable and configure the Kerberos security system, which authenticates requests for network resources by using a trusted third party. To use this feature, the cryptographic (that is, encryption-capable) version of the switch software must be installed on your switch.

The Kerberos credential scheme uses a process called single logon. This process authenticates a user once and then allows secure authentication (without encrypting another password) wherever that user credential is accepted.

Table 5-2 Kerberos Terms (continued)
Kerberos server: A daemon that is running on a network host. Users and network services register their identity with the Kerberos server. Network services query the Kerberos server to authenticate to other network services.
KEYTAB: A password that a network service shares with the KDC.

3. The switch requests a TGT from the KDC for this user.
4. The KDC sends an encrypted TGT that includes the user identity to the switch.
5. The switch attempts to decrypt the TGT by using the password that the user entered.
• If the decryption is successful, the user is authenticated to the switch.

Note: A Kerberos server can be a switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol.
To set up a Kerberos-authenticated server-client system, follow these steps:
• Configure the KDC by using Kerberos commands.
• Configure the switch to use the Kerberos protocol.

Configuring the Switch for Local Authentication and Authorization

Step 6: username name [privilege level] {password encryption-type password}
Purpose: Enter the local database, and establish a username-based authentication system. Repeat this command for each user.
• For name, specify the user ID as one word. Spaces and quotation marks are not allowed.
• (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15.

Configuring the Switch for Secure Shell

For SSH configuration examples, see the “SSH Configuration Examples” section in the “Configuring Secure Shell” chapter of the Cisco IOS Security Configuration Guide, Cisco IOS Release 12.2, at this URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_book09186a0080087df1.

Limitations

These limitations apply to SSH:
• The switch supports Rivest, Shamir, and Adleman (RSA) authentication.
• SSH supports only the execution-shell application.
• The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data encryption software.
• The switch does not support the Advanced Encryption Standard (AES) symmetric encryption algorithm.

3. Generate an RSA key pair for the switch, which automatically enables SSH. Follow this procedure only if you are configuring the switch as an SSH server.
4. Configure user authentication for local or remote access. This step is required. For more information, see the “Configuring the Switch for Local Authentication and Authorization” section on page 5-36.

Step 3: ip ssh {timeout seconds | authentication-retries number}
Purpose: Configure the SSH control parameters:
• Specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. This parameter applies to the SSH negotiation phase. After the connection is established, the switch uses the default time-out values of the CLI-based sessions.

Configuring the Switch for Secure Socket Layer HTTP

This section describes how to configure Secure Socket Layer (SSL) version 3.0 support for the HTTP 1.1 server and client. SSL provides server authentication, encryption, and message integrity, as well as HTTP client authentication, to allow secure HTTP communications.

adequate security, the connecting client generates a notification that the certificate is self-certified, and the user has the opportunity to accept or reject the connection. This option is useful for internal network topologies (such as testing).

CipherSuites

A CipherSuite specifies the encryption algorithm and the digest algorithm to use on an SSL connection. When connecting to the HTTPS server, the client web browser offers a list of supported CipherSuites, and the client and server negotiate the best encryption algorithm to use from those on the list that are supported by both. For example, Netscape Communicator 4.76 supports U.S.

SSL Configuration Guidelines

When SSL is used in a switch cluster, the SSL session terminates at the cluster commander. Cluster member switches must run standard HTTP. Before you configure a CA trustpoint, you should ensure that the system clock is set. If the clock is not set, the certificate is rejected because of an incorrect date.

Use the no crypto ca trustpoint name global configuration command to delete all identity information and certificates associated with the CA.

Configuring the Secure HTTP Server

If you are using a certificate authority for certification, you should use the previous procedure to configure the CA trustpoint on the switch before enabling the HTTP server.

Step 11: ip http timeout-policy idle seconds life seconds requests value
Purpose: (Optional) Specify how long a connection to the HTTP server can remain open under the defined circumstances:
• idle: the maximum time period when no data is received or response data cannot be sent. The range is 1 to 600 seconds. The default is 180 seconds (3 minutes).

Step 3: ip http client secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-md5] [rc4-128-sha] [des-cbc-sha]}
Purpose: (Optional) Specify the CipherSuites (encryption algorithms) to be used for encryption over the HTTPS connection. If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support.

Configuring the Switch for Secure Copy Protocol

Information About Secure Copy

To configure the Secure Copy feature, you should understand these concepts. The behavior of SCP is similar to that of remote copy (rcp), which comes from the Berkeley r-tools suite, except that SCP relies on SSH for security.
C H A P T E R 6 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the switch. IEEE 802.1x authentication prevents unauthorized devices (clients) from gaining access to the network. Note For complete syntax and usage information for the commands used in this chapter, see the “RADIUS Commands” section in the Cisco IOS Security Command Reference, Release 12.2 and the command reference for this release.
Understanding IEEE 802.1x Port-Based Authentication

• IEEE 802.1x Accounting Attribute-Value Pairs, page 6-9
• Using IEEE 802.1x Authentication with VLAN Assignment, page 6-10
• Using IEEE 802.1x Authentication with Per-User ACLs, page 6-11
• Using IEEE 802.1x Authentication with Guest VLAN, page 6-12
• Using IEEE 802.1x Authentication with Restricted VLAN, page 6-13
• Using IEEE 802.

in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
• Switch (edge switch or wireless access point)—controls the physical access to the network based on the authentication status of the client.

Figure 6-2 shows the authentication process.

Figure 6-2 Authentication Flowchart
[Flowchart: Start. Is the client IEEE 802.1x capable? Yes: the switch gets an EAPOL message, the EAPOL message exchange begins, and IEEE 802.1x port-based authentication starts (the client identity may be found invalid). No: the IEEE 802.1x authentication process times out; is MAC authentication bypass enabled?]

The Termination-Action RADIUS attribute (Attribute [29]) specifies the action to take during re-authentication. The actions are Initialize and ReAuthenticate. When the Initialize action is set (the attribute value is DEFAULT), the IEEE 802.1x session ends, and connectivity is lost during re-authentication.

The specific exchange of EAP frames depends on the authentication method being used. Figure 6-3 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.

Figure 6-4 Message Exchange During MAC Authentication Bypass
[Sequence diagram between Client, Switch, and Authentication server (RADIUS): EAPOL Request/Identity (sent three times), Ethernet packet, RADIUS Access/Request, RADIUS Access/Accept]

Ports in Authorized and Unauthorized States During IEEE 802.

If the client is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are allowed through the port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried.

IEEE 802.1x Accounting

The IEEE 802.1x standard defines how users are authorized and authenticated for network access but does not keep track of network usage. IEEE 802.1x accounting is disabled by default. You can enable IEEE 802.1x accounting to monitor this activity on IEEE 802.1x-enabled ports:
• User successfully authenticates.
• User logs off.
• Link-down occurs.

Table 6-1 Accounting AV Pairs (continued)
Attribute Number   AV Pair Name           START    INTERIM   STOP
Attribute[46]      Acct-Session-Time      Never    Never     Always
Attribute[49]      Acct-Terminate-Cause   Never    Never     Always
Attribute[61]      NAS-Port-Type          Always   Always    Always

The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS). To configure VLAN assignment you need to perform these tasks:
• Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server.
• Enable IEEE 802.

The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of RADIUS-server per-user ACLs. For examples of vendor-specific attributes, see the “Configuring the Switch to Use Vendor-Specific RADIUS Attributes” section on page 5-29. For more information about configuring ACLs, see Chapter 26, “Configuring Network Security with ACLs.”

Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode. You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x guest VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports. The switch supports MAC authentication bypass in Cisco IOS Release 12.2(25)SEE and later.

Restricted VLANs are supported only on IEEE 802.1x ports in single-host mode and on Layer 2 ports. You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports. This feature works with port security.

– If all the RADIUS servers are not available and the client is not connected to a critical port, the switch might not assign clients to the guest VLAN if one is configured.
– If all the RADIUS servers are not available and if a client is connected to a critical port and was previously assigned to a guest VLAN, the switch keeps the port in the guest VLAN.

Using IEEE 802.1x Authentication with Port Security

You can configure an IEEE 802.1x port with port security in either single-host or multiple-hosts mode. (You also must configure port security on the port by using the switchport port-security interface configuration command.) When you enable port security and IEEE 802.1x authentication on a port, IEEE 802.

When the switch uses IEEE 802.1x authentication with WoL, the switch forwards traffic to unauthorized IEEE 802.1x ports, including magic packets. While the port is unauthorized, the switch continues to block ingress traffic other than EAPOL packets. The host can receive packets but cannot send packets to other devices in the network.

MAC authentication bypass interacts with these features:
• IEEE 802.1x authentication—You can enable MAC authentication bypass only if IEEE 802.1x authentication is enabled on the port.
• Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a guest VLAN if one is configured.
Configuring IEEE 802.1x Authentication

These sections contain this configuration information:
• Default IEEE 802.1x Authentication Configuration, page 6-19
• IEEE 802.1x Authentication Configuration Guidelines, page 6-21
• Configuring IEEE 802.

Table 6-2 Default IEEE 802.1x Authentication Configuration (continued)
Feature                                                Default Setting
RADIUS server
  • IP address                                         None specified.
  • UDP authentication port                            1812.
  • Key                                                None specified.
Host mode                                              Single-host mode.
Control direction                                      Bidirectional control.
Periodic re-authentication                             Disabled.
Number of seconds between re-authentication attempts   3600 seconds.

IEEE 802.1x Authentication Configuration Guidelines

This section has configuration guidelines for these features:
• IEEE 802.1x Authentication, page 6-21
• VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass, page 6-22
• MAC Authentication Bypass, page 6-22

IEEE 802.1x Authentication

These are the IEEE 802.1x authentication configuration guidelines:
• When IEEE 802.

VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass

These are the configuration guidelines for VLAN assignment, guest VLAN, restricted VLAN, and inaccessible authentication bypass:
• When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
• The IEEE 802.

Upgrading from a Previous Software Release

In Cisco IOS Release 12.2(25)SEE, the implementation for IEEE 802.1x authentication changed from the previous releases. When IEEE 802.1x authentication is enabled, information about Port Fast is no longer added to the configuration and this information appears in the running configuration:
dot1x pae authenticator

Configuring IEEE 802.

Step 5 aaa authorization network {default} group radius -- (Optional) Configure the switch to use user-RADIUS authorization for all network-related service requests, such as per-user ACLs or VLAN assignment.
Note For per-user ACLs, single-host mode must be configured. This setting is the default.

Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on the switch. This procedure is required.
Step 1 configure terminal -- Enter global configuration mode.
Step 2 radius-server host {hostname | -- Configure the RADIUS server parameters.

Configuring the Host Mode

Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) on an IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. This procedure is optional.
Step 1 configure terminal -- Enter global configuration mode.

Step 4 dot1x timeout reauth-period {seconds | server} -- Set the number of seconds between re-authentication attempts. The keywords have these meanings:
• seconds—Sets the number of seconds from 1 to 65535; the default is 3600 seconds.

Step 3 dot1x timeout quiet-period seconds -- Set the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client. The range is 1 to 65535 seconds; the default is 60.
Step 4 end -- Return to privileged EXEC mode.
Step 5 show dot1x interface interface-id -- Verify your entries.

Setting the Switch-to-Client Frame-Retransmission Number

In addition to changing the switch-to-client retransmission time, you can change the number of times that the switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting the authentication process.

Step 3 dot1x max-reauth-req count -- Set the number of times that the switch restarts the authentication process before the port changes to the unauthorized state. The range is 0 to 10; the default is 2.
Step 4 end -- Return to privileged EXEC mode.
Step 5 show dot1x interface interface-id -- Verify your entries.

Step 5 end -- Return to privileged EXEC mode.
Step 6 show running-config -- Verify your entries.
Step 7 copy running-config startup-config -- (Optional) Save your entries in the configuration file.
Use the show radius statistics privileged EXEC command to display the number of RADIUS messages that do not receive the accounting response message. This example shows how to configure IEEE 802.

Switch(config-if)# dot1x guest-vlan 2
This example shows how to set 3 as the quiet time on the switch, to set 15 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before re-sending the request, and to enable VLAN 2 as an IEEE 802.1x guest VLAN when an IEEE 802.
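The separate procedures above (RADIUS server parameters, periodic re-authentication, quiet period, retransmission count, accounting and guest VLAN) combined into one port configuration, as an added example that is not taken from the guide. The RADIUS server address 192.0.2.10, the shared key, the access VLAN 10 and the port gigabitethernet0/1 are placeholders; the timer values are the ones the guide's own example uses (quiet period 3, tx-period 15, guest VLAN 2).

```cisco
! Added example, not from the guide. 192.0.2.10, the key, VLAN 10 and the port are placeholders.
Switch# configure terminal
! AAA: authenticate supplicants against RADIUS, let the server push VLAN or per-user
! ACL assignments (aaa authorization network), and send start/stop accounting records.
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# aaa authorization network default group radius
Switch(config)# aaa accounting dot1x default start-stop group radius
Switch(config)# dot1x system-auth-control
Switch(config)# radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# dot1x port-control auto
! Re-authenticate every 3600 s; "reauth-period server" would take the value from RADIUS instead.
Switch(config-if)# dot1x reauthentication
Switch(config-if)# dot1x timeout reauth-period 3600
! Stay quiet 3 s after a failed exchange, resend EAP-Request/Identity after 15 s,
! and leave the port unauthorized after 2 restarts of the process.
Switch(config-if)# dot1x timeout quiet-period 3
Switch(config-if)# dot1x timeout tx-period 15
Switch(config-if)# dot1x max-reauth-req 2
! Clients that never answer EAPOL land in VLAN 2 (an active VLAN that is neither voice nor RSPAN).
Switch(config-if)# dot1x guest-vlan 2
Switch(config-if)# end
Switch# show dot1x interface gigabitethernet0/1
Switch# show radius statistics
Switch# copy running-config startup-config
```

A host in the guest VLAN has not been authenticated at all, so that VLAN should carry only what an unknown device is meant to reach; the accounting records and show radius statistics are what tell you whether sessions are actually being reported to the server.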
Beginning in privileged EXEC mode, follow these steps to configure the maximum number of allowed authentication attempts. This procedure is optional.
Step 1 configure terminal -- Enter global configuration mode.
Step 2 interface interface-id -- Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “IEEE 802.

Beginning in privileged EXEC mode, follow these steps to configure the port as a critical port and enable the inaccessible authentication bypass feature. This procedure is optional.
Step 1 configure terminal -- Enter global configuration mode.

Step 4 radius-server host ip-address [acct-port udp-port] [auth-port udp-port] [test username name [idle-time time] [ignore-acct-port] [ignore-auth-port]] [key string] -- (Optional) Configure the RADIUS server parameters by using these keywords:
• acct-port udp-port—Specify the UDP port for the RADIUS accounting server. The range for the UDP port number is from 0 to 65536.

Step 6 interface interface-id -- Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “IEEE 802.1x Authentication Configuration Guidelines” section on page 6-21.

Step 3 dot1x control-direction {both | in} -- Enable IEEE 802.1x authentication with WoL on the port, and use these keywords to configure the port as bidirectional or unidirectional.
• both—Sets the port as bidirectional. The port cannot receive packets from or send packets to the host. By default, the port is bidirectional.
• in—Sets the port as unidirectional.

Configuring IEEE 802.1x Authentication Using a RADIUS Server

You can configure IEEE 802.1x authentication with a RADIUS server. Beginning in privileged EXEC mode, follow these steps to configure IEEE 802.1x authentication with a RADIUS server. The procedure is optional.
Step 1 configure terminal -- Enter global configuration mode.

Step 3 aaa authentication login default group radius -- Use RADIUS authentication. Before you can use this authentication method, you must configure the RADIUS server. For more information, see Chapter 5, “Configuring Switch-Based Authentication.”

Step 3 interface interface-id -- Specify the port to be configured, and enter interface configuration mode.
Step 4 switchport mode access -- Set the port to access mode.
Step 5 ip access-group access-list in -- Specify the default access control list to be applied to network traffic before web authentication.
Step 6 ip admission rule -- Apply an IP admission rule to the interface.

Step 11 exit -- Return to privileged EXEC mode.
Step 12 show dot1x interface interface-id -- Verify your configuration.
Step 13 copy running-config startup-config -- (Optional) Save your entries in the configuration file.
This example shows how to configure IEEE 802.1x authentication with web authentication as a fallback method.

Resetting the IEEE 802.1x Authentication Configuration to the Default Values

Beginning in privileged EXEC mode, follow these steps to reset the IEEE 802.1x authentication configuration to the default values. This procedure is optional.
Step 1 configure terminal -- Enter global configuration mode.

Displaying IEEE 802.1x Statistics and Status
CHAPTER 7 Configuring Interface Characteristics

This chapter defines the types of interfaces on the switch and describes how to configure them.
Understanding Interface Types

VLAN partitions provide hard firewalls for traffic in the VLAN, and each VLAN has its own MAC address table. A VLAN comes into existence when a local port is configured to be associated with the VLAN, when the VLAN Trunking Protocol (VTP) learns of its existence from a neighbor on a trunk, or when a user creates a VLAN.

Trunk Ports

A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN database. These trunk port types are supported:
• In an ISL trunk port, all received packets are expected to be encapsulated with an ISL header, and all transmitted packets are sent with an ISL header. Native (non-tagged) frames received from an ISL trunk port are dropped.
• An IEEE 802.

Using Interface Configuration Mode

Connecting Interfaces

Devices within a single VLAN can communicate directly through any switch. Ports in different VLANs cannot exchange data without going through a routing device. In the configuration shown in Figure 7-1, when Blade Server A in VLAN 20 sends data to Blade Server B in VLAN 30, the data must go from Blade Server A to the switch, to the router, back to the switch, and then to Blade Server B.

Procedures for Configuring Interfaces

These general instructions apply to all interface configuration processes.
Step 1 Enter the configure terminal command at the privileged EXEC prompt:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#
Step 2 Enter the interface global configuration command. Identify the interface type and the number of the connector.

Configuring a Range of Interfaces

You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters. When you enter the interface-range configuration mode, all command parameters that you enter are attributed to all interfaces within that range until you exit this mode.

• You must add a space between the first interface number and the hyphen when using the interface range command. For example, the command interface range gigabitethernet0/1 - 4 is a valid range; the command interface range gigabitethernet0/1-4 is not a valid range.
• The interface range command only works with VLAN interfaces that have been configured with the interface vlan command.

When using the define interface-range global configuration command, note these guidelines:
• Valid entries for interface-range:
– vlan vlan-ID, where the VLAN ID is 1 to 4094
Note Although the command-line interface shows options to set multiple VLANs, these options are not supported.

Configuring Ethernet Interfaces

These sections contain this configuration information:
• Default Ethernet Interface Configuration, page 7-9
• Interface Speed and Duplex Mode, page 7-10
• Configuring IEEE 802.

Table 7-1 Default Layer 2 Ethernet Interface Configuration (continued)
Feature     Default Setting
Port Fast   Disabled. See the “Default Optional Spanning-Tree Configuration” section on page 14-9.
Auto-MDIX   Enabled.
Note The switch might not support a pre-standard powered device—such as Cisco IP phones and access points that do not fully support IEEE 802.

Caution
• If you are connected to a device that does not support autonegotiation, you can configure speed on copper SFP module ports; however, you can only configure fiber SFP module ports to not negotiate (nonegotiate).
• If both ends of the line support autonegotiation, we highly recommend the default setting of auto negotiation.

Use the no speed and no duplex interface configuration commands to return the interface to the default speed and duplex settings (autonegotiate). To return all interface settings to the defaults, use the default interface interface-id interface configuration command.

To disable flow control, use the flowcontrol receive off interface configuration command.

To disable auto-MDIX, use the no mdix auto interface configuration command. This example shows how to enable auto-MDIX on a port:
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# speed auto
Switch(config-if)# duplex auto
Switch(config-if)# mdix auto
Switch(config-if)# end

Adding a Description for an Interface

You can add a description about an interface to help you remember its function.
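The interface range, speed/duplex, auto-MDIX, flow control, default interface and description commands from the sections above applied to a block of ports, as an added example that is not from the guide. The port numbers, the description text and the choice to disable flow control are assumptions for illustration.

```cisco
! Added example, not from the guide; port numbers and the description text are assumed.
Switch# configure terminal
! The space on each side of the hyphen matters: "0/1 - 4" is a valid range, "0/1-4" is not.
Switch(config)# interface range gigabitethernet0/1 - 4
! Everything entered here until "exit" applies to all four ports.
Switch(config-if-range)# description Blade bays 1-4 (assumed label)
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# speed auto
Switch(config-if-range)# duplex auto
Switch(config-if-range)# mdix auto
Switch(config-if-range)# flowcontrol receive off
Switch(config-if-range)# exit
! Return one other port to every default setting in a single step.
Switch(config)# default interface gigabitethernet0/5
Switch(config)# end
! Verify: descriptions for all ports, link status of one port, then zero its counters
! so that later error or drop counts refer to a known starting point.
Switch# show interfaces description
Switch# show interfaces gigabitethernet0/1 status
Switch# clear counters gigabitethernet0/1
```

Leaving speed and duplex at auto matches the guide's recommendation when both ends autonegotiate; a forced speed on one end with auto on the other is a common cause of duplex mismatches that show up as CRC and late-collision counters.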
Configuring the System MTU

Gigabit Ethernet ports are not affected by the system mtu command; 10/100 ports are not affected by the system jumbo mtu command. If you do not configure the system mtu jumbo command, the setting of the system mtu command applies to all Gigabit Ethernet interfaces. You cannot set the MTU size for an individual interface; you set it for all 10/100 or all Gigabit Ethernet interfaces on the switch.

Monitoring and Maintaining the Interfaces

These sections contain interface monitoring and maintenance information:
• Monitoring Interface Status, page 7-16
• Clearing and Resetting Interfaces and Counters, page 7-17
• Shutting Down and Restarting the Interface, page 7-17

Monitoring Interface Status

Commands entered at the privileged EXEC prompt display information about the interface, including the versions of

Clearing and Resetting Interfaces and Counters

Table 7-4 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces.

Table 7-4 Clear Commands for Interfaces
Command                         Purpose
clear counters [interface-id]   Clear interface counters.
clear interface interface-id    Reset the hardware logic on an interface.
CHAPTER 8 Configuring Smartports Macros

This chapter describes how to configure and apply Smartports macros on the switch.

Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Configuring Smartports Macros

Table 8-1 Cisco-Default Smartports Macros (continued)
Macro Name    Description
cisco-phone   Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.

Smartports Macro Configuration Guidelines

Follow these guidelines when configuring macros on your switch:
• When creating a macro, do not use the exit or end commands or change the command mode by using interface interface-id. This could cause commands that follow exit, end, or interface interface-id to execute in a different command mode.
• When creating a macro, all CLI commands should be in the same configuration mode.

Follow these guidelines when you apply a Cisco-default Smartports macro on an interface:
• Display all macros on the switch by using the show parser macro user EXEC command. Display the contents of a specific macro by using the show parser macro macro-name user EXEC command.
• Keywords that begin with $ mean that a unique parameter value is required.

Applying Smartports Macros

Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro:
Step 1 configure terminal -- Enter global configuration mode.
Step 2 macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}] -- Apply each individual command defined in the macro to the switch by entering macro global apply macro-name.

This example shows how to apply the user-created macro called snmp, to set the hostname address to test-server, and to set the IP precedence value to 7:
Switch(config)# macro global apply snmp ADDRESS test-server VALUE 7
This example shows how to debug the user-created macro called snmp by using the macro global trace global configuration command to find any syntax or configuration errors in the macro when it is applied to the switch.

Step 7 macro {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}] -- Append the Cisco-default macro with the required values by using the parameter value keywords, and apply the macro to the interface. Keywords that begin with $ mean that a unique parameter value is required. You can use the macro apply macro-name ? command to display a list of any required values in the macro.

Displaying Smartports Macros

To display the Smartports macros, use one or more of the privileged EXEC commands in Table 8-2.

Table 8-2 Commands for Displaying Smartports Macros
Command                             Purpose
show parser macro                   Displays all configured macros.
show parser macro name macro-name   Displays a specific macro.
show parser macro brief             Displays the configured macro names.
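A user-defined macro built according to the guidelines above (one configuration mode, no exit or end inside the macro), traced and applied globally with the ADDRESS and VALUE parameters the guide's snmp example uses, followed by the Cisco-default cisco-desktop macro applied to one port and the show commands from Table 8-2. This is an added example, not the guide's own; the macro body, the #macro keywords line, the port gigabitethernet0/2 and the access VLAN 35 are assumptions.

```cisco
! Added example, not from the guide. The macro body, the port and VLAN 35 are assumed.
Switch# configure terminal
! Define the user macro "snmp". ADDRESS and VALUE are replaced by the parameter
! values given at apply time. "#macro keywords" (assumed) names the parameters so
! that "macro apply snmp ?" can list them; "@" ends the macro definition.
Switch(config)# macro name snmp
#macro keywords ADDRESS VALUE
snmp-server enable traps port-security
snmp-server host ADDRESS
snmp-server ip precedence VALUE
@
! trace applies the macro and reports each command, so a syntax or mode error is
! visible in the output instead of silently leaving a half-applied configuration.
Switch(config)# macro global trace snmp ADDRESS test-server VALUE 7
! Cisco-default macro on one port; $AVID is the required access VLAN parameter.
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# macro apply cisco-desktop $AVID 35
Switch(config-if)# end
! Verify what exists, what the macro contains, and which macro is applied where.
Switch# show parser macro brief
Switch# show parser macro name snmp
Switch# show parser macro description interface gigabitethernet0/2
```

After a macro is applied, the resulting interface configuration is ordinary running configuration; review it with show running-config interface before saving, since the macro description only records which macro was applied, not what it did.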
CHAPTER 9 Configuring VLANs

This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS).

Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 9 Configuring VLANs Understanding VLANs Figure 9-1 shows an example of VLANs segmented into logically defined networks. Figure 9-1 VLANs as Logically Defined Networks Engineering VLAN Marketing VLAN Accounting VLAN Cisco router Floor 3 Gigabit Ethernet Floor 2 90571 Floor 1 VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
Chapter 9 Configuring VLANs Understanding VLANs VLAN Port Membership Modes You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries and the number of VLANs to which it can belong. Table 9-1 lists the membership modes and membership and VTP characteristics.
Chapter 9 Configuring VLANs Configuring Normal-Range VLANs Configuring Normal-Range VLANs Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or VTP transparent mode, you can add, modify or remove configurations for VLANs 2 to 1001 in the VLAN database. (VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
Chapter 9 Configuring VLANs Configuring Normal-Range VLANs These sections contain normal-range VLAN configuration information: • Token Ring VLANs, page 9-5 • Normal-Range VLAN Configuration Guidelines, page 9-5 • VLAN Configuration Mode Options, page 9-6 • Saving VLAN Configuration, page 9-7 • Default Ethernet VLAN Configuration, page 9-7 • Creating or Modifying an Ethernet VLAN, page 9-8 • Deleting a VLAN, page 9-10 • Assigning Static-Access Ports to a VLAN, page 9-10 Token Ring VLANs Alt
Chapter 9 Configuring VLANs Configuring Normal-Range VLANs the network, this could create a loop in the new VLAN that would not be broken, particularly if there are several adjacent switches that all have run out of spanning-tree instances. You can prevent this possibility by setting allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances.
Chapter 9 Configuring VLANs Configuring Normal-Range VLANs Saving VLAN Configuration The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database (vlan.dat file). If the VTP mode is transparent, they are also saved in the switch running configuration file. You can enter the copy running-config startup-config privileged EXEC command to save the configuration in the startup configuration file. To display the VLAN configuration, enter the show vlan privileged EXEC command.
Chapter 9 Configuring VLANs Configuring Normal-Range VLANs Table 9-2 Ethernet VLAN Defaults and Ranges (continued) Parameter Default Range Translational bridge 1 0 0 to 1005 Translational bridge 2 0 0 to 1005 VLAN state active active, suspend Remote SPAN disabled enabled, disabled Creating or Modifying an Ethernet VLAN Each Ethernet VLAN in the VLAN database has a unique, 4-digit ID that can be a number from 1 to 1001. VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs.
To return the VLAN name, MTU, or remote SPAN state to the default settings, use the no name, no mtu, or no remote-span config-vlan commands. This example shows how to use config-vlan mode to create Ethernet VLAN 20, name it test20, and add it to the VLAN database:

Switch# configure terminal
Switch(config)# vlan 20
Switch(config-vlan)# name test20
Switch(config-vlan)# end

You can also create or modify Ethernet VLANs by using the VLAN database configuration mode.
Chapter 9 Configuring VLANs Configuring Normal-Range VLANs Deleting a VLAN When you delete a VLAN from a switch that is in VTP server mode, the VLAN is removed from the VLAN database for all switches in the VTP domain. When you delete a VLAN from a switch that is in VTP transparent mode, the VLAN is deleted only on that specific switch. You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005.
Step 3: switchport mode access
  Define the VLAN membership mode for the port (Layer 2 access port).
Step 4: switchport access vlan vlan-id
  Assign the port to a VLAN. Valid VLAN IDs are 1 to 4094.
Step 5: end
  Return to privileged EXEC mode.
Step 6: show running-config interface interface-id
  Verify the VLAN membership mode of the interface.
Chapter 9 Configuring VLANs Configuring Extended-Range VLANs Default VLAN Configuration See Table 9-2 on page 9-7 for the default configuration for Ethernet VLANs. You can change only the MTU size and the remote SPAN configuration state on extended-range VLANs; all other characteristics must remain at the default state.
Beginning in privileged EXEC mode, follow these steps to create an extended-range VLAN:

Step 1: configure terminal
  Enter global configuration mode.
Step 2: vtp mode transparent
  Configure the switch for VTP transparent mode, disabling VTP.
Step 3: vlan vlan-id
  Enter an extended-range VLAN ID and enter config-vlan mode. The range is 1006 to 4094.
Step 4: mtu mtu-size
  (Optional) Modify the VLAN by changing the MTU size.
Chapter 9 Configuring VLANs Displaying VLANs Displaying VLANs Use the show vlan privileged EXEC command to display a list of all VLANs on the switch, including extended-range VLANs. The display includes VLAN status, ports, and configuration information. To view normal-range VLANs in the VLAN database (1 to 1005), use the show VLAN database configuration command (accessed by entering the vlan database privileged EXEC command). Table 9-3 lists the commands for monitoring VLANs.
Figure 9-2 shows a network of blade switches that are connected by ISL trunks.

Figure 9-2 Blade Switches in an ISL Trunking Environment (figure: a Catalyst 6500 series switch connected by ISL trunks to several blade switches carrying VLAN1, VLAN2, and VLAN3)

You can configure a trunk on a single Ethernet interface or on an EtherChannel bundle.
Table 9-4 Layer 2 Interface Modes

Mode: switchport mode access
  Function: Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether or not the neighboring interface is a trunk interface.
Mode: switchport mode dynamic auto
  Function: Makes the interface able to convert the link to a trunk link.
Chapter 9 Configuring VLANs Configuring VLAN Trunks • Make sure the native VLAN for an IEEE 802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk is different from the native VLAN on the other end, spanning-tree loops might result. • Disabling spanning tree on the native VLAN of an IEEE 802.1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning-tree loops.
Chapter 9 Configuring VLANs Configuring VLAN Trunks Interaction with Other Features Trunking interacts with other features in these ways: • A trunk port cannot be a secure port. • Trunk ports can be grouped into EtherChannel port groups, but all trunks in the group must have the same configuration. When a group is first created, all ports follow the parameters set for the first port to be added to the group.
Step 5: switchport access vlan vlan-id
  (Optional) Specify the default VLAN, which is used if the interface stops trunking.
Step 6: switchport trunk native vlan vlan-id
  Specify the native VLAN for IEEE 802.1Q trunks.
Step 7: end
  Return to privileged EXEC mode.
Chapter 9 Configuring VLANs Configuring VLAN Trunks A trunk port can become a member of a VLAN if the VLAN is enabled, if VTP knows of the VLAN, and if the VLAN is in the allowed list for the port. When VTP detects a newly enabled VLAN and the VLAN is in the allowed list for a trunk port, the trunk port automatically becomes a member of the enabled VLAN. When VTP detects a new VLAN and the VLAN is not in the allowed list for a trunk port, the trunk port does not become a member of the new VLAN.
Step 3: switchport trunk pruning vlan {add | except | none | remove} vlan-list [,vlan[,vlan[,,,]]
  Configure the list of VLANs allowed to be pruned from the trunk. (See the “VTP Pruning” section on page 10-4.) For explanations about using the add, except, none, and remove keywords, see the command reference for this release. Separate nonconsecutive VLAN IDs with a comma and no spaces; use a hyphen to designate a range of IDs.
To return to the default native VLAN, VLAN 1, use the no switchport trunk native vlan interface configuration command. If a packet has a VLAN ID that is the same as the outgoing port native VLAN ID, the packet is sent untagged; otherwise, the switch sends the packet with a tag.

Configuring Trunk Ports for Load Sharing
Load sharing divides the bandwidth supplied by parallel trunks connecting switches.
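The two rules in the trunking guidelines above (the native VLAN must match on both ends of an IEEE 802.1Q trunk, and a frame whose VLAN equals the egress port's native VLAN leaves untagged) can be checked offline from show interfaces trunk output collected from each switch. The following Python is an added example, not code from the configuration guide; the two outputs it parses are constructed sample text, and the port-to-port link map is an assumption of the example.

```python
"""Native VLAN consistency check and 802.1Q egress tagging decision.

Added example (not from the guide). The `show interfaces trunk` text below is
constructed sample output, not captured from a switch.
"""
import re

# Constructed sample output: the same two links seen from each end.
SWITCH_A_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
Gi0/2       on               802.1q         trunking      99
"""

SWITCH_B_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
Gi0/2       on               802.1q         trunking      100
"""

# port, mode, encapsulation, status, native vlan
LINE_RE = re.compile(r"^(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_trunks(text):
    """Return {port: native_vlan} for every port that is trunking with 802.1Q."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "802.1q" and m.group(3) == "trunking":
            result[m.group(1)] = int(m.group(4))
    return result


def native_vlan_mismatches(local_text, remote_text, links):
    """links maps a local trunk port to the remote port on the same cable
    (an assumption supplied by the operator). Returns a list of
    (local_port, local_native, remote_port, remote_native) tuples for links
    whose two ends disagree, the condition the guide says can cause
    spanning-tree loops."""
    local = parse_trunks(local_text)
    remote = parse_trunks(remote_text)
    bad = []
    for lp, rp in links.items():
        if lp in local and rp in remote and local[lp] != remote[rp]:
            bad.append((lp, local[lp], rp, remote[rp]))
    return bad


def egress_tagging(frame_vlan, port_native_vlan):
    """'untagged' when the frame's VLAN equals the egress port's native VLAN,
    otherwise 'tagged', as described for IEEE 802.1Q trunks."""
    return "untagged" if frame_vlan == port_native_vlan else "tagged"


if __name__ == "__main__":
    link_map = {"Gi0/1": "Gi0/1", "Gi0/2": "Gi0/2"}  # assumed cabling
    for lp, ln, rp, rn in native_vlan_mismatches(SWITCH_A_TRUNK, SWITCH_B_TRUNK, link_map):
        print(f"native VLAN mismatch: A {lp} = {ln}, B {rp} = {rn}")
    print(egress_tagging(99, 99), egress_tagging(10, 99))
```

Run the check on the output of both switches before bringing a trunk up; the mismatch list should be empty, and any entry is one trunk to fix with switchport trunk native vlan on one side.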
Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 9-3.

Step 1: configure terminal
  Enter global configuration mode on Switch A.
Step 2: vtp domain domain-name
  Configure a VTP administrative domain. The domain name can be 1 to 32 characters.
Step 3: vtp mode server
  Configure Switch A as the VTP server.
Step 4: end
  Return to privileged EXEC mode.
Chapter 9 Configuring VLANs Configuring VLAN Trunks Load Sharing Using STP Path Cost You can configure parallel trunks to share VLAN traffic by setting different path costs on a trunk and associating the path costs with different sets of VLANs, blocking different ports for different VLANs. The VLANs keep the traffic separate and maintain redundancy in the event of a lost link. In Figure 9-4, Trunk ports 1 and 2 are configured as 100BASE-T ports.
Step 12: spanning-tree vlan 2-4 cost 30
  Set the spanning-tree path cost to 30 for VLANs 2 through 4.
Step 13: end
  Return to global configuration mode.
Step 14: Repeat Steps 9 through 13 on the other configured trunk interface on Switch A, and set the spanning-tree path cost to 30 for VLANs 8, 9, and 10.
Step 15: exit
  Return to privileged EXEC mode.
Step 16: show running-config
  Verify your entries.
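The path-cost load-sharing procedure above works because, for each VLAN, spanning tree forwards on the trunk with the lower root path cost and blocks the other. The following Python is an added example, not code from the guide, that models the Figure 9-4 arrangement: two 100BASE-T trunk ports, cost 30 applied to VLANs 2 through 4 on one port and to VLANs 8 through 10 on the other. It assumes the IEEE 802.1D default cost of 19 for 100 Mb/s links, and it breaks ties by port name as a stand-in for the port ID comparison the protocol actually performs; the port names are constructed.

```python
"""Per-VLAN forwarding port for parallel trunks with different STP path costs.

Added example (not from the guide). Assumes the IEEE 802.1D default cost of
19 for a 100 Mb/s port and breaks ties by port name (a simplification of the
port ID tie-break).
"""
DEFAULT_COST_100M = 19


def expand_vlan_list(spec):
    """Expand an IOS-style VLAN list such as '2-4,8,9,10' into sorted ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return sorted(vlans)


def build_cost_table(overrides, vlans, default_cost=DEFAULT_COST_100M):
    """overrides: {port: {"vlan_spec": str, "cost": int}}, one entry per
    'spanning-tree vlan <list> cost <n>' command. Returns {port: {vlan: cost}}."""
    table = {}
    for port, cfg in overrides.items():
        raised = set(expand_vlan_list(cfg["vlan_spec"]))
        table[port] = {v: (cfg["cost"] if v in raised else default_cost) for v in vlans}
    return table


def forwarding_port(cost_table, vlan):
    """Lower path cost wins; on a tie the lower port name is used (assumption)."""
    return min(cost_table, key=lambda p: (cost_table[p][vlan], p))


def load_sharing_plan(cost_table, vlans):
    """Map each VLAN to the trunk port that will forward it."""
    return {v: forwarding_port(cost_table, v) for v in vlans}


# Constructed configuration matching Steps 12 and 14 of the procedure.
TRUNK_COSTS = {
    "Gi0/1": {"vlan_spec": "2-4", "cost": 30},   # VLANs 2-4 made expensive here
    "Gi0/2": {"vlan_spec": "8-10", "cost": 30},  # VLANs 8-10 made expensive here
}

if __name__ == "__main__":
    vlans = expand_vlan_list("2-10")
    plan = load_sharing_plan(build_cost_table(TRUNK_COSTS, vlans), vlans)
    for v, port in plan.items():
        print(f"VLAN {v}: forwarding on {port}")
```

VLANs 2 through 4 end up on Gi0/2 and VLANs 8 through 10 on Gi0/1; VLANs with no cost override (5 through 7 here) tie and all land on the same port, which is why the guide's procedure assigns every VLAN that matters to one list or the other.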
• If the VLAN is not allowed on the port and the VMPS is in secure mode, the VMPS sends a port-shutdown response.

If the port already has a VLAN assignment, the VMPS provides one of these responses:
• If the VLAN in the database matches the current VLAN on the port, the VMPS sends a success response, allowing access to the host.
Table 9-7 Default VMPS Client and Dynamic-Access Port Configuration

Feature                    Default Setting
VMPS server retry count    3
Dynamic-access ports       None configured

VMPS Configuration Guidelines
These guidelines and restrictions apply to dynamic-access port VLAN membership:
• You should configure the VMPS before you configure ports as dynamic-access ports.
Beginning in privileged EXEC mode, follow these steps to enter the IP address of the VMPS:

Step 1: configure terminal
  Enter global configuration mode.
Step 2: vmps server ipaddress primary
  Enter the IP address of the switch acting as the primary VMPS server.
Step 3: vmps server ipaddress
  (Optional) Enter the IP address of the switch acting as a secondary VMPS server. You can enter up to three secondary server addresses.
Reconfirming VLAN Memberships
Beginning in privileged EXEC mode, follow these steps to confirm the dynamic-access port VLAN membership assignments that the switch has received from the VMPS:

Step 1: vmps reconfirm
  Reconfirm dynamic-access port VLAN membership.
Step 2: show vmps
  Verify the dynamic VLAN reconfirmation status.
Chapter 9 Configuring VLANs Configuring VMPS Monitoring the VMPS You can display information about the VMPS by using the show vmps privileged EXEC command. The switch displays this information about the VMPS: • VMPS VQP Version—the version of VQP used to communicate with the VMPS. The switch queries the VMPS that is using VQP Version 1. • Reconfirm Interval—the number of minutes the switch waits before reconfirming the VLAN-to-MAC-address assignments.
• End stations are connected to the clients, Switch B and Switch I.
• The database configuration file is stored on the TFTP server with the IP address 172.20.22.7.

Figure 9-5 Dynamic Port VLAN Membership Configuration (figure: a TFTP server, a Catalyst 6500 series switch A acting as primary VMPS server 1, a router, client switch B with end station 1 on a dynamic-access port and a trunk port, and switches C, D, and E; addresses shown include 172.20.22.7, 172.20.26.150, 172.20.26.151, 172.20.26.152, and 172.20.26.153)
C H A P T E R 10 Configuring VTP This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the switch. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 10 Configuring VTP Understanding VTP These sections contain this conceptual information: • The VTP Domain, page 10-2 • VTP Modes, page 10-3 • VTP Advertisements, page 10-3 • VTP Version 2, page 10-4 • VTP Pruning, page 10-4 The VTP Domain A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain.
Chapter 10 Configuring VTP Understanding VTP VTP Modes You can configure a supported switch to be in one of the VTP modes listed in Table 10-1. Table 10-1 VTP Modes VTP Mode Description VTP server In VTP server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as the VTP version) for the entire VTP domain.
• MD5 digest
• VLAN configuration, including maximum transmission unit (MTU) size for each VLAN.
• Frame format

VTP advertisements distribute this VLAN information for each configured VLAN:
• VLAN IDs (ISL and IEEE 802.1Q)
• VLAN name
• VLAN type
• VLAN state
• Additional VLAN configuration information specific to the VLAN type

VTP Version 2
If you use VTP in your network, you must decide whether to use Version 1 or Version 2.
Chapter 10 Configuring VTP Understanding VTP Figure 10-1 shows a switched network without VTP pruning enabled. Port 1 on Switch A and Port 2 on Switch D are assigned to the Red VLAN. If a broadcast is sent from the host connected to Switch A, Switch A floods the broadcast and every switch in the network receives it, even though Switches C, E, and F have no ports in the Red VLAN.
Chapter 10 Configuring VTP Configuring VTP See the “Enabling VTP Pruning” section on page 10-14. VTP pruning takes effect several seconds after you enable it. VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs higher than 1005) are also pruning-ineligible. VTP pruning is not designed to function in VTP transparent mode.
Chapter 10 Configuring VTP Configuring VTP VTP Configuration Options You can configure VTP by using these configuration modes. • VTP Configuration in Global Configuration Mode, page 10-7 • VTP Configuration in VLAN Database Configuration Mode, page 10-7 You access VLAN database configuration mode by entering the vlan database privileged EXEC command. For detailed information about vtp commands, see the command reference for this release.
Chapter 10 Configuring VTP Configuring VTP VTP Configuration Guidelines These sections describe guidelines you should follow when implementing VTP in your network. Domain Names When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name. Switches in VTP transparent mode do not exchange VTP messages with other switches, and you do not need to configure a VTP domain name for them.
Chapter 10 Configuring VTP Configuring VTP • Do not enable VTP Version 2 on a switch unless all of the switches in the same VTP domain are Version-2-capable. When you enable Version 2 on a switch, all of the Version-2-capable switches in the domain enable Version 2. If there is a Version 1-only switch, it does not exchange VTP information with switches that have Version 2 enabled.
Chapter 10 Configuring VTP Configuring VTP When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain. To return the switch to a no-password state, use the no vtp password global configuration command.
Chapter 10 Configuring VTP Configuring VTP Configuring a VTP Client When a switch is in VTP client mode, you cannot change its VLAN configuration. The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly. Follow these guidelines: Caution • If extended-range VLANs are configured on the switch, you cannot change VTP mode to client. You receive an error message, and the configuration is not allowed.
Chapter 10 Configuring VTP Configuring VTP Disabling VTP (VTP Transparent Mode) When you configure the switch for VTP transparent mode, VTP is disabled on the switch. The switch does not send VTP updates and does not act on VTP updates received from other switches. However, a VTP transparent switch running VTP Version 2 does forward received VTP advertisements on its trunk links.
Chapter 10 Configuring VTP Configuring VTP Enabling VTP Version 2 VTP Version 2 is disabled by default on VTP Version 2-capable switches. When you enable VTP Version 2 on a switch, every VTP Version 2-capable switch in the VTP domain enables Version 2. You can only configure the version when the switches are in VTP server or transparent mode. Caution VTP Version 1 and VTP Version 2 are not interoperable on switches in the same VTP domain. Every switch in the VTP domain must use the same VTP version.
Enabling VTP Pruning
Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode. Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the VTP domain:

Step 1: configure terminal
  Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain:

Step 1: show vtp status
  Check the VTP configuration revision number. If the number is 0, add the switch to the VTP domain. If the number is greater than 0, follow these steps:
  a. Write down the domain name.
  b. Write down the configuration revision number.
  c.
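The revision check in Step 1 matters because a VTP server or client whose configuration revision is higher than the domain's will propagate its own VLAN database to the domain once it joins, so the guide asks for a revision of 0 before connecting a switch. The following Python is an added example, not code from the guide: it parses show vtp status output and applies that rule. Both status dumps are constructed sample text, and the domain name LAB-DOMAIN is an assumption.

```python
"""Pre-insertion VTP check: parse `show vtp status` and apply the guide's rule
that a switch is added only when its configuration revision is 0.

Added example (not from the guide). Both outputs below are constructed.
"""

# Constructed: a switch that was used elsewhere and still carries revision 17.
USED_SWITCH_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 17
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 9
VTP Operating Mode              : Server
VTP Domain Name                 : LAB-DOMAIN
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
"""

# Constructed: a freshly reset switch.
FRESH_SWITCH_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
"""


def parse_vtp_status(text):
    """Split 'Key : Value' lines into a dict; keys and values are stripped."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def vtp_precheck(text):
    """Return the values Step 1 tells you to write down, plus a verdict.

    safe_to_add is True only when the configuration revision is 0; any other
    value means the revision must be reset before the switch joins the domain.
    """
    fields = parse_vtp_status(text)
    revision = int(fields.get("Configuration Revision", "0") or 0)
    return {
        "domain": fields.get("VTP Domain Name", ""),
        "revision": revision,
        "mode": fields.get("VTP Operating Mode", ""),
        "safe_to_add": revision == 0,
    }


if __name__ == "__main__":
    for name, dump in (("used", USED_SWITCH_STATUS), ("fresh", FRESH_SWITCH_STATUS)):
        r = vtp_precheck(dump)
        verdict = "add to domain" if r["safe_to_add"] else "reset revision first"
        print(f"{name}: domain={r['domain']!r} revision={r['revision']} "
              f"mode={r['mode']} -> {verdict}")
```

Run it against the captured show vtp status of every switch before cabling it into a domain; a switch reporting anything other than revision 0 goes through the reset steps first.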
Monitoring VTP
You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 10-3 shows the privileged EXEC commands for monitoring VTP activity.

Table 10-3 VTP Monitoring Commands
show vtp status: Display the VTP switch configuration information.
C H A P T E R 11 Configuring Voice VLAN This chapter describes how to configure the voice VLAN feature on the switch. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6500 family switch documentation. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Figure 11-1 shows one way to connect a Cisco 7960 IP Phone.

Figure 11-1 Cisco 7960 IP Phone Connected to a Switch (figure: the Cisco IP Phone 7960 contains a 3-port switch with ports P1, P2, and P3 connecting the switch access port, the phone ASIC, and a PC)

Cisco IP Phone Voice Traffic
You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.
Chapter 11 Configuring Voice VLAN Configuring Voice VLAN Note Untagged traffic from the device attached to the Cisco IP Phone passes through the phone unchanged, regardless of the trust state of the access port on the phone.
Chapter 11 Configuring Voice VLAN Configuring Voice VLAN • If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN: – They both use IEEE 802.1p or untagged frames. – The Cisco IP Phone uses IEEE 802.1p frames, and the device uses untagged frames. – The Cisco IP Phone uses untagged frames, and the device uses IEEE 802.1p frames. – The Cisco IP Phone uses IEEE 802.
Chapter 11 Configuring Voice VLAN Configuring Voice VLAN Configuring Cisco IP Phone Voice Traffic You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value. It can use IEEE 802.1p priority tagging to give voice traffic a higher priority and forward all voice traffic through the native (access) VLAN.
Chapter 11 Configuring Voice VLAN Displaying Voice VLAN To return the port to its default setting, use the no switchport voice vlan interface configuration command. Configuring the Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.
C H A P T E R 12 Configuring STP This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
Chapter 12 Configuring STP Understanding Spanning-Tree Features • Spanning-Tree Interoperability and Backward Compatibility, page 12-10 • STP and IEEE 802.1Q Trunks, page 12-10 For configuration information, see the “Configuring Spanning-Tree Features” section on page 12-10. For information about optional spanning-tree features, see Chapter 14, “Configuring Optional Spanning-Tree Features.
Chapter 12 Configuring STP Understanding Spanning-Tree Features Spanning-Tree Topology and BPDUs The stable, active spanning-tree topology of a switched network is controlled by these elements: • The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch. • The spanning-tree path cost to the root switch. • The port identifier (port priority and MAC address) associated with each Layer 2 interface.
Bridge ID, Switch Priority, and Extended System ID
The IEEE 802.1D standard requires that each switch has a unique bridge identifier (bridge ID), which controls the selection of the root switch. Because each VLAN is considered a different logical bridge with PVST+ and rapid PVST+, the same switch must have a different bridge ID for each configured VLAN. Each VLAN on the switch has a unique 8-byte bridge ID.
Chapter 12 Configuring STP Understanding Spanning-Tree Features An interface moves through these states: • From initialization to blocking • From blocking to listening or to disabled • From listening to learning or to disabled • From learning to forwarding or to disabled • From forwarding to disabled Figure 12-1 illustrates how an interface moves through the states.
Chapter 12 Configuring STP Understanding Spanning-Tree Features Blocking State A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each switch interface. A switch initially functions as the root until it exchanges BPDUs with other switches. This exchange establishes which switch in the network is the root or root switch.
Chapter 12 Configuring STP Understanding Spanning-Tree Features Disabled State A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational.
Chapter 12 Configuring STP Understanding Spanning-Tree Features Spanning Tree and Redundant Connectivity You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure 12-3. Spanning tree automatically disables one interface but enables it if the other one fails. If one link is high-speed and the other is low-speed, the low-speed link is always disabled.
Chapter 12 Configuring STP Understanding Spanning-Tree Features Because each VLAN is a separate spanning-tree instance, the switch accelerates aging on a per-VLAN basis. A spanning-tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch.
Chapter 12 Configuring STP Configuring Spanning-Tree Features Spanning-Tree Interoperability and Backward Compatibility Table 12-2 lists the interoperability and compatibility among the supported spanning-tree modes in a network.
Chapter 12 Configuring STP Configuring Spanning-Tree Features • Disabling Spanning Tree, page 12-14 (optional) • Configuring the Root Switch, page 12-14 (optional) • Configuring a Secondary Root Switch, page 12-16 (optional) • Configuring Port Priority, page 12-16 (optional) • Configuring Path Cost, page 12-18 (optional) • Configuring the Switch Priority of a VLAN, page 12-19 (optional) • Configuring Spanning-Tree Timers, page 12-20 (optional) Default Spanning-Tree Configuration Table 12-3 s
Chapter 12 Configuring STP Configuring Spanning-Tree Features Spanning-Tree Configuration Guidelines If more VLANs are defined in the VTP than there are spanning-tree instances, you can enable PVST+ or rapid PVST+ on only 128 VLANs on the switch. The remaining VLANs operate with spanning tree disabled. However, you can map multiple VLANs to the same spanning-tree instances by using MSTP. For more information, see Chapter 13, “Configuring MSTP.
Changing the Spanning-Tree Mode
The switch supports three spanning-tree modes: PVST+, rapid PVST+, and MSTP. By default, the switch runs the PVST+ protocol. Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. This procedure is required if you want to enable a mode that is different from the default mode.

Step 1: configure terminal
  Enter global configuration mode.
Chapter 12 Configuring STP Configuring Spanning-Tree Features Disabling Spanning Tree Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in the “Supported Spanning-Tree Instances” section on page 12-9. Disable spanning tree only if you are sure there are no loops in the network topology.
Chapter 12 Configuring STP Configuring Spanning-Tree Features Note The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root. Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).
Chapter 12 Configuring STP Configuring Spanning-Tree Features Configuring a Secondary Root Switch When you configure a switch as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails. This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch.
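The 8-byte bridge ID described under "Bridge ID, Switch Priority, and Extended System ID" is what makes the secondary-root trick above work: the 2-byte priority field is the configured priority (a multiple of 4096) plus the VLAN ID as the extended system ID, followed by the 6-byte MAC address, and the numerically lowest bridge ID wins the root election. The following Python is an added example, not code from the guide, that builds bridge IDs and runs the election for a VLAN; the switch names and MAC addresses are constructed.

```python
"""Bridge ID with extended system ID, and root election for one VLAN.

Added example (not from the guide). Bridge ID = 2-byte priority field
(priority in multiples of 4096 + VLAN ID) followed by the 6-byte MAC address;
the lowest value wins. Switch names and MAC addresses below are constructed.
"""
DEFAULT_PRIORITY = 32768          # value the guide gives for other switches
SECONDARY_ROOT_PRIORITY = 28672   # value set by the secondary-root procedure


def parse_mac(mac):
    """Accept 0000.0c12.3456, 00:00:0c:12:34:56 or 00-00-0c-12-34-56."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    raw = bytes.fromhex(digits)
    if len(raw) != 6:
        raise ValueError(f"MAC address must be 6 bytes: {mac}")
    return raw


def bridge_id(priority, vlan, mac):
    """Return the 8-byte bridge ID for this switch in this VLAN."""
    if priority % 4096 != 0 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1 to 4094")
    # The VLAN ID occupies the low 12 bits of the priority field.
    return (priority + vlan).to_bytes(2, "big") + parse_mac(mac)


def priority_field(priority, vlan):
    """The number `show spanning-tree` reports as the bridge priority."""
    return int.from_bytes(bridge_id(priority, vlan, "00:00:00:00:00:00")[:2], "big")


def elect_root(switches, vlan):
    """switches: iterable of (name, priority, mac). Lowest bridge ID wins."""
    return min(switches, key=lambda s: bridge_id(s[1], vlan, s[2]))[0]


# Constructed switches: B has the highest MAC but the secondary-root priority.
SWITCHES = [
    ("A", DEFAULT_PRIORITY, "0000.0c00.0001"),
    ("B", SECONDARY_ROOT_PRIORITY, "0000.0cff.ffff"),
    ("C", DEFAULT_PRIORITY, "0000.0c00.0002"),
]

if __name__ == "__main__":
    print("bridge ID of A in VLAN 1:", bridge_id(*SWITCHES[0][1:], vlan=1).hex()
          if False else bridge_id(SWITCHES[0][1], 1, SWITCHES[0][2]).hex())
    print("root for VLAN 1:", elect_root(SWITCHES, 1))
    print("root for VLAN 1 without B:", elect_root([s for s in SWITCHES if s[0] != "B"], 1))
```

Because the priority field is compared before the MAC address, a switch at 28672 beats every switch left at the default 32768 regardless of MAC address; among equal priorities the lowest MAC address wins, which is the "unlikely to become the root" case the guide describes.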
Beginning in privileged EXEC mode, follow these steps to configure the port priority of an interface. This procedure is optional.

Step 1: configure terminal
  Enter global configuration mode.
Step 2: interface interface-id
  Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces (port-channel port-channel-number).
Chapter 12 Configuring STP Configuring Spanning-Tree Features Configuring Path Cost The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values that you want selected last.
Chapter 12 Configuring STP Configuring Spanning-Tree Features To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree path costs, see the “Configuring Trunk Ports for Load Sharing” section on page 9-22. Configuring the Switch Priority of a VLAN You can configure the switch priority and make it more likely that the switch will be chosen as the root switch.
Configuring Spanning-Tree Timers
Table 12-4 describes the timers that affect the entire spanning-tree performance.

Table 12-4 Spanning-Tree Timers
Hello timer: Controls how often the switch broadcasts hello messages to other switches.
Forward-delay timer: Controls how long each of the listening and learning states last before the interface begins forwarding.
Configuring the Forwarding-Delay Time for a VLAN
Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional.

Step 1: configure terminal
  Enter global configuration mode.
Step 2: spanning-tree vlan vlan-id forward-time seconds
  Configure the forward time of a VLAN.
Chapter 12 Configuring STP Displaying the Spanning-Tree Status Configuring the Transmit Hold-Count You can configure the BPDU burst size by changing the transmit hold count value. Note Changing this parameter to a higher value can have a significant impact on CPU utilization, especially in Rapid-PVST mode. Lowering this value can slow down convergence in certain scenarios. We recommend that you maintain the default setting.
Chapter 13 Configuring MSTP
This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the switch.

Note The multiple spanning-tree (MST) implementation in Cisco IOS Release 12.2(25)SED is based on the IEEE 802.1s standard. The MST implementations in earlier Cisco IOS releases are prestandard.
Chapter 13 Configuring MSTP Understanding MSTP Understanding MSTP MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.
Chapter 13 Configuring MSTP Understanding MSTP IST, CIST, and CST Unlike PVST+ and rapid PVST+ in which all the spanning-tree instances are independent, the MSTP establishes and maintains two types of spanning trees: • An internal spanning tree (IST), which is the spanning tree that runs in an MST region. Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST).
Chapter 13 Configuring MSTP Understanding MSTP For correct operation, all switches in the MST region must agree on the same CIST regional root. Therefore, any two switches in the region only synchronize their port roles for an MST instance if they converge to a common CIST regional root. Operations Between MST Regions If there are multiple regions or legacy IEEE 802.
Chapter 13 Configuring MSTP Understanding MSTP hello time, forward time, max-age, and max-hops) are configured only on the CST instance but affect all MST instances. Parameters related to the spanning-tree topology (for example, switch priority, port VLAN cost, and port VLAN priority) can be configured on both the CST instance and the MST instance. MSTP switches use Version 3 RSTP BPDUs or IEEE 802.1D STP BPDUs to communicate with legacy IEEE 802.1D switches.
Chapter 13 Configuring MSTP Understanding MSTP maximum value. When a switch receives this BPDU, it decrements the received remaining hop count by one and propagates this value as the remaining hop count in the BPDUs it generates. When the count reaches zero, the switch discards the BPDU and ages the information held for the port.
Chapter 13 Configuring MSTP Understanding MSTP Port Role Naming Change The boundary role is no longer in the final MST standard, but this boundary concept is maintained in Cisco’s implementation. However, an MST instance port at a boundary of the region might not follow the state of the corresponding CIST port.
Chapter 13 Configuring MSTP Understanding RSTP Detecting Unidirectional Link Failure This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
These sections describe how the RSTP works:
• Port Roles and the Active Topology, page 13-9
• Rapid Convergence, page 13-10
• Synchronization of Port Roles, page 13-11
• Bridge Protocol Data Unit Format and Processing, page 13-12
For configuration information, see the “Configuring MSTP Features” section on page 13-14.
Rapid Convergence
The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN. It provides rapid convergence for edge ports, new root ports, and ports connected through point-to-point links as follows:
• Edge ports—If you configure a port as an edge port on an RSTP switch by using the spanning-tree portfast interface configuration command, the edge port immediately transitions to the forwarding state.
Figure 13-4 Proposal and Agreement Handshaking for Rapid Convergence (figure not reproduced; it shows Switch A, Switch B, Switch C, and the root switch exchanging Proposal and Agreement messages; DP = designated port, RP = root port, F = forwarding)
Synchronization of Port Roles
When the switch receives a proposal message on one of its ports and that port is selected as the new root port
After ensuring that all of the ports are synchronized, the switch sends an agreement message to the designated switch corresponding to its root port. When the switches connected by a point-to-point link are in agreement about their port roles, the RSTP immediately transitions the port states to forwarding. The sequence of events is shown in Figure 13-5.
Figure 13-5 Sequence of Events During Rapid Convergence (figure not reproduced; its numbered steps include 1. Proposal and 4. Agreement)
The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN. The port role in the proposal message is always set to the designated port. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal. The port role in the agreement message is always set to the root port. The RSTP does not have a separate topology change notification (TCN) BPDU.
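The sync step is the part of the handshake that keeps a loop from opening while a new root port comes up. The following is an added example, not code from the guide or from Cisco: a small Python model of a switch that receives a proposal on the port just selected as its root port, blocks every non-edge designated port, leaves edge (Port Fast) ports alone, and only then returns the agreement with the root-port role set, as the text describes. Switch and port names, the Port and Bpdu fields, and the topology in build_example are assumptions made for the demonstration.

```python
"""Toy model of the RSTP proposal/agreement sync described above.
Added example, not code from the guide; switch and port names are made up."""
from dataclasses import dataclass, field

DESIGNATED, ROOT, ALTERNATE = "designated", "root", "alternate"
FORWARDING, DISCARDING = "forwarding", "discarding"


@dataclass
class Port:
    name: str
    role: str
    state: str
    edge: bool = False   # spanning-tree portfast: a host port, never synced


@dataclass
class Bpdu:
    """Only the RSTP BPDU fields the handshake uses."""
    port_role: str
    proposal: bool = False
    agreement: bool = False


@dataclass
class Switch:
    name: str
    ports: dict = field(default_factory=dict)

    def synced(self) -> bool:
        """In sync when no non-edge designated port is still forwarding, the
        condition under which the new root port may forward without a loop."""
        return all(p.state == DISCARDING for p in self.ports.values()
                   if p.role == DESIGNATED and not p.edge)

    def receive_proposal(self, on_port: str, bpdu: Bpdu) -> Bpdu:
        """Handle a proposal that arrived on the port just chosen as root port:
        block every non-edge designated port (edge ports keep forwarding),
        demote the previous root port, then answer with an agreement that,
        as the text says, always carries the root-port role."""
        if not (bpdu.proposal and bpdu.port_role == DESIGNATED):
            raise ValueError("a proposal must carry the designated-port role")
        new_root = self.ports[on_port]
        for p in self.ports.values():
            if p is new_root:
                continue
            if p.role == ROOT:                          # the old root port
                p.role, p.state = ALTERNATE, DISCARDING
            elif p.role == DESIGNATED and not p.edge:
                p.state = DISCARDING                    # sync: block until agreed
        assert self.synced()
        new_root.role, new_root.state = ROOT, FORWARDING  # point-to-point: immediate
        return Bpdu(port_role=ROOT, agreement=True)


def build_example() -> Switch:
    """Constructed switch: two designated ports (one an edge port), an alternate
    port about to receive a better proposal, and the current root port."""
    return Switch("SwitchB", {
        "gi0/1": Port("gi0/1", DESIGNATED, FORWARDING),
        "gi0/2": Port("gi0/2", DESIGNATED, FORWARDING, edge=True),
        "gi0/3": Port("gi0/3", ALTERNATE, DISCARDING),
        "gi0/4": Port("gi0/4", ROOT, FORWARDING),
    })


if __name__ == "__main__":
    sw = build_example()
    reply = sw.receive_proposal("gi0/3", Bpdu(DESIGNATED, proposal=True))
    for p in sw.ports.values():
        print(f"{p.name}: {p.role:10} {p.state}")
    print("agreement sent:", reply)
```

The model is why Port Fast must only be configured on ports that face hosts: an edge port is exempt from the sync, so a switch plugged into a Port Fast port keeps forwarding through the whole handshake.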
Chapter 13 Configuring MSTP Configuring MSTP Features • Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them. • Protocol migration—For backward compatibility with IEEE 802.1D switches, RSTP selectively sends IEEE 802.
Table 13-4 Default MSTP Configuration (continued)
Feature | Default Setting
Spanning-tree port priority (configurable on a per-CIST port basis) | 128
Spanning-tree port cost (configurable on a per-CIST port basis) | 1000 Mb/s: 4; 100 Mb/s: 19; 10 Mb/s: 100
Hello time | 2 seconds
Forward-delay time | 15 seconds
Maximum-aging time | 20 seconds
Maximum hop count | 20 hops
• Partitioning the network into a large number of regions is not recommended. However, if this situation is unavoidable, we recommend that you partition the switched LAN into smaller LANs interconnected by routers or non-Layer 2 devices.
• For configuration guidelines about , see the “Optional Spanning-Tree Configuration Guidelines” section on page 14-10.
Command | Purpose
Step 9 end | Return to privileged EXEC mode.
Step 10 show running-config | Verify your entries.
Step 11 copy running-config startup-config | (Optional) Save your entries in the configuration file.
To return to the default MST region configuration, use the no spanning-tree mst configuration global configuration command.
The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root. Use the diameter keyword, which is available only for MST instance 0, to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).
You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command. Beginning in privileged EXEC mode, follow these steps to configure a switch as the secondary root switch. This procedure is optional.
Beginning in privileged EXEC mode, follow these steps to configure the MSTP port priority of an interface. This procedure is optional.
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 interface interface-id | Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces. The port-channel range is 1 to 48.
Beginning in privileged EXEC mode, follow these steps to configure the MSTP cost of an interface. This procedure is optional.
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 interface interface-id | Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces. The port-channel range is 1 to 48.
Beginning in privileged EXEC mode, follow these steps to configure the switch priority. This procedure is optional.
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 spanning-tree mst instance-id priority priority | Configure the switch priority. • For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 4094.
Configuring the Forwarding-Delay Time
Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for all MST instances. This procedure is optional.
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 spanning-tree mst forward-time seconds | Configure the forward time for all MST instances.
Configuring the Maximum-Hop Count
Beginning in privileged EXEC mode, follow these steps to configure the maximum-hop count for all MST instances. This procedure is optional.
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 spanning-tree mst max-hops hop-count | Specify the number of hops in a region before the BPDU is discarded, and the information held for a port is aged.
Designating the Neighbor Type
A topology could contain both prestandard and IEEE 802.1s standard compliant devices. By default, ports can automatically detect prestandard devices, but they can still receive both standard and prestandard BPDUs. When there is a mismatch between a device and its neighbor, only the CIST runs on the interface. You can choose to set a port to send only prestandard BPDUs.
Chapter 13 Configuring MSTP Displaying the MST Configuration and Status
To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 13-5:
Table 13-5 Commands for Displaying MST Status
Command | Purpose
show spanning-tree mst configuration | Displays the MST region configuration.
show spanning-tree mst configuration digest | Displays the MD5 digest included in the current MSTCI.
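The digest shown by show spanning-tree mst configuration digest is what decides region membership: two switches are in the same region only when name, revision, and the digest of their VLAN-to-instance table all match, so a one-VLAN typo silently splits the region and leaves only the CIST between the halves. The following is an added example, not code from the guide or from Cisco, that computes that digest offline from running-config excerpts so you can compare it with the switch's output or diff two switches before cabling them. It uses the HMAC-MD5 key and 4096-entry table layout that IEEE 802.1s defines for the digest; the sample configurations (names, revision, VLAN ranges) are made up for the demonstration.

```python
"""Offline check of MST region membership: compute the MSTCI digest that
'show spanning-tree mst configuration digest' reports and compare it between
switches. Added example, not from the guide; the sample configs are made up."""
import hashlib
import hmac

# HMAC-MD5 key fixed by IEEE 802.1s for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_mst_config(text: str) -> dict:
    """Parse a 'spanning-tree mst configuration' block (name, revision and
    'instance N vlan ...' lines) into name, revision and a VLAN->instance map."""
    cfg = {"name": "", "revision": 0, "vlan_to_instance": {}}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "name":
            cfg["name"] = raw.strip()[len("name "):]
        elif tok[0] == "revision":
            cfg["revision"] = int(tok[1])
        elif tok[0] == "instance" and len(tok) >= 4 and tok[2] == "vlan":
            inst = int(tok[1])
            for part in tok[3].split(","):
                lo, _, hi = part.partition("-")
                for vid in range(int(lo), int(hi or lo) + 1):
                    cfg["vlan_to_instance"][vid] = inst
    return cfg


def mst_config_digest(vlan_to_instance: dict) -> str:
    """HMAC-MD5 over the 4096-entry VLAN-to-MSTI table: one 16-bit big-endian
    instance number per VID 0..4095; unmapped VLANs belong to the CIST (0)."""
    table = b"".join(vlan_to_instance.get(vid, 0).to_bytes(2, "big")
                     for vid in range(4096))
    return hmac.new(MST_DIGEST_KEY, table, hashlib.md5).hexdigest().upper()


def region_key(cfg: dict) -> tuple:
    """The three values that must agree for two switches to share a region."""
    return cfg["name"], cfg["revision"], mst_config_digest(cfg["vlan_to_instance"])


def same_region(a: dict, b: dict) -> bool:
    return region_key(a) == region_key(b)


# Constructed running-config excerpts; BLADE has a one-VLAN typo.
CORE = """\
spanning-tree mst configuration
 name DC1
 revision 7
 instance 1 vlan 10-20
 instance 2 vlan 30,40
"""
BLADE = CORE.replace("instance 2 vlan 30,40", "instance 2 vlan 30,41")

if __name__ == "__main__":
    core, blade = parse_mst_config(CORE), parse_mst_config(BLADE)
    print("default digest", mst_config_digest({}))
    print("core ", mst_config_digest(core["vlan_to_instance"]))
    print("blade", mst_config_digest(blade["vlan_to_instance"]))
    print("same region:", same_region(core, blade))
```

With no instance mappings at all (every VLAN in the CIST) the function returns the well-known default digest AC36177F50283CD4B83821D8AB26DE62, which is a quick sanity check against a factory-default switch.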
CHAPTER 14 Configuring Optional Spanning-Tree Features
This chapter describes how to configure optional spanning-tree features on the switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+). You can configure only the noted features when your switch is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol.
Chapter 14 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding Port Fast Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states.
To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred. At the interface level, you enable BPDU guard on any port by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature.
Figure 14-2 Switches in a Hierarchical Network (figure not reproduced; it shows backbone switches including the root bridge, distribution switches, and blade switches, with active and blocked links)
If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port.
Figure 14-3 UplinkFast Example Before Direct Link Failure (figure not reproduced; Switch A (Root), Switch B, and Switch C are joined by links L1, L2, and L3, with a blocked port on Switch C)
If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure
The switch tries to find if it has an alternate path to the root switch. If the inferior BPDU arrives on a blocked interface, the root port and other blocked interfaces on the switch become alternate paths to the root switch. (Self-looped ports are not considered alternate paths to the root switch.
Figure 14-6 BackboneFast Example After Indirect Link Failure (figure not reproduced; it shows Switch A (Root) and Switch B, links L1 and L3, a link failure, and the callout "BackboneFast changes port through listening and learning states to forwarding state")
Understanding Root Guard
The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer switch as the root switch, as shown in Figure 14-8. You can avoid this situation by enabling root guard on SP switch interfaces that connect to switches in your customer’s network.
Chapter 14 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Understanding Loop Guard You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is enabled on the entire switched network. Loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.
Optional Spanning-Tree Configuration Guidelines
You can configure PortFast, BPDU guard, BPDU filtering, EtherChannel guard, root guard, or loop guard if your switch is running PVST+, rapid PVST+, or MSTP. You can configure the UplinkFast or the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
Note You can use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking ports. To disable the Port Fast feature, use the spanning-tree portfast disable interface configuration command.
To disable BPDU guard, use the no spanning-tree portfast bpduguard default global configuration command. You can override the setting of the no spanning-tree portfast bpduguard default global configuration command by using the spanning-tree bpduguard enable interface configuration command.
Enabling UplinkFast for Use with Redundant Links
UplinkFast cannot be enabled on VLANs that have been configured with a switch priority. To enable UplinkFast on a VLAN with switch priority configured, first restore the switch priority on the VLAN to the default value by using the no spanning-tree vlan vlan-id priority global configuration command.
You can configure the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+. Beginning in privileged EXEC mode, follow these steps to enable BackboneFast. This procedure is optional.
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Enabling Root Guard
Root guard enabled on an interface applies to all the VLANs to which the interface belongs. Do not enable the root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure.
Chapter 14 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status
Command | Purpose
Step 3 spanning-tree loopguard default | Enable loop guard. By default, loop guard is disabled.
Step 4 end | Return to privileged EXEC mode.
Step 5 show running-config | Verify your entries.
Step 6 copy running-config startup-config | (Optional) Save your entries in the configuration file.
To globally disable loop guard, use the no spanning-tree loopguard default global configuration command.
CHAPTER 15 Configuring Flex Links and the MAC Address-Table Move Update Feature
This chapter describes how to configure Flex Links, a pair of interfaces on the switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 15 Configuring Flex Links and the MAC Address-Table Move Update Feature Understanding Flex Links and the MAC Address-Table Move Update
You configure Flex Links on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the Flex Link or backup link. When one of the links is up and forwarding traffic, the other link is in standby mode, ready to begin forwarding traffic if the other link shuts down.
Figure 15-2 VLAN Flex Links Load Balancing Configuration Example (figure not reproduced; Switch A uplinks through gi2/0/6, forwarding, and gi2/0/8, not forwarding, to uplink switch B and uplink switch C)
MAC Address-Table Move Update
The MAC address-table move update feature allows the switch to provide rapid bidirectional convergence when a primary (forwarding) link goes down and the standby link begins f
Figure 15-3 MAC Address-Table Move Update Example (figure not reproduced; it shows a server behind Switch C, Switch B and Switch D, and a PC on Switch A, with ports 1 through 4 labeled)
Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide 15-4 380261-003
Chapter 15 Configuring Flex Links and the MAC Address-Table Move Update Feature Configuring Flex Links and MAC Address-Table Move Update
These sections contain this information:
• Configuration Guidelines, page 15-5
• Default Configuration, page 15-5
Configuration Guidelines
Follow these guidelines to configure Flex Links:
• You can configure only one Flex Link backup link for any active link, and it must be a different interface from the activ
Configuring Flex Links and MAC Address-Table Move Update
This section contains this information:
• Configuring Flex Links, page 15-6
• Configuring VLAN Load Balancing on Flex Links, page 15-8
• Configuring the MAC Address-Table Move Update Feature, page 15-9
Configuring Flex Links
Beginning in privileged EXEC mode, follow these steps to configure a pair of Flex Li
Beginning in privileged EXEC mode, follow these steps to configure a preemption scheme for a pair of Flex Links:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 interface interface-id | Specify the interface, and enter interface configuration mode.
Configuring VLAN Load Balancing on Flex Links
Beginning in privileged EXEC mode, follow these steps to configure VLAN load balancing on Flex Links:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 interface interface-id | Specify the interface, and enter interface configuration mode.
When a Flex Link interface comes up, VLANs preferred on this interface are blocked on the peer interface and moved to the forwarding state on the interface that has just come up. In this example, if interface Gi0/6 comes up, VLANs preferred on this interface are blocked on the peer interface Gi0/8 and forwarded on Gi0/6.
Command | Purpose
Step 4 exit | Return to global configuration mode.
Step 5 mac address-table move update transmit | Enable the access switch to send MAC address-table move updates to other switches in the network if the primary link goes down and the switch starts forwarding traffic through the standby link.
Step 6 end | Return to privileged EXEC mode.
Chapter 15 Configuring Flex Links and the MAC Address-Table Move Update Feature Monitoring Flex Links and the MAC Address-Table Move Update
Command | Purpose
Step 3 end | Return to privileged EXEC mode.
Step 4 show mac address-table move update | Verify the configuration.
Step 5 copy running-config startup-config | (Optional) Save your entries in the switch startup configuration file.
CHAPTER 16 Configuring DHCP Features
This chapter describes how to configure DHCP snooping and the option-82 data insertion features on the switch.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release, and see the “DHCP Commands” section in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.
Chapter 16 Configuring DHCP Features Understanding DHCP Features DHCP Server The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them. If the DHCP server cannot give the DHCP client the requested configuration parameters from its database, it forwards the request to one or more secondary DHCP servers defined by the network administrator.
The switch drops a DHCP packet when one of these situations occurs:
• A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received on an untrusted interface, that is, from outside the network or firewall.
• A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.
Figure 16-1 DHCP Relay Agent in a Metropolitan Ethernet Network (figure not reproduced; it shows a DHCP server, the blade switch acting as DHCP relay agent, and Blade Server A and Blade Server B as DHCP clients on access-layer VLAN 10)
When you enable the DHCP snooping information option 82 on the switch, this sequence of events occurs:
• The Blade Server (DHCP client) generates a DHCP request and broadcasts it on the network.
Chapter 16 Configuring DHCP Features Configuring DHCP Features In the port field of the circuit ID suboption, the port numbers start at 1. For example, on a CGESM switch, which has 24 ports, port 1 is the Gigabit Ethernet 0/1 port, port 2 is the Gigabit Ethernet 0/2 port, port 3 is the Gigabit Ethernet 0/3 port, and so on.
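The port numbering above matters because the circuit ID is what a DHCP server or a forensic lookup uses to tie a lease back to a physical blade slot. The following is an added example, not code from the guide or from Cisco, that encodes and decodes the option-82 field using the default Cisco suboption layout (circuit ID: suboption 1, length 6, type 0, length 4, VLAN, module, port; remote ID: suboption 2, length 8, type 0, length 6, switch MAC); that layout is not shown on this page and is stated here as Cisco's documented default. The interface name, VLAN, and MAC address in the demonstration are made up, and the decoder deliberately rejects a truncated option instead of reading past it.

```python
"""Encode and decode the DHCP option-82 (relay agent information) that the
switch inserts, using the Cisco default circuit-ID and remote-ID suboption
layout. Added example, not from the guide; interface, VLAN and MAC values
below are made up."""
import re

OPTION_82 = 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
_IFACE = re.compile(r"(?:GigabitEthernet|Gi)(\d+)/(\d+)$", re.IGNORECASE)


def port_number(interface: str) -> tuple:
    """(module, port) as carried in the circuit ID; ports start at 1, so
    GigabitEthernet0/3 is module 0, port 3."""
    m = _IFACE.match(interface)
    if not m:
        raise ValueError(f"unsupported interface name {interface!r}")
    return int(m.group(1)), int(m.group(2))


def circuit_id_suboption(vlan: int, module: int, port: int) -> bytes:
    """Suboption 1, length 6: circuit-ID type 0, length 4, VLAN(2) module(1) port(1)."""
    if not (1 <= vlan <= 4094 and 0 <= module <= 255 and 1 <= port <= 255):
        raise ValueError("circuit-ID field out of range")
    return bytes([SUB_CIRCUIT_ID, 6, 0, 4]) + vlan.to_bytes(2, "big") + bytes([module, port])


def remote_id_suboption(mac: str) -> bytes:
    """Suboption 2, length 8: remote-ID type 0, length 6, relay switch MAC."""
    raw = bytes.fromhex(re.sub(r"[:.\-]", "", mac))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return bytes([SUB_REMOTE_ID, 8, 0, 6]) + raw


def build_option_82(interface: str, vlan: int, switch_mac: str) -> bytes:
    """Whole option: code 82, length, circuit-ID then remote-ID suboption."""
    module, port = port_number(interface)
    body = circuit_id_suboption(vlan, module, port) + remote_id_suboption(switch_mac)
    return bytes([OPTION_82, len(body)]) + body


def parse_option_82(opt: bytes) -> dict:
    """Decode option 82 strictly: a server or relay should reject a length
    that does not add up rather than read past a truncated suboption."""
    if len(opt) < 2 or opt[0] != OPTION_82 or len(opt) != 2 + opt[1]:
        raise ValueError("not a well-formed option 82")
    fields, i = {}, 2
    while i < len(opt):
        if i + 2 > len(opt):
            raise ValueError("truncated suboption header")
        sub, length = opt[i], opt[i + 1]
        data = opt[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated suboption body")
        if sub == SUB_CIRCUIT_ID and length == 6 and data[:2] == b"\x00\x04":
            fields["vlan"] = int.from_bytes(data[2:4], "big")
            fields["module"], fields["port"] = data[4], data[5]
        elif sub == SUB_REMOTE_ID and length == 8 and data[:2] == b"\x00\x06":
            fields["remote_mac"] = data[2:].hex(":")
        i += 2 + length
    return fields


if __name__ == "__main__":
    opt = build_option_82("GigabitEthernet0/3", 10, "00:11:22:33:44:55")
    print(opt.hex(" "))
    print(parse_option_82(opt))
```

Because option 82 is inserted by the switch, it is only trustworthy when the snooping trust boundary is right: a client on an untrusted port cannot forge the circuit ID, but a server should never accept option 82 from a relay it does not expect.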
Table 16-1 Default DHCP Configuration
Feature | Default Setting
DHCP server | Enabled in Cisco IOS software, requires configuration (1)
DHCP relay agent | Enabled (2)
DHCP packet forwarding address | None configured
Checking the relay agent information | Enabled (invalid messages are dropped) (2)
DHCP relay agent forwarding policy | Replace the existing relay agent information (2)
DHCP snooping enabled globally | Disabled
DHCP snooping information opt
• If a switch port is connected to a DHCP server, configure a port as trusted by entering the ip dhcp snooping trust interface configuration command.
• If a switch port is connected to a DHCP client, configure a port as untrusted by entering the no ip dhcp snooping trust interface configuration command.
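The trust setting is the whole mechanism: the two drop rules in "Understanding DHCP Features" are applied only to frames arriving on untrusted ports. The following is an added example, not code from the guide or from Cisco, that applies those two rules as a decision function over a handful of constructed DHCP frames, including a rogue server on a blade port and a client forging its hardware address. Port names, MAC addresses, and the DhcpFrame fields are assumptions made for the demonstration.

```python
"""The two DHCP snooping drop rules, as a decision function run over
constructed frames. Added example, not code from the guide; port names, MAC
addresses and the DhcpFrame fields are assumptions for the demonstration."""
from dataclasses import dataclass

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}


@dataclass(frozen=True)
class DhcpFrame:
    ingress: str    # switch port the frame arrived on
    msg_type: str   # DHCP message type option (53)
    src_mac: str    # Ethernet source address
    chaddr: str     # client hardware address in the DHCP payload


def snooping_verdict(frame: DhcpFrame, trusted_ports: set, verify_mac: bool = True) -> tuple:
    """Return ('forward', None) or ('drop', reason).
    Rule 1: server replies are accepted only from trusted (server-facing) ports,
    so a rogue server on a blade port cannot hand out leases or a poisoned router/DNS.
    Rule 2: on untrusted ports the Ethernet source must equal chaddr, which stops
    a client forging many hardware addresses to exhaust the pool."""
    if frame.ingress in trusted_ports:
        return "forward", None
    if frame.msg_type in SERVER_MESSAGES:
        return "drop", f"{frame.msg_type} received on untrusted port {frame.ingress}"
    if verify_mac and frame.src_mac.lower() != frame.chaddr.lower():
        return "drop", f"source MAC {frame.src_mac} does not match chaddr {frame.chaddr}"
    return "forward", None


def classify(frames, trusted_ports: set, verify_mac: bool = True) -> list:
    """Verdict per frame, in order."""
    return [snooping_verdict(f, trusted_ports, verify_mac)[0] for f in frames]


# Constructed traffic: Gi0/24 is the uplink toward the real DHCP server, the
# other ports face blade servers (untrusted, the default).
TRUSTED = {"Gi0/24"}
FRAMES = [
    DhcpFrame("Gi0/24", "DHCPOFFER", "00:aa:bb:cc:dd:01", "00:11:22:33:44:55"),    # real server
    DhcpFrame("Gi0/5", "DHCPDISCOVER", "00:11:22:33:44:55", "00:11:22:33:44:55"),  # normal client
    DhcpFrame("Gi0/7", "DHCPOFFER", "00:de:ad:be:ef:01", "00:11:22:33:44:55"),     # rogue server on a blade port
    DhcpFrame("Gi0/5", "DHCPDISCOVER", "00:11:22:33:44:55", "02:00:00:00:00:99"),  # forged chaddr
]

if __name__ == "__main__":
    for f in FRAMES:
        print(f.ingress, f.msg_type, *snooping_verdict(f, TRUSTED))
```

The last assertion in the test shows the failure mode to avoid: trusting a blade-facing port (here Gi0/7) lets the rogue DHCPOFFER through, which is why trust should be limited to the uplink toward the real server or relay.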
Command | Purpose
Step 4 ip dhcp snooping information option | Enable the switch to insert and remove DHCP relay information (option-82 field) in forwarded DHCP request messages to the DHCP server. This is the default setting.
Chapter 16 Configuring DHCP Features Displaying DHCP Snooping Information Enabling the Cisco IOS DHCP Server Database For procedures to enable and configure the Cisco IOS DHCP server database, see the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
CHAPTER 17 Configuring IGMP Snooping and MVR
This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on the switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action.
Chapter 17 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Note For more information on IP multicast and IGMP, see RFC 1112 and RFC 2236. The multicast router sends out periodic general queries to all VLANs. All hosts interested in this multicast traffic send join requests and are added to the forwarding table entry. The switch creates one entry per VLAN in the IGMP snooping IP multicast forwarding table for each group from which it receives an IGMP join request.
Note IGMPv3 join and leave messages are not supported on switches running IGMP filtering or MVR. An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast (SSM) feature. For more information about source-specific multicast with IGMPv3 and IGMP, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t5/dtssm5t.
Router A sends a general query to the switch, which forwards the query to ports 2 through 5, which are all members of the same VLAN. Blade Server 1 wants to join multicast group 224.1.2.3 and multicasts an IGMP membership report (IGMP join message) to the group.
Leaving a Multicast Group
The router sends periodic multicast general queries, and the switch forwards these queries through all ports in the VLAN. Interested blade servers respond to the queries. If at least one blade server in the VLAN wishes to receive multicast traffic, the router continues forwarding the multicast traffic to the VLAN.
Chapter 17 Configuring IGMP Snooping and MVR Configuring IGMP Snooping IGMP Report Suppression Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports. The switch uses IGMP report suppression to forward only one IGMP report per multicast router query to multicast devices.
Table 17-3 Default IGMP Snooping Configuration (continued)
Feature | Default Setting
Multicast router learning (snooping) method | PIM-DVMRP
IGMP snooping Immediate Leave | Disabled
Static groups | None configured
TCN (1) flood query count | 2
TCN query solicitation | Disabled
IGMP snooping querier | Disabled
IGMP report suppression | Enabled
Command | Purpose
Step 3 end | Return to privileged EXEC mode.
Step 4 copy running-config startup-config | (Optional) Save your entries in the configuration file.
To disable IGMP snooping on a VLAN interface, use the no ip igmp snooping vlan vlan-id global configuration command for the specified VLAN number.
To return to the default learning method, use the no ip igmp snooping vlan vlan-id mrouter learn cgmp global configuration command.
Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 ip igmp snooping vlan vlan-id static ip_address interface interface-id | Statically configure a Layer 2 port as a member of a multicast group: • vlan-id is the multicast group VLAN ID. The range is 1 to 1001 and 1006 to 4094.
To disable IGMP Immediate Leave on a VLAN, use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command.
Controlling the Multicast Flooding Time After a TCN Event
You can control the time that multicast traffic is flooded after a TCN event by using the ip igmp snooping tcn flood query count global configuration command. This command configures the number of general queries for which multicast data traffic is flooded after a TCN event.
Command | Purpose
Step 4 show ip igmp snooping | Verify the TCN settings.
Step 5 copy running-config startup-config | (Optional) Save your entries in the configuration file.
To return to the default query solicitation, use the no ip igmp snooping tcn query solicit global configuration command.
• When administratively enabled, the IGMP snooping querier moves to the nonquerier state if it detects the presence of a multicast router in the network.
• When it is administratively enabled, the IGMP snooping querier moves to the operationally disabled state under these conditions:
– IGMP snooping is disabled in the VLAN.
– PIM is enabled on the SVI of the corresponding VLAN.
Chapter 17 Configuring IGMP Snooping and MVR Displaying IGMP Snooping Information
This example shows how to set the IGMP snooping querier feature to version 2:
Switch# configure terminal
Switch(config)# ip igmp snooping querier version 2
Switch(config)# end
Disabling IGMP Report Suppression
Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.
To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 17-4.
Table 17-4 Commands for Displaying IGMP Snooping Information
Command | Purpose
show ip igmp snooping [vlan vlan-id] | Display the snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.
Chapter 17 Configuring IGMP Snooping and MVR Understanding Multicast VLAN Registration
Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service-provider network (for example, the broadcast of multiple television channels over a service-provider network). MVR allows a subscriber on a port to subscribe and unsubscribe to a multicast stream on the network-wide multicast VLAN.
Using MVR in a Multicast Television Application
In a multicast television application, a PC or a television with a set-top box can receive the multicast stream. Multiple set-top boxes or PCs can be connected to one subscriber port, which is a switch port configured as an MVR receiver port. Figure 17-3 is an example configuration. DHCP assigns an IP address to the set-top box or the PC.
Chapter 17 Configuring IGMP Snooping and MVR Configuring MVR When a subscriber changes channels or turns off the television, the set-top box sends an IGMP leave message for the multicast stream. The switch CPU sends a MAC-based general query through the receiver port VLAN. If there is another set-top box in the VLAN still subscribing to this group, that set-top box must respond within the maximum response time specified in the query.
Chapter 17 Configuring IGMP Snooping and MVR Configuring MVR Table 17-5 Default MVR Configuration (continued) Feature Default Setting Interface (per port) default Neither a receiver nor a source port Immediate Leave Disabled on all ports MVR Configuration Guidelines and Limitations Follow these guidelines when configuring MVR: • Receiver ports can only be access ports; they cannot be trunk ports. Receiver ports on a switch can be in different VLANs, but should not belong to the multicast VLAN.
Step 4 mvr querytime value
(Optional) Define the maximum time to wait for IGMP report memberships on a receiver port before removing the port from multicast group membership. The value is in units of tenths of a second. The range is 1 to 100, and the default is 5 tenths or one-half second.
Step 5 mvr vlan vlan-id
(Optional) Specify the VLAN in which multicast data is received; all source ports must belong to this VLAN.
Step 4 mvr type {source | receiver}
Configure an MVR port as one of these:
• source—Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN.
• receiver—Configure a port as a receiver port if it is a subscriber port and should only receive multicast data.
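Putting the global steps and the port-type step together, here is an added end-to-end MVR configuration (an editor's example, not from the original guide). It assumes multicast VLAN 200, ten channel groups starting at 239.1.1.1, an uplink on gigabitethernet0/1, and subscriber ports gigabitethernet0/2 and 0/3 in access VLANs 10 and 11; every one of those values is an assumption.

```cisco
! Added example; VLAN IDs, group address and port numbers are assumptions.
Switch# configure terminal
! Enable MVR, name the network-wide multicast VLAN, register 10 contiguous groups
Switch(config)# mvr
Switch(config)# mvr vlan 200
Switch(config)# mvr group 239.1.1.1 10
! Wait 1 second (10 tenths) for IGMP reports before pruning a receiver port
Switch(config)# mvr querytime 10
! Uplink toward the head end: a source port that carries the multicast VLAN
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# mvr type source
Switch(config-if)# exit
! Subscriber ports: access ports in subscriber VLANs, never in VLAN 200
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# mvr type receiver
Switch(config-if)# mvr immediate
Switch(config-if)# exit
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 11
Switch(config-if)# mvr type receiver
Switch(config-if)# mvr immediate
Switch(config-if)# end
! Verify: global settings, per-port type, and current group membership
Switch# show mvr
Switch# show mvr interface
Switch# show mvr members
```

Use mvr immediate only on ports with a single receiver: with Immediate Leave the switch prunes the port on the first IGMP leave without sending the query described above, so a second set-top box behind the same port would lose the stream.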
Displaying MVR Information
You can display MVR information for the switch or for a specified interface.
Configuring IGMP Filtering and Throttling
IGMP filtering is applicable only to the dynamic learning of IP multicast group addresses, not static configuration. With the IGMP throttling feature, you can set the maximum number of IGMP groups that a Layer 2 interface can join.
• permit: Specifies that matching addresses are permitted.
• range: Specifies a range of IP addresses for the profile. You can enter a single IP address or a range with a start and an end address.
The default is for the switch to have no IGMP profiles configured. When a profile is configured, if neither the permit nor deny keyword is included, the default is to deny access to the range of IP addresses.
Beginning in privileged EXEC mode, follow these steps to apply an IGMP profile to a switch port:
Step 1 configure terminal
Enter global configuration mode.
Step 2 interface interface-id
Specify the physical interface, and enter interface configuration mode. The interface must be a Layer 2 port that does not belong to an EtherChannel port group.
To remove the maximum group limitation and return to the default of no maximum, use the no ip igmp max-groups interface configuration command. This example shows how to limit to 25 the number of IGMP groups that a port can join.
Step 4 end
Return to privileged EXEC mode.
Step 5 show running-config interface interface-id
Verify the configuration.
Step 6 copy running-config startup-config
(Optional) Save your entries in the configuration file.
To return to the default action of dropping the report, use the no ip igmp max-groups action interface configuration command.
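The profile, filter and throttling steps combined, as an added example (the editor's, not from the guide). Profile number 4, the two group ranges, port gigabitethernet0/2 and the limit of 25 are assumptions; the profile relies on the default described above, which denies any range not covered by a permit.

```cisco
! Added example; profile number, ranges and port are assumptions.
Switch# configure terminal
! Profile 4: subscribers may join only these groups; everything else is denied
Switch(config)# ip igmp profile 4
Switch(config-igmp-profile)# permit
Switch(config-igmp-profile)# range 239.1.1.1 239.1.1.10
Switch(config-igmp-profile)# range 239.1.2.1
Switch(config-igmp-profile)# exit
! Apply the profile on the subscriber port (Layer 2, not in an EtherChannel)
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# ip igmp filter 4
! Throttle: at most 25 groups; a 26th join replaces an existing entry
! instead of being dropped (dropping the report is the default action)
Switch(config-if)# ip igmp max-groups 25
Switch(config-if)# ip igmp max-groups action replace
Switch(config-if)# end
Switch# show ip igmp profile 4
Switch# show running-config interface gigabitethernet0/2
```

A denied join is dropped silently; the subscriber sees no error, so when a channel is "missing" compare the requested group against the profile and against show ip igmp snooping groups before suspecting the source.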
C H A P T E R 18 Configuring Port-Based Traffic Control This chapter describes how to configure the port-based traffic control features on the switch. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Configuring Storm Control
Storm control uses one of these methods to measure traffic activity:
• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received (Cisco IOS Release 12.
You use the storm-control interface configuration commands to set the threshold value for each traffic type.
Default Storm Control Configuration
By default, unicast, broadcast, and multicast storm control are disabled on the switch interfaces; that is, the suppression level is 100 percent.
Step 3 storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled. The keywords have these meanings:
• For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage (up to two decimal places) of the bandwidth.
Step 6 show storm-control [interface-id] [broadcast | multicast | unicast]
Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.
Step 7 copy running-config startup-config
(Optional) Save your entries in the configuration file.
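An added example (the editor's, not from the guide) covering all three traffic types on one port with percent, packet-per-second and bit-per-second thresholds, plus the shutdown action and automatic recovery. The port number and every threshold value are assumptions, and the bps and pps forms are available only in the releases the text above notes.

```cisco
! Added example; port and thresholds are assumptions.
Switch# configure terminal
Switch(config)# interface gigabitethernet0/5
! Broadcast: suppress above 20% of port bandwidth, resume below 10%
Switch(config-if)# storm-control broadcast level 20 10
! Multicast: rising 2000 pps, falling 1000 pps
Switch(config-if)# storm-control multicast level pps 2000 1000
! Unknown unicast: rising 1 Mb/s, falling 500 kb/s
Switch(config-if)# storm-control unicast level bps 1000000 500000
! Put the port in errdisable when a storm is detected (default: drop excess only)
Switch(config-if)# storm-control action shutdown
Switch(config-if)# exit
! Bring an errdisabled port back after 5 minutes without a manual shut/no shut
Switch(config)# errdisable recovery cause storm-control
Switch(config)# errdisable recovery interval 300
Switch(config)# end
Switch# show storm-control gigabitethernet0/5 broadcast
Switch# show storm-control gigabitethernet0/5 multicast
Switch# show storm-control gigabitethernet0/5 unicast
```

Without a falling threshold, forwarding resumes as soon as traffic drops below the rising level; the lower falling value adds hysteresis so a storm that hovers around the limit does not toggle suppression on every measurement interval.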
Configuring Protected Ports
Default Protected Port Configuration
The default is to have no protected ports defined.
Protected Port Configuration Guidelines
You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.
Configuring Port Blocking
Default Port Blocking Configuration
The default is to not block flooding of unknown multicast and unicast traffic out of a port, but to flood these packets to all ports.
Blocking Flooded Traffic on an Interface
Note The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.
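An added example (the editor's, not from the guide) of protected ports combined with flood blocking on two server-facing ports; the port numbers are assumptions.

```cisco
! Added example; port numbers are assumptions.
Switch# configure terminal
! Two blade-server ports that must not exchange Layer 2 traffic with each
! other, while both still reach the (unprotected) uplink
Switch(config)# interface range gigabitethernet0/2 - 3
Switch(config-if-range)# switchport protected
! Also keep unknown-unicast and multicast floods off these ports, so a host
! cannot passively collect frames for addresses the switch has not learned
Switch(config-if-range)# switchport block unicast
Switch(config-if-range)# switchport block multicast
Switch(config-if-range)# end
! The Protected and Unknown unicast/multicast blocked fields confirm the settings
Switch# show interfaces gigabitethernet0/2 switchport
```

Protected ports isolate only at Layer 2 on the same switch: two protected ports can still reach each other through a router attached to an unprotected port, and the protection does not extend across a trunk to another switch.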
Configuring Port Security
These sections contain this conceptual and configuration information:
• Understanding Port Security, page 18-8
• Default Port Security Configuration, page 18-10
• Port Security Configuration Guidelines, page 18-10
• Enabling and Configuring Port Security, page 18-11
• Enabling and Configuring Port Security Aging, page 18-16
Understanding Port Security
These sections contain this conceptual information:
• Secure MAC Add
The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.
Table 18-1 Security Violation Mode Actions (continued)
Violation Mode | Traffic is forwarded(1) | Sends SNMP trap | Sends syslog message | Displays error message(2) | Violation counter increments | Shuts down port
shutdown | No | Yes | Yes | No | Yes | Yes
shutdown vlan | No | Yes | Yes | No | Yes | No(3)
1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
2.
VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
Step 6 switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]]
(Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system.
Step 7 switchport port-security violation {protect | restrict | shutdown | shutdown vlan}
(Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:
• protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC
Step 8 switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]
(Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table. All addresses are now dynamically learned.
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Switch(config-if)# switchport port-security mac-address 0000.0000.
To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command. To disable aging for only statically configured secure addresses, use the no switchport port-security aging static interface configuration command.
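An added example (the editor's, not from the guide) that combines the voice-VLAN sizing described above, restrict mode and inactivity aging on one phone-plus-PC port. The VLAN IDs, the port number and the aging time are assumptions.

```cisco
! Added example; VLANs, port and timer are assumptions.
Switch# configure terminal
Switch(config)# interface gigabitethernet0/7
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport voice vlan 22
Switch(config-if)# switchport port-security
! Two addresses: the phone (learned on the voice VLAN) and one PC behind it
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security maximum 1 vlan access
Switch(config-if)# switchport port-security maximum 1 vlan voice
! restrict: drop frames from unknown sources, increment the violation
! counter, send a trap and a syslog message, but keep the port up
Switch(config-if)# switchport port-security violation restrict
! Age dynamically learned addresses after 10 idle minutes, so a replaced PC
! can attach without tripping a violation
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# switchport port-security aging time 10
Switch(config-if)# end
Switch# show port-security interface gigabitethernet0/7
Switch# show port-security address
```

If the addresses should instead be pinned to the port, replace the two aging commands with switchport port-security mac-address sticky and save the configuration; sticky addresses are not subject to aging. With restrict rather than shutdown, a frame from a spoofed or extra MAC address is counted and logged without taking the phone off the network.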
Chapter 18 Configuring Port-Based Traffic Control Displaying Port-Based Traffic Control Settings Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide 18-18 380261-003
C H A P T E R 19 Configuring CDP This chapter describes how to configure Cisco Discovery Protocol (CDP) on the switch. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Configuring CDP
These sections contain this configuration information:
• Default CDP Configuration, page 19-2
• Configuring the CDP Characteristics, page 19-2
• Disabling and Enabling CDP, page 19-3
• Disabling and Enabling CDP on an Interface, page 19-4
Default CDP Configuration
Table 19-1 shows the default CDP configuration.
Step 6 show cdp
Verify your settings.
Step 7 copy running-config startup-config
(Optional) Save your entries in the configuration file.
Use the no form of the CDP commands to return to the default settings. This example shows how to configure CDP characteristics.
Disabling and Enabling CDP on an Interface
CDP is enabled by default on all supported interfaces to send and to receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on a port:
Step 1 configure terminal
Enter global configuration mode.
Step 2 interface interface-id
Specify the interface on which you are disabling CDP, and enter interface configuration mode.
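An added example (the editor's, not from the guide): CDP stays on the uplink for neighbor discovery but is switched off on the server-facing ports, where its platform, software-version and management-address fields would otherwise be handed to every attached host. The port ranges and timer values are assumptions.

```cisco
! Added example; port ranges and timers are assumptions.
Switch# configure terminal
! Global characteristics: advertise every 30 s, neighbors keep the entry 120 s
Switch(config)# cdp timer 30
Switch(config)# cdp holdtime 120
! Server-facing ports: stop sending and receiving CDP
Switch(config)# interface range gigabitethernet0/1 - 16
Switch(config-if-range)# no cdp enable
Switch(config-if-range)# exit
! Uplink: keep CDP (the default; shown for clarity)
Switch(config)# interface gigabitethernet0/17
Switch(config-if)# cdp enable
Switch(config-if)# end
! Per-port state, and what the switch currently knows about its neighbors
Switch# show cdp interface
Switch# show cdp neighbors detail
```

To drop CDP everywhere instead, use no cdp run in global configuration. Note that no cdp enable stops receiving as well as sending on that port, so a Cisco IP phone on such a port can no longer learn its voice VLAN through CDP.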
Monitoring and Maintaining CDP
To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.
clear cdp counters
Reset the traffic counters to zero.
clear cdp table
Delete the CDP table of information about neighbors.
show cdp
Display global information, such as frequency of transmissions and the holdtime for packets being sent.
C H A P T E R 20 Configuring LLDP and LLDP-MED This chapter describes how to configure the Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (LLDP-MED) on the switch. For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Understanding LLDP and LLDP-MED
• Port description TLV
• System name TLV
• System description TLV
• System capabilities TLV
• Management address TLV
These organizationally specific LLDP TLVs are also advertised to support LLDP-MED:
• Port VLAN ID TLV (IEEE 802.1 organizationally specific TLV)
• MAC/PHY configuration/status TLV (IEEE 802.3 organizationally specific TLV)
Note A switch stack appears as a single switch in the network.
Configuring LLDP and LLDP-MED
This section contains this configuration information:
• Default LLDP Configuration, page 20-3
• Configuring LLDP Characteristics, page 20-3
• Disabling and Enabling LLDP Globally, page 20-4
• Disabling and Enabling LLDP on an Interface, page 20-5
• Configuring LLDP-MED TLVs, page 20-6
Default LLDP Configuration
Table 20-1 shows the default LLDP configuration.
Step 1 configure terminal
Enter global configuration mode.
Step 2 lldp holdtime seconds
(Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is 0 to 65535 seconds; the default is 120 seconds.
Step 3 lldp reinit
(Optional) Specify the delay time in seconds for LLDP to initialize on any interface.
This example shows how to disable LLDP.
Switch# configure terminal
Switch(config)# no lldp run
Switch(config)# end
This example shows how to enable LLDP.
Switch# configure terminal
Switch(config)# lldp run
Switch(config)# end
Disabling and Enabling LLDP on an Interface
LLDP is enabled by default on all supported interfaces to send and to receive LLDP information.
Configuring LLDP-MED TLVs
By default, the switch only sends LLDP packets until it receives LLDP-MED packets from the end device. The device continues to send LLDP-MED packets until it receives LLDP packets only.
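An added example (the editor's, not from the guide) of the interface-level controls together with LLDP-MED TLV selection: server-facing ports listen but do not advertise, and a phone-facing port sends the network-policy and location TLVs but withholds the inventory TLV. Port numbers and timers are assumptions.

```cisco
! Added example; port numbers and timers are assumptions.
Switch# configure terminal
Switch(config)# lldp run
! Transmit every 30 s; receivers keep the entry 120 s; 2 s reinit delay
Switch(config)# lldp timer 30
Switch(config)# lldp holdtime 120
Switch(config)# lldp reinit 2
! Server-facing ports: learn what is attached, but advertise nothing
Switch(config)# interface range gigabitethernet0/1 - 16
Switch(config-if-range)# no lldp transmit
Switch(config-if-range)# lldp receive
Switch(config-if-range)# exit
! Phone-facing port: MED network-policy and location TLVs, no inventory TLV
Switch(config)# interface gigabitethernet0/18
Switch(config-if)# lldp transmit
Switch(config-if)# lldp med-tlv-select network-policy
Switch(config-if)# lldp med-tlv-select location
Switch(config-if)# no lldp med-tlv-select inventory-management
Switch(config-if)# end
Switch# show lldp
Switch# show lldp interface gigabitethernet0/18
Switch# show lldp neighbors detail
```

The MED TLVs are advertised only after an LLDP-MED frame has been received on the port, as described above, so a device that never speaks LLDP-MED sees only the basic TLVs.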
Monitoring and Maintaining LLDP and LLDP-MED
To monitor and maintain LLDP and LLDP-MED on your device, perform one or more of these tasks, beginning in privileged EXEC mode.
clear lldp counters
Reset the traffic counters to zero.
clear lldp table
Delete the LLDP table of information about neighbors.
C H A P T E R 21 Configuring UDLD This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the switch. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding UDLD
In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection. If the ports are connected correctly but the traffic is one way, UDLD does not detect the unidirectional link because the Layer 1 mechanism, which is supposed to detect this condition, does not do so.
If the detection window ends and no valid reply message is received, the link might shut down, depending on the UDLD mode. When UDLD is in normal mode, the link might be considered undetermined and might not be shut down. When UDLD is in aggressive mode, the link is considered unidirectional, and the port is disabled.
Configuring UDLD
Default UDLD Configuration
Table 21-1 shows the default UDLD configuration.
Enabling UDLD Globally
Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch:
Step 1 configure terminal
Enter global configuration mode.
Step 3 udld port [aggressive]
UDLD is disabled by default.
• udld port—Enables UDLD in normal mode on the specified port.
• udld port aggressive—Enables UDLD in aggressive mode on the specified port.
Note Use the no udld port interface configuration command to disable UDLD on a specified fiber-optic port. For more information about aggressive and normal modes, see the “Modes of Operation” section on page 21-1.
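An added example (the editor's, not from the guide): aggressive UDLD on all fiber-optic ports through the global command, the same mode on a non-fiber uplink that the global command does not cover, and errdisable recovery so a port that UDLD disables comes back once the cabling is repaired. The port number and the timers are assumptions.

```cisco
! Added example; port and timers are assumptions.
Switch# configure terminal
! All fiber-optic ports: aggressive mode, probe every 15 s (the default interval)
Switch(config)# udld aggressive
Switch(config)# udld message time 15
! A non-fiber uplink is not covered by the global command; enable it per port
Switch(config)# interface gigabitethernet0/20
Switch(config-if)# udld port aggressive
Switch(config-if)# exit
! Recover UDLD-errdisabled ports automatically after 5 minutes
Switch(config)# errdisable recovery cause udld
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Neighbor state, per-port mode and any unidirectional links detected
Switch# show udld gigabitethernet0/20
Switch# show udld neighbors
! Or reset every port UDLD has disabled, after repairing the link
Switch# udld reset
```

Aggressive mode is the one that actually disables a port: in normal mode an undetermined link is reported but may stay up, so a miswired uplink can keep forwarding in one direction and quietly break spanning tree until someone reads the log.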
C H A P T E R 22 Configuring SPAN and RSPAN This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the switch. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding SPAN and RSPAN
These sections contain this conceptual information:
• Local SPAN, page 22-2
• Remote SPAN, page 22-2
• SPAN and RSPAN Concepts and Terminology, page 22-3
• SPAN and RSPAN Interaction with Other Features, page 22-8
Local SPAN
Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports are in the same switch.
Figure 22-2 Example of RSPAN Configuration (figure not reproduced: Switch A and Switch B each run an RSPAN source session, A and B, on their RSPAN source ports; the mirrored traffic crosses intermediate switches, which must support the RSPAN VLAN, and reaches Switch C, where an RSPAN destination session delivers it to the RSPAN destination ports.)
SPAN and RSPAN Concepts and Terminology
This section describes concepts and terminology associated with SPAN and RSPAN configuration.
An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed over normal trunk ports to the destination switch. An RSPAN destination session takes all packets received on the RSPAN VLAN, strips off the VLAN tagging, and presents them on the destination port.
• Transmit (Tx) SPAN—The goal of transmit (or egress) SPAN is to monitor as much as possible all the packets sent by the source interface after all modification and processing is performed by the switch. A copy of each packet sent by the source is sent to the destination port for that SPAN session. The copy is provided after the packet is modified.
• It can be an access port, trunk port, or voice VLAN port.
• It cannot be a destination port.
• Source ports can be in the same or different VLANs.
• You can monitor multiple source ports in a single session.
Source VLANs
VLAN-based SPAN (VSPAN) is the monitoring of the network traffic in one or more VLANs. The SPAN or RSPAN source interface in VSPAN is a VLAN ID, and traffic is monitored on all the ports for that VLAN.
A destination port has these characteristics:
• For a local SPAN session, the destination port must reside on the same switch as the source port. For an RSPAN session, it is located on the switch containing the RSPAN destination session. There is no destination port on a switch running only an RSPAN source session.
• When a port is configured as a SPAN destination port, the configuration overwrites the original port configuration.
For VLANs 1 to 1005 that are visible to VLAN Trunking Protocol (VTP), the VLAN ID and its associated RSPAN characteristic are propagated by VTP. If you assign an RSPAN VLAN ID in the extended VLAN range (1006 to 4094), you must manually configure all intermediate switches. It is normal to have multiple RSPAN VLANs in a network at the same time with each RSPAN VLAN defining a network-wide RSPAN session.
Configuring SPAN and RSPAN
• A secure port cannot be a SPAN destination port. For SPAN sessions, do not enable port security on ports with monitored egress when ingress forwarding is enabled on the destination port. For RSPAN source sessions, do not enable port security on any ports with monitored egress.
• An IEEE 802.1x port can be a SPAN source port. You can enable IEEE 802.1x on a port that is a SPAN destination port; however, IEEE 802.
SPAN Configuration Guidelines
Follow these guidelines when configuring SPAN:
• For SPAN sources, you can monitor traffic for a single port or VLAN or a series or range of ports or VLANs for each session. You cannot mix source ports and source VLANs within a single SPAN session.
• The destination port cannot be a source port; a source port cannot be a destination port.
• You cannot have two SPAN sessions using the same destination port.
Step 3 monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
Specify the SPAN session and the source port (monitored port). For session_number, the range is 1 to 66. For interface-id, specify the source port or source VLAN to monitor.
• For source interface-id, specify the source port to monitor.
Step 6 show monitor [session session_number]
show running-config
Verify the configuration.
Step 7 copy running-config startup-config
(Optional) Save the configuration in the configuration file.
To delete a SPAN session, use the no monitor session session_number global configuration command.
Creating a Local SPAN Session and Configuring Incoming Traffic
Beginning in privileged EXEC mode, follow these steps to create a SPAN session, to specify the source ports or VLANs and the destination ports, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance).
To delete a SPAN session, use the no monitor session session_number global configuration command. To remove a source or destination port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command or the no monitor session session_number destination interface interface-id global configuration command.
Step 5 monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3. For interface-id, specify the destination port. The destination interface must be a physical port; it cannot be an EtherChannel, and it cannot be a VLAN.
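An added example (the editor's, not from the guide) of a local SPAN session feeding an IDS sensor: the receive direction of three server ports and both directions of the uplink are copied to the sensor port, the copies keep their 802.1Q tags, and the sensor can inject its own frames (for example TCP resets) into VLAN 99. Port numbers and the VLAN are assumptions.

```cisco
! Added example; ports and VLAN are assumptions.
Switch# configure terminal
! Start from a clean session 1
Switch(config)# no monitor session 1
! Sources: receive direction on the server ports, both directions on the uplink
! (source ports and source VLANs cannot be mixed in one session)
Switch(config)# monitor session 1 source interface gigabitethernet0/1 - 3 rx
Switch(config)# monitor session 1 source interface gigabitethernet0/17 both
! Destination: the sensor port. encapsulation replicate keeps the original
! tags; ingress untagged vlan 99 lets frames from the sensor enter VLAN 99
Switch(config)# monitor session 1 destination interface gigabitethernet0/10 encapsulation replicate ingress untagged vlan 99
Switch(config)# end
Switch# show monitor session 1
```

The destination port loses its previous configuration when it becomes a SPAN destination, so do not point a session at a port that still needs its access-VLAN or port-security settings. Because ingress forwarding is enabled here, the guideline above about port security on ports with monitored egress applies to this session.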
• You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets. Specify these ACLs on the RSPAN VLAN in the RSPAN source switches.
• For RSPAN configuration, you can distribute the source ports and the destination ports across multiple switches in your network.
• RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols.
Beginning in privileged EXEC mode, follow these steps to create an RSPAN VLAN:
Step 1 configure terminal
Enter global configuration mode.
Step 2 vlan vlan-id
Enter a VLAN ID to create a VLAN, or enter the VLAN ID of an existing VLAN, and enter VLAN configuration mode. The range is 2 to 1001 and 1006 to 4094.
Step 3 monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
Specify the RSPAN session and the source port (monitored port). For session_number, the range is 1 to 66. Enter a source port or source VLAN for the RSPAN session:
• For interface-id, specify the source port to monitor.
Creating an RSPAN Destination Session
You configure the RSPAN destination session on a different switch; that is, not the switch on which the source session was configured.
This example shows how to configure VLAN 901 as the source remote VLAN and port 1 as the destination interface:
Switch(config)# monitor session 1 source remote vlan 901
Switch(config)# monitor session 1 destination interface gigabitethernet0/1
Switch(config)# end
Creating an RSPAN Destination Session and Configuring Incoming Traffic
Beginning in privileged EXEC mode, follow these steps to create an RSPAN destination session, to specify the
Step 4 monitor session session_number destination {interface interface-id [, | -] [ingress {dot1q vlan vlan-id | isl | untagged
Specify the SPAN session, the destination port, the packet encapsulation, and the incoming VLAN and encapsulation. For session_number, enter the number defined in Step 3, the monitor session source remote vlan command.
Specifying VLANs to Filter
Beginning in privileged EXEC mode, follow these steps to configure the RSPAN source session to limit RSPAN source traffic to specific VLANs:
Step 1 configure terminal
Enter global configuration mode.
Step 2 no monitor session {session_number | all | local | remote}
Remove any existing SPAN configuration for the session. For session_number, the range is 1 to 66.
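An added example (the editor's, not from the guide) carrying the RSPAN procedures above end to end: RSPAN VLAN 901 is created on the source and destination switches (VTP propagates it to intermediate switches for IDs 1 to 1005), the source switch mirrors a trunk but filters the copy to VLANs 10 and 20, and the destination switch delivers the RSPAN VLAN to a sensor port. The switch names, session numbers, ports and VLAN IDs are assumptions.

```cisco
! Added example; switch names, ports, VLANs and session numbers are assumptions.
! --- Source switch ---
SwitchA# configure terminal
SwitchA(config)# vlan 901
SwitchA(config-vlan)# remote-span
SwitchA(config-vlan)# exit
SwitchA(config)# no monitor session 2
! Mirror the receive side of trunk Gi0/17, but only VLANs 10 and 20 of it
SwitchA(config)# monitor session 2 source interface gigabitethernet0/17 rx
SwitchA(config)# monitor session 2 filter vlan 10 , 20
! Send the copies into the RSPAN VLAN instead of to a local port
SwitchA(config)# monitor session 2 destination remote vlan 901
SwitchA(config)# end
SwitchA# show monitor session 2
! --- Destination switch (must differ from the source-session switch) ---
SwitchC# configure terminal
SwitchC(config)# vlan 901
SwitchC(config-vlan)# remote-span
SwitchC(config-vlan)# exit
SwitchC(config)# no monitor session 2
SwitchC(config)# monitor session 2 source remote vlan 901
SwitchC(config)# monitor session 2 destination interface gigabitethernet0/10
SwitchC(config)# end
SwitchC# show monitor session 2
```

The RSPAN VLAN must be allowed on every trunk between the two switches, and no access port should be placed in it: any host in VLAN 901 receives the mirrored traffic, which is the RSPAN equivalent of leaving a sensor port open to the floor.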
Displaying SPAN and RSPAN Status
To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
C H A P T E R 23 Configuring RMON This chapter describes how to configure Remote Network Monitoring (RMON) on the switch. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information.
Figure 23-1 Remote Monitoring Example (figure not reproduced: a network management station running a generic RMON console application monitors the switch, on which RMON history and statistic collection are enabled, RMON alarms and events are configured, and SNMP is configured; blade servers attach to the switch.)
Configuring RMON
Default RMON Configuration
RMON is disabled by default; no alarms or events are configured.
Configuring RMON Alarms and Events
You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station. We recommend that you use a generic RMON console application on the network management station (NMS) to take advantage of the RMON network management capabilities.
Step 3 rmon event number [description string] [log] [owner string] [trap community]
Add an event in the RMON event table that is associated with an RMON event number.
• For number, assign an event number. The range is 1 to 65535.
• (Optional) For description string, specify a description of the event.
• (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.
Collecting Group History Statistics on an Interface
You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional.
Step 1 configure terminal
Enter global configuration mode.
Step 3 rmon collection stats index [owner ownername]
Enable RMON statistic collection on the interface.
• For index, specify the RMON group of statistics. The range is from 1 to 65535.
• (Optional) For owner ownername, enter the name of the owner of the RMON group of statistics.
Step 4 end
Return to privileged EXEC mode.
Step 5 show running-config
Verify your entries.
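An added example (the editor's, not from the guide) wiring the event, alarm, history and statistics steps together for an uplink whose input-error counter should stay near zero. The event numbers, community string, trap receiver address, ifIndex 17 and the thresholds are assumptions.

```cisco
! Added example; event numbers, community, NMS address, ifIndex and thresholds are assumptions.
Switch# configure terminal
! Trap receiver for RMON events
Switch(config)# snmp-server host 10.1.1.5 traps rmontrap
! Event 1 fires on the rising threshold, event 2 on the falling one
Switch(config)# rmon event 1 log trap rmontrap description "ifInErrors rising on uplink" owner netops
Switch(config)# rmon event 2 log description "ifInErrors back to normal" owner netops
! Alarm 10: sample ifInErrors (ifEntry.14) for ifIndex 17 every 30 s as a delta;
! more than 15 new errors in an interval fires event 1, a return to 0 fires event 2
Switch(config)# rmon alarm 10 ifEntry.14.17 30 delta rising-threshold 15 1 falling-threshold 0 2 owner netops
! History on the uplink: 50 buckets of 60-second samples, plus the statistics group
Switch(config)# interface gigabitethernet0/17
Switch(config-if)# rmon collection history 1 owner netops buckets 50 interval 60
Switch(config-if)# rmon collection stats 1 owner netops
Switch(config-if)# end
Switch# show rmon events
Switch# show rmon alarms
Switch# show rmon history
Switch# show rmon statistics
```

Confirm the ifIndex from the NMS (for example by walking ifDescr) before writing the alarm: the alarm variable is an object instance, so a wrong index silently watches the wrong port and never fires.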
C H A P T E R 24 Configuring System Message Logging This chapter describes how to configure system message logging on the switch. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Chapter 24 Configuring System Message Logging

Configuring System Message Logging

These sections contain this configuration information:
• System Log Message Format, page 24-2
• Default System Message Logging Configuration, page 24-3
• Disabling Message Logging, page 24-3 (optional)
• Setting the Message Display Destination Device, page 24-4 (optional)
• Synchronizing Log Messages, page 24-5 (optional)
• Enabling and Disabling Time Stamps on Log Messages, page

Table 24-1 System Log Message Elements (continued)
Element        Description
MNEMONIC       Text string that uniquely describes the message.
description    Text string containing detailed information about the event being reported.

Beginning in privileged EXEC mode, follow these steps to disable message logging. This procedure is optional.
Step 1  configure terminal     Enter global configuration mode.
Step 2  no logging console     Disable message logging to the console. Messages still go to every other enabled destination (the buffer, terminal lines, syslog hosts); use show logging to confirm which destinations remain active.
Step 3  end                    Return to privileged EXEC mode.
Step 4  show running-config    Verify your entries.

Step 3  logging host           Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server. To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 24-10.

is returned. Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt.
Beginning in privileged EXEC mode, follow these steps to configure synchronous logging. This procedure is optional.
Step 1  configure terminal     Enter global configuration mode.

Enabling and Disabling Time Stamps on Log Messages

By default, log messages are not time-stamped. Beginning in privileged EXEC mode, follow these steps to enable time-stamping of log messages. This procedure is optional.
Step 1  configure terminal             Enter global configuration mode.
Step 2  service timestamps log uptime  Enable log time stamps. The uptime form stamps each message with the time since the last reload; to correlate switch messages with other systems, use service timestamps log datetime msec localtime show-timezone together with a clock synchronized by NTP (Chapter 4).

To disable sequence numbers, use the no service sequence-numbers global configuration command.
This example shows part of a logging display with sequence numbers enabled:
000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)

Defining the Message Severity Level

You can limit the messages sent to the selected device by specifying the severity level of the message; the levels are described in Table 24-3.
Table 24-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.
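The elements of Table 24-1, the sequence-number display above and the severity levels of Table 24-3 are what a collector has to take apart before it can filter or alert on switch messages. The parser below is an added example, not code from the guide: it splits a console or buffer line into sequence number, time stamp, facility, severity, mnemonic and description, filters by level the way a logging destination's level keyword does, and computes the syslog PRI value (facility number times 8 plus severity, per RFC 3164) that a UNIX syslog server sees for the facility keywords of Table 24-4. The facility numbers and the sample log lines are supplied here; the lines are constructed, not captured from a switch.

```python
"""Parse Cisco IOS system log messages and filter them by severity level.

Added example; not code from the configuration guide. The message layout follows
Table 24-1 and the sequence-number example: an optional six-digit sequence number,
an optional time stamp (uptime or datetime form), then
%FACILITY-SEVERITY-MNEMONIC: description. The sample lines are constructed.
"""
import re
from typing import Dict, List, Optional, Union

# Severity levels of Table 24-3, from most to least severe.
SEVERITY = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
LEVEL_OF = {name: level for level, name in SEVERITY.items()}

# UNIX syslog facility numbers (RFC 3164) for the logging facility keywords.
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "cron": 9}
FACILITY.update({f"sys{n}": n for n in range(9, 15)})      # sys9-14: system use
FACILITY.update({f"local{n}": 16 + n for n in range(8)})   # local0-7

_MSG = re.compile(
    r"^(?:(?P<seq>\d{6}): )?"        # present only with service sequence-numbers
    r"(?:(?P<ts>[^%]+?): )?"         # present only with service timestamps log
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<description>.*)$"
)


def parse_message(line: str) -> Optional[Dict]:
    """Split one console/buffer log line into its elements; None if it is not a system message."""
    m = _MSG.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    d["level"] = SEVERITY[d["severity"]]
    return d


def filter_by_level(lines: List[str], level: Union[int, str]) -> List[Dict]:
    """Keep messages at the given level or more severe, as a destination's level keyword does."""
    limit = LEVEL_OF[level] if isinstance(level, str) else level
    kept = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and msg["severity"] <= limit:
            kept.append(msg)
    return kept


def syslog_pri(facility: str, severity: int) -> int:
    """PRI value a UNIX syslog server receives: facility * 8 + severity (RFC 3164)."""
    return FACILITY[facility] * 8 + severity


# Constructed sample lines: sequence numbers on, with no, datetime and uptime stamps.
SAMPLE_LOG = [
    "000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "000020: *Mar  1 00:02:11.317 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "000021: 1w2d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.34.195.40] [localport: 23]",
    "not a system message",
]

if __name__ == "__main__":
    for msg in filter_by_level(SAMPLE_LOG, "warnings"):
        print(msg["seq"], msg["facility"], msg["level"], msg["mnemonic"], msg["description"])
```

Filtering compares numeric levels, so "warnings" (4) keeps levels 0 to 4 and drops the level-5 CONFIG_I message, which is exactly what logging with a level keyword of warnings would do on the switch.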
Step 3  logging history size number          Specify the number of syslog messages that can be stored in the history table. The default is to store one message. The range is 0 to 500 messages.
Step 4  end                                  Return to privileged EXEC mode.
Step 5  show running-config                  Verify your entries.
Step 6  copy running-config startup-config   (Optional) Save your entries in the configuration file.

Step 3  Make sure the syslog daemon reads the new changes:
$ kill -HUP `cat /etc/syslog.pid`
For more information, see the man syslog.conf and man syslogd commands on your UNIX system.

Configuring the UNIX System Logging Facility

When sending system log messages to an external device, you can cause the switch to identify its messages as originating from any of the UNIX syslog facilities.

Table 24-4 Logging Facility-Type Keywords (continued)
Facility Type Keyword   Description
mail                    Mail system
news                    USENET news
sys9-14                 System use
syslog                  System log
user                    User process
uucp                    UNIX-to-UNIX copy system

Displaying the Logging Configuration

To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command.

Chapter 25 Configuring SNMP

This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the switch.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.

Understanding SNMP

• Using SNMP to Access MIB Variables, page 25-4
• SNMP Notifications, page 25-5
• SNMP ifIndex MIB Object Values, page 25-6

SNMP Versions

This software release supports these SNMP versions:
• SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.

Table 25-1 identifies the characteristics of the different combinations of security models and levels.
Table 25-1 SNMP Security Models and Levels
Model     Level          Authentication     Encryption   Result
SNMPv1    noAuthNoPriv   Community string   No           Uses a community string match for authentication.
SNMPv2C   noAuthNoPriv   Community string   No           Uses a community string match for authentication.

SNMP Agent Functions

The SNMP agent responds to SNMP manager requests as follows:
• Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.
• Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.

As shown in Figure 25-1, the SNMP agent gathers data from the MIB. The agent can send traps, or notification of certain events, to the SNMP manager, which receives and processes the traps. Traps alert the SNMP manager to a condition on the network such as improper user authentication, restarts, link status (up or down), MAC address tracking, and so forth.

SNMP ifIndex MIB Object Values

The IF-MIB on the switch assigns each physical or logical interface an interface index (ifIndex) object value, a unique number greater than zero, and the NMS uses that value to refer to the interface. When the switch reboots or the switch software is upgraded, the switch keeps the same value for the interface. For example, if the switch assigns port 2 an ifIndex value of 10003, this value is the same after the switch reboots.

Default SNMP Configuration

Table 25-4 shows the default SNMP configuration.
Table 25-4 Default SNMP Configuration
Feature                 Default Setting
SNMP agent              Disabled.
SNMP trap receiver      None configured.
SNMP traps              None enabled except the trap for TCP connections (tty).
SNMP version            If no version keyword is present, the default is Version 1.
SNMPv3 authentication   If no keyword is entered, the default is the noauth (noAuthNoPriv) security level.

invalid, and you need to reconfigure SNMP users by using the snmp-server user username global configuration command. Similar restrictions require the reconfiguration of community strings when the engine ID changes.

Disabling the SNMP Agent

Beginning in privileged EXEC mode, follow these steps to disable the SNMP agent:
Step 1  configure terminal   Enter global configuration mode.
Step 2  no snmp-server       Disable the SNMP agent operation.

Beginning in privileged EXEC mode, follow these steps to configure a community string on the switch:
Step 1  configure terminal   Enter global configuration mode.
Step 2  snmp-server community string [view view-name] [ro | rw] [access-list-number]   Configure the community string. A read-write (rw) string with no access list gives anyone who learns the string configuration access to the switch; restrict every community string with an access list, and prefer SNMPv3 with authentication and encryption where the NMS supports it.

This example shows how to assign the string comaccess to SNMP, to allow read-only access, and to specify that IP access list 4 can use the community string to gain access to the switch SNMP agent:
Switch(config)# snmp-server community comaccess ro 4

Configuring SNMP Groups and Users

You can specify an identification name (engine ID) for the local or remote SNMP server engine on the switch.

Step 3  snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]   Configure a new SNMP group on the remote device.
• For groupname, specify the name of the group.
• Specify a security model:
  – v1 is the least secure of the possible security models.
  – v2c is the second least secure model. It allows transmission of informs and integers twice the normal width.

Step 4  snmp-server user username groupname [remote host [udp-port port]] {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]}   Add a new user for an SNMP group.
• The username is the name of the user on the host that connects to the agent.
• The groupname is the name of the group to which the user is associated.

Table 25-5 Switch Notification Types (continued)
Notification Type Keyword   Description
cluster        Generates a trap when the cluster configuration changes.
config         Generates a trap for SNMP configuration changes.
copy-config    Generates a trap for SNMP copy configuration changes.
entity         Generates a trap for SNMP entity changes.
envmon         Generates environmental monitor traps.

You can use the snmp-server host global configuration command to configure a specific host to receive the notification types listed in Table 25-5. Beginning in privileged EXEC mode, follow these steps to configure the switch to send traps or informs to a host:
Step 1  configure terminal                                      Enter global configuration mode.
Step 2  snmp-server engineID remote ip-address engineid-string  Specify the engine ID for the remote host.

Step 8   snmp-server queue-length length    (Optional) Establish the message queue length for each trap host. The range is 1 to 1000; the default is 10.
Step 9   snmp-server trap-timeout seconds   (Optional) Define how often to resend trap messages. The range is 1 to 1000; the default is 30 seconds.
Step 10  end                                Return to privileged EXEC mode.
Step 11  show running-config                Verify your entries.

Limiting TFTP Servers Used Through SNMP

Beginning in privileged EXEC mode, follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list:
Step 1  configure terminal                               Enter global configuration mode.
Step 2  snmp-server tftp-server-list access-list-number  Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list.

This example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.
Switch(config)# snmp-server community comaccess ro 4
Switch(config)# snmp-server enable traps snmp authentication
Switch(config)# snmp-server host cisco.
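The community-string, group, user and notification-host procedures above each leave room for a weak choice: a string with no access list, an rw string, a v1 or v2c group or host (cleartext community), or a v3 principal below authPriv. The script below is an added example, not code from the guide or from Cisco: it reads the snmp-server lines of a saved running configuration and reports those conditions, using the defaults of Table 25-4 (Version 1 and noauth when no keyword is present). The configuration it audits is constructed for the example, and it assumes, as on IOS, that a priv keyword may follow the auth keywords on snmp-server user even though the syntax quoted above stops at auth-password.

```python
"""Audit the snmp-server lines of a running configuration for weak settings.

Added example, not code from the configuration guide. It checks what the community,
group, user and host procedures imply: a community string with no access list is
usable from any source, rw grants configuration access, v1 and v2c carry the
community string in cleartext, and a v3 group or user below authPriv runs without
authentication or without encryption. The sample configuration is constructed; the
priv keyword on snmp-server user is assumed to follow the auth keywords, as on IOS.
"""
from typing import Dict, List, Tuple

WELL_KNOWN = {"public", "private"}
LEVEL_NAME = {"noauth": "noAuthNoPriv", "auth": "authNoPriv", "priv": "authPriv"}


def _finding(severity: str, code: str, line: str, message: str) -> Dict[str, str]:
    return {"severity": severity, "code": code, "line": line, "message": message}


def _check_community(tokens: List[str], line: str, out: List[Dict[str, str]]) -> None:
    # snmp-server community string [view view-name] [ro | rw] [access-list-number]
    string, access, acl, i = tokens[2], "ro", None, 3
    while i < len(tokens):
        if tokens[i] == "view":
            i += 2
            continue
        if tokens[i] in ("ro", "rw"):
            access = tokens[i]
        else:
            acl = tokens[i]
        i += 1
    if acl is None:
        out.append(_finding("HIGH", "COMMUNITY_NO_ACL", line,
                            f"community '{string}' has no access list; any source may use it"))
    if access == "rw":
        out.append(_finding("HIGH", "COMMUNITY_RW", line,
                            f"community '{string}' is read-write (configuration access)"))
    if string in WELL_KNOWN:
        out.append(_finding("MEDIUM", "COMMUNITY_WELL_KNOWN", line,
                            f"'{string}' is a well-known community string"))


def security_level(rest: List[str], kind: str) -> Tuple[str, str]:
    """(model, level) from the tokens that follow the group or user name."""
    model = next((t for t in rest if t in ("v1", "v2c", "v3")), "v1")
    if model != "v3":
        return model, "noAuthNoPriv"
    if kind == "group":                      # explicit {auth | noauth | priv} keyword
        return model, LEVEL_NAME[rest[rest.index("v3") + 1]]
    if "priv" in rest:                       # assumed IOS form: ... auth sha pw priv aes 128 pw2
        return model, "authPriv"
    return model, "authNoPriv" if "auth" in rest else "noAuthNoPriv"


def _check_principal(kind: str, tokens: List[str], line: str, out: List[Dict[str, str]]) -> None:
    model, level = security_level(tokens[3:], kind)
    tag, name = kind.upper(), tokens[2]
    if model != "v3":
        out.append(_finding("HIGH", f"{tag}_COMMUNITY_MODEL", line,
                            f"{kind} '{name}' uses {model}: community string sent in cleartext"))
    elif level == "noAuthNoPriv":
        out.append(_finding("HIGH", f"{tag}_NOAUTH", line, f"{kind} '{name}' has no authentication"))
    elif level == "authNoPriv":
        out.append(_finding("MEDIUM", f"{tag}_NOPRIV", line,
                            f"{kind} '{name}' is authenticated but not encrypted"))


def _check_host(tokens: List[str], line: str, out: List[Dict[str, str]]) -> None:
    # snmp-server host host [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-or-user
    version, level = "1", "noauth"           # defaults when no keyword is present (Table 25-4)
    if "version" in tokens:
        i = tokens.index("version")
        version = tokens[i + 1]
        if version == "3" and i + 2 < len(tokens) and tokens[i + 2] in LEVEL_NAME:
            level = tokens[i + 2]
    if version in ("1", "2c"):
        out.append(_finding("MEDIUM", "HOST_COMMUNITY_MODEL", line,
                            f"notifications to {tokens[2]} use SNMPv{version} with a cleartext community"))
    elif level != "priv":
        out.append(_finding("MEDIUM", "HOST_NOPRIV", line,
                            f"v3 notifications to {tokens[2]} are sent at {LEVEL_NAME[level]}"))


def audit_snmp_config(config: str) -> List[Dict[str, str]]:
    """Return one finding per weak setting found in the snmp-server lines of config."""
    findings: List[Dict[str, str]] = []
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "snmp-server":
            continue
        line = " ".join(tokens)
        if tokens[1] == "community":
            _check_community(tokens, line, findings)
        elif tokens[1] in ("group", "user"):
            _check_principal(tokens[1], tokens, line, findings)
        elif tokens[1] == "host":
            _check_host(tokens, line, findings)
    return findings


# Constructed running-configuration excerpt; the addresses and names are illustrative.
SAMPLE_CONFIG = """\
!
snmp-server community comaccess ro 4
snmp-server community private rw
snmp-server community public view restricted ro 10
snmp-server group netops v3 priv read v1default
snmp-server group legacy v2c read v1default
snmp-server user monitor netops v3 auth sha Auth-Pass-1
snmp-server user polltest legacy v2c
snmp-server enable traps snmp authentication
snmp-server host 10.34.195.50 version 2c comaccess
snmp-server host 10.34.195.51 version 3 priv monitor
!
"""

if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f["severity"], f["code"], "|", f["line"], "|", f["message"])
```

Run it over the output of show running-config saved to a file; the only line in the sample that produces no finding besides the v3 priv group and host is the guide's own snmp-server community comaccess ro 4, which is read-only and bound to an access list.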
Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide, 380261-003
Chapter 26 Configuring Network Security with ACLs

This chapter describes how to configure network security on the switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists.
Note Information in this chapter about IP ACLs is specific to IP Version 4 (IPv4).

Understanding ACLs

An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny depends on the context in which the ACL is used.

2 input would allow Blade Server A to access the Human Resources network, but prevent Blade Server B from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.

With VLAN maps, forwarding of packets is permitted or denied, based on the action specified in the map. Figure 26-2 shows how a VLAN map is applied to prevent a specific type of traffic from Host A in VLAN 10 from being forwarded. You can apply only one VLAN map to a VLAN.

Configuring IPv4 ACLs

• Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet is fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4 information is present. The remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information. Instead, they match the third ACE (a permit). Because the first fragment was denied, host 10.1.1.
A deny ACE that checks Layer 4 information therefore never stops non-initial fragments; if those fragments must be dropped, add a deny ACE with the fragments keyword ahead of the permit entries.

Creating Standard and Extended IPv4 ACLs

This section describes IP ACLs. An ACL is a sequential collection of permit and deny conditions. One by one, the switch tests packets against the conditions in an access list. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of the conditions is critical.

Table 26-1 Access List Numbers (continued)
Access List Number   Type                                       Supported
1300–1999            IP standard access list (expanded range)   Yes
2000–2699            IP extended access list (expanded range)   Yes
In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs by using the supported numbers.

Note When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny statement for all packets that did not match any entry before reaching the end.
With standard access lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the mask.
This example shows how to create a standard ACL to deny access to IP host 171.69.198.
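The first-match rule, the implicit deny at the end of every list, the 0.0.0.0 default mask of a standard ACL and the fragment behaviour in the Packet A and Packet B discussion are easy to state and easy to get wrong when reasoning about a real list. The evaluator below is an added example, not code from the guide: it parses a small subset of the access-list syntax (any, host, address with wildcard, a destination eq port, and the fragments keyword) and evaluates packets against it with those rules. Access list 102 is reconstructed from the Packet A and Packet B description (permit SMTP to 10.1.1.1, deny Telnet to 10.1.1.2, permit all other TCP); access list 1 and the packets are constructed. The permit-side rule for non-initial fragments (a permit ACE with Layer 4 information is taken as matching on Layer 3 alone) is the standard IOS behaviour and is stated here as an assumption, since the page only shows the deny side.

```python
"""Model of IOS IPv4 ACL evaluation: first match wins, implicit deny at the end,
and the fragment rules described in the configuration guide.

Added example, not code from the guide. The parser handles a subset of the
access-list syntax: any | host A | A wildcard (or a bare address in a standard
ACL, wildcard 0.0.0.0), an optional destination 'eq port', and 'fragments'.
Access list 102 follows the Packet A / Packet B discussion; access list 1 and the
packets are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "telnet": 23, "www": 80, "ftp": 21, "domain": 53}
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "igmp"}


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    protocol: str                 # "ip" matches every IP protocol
    src: Tuple[int, int]          # (address, wildcard) as integers
    dst: Tuple[int, int]
    dport: Optional[int] = None   # Layer 4 condition, if any
    fragments_only: bool = False  # the 'fragments' keyword


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "tcp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    frag_offset: int = 0          # > 0: non-initial fragment, no Layer 4 header present

    @property
    def non_initial_fragment(self) -> bool:
        return self.frag_offset > 0


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Read 'any' | 'host A' | 'A W' | 'A' (standard-ACL form) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(IPv4Address(tok))
    if i + 1 < len(tokens) and "." in tokens[i + 1] and tokens[i + 1][0].isdigit():
        return (addr, int(IPv4Address(tokens[i + 1]))), i + 2
    return (addr, 0), i + 1       # mask omitted: 0.0.0.0 is assumed


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0] == "access-list":     # numbered form: skip 'access-list N'
        t = t[2:]
    action, i = t[0], 1
    if t[i] in PROTOCOLS:         # extended ACL: protocol, source, destination
        protocol, i = t[i], i + 1
        src, i = _parse_addr(t, i)
        dst, i = _parse_addr(t, i)
    else:                         # standard ACL: source only
        protocol, dst = "ip", (0, 0xFFFFFFFF)
        src, i = _parse_addr(t, i)
    dport, frag_only = None, False
    while i < len(t):
        if t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            i += 2
        elif t[i] == "fragments":
            frag_only, i = True, i + 1
        else:
            i += 1                # precedence/tos/dscp/time-range are not modelled
    return Ace(action, protocol, src, dst, dport, frag_only)


def _in(addr: str, spec: Tuple[int, int]) -> bool:
    net, wild = spec              # wildcard bits set = don't care
    return (int(IPv4Address(addr)) ^ net) & ~wild & 0xFFFFFFFF == 0


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not (_in(pkt.src, ace.src) and _in(pkt.dst, ace.dst)):
        return False
    has_l4 = ace.dport is not None
    if ace.fragments_only:        # applies to non-initial fragments only, Layer 3 only
        return pkt.non_initial_fragment and not has_l4
    if not has_l4:
        return True               # Layer 3 only: initial and non-initial fragments alike
    if pkt.non_initial_fragment:
        # No Layer 4 header to check: a permit ACE is taken as matching on Layer 3
        # alone (assumed IOS behaviour); a deny ACE is skipped (guide, Packet B).
        return ace.action == "permit"
    return pkt.dport == ace.dport


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE decides; None index means the implicit deny applied."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, idx
    return "deny", None


def fragment_of(pkt: Packet, offset: int = 185) -> Packet:
    """A non-initial fragment of pkt: same addresses and protocol, no Layer 4 ports."""
    return Packet(pkt.src, pkt.dst, pkt.protocol, None, None, offset)


ACL_102 = [parse_ace(l) for l in [
    "access-list 102 permit tcp any host 10.1.1.1 eq smtp",
    "access-list 102 deny tcp any host 10.1.1.2 eq telnet",
    "access-list 102 permit tcp any any",
]]
ACL_1 = [parse_ace(l) for l in [
    "access-list 1 deny 171.69.198.102",           # wildcard omitted: 0.0.0.0
    "access-list 1 permit 171.69.198.0 0.0.0.255",
]]
PACKET_A = Packet("10.2.2.2", "10.1.1.1", "tcp", 65000, 25)
PACKET_B = Packet("10.2.2.2", "10.1.1.2", "tcp", 65001, 23)

if __name__ == "__main__":
    for name, pkt in [("A", PACKET_A), ("A frag", fragment_of(PACKET_A)),
                      ("B", PACKET_B), ("B frag", fragment_of(PACKET_B))]:
        print(name, evaluate(ACL_102, pkt))
```

The Packet B result is the one to remember: the initial fragment is denied by the second ACE, but every later fragment of the same datagram is forwarded by the third, which is why a deny meant to cover fragmented traffic needs a fragments entry of its own.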
Note The switch does not support dynamic or reflexive access lists. It also does not support filtering based on the type of service (ToS) minimize-monetary-cost bit.
Supported parameters can be grouped into these categories: TCP, UDP, ICMP, IGMP, or other IP.
Beginning in privileged EXEC mode, follow these steps to create an extended ACL:
Step 1  configure terminal   Enter global configuration mode.

Step 2b  access-list access-list-number {deny | permit} protocol any any [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]   In global configuration mode, define an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255.

Step 2d/2e  access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]   (Optional) Define an extended ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol.

After creating a numbered extended ACL, you can apply it to terminal lines (see the “Applying an IPv4 ACL to a Terminal Line” section on page 26-16), to interfaces (see the “Applying an IPv4 ACL to an Interface” section on page 26-17), or to VLANs (see the “Configuring VLAN Maps” section on page 26-22).

Resequencing ACEs in an ACL

In Cisco IOS Release 12.

Step 3  deny {source [source-wildcard] | host source | any}
        or
        permit {source [source-wildcard] | host source | any}   In access-list configuration mode, specify one or more conditions denied or permitted to decide if the packet is forwarded or dropped.
• host source—A source and source wildcard of source 0.0.0.0.
• any—A source and source wildcard of 0.0.0.0 255.255.255.255.

After you create an ACL, any additions are placed at the end of the list. You cannot insert an entry at a chosen position within an ACL this way. However, you can use the no permit and no deny access-list configuration mode commands to remove entries from a named ACL.

Step 4  end                                  Return to privileged EXEC mode.
Step 5  show time-range                      Verify the time-range configuration.
Step 6  copy running-config startup-config   (Optional) Save your entries in the configuration file.
Repeat the steps if you have multiple items that you want in effect at different times. To remove a configured time-range limitation, use the no time-range time-range-name global configuration command.

Including Comments in ACLs

You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters. The remark can go before or after a permit or deny statement.

Step 4  end                                  Return to privileged EXEC mode.
Step 5  show running-config                  Display the access list configuration.
Step 6  copy running-config startup-config   (Optional) Save your entries in the configuration file.
To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line configuration command.

Hardware and Software Treatment of IP ACLs

ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to the CPU for software processing. If the hardware reaches its capacity to store ACL configurations, packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is substantially less than for hardware-forwarded traffic.

SMTP uses TCP port 25 on one end of the connection and an ephemeral port number on the other end. The same port numbers are used throughout the life of the connection. Mail packets coming in from the Internet have a destination port of 25. Because the secure system of the network always accepts mail connections on port 25, the incoming services are controlled.
Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.

In this example of a numbered ACL, the Winter and Smith servers are not allowed to browse the web:
Switch(config)# access-list 100 remark Do not allow Winter to browse the web
Switch(config)# access-list 100 deny tcp host 171.69.3.85 any eq www
Switch(config)# access-list 100 remark Do not allow Smith to browse the web
Switch(config)# access-list 100 deny tcp host 171.69.3.

Creating Named MAC Extended ACLs

Step 3  {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination MAC address mask} [type mask | lsap lsap mask | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp | 0-65535] [cos cos]   In extended MAC access

• A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
Beginning in privileged EXEC mode, follow these steps to apply a MAC access list to control access to a Layer 2 interface:
Step 1  configure terminal   Enter global configuration mode.

Configuring VLAN Maps

To create a VLAN map and apply it to one or more VLANs, perform these steps:
Step 1  Create the standard or extended IPv4 ACLs or named MAC extended ACLs that you want to apply to the VLAN. See the “Creating Standard and Extended IPv4 ACLs” section on page 26-6 and the “Creating a VLAN Map” section on page 26-24.
Step 2  Enter the vlan access-map global configuration command to create a VLAN ACL map entry.

Creating a VLAN Map

Each VLAN map consists of an ordered series of entries. Beginning in privileged EXEC mode, follow these steps to create, add to, or delete a VLAN map entry:
Step 1  configure terminal              Enter global configuration mode.
Step 2  vlan access-map name [number]   Create a VLAN map, and give it a name and (optionally) a number. The number is the sequence number of the entry within the map.

This example shows how to create a VLAN map to permit a packet. ACL ip2 permits UDP packets, and any packets that match the ip2 ACL are forwarded. In this map, any IP packets that did not match any of the previous ACLs (that is, packets that are not TCP packets or UDP packets) would get dropped.

Switch(config-ext-macl)# permit any any vines-ip
Switch(config-ext-macl)# exit
Switch(config)# vlan access-map drop-mac-default 10
Switch(config-access-map)# match mac address good-hosts
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-mac-default 20
Switch(config-access-map)# match mac address good-protocols
Switch(config-access-map)# action forward
Example 4 In this exa

Using VLAN Maps in Your Network

These sections describe some typical uses for VLAN maps:
• Wiring Closet Configuration, page 26-27
• Denying Access to a Server on a VLAN, page 26-28

Wiring Closet Configuration

In a wiring closet configuration, the switch can support a VLAN map and a QoS classification ACL. In Figure 26-3, assume that Host X and Host Y are in different VLANs and are connected to wiring closet switches A and C.

Next, create VLAN access map map2 so that traffic that matches the http access list is dropped and all other IP traffic is forwarded.

Switch(config)# vlan access-map SERVER1_MAP 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Step 3  Apply the VLAN map to VLAN 10.
Switch(config)# vlan filter SERVER1_MAP vlan-list 10

Displaying IPv4 ACL Configuration

You can display the ACLs that are configured on the switch, and you can display the ACLs that have been applied to interfaces and VLANs.
Chapter 27 Configuring QoS

This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.

Understanding QoS

The QoS implementation is based on the Differentiated Services (Diff-Serv) architecture, an emerging standard from the Internet Engineering Task Force (IETF). This architecture specifies that each packet is classified upon entry into the network. The classification is carried in the IP packet header, using 6 bits from the deprecated IP type of service (ToS) field to carry the classification (class) information.

Figure 27-1 QoS Classification Layers in Frames and Packets (Layer 2 ISL frame: 26-byte ISL header, encapsulated frame of up to 24.5 KB, 4-byte FCS, with 3 bits used for CoS; Layer 2 802.1Q frame; Layer 3 packet: Layer 2 header, IP header, data)

Figure 27-2 shows the basic QoS model. Actions at the ingress port include classifying traffic, policing, marking, queueing, and scheduling:
• Classification generates a distinct path for a packet by associating it with a QoS label. The switch maps the CoS or DSCP in the packet to a QoS label to distinguish one kind of traffic from another. The QoS label that is generated identifies all future QoS actions to be performed on this packet.

Classification

Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally disabled, so no classification occurs. During classification, the switch performs a lookup and assigns a QoS label to the packet.

After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages.
Figure 27-3 Classification Flowchart (read the ingress interface configuration for classification; for IP and non-IP traffic, trust CoS; for IP traffic, trust DSCP or trust IP precedence; for non-IP traffic, trust DSCP or IP precedence; assign a DSCP identical to the DSCP in the packet)

Classification Based on QoS ACLs

You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs:
• If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.

The policy map can contain the police and police aggregate policy-map class configuration commands, which define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded. To enable the policy map, you attach it to a port by using the service-policy interface configuration command. You can apply a nonhierarchical policy map to a physical port or an SVI.

Policing on Physical Ports

In policy maps on physical ports, you can create these types of policers:
• Individual—QoS applies the bandwidth limits specified in the policer separately to each matched traffic class. You configure this type of policer within a policy map by using the police policy-map class configuration command.
• Aggregate—QoS applies the bandwidth limits specified in an aggregate policer cumulatively to all matched traffic flows.

Figure 27-4 Policing and Marking Flowchart on Physical Ports (get the classification result for the packet; if no policer is configured for it, pass through; otherwise query the policer to check whether the packet is in profile; if it is, done; if not, apply the out-of-profile action configured for the policer: drop the packet, or mark it by modifying the DSCP according to the policed-DSCP map and generating a new QoS label)
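The policer decision in Figure 27-4 and the individual versus aggregate distinction above are simpler to see in a small model than in prose. The code below is an added example, not from the guide or from Cisco: a token bucket that takes the rate in bits per second and the burst in bytes (the units of the police command), returns in-profile packets unchanged, and applies the out-of-profile action, either drop or markdown through a policed-DSCP map. The single-rate bucket arithmetic is a generic model of such a policer and is an assumption about the switch hardware, not a statement from the guide; the policed-DSCP entries and the packet timings are constructed. The aggregate case is shown by letting two classes draw from one bucket, as police aggregate does.

```python
"""Token-bucket model of the policing and markdown stage of Figure 27-4.

Added example, not code from the configuration guide. Rate is in bits per second
and burst in bytes, matching the units of the police policy-map class command; the
refill arithmetic is a generic single-rate token bucket, an assumption about the
hardware rather than a statement from the guide. Traffic samples are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The default policed-DSCP map is identity; the two entries below are a constructed
# markdown (the effect of 'mls qos map policed-dscp 46 34 to 8').
POLICED_DSCP_MAP: Dict[int, int] = {d: d for d in range(64)}
POLICED_DSCP_MAP.update({46: 8, 34: 8})


@dataclass
class Policer:
    rate_bps: int
    burst_bytes: int
    exceed_action: str = "drop"          # "drop" or "policed-dscp-transmit"
    tokens: float = field(init=False, default=0.0)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # the bucket starts full

    def police(self, size: int, now: float, dscp: int) -> Tuple[str, int]:
        """Return (result, dscp): 'transmit', 'markdown' (with the mapped DSCP) or 'drop'."""
        elapsed = max(0.0, now - self.last_time)
        self.last_time = now
        self.tokens = min(float(self.burst_bytes), self.tokens + elapsed * self.rate_bps / 8)
        if self.tokens >= size:               # in profile: consume tokens, pass through
            self.tokens -= size
            return "transmit", dscp
        if self.exceed_action == "drop":      # out of profile, no tokens consumed
            return "drop", dscp
        return "markdown", POLICED_DSCP_MAP[dscp]


def run_policer(policer: Policer, packets: List[Tuple[float, int, int]]) -> List[Tuple[str, int]]:
    """packets: (time in seconds, size in bytes, DSCP) in arrival order."""
    return [policer.police(size, t, dscp) for t, size, dscp in packets]


def police_two_classes(shared: bool) -> List[str]:
    """Individual policing (one bucket per class) versus aggregate policing (one shared
    bucket for all matched classes). Returns the per-packet results in arrival order."""
    classes = {"voice": [(0.0, 1500, 46)] * 3, "video": [(0.0, 1500, 34)] * 3}
    aggregate = Policer(1_000_000, 6000, "policed-dscp-transmit")
    results: List[str] = []
    for pkts in classes.values():
        policer = aggregate if shared else Policer(1_000_000, 6000, "policed-dscp-transmit")
        results += [result for result, _ in run_policer(policer, pkts)]
    return results


if __name__ == "__main__":
    p = Policer(1_000_000, 8000, "policed-dscp-transmit")      # 1 Mb/s, 8000-byte burst
    burst = [(0.0, 1500, 46)] * 6 + [(0.01, 1500, 46), (0.01, 1500, 46), (1.0, 1500, 46)]
    for (t, size, dscp), (result, out_dscp) in zip(burst, run_policer(p, burst)):
        print(f"t={t:<5} {size}B dscp {dscp} -> {result} dscp {out_dscp}")
    print("individual:", police_two_classes(shared=False))
    print("aggregate: ", police_two_classes(shared=True))
```

At 1 Mb/s the bucket refills 125 000 bytes per second, so five 1500-byte packets fit in an 8000-byte burst, the sixth is marked down from DSCP 46 to 8, and 10 ms later only one more packet fits. With the shared bucket the two classes together get the same four packets that either class alone would get, which is the point of police aggregate.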
When configuring policing on an SVI, you can create and configure a hierarchical policy map with these two levels:
• VLAN level—Create this primary level by configuring class maps and classes that specify the port trust state or set a new DSCP or IP precedence value in the packet. The VLAN-level policy map applies only to the VLAN in an SVI and does not support policers.

Mapping Tables

During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS label based on the DSCP or CoS value from the classification stage:
• During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or CoS value from a received CoS, DSCP, or IP precedence value. These maps include the CoS-to-DSCP map and the IP-precedence-to-DSCP map.

Queueing and Scheduling Overview

The switch has queues at specific points to help prevent congestion as shown in Figure 27-6.

Figure 27-7 WTD and Queue Operation (a queue of 1000 buffers with three thresholds: CoS 0-3 at 40 percent, 400 buffers; CoS 4-5 at 60 percent, 600 buffers; CoS 6-7 at 100 percent, 1000 buffers)
For more information, see the “Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds” section on page 27-64, the “Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set” section on page 27-68, and the “Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID” section on page 27-70.

Queueing and Scheduling on Ingress Queues

Figure 27-8 shows the queueing and scheduling flowchart for ingress ports.
Figure 27-8 Queueing and Scheduling Flowchart for Ingress Ports (read the QoS label, DSCP or CoS value; determine the ingress queue number, buffer allocation, and WTD thresholds; if the thresholds are being exceeded, drop the packet; otherwise queue the packet and send it to the internal ring)

You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.

Queueing and Scheduling on Egress Queues

Figure 27-9 shows the queueing and scheduling flowchart for egress ports.
Note If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues.
Figure 27-9 Queueing and Scheduling Flowchart for Egress Ports (receive the packet from the internal ring; read the QoS label, DSCP or CoS value; determine the egress queue number and threshold based on the label)

Figure 27-10 shows the egress queue buffer. The buffer space is divided between the common pool and the reserved pool. The switch uses a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue, to prevent any queue or port from consuming all the buffers and depriving other queues, and to control whether to grant buffer space to a requesting queue.

WTD Thresholds

You can assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an egress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue output dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue output cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
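Weighted tail drop is what makes the CoS-to-threshold mapping in the commands above matter during congestion: a packet is dropped not when the queue is full but when the occupancy has reached the threshold its CoS (or DSCP) is mapped to, so lower-priority traffic is discarded first while higher-priority traffic can still use the remaining buffers. The model below is an added example, not code from the guide: it uses the queue size and the 40, 60 and 100 percent thresholds of Figure 27-7, assigns CoS 0-3, 4-5 and 6-7 to threshold IDs 1, 2 and 3 as the figure does, and also shows how the DSCP and CoS labels the classification stage reads are taken from the ToS byte and the 802.1Q tag. The CoS-to-DSCP map used here (CoS times 8) is the platform default as understood by the editor and is stated as an assumption; the traffic bursts are constructed.

```python
"""Weighted tail drop (WTD) model for one queue, using the thresholds of Figure 27-7,
plus the label extraction that the classification stage relies on.

Added example, not code from the configuration guide. Queue size, the 40/60/100
percent thresholds and the CoS-to-threshold assignment come from the figure; the
default CoS-to-DSCP map (CoS x 8) is assumed to be the platform default. The
packet bursts are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

QUEUE_SIZE = 1000                                  # buffers in the queue (Figure 27-7)
THRESHOLD_PERCENT = {1: 40, 2: 60, 3: 100}         # threshold ID -> percent of queue size
COS_TO_THRESHOLD = {0: 1, 1: 1, 2: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}


def dscp_from_tos(tos_byte: int) -> int:
    """DSCP is the upper 6 bits of the IP ToS byte; the low 2 bits are ECN."""
    return (tos_byte >> 2) & 0x3F


def cos_from_tci(tci: int) -> int:
    """CoS is the 3-bit priority field at the top of the 802.1Q tag control information."""
    return (tci >> 13) & 0x7


def cos_to_dscp(cos: int) -> int:
    """Default CoS-to-DSCP map, assumed: CoS 0..7 -> DSCP 0, 8, ..., 56."""
    return cos * 8


@dataclass
class WtdQueue:
    size: int = QUEUE_SIZE
    occupancy: int = 0                                       # buffers in use
    dropped: Dict[int, int] = field(default_factory=dict)    # drops per threshold ID

    def limit(self, threshold_id: int) -> int:
        """Occupancy at which packets mapped to this threshold start to be dropped."""
        return self.size * THRESHOLD_PERCENT[threshold_id] // 100

    def enqueue(self, cos: int) -> bool:
        """Tail-drop the packet if the queue has reached the threshold for its CoS."""
        tid = COS_TO_THRESHOLD[cos]
        if self.occupancy >= self.limit(tid):
            self.dropped[tid] = self.dropped.get(tid, 0) + 1
            return False
        self.occupancy += 1
        return True

    def dequeue(self, n: int = 1) -> None:
        """The scheduler drains n buffers from the queue."""
        self.occupancy = max(0, self.occupancy - n)


def offer(queue: WtdQueue, cos_values: List[int]) -> Tuple[int, int]:
    """Offer a burst of packets (one CoS value each); return (accepted, dropped)."""
    accepted = sum(1 for cos in cos_values if queue.enqueue(cos))
    return accepted, len(cos_values) - accepted


if __name__ == "__main__":
    q = WtdQueue()
    print("CoS 0 burst:", offer(q, [0] * 500))    # stops at 40 percent (400 buffers)
    print("CoS 5 burst:", offer(q, [5] * 300))    # may fill up to 60 percent
    print("CoS 7 burst:", offer(q, [7] * 500))    # may use the whole queue
    print("occupancy:", q.occupancy, "drops:", q.dropped)
    tos = 0xB8                                    # constructed ToS byte: DSCP 46 (EF)
    print("DSCP", dscp_from_tos(tos), "CoS", cos_from_tci(0xA000), "->", cos_to_dscp(5))
```

The three bursts fill the queue in priority order: the CoS 0 burst can never push occupancy past 400 buffers, the CoS 5 burst past 600, and only CoS 6-7 traffic can occupy the last 40 percent. Once the queue is above a threshold, every packet mapped to that threshold is dropped until the scheduler drains it below the line again.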
Chapter 27 Configuring QoS Configuring Auto-QoS • During policing, IP and non-IP packets can have another DSCP assigned to them (if they are out of profile and the policer specifies a markdown DSCP). Once again, the DSCP in the packet is not modified, but an indication of the marked-down value is carried along. For IP packets, the packet modification occurs at a later stage; for non-IP packets the DSCP is converted to CoS and used for queueing and scheduling decisions.
Generated Auto-QoS Configuration By default, auto-QoS is disabled on all ports. When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues as shown in Table 27-2.
trust the QoS label received in the packet. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The switch configures ingress and egress queues on the port according to the settings in Table 27-3 and Table 27-4.
Table 27-5 Generated Auto-QoS Configuration (continued) Description Automatically Generated Command The switch automatically maps DSCP values to an ingress queue and to a threshold ID.
Table 27-5 Generated Auto-QoS Configuration (continued) Description Automatically Generated Command The switch automatically configures the egress queue buffer sizes. It configures the bandwidth and the SRR mode (shaped or shared) on the egress queues mapped to the port.
Effects of Auto-QoS on the Configuration When auto-QoS is enabled, the auto qos voip interface configuration command and the generated configuration are added to the running configuration. The switch applies the auto-QoS-generated commands as if the commands were entered from the CLI. An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands. These actions occur without warning.
Enabling Auto-QoS for VoIP Beginning in privileged EXEC mode, follow these steps to enable auto-QoS for VoIP within a QoS domain: Command Purpose Step 1 configure terminal Enter global configuration mode.
Auto-QoS Configuration Example This section describes how you could implement auto-QoS in a network, as shown in Figure 27-11. For optimum QoS performance, enable auto-QoS on all the devices in the network. Figure 27-11 Auto-QoS Configuration Example Network (figure: a Cisco router with a link to the Internet, trunk links, and a video server at 172.20.10.
Note You should not configure any standard QoS commands before entering the auto-QoS commands. You can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed. Beginning in privileged EXEC mode, follow these steps to configure the switch at the edge of the QoS domain to prioritize the VoIP traffic over all other traffic: Command Purpose Step 1 debug auto qos Enable debugging for auto-QoS.
Chapter 27 Configuring QoS Displaying Auto-QoS Information Displaying Auto-QoS Information To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
Chapter 27 Configuring QoS Configuring Standard QoS Default Standard QoS Configuration QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
Default Egress Queue Configuration Table 27-9 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited.
Default Mapping Table Configuration The default CoS-to-DSCP map is shown in Table 27-12 on page 27-58. The default IP-precedence-to-DSCP map is shown in Table 27-13 on page 27-59. The default DSCP-to-CoS map is shown in Table 27-14 on page 27-61. The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value.
• Follow these guidelines when configuring policy maps on physical ports or SVIs:
– You cannot apply the same policy map to a physical port and to an SVI.
– If VLAN-based QoS is configured on a physical port, the switch removes all the port-based policy maps on the port. The traffic on this physical port is now affected by the policy map attached to the SVI to which the physical port belongs.
Enabling QoS Globally By default, QoS is disabled on the switch. Beginning in privileged EXEC mode, follow these steps to enable QoS. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos Enable QoS globally.
Configuring Classification Using Port Trust States These sections describe how to classify incoming traffic by using port trust states.
Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be trusted, and enter interface configuration mode. Valid interfaces include physical ports. Step 3 mls qos trust [cos | dscp | ip-precedence] Configure the port trust state.
Configuring the CoS Value for an Interface QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports. Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port: Command Purpose Step 1 configure terminal Enter global configuration mode.
the telephone is connected to trust the CoS labels of all traffic received on that port. Use the mls qos trust dscp interface configuration command to configure a routed port to which the telephone is connected to trust the DSCP labels of all traffic received on that port.
Enabling DSCP Transparency Mode The switch supports the DSCP transparency feature. It affects only the DSCP field of a packet at egress. By default, DSCP transparency is disabled. The switch modifies the DSCP field in an incoming packet, and the DSCP field in the outgoing packet is based on the quality of service (QoS) configuration, including the port trust setting, policing and marking, and the DSCP-to-DSCP mutation map.
Figure 27-13 DSCP-Trusted State on a Port Bordering Another QoS Domain (figure: IP traffic crosses from QoS Domain 1 into QoS Domain 2; on the border port, set the interface to the DSCP-trusted state and configure the DSCP-to-DSCP-mutation map) Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map.
To return a port to its non-trusted state, use the no mls qos trust interface configuration command. To return to the default DSCP-to-DSCP-mutation map values, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command.
Classifying Traffic by Using ACLs You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs. Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard Create an IP extended ACL, repeating the command as many times as necessary. • For access-list-number, enter the access list number.
Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac access-list extended name Create a Layer 2 MAC ACL by specifying the name of the list. After entering this command, the mode changes to extended MAC ACL configuration.
Classifying Traffic by Using Class Maps You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further classify it. Match statements can include criteria such as an ACL, IP precedence values, or DSCP values.
Command Purpose Step 4 match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list} Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported. • For access-group acl-index-or-name, specify the number or name of the ACL created in Step 2.
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps You can configure a nonhierarchical policy map on a physical port that specifies which traffic class to act on.
Command Purpose Step 3 policy-map policy-map-name Create a policy map by entering the policy map name, and enter policy-map configuration mode. By default, no policy maps are defined. The default behavior of a policy map is to set the DSCP to 0 if the packet is an IP packet and to set the CoS to 0 if the packet is tagged. No policing is performed.
Command Purpose Step 7 police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}] Define a policer for the classified traffic. By default, no policer is defined. For information on the number of policers supported, see the “Standard QoS Configuration Guidelines” section on page 27-32. • For rate-bps, specify the average traffic rate in bits per second (b/s). The range is 8000 to 1000000000.
Switch(config-pmap-c)# police 1000000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# service-policy input flow1t
This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to an ingress port. The first permit statement allows traffic from the host with MAC address 0001.0000.
precedence value to a new value by using the set ip precedence new-precedence policy-map class configuration command, the egress DSCP value is not affected by the IP-precedence-to-DSCP map. If you want the egress DSCP value to be different than the ingress value, use the set dscp new-dscp policy-map class configuration command. • If you enter or have used the set ip dscp command, the switch changes this command to set dscp in its configuration.
Command Purpose Step 3 match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list} Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported. • For access-group acl-index-or-name, specify the number or name of the ACL.
Command Purpose Step 11 class-map class-map-name Define an interface-level traffic classification, and enter policy-map configuration mode. By default, no policy-map class-maps are defined. If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.
Command Purpose Step 17 trust [cos | dscp | ip-precedence] Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label. Note This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, omit Step 18. By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
Command Purpose Step 23 service-policy input policy-map-name Specify the VLAN-level policy-map name, and apply it to the SVI. Repeat the previous step and this command to apply the policy map to other SVIs. If the hierarchical VLAN-level policy map has more than one interface-level policy map, all class maps must be configured to the same VLAN-level policy map specified in the service-policy policy-map-name command.
Beginning in privileged EXEC mode, follow these steps to create an aggregate policer: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos aggregate-policer aggregate-policer-name rate-bps burst-byte exceed-action {drop | policed-dscp-transmit} Define the policer parameters that can be applied to multiple traffic classes within the same policy map. By default, no aggregate policer is defined.
Command Purpose Step 11 show mls qos aggregate-policer [aggregate-policer-name] Verify your entries. Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove the specified aggregate policer from a policy map, use the no police aggregate aggregate-policer-name command in policy-map configuration mode.
Configuring the CoS-to-DSCP Map You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 27-12 shows the default CoS-to-DSCP map.
Table 27-12 Default CoS-to-DSCP Map
CoS Value   DSCP Value
0           0
1           8
2           16
3           24
4           32
5           40
6           48
7           56
If these values are not appropriate for your network, you need to modify them.
Configuring the IP-Precedence-to-DSCP Map You use the IP-precedence-to-DSCP map to map IP precedence values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic.
Configuring the Policed-DSCP Map You use the policed-DSCP map to mark down a DSCP value to a new value as the result of a policing and marking action. The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value. Beginning in privileged EXEC mode, follow these steps to modify the policed-DSCP map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
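To show how the police command and the policed-DSCP map act together, here is an added Python model (not code from this guide or from Cisco IOS) of a single-rate policer with a burst bucket, using the rate and burst from the flow1t example above and the mark-down behaviour of exceed-action policed-dscp-transmit. The token-bucket model, the function and class names, the override helper (modelled on modifying the policed-DSCP map) and the sample packets are assumptions.

```python
"""Single-rate policer with a burst bucket, as configured by
`police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]`,
driving the policed-DSCP mark-down map. Added example, not the guide's or
Cisco IOS code; bucket model, names and sample traffic are assumptions."""
from dataclasses import dataclass, field

# Default policed-DSCP map is a null map: each DSCP marks down to itself.
DEFAULT_POLICED_DSCP = {dscp: dscp for dscp in range(64)}


def override_policed_dscp(policed_map, dscps, markdown_dscp):
    """Return a copy of the policed-DSCP map in which out-of-profile packets
    carrying any DSCP in `dscps` are marked down to `markdown_dscp`
    (assumed model of the map modification command)."""
    if not 0 <= markdown_dscp <= 63:
        raise ValueError("mark-down DSCP must be 0 to 63")
    updated = dict(policed_map)
    for dscp in dscps:
        updated[dscp] = markdown_dscp
    return updated


@dataclass
class Policer:
    rate_bps: int              # average rate, 8000 to 1000000000 b/s
    burst_bytes: int           # normal burst size: the depth of the bucket
    exceed_action: str         # "drop" or "policed-dscp-transmit"
    policed_map: dict = field(default_factory=lambda: dict(DEFAULT_POLICED_DSCP))
    tokens: float = field(init=False, default=0.0)
    last_us: int = field(init=False, default=0)

    def __post_init__(self):
        if not 8000 <= self.rate_bps <= 1_000_000_000:
            raise ValueError("rate-bps must be 8000 to 1000000000")
        if self.exceed_action not in ("drop", "policed-dscp-transmit"):
            raise ValueError("exceed-action must be drop or policed-dscp-transmit")
        self.tokens = float(self.burst_bytes)   # the bucket starts full

    def police(self, arrival_us, size_bytes, dscp):
        """Return ("transmit", dscp) for in-profile traffic; for out-of-profile
        traffic either ("drop", None) or ("transmit", marked_down_dscp). The
        marked-down value is the QoS label carried with the packet; the guide
        notes that the DSCP field itself is rewritten at a later stage."""
        elapsed_us = arrival_us - self.last_us
        if elapsed_us < 0:
            raise ValueError("packets must arrive in time order")
        # Credit the bytes earned since the last packet, never above the burst size
        self.tokens = min(float(self.burst_bytes),
                          self.tokens + elapsed_us * self.rate_bps / 8_000_000)
        self.last_us = arrival_us
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return ("transmit", dscp)
        if self.exceed_action == "drop":
            return ("drop", None)
        return ("transmit", self.policed_map[dscp])


def run_flow1t_sample(exceed_action="policed-dscp-transmit"):
    """Rate 1000000 b/s and burst 8000 bytes as in the flow1t example; EF
    (DSCP 46) marked down to 0 when out of profile (constructed override).
    Constructed traffic: six 1500-byte packets back to back at t=0, then one
    more 8 ms later, by which time 1000 bytes of credit have accrued."""
    policer = Policer(1_000_000, 8000, exceed_action,
                      override_policed_dscp(DEFAULT_POLICED_DSCP, [46], 0))
    packets = [(0, 1500, 46)] * 6 + [(8_000, 1500, 46)]
    return [policer.police(*pkt) for pkt in packets]


if __name__ == "__main__":
    for action, dscp in run_flow1t_sample():
        print(action, dscp)
```

Only the sixth back-to-back packet exceeds the 8000-byte burst and is marked down; with exceed-action drop the same packet is discarded instead.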
Configuring the DSCP-to-CoS Map You use the DSCP-to-CoS map to generate a CoS value, which is used to select one of the four egress queues. Table 27-14 shows the default DSCP-to-CoS map.
Table 27-14 Default DSCP-to-CoS Map
DSCP Value   CoS Value
0–7          0
8–15         1
16–23        2
24–31        3
32–39        4
40–47        5
48–55        6
56–63        7
If these values are not appropriate for your network, you need to modify them.
Modified DSCP-to-CoS map display, d1 rows 3 through 6:
     d1 :  d2  0  1  2  3  4  5  6  7  8  9
      3 :    03 03 00 04 04 04 04 04 04 04
      4 :    00 05 05 05 05 05 05 05 00 06
      5 :    00 06 06 06 06 06 07 07 07 07
      6 :    07 07 07 07
Note In the above DSCP-to-CoS map, the CoS values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the DSCP; the d2 row specifies the least-significant digit of the DSCP. The intersection of the d1 and d2 values provides the CoS value.
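To make the two default maps and the d1/d2 matrix concrete, here is an added Python model (not code from this guide or from Cisco IOS) of the CoS-to-DSCP table (Table 27-12), the DSCP-to-CoS table (Table 27-14), an override in the shape of the mls qos map dscp-cos command, and the matrix layout the switch prints. The function names, the trust walk-through and the sample override values are assumptions.

```python
"""Model of the default CoS-to-DSCP (Table 27-12) and DSCP-to-CoS (Table 27-14)
maps, a dscp-cos override, and the d1/d2 matrix used to display the map.
Added example: not the guide's or Cisco IOS code; names are assumptions."""

# Table 27-12: CoS c maps to DSCP 8*c. Table 27-14: DSCP d maps to CoS d // 8.
DEFAULT_COS_TO_DSCP = {cos: cos * 8 for cos in range(8)}
DEFAULT_DSCP_TO_COS = {dscp: dscp // 8 for dscp in range(64)}


def override_dscp_to_cos(dscp_to_cos, dscps, cos):
    """Return a copy of dscp_to_cos with every DSCP in `dscps` mapped to `cos`:
    the effect of `mls qos map dscp-cos dscp1 ... dscp8 to cos` (assumed form,
    up to eight DSCP values per command)."""
    if not 1 <= len(dscps) <= 8:
        raise ValueError("one to eight DSCP values per command")
    if not 0 <= cos <= 7:
        raise ValueError("CoS must be 0 to 7")
    updated = dict(dscp_to_cos)
    for dscp in dscps:
        if not 0 <= dscp <= 63:
            raise ValueError(f"DSCP {dscp} out of range 0 to 63")
        updated[dscp] = cos
    return updated


def cos_at(dscp_to_cos, d1, d2):
    """CoS at the intersection of row d1 (tens digit of the DSCP) and column
    d2 (ones digit), as the Note under the matrix describes."""
    dscp = d1 * 10 + d2
    if not 0 <= dscp <= 63:
        raise ValueError(f"d1={d1}, d2={d2} is not a DSCP value")
    return dscp_to_cos[dscp]


def render_d1_d2_matrix(dscp_to_cos):
    """Lay the 64 entries out the way the switch prints them: d1 down the
    side, d2 across the top, two-digit CoS values in the body (row 6 holds
    only DSCP 60 to 63)."""
    lines = ["     d1 :  d2 " + " ".join(f"{d2:2d}" for d2 in range(10)),
             "     " + "-" * 35]
    for d1 in range(7):
        cells = [f"{dscp_to_cos[d1 * 10 + d2]:02d}"
                 for d2 in range(10) if d1 * 10 + d2 <= 63]
        lines.append(f"      {d1} :    " + " ".join(cells))
    return "\n".join(lines)


def egress_cos(trust, cos, dscp, cos_to_dscp=DEFAULT_COS_TO_DSCP,
               dscp_to_cos=DEFAULT_DSCP_TO_COS):
    """Follow one packet through the maps: a port trusting CoS derives the
    internal DSCP from the CoS-to-DSCP map, a port trusting DSCP keeps the
    packet's DSCP, and the egress CoS (queue selector) comes from the
    DSCP-to-CoS map. Returns (internal_dscp, egress_cos)."""
    if trust == "cos":
        internal_dscp = cos_to_dscp[cos]
    elif trust == "dscp":
        internal_dscp = dscp
    else:
        raise ValueError("trust must be 'cos' or 'dscp'")
    return internal_dscp, dscp_to_cos[internal_dscp]


if __name__ == "__main__":
    # Constructed override: send the CoS-boundary DSCPs 8, 16, ..., 48 to CoS 0
    modified = override_dscp_to_cos(DEFAULT_DSCP_TO_COS,
                                    [8, 16, 24, 32, 40, 48], 0)
    print(render_d1_d2_matrix(modified))
    print("DSCP 46 on a DSCP-trusted port ->", egress_cos("dscp", None, 46))
```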
To return to the default map, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command. This example shows how to define the DSCP-to-DSCP-mutation map.
Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped. Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and to set WTD thresholds. This procedure is optional.
This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent.
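The WTD behaviour described here and in the WTD Thresholds discussion above, as an added Python model (not code from this guide or from Cisco IOS): DSCP values are mapped to a queue and a threshold ID, and a packet is tail-dropped when its queue is already filled to the percentage configured for that threshold. The queue depth in packets, threshold 3 taken as 100 percent, the helper names and the sample traffic are assumptions.

```python
"""Weighted tail drop (WTD) on an ingress queue: each DSCP maps to a queue
and a threshold ID, and a packet is dropped when its queue is already filled
to the percentage configured for that threshold. Added example, not the
guide's or Cisco IOS code; queue depth, threshold 3 at 100 percent and the
sample traffic are assumptions."""


class WtdQueue:
    def __init__(self, queue_id, depth, threshold1, threshold2):
        """depth: packets the queue can hold (assumed unit). threshold1 and
        threshold2 are percentages of depth; threshold 3 is taken as 100."""
        for pct in (threshold1, threshold2):
            if not 1 <= pct <= 100:
                raise ValueError("threshold percentages must be 1 to 100")
        self.queue_id = queue_id
        self.depth = depth
        self.thresholds = {1: threshold1, 2: threshold2, 3: 100}
        self.packets = []
        self.dropped = 0

    def fill_percent(self):
        return 100 * len(self.packets) / self.depth

    def enqueue(self, packet, threshold_id):
        """Tail-drop when the queue is already at or beyond the threshold
        assigned to this packet; higher thresholds survive longer."""
        if self.fill_percent() >= self.thresholds[threshold_id]:
            self.dropped += 1
            return False
        self.packets.append(packet)
        return True


def map_dscps(dscp_map, queue_id, threshold_id, dscps):
    """Record the (queue, threshold) a list of DSCPs belongs to, modelled on
    the dscp-map queue queue-id threshold threshold-id dscp1...dscp8 form
    quoted in the WTD Thresholds section: up to eight DSCPs per command."""
    if not 1 <= len(dscps) <= 8:
        raise ValueError("one to eight DSCP values per command")
    if threshold_id not in (1, 2, 3):
        raise ValueError("threshold-id must be 1, 2 or 3")
    for dscp in dscps:
        if not 0 <= dscp <= 63:
            raise ValueError(f"DSCP {dscp} out of range 0 to 63")
        dscp_map[dscp] = (queue_id, threshold_id)
    return dscp_map


def run_sample():
    """Constructed scenario: DSCP 0-6 -> queue 1, threshold 1 at 50 percent
    (the example on this page); DSCP 46 -> queue 1, threshold 3 (100 percent).
    60 best-effort packets arrive, then one EF packet, on a 100-packet queue.
    Returns (accepted counts, dropped count, final queue occupancy)."""
    dscp_map = {}
    map_dscps(dscp_map, 1, 1, list(range(0, 7)))
    map_dscps(dscp_map, 1, 3, [46])
    queues = {1: WtdQueue(1, depth=100, threshold1=50, threshold2=100)}
    accepted = {"best-effort": 0, "ef": 0}
    for i in range(60):
        q_id, t_id = dscp_map[0]
        if queues[q_id].enqueue(("be", i), t_id):
            accepted["best-effort"] += 1
    q_id, t_id = dscp_map[46]
    if queues[q_id].enqueue(("ef", 0), t_id):
        accepted["ef"] += 1
    return accepted, queues[1].dropped, len(queues[1].packets)


if __name__ == "__main__":
    print(run_sample())
```

Once the queue reaches 50 percent, further threshold-1 traffic is dropped while the threshold-3 packet is still admitted, which is the prioritisation the page describes.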
Beginning in privileged EXEC mode, follow these steps to allocate bandwidth between the ingress queues. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue input bandwidth weight1 weight2 Assign shared round robin weights to the ingress queues. The default setting for weight1 and weight2 is 4 (1/2 of the bandwidth is equally shared between the two queues).
Beginning in privileged EXEC mode, follow these steps to configure the priority queue. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue input priority-queue queue-id bandwidth weight Assign a queue as the priority queue and guarantee bandwidth on the internal ring if the ring is congested.
These sections contain this configuration information:
• Configuration Guidelines, page 27-68
• Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, page 27-68 (optional)
• Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, page 27-70 (optional)
• Configuring SRR Shaped Weights on Egress Queues, page 27-72 (optional)
• Configuring SRR Shared Weights on Egress Queues, page 27-73 (optional)
• Configur
Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and the drop thresholds for a queue-set. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos queue-set output qset-id buffers allocation1 ... allocation4 Allocate buffers to a queue-set. By default, all allocation values are equally mapped among the four queues (25, 25, 25, 25).
Command Purpose Step 7 show mls qos interface [interface-id] buffers Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command.
Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an egress queue and to a threshold ID. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue output dscp-map queue queue-id threshold threshold-id dscp1...dscp8 Map DSCP or CoS values to an egress queue and to a threshold ID.
Configuring SRR Shaped Weights on Egress Queues You can specify how much of the available bandwidth is allocated to each queue. The ratio of the weights is the ratio of the frequency with which the SRR scheduler sends packets from each queue. You can configure the egress queues for shaped or shared weights, or both. Use shaping to smooth bursty traffic or to provide a smoother output over time.
Configuring SRR Shared Weights on Egress Queues In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue empties and does not require a share of the link, the remaining queues can expand into the unused bandwidth and share it among them.
Configuring the Egress Expedite Queue You can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues. Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 27 Configuring QoS Displaying Standard QoS Information Command Purpose Step 3 srr-queue bandwidth limit weight1 Specify the percentage of the port speed to which the port should be limited. The range is 10 to 90. By default, the port is not rate limited and is set to 100 percent. Step 4 end Return to privileged EXEC mode. Step 5 show mls qos interface [interface-id] queueing Verify your entries.
Table 27-15 Commands for Displaying Standard QoS Information (continued) Command Purpose show policy-map [policy-map-name [class class-map-name]] Display QoS policy maps, which define classification criteria for incoming traffic. Note Do not use the show policy-map interface privileged EXEC command to display classification information for incoming traffic. show running-config | include rewrite
CHAPTER 28 Configuring EtherChannels and Layer 2 Trunk Failover This chapter describes how to configure EtherChannels on Layer 2 ports on the switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
Chapter 28 Configuring EtherChannels and Layer 2 Trunk Failover Understanding EtherChannels EtherChannel Overview An EtherChannel consists of individual Gigabit Ethernet links bundled into a single logical link as shown in Figure 28-1.
Port-Channel Interfaces When you create a Layer 2 EtherChannel, a port-channel logical interface is involved. You can create the EtherChannel in these ways: • Use the channel-group interface configuration command. This command automatically creates the port-channel logical interface when the channel group gets its first physical port.
Port Aggregation Protocol The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
PAgP Interaction with Other Features The Dynamic Trunking Protocol (DTP) and the Cisco Discovery Protocol (CDP) send and receive packets over the physical ports in the EtherChannel. Trunk ports send and receive PAgP protocol data units (PDUs) on the lowest numbered VLAN. In Layer 2 EtherChannels, the first port in the channel that comes up provides its MAC address to the EtherChannel.
LACP Interaction with Other Features The DTP and the CDP send and receive packets over the physical ports in the EtherChannel. Trunk ports send and receive LACP PDUs on the lowest numbered VLAN. In Layer 2 EtherChannels, the first port in the channel that comes up provides its MAC address to the EtherChannel.
With source-IP address-based forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the EtherChannel based on the source-IP address of the incoming packet. Therefore, to provide load-balancing, packets from different IP addresses use different ports in the channel, but packets from the same IP address use the same port in the channel.
Chapter 28 Configuring EtherChannels and Layer 2 Trunk Failover Configuring EtherChannels Figure 28-3 Load Distribution and Forwarding Methods (figure: Blade Server 1 through Blade Server 16 connect to the blade switch, which has source-based forwarding enabled; an EtherChannel links the blade switch to a Cisco router with destination-based forwarding enabled, which serves the clients) Configuring EtherChannels These sections contain this configuration information:
• Default EtherChannel Configuration, page 28-9
• EtherChannel Configuration Guidelines, page 28-9
•
Default EtherChannel Configuration Table 28-3 shows the default EtherChannel configuration.
Table 28-3 Default EtherChannel Configuration
Feature                          Default Setting
Channel groups                   None assigned.
Port-channel logical interface   None defined.
PAgP mode                        No default.
PAgP learn method                Aggregate-port learning on all ports.
PAgP priority                    128 on all ports.
LACP mode                        No default.
• Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups running PAgP and LACP can coexist on the same switch. Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate.
• Do not configure a Switched Port Analyzer (SPAN) destination port as part of an EtherChannel.
• Do not configure a secure port as part of an EtherChannel or the reverse.
Command Purpose Step 3 switchport mode {access | trunk} Assign all ports as static-access ports in the same VLAN, or configure them as trunks. switchport access vlan vlan-id If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094.
This example shows how to configure an EtherChannel.
Command Purpose Step 4 show etherchannel load-balance Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command.
Beginning in privileged EXEC mode, follow these steps to configure your switch as a PAgP physical-port learner and to adjust the priority so that the same port in the bundle is selected for sending packets. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
If you configure more than eight links for an EtherChannel group, the software automatically decides which of the hot-standby ports to make active based on the LACP priority.
Configuring the LACP Port Priority By default, all ports use the same port priority. If the local system has a lower value for the system priority and the system ID than the remote system, you can affect which of the hot-standby links become active first by changing the port priority of LACP EtherChannel ports to a lower value than the default.
Chapter 28 Configuring EtherChannels and Layer 2 Trunk Failover Displaying EtherChannel, PAgP, and LACP Status Displaying EtherChannel, PAgP, and LACP Status To display EtherChannel, PAgP, and LACP status information, use the privileged EXEC commands described in Table 28-4: Table 28-4 Commands for Displaying EtherChannel, PAgP, and LACP Status Command Description show etherchannel [channel-group-number {detail | port | port-channel | protocol | summary}] {detail | load-balance | port | port-channel |
Chapter 28 Configuring EtherChannels and Layer 2 Trunk Failover Understanding Layer 2 Trunk Failover In a link-state group, the link states of the downstream interfaces are dependent on the link states of the upstream interfaces. If all of the upstream interfaces in a link-state group are in the link-down state, the associated downstream interfaces are forced into the link-down state.
Layer 2 Trunk Failover Configuration Guidelines Follow these guidelines to avoid configuration problems:
• Do not configure a cross-connect interface (gi0/17 or gi0/18) as a member of a link-state group.
• Do not configure an EtherChannel as a downstream interface.
• Only interfaces gi0/1 through gi0/16 can be configured as downstream ports in a specific link-state group.
Note If the interfaces are part of an EtherChannel, you must specify the port channel name as part of the link-state group, not the individual port members.
CHAPTER 29 Troubleshooting This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the switch. Depending on the nature of the problem, you can use the command-line interface (CLI) or the device manager to identify and solve problems. Additional troubleshooting information, such as LED descriptions, is provided in the hardware installation guide.
Chapter 29 Troubleshooting Recovering from a Software Failure Recovering from a Software Failure Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. This procedure uses the Xmodem Protocol to recover from a corrupt or wrong image file.
Chapter 29 Troubleshooting Recovering from a Lost or Forgotten Password Note Initialize the flash file system: switch: flash_init Step 7 If you had set the console port speed to anything other than 9600, it has been reset to that particular speed. Change the emulation software line speed to match that of the switch console port. Step 8 Load any helper files: switch: load_helper Step 9 Start the file transfer by using the Xmodem Protocol. switch: copy xmodem: flash:image_filename.
Chapter 29 Troubleshooting Recovering from a Lost or Forgotten Password Step 3 Use a pointed device, such as a ballpoint pen, to press the Pwr/Rst button on the front panel of the switch. Step 4 within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green; then release the Mode button.
Chapter 29 Troubleshooting Recovering from a Lost or Forgotten Password Step 5 Rename the configuration file to config.text.old. This file contains the password definition. switch: rename flash:config.text flash:config.text.old Step 6 Boot up the system: switch: boot You are prompted to start the setup program.
Chapter 29 Troubleshooting Recovering from a Lost or Forgotten Password Step 13 Write the running configuration to the startup configuration file: Switch# copy running-config startup-config The new password is now in the startup configuration. Note Step 14 This procedure is likely to leave your switch virtual interface in a shutdown state. You can see which interface is in this state by entering the show running-config privileged EXEC command.
The switch file system appears:
Directory of flash:
13 drwx 192 Mar 01 1993 22:30:48
16128000 bytes total (10003456 bytes free)
Step 4 Boot up the system:
Switch: boot
You are prompted to start the setup program.
Recovering from a Command Switch Failure

This section describes how to recover from a failed command switch. You can configure a redundant command switch group by using the Hot Standby Router Protocol (HSRP). For more information, see Chapter 6, “Clustering Switches.” Also see the Getting Started with Cisco Network Assistant, available on Cisco.com.
Step 8 Return to privileged EXEC mode.
Switch(config)# end
Switch#
Step 9 Use the setup program to configure the switch IP information. This program prompts you for IP address information and passwords. From privileged EXEC mode, enter setup, and press Return.
Switch# setup
--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: y
At any point you may enter a question mark '?' for help.
Replacing a Failed Command Switch with Another Switch

To replace a failed command switch with a switch that is command-capable but not part of the cluster, follow these steps:
Step 1 Insert the new switch in place of the failed command switch, and duplicate its connections to the cluster members.
Step 2 Start a CLI session on the new command switch.
Step 10 When prompted, assign a name to the cluster, and press Return. The cluster name can be 1 to 31 alphanumeric characters, dashes, or underscores.
Step 11 When the initial configuration displays, verify that the addresses are correct.
Step 12 If the displayed information is correct, enter Y, and press Return. If this information is not correct, enter N, press Return, and begin again at Step 9.
To maximize switch performance and ensure a link, follow one of these guidelines when changing the settings for duplex and speed:
• Let both ports autonegotiate both speed and duplex.
• Manually set the speed and duplex parameters for the ports on both ends of the connection.
Note
If a remote device does not autonegotiate, configure the duplex settings on the two ports to match.
Using Ping

These sections contain this information:
• Understanding Ping, page 29-13
• Executing Ping, page 29-13

Understanding Ping

The switch supports IP ping, which you can use to test connectivity to remote hosts. Ping sends an echo request packet to an address and waits for a reply. Ping returns one of these responses:
• Normal response—The normal response (hostname is alive) occurs in 1 to 10 seconds, depending on network traffic.
Table 29-1 describes the possible ping character output.

Table 29-1 Ping Output Display Characters
Character   Description
!           Each exclamation point means receipt of a reply.
.           Each period means the network server timed out while waiting for a reply.
U           A destination unreachable error PDU was received.
C           A congestion experienced packet was received.
I           User interrupted test.
?           Unknown packet type.
&           Packet lifetime exceeded.
Usage Guidelines

These are the Layer 2 traceroute usage guidelines:
• Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP. For a list of switches that support Layer 2 traceroute, see the “Usage Guidelines” section on page 29-15. If any devices in the physical path are transparent to CDP, the switch cannot identify the path through these devices.
Displaying the Physical Path

You can display the physical path that a packet takes from a source device to a destination device by using one of these privileged EXEC commands:
• traceroute mac [interface interface-id] {source-mac-address} [interface interface-id] {destination-mac-address} [vlan vlan-id] [detail]
• traceroute mac ip {source-ip-address | source-hostname} {destination-ip-address | destination-hostname} [detail]
For more information, see th
Executing IP Traceroute

Beginning in privileged EXEC mode, follow this step to trace the path that packets take through the network:
Command: traceroute ip host
Purpose: Trace the path that packets take through the network.
Note
Though other protocol keywords are available with the traceroute privileged EXEC command, they are not supported in this release.
This example shows how to perform a traceroute to an IP host:
Switch# traceroute ip 171.9.15.
Using TDR

These sections contain this information:
• Understanding TDR, page 29-18
• Running TDR and Displaying the Results, page 29-18

Understanding TDR

You can use the Time Domain Reflector (TDR) feature to diagnose and resolve cabling problems. When running TDR, a local device sends a signal through a cable and compares the reflected signal to the initial signal. TDR is supported only on 10/100 and 10/100/1000 copper Ethernet ports.
Using Debug Commands

Caution
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users.
The no debug all privileged EXEC command disables all diagnostic output. Using the no debug all command is a convenient way to ensure that you have not accidentally left any debug commands enabled.

Redirecting Debug and Error Message Output

By default, the network server sends the output from debug commands and system error messages to the console.
Using the show platform forward Command

Egress:Asic 2, switch 1
Output Packets:
------------------------------------------
Packet 1
 Lookup     Key-Used
 OutptACL   50_0D020202_0D010101-00_40000014_000A0000
 Port       Vlan   SrcMac           DstMac           Cos
 Gi0/1      0005   0001.0001.0001   0002.0002.0002
------------------------------------------
Packet 2
 Lookup     Key-Used
 OutptACL   50_0D020202_0D010101-00_40000014_000A0000
 Port       Vlan   SrcMac           DstMac
 Gi0/2      0005   0001.0001.0001   0002.0002.
Using the crashinfo Files

The crashinfo files save information that helps Cisco technical support representatives to debug problems that caused the Cisco IOS image to fail (crash). The switch writes the crash information to the console at the time of the failure. The switch creates two types of crashinfo files:
• Basic crashinfo file—The switch automatically creates this file the next time you boot up the Cisco IOS image after the failure.
Appendix A Supported MIBs

This appendix lists the supported management information bases (MIBs) for this release on the switch. It contains these sections:
• MIB List, page A-1
• Using FTP to Access the MIB Files, page A-3

MIB List

• BRIDGE-MIB
Note
The BRIDGE-MIB supports the context of a single VLAN. By default, SNMP messages using the configured community string always provide information for VLAN 1.
• CISCO-MEMORY-POOL-MIB
• CISCO-PAE-MIB
• CISCO-PAGP-MIB
• CISCO-PING-MIB
• CISCO-PRODUCTS-MIB
• CISCO-PROCESS-MIB
• CISCO-RTTMON-MIB
• CISCO-SMI-MIB
• CISCO-STP-EXTENSIONS-MIB
• CISCO-SYSLOG-MIB
• CISCO-TC-MIB
• CISCO-TCP-MIB
• CISCO-UDLDP-MIB
• CISCO-VLAN-IFTABLE-RELATIONSHIP-MIB
• CISCO-VLAN-MEMBERSHIP-MIB
• CISCO-VTP-MIB
• ENTITY-MIB
• ETHERLIKE-MIB
• IEEE8021-PAE-MIB
• IEEE8023-LAG-MIB
• IF-MIB (In and out counters for VLANs
• TCP-MIB
• UDP-MIB
You can access other information about MIBs and Cisco products on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Using FTP to Access the MIB Files

You can get each MIB file by using this procedure:
Step 1 Make sure that your FTP client is in passive mode.
Note
Some FTP clients do not support passive mode.
Step 2 Use FTP to access the server ftp.cisco.com.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images

This appendix describes how to manipulate the switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch.
Note
For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Working with the Flash File System

Displaying Available File Systems

To display the available file systems on your switch, use the show file systems privileged EXEC command as shown in this example.
Setting the Default File System

You can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command. You can set the default file system to omit the filesystem: argument from related commands.
Creating and Removing Directories

Beginning in privileged EXEC mode, follow these steps to create and remove a directory:
Step 1 Command: dir filesystem:
Purpose: Display the directories on the specified file system. For filesystem:, use flash: for the system board flash device.
Step 2 Command: mkdir old_configs
Purpose: Create a new directory.
Local writable file systems include flash:. Some invalid combinations of source and destination exist.
Creating a tar File

To create a tar file and write files into it, use this privileged EXEC command:
archive tar /create destination-url flash:/file-url
For destination-url, specify the destination URL alias for the local or network file system and the name of the tar file to create.
This example shows how to display the contents of a switch tar file that is in flash memory:
Switch# archive tar /table flash:cgesm-i6l2-mz.122-25.SE1.tar
info (219 bytes)
cgesm-i6l2-mz.122-25.SE1/ (directory)
cgesm-i6l2-mz.122-25.SE1/html/ (directory)
cgesm-i6l2-mz.122-25.SE1/html/troubleshooting_OS.htm (2508 bytes)
cgesm-i6l2-mz.122-25.SE1/html/helpframework.
Extracting a tar File

To extract a tar file into a directory on the flash file system, use this privileged EXEC command:
archive tar /xtract source-url flash:/file-url [dir/file...]
For source-url, specify the source URL alias for the local file system.
Working with Configuration Files

You can copy (download) configuration files from a TFTP, FTP, or RCP server to the running configuration or startup configuration of the switch. You might want to perform this for one of these reasons:
• To restore a backed-up configuration file.
• To use the configuration file for another switch.
• Copying Configuration Files By Using RCP, page B-17
• Clearing Configuration Information, page B-20

Guidelines for Creating and Using Configuration Files

Creating configuration files can aid in your switch configuration. Configuration files can contain some or all of the commands needed to configure one or more switches.
Creating a Configuration File By Using a Text Editor

When creating a configuration file, you must list commands logically so that the system can respond appropriately. This is one method of creating a configuration file:
Step 1 Copy an existing configuration from a switch to a server.
• Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).
• For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.
Step 3 Upload the switch configuration to the TFTP server. Specify the IP address or hostname of the TFTP server and the destination filename. Use one of these privileged EXEC commands:
• copy system:running-config tftp:[[[//location]/directory]/filename]
• copy nvram:startup-config tftp:[[[//location]/directory]/filename]
The file is uploaded to the TFTP server.
These sections contain this configuration information:
• Preparing to Download or Upload a Configuration File By Using FTP, page B-14
• Downloading a Configuration File By Using FTP, page B-14
• Uploading a Configuration File By Using FTP, page B-15

Preparing to Download or Upload a Configuration File By Using FTP

Before you begin downloading or uploading a configuration file
Step 6 Command: end
Purpose: Return to privileged EXEC mode.
Step 7 Command: copy ftp:[[[//[username[:password]@]location]/directory]
Purpose: Using FTP, copy the configuration file from a network server to the running configuration or to the startup configuration file.
Step 3 Command: configure terminal
Purpose: Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6).
Step 4 Command: ip ftp username username
Purpose: (Optional) Change the default remote username.
Step 5 Command: ip ftp password password
Purpose: (Optional) Change the default password.
Copying Configuration Files By Using RCP

The RCP provides another method of downloading, uploading, and copying configuration files between remote hosts and the switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented.
• When you upload a file to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server.
This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.
Switch# copy nvram:startup-config rcp:
Remote host[]? 172.16.101.101
Name of configuration file to write [switch2-confg]?
Write file switch2-confg on host 172.16.101.101?[confirm]
![OK]

Clearing Configuration Information

You can clear the configuration information from the startup configuration.
Working with Software Images

You upload a switch image file to a TFTP, FTP, or RCP server for backup purposes. You can use this uploaded image for future downloads to the same switch or to another of the same type. The protocol that you use depends on which type of server you are using. The FTP and RCP transport mechanisms provide faster performance and more reliable delivery of data than TFTP.
image_feature:LAYER_2|MIN_DRAM_MEG=32
image_family:cgesm
stacking_number:1.0
board_ids:0x00000008
info_end:
Note
Disregard the stacking_number field. It does not apply to the switch.
Table B-3
Preparing to Download or Upload an Image File By Using TFTP

Before you begin downloading or uploading an image file by using TFTP, do these tasks:
• Ensure that the workstation acting as the TFTP server is properly configured. On a Sun workstation, make sure that the /etc/inetd.conf file contains this line:
tftp dgram udp wait root /usr/etc/in.tftpd in.
Step 3 Command: archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar
Purpose: Download the image file from the TFTP server to the switch, and overwrite the current image.
Step 4 Command: archive download-sw /leave-old-sw /reload tftp:[[//location]/directory]/image-name.
Uploading an Image File By Using TFTP

You can upload an image from the switch to a TFTP server. You can later download this image to the switch or to another switch of the same type. Use the upload feature only if the web management pages associated with the embedded device manager have been installed with the existing image.
These sections contain this configuration information:
• Preparing to Download or Upload an Image File By Using FTP, page B-26
• Downloading an Image File By Using FTP, page B-27
• Uploading an Image File By Using FTP, page B-28

Preparing to Download or Upload an Image File By Using FTP

You can copy image files to or from an FTP server.
• When you upload an image file to the FTP server, it must be properly configured to accept the write request from the user on the switch. For more information, see the documentation for your FTP server.

Downloading an Image File By Using FTP

You can download a new image file and overwrite the current image or keep the current image.
Step 8 Command: archive download-sw /leave-old-sw /reload ftp:[[//username[:password]@location]/directory]/image-name.tar
Purpose: Download the image file from the FTP server to the switch, and keep the current image.
• The /leave-old-sw option keeps the old software version after a download.
Beginning in privileged EXEC mode, follow these steps to upload an image to an FTP server:
Step 1 Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using FTP” section on page B-14.
Step 2 Log into the switch through the console port or a Telnet session.
Note
Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command, we recommend using the archive download-sw and archive upload-sw privileged EXEC commands to download and upload software image files.
operations. The new username is stored in NVRAM. If you are accessing the switch through a Telnet session and you have a valid username, this username is used, and there is no need to set the RCP username. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username only for that operation.
Step 6 Command: archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-name.tar]
Purpose: Download the image file from the RCP server to the switch, and overwrite the current image.
Step 7 Command: archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.
The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
Caution
For the download and upload algorithms to operate properly, do not rename image names.
Appendix C Unsupported Commands in Cisco IOS Release 12.2(37)SE

This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the switch prompt but are not supported in this release, either because they are not tested or because of switch hardware limitations. This is not a complete list. The unsupported commands are listed by software feature and command mode.
VTP

Unsupported Privileged EXEC Command
vtp {password password | pruning | version number}
Note
This command has been replaced by the vtp global configuration command.
Index severity levels, defining in system messages 24-8 SFPs authentication level monitoring status of status, displaying configuring 29-12 overview See SRR 26-18 show and more command output, filtering 2-10 show cdp traffic command 25-4 show forward command 29-20 25-7 25-6 and trap keyword described 1-5 25-12 25-5 differences from traps 26-17, 26-24, 26-26 7-14 shutdown command on interfaces 7-17 Simple Network Management Protocol disabling 25-15 enabling 25-15 25-5 limiting
Index SNMP (continued) users SPAN (continued) source ports 25-7, 25-10 versions supported SNMPv1 SNMPv3 transmitted traffic 25-2 VLAN-based 25-2 SNMPv2C 22-6 9-17 Spanning Tree Protocol 25-2 See STP 17-1 software images SPAN traffic location in flash scheduling reloads 22-4 SRR B-21 recovery procedures configuring 29-2 3-17 tar file format, described B-21 See also downloading and uploading source addresses, in IPv4 ACLs shaped weights on egress queues 27-72 shared weights on egr
Index static access ports assigning to VLAN defined STP (continued) BPDU guard 9-10 described 14-2 static addresses disabling 14-12 See addresses enabling 14-11 7-2, 9-3 static MAC addressing BPDU message exchange 1-7 static VLAN membership configuration guidelines 9-2 statistics forward-delay time 6-42 hello time 19-5 interface LLDP 12-21 12-20 maximum aging time 7-16 path cost 20-7 LLDP-MED 12-18 port priority 20-7 12-21 12-16 QoS ingress and egress 27-75 root switch
Index STP (continued) STP (continued) inferior BPDU root switch 12-3 instances supported configuring 12-9 interface state, blocking to forwarding effects of extended system ID 14-2 interface states election blocking 12-6 disabled 12-7 forwarding 12-14 12-3 unexpected behavior status, displaying learning 12-6 superior BPDU listening 12-6 timers, described overview 12-4 UplinkFast interoperability and compatibility among modes limitations with IEEE 802.
Index system clock (continued) overview T 4-1 TACACS+ See also NTP accounting, defined system message logging default configuration authentication, defined 24-3 defining error message severity levels disabling accounting 24-12 level keywords, described limiting messages authorization 24-11 5-16 default configuration 24-9 5-14 5-13 displaying the configuration 24-2 identifying the server sequence numbers, enabling and disabling setting the display destination device synchronizing log m
Index TFTP traceroute, Layer 2 (continued) configuration files downloading multiple devices on a port unicast traffic B-12 preparing the server uploading 29-15 traceroute command B-12 configuration files in base directory configuring for autoconfiguration 3-6 3-6 image files 29-17 See also IP traceroute traffic blocking flooded deleting fragmented B-24 downloading uploading 26-4 1-8 traffic suppression B-25 limiting access by servers TFTP server traffic policing B-23 18-7 26-4 unf
Index trunk ports UDLD (continued) configuring defined enabling 9-18 globally 7-3, 9-3 encapsulation per interface 9-18, 9-23, 9-24 trunks 21-5 link-detection mechanism allowed-VLAN list configuring ISL 21-5 neighbor database 9-19 overview 9-18, 9-23, 9-24 load sharing 21-1 status, displaying setting STP path costs support for 9-24 using STP port priorities 9-21 9-24 pruning-eligible list to non-DTP device unicast MAC address filtering 1-4 and adding static addresses 4-25 c
Index uploading VLAN load balancing on flex links configuration guidelines configuration files preparing reasons for B-9 using FTP B-15 using RCP B-19 using TFTP See VMPS VLAN map entries, order of applying 26-26 common uses for B-23, B-26, B-30 using FTP B-28 configuring using RCP B-33 creating 26-24 defined 26-2, 26-3 B-25 user EXEC mode 26-22 denying and permitting packets 5-6 displaying 26-28 26-24 26-29 examples of ACLs and VLAN maps V removing version-dependent trans
Index VLANs (continued) deleting VMPS (continued) reconfirming membership 9-10 described 7-1, 9-1 displaying 9-14 voice-over-IP extended-range features retry count, changing configuration guidelines limiting source traffic with RSPAN 22-22 limiting source traffic with SPAN modifying 9-8 multicast 17-17 normal-range 22-14 number supported override CoS of incoming frame 802.
Index VTP (continued) W configuring client mode 10-11 server mode 10-9 transparent mode consistency checks default configuration configuring 6-38 to 6-41 10-12 described 10-4 fallback for IEEE 802.