Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide Cisco IOS Release 12.2(40)EX November 2007 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Contents

Preface xliii
  Audience xliii
  Purpose xliii
  Conventions xliii
  Related Publications xliv

Chapter 1 Overview 1-1
  Features 1-1
    Deployment Features 1-2
    Performance Features 1-3
    Management Options 1-5
    Manageability Features 1-5
    Availability and Redundancy Features 1-6
    VLAN Features 1-7
    Security Features 1-8
    QoS and CoS Features 1-10
    Layer 3 Features 1-11
    Monitoring Features 1-12
  Default Settings After Initial Switch Configuration 1-13
  Network Configuration Examples 1-16
    Design Con

  Changing the Command History Buffer Size 2-6
  Recalling Commands 2-6
  Disabling the Command History Feature 2-7
  Using Editing Features 2-7
    Enabling and Disabling Editing Features 2-7
    Editing Commands through Keystrokes 2-8
    Editing Command Lines that Wrap 2-9
  Searching and Filtering Output of show and more Commands 2-10
  Accessing the CLI 2-10
    Accessing the CLI through a Console Connection or through Telnet

Chapter 3 Assigning the Switch IP Address and Default Gateway
  Understanding the Boot Proce

Chapter 4 Configuring Cisco IOS CNS Agents 4-1
  Understanding Cisco Configuration Engine Software 4-1
    Configuration Service 4-2
    Event Service 4-3
    NameSpace Mapper 4-3
    What You Should Know About the CNS IDs and Device Hostnames 4-3
      ConfigID 4-3
      DeviceID 4-4
      Hostname and DeviceID 4-4
      Using Hostname, DeviceID, and ConfigID 4-4
  Understanding Cisco IOS Agents 4-5
    Initial Configuration 4-5
    Incremental (Partial) Configuration 4-6
    Synchronized Configuration 4-6
  Configuring Cisco IOS Agents 4-6
    Enabl

  Minor Version Number Incompatibility Among Switches 5-12
  Understanding Auto-Upgrade and Auto-Advise 5-13
  Auto-Upgrade and Auto-Advise Example Messages 5-14
  Incompatible Software and Stack Member Image Upgrades 5-16
  Switch Stack Configuration Files 5-16
  Additional Considerations for System-Wide Configuration on Switch Stacks 5-17
  Switch Stack Management Connectivity 5-17
    Connectivity to the Switch Stack Through an IP Address 5-18
    Connectivity to the Switch Stack Through an SSH Session 5-18
    Connecti

  Configuring a System Name and Prompt 6-14
    Default System Name and Prompt Configuration 6-15
    Configuring a System Name 6-15
  Understanding DNS 6-15
    Default DNS Configuration 6-16
    Setting Up DNS 6-16
    Displaying the DNS Configuration 6-17
  Creating a Banner 6-17
    Default Banner Configuration 6-17
    Configuring a Message-of-the-Day Login Banner 6-18
    Configuring a Login Banner 6-19
  Managing the MAC Address Table 6-19
    Building the Address Table 6-20
    MAC Addresses and VLANs 6-20
    MAC Addresses and Switch St

  Controlling Switch Access with TACACS+ 7-10
    Understanding TACACS+ 7-10
    TACACS+ Operation 7-12
    Configuring TACACS+ 7-12
      Default TACACS+ Configuration 7-13
      Identifying the TACACS+ Server Host and Setting the Authentication Key 7-13
      Configuring TACACS+ Login Authentication 7-14
      Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 7-16
      Starting TACACS+ Accounting 7-17
    Displaying the TACACS+ Configuration 7-17
  Controlling Switch Access with RADIUS 7-17
    Understanding RADIU

  Configuring SSH 7-39
    Configuration Guidelines 7-39
    Setting Up the Switch to Run SSH 7-40
    Configuring the SSH Server 7-41
  Displaying the SSH Configuration and Status 7-42
  Configuring the Switch for Secure Socket Layer HTTP 7-42
    Understanding Secure HTTP Servers and Clients 7-42
      Certificate Authority Trustpoints 7-43
      CipherSuites 7-44
    Configuring Secure HTTP Servers and Clients 7-45
      Default SSL Configuration 7-45
      SSL Configuration Guidelines 7-45
      Configuring a CA Trustpoint 7-45
      Configuring the Secu

  Using IEEE 802.1x Authentication with VLAN Assignment 9-10
  Using IEEE 802.1x Authentication with Per-User ACLs 9-12
  Using IEEE 802.1x Authentication with Guest VLAN 9-13
  Using IEEE 802.1x Authentication with Restricted VLAN 9-14
  Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass
  Using IEEE 802.1x Authentication with Voice VLAN Ports 9-16
  Using IEEE 802.1x Authentication with Port Security 9-17
  Using IEEE 802.1x Authentication with Wake-on-LAN 9-18
  Using IEEE 802.

Chapter 10 Configuring Interface Characteristics 10-1
  Understanding Interface Types 10-1
    Port-Based VLANs 10-2
    Switch Ports 10-2
      Access Ports 10-3
      Trunk Ports 10-3
      Tunnel Ports 10-4
    Routed Ports 10-4
    Switch Virtual Interfaces 10-5
    EtherChannel Port Groups 10-5
    10-Gigabit Ethernet Interfaces 10-6
    Connecting Interfaces 10-6
  Using Interface Configuration Mode 10-7
    Procedures for Configuring Interfaces 10-8
    Configuring a Range of Interfaces 10-9
    Configuring and Using Interface Range Macros 10-10

Chapter 11 Configuring Smartports Macros 11-1
  Understanding Smartports Macros 11-1
  Configuring Smartports Macros 11-2
    Default Smartports Macro Configuration 11-2
    Smartports Macro Configuration Guidelines 11-3
    Creating Smartports Macros 11-4
    Applying Smartports Macros 11-5
    Applying Cisco-Default Smartports Macros 11-6
  Displaying Smartports Macros 11-8

Chapter 12 Configuring VLANs 12-1
  Understanding VLANs 12-1
    Supported VLANs 12-2
    VLAN Port Membership Modes 12-3
  Configuring Normal-Rang

  Configuring an Ethernet Interface as a Trunk Port 12-20
    Interaction with Other Features 12-20
    Configuring a Trunk Port 12-21
    Defining the Allowed VLANs on a Trunk 12-22
    Changing the Pruning-Eligible List 12-23
    Configuring the Native VLAN for Untagged Traffic 12-24
  Configuring Trunk Ports for Load Sharing 12-24
    Load Sharing Using STP Port Priorities 12-25
    Load Sharing Using STP Path Cost 12-27
  Configuring VMPS 12-28
    Understanding VMPS 12-28
      Dynamic-Access Port VLAN Membership 12-29
    Default VMPS Cli

  VTP Configuration Guidelines 13-8
    Domain Names 13-8
    Passwords 13-8
    VTP Version 13-9
    Configuration Requirements 13-9
  Configuring a VTP Server 13-9
  Configuring a VTP Client 13-11
  Disabling VTP (VTP Transparent Mode) 13-12
  Enabling VTP Version 2 13-13
  Enabling VTP Pruning 13-14
  Adding a VTP Client Switch to a VTP Domain 13-14
  Monitoring VTP 13-16

Chapter 14 Configuring Voice VLAN 14-1
  Understanding Voice VLAN 14-1
    Cisco IP Phone Voice Traffic 14-2
    Cisco IP Phone Data Traffic 14-2
  Configuring Vo

  Private-VLAN Configuration Guidelines 15-7
    Secondary and Primary VLAN Configuration 15-7
    Private-VLAN Port Configuration 15-8
    Limitations with Other Features 15-9
  Configuring and Associating VLANs in a Private VLAN 15-10
  Configuring a Layer 2 Interface as a Private-VLAN Host Port 15-11
  Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port 15-13
  Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface 15-14
  Monitoring Private VLANs 15-15

Chapter 16 Configuring IEEE 802.

  Forwarding State 17-7
  Disabled State 17-7
  How a Switch or Port Becomes the Root Switch or Root Port 17-8
  Spanning Tree and Redundant Connectivity 17-8
  Spanning-Tree Address Management 17-9
  Accelerated Aging to Retain Connectivity 17-9
  Spanning-Tree Modes and Protocols 17-10
  Supported Spanning-Tree Instances 17-10
  Spanning-Tree Interoperability and Backward Compatibility 17-11
  STP and IEEE 802.

  IEEE 802.1s Implementation 18-6
    Port Role Naming Change 18-7
    Interoperation Between Legacy and Standard Switches
    Detecting Unidirectional Link Failure 18-8
  MSTP and Switch Stacks 18-8
  Interoperability with IEEE 802.

  How CSUF Works 19-6
  Events that Cause Fast Convergence 19-7
  Understanding BackboneFast 19-7
  Understanding EtherChannel Guard 19-10
  Understanding Root Guard 19-10
  Understanding Loop Guard 19-11
  Configuring Optional Spanning-Tree Features 19-11
    Default Optional Spanning-Tree Configuration 19-12
    Optional Spanning-Tree Configuration Guidelines 19-12
    Enabling Port Fast 19-12
    Enabling BPDU Guard 19-13
    Enabling BPDU Filtering 19-14
    Enabling UplinkFast for Use with Redundant Links 19-15
    Enabling Cross-Sta

  Option-82 Data Insertion 21-3
  Cisco IOS DHCP Server Database 21-6
  DHCP Snooping Binding Database 21-6
  DHCP Snooping and Switch Stacks 21-8
  Configuring DHCP Features 21-8
    Default DHCP Configuration 21-8
    DHCP Snooping Configuration Guidelines 21-9
    Configuring the DHCP Server 21-10
    DHCP Server and Switch Stacks 21-10
    Configuring the DHCP Relay Agent 21-11
    Specifying the Packet Forwarding Address 21-11
    Enabling DHCP Snooping and Option 82 21-12
    Enabling DHCP Snooping on Private VLANs 21-14
    Enabling th

  Displaying Dynamic ARP Inspection Information 22-15

Chapter 23 Configuring IGMP Snooping and MVR 23-1
  Understanding IGMP Snooping 23-2
    IGMP Versions 23-3
    Joining a Multicast Group 23-3
    Leaving a Multicast Group 23-5
    Immediate Leave 23-6
    IGMP Configurable-Leave Timer 23-6
    IGMP Report Suppression 23-6
    IGMP Snooping and Switch Stacks 23-7
  Configuring IGMP Snooping 23-7
    Default IGMP Snooping Configuration 23-7
    Enabling or Disabling IGMP Snooping 23-8
    Setting the Snooping Method 23-9
    Configuring

  Setting the Maximum Number of IGMP Groups 23-27
  Configuring the IGMP Throttling Action 23-27
  Displaying IGMP Filtering and Throttling Configuration 23-29

Chapter 24 Configuring IPv6 MLD Snooping 24-1
  Understanding MLD Snooping 24-1
    MLD Messages 24-3
    MLD Queries 24-3
    Multicast Client Aging Robustness 24-3
    Multicast Router Discovery 24-4
    MLD Reports 24-4
    MLD Done Messages and Immediate-Leave 24-4
    Topology Change Notification Processing 24-5
    MLD Snooping in Switch Stacks 24-5
  Configuring IPv6

  Configuring Port Security 25-7
    Understanding Port Security 25-8
      Secure MAC Addresses 25-8
      Security Violations 25-9
    Default Port Security Configuration 25-10
    Port Security Configuration Guidelines 25-10
    Enabling and Configuring Port Security 25-12
    Enabling and Configuring Port Security Aging 25-16
    Port Security and Switch Stacks 25-17
    Port Security and Private VLANs 25-17
  Displaying Port-Based Traffic Control Settings 25-18

Chapter 26 Configuring CDP 26-1
  Understanding CDP 26-1
    CDP and Switch

  Configuring UDLD 28-3
    Default UDLD Configuration 28-4
    Configuration Guidelines 28-4
    Enabling UDLD Globally 28-5
    Enabling UDLD on an Interface 28-6
    Resetting an Interface Disabled by UDLD 28-6
  Displaying UDLD Status 28-7

Chapter 29 Configuring SPAN and RSPAN 29-1
  Understanding SPAN and RSPAN 29-1
    Local SPAN 29-2
    Remote SPAN 29-3
    SPAN and RSPAN Concepts and Terminology 29-4
      SPAN Sessions 29-4
      Monitored Traffic 29-6
      Source Ports 29-7
      Source VLANs 29-7
      VLAN Filtering 29-8
      Destination Port 29-8

Chapter 30 Configuring RMON 30-1
  Understanding RMON 30-1
  Configuring RMON 30-2
    Default RMON Configuration 30-3
    Configuring RMON Alarms and Events 30-3
    Collecting Group History Statistics on an Interface 30-5
    Collecting Group Ethernet Statistics on an Interface 30-5
  Displaying RMON Status 30-6

Chapter 31 Configuring System Message Logging 31-1
  Understanding System Message Logging 31-1
  Configuring System Message Logging 31-2
    System Log Message Format 31-2
    Default System Message Logging

  Configuring SNMP 32-6
    Default SNMP Configuration 32-6
    SNMP Configuration Guidelines 32-6
    Disabling the SNMP Agent 32-7
    Configuring Community Strings 32-8
    Configuring SNMP Groups and Users 32-9
    Configuring SNMP Notifications 32-11
    Setting the Agent Contact and Location Information 32-15
    Limiting TFTP Servers Used Through SNMP 32-15
    SNMP Examples 32-16
  Displaying SNMP Status 32-17

Chapter 33 Configuring Embedded Event Manager 33-1
  Understanding Embedded Event Manager 33-1
    Event Detectors 33-2

  Using Time Ranges with ACLs 34-17
  Including Comments in ACLs 34-19
  Applying an IPv4 ACL to a Terminal Line 34-19
  Applying an IPv4 ACL to an Interface 34-20
  Hardware and Software Treatment of IP ACLs 34-22
  IPv4 ACL Configuration Examples 34-22
    Numbered ACLs 34-24
    Extended ACLs 34-24
    Named ACLs 34-25
    Time Range Applied to an IP ACL 34-25
    Commented IP ACL Entries 34-25
    ACL Logging 34-26
  Creating Named MAC Extended ACLs 34-27
    Applying a MAC ACL to a Layer 2 Interface 34-28
  Configuring VLAN Maps 34-2

  Creating IPv6 ACLs 35-5
  Applying an IPv6 ACL to an Interface 35-8
  Displaying IPv6 ACLs 35-9

Chapter 36 Configuring QoS 36-1
  Understanding QoS 36-2
    Basic QoS Model 36-3
    Classification 36-5
      Classification Based on QoS ACLs 36-7
      Classification Based on Class Maps and Policy Maps
    Policing and Marking 36-8
      Policing on Physical Ports 36-9
      Policing on SVIs 36-10
    Mapping Tables 36-12
    Queueing and Scheduling Overview 36-13
      Weighted Tail Drop 36-13
      SRR Shaping and Sharing 36-14
    Queueing and Schedulin

  Configuring Classification Using Port Trust States 36-35
    Configuring the Trust State on Ports within the QoS Domain 36-35
    Configuring the CoS Value for an Interface 36-37
    Configuring a Trusted Boundary to Ensure Port Security 36-38
    Enabling DSCP Transparency Mode 36-39
    Configuring the DSCP Trust State on a Port Bordering Another QoS Domain 36-40
  Configuring a QoS Policy 36-42
    Classifying Traffic by Using ACLs 36-43
    Classifying Traffic by Using Class Maps 36-46
    Classifying, Policing, and Marking Tr

  Port Aggregation Protocol 37-5
    PAgP Modes 37-5
    PAgP Interaction with Other Features 37-6
  Link Aggregation Control Protocol 37-6
    LACP Modes 37-6
    LACP Interaction with Other Features 37-7
  EtherChannel On Mode 37-7
  Load-Balancing and Forwarding Methods 37-7
  EtherChannel and Switch Stacks 37-9
  Configuring EtherChannels 37-10
    Default EtherChannel Configuration 37-10
    EtherChannel Configuration Guidelines 37-11
    Configuring Layer 2 EtherChannels 37-12
    Configuring Layer 3 EtherChannels 37-14
      Creating Port-

  Configuring Address Resolution Methods 38-9
    Define a Static ARP Cache 38-10
    Set ARP Encapsulation 38-11
    Enable Proxy ARP 38-12
  Routing Assistance When IP Routing is Disabled 38-12
    Proxy ARP 38-12
    Default Gateway 38-12
    ICMP Router Discovery Protocol (IRDP) 38-13
  Configuring Broadcast Packet Handling 38-14
    Enabling Directed Broadcast-to-Physical Broadcast Translation
    Forwarding UDP Broadcast Packets and Protocols 38-16
    Establishing an IP Broadcast Address 38-17
    Flooding IP Broadcasts 38-17
  Monitorin

  Configuring BGP 38-44
    Default BGP Configuration 38-46
    Nonstop Forwarding Awareness 38-48
    Enabling BGP Routing 38-49
    Managing Routing Policy Changes 38-51
    Configuring BGP Decision Attributes 38-53
    Configuring BGP Filtering with Route Maps 38-55
    Configuring BGP Filtering by Neighbor 38-55
    Configuring Prefix Lists for BGP Filtering 38-57
    Configuring BGP Community Filtering 38-58
    Configuring BGP Neighbors and Peer Groups 38-59
    Configuring Aggregate Addresses 38-61
    Configuring Routing Domain Confederat

  Configuring Static Unicast Routes 38-83
  Specifying Default Routes and Networks 38-84
  Using Route Maps to Redistribute Routing Information 38-85
  Configuring Policy-Based Routing 38-88
    PBR Configuration Guidelines 38-89
    Enabling PBR 38-90
  Filtering Routing Information 38-92
    Setting Passive Interfaces 38-92
    Controlling Advertising and Processing in Routing Updates
    Filtering Sources of Routing Information 38-93
  Managing Authentication Keys 38-94
  Monitoring and Maintaining the IP Network

Chapter 39

  Displaying IPv6 39-24

Chapter 40 Configuring HSRP 40-1
  Understanding HSRP 40-1
    Multiple HSRP 40-3
    HSRP and Switch Stacks 40-4
  Configuring HSRP 40-4
    Default HSRP Configuration 40-5
    HSRP Configuration Guidelines 40-5
    Enabling HSRP 40-5
    Configuring HSRP Priority 40-7
    Configuring MHSRP 40-9
    Configuring HSRP Authentication and Timers 40-9
    Enabling HSRP Support for ICMP Redirect Messages 40-11
    Configuring HSRP Groups and Clustering 40-11
  Displaying HSRP Configurations 40-11

Chapter 41 Confi

  Configuring a Tracked List with a Boolean Expression 42-3
  Configuring a Tracked List with a Weight Threshold 42-4
  Configuring a Tracked List with a Percentage Threshold 42-5
  Configuring HSRP Object Tracking 42-7
  Configuring Other Tracking Characteristics 42-8
  Configuring IP SLAs Object Tracking 42-9
  Monitoring Enhanced Object Tracking 42-10

Chapter 43 Configuring Web Cache Services By Using WCCP
  Understanding WCCP 43-1
    WCCP Message Exchange 43-2
    WCCP Negotiation 43-3
    MD5 Security 43-3
    Packet R

  Configuring IP Multicast Routing 44-10
    Default Multicast Routing Configuration 44-10
    Multicast Routing Configuration Guidelines 44-11
      PIMv1 and PIMv2 Interoperability 44-11
      Auto-RP and BSR Configuration Guidelines 44-12
    Configuring Basic Multicast Routing 44-12
    Configuring PIM Stub Routing 44-14
      PIM Stub Routing Configuration Guidelines 44-14
      Enabling PIM Stub Routing 44-15
    Configuring a Rendezvous Point 44-16
      Manually Assigning an RP to Multicast Groups 44-16
      Configuring Auto-RP 44-18
      Configuring

  Advertising Network 0.0.0.

Chapter 46 Configuring Fallback Bridging 46-1
  Understanding Fallback Bridging 46-1
    Fallback Bridging Overview 46-1
    Fallback Bridging and Switch Stacks 46-3
  Configuring Fallback Bridging 46-3
    Default Fallback Bridging Configuration 46-3
    Fallback Bridging Configuration Guidelines 46-4
    Creating a Bridge Group 46-4
    Adjusting Spanning-Tree Parameters 46-6
      Changing the VLAN-Bridge Spanning-Tree Priority 46-6
      Changing the Interface Priority 46-7
      Assigning a Path Cost 46-7
      Adjusting BPDU Intervals 4

  Using TDR 47-15
    Understanding TDR 47-15
    Running TDR and Displaying the Results 47-16
  Using Debug Commands 47-16
    Enabling Debugging on a Specific Feature 47-17
    Enabling All-System Diagnostics 47-17
    Redirecting Debug and Error Message Output 47-18
  Using the show platform forward Command 47-18
  Using the crashinfo Files 47-21
    Basic crashinfo Files 47-21
    Extended crashinfo Files 47-21
  Using On-Board Failure Logging 47-22
    Understanding OBFL 47-22
    Configuring OBFL 47-22
    Displaying OBFL Information 47

  Deleting Files B-5
  Creating, Displaying, and Extracting Files B-6
  Working with Configuration Files B-9
    Guidelines for Creating and Using Configuration Files B-10
    Configuration File Types and Location B-10
    Creating a Configuration File By Using a Text Editor B-11
    Copying Configuration Files By Using TFTP B-11
      Preparing to Download or Upload a Configuration File By Using TFTP B-11
      Downloading the Configuration File By Using TFTP B-12
      Uploading the Configuration File By Using TFTP B-12
    Copying Conf

  Copying Image Files By Using RCP B-34
    Preparing to Download or Upload an Image File By Using RCP
    Downloading an Image File By Using RCP B-36
    Uploading an Image File By Using RCP B-38
  Copying an Image File from One Stack Member to Another B-39

Appendix C Unsupported Commands in Cisco IOS Release 12.

  IP Multicast Routing C-6
    Unsupported Privileged EXEC Commands C-6
    Unsupported Global Configuration Commands C-7
    Unsupported Interface Configuration Commands C-7
  IP Unicast Routing C-7
    Unsupported Privileged EXEC or User EXEC Commands C-7
    Unsupported Global Configuration Commands C-8
    Unsupported Interface Configuration Commands C-8
    Unsupported BGP Router Configuration Commands C-8
    Unsupported VPN Configuration Commands C-9
    Unsupported Route Map Commands C-9
  MAC Address Commands C-9
    Unsupported Priv

  VTP C-13
    Unsupported Privileged EXEC Command C-13

Index

Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide xlii OL-12247-01
Preface

Audience

This guide is for the networking professional managing the standalone Cisco Catalyst Blade Switch 3120 for HP or blade switch stack, referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking. You install the switch in the HP BladeSystem server chassis, referred to as the enclosure.
• Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
• Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.

Interactive examples use these conventions:

• Terminal sessions and system displays are in screen font.
• Information you enter is in boldface screen font.
• Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).
Related Publications

• Cisco Catalyst Blade Switch 3120 for HP System Message Guide (not orderable but available on Cisco.com)
• Cisco Software Activation Document for HP
• Device manager online help (available on the switch)
• Cisco Catalyst Blade Switch 3120 for HP Hardware Installation Guide (not orderable but available on Cisco.com)
• Cisco Catalyst Blade Switch 3000 Series for HP Getting Started Guide (not orderable but available on Cisco.
Chapter 1 Overview

This chapter provides these topics about the switch software:

• Features, page 1-1
• Default Settings After Initial Switch Configuration, page 1-13
• Network Configuration Examples, page 1-16
• Where to Go Next, page 1-20

The term switch refers to a standalone switch and to a switch stack. In this document, IP refers to IP Version 4 (IPv4) unless there is a specific reference to IP Version 6 (IPv6).
Features

For more information, see Chapter 24, “Configuring IPv6 MLD Snooping,” and Chapter 35, “Configuring IPv6 ACLs.”

• Advanced IP services feature set, which provides full IPv6 support. It includes all IP service features with IPv6 routing and IPv6 ACLs. For more information on IPv6 routing, see Chapter 39, “Configuring IPv6 Unicast Routing.” For more information about IPv6 ACLs, see Chapter 35, “Configuring IPv6 ACLs.”
  – Interactive guide mode that guides you in configuring complex features such as VLANs, ACLs, and quality of service (QoS).
  – Configuration wizards that prompt you to provide only the minimum required information to configure complex features such as QoS priorities for video traffic, priority levels for data applications, and security.
  – Downloading an image to a switch.
• Support for the maximum packet size or maximum transmission unit (MTU) size for these types of frames:
  – Up to 9216 bytes for routed frames
  – Up to 9216 bytes for frames that are bridged in hardware and software through Gigabit Ethernet ports and 10-Gigabit Ethernet ports
• IEEE 802.
Management Options

These are the options for configuring and managing the switch:

• An embedded device manager—The device manager is a GUI that is integrated in the universal software image. You use it to configure and to monitor a single switch. For information about starting the device manager, see the getting started guide. For more information about the device manager, see the switch online help.
• Address Resolution Protocol (ARP) for identifying a switch through its IP address and its corresponding MAC address
• Unicast MAC address filtering to drop packets with specific source or destination MAC addresses
• Cisco Discovery Protocol (CDP) Versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network
• Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (LLDP-MED) for interoperabil
• Cross-stack EtherChannel for providing redundant links across the switch stack
• UniDirectional Link Detection (UDLD) and aggressive UDLD for detecting and disabling unidirectional links on fiber-optic interfaces caused by incorrect fiber-optic wiring or port faults
• IEEE 802.1D Spanning Tree Protocol (STP) for redundant backbone connections and loop-free networks.
• Inter-Switch Link (ISL) and IEEE 802.1Q trunking encapsulation on all ports for network moves, adds, and changes; management and control of broadcast and multicast traffic; and network security by establishing VLAN groups for high-security users and network resources
• Dynamic Trunking Protocol (DTP) for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation (IEEE 802.
• VLAN ACLs (VLAN maps) for providing intra-VLAN security by filtering traffic based on information in the MAC, IP, and TCP/UDP headers
• Source and destination MAC-based ACLs for filtering non-IP traffic
• IPv6 ACLs to be applied to interfaces to filter IPv6 traffic
• DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers
• IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP snooping data
  – IEEE 802.1x inaccessible authentication bypass. For information about configuring this feature, see the “Configuring the Inaccessible Authentication Bypass Feature” section on page 9-37.
  – Authentication, authorization, and accounting (AAA) down policy for a NAC Layer 2 IP validation of a host if the AAA server is not available when the posture validation occurs. For information about this feature, see the Network Admission Control Software Configuration Guide.
• Out-of-profile
  – Out-of-profile markdown for packets that exceed bandwidth utilization limits
• Ingress queueing and scheduling
  – Two configurable ingress queues for user traffic (one queue can be the priority queue)
  – Weighted tail drop (WTD) as the congestion-avoidance mechanism for managing the queue lengths and providing drop precedences for different traffic classifications
  – Shaped round robin (SRR) as the scheduling service for specifying the rate at which packets
• Fallback bridging for forwarding non-IP traffic between two or more VLANs (requires the IP services feature set)
• Static IP routing for manually building a routing table of network path information
• Equal-cost routing for load-balancing and redundancy
• Internet Control Message Protocol (ICMP) and ICMP Router Discovery Protocol (IRDP) for using router advertisement and router solicitation messages to discover the addresses of routers on directly attached subnets
• Time Domain Reflector (TDR) to diagnose and resolve cabling problems on 10/100 and 10/100/1000 copper Ethernet ports
• SFP module diagnostic management interface to monitor physical or operational status of an SFP module
• Online diagnostics to test the hardware functionality of the supervisor engine, modules, and switch while the switch is connected to a live network
• On-board failure logging (OBFL) to collect information ab
Default Settings After Initial Switch Configuration

• DNS is enabled. For more information, see Chapter 6, “Administering the Switch.”
• TACACS+ is disabled. For more information, see Chapter 7, “Configuring Switch-Based Authentication.”
• RADIUS is disabled. For more information, see Chapter 7, “Configuring Switch-Based Authentication.”
• The standard HTTP server and Secure Socket Layer (SSL) HTTPS server are both enabled.
• Dynamic ARP inspection is disabled on all VLANs. For more information, see Chapter 22, “Configuring Dynamic ARP Inspection.”
• IGMP snooping is enabled. No IGMP filters are applied. For more information, see Chapter 23, “Configuring IGMP Snooping and MVR.”
• IGMP throttling setting is deny. For more information, see Chapter 23, “Configuring IGMP Snooping and MVR.”
• The IGMP snooping querier feature is disabled.
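Several of the defaults listed above are the ones a hardening pass normally reverses: the plaintext HTTP server is enabled alongside HTTPS, TACACS+ and RADIUS are disabled so logins rely on line or local passwords, and DHCP snooping and dynamic ARP inspection are off on every VLAN. The Cisco IOS configuration fragment below is an added example, not text from this guide, showing the corresponding hardened settings using the commands that Chapter 7, Chapter 21, and Chapter 22 describe. The hostname, domain name, TACACS+ server address and key, management subnet, server VLAN number, and interface name are assumptions.

```cisco
! Added example, not from the guide. Assumed values: hostname, domain name,
! TACACS+ server 192.0.2.10 and its key, management subnet 192.0.2.0/24,
! server VLAN 10, and the uplink interface name.
hostname blade-sw1
ip domain-name example.net
!
! Default: both the HTTP and the HTTPS server are enabled.
! Hardened: HTTPS only, with AAA-controlled login for the device manager.
no ip http server
ip http secure-server
ip http authentication aaa
!
! Default: TACACS+ and RADIUS are disabled. Hardened: authenticate, authorize
! and account against TACACS+; fall back to a local user only when the server
! is unreachable. The secret keyword stores an MD5 hash; service
! password-encryption only obscures any remaining type 7 passwords.
aaa new-model
tacacs-server host 192.0.2.10 key <tacacs-key>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username admin privilege 15 secret <local-fallback-password>
enable secret <enable-password>
service password-encryption
!
! SSH version 2 needs an RSA key pair; generate it after the domain name is set.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Reach the CLI only over SSH and only from the management subnet.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! Default: DHCP snooping and dynamic ARP inspection are disabled on all VLANs.
! Hardened: enable both on the server VLAN and trust only the uplink toward
! the DHCP server, so that server-facing ports can neither answer DHCP nor
! spoof ARP replies for other hosts in the VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
interface TenGigabitEthernet1/0/1
 description uplink to distribution switch
 ip dhcp snooping trust
 ip arp inspection trust
```

After applying the fragment, confirm the result with show ip http server status, show ip ssh, show tacacs, show ip dhcp snooping, and show ip arp inspection vlan 10, and test an SSH login from the management subnet before saving with copy running-config startup-config. Disabling the HTTP server does not disable the device manager; it remains reachable over HTTPS.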
Network Configuration Examples

This section provides network configuration concepts and includes examples of using the switch to create dedicated network segments and interconnecting the segments through Gigabit Ethernet and 10-Gigabit Ethernet connections.
Bandwidth alone is not the only consideration when designing your network. As your network traffic profiles evolve, consider providing network services that can support applications for voice and data integration, multimedia integration, application prioritization, and security. Table 1-2 describes some network demands and how you can meet them.
Figure 1-1 Data Center (core; distribution layer: Catalyst 4500 or 6500 multilayer switch; access layer: Layer 3 StackWise Plus blade switch stack connecting the blade servers)

• Expanded data center (Figure 1-2)—You can use standalone switches and switch stacks to interconnect groups of servers, centralizing physical security and administration of your network.
Figure 1-2 Expanded Data Center (campus core: Catalyst 6500 switches; Catalyst 6500 multilayer switches; blade server enclosures with blade switch StackWise switch stacks)

Small to Medium-Sized Network

Figure 1-3 shows a configuration for a network of up to 500 employees. This network uses a Layer 3 switch stack with high-speed connections to two routers.
With the multilayer switches providing inter-VLAN routing and other network services, the routers focus on firewall services, Network Address Translation (NAT) services, voice-over-IP (VoIP) gateway services, and WAN and Internet access.
Chapter 2 Using the Command-Line Interface

This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your standalone switch or a switch stack, referred to as the switch.
Understanding Command Modes

Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the hostname Switch.

Table 2-1 Command Mode Summary

Mode: User EXEC
  Access method: Begin a session with your switch.
  Prompt: Switch>
  Exit method: Enter logout or quit.
  About this mode: Use this mode to change terminal settings and perform basic tests.
Table 2-1 Command Mode Summary (continued)

Mode: Interface configuration
  Access method: While in global configuration mode, enter the interface command (with a specific interface).
  Prompt: Switch(config-if)#
  Exit method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
  About this mode: Use this mode to configure parameters for the Ethernet ports.
Table 2-2 Help Summary (continued)

Command: ?
  Purpose: List all commands available for a particular command mode. For example: Switch> ?
Command: command ?
  Purpose: List the associated keywords for a command. For example: Switch> show ?
Command: command keyword ?
  Purpose: List the associated arguments for a keyword.
Understanding CLI Error Messages

Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch.

Table 2-3 Common CLI Error Messages

Error message: % Ambiguous command: "show con"
  Meaning: You did not enter enough characters for your switch to recognize the command.
Using Command History

The software provides a history or record of commands that you have entered. The command history feature is particularly useful for recalling long or complex commands or entries, including access lists.
Disabling the Command History Feature

The command history feature is automatically enabled. You can disable it for the current terminal session or for the command line. These procedures are optional. To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command.
Editing Commands through Keystrokes
Table 2-5 shows the keystrokes that you need to edit command lines. These keystrokes are optional.
Table 2-5 Editing Commands through Keystrokes
Capability: Move around the command line to make changes or corrections.
Keystroke: Press Ctrl-B, or press the left arrow key. Purpose: Move the cursor back one character.
Keystroke: Press Ctrl-F, or press the right arrow key. Purpose: Move the cursor forward one character.
Table 2-5 Editing Commands through Keystrokes (continued)
Capability: Scroll down a line or screen on displays that are longer than the terminal screen can display.
Keystroke: Press the Return key. Purpose: Scroll down one line.
Keystroke: Press the Space bar. Purpose: Scroll down one screen.
Keystroke: Press Ctrl-L or Ctrl-R. Purpose: Redisplay the current command line.
Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the “Editing Commands through Keystrokes” section on page 2-8.
Searching and Filtering Output of show and more Commands
You can search and filter the output for show and more commands.
Accessing the CLI through a Console Connection or through Telnet
Before you can access the CLI, you must connect a terminal or a PC to the switch console or connect a PC to the Ethernet management port and then power on the switch, as described in the hardware installation guide that shipped with your switch.
CHAPTER 3 Assigning the Switch IP Address and Default Gateway
This chapter describes how to create the initial switch configuration (for example, assigning the IP address and default gateway information) by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration. Unless otherwise noted, the term switch refers to a switch and to a switch stack.
Chapter 3 Assigning the Switch IP Address and Default Gateway
Assigning Switch Information
The normal boot process involves the operation of the boot loader software, which performs these activities:
• Performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, its quantity, its speed, and so forth.
• Performs power-on self-test (POST) for the CPU subsystem.
Note Stack members retain their IP address when you remove them from a switch stack. To avoid a conflict by having two devices with the same IP address in your network, change the IP address of the switch that you removed from the switch stack.
Use a DHCP server for centralized control and automatic assignment of IP information after the server is configured.
With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your switch. However, you need to configure the DHCP server for various lease options associated with IP addresses. If you are using DHCP to relay the configuration file location on the network, you might also need to configure a Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server.
The DHCP server sends the client a DHCPNAK denial broadcast message, which means that the offered configuration parameters have not been assigned, that an error has occurred during the negotiation of the parameters, or that the client has been slow in responding to the DHCPOFFER message (the DHCP server assigned the parameters to another client).
If you do not configure the DHCP server with the lease options described previously, it replies to client requests with only those parameters that are configured. If the IP address and the subnet mask are not in the reply, the switch is not configured. If the router IP address or the TFTP server name is not found, the switch might send broadcast, instead of unicast, TFTP requests.
Configuring the Relay Device
You must configure a relay device, also referred to as a relay agent, when a switch sends broadcast packets that require a response from a host on a different LAN. Examples of broadcast packets that the switch might send are DHCP, DNS, and in some cases, TFTP packets. You must configure this relay device to forward received broadcast packets on an interface to the destination host.
• The IP address and the configuration filename are reserved for the switch, but the TFTP server address is not provided in the DHCP reply (one-file read method). The switch receives its IP address, subnet mask, and the configuration filename from the DHCP server.
Table 3-2 shows the configuration of the reserved leases on the DHCP server.
Table 3-2 DHCP Server Configuration
                                 Switch A        Switch B        Switch C        Switch D
Binding key (hardware address)   00e0.9f1e.2001  00e0.9f1e.2002  00e0.9f1e.2003  00e0.9f1e.2004
IP address                       10.0.0.21       10.0.0.22       10.0.0.23       10.0.0.24
Subnet mask                      255.255.255.0   255.255.255.0   255.255.255.0   255.255.255.0
Router address                   10.0.0.10       10.0.0.
Switches B through D retrieve their configuration files and IP addresses in the same way.
By default, VLAN 1 is the interface that connects to the management network. When the switch boots up, the DHCP client (switch) requests an IP address from a DHCP server by using the MAC address of VLAN 1. For information on setting the switch system name, protecting access to privileged EXEC commands, and setting time and calendar services, see Chapter 6, “Administering the Switch.”
This command saves the configuration settings that you made. If you fail to do this, your configuration will be lost the next time you reload the system. To display information stored in the NVRAM section of flash memory, use the show startup-config or more startup-config privileged EXEC command.
Specifying the Filename to Read and Write the System Configuration
By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot cycle.
Note This command only works properly from a standalone switch.
Step 4 show boot: Verify your entries.
The boot manual global command changes the setting of the MANUAL_BOOT environment variable. The next time you reboot the system, the switch is in boot loader mode, shown by the switch: prompt. To boot up the system, use the boot filesystem:/file-url boot loader command.
• For filesystem:, use flash: for the system board flash device.
Step 5 show boot: Verify your entries.
The boot system global command changes the setting of the BOOT environment variable. During the next boot cycle, the switch attempts to automatically boot up the system using information in the BOOT environment variable.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Table 3-4 describes the function of the most common environment variables.
Table 3-4 Environment Variables
Variable: BOOT
Boot Loader Command: set BOOT filesystem:/file-url ...
Cisco IOS Global Configuration Command: boot system {filesystem:/file-url ...| switch {number | all}}
Description: A semicolon-separated list of executable files to try to load and execute when automatically booting.
When the switch is connected to a PC through the internal Ethernet management port, you can download or upload a configuration file to the boot loader by using TFTP. Make sure the environment variables in Table 3-5 are configured.
Table 3-5 Environment Variables for TFTP
Variable: MAC_ADDR
Description: Specifies the MAC address of the switch. Note We recommend that you do not modify this variable.
Note Use the at keyword only if the switch system clock has been set (through Network Time Protocol (NTP), the hardware calendar, or manually). The time is relative to the configured time zone on the switch. To schedule reloads across several switches to occur simultaneously, the time on each switch must be synchronized with NTP. The reload command halts the system.
CHAPTER 4 Configuring Cisco IOS CNS Agents
This chapter describes how to configure the Cisco IOS Cisco Network Services (CNS) agents on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note For complete configuration information for the Cisco Configuration Engine, see this URL on Cisco.com http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.
Chapter 4 Configuring Cisco IOS CNS Agents
Understanding Cisco Configuration Engine Software
Figure 4-1 Configuration Engine Architectural Overview (figure: a service provider network with the configuration engine, its data service directory, configuration server, and event service, a web-based user interface, and order entry configuration management)
These sections contain this conceptual information:
• Configuration Service, page 4-2
• Event Service, page 4-3
• What You Should Know About the CNS IDs and Device Hostnames, p
Event Service
The Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine. The Event Service is a highly capable publish-and-subscribe communication method.
DeviceID
Each configured switch participating on the event bus has a unique DeviceID, which is analogous to the switch source address so that the switch can be targeted as a specific destination on the bus. All switches configured with the cns config partial global configuration command must access the event bus.
Understanding Cisco IOS Agents
The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent.
Incremental (Partial) Configuration
After the network is running, new services can be added by using the Cisco IOS agent. Incremental (partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation. The switch can check the syntax of the configuration before applying it.
Table 4-1 Prerequisites for Enabling Automatic Configuration
Device: Access switch. Required Configuration: Factory default (no configuration file)
Device: Distribution switch. Required Configuration:
• IP helper address
• Enable DHCP relay agent
• IP routing (if used as default gateway)
Device: DHCP server. Required Configuration:
• IP address assignment
• TFTP server IP address
• Path to bootstrap configuration file on the TFTP server
•
Device: TFTP server
Device: CNS Configuration Engine
Enabling the CNS Event Agent
Note You must enable the CNS event agent on the switch before you enable the CNS configuration agent.
Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:
Step 1 configure terminal: Enter global configuration mode.
Enabling the Cisco IOS CNS Agent
After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands:
• The cns config initial global configuration command enables the Cisco IOS agent and initiates an initial configuration on the switch.
Step 7 discover {controller controller-type | dlci [subinterface subinterface-number] | interface [interface-type] | line line-type}: Specify the interface parameters in the CNS connect profile.
• For controller controller-type, enter the controller type.
• For dlci, enter the active data-link connection identifiers (DLCIs).
Step 13 cns id interface num {dns-reverse | ipaddress | mac-address} [event] [image]
or
(Optional) Set the unique EventID or ConfigID used by the Configuration Engine.
• For interface num, enter the type of interface, for example, ethernet, group-async, loopback, or virtual-template. This setting specifies from which interface the IP or MAC address should be retrieved to define the unique ID.
Step 14 cns config initial {hostname | ip-address} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check]: Enable the Cisco IOS agent, and initiate an initial configuration.
• For {hostname | ip-address}, enter the hostname or the IP address of the configuration server.
• (Optional) For port-number, enter the port number of the configuration server. The default port number is 80.
This example shows how to configure an initial configuration on a remote switch when the switch IP address is known. The Configuration Engine IP address is 172.28.129.22.
Switch(config)# cns template connect template-dhcp
Switch(config-tmpl-conn)# cli ip address dhcp
Switch(config-tmpl-conn)# exit
Switch(config)# cns template connect ip-route
Switch(config-tmpl-conn)# cli ip route 0.0.0.0 0.0.0.
Displaying CNS Configuration
You can use the privileged EXEC commands in Table 4-2 to display CNS configuration information.
Table 4-2 Displaying CNS Configuration
show cns config connections: Displays the status of the CNS Cisco IOS agent connections.
show cns config outstanding: Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
CHAPTER 5 Managing Switch Stacks
This chapter provides the concepts and procedures to manage switch stacks.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 5 Managing Switch Stacks Understanding Switch Stacks All stack members are eligible to be stack masters. If the stack master becomes unavailable, the remaining stack members elect a new stack master from among themselves. The switch with the highest stack member priority value becomes the new stack master. The system-level features supported on the stack master are supported on the entire switch stack.
– Switch Stack Management Connectivity, page 5-17
– Switch Stack Configuration Scenarios, page 5-19
Switch Stack Membership
A switch stack has up to nine stack members connected through their StackWise Plus ports. A switch stack always has one stack master. A standalone switch is a switch stack with one stack member that also operates as the stack master.
Figure 5-1 Creating a Switch Stack from Two Standalone Switches in Two Enclosures (figure: a blade switch in Enclosure 1 and a blade switch in Enclosure 2 are joined; one becomes stack member 1 and the other stack member 2 and stack master)
Figure 5-2 Creating a Switch Stack from Two Standalone Switches in the Same Enclosure (figure: two blade switches in one enclosure are joined; one becomes stack member 1 and the other stack member 2 and stack master)
Figure 5-3 Adding a Standalone Switch to a Switch Stack (figure: a standalone blade switch joins a stack whose stack member 1 is the stack master and becomes stack member 4 alongside stack members 2 and 3)
4. The switch with the higher priority feature set and software image combination.
Switch Stack Bridge ID and Router MAC Address
The bridge ID and router MAC address identify the switch stack in the network. When the switch stack initializes, the MAC address of the stack master determines the bridge ID and router MAC address. If the stack master changes, the MAC address of the new stack master determines the new bridge ID and router MAC address.
Stack Member Priority Values
A higher priority value for a stack member increases its likelihood of being elected stack master and retaining its stack member number. The priority value can be 1 to 15. The default priority value is 1. You can display the stack member priority value by using the show switch user EXEC command.
Note We recommend assigning the highest priority value to the switch that you prefer to be the stack master.
Table 5-1 Results of Comparing the Provisioned Configuration with the Provisioned Switch
Scenario: The stack member numbers and the switch types match. 1. If the stack member number of the provisioned switch matches the stack member number in the provisioned configuration on the stack, and 2.
Scenario: The stack member numbers match but the switch types do not match.
If you add a provisioned switch that is a different type than specified in the provisioned configuration to a powered-down switch stack and then apply power, the switch stack rejects the (now incorrect) switch stack-member-number provision type global configuration command in the startup configuration file.
All stack members must run the same Cisco IOS software image and feature set to ensure compatibility between stack members. For example, all stack members should run the cryptographic universal software image and have the IP services feature set enabled for Cisco IOS Release 12.2(40)EX or later. For more information, see the “Stack Protocol Version Compatibility” section on page 5-12.
Understanding Auto-Upgrade and Auto-Advise
When the software detects mismatched software and tries to upgrade the switch in VM mode, two software processes are involved: automatic upgrade and automatic advise.
• The automatic upgrade (auto-upgrade) process includes an auto-copy process and an auto-extract process. By default, auto-upgrade is enabled (the boot auto-copy-sw global configuration command is enabled).
You can use the archive-download-sw /allow-feature-upgrade privileged EXEC command to allow installing a different software image.
Auto-Upgrade and Auto-Advise Example Messages
When you add a switch that has a different minor version number to the switch stack, the software displays messages in sequence (assuming that there are no other system messages generated by the switch).
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting cbs31x0-universal-mz.122-0.0.313.EX/cbs31x0-universal-mz.122-40.EX (4945851 bytes)
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting cbs31x0-universal-mz.122-40.EX/info (450 bytes)
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting info (104 bytes)
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:
*Mar 11 20:36:15.
Note Auto-advise and auto-copy identify which images are running by examining the info file and by searching the directory structure on the switch stack. If you download your image by using the copy tftp: boot loader command instead of the archive download-sw privileged EXEC command, the proper directory structure is not created. For more information about the info file, see the “File Format of Images on a Server or Cisco.
You back up and restore the stack configuration in the same way as you would for a standalone switch configuration. For more information about file systems and configuration files, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.”
Connectivity to the Switch Stack Through an IP Address
The switch stack is managed through a single IP address. The IP address is a system-level setting and is not specific to the stack master or to any other stack member. You can still manage the stack through the same IP address even if you remove the stack master or any other stack member from the stack, provided there is IP connectivity.
Switch Stack Configuration Scenarios
Table 5-2 provides switch stack configuration scenarios. Most of the scenarios assume that at least two switches are connected through their StackWise Plus ports.
Table 5-2 Switch Stack Configuration Scenarios
Scenario: Stack master election specifically determined. Connect two powered-on switch stacks through the StackWise Plus ports.
Table 5-2 Switch Stack Configuration Scenarios (continued)
Scenario: Stack master election specifically determined by the cryptographic
Assuming that all stack members have the same priority value: 1.
Result: The stack member with the cryptographic image and the IP base feature set is elected stack master.
Configuring the Switch Stack
These sections contain this configuration information:
• Default Switch Stack Configuration, page 5-21
• Enabling Persistent MAC Address, page 5-21
• Assigning Stack Member Information, page 5-23
Default Switch Stack Configuration
Table 5-3 shows the default switch stack configuration.
Table 5-3 Default Switch Stack Configuration
Feature: Stack MAC address timer. Default Setting: Disabled.
Note If you enter a time delay of 1 to 60 minutes, the stack MAC address of the previous stack master is used until the configured time period expires or until you enter the no stack-mac persistent timer command. If the entire switch stack reloads, it uses the MAC address of the stack master as the stack MAC address.
Beginning in privileged EXEC mode, follow these steps to enable persistent MAC address. This procedure is optional.
WARNING: not appear elsewhere in this network domain. If it does,
WARNING: user traffic may be blackholed.
Switch(config)# end
Switch# show switch
Switch/Stack Mac Address : 0016.4727.a900
Mac persistency wait time: 7 mins
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
*1       Master 0016.4727.
Beginning in privileged EXEC mode, follow these steps to assign a priority value to a stack member. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 switch stack-member-number priority new-priority-number: Specify the stack member number and the new priority for the stack member. The stack member number range is 1 to 9. The priority value range is 1 to 15.
To remove provisioned information and to avoid receiving an error message, remove the specified switch from the stack before you use the no form of this command.
Displaying Switch Stack Information
Table 5-4 Commands for Displaying Switch Stack Information
show platform stack-manager all: Displays all switch stack information.
show switch: Displays summary information about the switch stack, including the status of provisioned switches.
show switch stack-member-number: Displays information about a specific member.
show switch detail: Displays detailed information about the stack ring.
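As an added example (not code from the Cisco guide), a parser for show switch output that checks the conditions this chapter describes: member numbers 1 to 9, priorities 1 to 15, every member Ready, the master holding the highest priority, and the stack MAC matching the master's MAC. The column layout is assumed from the excerpt above, and the sample output is constructed.

```python
"""Added example (not code from the Cisco guide): parse `show switch` output
and flag the conditions this chapter describes. The field layout is assumed
from the guide's excerpt; the sample output below is constructed.
"""
import re
from dataclasses import dataclass

MEMBER_RE = re.compile(
    r"^\s*(?P<master>\*?)(?P<num>\d+)\s+(?P<role>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<prio>\d+)\s+(?P<hw>\S+)\s+(?P<state>.+?)\s*$",
    re.IGNORECASE,
)
STACK_MAC_RE = re.compile(r"^Switch/Stack Mac Address\s*:\s*(\S+)", re.IGNORECASE)
PERSIST_RE = re.compile(r"^Mac persistency wait time:\s*(.+?)\s*$", re.IGNORECASE)

# Constructed sample in the format of the guide's show switch excerpt.
SAMPLE_SHOW_SWITCH = """\
Switch/Stack Mac Address : 0016.4727.a900
Mac persistency wait time: 7 mins
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
*1       Master 0016.4727.a900     1      0       Ready
 2       Member 0016.4727.a400     15     0       Ready
 3       Member 0016.4727.a500     1      0       Version Mismatch
"""


@dataclass
class Member:
    number: int
    role: str
    mac: str
    priority: int
    hw_version: str
    state: str
    is_master: bool


def parse_show_switch(text):
    """Return (stack_mac, persistency_setting, members) from show switch output."""
    stack_mac = None
    persistency = None
    members = []
    for line in text.splitlines():
        m = STACK_MAC_RE.match(line)
        if m:
            stack_mac = m.group(1).lower()
            continue
        m = PERSIST_RE.match(line)
        if m:
            persistency = m.group(1)
            continue
        m = MEMBER_RE.match(line)
        if m:
            members.append(Member(int(m["num"]), m["role"], m["mac"].lower(),
                                  int(m["prio"]), m["hw"], m["state"],
                                  m["master"] == "*"))
    return stack_mac, persistency, members


def audit_stack(text):
    """Return findings worth a look; an empty list means nothing was flagged.

    A member with a higher priority than the master is not what the guide
    recommends (give the preferred master the highest priority); a stack MAC
    that differs from the master's MAC means the persistent MAC address of a
    previous master is still in use.
    """
    stack_mac, persistency, members = parse_show_switch(text)
    findings = []
    masters = [m for m in members if m.is_master]
    if len(masters) != 1:
        return [f"expected exactly one stack master, found {len(masters)}"]
    master = masters[0]
    for m in members:
        if not 1 <= m.number <= 9:
            findings.append(f"switch {m.number}: member number outside 1 to 9")
        if not 1 <= m.priority <= 15:
            findings.append(f"switch {m.number}: priority {m.priority} outside 1 to 15")
        if m.state.lower() != "ready":
            findings.append(f"switch {m.number}: state is '{m.state}', not Ready")
        if not m.is_master and m.priority > master.priority:
            findings.append(f"switch {m.number}: priority {m.priority} exceeds "
                            f"the master's {master.priority}")
    if stack_mac and stack_mac != master.mac:
        findings.append(f"stack MAC {stack_mac} differs from master MAC {master.mac} "
                        f"(MAC persistency: {persistency})")
    return findings


if __name__ == "__main__":
    for finding in audit_stack(SAMPLE_SHOW_SWITCH):
        print(finding)
```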
CHAPTER 6 Administering the Switch
This chapter describes how to perform one-time operations to administer the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Chapter 6 Administering the Switch
Managing the System Time and Date
The system clock can provide time to these services:
• User show commands
• Logging and debugging messages
The system clock keeps track of time internally based on Universal Time Coordinated (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight saving time) so that the time appears correctly for the local time zone.
Figure 6-1 shows a typical network example using NTP. Switch A is the NTP master, with Switch E, Switch B, and Switch C configured in NTP server mode, in server association with Switch A. Switch D is configured as an NTP peer to the upstream and downstream switches, Switch E and the blade switch, respectively.
These sections contain this configuration information:
• Default NTP Configuration, page 6-4
• Configuring NTP Authentication, page 6-4
• Configuring NTP Associations, page 6-5
• Configuring NTP Broadcast Service, page 6-6
• Configuring NTP Access Restrictions, page 6-8
• Configuring the Source IP Address for NTP Packets, page 6-10
• Displaying the NTP Configuration, page 6-11
Default NTP Configuration
Table 6-1 shows the
Step 3 ntp authentication-key number md5 value: Define the authentication keys. By default, none are defined.
• For number, specify a key number. The range is 1 to 4294967295.
• md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5).
• For value, enter an arbitrary string of up to eight characters for the key.
Beginning in privileged EXEC mode, follow these steps to form an NTP association with another device:
Step 1 configure terminal: Enter global configuration mode.
Step 2 ntp peer ip-address [version number] [key keyid] [source interface] [prefer]: Configure the switch system clock to synchronize a peer or to be synchronized by a peer (peer association).
The switch can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server, such as a router, broadcasting time information on the network. The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it. The switch can also receive NTP broadcast packets to synchronize its own clock.
Step 5 ntp broadcastdelay microseconds: (Optional) Change the estimated round-trip delay between the switch and the NTP broadcast server. The default is 3000 microseconds; the range is 1 to 999999.
Step 6 end: Return to privileged EXEC mode.
Step 7 show running-config: Verify your entries.
Step 8 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Step 3 access-list access-list-number permit source [source-wildcard]: Create the access list.
• For access-list-number, enter the number specified in Step 2.
• Enter the permit keyword to permit access if the conditions are matched.
• For source, enter the IP address of the device that is permitted access to the switch.
• (Optional) For source-wildcard, enter the wildcard bits to be applied to the source.
Disabling NTP Services on a Specific Interface
NTP services are enabled on all interfaces by default. Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on an interface:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Enter interface configuration mode, and specify the interface to disable.
Displaying the NTP Configuration
You can use two privileged EXEC commands to display NTP information:
• show ntp associations [detail]
• show ntp status
For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
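An added example, not code from the Cisco guide, of the MD5 authenticator that the ntp authentication-key step above sets up and that a switch checks once NTP authentication and trusted keys are configured. It assumes the RFC 5905 symmetric-key format (48-byte NTP header followed by a 4-byte key ID and MD5(key || header)); the function names, the trusted_keys dictionary, and the key values are this example's own.

```python
"""Added example (not code from the Cisco guide): the symmetric-key MD5
authenticator behind `ntp authentication-key <number> md5 <value>`.

Assumptions (labelled): RFC 5905 symmetric-key format, in which the 48-byte
NTP header is followed by a 4-byte key ID and a 16-byte digest computed as
MD5(key || header); the key is the ASCII string given on the command line.
The function and variable names below are this example's own.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
DIGEST_LEN = 16
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def build_ntp_header(transmit_unix_time, version=4, mode=3):
    """Build a minimal 48-byte NTP client header (LI=0, stratum 0).

    Only the transmit timestamp is filled in; the other timestamps are zero,
    which is what a client request normally carries.
    """
    li_vn_mode = (0 << 6) | (version << 3) | mode
    whole = int(transmit_unix_time)
    secs = whole + NTP_EPOCH_OFFSET
    frac = int((transmit_unix_time - whole) * (1 << 32))
    # li/vn/mode, stratum, poll, precision, root delay, root dispersion,
    # reference ID, reference/origin/receive timestamps, transmit timestamp
    return struct.pack("!BBBbIIIQQQII",
                       li_vn_mode, 0, 6, -20, 0, 0, 0, 0, 0, 0, secs, frac)


def authenticate(header, key_id, key):
    """Append the key ID and MD5(key || header) to an NTP header."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("NTP header must be exactly 48 bytes")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, trusted_keys):
    """Validate a received packet the way a switch with NTP authentication
    and trusted keys does: accept only a MAC under a trusted key ID whose
    digest matches. Returns (accepted, reason).
    """
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False, "packet carries no MAC (or has an unexpected length)"
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])
    received = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"key id {key_id} is not a trusted key"
    expected = hashlib.md5(key + header).digest()
    # constant-time comparison: the digest is derived from the shared key
    if not hmac.compare_digest(expected, received):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed values: key number 1 with an eight-character key, the
    # maximum length the guide allows for the value argument.
    shared = {1: b"ntpkey01"}
    hdr = build_ntp_header(1_200_000_000.0)
    pkt = authenticate(hdr, 1, shared[1])
    print(len(pkt), verify(pkt, shared))
    print(verify(pkt, {2: b"ntpkey01"}))  # right key under an untrusted key ID
    print(verify(hdr, shared))            # unauthenticated packet is rejected
```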
Displaying the Time and Date Configuration
To display the time and date configuration, use the show clock [detail] privileged EXEC command. The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes.
Configuring Summer Time (Daylight Saving Time)
Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:
Step 1 configure terminal: Enter global configuration mode.
Step 2 clock summer-time zone recurring: Configure summer time to start and end on the specified days every year.
Chapter 6 Administering the Switch Configuring a System Name and Prompt Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events): Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 Configure summer time to start on the first date and end on the second clock summer-time zone date [month date year hh:mm month date year hh:mm date.
Chapter 6 Administering the Switch Configuring a System Name and Prompt For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
Chapter 6 Administering the Switch Configuring a System Name and Prompt To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the hostnames, specify the name server that is present on your network, and enable the DNS.
Chapter 6 Administering the Switch Creating a Banner Command Purpose Step 5 end Return to privileged EXEC mode. Step 6 show running-config Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.
Chapter 6 Administering the Switch Creating a Banner Configuring a Message-of-the-Day Login Banner You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 banner motd c message c Specify the message of the day.
Chapter 6 Administering the Switch Managing the MAC Address Table Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 banner login c message c Specify the login message.
Chapter 6 Administering the Switch Managing the MAC Address Table These sections contain this configuration information: • Building the Address Table, page 6-20 • MAC Addresses and VLANs, page 6-20 • MAC Addresses and Switch Stacks, page 6-21 • Default MAC Address Table Configuration, page 6-21 • Changing the Address Aging Time, page 6-21 • Removing Dynamic Address Entries, page 6-22 • Configuring MAC Address Notification Traps, page 6-22 • Adding and Removing Static Address Entries, page
Chapter 6 Administering the Switch Managing the MAC Address Table When private VLANs are configured, address learning depends on the type of MAC address: • Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated VLANs. For example, a MAC address learned in a private-VLAN secondary VLAN is replicated in the primary VLAN. • Static MAC addresses configured in a primary or secondary VLAN are not replicated in the associated VLANs.
Chapter 6 Administering the Switch Managing the MAC Address Table Beginning in privileged EXEC mode, follow these steps to configure the dynamic address table aging time: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac address-table aging-time [0 | 10-1000000] [vlan vlan-id] Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated. The range is 10 to 1000000 seconds. The default is 300.
Chapter 6 Administering the Switch Managing the MAC Address Table Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address notification traps to an NMS host: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server host host-addr {traps | informs} {version {1 Specify the recipient of the trap message. | 2c | 3}} community-string notification-type • For host-addr, specify the name or address of the NMS.
Chapter 6 Administering the Switch Managing the MAC Address Table Step 9 Command Purpose show mac address-table notification interface Verify your entries. show running-config Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable the switch from sending MAC address notification traps, use the no snmp-server enable traps mac-notification global configuration command.
Chapter 6 Administering the Switch Managing the MAC Address Table Beginning in privileged EXEC mode, follow these steps to add a static address: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac address-table static mac-addr vlan vlan-id interface interface-id Add a static address to the MAC address table. • For mac-addr, specify the destination MAC unicast address to add to the address table.
Chapter 6 Administering the Switch Managing the MAC Address Table • If you add a unicast MAC address as a static address and configure unicast MAC address filtering, the switch either adds the MAC address as a static address or drops packets with that MAC address, depending on which command was entered last. The second command that you entered overrides the first command.
Chapter 6 Administering the Switch Managing the ARP Table Displaying Address Table Entries You can display the MAC address table by using one or more of the privileged EXEC commands described in Table 6-4: Table 6-4 Commands for Displaying the MAC Address Table Command Description show ip igmp snooping groups Displays the Layer 2 multicast entries for all VLANs or the specified VLAN. show mac address-table address Displays MAC address table information for the specified MAC address.
Chapter 6 Administering the Switch Managing the ARP Table Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide 6-28 OL-12247-01
CHAPTER 7 Configuring Switch-Based Authentication

This chapter describes how to configure switch-based authentication on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Protecting Access to Privileged EXEC Commands

• If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information. For more information, see the “Controlling Switch Access with TACACS+” section on page 7-10.

Setting or Changing a Static Enable Password

The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  enable password password
        Define a new password or change an existing password for access to privileged EXEC mode.

Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  enable password [level level] {password | encryption-type encrypted-password}
        Define a new password or change an existing password for access to privileged EXEC mode.

This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:

Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8

Disabling Password Recovery

By default, any end user with physical access to the switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password.

Setting a Telnet Password for a Terminal Line

When you power up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password.

Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  username name [privilege level] {password encryption-type password}
        Enter the username, privilege level, and password for each user.

Setting the Privilege Level for a Command

Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  privilege mode level level command
        Set the privilege level for a command.

Changing the Default Privilege Level for Lines

Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  line vty line
        Select the virtual terminal line on which to restrict access.
Step 3  privilege level level
        Change the default privilege level for the line.

Controlling Switch Access with TACACS+

This section describes how to enable and configure Terminal Access Controller Access Control System Plus (TACACS+), which provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through authentication, authorization, and accounting (AAA) and can be enabled only through AAA commands.

Figure 7-1 Typical TACACS+ Network Configuration (figure: two UNIX workstations acting as TACACS+ server 1 and TACACS+ server 2, a Catalyst 6500 series switch at 171.20.10.7, and the servers; the figure callouts list the steps below)

Configure the blade switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers). Enable AAA. Create a login authentication method list. Apply the list to the terminal lines.

TACACS+ Operation

When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a password prompt.

• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 7-16
• Starting TACACS+ Accounting, page 7-17

Default TACACS+ Configuration

TACACS+ and AAA are disabled by default. To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate users accessing the switch through the CLI.

Step 6  end
        Return to privileged EXEC mode.
Step 7  show tacacs
        Verify your entries.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove the specified TACACS+ server name or address, use the no tacacs-server host hostname global configuration command.

Step 3  aaa authentication login {default | list-name} method1 [method2...]
        Create a login authentication method list.
        • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.

Note  To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip http authentication aaa global configuration command. Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.

Starting TACACS+ Accounting

The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
Controlling Switch Access with RADIUS

Understanding RADIUS

RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco routers and switches. Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information.

Figure 7-2 Transitioning from RADIUS to TACACS+ Services (figure: a remote PC and a workstation with RADIUS servers R1 and R2 and TACACS+ servers T1 and T2)

RADIUS Operation

When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:
1. The user is prompted to enter a username and password.
2.

Configuring RADIUS

This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.

You identify RADIUS security servers by their hostname or IP address, hostname and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.

Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.

Step 1  configure terminal
        Enter global configuration mode.

To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:

Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
Switch(config)# radius-server host 172.20.36.

Step 3  aaa authentication login {default | list-name} method1 [method2...]
        Create a login authentication method list.
        • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.

Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:

Step 1  configure terminal
        Enter global configuration mode.

Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Step 9  Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 7-23.

To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.

Step 3  aaa authorization exec radius
        Configure the switch for user RADIUS authorization if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information).
Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        Verify your entries.

Configuring Settings for All RADIUS Servers

Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  radius-server key string
        Specify the shared secret text string used between the switch and all RADIUS servers.

This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:

cisco-avpair= "shell:priv-lvl=15"

This example shows how to specify an authorized VLAN in the RADIUS server database:

cisco-avpair= "tunnel-type(#64)=VLAN(13)"
cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"

This example shows how to apply an in
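The attribute strings above are what the switch receives in the RADIUS reply. The following Python parser is an added example, not part of this guide or of Cisco IOS: it reads the four cisco-avpair forms shown in this section and reports the privilege level and VLAN the switch would act on, treating an incomplete tunnel-type / tunnel-medium-type / tunnel-private-group-ID triple as no VLAN assignment and an out-of-range priv-lvl as ignored.

```python
"""Parse the cisco-avpair strings a RADIUS server returns for a switch login.

Added example, not Cisco's code. It handles the four attribute forms shown in
this section (shell:priv-lvl and the tunnel-type / tunnel-medium-type /
tunnel-private-group-ID triple) and reports what the switch would act on.
"""
import re

PRIV_RE = re.compile(r"^shell:priv-lvl=(\d+)$")
# tunnel-type(#64)=VLAN(13), tunnel-medium-type(#65)=802 media(6),
# tunnel-private-group-ID(#81)=vlanid
TUNNEL_RE = re.compile(r"^tunnel-[\w-]+\(#(\d+)\)=(.+)$", re.IGNORECASE)


def _code(value):
    """Numeric code in a tunnel value: 'VLAN(13)' -> 13, '802 media(6)' -> 6, '13' -> 13."""
    m = re.search(r"\((\d+)\)\s*$", value) or re.fullmatch(r"\s*(\d+)\s*", value)
    return int(m.group(1)) if m else None


def parse_avpairs(pairs):
    """Return the privilege level and VLAN the switch would apply, plus ignored pairs.

    A priv-lvl outside 0..15 is ignored.  VLAN assignment is reported only when
    attributes 64 (Tunnel-Type=VLAN, code 13), 65 (Tunnel-Medium-Type=802, code 6)
    and 81 (Tunnel-Private-Group-ID) are all present; a partial triple is not an
    assignment.
    """
    result = {"priv_lvl": None, "vlan": None, "ignored": []}
    tunnel = {}
    for raw in pairs:
        value = raw.strip().strip('"\u201c\u201d')  # the guide prints curly quotes
        m = PRIV_RE.match(value)
        if m:
            level = int(m.group(1))
            if 0 <= level <= 15:
                result["priv_lvl"] = level
            else:
                result["ignored"].append(raw)
            continue
        m = TUNNEL_RE.match(value)
        if m:
            tunnel[int(m.group(1))] = m.group(2).strip()
            continue
        result["ignored"].append(raw)
    if (_code(tunnel.get(64, "")) == 13 and _code(tunnel.get(65, "")) == 6
            and 81 in tunnel):
        result["vlan"] = tunnel[81]
    return result


# Constructed sample: the attribute strings printed in this section.
SAMPLE_PAIRS = [
    '"shell:priv-lvl=15"',
    '"tunnel-type(#64)=VLAN(13)"',
    '"tunnel-medium-type(#65)=802 media(6)"',
    '"tunnel-private-group-ID(#81)=vlanid"',
]

if __name__ == "__main__":
    print(parse_avpairs(SAMPLE_PAIRS))
```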
As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with the switch. You specify the RADIUS host and secret text string by using the radius-server global configuration commands.

Controlling Switch Access with Kerberos

You can download the cryptographic software image from www.hp.com/support. For more information, see the release notes for this release.

In this software release, Kerberos supports these network services:
• Telnet
• rlogin
• rsh (Remote Shell Protocol)

Table 7-2 lists the common Kerberos-related terms and definitions:

Table 7-2 Kerberos Terms
Term            Definition
Authentication  A process by which a user or service identifies itself to another service.

Table 7-2 Kerberos Terms (continued)
Term        Definition
KEYTAB 3    A password that a network service shares with the KDC. In Kerberos 5 and later Kerberos versions, the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it. In Kerberos versions earlier than Kerberos 5, KEYTAB is referred to as SRVTAB 4.
Principal

4. The KDC sends an encrypted TGT that includes the user identity to the switch.
5. The switch attempts to decrypt the TGT by using the password that the user entered.
   • If the decryption is successful, the user is authenticated to the switch.

Note  A Kerberos server can be a switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol.

To set up a Kerberos-authenticated server-client system, follow these steps:
• Configure the KDC by using Kerberos commands.
• Configure the switch to use the Kerberos protocol.
Step 6  username name [privilege level] {password encryption-type password}
        Enter the local database, and establish a username-based authentication system. Repeat this command for each user.
        • For name, specify the user ID as one word. Spaces and quotation marks are not allowed.
        • (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15.

Configuring the Switch for Secure Shell

For SSH configuration examples, see the “SSH Configuration Examples” section in the “Configuring Secure Shell” section in the “Other Security Features” chapter of the Cisco IOS Security Configuration Guide, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7d5.

SSH also supports these user authentication methods:
• TACACS+ (for more information, see the “Controlling Switch Access with TACACS+” section on page 7-10)
• RADIUS (for more information, see the “Controlling Switch Access with RADIUS” section on page 7-17)
• Local authentication and authorization (for more information, see the “Configuring the Switch for Local Authentication and Authorization” section o

• When generating the RSA key pair, the message No domain specified might appear. If it does, you must configure an IP domain name by using the ip domain-name global configuration command.
• When configuring the local authentication and authorization authentication method, make sure that AAA is disabled on the console.

Setting Up the Switch to Run SSH

Follow these steps to set up your switch to run SSH:
1.

Configuring the SSH Server

Beginning in privileged EXEC mode, follow these steps to configure the SSH server:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip ssh version [1 | 2]
        (Optional) Configure the switch to run SSH Version 1 or SSH Version 2.
        • 1—Configure the switch to run SSH Version 1.
        • 2—Configure the switch to run SSH Version 2.
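The access settings this chapter covers can be checked offline against a saved running-config. The Python script below is an added example, not Cisco code: the two configurations it audits are constructed samples (RFC 5737 addresses), and each finding maps to a setting described above, namely enable secret instead of enable password, an AAA login method list applied to the vty lines, ip http authentication aaa when an HTTP server is enabled, SSH Version 2, and a shared key (per server or global radius-server key) for every TACACS+ or RADIUS server.

```python
"""Audit a Cisco IOS running-config for the switch-access settings in this chapter.

Added example, not Cisco's code.  Sample configurations are constructed; the
addresses are RFC 5737 documentation addresses, not real devices.
"""
import re

WEAK_CONFIG = """\
hostname Switch
enable password cisco123
aaa new-model
aaa authentication login ADMINS group tacacs+ local
tacacs-server host 192.0.2.10
radius-server host 192.0.2.20 acct-port 1618
ip http server
ip ssh version 1
line vty 0 4
 password cisco
"""

HARDENED_CONFIG = """\
hostname Switch
enable secret 5 $1$FaD0$Xyti5Rkls3LoyxzS8
aaa new-model
aaa authentication login default group radius local
radius-server key rad1
radius-server host 192.0.2.20 auth-port 1612
ip http secure-server
ip http authentication aaa
ip ssh version 2
line vty 0 4
 login authentication default
"""

SERVER_RE = re.compile(r"^(radius|tacacs)-server host (\S+)(.*)$")


def _vty_blocks(lines):
    """Return [(header, [sub-commands])] for every 'line vty' block."""
    blocks, current = [], None
    for line in lines:
        if line.startswith("line "):
            current = (line, [])
            if line.startswith("line vty"):
                blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = None
    return blocks


def audit_config(config_text):
    """Return a list of (code, message) findings; an empty list means no finding."""
    lines = [l.rstrip() for l in config_text.splitlines()
             if l.strip() and not l.startswith("!")]

    def has(prefix):
        return any(l.startswith(prefix) for l in lines)

    findings = []
    if has("enable password") and not has("enable secret"):
        findings.append(("ENABLE_PASSWORD",
                         "enable password set without enable secret; use the hashed secret"))
    if not has("aaa new-model"):
        findings.append(("AAA_OFF",
                         "aaa new-model not set; TACACS+/RADIUS login authentication unavailable"))
    elif not has("aaa authentication login"):
        findings.append(("NO_LOGIN_LIST", "AAA enabled but no aaa authentication login list"))
    if (has("ip http server") or has("ip http secure-server")) \
            and not has("ip http authentication aaa"):
        findings.append(("HTTP_NO_AAA", "HTTP server enabled without ip http authentication aaa"))
    if has("ip ssh version 1"):
        findings.append(("SSH_V1", "ip ssh version 1 configured; use ip ssh version 2"))
    # A per-server key or a global radius-server/tacacs-server key must exist.
    global_key = {"radius": has("radius-server key"), "tacacs": has("tacacs-server key")}
    for line in lines:
        m = SERVER_RE.match(line)
        if m and not global_key[m.group(1)] and not re.search(r"\bkey\s+\S+", m.group(3)):
            findings.append(("SERVER_NO_KEY",
                             f"{m.group(1)} server {m.group(2)}: no key and no global key"))
    # The default list is applied to every line automatically; a named list
    # only takes effect where 'login authentication <name>' is applied.
    if has("aaa authentication login") and not has("aaa authentication login default"):
        for header, body in _vty_blocks(lines):
            if not any(cmd.startswith("login authentication") for cmd in body):
                findings.append(("VTY_NO_LOGIN_AUTH", f"{header}: named method list not applied"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_config(WEAK_CONFIG):
        print(code, msg)
```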
Displaying the SSH Configuration and Status

To display the SSH server configuration and status, use one or more of the privileged EXEC commands in Table 7-3:

Table 7-3 Commands for Displaying the SSH Server Configuration and Status
Command      Purpose
show ip ssh  Shows the version and configuration information for the SSH server.
show ssh     Shows the status of the SSH server.

Configuring the Switch for Secure Socket Layer HTTP

The primary role of the HTTP secure server (the switch) is to listen for HTTPS requests on a designated port (the default HTTPS port is 443) and pass the request to the HTTP 1.1 Web server. The HTTP 1.1 server processes requests and passes responses (pages) back to the HTTP secure server, which, in turn, responds to the original request.

Configuring Secure HTTP Servers and Clients

These sections contain this configuration information:
• Default SSL Configuration, page 7-45
• SSL Configuration Guidelines, page 7-45
• Configuring a CA Trustpoint, page 7-45
• Configuring the Secure HTTP Server, page 7-46
• Configuring the Secure HTTP Client, page 7-48

Default SSL Configuration

The standard HTTP server is enabled. SSL is enabled.

Step 5  crypto ca trustpoint name
        Specify a local configuration name for the CA trustpoint and enter CA trustpoint configuration mode.
Step 6  enrollment url url
        Specify the URL to which the switch should send certificate requests.
Step 7  enrollment http-proxy host-name port-number
        (Optional) Configure the switch to obtain certificates from the CA through an HTTP proxy server.

Step 4  ip http secure-port port-number
        (Optional) Specify the port number to be used for the HTTPS server. The default port number is 443. Valid options are 443 or any number in the range 1025 to 65535.

To verify the secure HTTP connection by using a Web browser, enter https://URL, where the URL is the IP address or hostname of the server switch. If you configure a port other than the default port, you must also specify the port number after the URL. For example: https://209.165.129:1026 or https://host.domain.

Displaying Secure HTTP Server and Client Status

To display the SSL secure server and client status, use the privileged EXEC commands in Table 7-4:

Table 7-4 Commands for Displaying the SSL Secure Server and Client Status
Command                            Purpose
show ip http client secure status  Shows the HTTP secure client configuration.
show ip http server secure status  Shows the HTTP secure server configuration.
CHAPTER 8 Configuring SDM Templates

This chapter describes how to configure the Switch Database Management (SDM) templates on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Note  For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

Understanding the SDM Templates

Table 8-1 Approximate Number of Feature Resources Allowed by Each Template
Resource                            Access   Default   Routing   VLAN
Unicast MAC addresses               4 K      6 K       3 K       12 K
IGMP groups and multicast routes    1 K      1 K       1 K       1 K
Unicast routes                      6 K      8 K       11 K      0
  • Directly connected hosts        4 K      6 K       3 K       0
  • Indirect routes                 2 K      2 K       8 K       0
Policy-based routing ACEs           0.5 K    0         0.5 K     0
QoS classification ACEs             0.5 K    0.5 K     0.5 K     0.

Table 8-2 Approximate Feature Resources Allowed by Dual IPv4-IPv6 Templates
Resource                                 IPv4-and-IPv6 Default   IPv4-and-IPv6 Routing   IPv4-and-IPv6 VLAN
Unicast MAC addresses                    2 K                     1.5 K                   8 K
IPv4 IGMP groups and multicast routes    1 K                     1 K                     1 K for IGMP groups, 0 for multicast routes
Total IPv4 unicast routes                3 K                     2.75 K                  0
  • Directly connected IPv4 hosts        2 K                     1.5 K                   0
  • Indirect IPv4 routes                 1 K                     1.

2d23h:%SDM-6-MISMATCH_ADVISE:compatible desktop SDM template:
2d23h:%SDM-6-MISMATCH_ADVISE:
2d23h:%SDM-6-MISMATCH_ADVISE: "sdm prefer vlan desktop"
2d23h:%SDM-6-MISMATCH_ADVISE: "reload"

Configuring the Switch SDM Template

These sections contain this configuration information:
• Default SDM Template, page 8-4
• SDM Template Configuration Guidelines, page 8-4
• Setting the SDM Template, page 8-5

Default SDM Template

The default

Setting the SDM Template

Beginning in privileged EXEC mode, follow these steps to use the SDM template to maximize feature usage:

Step 1  configure terminal
        Enter global configuration mode.

Displaying the SDM Templates

On next reload, template will be "desktop vlan" template.

To return to the default template, use the no sdm prefer global configuration command.

This is an example of output from the show sdm prefer dual-ipv4-and-ipv6 routing command:

Switch# show sdm prefer dual-ipv4-and-ipv6 routing
The current template is "desktop IPv4 and IPv6 routing" template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
CH A P T E R 9 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the switch. IEEE 802.1x authentication prevents unauthorized devices (clients) from gaining access to the network.Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication • IEEE 802.1x Accounting, page 9-9 • IEEE 802.1x Accounting Attribute-Value Pairs, page 9-9 • Using IEEE 802.1x Authentication with VLAN Assignment, page 9-10 • Using IEEE 802.1x Authentication with Per-User ACLs, page 9-12 • Using IEEE 802.1x Authentication with Guest VLAN, page 9-13 • Using IEEE 802.1x Authentication with Restricted VLAN, page 9-14 • Using IEEE 802.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication Figure 9-2 shows the authentication process. If Multi Domain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions that are applicable to voice authorization. For more information on MDA, see “Using Multidomain Authentication” section on page 9-20. Figure 9-2 Authentication Flowchart Start IEEE 802.1x authentication process times out.
The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which re-authentication occurs. The Termination-Action RADIUS attribute (Attribute [29]) specifies the action to take during re-authentication. The actions are Initialize and ReAuthenticate. When the Initialize action is set (the attribute value is DEFAULT), the IEEE 802.
Figure 9-3 Message Exchange (figure not reproduced; parties: Client, Authentication server (RADIUS); messages in order: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, RADIUS Access-Request, EAP-Request/OTP, RADIUS Access-Challenge, EAP-Response/OTP, RADIUS Access-Request, EAP-Success, RADIUS Access-Accept, Port Authorized, EAPOL-Logoff, Port Unauthorized)
If IEEE 802.
Ports in Authorized and Unauthorized States
During IEEE 802.1x authentication, depending on the switch port state, the switch can grant a client access to the network. The port starts in the unauthorized state. While in this state, the port that is not configured as a voice VLAN port disallows all ingress and egress traffic except for IEEE 802.1x authentication, CDP, and STP packets.
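The following is an added example, not code from this guide or from Cisco: a small Python model of the port states just described and of the message exchange in Figure 9-3. It shows why an unauthorized port still passes EAPOL, CDP and STP frames while dropping everything else, and how EAP-Success and EAPOL-Logoff move the port between the two states. The class, method names and the (sender, message) sample exchange are constructed for the example.

```python
# Added illustrative model of the IEEE 802.1x port states described in the
# guide; it is not Cisco code. Event and protocol names are constructed.

# Frame types an unauthorized port still forwards (from the text: IEEE 802.1x
# authentication, CDP, and STP). Everything else is dropped until authorization.
ALWAYS_ALLOWED = {"EAPOL", "CDP", "STP"}

# The exchange from Figure 9-3, reconstructed as constructed sample data:
# (sender, message) pairs in the order they appear in the figure.
SAMPLE_EXCHANGE = [
    ("client", "EAPOL-Start"),
    ("switch", "EAP-Request/Identity"),
    ("client", "EAP-Response/Identity"),
    ("switch", "RADIUS Access-Request"),
    ("server", "RADIUS Access-Challenge"),
    ("switch", "EAP-Request/OTP"),
    ("client", "EAP-Response/OTP"),
    ("switch", "RADIUS Access-Request"),
    ("server", "RADIUS Access-Accept"),
    ("switch", "EAP-Success"),
]


class Dot1xPort:
    """Authenticator-side model of one data port: unauthorized until EAP-Success."""

    def __init__(self, name):
        self.name = name
        self.authorized = False
        self.history = []  # (message, authorized-after-message) for audit

    def on_message(self, sender, message):
        """Apply one message of the exchange to the port state and return it."""
        if sender == "switch" and message == "EAP-Success":
            self.authorized = True       # server accepted: port authorized
        elif sender == "switch" and message == "EAP-Failure":
            self.authorized = False      # server rejected: port stays unauthorized
        elif sender == "client" and message == "EAPOL-Logoff":
            self.authorized = False      # client logged off: port unauthorized
        self.history.append((message, self.authorized))
        return self.authorized

    def forwards(self, proto):
        """True if a frame of the given protocol passes the port in its current state."""
        if self.authorized:
            return True
        # Unauthorized data port: only the control protocols named in the text pass.
        return proto in ALWAYS_ALLOWED


def run_exchange(port, exchange):
    """Feed a whole exchange to the port and return the final authorization state."""
    for sender, message in exchange:
        port.on_message(sender, message)
    return port.authorized


if __name__ == "__main__":
    port = Dot1xPort("GigabitEthernet1/0/5")
    print("before:", port.forwards("IP"), port.forwards("CDP"))
    print("after exchange:", run_exchange(port, SAMPLE_EXCHANGE), port.forwards("IP"))
    port.on_message("client", "EAPOL-Logoff")
    print("after logoff:", port.forwards("IP"))
```

The model deliberately leaves out the voice-VLAN exception the text mentions; a port configured with a voice VLAN does not follow the simple drop-all rule modelled in forwards().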
If IP connectivity to the RADIUS server is interrupted because the switch that was connected to the server is removed or fails, these events occur:
• Ports that are already authenticated and that do not have periodic re-authentication enabled remain in the authenticated state. Communication with the RADIUS server is not required.
Figure 9-5 Multiple Host Mode Example (figure not reproduced; labels: Authentication server (RADIUS), Access point, Wireless clients)
IEEE 802.1x Accounting
The IEEE 802.1x standard defines how users are authorized and authenticated for network access but does not keep track of network usage. IEEE 802.1x accounting is disabled by default. You can enable IEEE 802.1x accounting to monitor this activity on IEEE 802.
Voice device authentication is supported. When a voice device is authorized and the RADIUS server returned an authorized VLAN, the voice VLAN on the port is configured to send and receive packets on the assigned voice VLAN. Voice VLAN assignment behaves the same as data VLAN assignment on multidomain authentication (MDA)-enabled ports.
• Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch:
  – [64] Tunnel-Type = VLAN
  – [65] Tunnel-Medium-Type = 802
  – [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6).
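As an added example (not from this guide and not Cisco code), here is a Python parser for the RADIUS attributes this section and the re-authentication discussion above name: Session-Timeout [27], Termination-Action [29], Tunnel-Type [64], Tunnel-Medium-Type [65] and Tunnel-Private-Group-ID [81]. It applies the checks the switch needs before acting on an Access-Accept: Tunnel-Type must be VLAN (13), Tunnel-Medium-Type must be 802 (6), and all three tunnel attributes must carry the same tag. The attribute bytes are constructed, not a capture; the function names are the example's own.

```python
import struct

# RADIUS attribute numbers named in the guide
SESSION_TIMEOUT, TERMINATION_ACTION = 27, 29
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Attribute [64] value the switch requires
TUNNEL_MEDIUM_IEEE_802 = 6   # Attribute [65] value the switch requires
# Termination-Action values: DEFAULT (0) = Initialize, RADIUS-Request (1) = ReAuthenticate
TERMINATION_ACTIONS = {0: "Initialize", 1: "ReAuthenticate"}


def parse_attributes(data):
    """Parse the attribute area of a RADIUS packet into (type, value) pairs.

    Each attribute is Type (1 byte), Length (1 byte, includes the 2-byte header),
    Value. Length < 2 or a value running past the buffer is rejected rather than
    silently truncated.
    """
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def _tagged_int(value):
    """Tagged tunnel integer (RFC 2868): 1 tag byte followed by a 24-bit integer."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")


def _tagged_str(value):
    """Tagged tunnel string: a leading byte <= 0x1F is a tag, otherwise it is part of the string."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def vlan_assignment(attrs):
    """Return the VLAN name or ID the server assigned, or None if the attributes are unusable."""
    tunnels = {}  # tag -> {"type", "medium", "group"}
    for atype, value in attrs:
        if atype == TUNNEL_TYPE:
            tag, v = _tagged_int(value)
            tunnels.setdefault(tag, {})["type"] = v
        elif atype == TUNNEL_MEDIUM_TYPE:
            tag, v = _tagged_int(value)
            tunnels.setdefault(tag, {})["medium"] = v
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, v = _tagged_str(value)
            tunnels.setdefault(tag, {})["group"] = v
    for t in tunnels.values():
        if (t.get("type") == TUNNEL_TYPE_VLAN
                and t.get("medium") == TUNNEL_MEDIUM_IEEE_802
                and "group" in t):
            return t["group"]
    return None


def reauth_policy(attrs):
    """Return (session_timeout_seconds or None, termination action name)."""
    timeout, action = None, "Initialize"
    for atype, value in attrs:
        if atype == SESSION_TIMEOUT:
            timeout = struct.unpack("!I", value)[0]
        elif atype == TERMINATION_ACTION:
            action = TERMINATION_ACTIONS.get(struct.unpack("!I", value)[0], "Initialize")
    return timeout, action


def build_attr(atype, value):
    """Encode one attribute (helper for the constructed sample below)."""
    return bytes([atype, len(value) + 2]) + value


# Constructed Access-Accept attribute bytes (not a capture): re-authenticate
# after 3600 s and place the client in VLAN 20, all tunnel attributes tagged 1.
SAMPLE_ACCEPT = (
    build_attr(SESSION_TIMEOUT, struct.pack("!I", 3600))
    + build_attr(TERMINATION_ACTION, struct.pack("!I", 1))
    + build_attr(TUNNEL_TYPE, b"\x01" + (TUNNEL_TYPE_VLAN).to_bytes(3, "big"))
    + build_attr(TUNNEL_MEDIUM_TYPE, b"\x01" + (TUNNEL_MEDIUM_IEEE_802).to_bytes(3, "big"))
    + build_attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"20")
)
```

A rejected assignment (for instance Tunnel-Type set to something other than VLAN) makes vlan_assignment() return None, which is the case where the switch keeps the port's configured access VLAN rather than acting on a malformed server reply.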
For examples of vendor-specific attributes, see the “Configuring the Switch to Use Vendor-Specific RADIUS Attributes” section on page 7-29. For more information about configuring ACLs, see Chapter 34, “Configuring Network Security with ACLs.”
To configure per-user ACLs, you need to perform these tasks:
• Enable AAA authentication.
Any number of IEEE 802.1x-incapable clients are allowed access when the switch port is moved to the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted. Guest VLANs are supported on IEEE 802.
After a port moves to the restricted VLAN, a simulated EAP success message is sent to the client. This prevents clients from indefinitely attempting authentication. Some clients (for example, devices running Windows XP) cannot implement DHCP without EAP success. Restricted VLANs are supported only on IEEE 802.1x ports in single-host mode and on Layer 2 ports.
Inaccessible authentication bypass interacts with these features:
• Guest VLAN—Inaccessible authentication bypass is compatible with guest VLAN. When a guest VLAN is enabled on IEEE 8021.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.
• When an IEEE 802.1x client logs off, the port changes to an unauthenticated state, and all dynamic entries in the secure host table are cleared, including the entry for the client. Normal authentication then takes place.
• If the port is administratively shut down, the port becomes unauthenticated, and all dynamic entries are removed from the secure host table.
frame with a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is configured. If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.
Network Admission Control Layer 2 IEEE 802.1x Validation
The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which checks the antivirus condition or posture of endpoint systems or clients before granting the devices network access. With NAC Layer 2 IEEE 802.
• If more than one device attempts authorization on either the voice or the data domain of a port, it is error disabled.
• Until a device is authorized, the port drops its traffic.
Non-Cisco IP phones or voice devices are allowed into both the data and voice VLANs. The data VLAN allows the voice device to contact a DHCP server to obtain an IP address and acquire the voice VLAN information.
Configuring IEEE 802.1x Authentication
For example:
proxyacl#10=permit ip any 10.0.0.0 255.0.0.0
proxyacl#20=permit ip any 11.1.0.0 255.255.0.0
proxyacl#30=permit udp any any eq syslog
proxyacl#40=permit udp any any eq tftp
Note The proxyacl entry determines the type of allowed network access. For more information, see the “Configuring Web Authentication” section on page 9-42.
• Configuring IEEE 802.1x Authentication with WoL, page 9-39 (optional)
• Configuring MAC Authentication Bypass, page 9-40 (optional)
• Configuring NAC Layer 2 IEEE 802.1x Validation, page 9-41 (optional)
• Configuring Web Authentication, page 9-42
• Disabling IEEE 802.1x Authentication on the Port, page 9-44 (optional)
• Resetting the IEEE 802.
Table 9-2 Default IEEE 802.1x Authentication Configuration (continued)
Feature: Client timeout period
Default setting: 30 seconds (when relaying a request from the authentication server to the client, the amount of time the switch waits for a response before resending the request to the client.
• The IEEE 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed ports, but it is not supported on these port types:
  – Trunk port—If you try to enable IEEE 802.1x authentication on a trunk port, an error message appears, and IEEE 802.1x authentication is not enabled. If you try to change the mode of an IEEE 802.
the IEEE 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout tx-period interface configuration commands). The amount to decrease the settings depends on the connected IEEE 802.1x client type.
• When configuring the inaccessible authentication bypass feature, follow these guidelines:
  – The feature is supported on IEEE 802.1x port in single-host mode and multihosts mode.
Step 4 The switch sends a start message to an accounting server.
Step 5 Re-authentication is performed, as necessary.
Step 6 The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication.
Step 7 The user disconnects from the port.
Step 8 The switch sends a stop message to the accounting server.
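The accounting sequence above (start, interim update after re-authentication, stop) is what a defender later reads back on the RADIUS accounting server. As an added example that is not part of this guide or Cisco's software, the Python below groups constructed accounting records by Acct-Session-Id, computes session durations, and flags incomplete trails (a Start with no Stop, or a Stop with no Start), which is how lost or unsent accounting messages show up in review. Record contents and the function names are constructed for the example.

```python
from datetime import datetime

# Constructed RADIUS accounting records (not from a real server), in the order
# the switch sends them for the steps above: Start, Interim-Update after
# re-authentication, Stop. Keys are the standard RADIUS attribute names; the
# "timestamp" key stands in for the server's receive time.
SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "0001", "User-Name": "alice",
     "NAS-Port-Id": "GigabitEthernet1/0/5", "timestamp": "2007-11-01T08:00:00"},
    {"Acct-Status-Type": "Interim-Update", "Acct-Session-Id": "0001", "User-Name": "alice",
     "NAS-Port-Id": "GigabitEthernet1/0/5", "timestamp": "2007-11-01T09:00:00"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "0001", "User-Name": "alice",
     "NAS-Port-Id": "GigabitEthernet1/0/5", "timestamp": "2007-11-01T10:30:00"},
    # Session still open (or its Stop never arrived).
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "0002", "User-Name": "bob",
     "NAS-Port-Id": "GigabitEthernet1/0/6", "timestamp": "2007-11-01T08:15:00"},
    # Stop whose Start was never received.
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "0003", "User-Name": "carol",
     "NAS-Port-Id": "GigabitEthernet1/0/7", "timestamp": "2007-11-01T08:20:00"},
]


def summarize_sessions(records):
    """Group accounting records by Acct-Session-Id, noting start, updates and stop."""
    sessions = {}
    for rec in records:
        sess = sessions.setdefault(rec["Acct-Session-Id"], {
            "user": rec["User-Name"], "port": rec["NAS-Port-Id"],
            "start": None, "stop": None, "updates": 0})
        when = datetime.fromisoformat(rec["timestamp"])
        status = rec["Acct-Status-Type"]
        if status == "Start":
            sess["start"] = when
        elif status == "Interim-Update":
            sess["updates"] += 1
        elif status == "Stop":
            sess["stop"] = when
    return sessions


def session_seconds(sessions, session_id):
    """Seconds between Start and Stop, or None if the session lacks either."""
    sess = sessions[session_id]
    if sess["start"] is None or sess["stop"] is None:
        return None
    return int((sess["stop"] - sess["start"]).total_seconds())


def find_gaps(sessions):
    """Sessions with an incomplete accounting trail, as (session id, user, reason)."""
    gaps = []
    for sid, sess in sorted(sessions.items()):
        if sess["start"] is not None and sess["stop"] is None:
            gaps.append((sid, sess["user"], "start-without-stop"))
        elif sess["start"] is None and sess["stop"] is not None:
            gaps.append((sid, sess["user"], "stop-without-start"))
    return gaps


if __name__ == "__main__":
    summary = summarize_sessions(SAMPLE_RECORDS)
    for sid in sorted(summary):
        print(sid, summary[sid]["user"], summary[sid]["port"],
              "seconds:", session_seconds(summary, sid), "updates:", summary[sid]["updates"])
    print("gaps:", find_gaps(summary))
```

A "start-without-stop" entry is normal while a user is still connected; it only becomes a finding once the session is older than the configured re-authentication interval and no interim update has arrived either.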
Configuring the Switch-to-RADIUS-Server Communication
RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.
You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.
Configuring the Host Mode
Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) on an IEEE 802.
Configuring Periodic Re-Authentication
You can enable periodic IEEE 802.1x client re-authentication and specify how often it occurs. If you do not specify a time period before enabling re-authentication, the number of seconds between attempts is 3600.
Changing the Quiet Period
When the switch cannot authenticate the client, the switch remains idle for a set period of time and then tries again. The dot1x timeout quiet-period interface configuration command controls the idle period. A failed authentication of the client might occur because the client provided an invalid password.
Step 4  end
    Return to privileged EXEC mode.
Step 5  show dot1x interface interface-id
    Verify your entries.
Step 6  copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To return to the default retransmission time, use the no dot1x timeout tx-period interface configuration command.
Setting the Re-Authentication Number
You can also change the number of times that the switch restarts the authentication process before the port changes to the unauthorized state.
Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
Note You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and interim-update messages and time stamps. To turn on these functions, enable logging of “Update/Watchdog packets from this AAA client” in your RADIUS server Network Configuration tab. Next, enable “CSV RADIUS Accounting” in your RADIUS server System Configuration tab.
switchport mode access
    Set the port to access mode, or
switchport mode private-vlan host
    Configure the Layer 2 port as a private-VLAN host port.
Step 4  dot1x port-control auto
    Enable IEEE 802.1x authentication on the port.
Step 5  dot1x guest-vlan vlan-id
    Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094.
Step 4  dot1x port-control auto
    Enable IEEE 802.1x authentication on the port.
Step 5  dot1x auth-fail vlan vlan-id
    Specify an active VLAN as an IEEE 802.1x restricted VLAN. The range is 1 to 4094. You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x restricted VLAN.
To return to the default value, use the no dot1x auth-fail max-attempts interface configuration command.
Step 4  radius-server host ip-address [acct-port udp-port] [auth-port udp-port] [test username name [idle-time time] [ignore-acct-port] [ignore-auth-port]] [key string]
    (Optional) Configure the RADIUS server parameters by using these keywords:
    • acct-port udp-port—Specify the UDP port for the RADIUS accounting server. The range for the UDP port number is from 0 to 65536.
Step 6  interface interface-id
    Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “IEEE 802.1x Authentication Configuration Guidelines” section on page 9-24.
Step 3  dot1x control-direction {both | in}
    Enable IEEE 802.1x authentication with WoL on the port, and use these keywords to configure the port as bidirectional or unidirectional.
    • both—Sets the port as bidirectional. The port cannot receive packets from or send packets to the host. By default, the port is bidirectional.
    • in—Sets the port as unidirectional.
Configuring NAC Layer 2 IEEE 802.1x Validation
You can configure NAC Layer 2 IEEE 802.1x validation, which is also referred to as IEEE 802.1x authentication with a RADIUS server. Beginning in privileged EXEC mode, follow these steps to configure NAC Layer 2 IEEE 802.1x validation. The procedure is optional.
Step 1  configure terminal
    Enter global configuration mode.
Configuring Web Authentication
Beginning in privileged EXEC mode, follow these steps to configure authentication, authorization, accounting (AAA) and RADIUS on a switch before configuring web authentication. The steps enable AAA by using RADIUS authentication and enable device tracking.
Step 1  configure terminal
    Enter global configuration mode.
Step 2  aaa new-model
    Enable AAA.
Beginning in privileged EXEC mode, follow these steps to configure a port to use web authentication:
Step 1  configure terminal
    Enter global configuration mode.
Step 2  ip admission name rule proxy http
    Define a web authentication rule.
    Note The same rule cannot be used for both web authentication and NAC Layer 2 IP validation.
Step 9  dot1x port-control auto
    Enable IEEE 802.1x authentication on the interface.
Step 10  dot1x fallback fallback-profile
    Configure the port to authenticate a client by using web authentication when no IEEE 802.1x supplicant is detected on the port. Any change to the fallback-profile global configuration takes effect the next time IEEE 802.1x fallback is invoked on the interface.
Displaying IEEE 802.1x Statistics and Status
To configure the port as an IEEE 802.1x port access entity (PAE) authenticator, which enables IEEE 802.1x on the port but does not allow clients connected to the port to be authorized, use the dot1x pae authenticator interface configuration command. This example shows how to disable IEEE 802.
Chapter 10 Configuring Interface Characteristics
This chapter defines the types of interfaces on the switch and describes how to configure them. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Understanding Interface Types
• Switch Virtual Interfaces, page 10-5
• EtherChannel Port Groups, page 10-5
• 10-Gigabit Ethernet Interfaces, page 10-6
• Connecting Interfaces, page 10-6
Port-Based VLANs
A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 12, “Configuring VLANs.
Note When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration. For detailed information about configuring access port and trunk port characteristics, see Chapter 12, “Configuring VLANs.” For more information about tunnel ports, see Chapter 16, “Configuring IEEE 802.
traffic is forwarded to and from the trunk port for that VLAN. If VTP learns of a new, enabled VLAN that is not in the allowed list for a trunk port, the port does not become a member of the VLAN, and no traffic for the VLAN is forwarded to or from the port. For more information about trunk ports, see Chapter 12, “Configuring VLANs.”
Tunnel Ports
Tunnel ports are used in IEEE 802.
Switch Virtual Interfaces
A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing or bridging function in the system. Only one SVI can be associated with a VLAN, but you need to configure an SVI for a VLAN only when you wish to route between VLANs, to fallback-bridge nonroutable protocols between VLANs, or to provide IP host connectivity to the switch.
When you configure an EtherChannel, you create a port-channel logical interface and assign an interface to the EtherChannel. For Layer 3 interfaces, you manually create the logical interface by using the interface port-channel global configuration command. Then you manually assign an interface to the EtherChannel by using the channel-group interface configuration command.
Using Interface Configuration Mode
possible, to maintain high performance, forwarding is done by the switch hardware. However, only IPv4 packets with Ethernet II encapsulation are routed in hardware. Non-IP traffic and traffic with other encapsulation methods are fallback-bridged by hardware.
• The routing function can be enabled on all SVIs and routed ports. The switch routes only IP traffic.
You can identify physical interfaces by physically checking the interface location on the switch. You can also use the show privileged EXEC commands to display information about a specific interface or all the interfaces on the switch. The remainder of this chapter primarily provides physical interface configuration procedures.
Enter the show interfaces privileged EXEC command to see a list of all interfaces on or configured for the switch. A report is provided for each interface that the device supports or for the specified interface.
Configuring a Range of Interfaces
You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters.
• You must add a space between the first interface number and the hyphen when using the interface range command. For example, the command interface range gigabitethernet1/0/1 - 4 is a valid range; the command interface range gigabitethernet1/0/1-4 is not a valid range.
• The interface range command only works with VLAN interfaces that have been configured with the interface vlan command.
Step 5  show running-config | include define
    Show the defined interface range macro configuration.
Step 6  copy running-config startup-config
    (Optional) Save your entries in the configuration file.
Use the no define interface-range macro_name global configuration command to delete a macro.
Using the Internal Ethernet Management Port
This example shows how to delete the interface-range macro enet_list and to verify that it was deleted.
All the Ethernet management ports on the stack members in the same enclosure are managed by the Onboard Administrator software that the enclosure is running. However, only the Ethernet management port for the stack master is enabled. The active link is from the Ethernet management port on the stack master through the Onboard Administrator to the PC.
Supported Features on the Ethernet Management Port
The Ethernet management port supports these features:
• Express Setup (only in switch stacks)
• Network Assistant
• Telnet with passwords
• TFTP
• Secure Shell (SSH)
• DHCP-based autoconfiguration
• SNMP (only the ENTITY-MIB and the IF-MIB)
• IP ping
• Interface features
  – Speed—100 Mb/s (nonconfigurable)
  – Duplex mode—Full (nonconfigurable)
  – Lo
Configuring Ethernet Interfaces
Monitoring the Ethernet Management Port
To display the link status, use the show interfaces fastethernet 0 privileged EXEC command.
TFTP and the Ethernet Management Port
Use the commands in Table 10-1 when using TFTP to download or upload a configuration file to the boot loader.
Default Ethernet Interface Configuration
Table 10-2 shows the Ethernet interface default configuration, including some features that apply only to Layer 2 interfaces. For more details on the VLAN parameters listed in the table, see Chapter 12, “Configuring VLANs.” For details on controlling traffic to the port, see Chapter 25, “Configuring Port-Based Traffic Control.
Table 10-2 Default Layer 2 Ethernet Interface Configuration (continued)
Port Fast: Disabled. See the “Default Optional Spanning-Tree Configuration” section on page 19-12.
Auto-MDIX: Enabled.
Configuring Interface Speed and Duplex Mode
Ethernet interfaces on the switch operate at 10, 100, 1000, or 10,000 Mb/s and in either full- or half-duplex mode.
Caution Changing the interface speed and duplex mode configuration might shut down and re-enable the interface during the reconfiguration.
Setting the Interface Speed and Duplex Parameters
Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface:
Step 1  configure terminal
    Enter global configuration mode.
This example shows how to set the interface speed to 100 Mb/s and the duplex mode to half on an external 10/100/1000 Mb/s port:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/17
Switch(config-if)# speed 100
Switch(config-if)# duplex half
This example shows how to set the interface speed to 100 Mb/s on an external 10/100/1000 Mb/s port:
Switch# configure terminal
Switch(config)# interface gigabitethern
To disable flow control, use the flowcontrol receive off interface configuration command.
Configuring Layer 3 Interfaces
To disable auto-MDIX, use the no mdix auto interface configuration command.
Note When you create an SVI, it does not become active until it is associated with a physical port. For information about assigning Layer 2 ports to VLANs, see Chapter 12, “Configuring VLANs.”
• Routed ports: Routed ports are physical ports configured to be in Layer 3 mode by using the no switchport interface configuration command.
• Layer 3 EtherChannel ports: EtherChannel interfaces made up of routed ports.
Configuring the System MTU
Step 6  end
    Return to privileged EXEC mode.
Step 7  show interfaces [interface-id]
        show ip interface [interface-id]
        show running-config interface [interface-id]
    Verify the configuration.
Step 8  copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To remove an IP address from an interface, use the no ip address interface configuration command.
The upper limit of the system routing MTU value is based on the switch or switch stack configuration and refers to either the currently applied system MTU or the system jumbo MTU value. For more information about setting the MTU sizes, see the system mtu global configuration command in the command reference for this release.
Monitoring and Maintaining the Interfaces
These sections contain interface monitoring and maintenance information:
• Monitoring Interface Status, page 10-25
• Clearing and Resetting Interfaces and Counters, page 10-26
• Shutting Down and Restarting the Interface, page 10-26
Monitoring Interface Status
Commands entered at the privileged EXEC prompt display information about the interface, including the versions
Clearing and Resetting Interfaces and Counters
Table 10-5 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces.
Table 10-5 Clear Commands for Interfaces
clear counters [interface-id]
    Clear interface counters.
clear interface interface-id
    Reset the hardware logic on an interface.
Chapter 11 Configuring Smartports Macros
This chapter describes how to configure and apply Smartports macros on the switch.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Configuring Smartports Macros
Table 11-1 Cisco-Default Smartports Macros (continued)
Macro name: cisco-phone
Description: Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
Smartports Macro Configuration Guidelines
Follow these guidelines when configuring macros on your switch:
• When creating a macro, do not use the exit or end commands or change the command mode by using interface interface-id. This could cause commands that follow exit, end, or interface interface-id to execute in a different command mode.
• When creating a macro, all CLI commands should be in the same configuration mode.
Follow these guidelines when you apply a Cisco-default Smartports macro on an interface:
• Display all macros on the switch by using the show parser macro user EXEC command. Display the contents of a specific macro by using the show parser macro macro-name user EXEC command.
• Keywords that begin with $ mean that a unique parameter value is required.
Applying Smartports Macros
Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro:
Step 1  configure terminal
    Enter global configuration mode.
Step 2  macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]
    Apply each individual command defined in the macro to the switch by entering macro global apply macro-name.
This example shows how to apply the user-created macro called snmp, to set the hostname address to test-server, and to set the IP precedence value to 7:
Switch(config)# macro global apply snmp ADDRESS test-server VALUE 7
This example shows how to debug the user-created macro called snmp by using the macro global trace global configuration command to find any syntax or configuration errors in the macro when it is applied to the switch
Step 7  macro {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]
    Append the Cisco-default macro with the required values by using the parameter value keywords, and apply the macro to the interface. Keywords that begin with $ mean that a unique parameter value is required. You can use the macro apply macro-name ? command to display a list of any required values in the macro.
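The macro guidelines and the apply step above amount to a small pre-flight check: every $ keyword needs a value, and a macro body must not contain exit, end or interface interface-id lines that would change the command mode part-way through. As an added example that is neither this guide's nor Cisco's code, the Python below performs those checks on a constructed user macro and expands it with supplied parameter values, the way macro apply macro-name ? and the parameter value keywords are used on the switch. The sample macro, the constructed interface-mode violation and the function names are the example's own.

```python
import re

# Constructed user-created macro (not one of the Cisco-default macros).
# Keywords that begin with $ require a value when the macro is applied.
SAMPLE_MACRO = """\
description $DESC
switchport mode access
switchport access vlan $AVID
spanning-tree portfast
"""

# A macro that breaks the guideline: it changes command mode with an
# interface line, so commands after it would run in a different mode.
BAD_MACRO = """\
interface gigabitethernet1/0/1
shutdown
end
"""

KEYWORD_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
# Lines the guideline says must not appear inside a macro body.
MODE_CHANGE_RE = re.compile(r"^\s*(exit|end|interface\s+\S+)\s*$")


def required_keywords(body):
    """Unique $ keywords in order of first appearance (what 'macro apply name ?' would list)."""
    seen = []
    for kw in KEYWORD_RE.findall(body):
        if kw not in seen:
            seen.append(kw)
    return seen


def guideline_violations(body):
    """Lines that change command mode (exit, end, interface ...) inside the macro."""
    return [line.strip() for line in body.splitlines() if MODE_CHANGE_RE.match(line)]


def missing_parameters(body, params):
    """Required keywords for which no value was supplied."""
    return [kw for kw in required_keywords(body) if kw not in params]


def expand_macro(body, params):
    """Return the macro's commands with $ keywords replaced by the supplied values.

    Refuses to expand a macro that violates the mode-change guideline or that
    still has unfilled keywords, so the commands are never applied half-formed.
    """
    violations = guideline_violations(body)
    if violations:
        raise ValueError(f"macro changes command mode: {violations}")
    missing = missing_parameters(body, params)
    if missing:
        raise ValueError(f"missing values for: {missing}")
    return [KEYWORD_RE.sub(lambda m: params[m.group(1)], line)
            for line in body.splitlines() if line.strip()]


if __name__ == "__main__":
    print("required:", required_keywords(SAMPLE_MACRO))
    for cmd in expand_macro(SAMPLE_MACRO, {"DESC": "lab-pc", "AVID": "10"}):
        print(cmd)
    print("violations:", guideline_violations(BAD_MACRO))
```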
Displaying Smartports Macros
To display the Smartports macros, use one or more of the privileged EXEC commands in Table 11-2.
Table 11-2 Commands for Displaying Smartports Macros
show parser macro
    Displays all configured macros.
show parser macro name macro-name
    Displays a specific macro.
show parser macro brief
    Displays the configured macro names.
CH A P T E R 12 Configuring VLANs This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS). Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Chapter 12 Configuring VLANs Understanding VLANs Figure 12-1 shows an example of VLANs segmented into logically defined networks. [Figure 12-1 VLANs as Logically Defined Networks: an Engineering VLAN, a Marketing VLAN, and an Accounting VLAN spanning Enclosure 1, Enclosure 2, and Enclosure 3, connected over Gigabit Ethernet to a Cisco router.] VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
Chapter 12 Configuring VLANs Understanding VLANs Although the switch or switch stack supports a total of 1005 (normal range and extended range) VLANs, the number of routed ports, SVIs, and other configured features affects the use of the switch hardware. The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
Chapter 12 Configuring VLANs Configuring Normal-Range VLANs Table 12-1 Port Membership Modes and Characteristics (continued) Membership Mode VLAN Membership Characteristics VTP Characteristics Dynamic access A dynamic-access port can belong to one VLAN (VLAN ID 1 to 4094) and is dynamically assigned by a VMPS. The VMPS can be a Catalyst 5000 or Catalyst 6500 series switch, for example, but never a blade switch. The switch is a VMPS client. VTP is required.
Chapter 12 Configuring VLANs Configuring Normal-Range VLANs Caution You can cause inconsistency in the VLAN database if you attempt to manually delete the vlan.dat file. If you want to modify the VLAN configuration, use the commands described in these sections and in the command reference for this release. To change the VTP configuration, see Chapter 13, “Configuring VTP.” You use the interface configuration mode to define the port membership mode and to add and remove ports from VLANs.
Chapter 12 Configuring VLANs Configuring Normal-Range VLANs Token Ring VLANs Although the switch does not support Token Ring connections, a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches.
Chapter 12 Configuring VLANs Configuring Normal-Range VLANs VLAN Configuration Mode Options You can configure normal-range VLANs (with VLAN IDs 1 to 1005) by using these two configuration modes: • VLAN Configuration in config-vlan Mode, page 12-7 You access config-vlan mode by entering the vlan vlan-id global configuration command. • VLAN Configuration in VLAN Database Configuration Mode, page 12-7 You access VLAN database configuration mode by entering the vlan database privileged EXEC command.
Chapter 12 Configuring VLANs Configuring Normal-Range VLANs When you save VLAN and VTP information (including extended-range VLAN configuration information) in the startup configuration file and reboot the switch, the switch configuration is selected as follows: Caution • If the VTP mode is transparent in the startup configuration, and the VLAN database and the VTP domain name from the VLAN database matches that in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and
Creating or Modifying an Ethernet VLAN Each Ethernet VLAN in the VLAN database has a unique ID that can be a number from 1 to 1001. VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs. To create a normal-range VLAN to be added to the VLAN database, assign a number and name to the VLAN. Note When the switch is in VTP transparent mode, you can assign extended-range VLAN IDs (1006 to 4094), but they are not added to the VLAN database.
Chapter 12 Configuring VLANs Configuring Normal-Range VLANs You can also create or modify Ethernet VLANs by using the VLAN database configuration mode. Note VLAN database configuration mode does not support RSPAN VLAN configuration or extended-range VLANs. Beginning in privileged EXEC mode, follow these steps to use VLAN database configuration mode to create or modify an Ethernet VLAN: Command Purpose Step 1 vlan database Enter VLAN database configuration mode.
Chapter 12 Configuring VLANs Configuring Normal-Range VLANs Caution When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN. Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no vlan vlan-id Remove the VLAN by entering the VLAN ID.
Chapter 12 Configuring VLANs Configuring Extended-Range VLANs Command Purpose Step 7 show interfaces interface-id switchport Verify your entries in the Administrative Mode and the Access Mode VLAN fields of the display. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To return an interface to its default configuration, use the default interface interface-id interface configuration command.
Chapter 12 Configuring VLANs Configuring Extended-Range VLANs Extended-Range VLAN Configuration Guidelines Follow these guidelines when creating extended-range VLANs: • To add an extended-range VLAN, you must use the vlan vlan-id global configuration command and access config-vlan mode. You cannot add extended-range VLANs in VLAN database configuration mode (accessed by entering the vlan database privileged EXEC command).
Chapter 12 Configuring VLANs Configuring Extended-Range VLANs Creating an Extended-Range VLAN You create an extended-range VLAN in global configuration mode by entering the vlan global configuration command with a VLAN ID from 1006 to 4094. This command accesses the config-vlan mode. The extended-range VLAN has the default Ethernet VLAN characteristics (see Table 12-2) and the MTU size, private VLAN, and RSPAN configuration are the only parameters you can change.
This example shows how to create a new extended-range VLAN with all default characteristics, enter config-vlan mode, and save the new VLAN in the switch startup configuration file:
Switch(config)# vtp mode transparent
Switch(config)# vlan 2000
Switch(config-vlan)# end
Switch# copy running-config startup-config
Creating an Extended-Range VLAN with an Internal VLAN ID If you enter an extended-range VLAN ID that is already assigned to an internal
Chapter 12 Configuring VLANs Displaying VLANs Displaying VLANs Use the show vlan privileged EXEC command to display a list of all VLANs on the switch, including extended-range VLANs. The display includes VLAN status, ports, and configuration information. To view only the normal-range VLANs held in the VLAN database (1 to 1005), use the show command in VLAN database configuration mode (accessed by entering the vlan database privileged EXEC command). Table 12-3 lists the commands for monitoring VLANs.
Chapter 12 Configuring VLANs Configuring VLAN Trunks Figure 12-2 shows a network of switches that are connected by ISL trunks. [Figure 12-2 Switches in an ISL Trunking Environment: a Catalyst 6500 series switch connected by ISL trunks to four blade switches, each carrying VLAN1, VLAN2, and VLAN3.] Figure 12-3 shows a network of switches that are connected by IEEE 802.1Q trunks. Figure 12-3 Switches in an IEEE 802.
Ethernet trunk interfaces support different trunking modes (see Table 12-4). You can set an interface as trunking or nontrunking or to negotiate trunking with the neighboring interface. To autonegotiate trunking, the interfaces must be in the same VTP domain. Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which is a point-to-point protocol. Because a port left in a negotiating mode becomes a trunk as soon as the device at the other end asks for one, ports that connect to end hosts rather than to other switches should be configured as static-access ports (switchport mode access) so that trunking cannot be negotiated on them.
Chapter 12 Configuring VLANs Configuring VLAN Trunks Encapsulation Types Table 12-5 lists the Ethernet trunk encapsulation types and keywords. Table 12-5 Ethernet Trunk Encapsulation Types Encapsulation Function switchport trunk encapsulation isl Specifies ISL encapsulation on the trunk link. switchport trunk encapsulation dot1q Specifies IEEE 802.1Q encapsulation on the trunk link.
Chapter 12 Configuring VLANs Configuring VLAN Trunks Default Layer 2 Ethernet Interface VLAN Configuration Table 12-6 shows the default Layer 2 Ethernet interface VLAN configuration.
Chapter 12 Configuring VLANs Configuring VLAN Trunks – STP Port Fast setting. – trunk status: if one port in a port group ceases to be a trunk, all ports cease to be trunks. • We recommend that you configure no more than 24 trunk ports in PVST mode and no more than 40 trunk ports in MST mode. • If you try to enable IEEE 802.1x on a trunk port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, the port mode is not changed.
Chapter 12 Configuring VLANs Configuring VLAN Trunks To return an interface to its default configuration, use the default interface interface-id interface configuration command. To reset all trunking characteristics of a trunking interface to the defaults, use the no switchport trunk interface configuration command. To disable trunking, use the switchport mode access interface configuration command to configure the port as a static-access port. This example shows how to configure a port as an IEEE 802.
Chapter 12 Configuring VLANs Configuring VLAN Trunks Step 4 Command Purpose switchport trunk allowed vlan {add | all | except | remove} vlan-list (Optional) Configure the list of VLANs allowed on the trunk. For explanations about using the add, all, except, and remove keywords, see the command reference for this release. The vlan-list parameter is either a single VLAN number from 1 to 4094 or a range of VLANs described by two VLAN numbers, the lower one first, separated by a hyphen.
Chapter 12 Configuring VLANs Configuring VLAN Trunks Command Purpose Step 5 show interfaces interface-id switchport Verify your entries in the Pruning VLANs Enabled field of the display. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default pruning-eligible list of all VLANs, use the no switchport trunk pruning vlan interface configuration command.
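The following configuration is an added example, not taken from this guide, that puts the preceding trunk procedures together on one blade switch: an uplink trunk that carries an explicit VLAN list and does not negotiate, and a server-facing port fixed in access mode so that no trunk can be negotiated on it. The interface numbers, the VLAN IDs 10, 20, and 30, and the choice of 999 as an otherwise unused native VLAN are assumptions for illustration.

```cisco
! Uplink toward the distribution switch (interface number assumed).
! Fixed IEEE 802.1Q trunk: DTP is switched off, the allowed list is explicit,
! and the native VLAN is one that has no access ports anywhere.
interface gigabitethernet1/0/17
 description uplink to distribution switch (assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! Server-facing port: static access, so trunking cannot be negotiated
! by whatever is attached, and it carries exactly one VLAN.
interface gigabitethernet1/0/1
 description blade server port (assumed)
 switchport mode access
 switchport access vlan 10
!
! The unused native VLAN exists only so that untagged frames arriving on
! the trunk land in a VLAN that reaches no host.
vlan 999
 name NATIVE_UNUSED
```

Verify the result with show interfaces trunk and with show interfaces gigabitethernet1/0/17 switchport: the Administrative Mode field should read trunk on the uplink and static access on the server port, and the Trunking VLANs Enabled field on the uplink should list only 10,20,30.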
Chapter 12 Configuring VLANs Configuring VLAN Trunks You configure load sharing on trunk ports by using STP port priorities or STP path costs. For load sharing using STP port priorities, both load-sharing links must be connected to the same switch. For load sharing using STP path costs, each load-sharing link can be connected to the same switch or to two different switches. For more information about STP, see Chapter 17, “Configuring STP.
Chapter 12 Configuring VLANs Configuring VLAN Trunks Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 12-4. Command Purpose Step 1 configure terminal Enter global configuration mode on Switch A. Step 2 vtp domain domain-name Configure a VTP administrative domain. The domain name can be 1 to 32 characters. Step 3 vtp mode server Configure Switch A as the VTP server. Step 4 end Return to privileged EXEC mode.
Chapter 12 Configuring VLANs Configuring VLAN Trunks Load Sharing Using STP Path Cost You can configure parallel trunks to share VLAN traffic by setting different path costs on a trunk and associating the path costs with different sets of VLANs, blocking different ports for different VLANs. The VLANs keep the traffic separate and maintain redundancy in the event of a lost link. In Figure 12-5, Trunk ports 1 and 2 are configured as 100BASE-T ports.
Chapter 12 Configuring VLANs Configuring VMPS
Step 11 interface gigabitethernet1/0/1 Define the interface on which to set the STP cost, and enter interface configuration mode.
Step 12 spanning-tree vlan 2-4 cost 30 Set the spanning-tree path cost to 30 for VLANs 2 through 4.
Step 13 end Return to privileged EXEC mode.
Step 14 Repeat Steps 9 through 13 on the other configured trunk interface on Switch A, and set the spanning-tree path cost to 30 for VLANs 8, 9, and 10.
Chapter 12 Configuring VLANs Configuring VMPS If the port is currently unassigned (that is, it does not yet have a VLAN assignment), the VMPS provides one of these responses: • If the host is allowed on the port, the VMPS sends the client a vlan-assignment response containing the assigned VLAN name and allowing access to the host. • If the host is not allowed on the port and the VMPS is in open mode, the VMPS sends an access-denied response.
Chapter 12 Configuring VLANs Configuring VMPS Default VMPS Client Configuration Table 12-7 shows the default VMPS and dynamic-access port configuration on client switches.
Chapter 12 Configuring VLANs Configuring VMPS Entering the IP Address of the VMPS You must first enter the IP address of the server to configure the switch as a client. Note If the VMPS is being defined for a cluster of switches, enter the address on the command switch. Beginning in privileged EXEC mode, follow these steps to enter the IP address of the VMPS: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 12 Configuring VLANs Configuring VMPS Command Purpose Step 6 show interfaces interface-id switchport Verify your entries in the Operational Mode field of the display. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To return an interface to its default configuration, use the default interface interface-id interface configuration command.
Chapter 12 Configuring VLANs Configuring VMPS Changing the Retry Count Beginning in privileged EXEC mode, follow these steps to change the number of times that the switch attempts to contact the VMPS before querying the next server: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vmps retry count Change the retry count. The retry range is 1 to 10; the default is 3. Step 3 end Return to privileged EXEC mode.
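As an added example, not from the guide, this is a complete VMPS client configuration that combines the server-address, dynamic-access-port, and retry-count procedures above. The server addresses are the ones used in the guide's Figure 12-6; the VTP domain name, the retry and reconfirm values, and the interface number are assumptions.

```cisco
! A dynamic-access port requires the switch to be in a VTP domain
! (Table 12-1). Domain name assumed.
vtp domain eng_group
!
! VMPS servers: primary first, then a fallback (addresses from Figure 12-6).
vmps server 172.20.26.150 primary
vmps server 172.20.26.151
! Attempts per server before moving to the next one (assumed value, range 1 to 10).
vmps retry 5
! Minutes between reconfirmations of each port's assignment (assumed value).
vmps reconfirm 30
!
! Dynamic-access port: an access port whose VLAN is assigned by the VMPS
! from the MAC address of the host that appears on it.
interface gigabitethernet1/0/2
 description host port with VMPS-assigned VLAN (assumed)
 switchport mode access
 switchport access vlan dynamic
```

Check the client state with show vmps and the port with show interfaces gigabitethernet1/0/2 switchport. If the VMPS runs in secure mode, a host it rejects causes the switch to shut the port down rather than leave it unassigned, so an unexpectedly down dynamic-access port is the first thing to look at when a host cannot connect.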
Chapter 12 Configuring VLANs Configuring VMPS Troubleshooting Dynamic-Access Port VLAN Membership The VMPS shuts down a dynamic-access port under these conditions: • The VMPS is in secure mode, and it does not allow the host to connect to the port. The VMPS shuts down the port to prevent the host from connecting to the network. • More than 20 active hosts reside on a dynamic-access port.
[Figure 12-6 Dynamic Port VLAN Membership Configuration: Catalyst 6500 series switch A acting as the primary VMPS server (172.20.26.150) and a TFTP server (172.20.22.7), reached through a router; client switch B (172.20.26.151) with a dynamic-access port and a trunk port; and client switches C (172.20.26.152), D (172.20.26.153), E (172.20.26.154), F (172.20.26.155), G (172.20.26.156), and H (172.20.26.…).]
Chapter 12 Configuring VLANs Configuring VMPS Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide 12-36 OL-12247-01
CH A P T E R 13 Configuring VTP This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 13 Configuring VTP Understanding VTP The switch supports 1005 VLANs, but the number of routed ports, SVIs, and other configured features affects the usage of the switch hardware. If the switch is notified by VTP of a new VLAN and the switch is already using the maximum available hardware resources, it sends a message that there are not enough hardware resources available and shuts down the VLAN. The output of the show vlan user EXEC command shows the VLAN in a suspended state.
Chapter 13 Configuring VTP Understanding VTP For domain name and password configuration guidelines, see the “VTP Configuration Guidelines” section on page 13-8. VTP Modes You can configure a supported switch or switch stack to be in one of the VTP modes listed in Table 13-1. Table 13-1 VTP Modes VTP Mode Description VTP server In VTP server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as the VTP version) for the entire VTP domain.
VTP advertisements distribute this global domain information:
• VTP domain name
• VTP configuration revision number
• Update identity and update timestamp
• MD5 digest VLAN configuration, including maximum transmission unit (MTU) size for each VLAN
• Frame format
VTP advertisements distribute this VLAN information for each configured VLAN:
• VLAN IDs (ISL and IEEE 802.
VTP pruning blocks unneeded flooded traffic to VLANs on trunk ports that are included in the pruning-eligible list. Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning eligible on switch trunk ports. If the VLANs are configured as pruning-ineligible, the flooding continues. VTP pruning is supported with VTP Version 1 and Version 2. Figure 13-1 shows a switched network without VTP pruning enabled.
Chapter 13 Configuring VTP Configuring VTP Enabling VTP pruning on a VTP server enables pruning for the entire management domain. Making VLANs pruning-eligible or pruning-ineligible affects pruning eligibility for those VLANs on that trunk only (not on all switches in the VTP domain). See the “Enabling VTP Pruning” section on page 13-14. VTP pruning takes effect several seconds after you enable it. VTP pruning does not prune traffic from VLANs that are pruning-ineligible.
Chapter 13 Configuring VTP Configuring VTP Default VTP Configuration Table 13-2 shows the default VTP configuration. Table 13-2 Default VTP Configuration Feature Default Setting VTP domain name Null. VTP mode Server. VTP version Version 1 (Version 2 is disabled). VTP password None. VTP pruning Disabled. VTP Configuration Options You can configure VTP by using these configuration modes.
Chapter 13 Configuring VTP Configuring VTP VTP Configuration in VLAN Database Configuration Mode You can configure all VTP parameters in VLAN database configuration mode, which you access by entering the vlan database privileged EXEC command. For more information about available keywords, see the vtp VLAN database configuration command description in the command reference for this release.
Chapter 13 Configuring VTP Configuring VTP VTP Version Follow these guidelines when deciding which VTP version to implement: • All switches in a VTP domain must run the same VTP version. • A VTP Version 2-capable switch can operate in the same VTP domain as a switch running VTP Version 1 if Version 2 is disabled on the Version 2-capable switch (Version 2 is disabled by default). • Do not enable VTP Version 2 on a switch unless all of the switches in the same VTP domain are Version-2-capable.
Chapter 13 Configuring VTP Configuring VTP Step 4 Command Purpose vtp password password (Optional) Set the password for the VTP domain. The password can be 8 to 64 characters. If you configure a VTP password, the VTP domain does not function properly if you do not assign the same password to each switch in the domain. Step 5 end Return to privileged EXEC mode. Step 6 show vtp status Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.
Chapter 13 Configuring VTP Configuring VTP This example shows how to use VLAN database configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword: Switch# vlan database Switch(vlan)# vtp server Switch(vlan)# vtp domain eng_group Switch(vlan)# vtp password mypassword Switch(vlan)# exit APPLY completed. Exiting.... Switch# Configuring a VTP Client When a switch is in VTP client mode, you cannot change its VLAN configuration.
Use the no vtp mode global configuration command to return the switch to VTP server mode. To return the switch to a no-password state, use the no vtp password global configuration command. When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain.
Chapter 13 Configuring VTP Configuring VTP Note You can also configure VTP transparent mode by using the vlan database privileged EXEC command to enter VLAN database configuration mode and by entering the vtp transparent command, similar to the second procedure under the “Configuring a VTP Server” section on page 13-9. Use the no vtp transparent VLAN database configuration command to return the switch to VTP server mode.
Chapter 13 Configuring VTP Configuring VTP Enabling VTP Pruning Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode. Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the VTP domain: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 13 Configuring VTP Configuring VTP Beginning in privileged EXEC mode, follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain: Step 1 Command Purpose show vtp status Check the VTP configuration revision number. If the number is 0, add the switch to the VTP domain. If the number is greater than 0, follow these steps: a. Write down the domain name. b. Write down the configuration revision number. c.
Chapter 13 Configuring VTP Monitoring VTP Monitoring VTP You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 13-3 shows the privileged EXEC commands for monitoring VTP activity. Table 13-3 VTP Monitoring Commands Command Purpose show vtp status Display the VTP switch configuration information.
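The following is an added example, not from the guide, of the order of operations for bringing a switch into an existing VTP domain safely: reset its configuration revision first, then set the domain name and password, and only then choose its final mode. The domain name and password are the guide's own example values and stand in for the real ones.

```cisco
! Step 1: on the switch being added, force the configuration revision to 0.
! Changing to transparent mode resets the revision counter, so the switch
! cannot overwrite the domain's VLAN database when its first trunk comes up.
vtp mode transparent
!
! Step 2: join the existing domain with the same name and password as every
! other switch in it. The password feeds the MD5 digest carried in
! advertisements; a switch without it cannot inject accepted updates.
vtp domain eng_group
vtp password mypassword
!
! Step 3: only now select the final mode. A client learns VLANs from the
! servers but cannot originate changes; leave the switch transparent instead
! if it must keep a VLAN database of its own.
vtp mode client
```

Before connecting any trunk, confirm with show vtp status that Configuration Revision reads 0 and that VTP Domain Name matches the domain. The reason the order matters is the property the revision-reset procedure above guards against: a switch that joins with a higher revision number than the domain's servers replaces the VLAN database on every switch in the domain with its own, whether it is a server or a client.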
CH A P T E R 14 Configuring Voice VLAN This chapter describes how to configure the voice VLAN feature on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6500 family switch documentation. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 14 Configuring Voice VLAN Understanding Voice VLAN Figure 14-1 shows one way to connect a Cisco 7960 IP Phone. [Figure 14-1 Cisco 7960 IP Phone Connected to a Switch: the phone's internal 3-port switch connects port P1 to the switch access port, port P2 to the phone ASIC, and port P3 to a PC.] Cisco IP Phone Voice Traffic You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.
Chapter 14 Configuring Voice VLAN Configuring Voice VLAN Note Untagged traffic from the device attached to the Cisco IP Phone passes through the phone unchanged, regardless of the trust state of the access port on the phone.
• If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN:
– They both use IEEE 802.1p or untagged frames.
– The Cisco IP Phone uses IEEE 802.1p frames, and the device uses untagged frames.
– The Cisco IP Phone uses untagged frames, and the device uses IEEE 802.1p frames.
– The Cisco IP Phone uses IEEE 802.
Chapter 14 Configuring Voice VLAN Configuring Voice VLAN Configuring Cisco IP Phone Voice Traffic You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value. It can use IEEE 802.1p priority tagging to give voice traffic a higher priority and forward all voice traffic through the native (access) VLAN.
Chapter 14 Configuring Voice VLAN Configuring Voice VLAN This example shows how to configure a port connected to a Cisco IP Phone to use the CoS value to classify incoming traffic, to use IEEE 802.1p priority tagging for voice traffic, and to use the default native VLAN (VLAN 0) to carry all traffic: Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z.
Chapter 14 Configuring Voice VLAN Displaying Voice VLAN Step 3 Command Purpose switchport priority extend {cos value | trust} Set the priority of data traffic received from the Cisco IP Phone access port: • cos value—Configure the phone to override the priority received from the PC or the attached device with the specified CoS value. The value is a number from 0 to 7, with 7 as the highest priority. The default priority is cos 0.
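As an added example that is not part of the guide, this port configuration applies the voice VLAN and priority-extend settings described above to a port with an IP phone and a PC behind it, choosing the cos override rather than trust so that the host behind the phone cannot mark its own traffic as voice priority. The interface number and the VLAN IDs 10 (data) and 20 (voice) are assumptions.

```cisco
! QoS must be enabled globally for the per-port trust settings to apply.
mls qos
!
interface gigabitethernet1/0/3
 description IP phone with a PC behind it (assumed)
 switchport mode access
 ! Untagged frames from the PC land in the data VLAN.
 switchport access vlan 10
 ! The phone learns VLAN 20 through CDP and tags its voice frames with it.
 switchport voice vlan 20
 ! Trust the CoS the phone marks, but only while CDP confirms a Cisco phone;
 ! if a PC is plugged in directly, its CoS is not trusted.
 mls qos trust cos
 mls qos trust device cisco-phone
 ! Tell the phone to overwrite the CoS of frames from the PC with 0 instead of
 ! passing it through (the trust keyword would keep whatever the PC set).
 switchport priority extend cos 0
 spanning-tree portfast
```

The override only acts on the IEEE 802.1p priority of tagged frames the PC sends through the phone; untagged PC traffic passes through the phone unchanged, as the note above says, and is classified on the switch port according to the trust setting. Confirm the port state with show interfaces gigabitethernet1/0/3 switchport, which reports the voice VLAN and the priority-extend setting.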
CH A P T E R 15 Configuring Private VLANs This chapter describes how to configure private VLANs on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 15 Configuring Private VLANs Understanding Private VLANs [Figure 15-1 Private-VLAN Domain: one private VLAN domain with a primary VLAN and two subdomains, a secondary isolated VLAN and a secondary community VLAN.] There are two types of secondary VLANs: • Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.
Primary and secondary VLANs have these characteristics:
• Primary VLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.
• Isolated VLAN—A private VLAN has only one isolated VLAN.
Private VLANs across Multiple Switches As with regular VLANs, private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch. The trunk port treats the private VLAN as any other VLAN. A feature of private VLANs across multiple switches is that traffic from an isolated port in Switch A does not reach an isolated port on Switch B. See Figure 15-2.
Chapter 15 Configuring Private VLANs Understanding Private VLANs You should also see the “Secondary and Primary VLAN Configuration” section on page 15-7 under the “Private-VLAN Configuration Guidelines” section. Private VLANs and Unicast, Broadcast, and Multicast Traffic In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but devices connected to interfaces in different VLANs must communicate at the Layer 3 level.
Chapter 15 Configuring Private VLANs Configuring Private VLANs • If two stacks merge, private VLANs on the winning stack are not affected, but private-VLAN configuration on the losing switch is lost when that switch reboots. For more information about switch stacks, see Chapter 5, “Managing Switch Stacks.
Chapter 15 Configuring Private VLANs Configuring Private VLANs Private-VLAN Configuration Guidelines Guidelines for configuring private VLANs fall into these categories: • Secondary and Primary VLAN Configuration, page 15-7 • Private-VLAN Port Configuration, page 15-8 • Limitations with Other Features, page 15-9 Secondary and Primary VLAN Configuration Follow these guidelines when configuring private VLANs: • Set VTP to transparent mode.
Chapter 15 Configuring Private VLANs Configuring Private VLANs Connecting a device with a different MAC address but with the same IP address generates a message, and the ARP entry is not created. You must manually remove private-VLAN port ARP entries if a MAC address changes. – You can remove a private-VLAN ARP entry by using the no arp ip-address global configuration command. – You can add a private-VLAN ARP entry by using the arp ip-address hardware-address type global configuration command.
Chapter 15 Configuring Private VLANs Configuring Private VLANs Limitations with Other Features When configuring private VLANs, remember these limitations with other features: Note In some cases, the configuration is accepted with no error messages, but the commands have no effect. • Do not configure fallback bridging on switches with private VLANs. • When IGMP snooping is enabled on the switch (the default), the switch or switch stack supports no more than 20 private-VLAN domains.
Chapter 15 Configuring Private VLANs Configuring Private VLANs Configuring and Associating VLANs in a Private VLAN Beginning in privileged EXEC mode, follow these steps to configure a private VLAN: Note The private-vlan commands do not take effect until you exit VLAN configuration mode. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vtp mode transparent Set VTP mode to transparent (disable VTP).
Chapter 15 Configuring Private VLANs Configuring Private VLANs When you associate secondary VLANs with a primary VLAN, note this syntax information: • The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single private-VLAN ID or a hyphenated range of private-VLAN IDs. • The secondary_vlan_list parameter can contain multiple community VLAN IDs but only one isolated VLAN ID.
Chapter 15 Configuring Private VLANs Configuring Private VLANs Command Purpose Step 3 switchport mode private-vlan host Configure the Layer 2 port as a private-VLAN host port. Step 4 switchport private-vlan host-association primary_vlan_id secondary_vlan_id Associate the Layer 2 port with a private VLAN. Step 5 end Return to privileged EXEC mode. Step 6 show interfaces [interface-id] switchport Verify the configuration.
Chapter 15 Configuring Private VLANs Configuring Private VLANs Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN promiscuous port and map it to primary and secondary VLANs: Note Isolated and community VLANs are both secondary VLANs. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 15 Configuring Private VLANs Configuring Private VLANs Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface If the private VLAN will be used for inter-VLAN routing, you configure an SVI for the primary VLAN and map secondary VLANs to the SVI. Note Isolated and community VLANs are both secondary VLANs.
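The following is an added end-to-end example, not taken from the guide, that runs through the preceding private-VLAN procedures in order: create and associate the VLANs, configure isolated and community host ports and a promiscuous port, and map the secondary VLANs on the primary VLAN's Layer 3 interface. The VLAN IDs (200 primary, 201 isolated, 202 community), the interface numbers, and the IP address are assumptions.

```cisco
! Private VLANs require VTP transparent mode.
vtp mode transparent
!
! Secondary VLANs first, then the primary VLAN that binds them together.
! The private-vlan commands take effect when you exit each vlan configuration mode.
vlan 201
 private-vlan isolated
vlan 202
 private-vlan community
vlan 200
 private-vlan primary
 private-vlan association 201,202
!
! Isolated host ports: each can reach the promiscuous port only, not each
! other, even though both sit in the same primary VLAN and IP subnet.
interface range gigabitethernet1/0/1 - 2
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Community host ports: reach each other and the promiscuous port, but no
! isolated port and no other community.
interface range gigabitethernet1/0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
! Promiscuous port toward the default gateway or firewall: reaches every
! host port in both secondary VLANs.
interface gigabitethernet1/0/17
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
!
! If the switch itself routes for the private VLAN, the SVI belongs to the
! primary VLAN and the secondaries are mapped to it (address assumed).
interface vlan 200
 ip address 10.200.0.1 255.255.255.0
 private-vlan mapping 201,202
```

Check the result with show vlan private-vlan, which lists each secondary VLAN with its type, its primary VLAN, and its ports, and with show interfaces gigabitethernet1/0/1 switchport for the host association. Because every host in the private VLAN shares one subnet, Layer 2 isolation is the only thing separating the isolated hosts; anything that could bridge them, including a misconfigured promiscuous port or a trunk to a switch that does not understand private VLANs, removes that separation. If you use the SVI, keep in mind the sticky ARP behavior described earlier: a host whose MAC address changes keeps its old ARP entry until you remove it with no arp.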
Chapter 15 Configuring Private VLANs Monitoring Private VLANs Monitoring Private VLANs Table 15-1 shows the privileged EXEC commands for monitoring private-VLAN activity. Table 15-1 Private VLAN Monitoring Commands
show interfaces status Displays the status of interfaces, including the VLANs to which they belong.
show vlan private-vlan [type] Displays the private-VLAN information for the switch.
show interface switchport Displays the private-VLAN configuration on interfaces.
Chapter 16 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling

Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure, often Ethernet-based, with the same security, prioritization, reliability, and manageability requirements as private networks.

Understanding IEEE 802.1Q Tunneling
Customer traffic tagged in the normal way with appropriate VLAN IDs comes from an IEEE 802.1Q trunk port on the customer device and into a tunnel port on the service-provider edge switch. The link between the customer device and the edge switch is asymmetric because one end is configured as an IEEE 802.1Q trunk port, and the other end is configured as a tunnel port.

[Figure: Original (Normal), IEEE 802.1Q, and Double-Tagged Ethernet Packet Formats. The original Ethernet frame carries Destination address (DA), Source address (SA), Length/EtherType, Data, and Frame Check Sequence (FCS). An IEEE 802.1Q frame inserts an EtherType and Tag after SA. A double-tagged frame carries two EtherType and Tag pairs, the outer (metro) tag followed by the customer tag.]

Configuring IEEE 802.1Q Tunneling
These sections contain this configuration information:
• Default IEEE 802.1Q Tunneling Configuration, page 16-4
• IEEE 802.1Q Tunneling Configuration Guidelines, page 16-4
• IEEE 802.1Q Tunneling and Other Features, page 16-6
• Configuring an IEEE 802.1Q Tunneling Port, page 16-6
Default IEEE 802.1Q Tunneling Configuration
By default, IEEE 802.

These are some ways to solve this problem:
• Use ISL trunks between core switches in the service-provider network. Although customer interfaces connected to edge switches must be IEEE 802.1Q trunks, we recommend using ISL trunks for connecting switches in the core layer.
• Use the vlan dot1q tag native global configuration command to configure the edge switch so that all packets going out an IEEE 802.

IEEE 802.1Q Tunneling and Other Features
Although IEEE 802.1Q tunneling works well for Layer 2 packet switching, there are incompatibilities between some Layer 2 features and Layer 3 switching.
• A tunnel port cannot be a routed port.
• IP routing is not supported on a VLAN that includes IEEE 802.1Q ports. Packets received from a tunnel port are forwarded based only on Layer 2 information.

Command Purpose
Step 5 exit Return to global configuration mode.
Step 6 vlan dot1q tag native (Optional) Set the switch to enable tagging of native VLAN packets on all IEEE 802.1Q trunk ports. When not set, and a customer VLAN ID is the same as the native VLAN, the trunk port does not apply a metro tag, and packets could be sent to the wrong destination.
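The following Python is an added example, not code from the Cisco guide. It decodes Ethernet frames with zero, one or two IEEE 802.1Q tags (the packet formats in the figure above), models what a tunnel port does when it pushes the metro tag, and then shows the native-VLAN problem described for Step 6: when the outer tag equals the trunk's native VLAN and vlan dot1q tag native is not set, the metro tag is stripped on egress and only the customer tag remains. The MAC addresses, VLAN numbers and payload are constructed; the function names are this example's own.

```python
"""Added example (not from the Cisco guide): decode Ethernet frames carrying
zero, one or two IEEE 802.1Q tags, and show why an untagged native VLAN on
the provider trunk can lose the metro tag."""
from __future__ import annotations
import struct
from dataclasses import dataclass, field

DOT1Q_ETYPE = 0x8100


@dataclass
class Frame:
    dst: bytes
    src: bytes
    tags: list[int] = field(default_factory=list)  # outer (metro) tag first
    ethertype: int = 0
    payload: bytes = b""


def parse_frame(raw: bytes) -> Frame:
    """Walk past every 802.1Q tag; the outer tag is listed first."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[0:6], raw[6:12]
    offset = 12
    tags: list[int] = []
    while True:
        (etype,) = struct.unpack_from("!H", raw, offset)
        offset += 2
        if etype != DOT1Q_ETYPE:
            break
        (tci,) = struct.unpack_from("!H", raw, offset)
        offset += 2
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
    return Frame(dst, src, tags, etype, raw[offset:])


def build_frame(dst: bytes, src: bytes, tags: list[int],
                ethertype: int, payload: bytes) -> bytes:
    """Inverse of parse_frame; used here to construct sample input."""
    out = dst + src
    for vid in tags:
        out += struct.pack("!HH", DOT1Q_ETYPE, vid & 0x0FFF)
    return out + struct.pack("!H", ethertype) + payload


def tunnel_ingress(raw: bytes, metro_vlan: int) -> bytes:
    """What a tunnel port does: push the provider (metro) tag in front."""
    f = parse_frame(raw)
    return build_frame(f.dst, f.src, [metro_vlan] + f.tags, f.ethertype, f.payload)


def trunk_egress(raw: bytes, native_vlan: int, tag_native: bool) -> bytes:
    """Core-facing IEEE 802.1Q trunk egress.

    Without 'vlan dot1q tag native', a frame whose outer VLAN equals the
    trunk's native VLAN leaves untagged, so the customer tag becomes the
    only tag and the core may deliver the frame to the wrong destination.
    """
    f = parse_frame(raw)
    if f.tags and f.tags[0] == native_vlan and not tag_native:
        f.tags = f.tags[1:]
    return build_frame(f.dst, f.src, f.tags, f.ethertype, f.payload)


# Constructed sample: a customer frame in VLAN 30 (IPv4 payload stub).
SAMPLE_CUSTOMER_FRAME = build_frame(
    b"\x00\x00\x0c\x00\x00\x02", b"\x00\x00\x0c\x00\x00\x01", [30], 0x0800, b"\x45" + b"\x00" * 19
)
```

Feed the same double-tagged frame through trunk_egress with tag_native False and True to see the difference that the global command makes; the untagged case is the one to look for when a customer VLAN ID collides with the provider's native VLAN.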
Understanding Layer 2 Protocol Tunneling
as normal packets. Layer 2 protocol data units (PDUs) for CDP, STP, or VTP cross the service-provider network and are delivered to customer switches on the outbound side of the service-provider network.
Configuring Layer 2 Protocol Tunneling
For example, in Figure 16-6, Customer A has two switches in the same VLAN that are connected through the SP network. When the network tunnels PDUs, switches on the far ends of the network can negotiate the automatic creation of EtherChannels without needing dedicated lines. See the “Configuring Layer 2 Tunneling for EtherChannels” section on page 16-14 for instructions.

See Figure 16-4, with Customer X and Customer Y in access VLANs 30 and 40, respectively. Asymmetric links connect the customers in Site 1 to edge switches in the service-provider network. The Layer 2 PDUs (for example, BPDUs) coming into Switch B from Customer Y in Site 1 are forwarded to the infrastructure as double-tagged packets with the well-known MAC address as the destination MAC address.

Layer 2 Protocol Tunneling Configuration Guidelines
These are some configuration guidelines and operating characteristics of Layer 2 protocol tunneling:
• The switch supports tunneling of CDP, STP, including multiple STP (MSTP), and VTP. Protocol tunneling is disabled by default but can be enabled for the individual protocols on IEEE 802.1Q tunnel ports or access ports.

Configuring Layer 2 Protocol Tunneling
Beginning in privileged EXEC mode, follow these steps to configure a port for Layer 2 protocol tunneling:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Enter interface configuration mode, and enter the interface to be configured as a tunnel port.

Use the no l2protocol-tunnel [cdp | stp | vtp] interface configuration command to disable protocol tunneling for one of the Layer 2 protocols or for all three. Use the no l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] and the no l2protocol-tunnel drop-threshold [cdp | stp | vtp] commands to return the shutdown and drop thresholds to the default settings.

Command Purpose
Step 5 l2protocol-tunnel shutdown-threshold [point-to-point [pagp | lacp | udld]] value (Optional) Configure the threshold for packets-per-second accepted for encapsulation. The interface is disabled if the configured threshold is exceeded. If no protocol option is specified, the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096.
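The following Python is an added example, not code from the Cisco guide. It models the per-protocol, per-second accounting behind the drop-threshold and shutdown-threshold options described above: PDUs above the drop threshold are discarded, and exceeding the shutdown threshold error-disables the port until an administrator intervenes. The class and function names are this example's own, the PDU stream is constructed, and the rule that the drop threshold may not exceed the shutdown threshold is an assumption not stated on this page (it is enforced here because the opposite ordering would disable the port before anything was dropped).

```python
"""Added example (not from the Cisco guide): per-second rate accounting that
mimics the l2protocol-tunnel drop-threshold and shutdown-threshold behaviour."""
from __future__ import annotations
from collections import defaultdict

THRESHOLD_RANGE = range(1, 4097)  # the guide gives 1 to 4096 pps


class TunnelPort:
    def __init__(self, drop_threshold: int | None = None,
                 shutdown_threshold: int | None = None) -> None:
        for t in (drop_threshold, shutdown_threshold):
            if t is not None and t not in THRESHOLD_RANGE:
                raise ValueError("threshold must be 1-4096")
        # Assumption (not on this page): drop threshold <= shutdown threshold.
        if drop_threshold and shutdown_threshold and drop_threshold > shutdown_threshold:
            raise ValueError("drop-threshold must be <= shutdown-threshold")
        self.drop = drop_threshold
        self.shutdown = shutdown_threshold
        self.err_disabled = False
        # (second, protocol) -> PDUs seen; the threshold applies per protocol.
        self.counts: dict[tuple[int, str], int] = defaultdict(int)
        self.dropped = 0

    def receive(self, second: int, proto: str) -> str:
        """Return 'encapsulated', 'dropped' or 'err-disabled' for one PDU."""
        if self.err_disabled:
            return "err-disabled"
        self.counts[(second, proto)] += 1
        n = self.counts[(second, proto)]
        if self.shutdown is not None and n > self.shutdown:
            self.err_disabled = True  # stays down until manually re-enabled
            return "err-disabled"
        if self.drop is not None and n > self.drop:
            self.dropped += 1
            return "dropped"
        return "encapsulated"


def simulate(port: TunnelPort, pdus: list[tuple[int, str]]) -> dict[str, int]:
    """Feed constructed (second, protocol) pairs and tally the outcomes."""
    tally: dict[str, int] = defaultdict(int)
    for second, proto in pdus:
        tally[port.receive(second, proto)] += 1
    return dict(tally)
```

A burst of six CDP PDUs in one second against drop 3 / shutdown 5 yields three encapsulated, two dropped and then an error-disabled port; STP PDUs in the same second are counted separately, which is what "applies to each of the tunneled Layer 2 protocol types" means in practice.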
Configuring the Customer Switch
After configuring the SP edge switch, begin in privileged EXEC mode and follow these steps to configure a customer switch for Layer 2 protocol tunneling for EtherChannels:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Enter interface configuration mode. This should be the customer switch port.
Monitoring and Maintaining Tunneling Status
Table 16-2 shows the privileged EXEC commands for monitoring and maintaining IEEE 802.1Q and Layer 2 protocol tunneling.
Table 16-2 Commands for Monitoring and Maintaining Tunneling
Command Purpose
clear l2protocol-tunnel counters Clear the protocol counters on Layer 2 protocol tunneling ports.
show dot1q-tunnel Display IEEE 802.
Chapter 17 Configuring STP

This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard. A switch stack appears as a single spanning-tree node to the rest of the network, and all stack members use the same bridge ID.

Understanding Spanning-Tree Features
• Supported Spanning-Tree Instances, page 17-10
• Spanning-Tree Interoperability and Backward Compatibility, page 17-11
• STP and IEEE 802.1Q Trunks, page 17-11
• VLAN-Bridge Spanning Tree, page 17-11
• Spanning Tree and Switch Stacks, page 17-12
For configuration information, see the “Configuring Spanning-Tree Features” section on page 17-12.

Spanning-Tree Topology and BPDUs
The stable, active spanning-tree topology of a switched network is controlled by these elements:
• The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch. In a switch stack, all switches use the same bridge ID for a given spanning-tree instance.
• The spanning-tree path cost to the root switch.

Only one outgoing port on the stack root switch is selected as the root port. The remaining switches in the stack become its designated switches (Switch 2 and Switch 3) as shown in Figure 17-1 on page 17-4.
• The shortest distance to the root switch is calculated for each switch based on the path cost.
• A designated switch for each LAN segment is selected.

The switch supports the IEEE 802.1t spanning-tree extensions, and some of the bits previously used for the switch priority are now used as the VLAN identifier. The result is that fewer MAC addresses are reserved for the switch, and a larger range of VLAN IDs can be supported, all while maintaining the uniqueness of the bridge ID.

• From learning to forwarding or to disabled
• From forwarding to disabled
Figure 17-2 illustrates how an interface moves through the states.

• Does not learn addresses
• Receives BPDUs
Listening State
The listening state is the first state a Layer 2 interface enters after the blocking state. The interface enters this state when the spanning tree decides that the interface should participate in frame forwarding.

How a Switch or Port Becomes the Root Switch or Root Port
If all switches in a network are enabled with default spanning-tree settings, the switch with the lowest MAC address becomes the root switch. In Figure 17-3, Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768) and Switch A has the lowest MAC address.
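The following Python is an added example, not code from the Cisco guide. It encodes a bridge ID the way the IEEE 802.1t extension described above does (a 4-bit priority that must be a multiple of 4096, a 12-bit extended system ID carrying the VLAN, and the MAC address), elects the root switch as the lowest bridge ID, computes each switch's path cost to the root with the default per-speed port costs from this guide, and picks a root port the way the text describes (lowest root path cost, tie broken by the lower neighbour bridge ID). The switch names, MAC addresses and links are constructed; a tie between two links to the same neighbour, which the real protocol resolves by port priority and port ID, is left out.

```python
"""Added example (not from the Cisco guide): IEEE 802.1t bridge-ID encoding,
root-switch election, and root-port selection by path cost."""
from __future__ import annotations
from dataclasses import dataclass

# Default port costs by link speed, as listed in the guide's default tables.
DEFAULT_COST = {10: 100, 100: 19, 1000: 4}  # Mb/s -> cost


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """Encode priority (4 bits), extended system ID (12-bit VLAN) and MAC.

    With 802.1t the priority keeps only its top 4 bits, so it must be a
    multiple of 4096 in 0..61440; the low 12 bits carry the VLAN ID.
    """
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("bad VLAN ID")
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    return ((priority | vlan) << 48) | mac_int


def elect_root(switches: dict[str, int]) -> str:
    """Lowest bridge ID wins; with equal priorities that is the lowest MAC."""
    return min(switches, key=switches.__getitem__)


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    speed_mbps: int


def root_path_costs(switches: dict[str, int], links: list[Link]) -> dict[str, int]:
    """Dijkstra over port costs: each switch's least cost to the root."""
    root = elect_root(switches)
    cost = {name: float("inf") for name in switches}
    cost[root] = 0.0
    done: set[str] = set()
    while len(done) < len(switches):
        cur = min((n for n in switches if n not in done), key=cost.__getitem__)
        done.add(cur)
        for ln in links:
            if cur in (ln.a, ln.b):
                other = ln.b if cur == ln.a else ln.a
                c = cost[cur] + DEFAULT_COST[ln.speed_mbps]
                if c < cost[other]:
                    cost[other] = c
    if any(c == float("inf") for c in cost.values()):
        raise ValueError("some switch has no path to the root")
    return {n: int(c) for n, c in cost.items()}


def root_port(switch: str, switches: dict[str, int], links: list[Link]) -> tuple[str, str] | None:
    """Upstream link: lowest root path cost, then lowest neighbour bridge ID."""
    if switch == elect_root(switches):
        return None  # the root switch has no root port
    costs = root_path_costs(switches, links)
    best = None
    for ln in links:
        if switch in (ln.a, ln.b):
            nbr = ln.b if switch == ln.a else ln.a
            key = (costs[nbr] + DEFAULT_COST[ln.speed_mbps], switches[nbr])
            if best is None or key < best[0]:
                best = (key, (switch, nbr))
    return best[1] if best else None


# Constructed sample: three switches at the default priority in VLAN 1.
SAMPLE_SWITCHES = {
    "A": bridge_id(32768, 1, "00:00:0c:00:00:01"),
    "B": bridge_id(32768, 1, "00:00:0c:00:00:02"),
    "C": bridge_id(32768, 1, "00:00:0c:00:00:03"),
}
SAMPLE_LINKS = [Link("A", "B", 1000), Link("A", "C", 100), Link("B", "C", 1000)]
```

With all priorities at 32768, Switch A wins on MAC address alone, which is why the guide recommends setting the priority of the intended backbone root explicitly rather than letting the election fall to whichever device happens to have the lowest MAC.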
[Figure 17-4 Spanning Tree and Redundant Connectivity: blade servers attached to two switches, one active link and one blocked link.]
You can also create redundant links between switches by using EtherChannel groups. For more information, see Chapter 37, “Configuring EtherChannels and Link-State Tracking.”

Spanning-Tree Address Management
IEEE 802.1D specifies 17 multicast addresses, ranging from 0x0180C2000000 to 0x0180C2000010, to be used by different bridge protocols.

Spanning-Tree Modes and Protocols
The switch supports these spanning-tree modes and protocols:
• PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.

Spanning-Tree Interoperability and Backward Compatibility
Table 17-2 lists the interoperability and compatibility among the supported spanning-tree modes in a network.

Configuring Spanning-Tree Features
VLAN spanning trees to prevent loops from forming if there are multiple connections among VLANs. It also prevents the individual spanning trees of the VLANs being bridged from collapsing into a single spanning tree. To support VLAN-bridge spanning tree, some of the spanning-tree timers are increased. To use the fallback bridging feature, you must have the IP services feature set enabled on your switch.

• Configuring the Switch Priority of a VLAN, page 17-21 (optional)
• Configuring Spanning-Tree Timers, page 17-22 (optional)
Default Spanning-Tree Configuration
Table 17-3 shows the default spanning-tree configuration.
Table 17-3 Default Spanning-Tree Configuration
Feature Default Setting
Enable state Enabled on VLAN 1. For more information, see the “Supported Spanning-Tree Instances” section on page 17-10.
Spanning-tree mode PVST+.

Caution Switches that are not running spanning tree still forward BPDUs that they receive so that the other switches on the VLAN that have a running spanning-tree instance can break loops. Therefore, spanning tree must be running on enough switches to break all the loops in the network; for example, at least one switch on each loop in the VLAN must be running spanning tree.

Changing the Spanning-Tree Mode
The switch supports three spanning-tree modes: PVST+, rapid PVST+, and MSTP. By default, the switch runs the PVST+ protocol. Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required.
Command Purpose
Step 1 configure terminal Enter global configuration mode.

Disabling Spanning Tree
Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in the “Supported Spanning-Tree Instances” section on page 17-10. Disable spanning tree only if you are sure there are no loops in the network topology.

Note The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root.
Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).

Configuring a Secondary Root Switch
When you configure a switch as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails. This assumes that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch.

Note If your switch is a member of a switch stack, you must use the spanning-tree [vlan vlan-id] cost cost interface configuration command instead of the spanning-tree [vlan vlan-id] port-priority priority interface configuration command to select an interface to put in the forwarding state. Assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.

To return to the default setting, use the no spanning-tree [vlan vlan-id] port-priority interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree port priorities, see the “Configuring Trunk Ports for Load Sharing” section on page 12-24.
Configuring Path Cost
The spanning-tree path cost default value is derived from the media speed of an interface.

Note The show spanning-tree interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration.
To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command.

Configuring Spanning-Tree Timers
Table 17-4 describes the timers that affect the entire spanning-tree performance.
Table 17-4 Spanning-Tree Timers
Variable Description
Hello timer Controls how often the switch broadcasts hello messages to other switches.
Forward-delay timer Controls how long each of the listening and learning states lasts before the interface begins forwarding.

Configuring the Forwarding-Delay Time for a VLAN
Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 spanning-tree vlan vlan-id forward-time seconds Configure the forward time of a VLAN.

Configuring the Transmit Hold-Count
You can configure the BPDU burst size by changing the transmit hold count value.
Note Changing this parameter to a higher value can have a significant impact on CPU utilization, especially in Rapid-PVST mode. Lowering this value can slow down convergence in certain scenarios. We recommend that you maintain the default setting.
Chapter 18 Configuring MSTP

This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the switch.
Note The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard.
The MSTP enables multiple VLANs to be mapped to the same spanning-tree instance, reducing the number of spanning-tree instances needed to support a large number of VLANs. The MSTP provides for multiple forwarding paths for data traffic and enables load-balancing.

Understanding MSTP
• Configuring MSTP Features, page 18-14
• Displaying the MST Configuration and Status, page 18-26
Understanding MSTP
MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances.

IST, CIST, and CST
Unlike PVST+ and rapid PVST+, in which all the spanning-tree instances are independent, the MSTP establishes and maintains two types of spanning trees:
• An internal spanning tree (IST), which is the spanning tree that runs in an MST region. Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST).

For correct operation, all switches in the MST region must agree on the same CIST regional root. Therefore, any two switches in the region only synchronize their port roles for an MST instance if they converge to a common CIST regional root.
Operations Between MST Regions
If there are multiple regions or legacy IEEE 802.

MSTP switches use Version 3 RSTP BPDUs or IEEE 802.1D STP BPDUs to communicate with legacy IEEE 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches.
IEEE 802.1s Terminology
Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters.

The message-age and maximum-age information in the RSTP portion of the BPDU remain the same throughout the region, and the same values are propagated by the region designated ports at the boundary.

Port Role Naming Change
The boundary role is no longer in the final MST standard, but this boundary concept is maintained in Cisco’s implementation. However, an MST instance port at a boundary of the region might not follow the state of the corresponding CIST port.

Detecting Unidirectional Link Failure
This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.

Understanding RSTP
Interoperability with IEEE 802.1D STP
A switch running MSTP supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If this switch receives a legacy IEEE 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only IEEE 802.1D BPDUs on that port.

• Backup port—Acts as a backup for the path provided by a designated port toward the leaves of the spanning tree. A backup port can exist only when two ports are connected in a loopback by a point-to-point link or when a switch has two or more connections to a shared LAN segment.
• Disabled port—Has no role within the operation of the spanning tree.
A port with the root or a designated port role is included in the active topology.

After receiving Switch B’s agreement message, Switch A also immediately transitions its designated port to the forwarding state. No loops in the network are formed because Switch B blocked all of its nonedge ports and because there is a point-to-point link between Switches A and B. When Switch C is connected to Switch B, a similar set of handshaking messages are exchanged.

If a designated port is in the forwarding state and is not configured as an edge port, it transitions to the blocking state when the RSTP forces it to synchronize with new root information. In general, when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions, its port state is set to blocking.

Table 18-3 RSTP BPDU Flags (continued)
Bit Function
5 Forwarding
6 Agreement
7 Topology change acknowledgement (TCA)
The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN. The port role in the proposal message is always set to the designated port. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal.
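The following Python is an added example, not code from the Cisco guide. It decodes the RSTP BPDU flags octet (bits 5 to 7 are the forwarding, agreement and TCA bits from Table 18-3; bits 0 to 4 are the topology-change, proposal, port-role and learning bits defined by IEEE 802.1w) and then applies two of the consistency rules discussed on this page: a proposal must carry the designated role, and a designated port that receives a BPDU from another designated port that is already learning or forwarding is the role-and-state conflict that the unidirectional-link check under "Detecting Unidirectional Link Failure" is meant to catch. The function names are this example's own; the my_role parameter and the exact conflict rule are a simplification of the real check and are assumptions of this example.

```python
"""Added example (not from the Cisco guide): decode the RSTP BPDU flags
octet (IEEE 802.1w) and apply the consistency checks the guide describes."""
from __future__ import annotations
from dataclasses import dataclass

# Bit layout of the RSTP flags octet (bit 0 is the least significant bit).
TC, PROPOSAL, LEARNING, FORWARDING, AGREEMENT, TCA = 0x01, 0x02, 0x10, 0x20, 0x40, 0x80
ROLE_SHIFT, ROLE_MASK = 2, 0x0C  # bits 2-3 encode the sender's port role
ROLE_NAMES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}


@dataclass(frozen=True)
class RstpFlags:
    topology_change: bool
    proposal: bool
    role: str
    learning: bool
    forwarding: bool
    agreement: bool
    tca: bool


def decode_flags(octet: int) -> RstpFlags:
    """Split the flags octet into named fields."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("flags must be one octet")
    return RstpFlags(
        topology_change=bool(octet & TC),
        proposal=bool(octet & PROPOSAL),
        role=ROLE_NAMES[(octet & ROLE_MASK) >> ROLE_SHIFT],
        learning=bool(octet & LEARNING),
        forwarding=bool(octet & FORWARDING),
        agreement=bool(octet & AGREEMENT),
        tca=bool(octet & TCA),
    )


def check_consistency(flags: RstpFlags, my_role: str) -> list[str]:
    """Return the inconsistencies found in a received BPDU.

    my_role is the role of the port that received the BPDU (assumption of
    this example). Rules applied:
    - a proposal always carries the designated role (stated in the guide);
    - a port cannot be forwarding without also learning;
    - two designated ports facing each other, with the peer already
      learning or forwarding, means both ends think they own the segment.
      That is the pattern a unidirectional link produces, and the safe
      reaction is to keep this port blocked rather than risk a loop.
    """
    problems: list[str] = []
    if flags.proposal and flags.role != "designated":
        problems.append("proposal from a non-designated port")
    if flags.forwarding and not flags.learning:
        problems.append("forwarding set without learning")
    if my_role == "designated" and flags.role == "designated" and (flags.learning or flags.forwarding):
        problems.append("designated/designated dispute: possible unidirectional link")
    return problems
```

Decoding 0x0E gives a clean proposal from a designated port, while 0x3C received on a designated port is the dispute case; logging that condition is more useful than silently blocking, because it usually points at a fibre pair or transceiver problem rather than a configuration error.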
Configuring MSTP Features
• Notification—Unlike IEEE 802.1D, the RSTP does not use TCN BPDUs. However, for IEEE 802.1D interoperability, an RSTP switch processes and generates TCN BPDUs.
• Acknowledgement—When an RSTP switch receives a TCN message on a designated port from an IEEE 802.1D switch, it replies with an IEEE 802.1D configuration BPDU with the TCA bit set. However, if the TC-while timer (the same as the topology-change timer in IEEE 802.

Default MSTP Configuration
Table 18-4 shows the default MSTP configuration.
Table 18-4 Default MSTP Configuration
Feature Default Setting
Spanning-tree mode PVST+ (Rapid PVST+ and MSTP are disabled).
Switch priority (configurable on a per-CIST port basis) 32768.
Spanning-tree port priority (configurable on a per-CIST port basis) 128.
Spanning-tree port cost (configurable on a per-CIST port basis) 1000 Mb/s: 4. 100 Mb/s: 19. 10 Mb/s: 100.

• For load-balancing across redundant paths in the network to work, all VLAN-to-instance mapping assignments must match; otherwise, all traffic flows on a single link. You can achieve load-balancing across a switch stack by manually configuring the path cost.
• All MST boundary ports must be forwarding for load-balancing between a PVST+ and an MST cloud or between a rapid-PVST+ and an MST cloud.

Command Purpose
Step 8 spanning-tree mode mst Enable MSTP. RSTP is also enabled.
Caution Changing spanning-tree modes can disrupt traffic because all spanning-tree instances are stopped for the previous mode and restarted in the new mode. You cannot run both MSTP and PVST+ or both MSTP and rapid PVST+ at the same time.
Step 9 end Return to privileged EXEC mode.
Step 10 show running-config Verify your entries.

If any root switch for the specified instance has a switch priority lower than 24576, the switch sets its own priority to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit switch priority value as shown in Table 17-1 on page 17-5.)

Configuring a Secondary Root Switch
When you configure a switch with the extended system ID support as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified instance if the primary root switch fails. This assumes that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch.
Note If your switch is a member of a switch stack, you must use the spanning-tree mst [instance-id] cost cost interface configuration command instead of the spanning-tree mst [instance-id] port-priority priority interface configuration command to select a port to put in the forwarding state. Assign lower cost values to ports that you want selected first and higher cost values to ports that you want selected last.

Configuring Path Cost
The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.

Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
Beginning in privileged EXEC mode, follow these steps to configure the switch priority. This procedure is optional.
Command Purpose
Step 1 configure terminal Enter global configuration mode.

Command Purpose
Step 4 show spanning-tree mst Verify your entries.
Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
To return the switch to its default setting, use the no spanning-tree mst hello-time global configuration command.
Configuring the Forwarding-Delay Time
Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for all MST instances.

To return the switch to its default setting, use the no spanning-tree mst max-age global configuration command.
Configuring the Maximum-Hop Count
Beginning in privileged EXEC mode, follow these steps to configure the maximum-hop count for all MST instances. This procedure is optional.
Command Purpose
Step 1 configure terminal Enter global configuration mode.

Command Purpose
Step 5 show spanning-tree mst interface interface-id Verify your entries.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
Designating the Neighbor Type
A topology could contain both prestandard and IEEE 802.1s standard-compliant devices.

To restart the protocol migration process on a specific interface, use the clear spanning-tree detected-protocols interface interface-id privileged EXEC command.
Chapter 19 Configuring Optional Spanning-Tree Features

This chapter describes how to configure optional spanning-tree features on the switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+). You can configure only the noted features when your switch or switch stack is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol.

Understanding Optional Spanning-Tree Features
Understanding Port Fast
Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states.

At the interface level, you enable BPDU guard on any port by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. When the port receives a BPDU, it is put in the error-disabled state. The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service.

[Figure 19-2 Switches in a Hierarchical Network: backbone switches (containing the root bridge), distribution switches, and blade switches, with active and blocked links.]
If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port.

[Figure 19-3 UplinkFast Example Before Direct Link Failure: Switch A (Root), Switch B, and Switch C connected by links L1, L2, and L3, with a blocked port on Switch C.]
If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure

How CSUF Works
CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 19-5, the stack-root port on Switch 1 provides the path to the root of the spanning tree. The alternate stack-root ports on Switches 2 and 3 can provide an alternate path to the spanning-tree root if the current stack-root switch fails or if its link to the spanning-tree root fails.

Each switch in the stack decides if the sending switch is a better choice than itself to be the stack root of this spanning-tree instance by comparing the root, cost, and bridge ID. If the sending switch is the best choice as the stack root, each switch in the stack returns an acknowledgement; otherwise, it sends a fast-transition request.

BackboneFast, which is enabled by using the spanning-tree backbonefast global configuration command, starts when a root port or blocked interface on a switch receives inferior BPDUs from its designated switch. An inferior BPDU identifies a switch that declares itself as both the root bridge and the designated switch.

If link L1 fails as shown in Figure 19-7, Switch C cannot detect this failure because it is not connected directly to link L1. However, because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root, and begins sending BPDUs to Switch C, identifying itself as the root.

Understanding EtherChannel Guard
You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel, but the interfaces on the other device are not. A misconfiguration can also occur if the channel parameters are not the same at both ends of the EtherChannel.

Configuring Optional Spanning-Tree Features
[Figure 19-9 Root Guard in a Data-Center Network: the data-center network containing the desired root switch, and a customer network containing a potential spanning-tree root if root guard is not enabled.]
Enable the root-guard feature on these interfaces to prevent switches in the customer network from becoming the root switch or being in the path to the root.

• Enabling BackboneFast, page 19-16 (optional)
• Enabling EtherChannel Guard, page 19-17 (optional)
• Enabling Root Guard, page 19-18 (optional)
• Enabling Loop Guard, page 19-18 (optional)
Default Optional Spanning-Tree Configuration
Table 19-1 shows the default optional spanning-tree configuration.

Beginning in privileged EXEC mode, follow these steps to enable Port Fast. This procedure is optional.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Specify an interface to configure, and enter interface configuration mode.
Step 3 spanning-tree portfast [trunk] Enable Port Fast on an access port connected to a single workstation or server.

The BPDU guard feature provides a secure response to invalid configurations because you must manually put the port back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree.
Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs. Caution Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.
Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to enable UplinkFast and CSUF. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree uplinkfast [max-update-rate Enable UplinkFast. pkts-per-second] (Optional) For pkts-per-second, the range is 0 to 32000 packets per second; the default is 150.
Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Note If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs. This feature is supported for use with third-party switches. You can configure the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Enabling Root Guard Root guard enabled on an interface applies to all the VLANs to which the interface belongs. Do not enable the root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure.
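The BPDU comparison that CSUF, BackboneFast and root guard all rely on, as an added example that is not part of the Cisco guide: the root/cost/bridge-ID ordering used to pick the stack-root port, the inferior-BPDU test (a sender claiming to be both root and designated bridge), and the root guard verdict from the data-center figure. Bridge IDs, costs and the "root-inconsistent" label are constructed or assumed, not taken from the page.

```python
"""Added example (not from the Cisco guide): BPDU comparison as the text describes
for CSUF (root ID, then root path cost, then sender bridge ID), the inferior-BPDU
test that triggers BackboneFast, and the root guard rule from the data-center
figure. Bridge IDs, costs and the 'root-inconsistent' state name are constructed
or assumed; they are not taken from the page."""
from dataclasses import dataclass
from typing import Dict, Tuple

BridgeId = Tuple[int, str]   # (priority, MAC as lowercase "xx:xx:..."); the lower tuple wins


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId    # bridge the sender believes is the root
    root_cost: int       # sender's path cost to that root
    bridge_id: BridgeId  # sender's own bridge ID

    def vector(self) -> Tuple[BridgeId, int, BridgeId]:
        # Tuple comparison gives the 802.1D order: root ID, then cost, then bridge ID.
        return (self.root_id, self.root_cost, self.bridge_id)


def better(a: Bpdu, b: Bpdu) -> bool:
    """True if BPDU a is the better claim (lower root ID, then lower cost, then lower bridge ID)."""
    return a.vector() < b.vector()


def elect_stack_root(best_bpdu_per_member: Dict[str, Bpdu]) -> str:
    """CSUF: each stack member offers the best BPDU it received; the member whose BPDU
    wins the root/cost/bridge-ID comparison holds the stack-root port."""
    return min(best_bpdu_per_member, key=lambda m: best_bpdu_per_member[m].vector())


def is_inferior(received: Bpdu, known_root: BridgeId) -> bool:
    """BackboneFast trigger: the sender declares itself root (root_id == its own bridge_id)
    although we know a better root, i.e. it has lost its own path to the real root."""
    return received.root_id == received.bridge_id and received.root_id > known_root


def root_guard_verdict(received: Bpdu, our_root: BridgeId, root_guard_enabled: bool) -> str:
    """Root guard: a BPDU on a guarded port that advertises a root better than ours would
    move the root into the customer network, so the port is blocked instead of
    accepting it (assumed state name: root-inconsistent)."""
    if root_guard_enabled and received.root_id < our_root:
        return "blocked (root-inconsistent)"
    return "accepted"


# Constructed sample topology: Switch A is the root with priority 4096.
ROOT: BridgeId = (4096, "00:00:5e:00:53:01")
SWITCH_B: BridgeId = (32768, "00:00:5e:00:53:0b")
CUSTOMER: BridgeId = (0, "00:00:5e:00:53:cc")

NORMAL_FROM_B = Bpdu(ROOT, 19, SWITCH_B)       # B still reaches the root over L1
AFTER_L1_FAILS = Bpdu(SWITCH_B, 0, SWITCH_B)   # B now claims to be root: an inferior BPDU
FROM_CUSTOMER = Bpdu(CUSTOMER, 0, CUSTOMER)    # a customer switch with a better root ID

if __name__ == "__main__":
    print("inferior:", is_inferior(AFTER_L1_FAILS, ROOT))
    print("root guard:", root_guard_verdict(FROM_CUSTOMER, ROOT, True))
```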
Chapter 19 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status

Step 3  spanning-tree loopguard default
        Enable loop guard. By default, loop guard is disabled.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To globally disable loop guard, use the no spanning-tree loopguard default global configuration command.

Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide 19-20 OL-12247-01
CHAPTER 20 Configuring Flex Links and the MAC Address-Table Move Update Feature

This chapter describes how to configure Flex Links, a pair of interfaces on the switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Chapter 20 Configuring Flex Links and the MAC Address-Table Move Update Feature Understanding Flex Links and the MAC Address-Table Move Update

You configure Flex Links on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the Flex Link or backup link. The Flex Link can be on the same switch or on another switch in the stack. When one of the links is up and forwarding traffic, the other link is in standby mode, ready to begin forwarding traffic if the other link shuts down.

Figure 20-2 VLAN Flex Links Load Balancing Configuration Example [figure: Switch A with interfaces gi2/0/6 and gi2/0/8 connected to uplink switches B and C; one link forwarding, the other not forwarding]

MAC Address-Table Move Update

The MAC address-table move update feature allows the switch to provide rapid bidirectional convergence when a primary (forwarding) link goes down and the standby link begins f

Figure 20-3 MAC Address-Table Move Update Example [figure: Switches A, B, C and D; a server attached to Switch C and a PC attached to Switch A; ports 1 to 4]

Chapter 20 Configuring Flex Links and the MAC Address-Table Move Update Feature Configuring Flex Links and MAC Address-Table Move Update

Configuring Flex Links and MAC Address-Table Move Update

These sections contain this information:
• Configuration Guidelines, page 20-5
• Default Configuration, page 20-5

Configuration Guidelines

Follow these guidelines to configure Flex Links:
• You can configure only one Flex Link backup link for any active link, and it must be a different interface from the activ

This section contains this information:
• Configuring Flex Links, page 20-6
• Configuring VLAN Load Balancing on Flex Links, page 20-8
• Configuring the MAC Address-Table Move Update Feature, page 20-9

Configuring Flex Links

Beginning in privileged EXEC mode, follow these steps to configure a pair of Flex Li

Beginning in privileged EXEC mode, follow these steps to configure a preemption scheme for a pair of Flex Links:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface, and enter interface configuration mode.

Configuring VLAN Load Balancing on Flex Links

Beginning in privileged EXEC mode, follow these steps to configure VLAN load balancing on Flex Links:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface, and enter interface configuration mode.

When a Flex Link interface comes up, VLANs preferred on this interface are blocked on the peer interface and moved to the forwarding state on the interface that has just come up. In this example, if interface Gi2/0/6 comes up, VLANs preferred on this interface are blocked on the peer interface Gi2/0/8 and forwarded on Gi2/0/6.

Step 4  end
        Return to global configuration mode.
Step 5  mac address-table move update transmit
        Enable the access switch to send MAC address-table move updates to other switches in the network if the primary link goes down and the switch starts forwarding traffic through the standby link.
Step 6  end
        Return to privileged EXEC mode.

Chapter 20 Configuring Flex Links and the MAC Address-Table Move Update Feature Monitoring Flex Links and the MAC Address-Table Move Update

Step 3  end
        Return to privileged EXEC mode.
Step 4  show mac address-table move update
        Verify the configuration.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the switch startup configuration file.
CHAPTER 21 Configuring DHCP Features and IP Source Guard

This chapter describes how to configure DHCP snooping and the option-82 data insertion features on the switch. It also describes how to configure the IP source guard feature. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Chapter 21 Configuring DHCP Features and IP Source Guard Understanding DHCP Features

For information about the DHCP client, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2.

DHCP Server

The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them.

The switch drops a DHCP packet when one of these situations occurs:
• A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall.
• A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.

Figure 21-1 is an example of a blade switch in an enclosure in which a centralized DHCP server assigns IP addresses to subscribers connected to the switch at the access layer.

• Remote-ID suboption fields
  – Suboption type
  – Length of the suboption type
  – Remote-ID type
  – Length of the remote-ID type

In the port field of the circuit ID suboption, the port numbers start at 1. For example, on a switch with Cisco dual SFP X2 converter modules in the 10-Gigabit Ethernet module slots, port 1 is the internal Gigabit Ethernet 1/0/1 port, port 2 is the internal Gigabit Ethernet 1/0/2 port, and so on.

The values for these fields in the packets change from the default values when you configure the remote-ID and circuit-ID suboptions:
• Circuit-ID suboption fields
  – The circuit-ID type is 1.
  – The length values are variable, depending on the length of the string that you configure.
• Remote-ID suboption fields
  – The remote-ID type is 1.
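A decoder for the option-82 suboption layout described above, as an added example that is not part of the Cisco guide. The default field layout (suboption 1 = circuit ID with type 0 carrying VLAN, module and port; suboption 2 = remote ID with type 0 carrying the switch MAC) is an assumption taken from Cisco documentation of this encoding rather than from this page; the type-1 variable-length string variant is the one the text describes.

```python
"""Added example (not from the Cisco guide): decode the DHCP option-82 relay agent
information a DHCP snooping switch inserts. The field layout is the default Cisco
encoding as I understand it from the vendor documentation (circuit-ID suboption 1
with type 0 = VLAN/module/port, remote-ID suboption 2 with type 0 = switch MAC)
plus the configured-string variant (type 1, variable length) described in the
text; treat the layout as an assumption and verify it against your switch."""
import struct
from dataclasses import dataclass
from typing import Optional

OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


@dataclass
class RelayAgentInfo:
    vlan: Optional[int] = None
    module: Optional[int] = None
    port: Optional[int] = None               # numbered from 1, as the text states
    circuit_id_string: Optional[str] = None  # set when a circuit-ID string is configured
    remote_mac: Optional[str] = None
    remote_id_string: Optional[str] = None   # set when a remote-ID string is configured


def find_option82(options: bytes) -> Optional[bytes]:
    """Walk a DHCP options field (bytes after the magic cookie) and return option 82's data."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:            # pad option
            i += 1
            continue
        if code == 255:          # end option
            return None
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        data = options[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option body")
        if code == OPTION_RELAY_AGENT_INFO:
            return data
        i += 2 + length
    return None


def parse_option82(payload: bytes) -> RelayAgentInfo:
    """Parse the suboptions; each carries an inner (type, length, value) as in the text."""
    info = RelayAgentInfo()
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated suboption header")
        subtype, sublen = payload[i], payload[i + 1]
        body = payload[i + 2:i + 2 + sublen]
        if len(body) != sublen or sublen < 2:
            raise ValueError("bad suboption length")
        i += 2 + sublen
        inner_type, inner_len = body[0], body[1]
        inner = body[2:2 + inner_len]
        if len(inner) != inner_len:
            raise ValueError("inner length exceeds suboption")
        if subtype == SUBOPT_CIRCUIT_ID:
            if inner_type == 0 and inner_len == 4:
                info.vlan, info.module, info.port = struct.unpack("!HBB", inner)
                if info.port < 1:
                    raise ValueError("circuit-ID port numbers start at 1")
            elif inner_type == 1:
                info.circuit_id_string = inner.decode("ascii", "replace")
            else:
                raise ValueError(f"unknown circuit-ID type {inner_type}")
        elif subtype == SUBOPT_REMOTE_ID:
            if inner_type == 0 and inner_len == 6:
                info.remote_mac = ":".join(f"{b:02x}" for b in inner)
            elif inner_type == 1:
                info.remote_id_string = inner.decode("ascii", "replace")
            else:
                raise ValueError(f"unknown remote-ID type {inner_type}")
        # any other suboption (for example from another vendor's relay) is ignored
    return info


# Constructed sample: circuit ID for VLAN 10, module 0, port 3; remote ID = the switch MAC.
SAMPLE_OPTION82 = bytes([1, 6, 0, 4, 0x00, 0x0a, 0, 3,
                         2, 8, 0, 6, 0x00, 0x1b, 0x2c, 0x3d, 0x4e, 0x5f])
# Constructed options field: message type DHCPDISCOVER (53), then option 82, then end.
SAMPLE_OPTIONS = bytes([53, 1, 1, 82, len(SAMPLE_OPTION82)]) + SAMPLE_OPTION82 + bytes([255])
```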
Each database entry (binding) has an IP address, an associated MAC address, the lease time (in hexadecimal format), the interface to which the binding applies, and the VLAN to which the interface belongs. The database agent stores the bindings in a file at a configured location.

Chapter 21 Configuring DHCP Features and IP Source Guard Configuring DHCP Features

DHCP Snooping and Switch Stacks

DHCP snooping is managed on the stack master. When a new switch joins the stack, the switch receives the DHCP snooping configuration from the stack master. When a member leaves the stack, all DHCP snooping address bindings associated with the switch age out. All snooping statistics are generated on the stack master. If a new stack master is elected, the statistics counters reset.

Table 21-1 Default DHCP Configuration (continued)
Feature: Default Setting
DHCP snooping option to accept packets on untrusted input interfaces: Disabled
DHCP snooping limit rate: None configured
DHCP snooping trust: Untrusted
DHCP snooping VLAN: Disabled
DHCP snooping MAC address verification: Enabled
Cisco IOS DHCP server binding database: Enabled in Cisco IOS software, requires configuration.

• Before configuring the DHCP relay agent on your switch, make sure to configure the device that is acting as the DHCP server. For example, you must specify the IP addresses that the DHCP server can assign or exclude, configure DHCP options for devices, or set up the DHCP database agent.
• If the DHCP relay agent is enabled but DHCP snooping is disabled, the DHCP option-82 data insertion feature is not supported.

Configuring the DHCP Relay Agent

Beginning in privileged EXEC mode, follow these steps to enable the DHCP relay agent on the switch:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  service dhcp
        Enable the DHCP server and relay agent on your switch. By default, this feature is enabled.
Step 3  end
        Return to privileged EXEC mode.
Step 4  show running-config
        Verify your entries.

        interface range port-range
        Configure multiple physical ports that are connected to the DHCP clients, and enter interface range configuration mode.
        or
        interface interface-id
        Configure a single physical port that is connected to the DHCP client, and enter interface configuration mode.
Step 7  switchport mode access
        Define the VLAN membership mode for the port.

Step 6  ip dhcp snooping information option allow-untrusted
        (Optional) If the switch is an aggregation switch connected to an edge switch, enable the switch to accept incoming DHCP snooping packets with option-82 information from the edge switch. The default setting is disabled.

Note  Enter this command only on aggregation switches that are connected to trusted devices.

Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# ip dhcp snooping limit rate 100

Enabling DHCP Snooping on Private VLANs

You can enable DHCP snooping on private VLANs. If DHCP snooping is enabled, the configuration is propagated to both a primary VLAN and its associated secondary VLANs. If DHCP snooping is enabled on the primary VLAN, it is also configured on the secondary VLANs.

Chapter 21 Configuring DHCP Features and IP Source Guard Displaying DHCP Snooping Information

Step 3  ip dhcp snooping database timeout seconds
        Specify (in seconds) how long to wait for the database transfer process to finish before stopping the process. The default is 300 seconds. The range is 0 to 86400. Use 0 to define an infinite duration, which means to continue trying the transfer indefinitely.

Chapter 21 Configuring DHCP Features and IP Source Guard Understanding IP Source Guard

Note  If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the statically configured bindings.

Understanding IP Source Guard

IP source guard is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings.

Chapter 21 Configuring DHCP Features and IP Source Guard Configuring IP Source Guard

Source IP and MAC Address Filtering

When IP source guard is enabled with this option, IP traffic is filtered based on the source IP and MAC addresses. The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table. When IP source guard with source IP and MAC address filtering is enabled, the switch filters IP and non-IP traffic.
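The two IP source guard filtering modes just described, modelled in software against a constructed IP source binding table, as an added example that is not part of the Cisco guide. The mode names and the statement that the IP+MAC mode also filters non-IP traffic come from the text; matching non-IP frames by source MAC and passing DHCP client packets before a binding exists are my assumptions.

```python
"""Added example (not from the Cisco guide): a model of the two IP source guard
filtering modes on an untrusted Layer 2 port, checked against a constructed IP
source binding table. Mode names and 'IP+MAC mode also filters non-IP traffic'
are from the text; matching non-IP frames by source MAC and letting DHCP client
packets through so a binding can be learned are my assumptions."""
import ipaddress
import struct
from typing import Dict, Set, Tuple

ETHERTYPE_IPV4, ETHERTYPE_ARP, IPPROTO_UDP = 0x0800, 0x0806, 17

# Constructed binding table: port -> {(ip, mac)}, learned by DHCP snooping or configured statically.
BINDINGS: Dict[str, Set[Tuple[str, str]]] = {
    "Gi1/0/3": {("192.0.2.10", "00:00:5e:00:53:0a")},
}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _is_dhcp_client_packet(raw: bytes) -> bool:
    """UDP 68 -> 67 from the client; assumed to pass even before any binding exists."""
    ihl = (raw[14] & 0x0F) * 4
    if raw[23] != IPPROTO_UDP or len(raw) < 14 + ihl + 8:
        return False
    sport, dport = struct.unpack("!HH", raw[14 + ihl:14 + ihl + 4])
    return sport == 68 and dport == 67


def ipsg_forward(raw: bytes, port: str, mode: str) -> bool:
    """Decide whether IP source guard in mode 'ip' or 'ip-mac' forwards this frame."""
    if mode not in ("ip", "ip-mac"):
        raise ValueError("mode must be 'ip' or 'ip-mac'")
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    eth_src = mac_str(raw[6:12])
    etype = struct.unpack("!H", raw[12:14])[0]
    bound = BINDINGS.get(port, set())
    if etype == ETHERTYPE_IPV4:
        if len(raw) < 34:
            raise ValueError("truncated IPv4 header")
        if _is_dhcp_client_packet(raw):
            return True
        src_ip = str(ipaddress.IPv4Address(raw[26:30]))
        if mode == "ip":                      # source IP address filtering only
            return any(ip == src_ip for ip, _ in bound)
        return (src_ip, eth_src) in bound     # source IP and MAC must match one binding
    if mode == "ip":                          # non-IP traffic is not filtered in this mode
        return True
    return any(mac == eth_src for _, mac in bound)   # assumption: non-IP matched by source MAC


def build_udp(eth_src: str, src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed-sample helper: minimal broadcast Ethernet/IPv4/UDP frame, checksums zero."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return m("ff:ff:ff:ff:ff:ff") + m(eth_src) + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def build_arp_stub(eth_src: str) -> bytes:
    """Constructed-sample helper: a frame with the ARP ethertype (body content irrelevant here)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    return m("ff:ff:ff:ff:ff:ff") + m(eth_src) + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)
```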
• When configuring IP source guard on interfaces on which a private VLAN is configured, port security is not supported.
• IP source guard is not supported on EtherChannels.
• You can enable this feature when IEEE 802.1x port-based authentication is enabled.
• If the number of hardware entries exceeds the maximum available, the CPU usage increases.

Chapter 21 Configuring DHCP Features and IP Source Guard Displaying IP Source Guard Information

Step 8  show ip source binding [ip-address] [mac-address] [dhcp-snooping | static] [interface interface-id] [vlan vlan-id]
        Display the IP source bindings on the switch, on a specific VLAN, or on a specific interface.
Step 9  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
CHAPTER 22 Configuring Dynamic ARP Inspection

This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Chapter 22 Configuring Dynamic ARP Inspection Understanding Dynamic ARP Inspection

Figure 22-1 ARP Cache Poisoning [figure: Host A (IA, MA), Host B (IB, MB) and Host C (man-in-the-middle) (IC, MC) attached to switch interfaces A, B and C]

Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA.

You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header. Use the ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command. For more information, see the “Performing Validation Checks” section on page 22-12.

Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running dynamic ARP inspection.

Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection

Logging of Dropped Packets

When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.

Table 22-1 Default Dynamic ARP Inspection Configuration (continued)
Feature: Default Setting
Log buffer: When dynamic ARP inspection is enabled, all denied or dropped ARP packets are logged. The number of entries in the log is 32. The number of system messages is limited to 5 per second. The logging-rate interval is 1 second.
Per-VLAN logging: All denied or dropped ARP packets are logged.

• The operating rate for the port channel is cumulative across all the physical ports within the channel. For example, if you configure the port channel with an ARP rate-limit of 400 pps, all the interfaces combined on the channel receive an aggregate 400 pps. The rate of incoming ARP packets on EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members.

Step 3  ip arp inspection vlan vlan-range
        Enable dynamic ARP inspection on a per-VLAN basis. By default, dynamic ARP inspection is disabled on all VLANs. For vlan-range, specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094. Specify the same VLAN ID for both switches.

If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and Host 1 could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure port 1 on Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and apply it to VLAN 1.

Step 5  ip arp inspection filter arp-acl-name vlan vlan-range [static]
        Apply the ARP ACL to the VLAN. By default, no defined ARP ACLs are applied to any VLAN.
        • For arp-acl-name, specify the name of the ACL created in Step 2.
        • For vlan-range, specify the VLAN that the switches and hosts are in.

To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global configuration command. This example shows how to configure an ARP ACL called host2 on Switch A, to permit ARP packets from Host 2 (IP address 1.1.1.1 and MAC address 0001.0001.

Step 4  exit
        Return to global configuration mode.
Step 5  errdisable detect cause arp-inspection and errdisable recovery cause arp-inspection and
        (Optional) Enable error recovery from the dynamic ARP inspection error-disabled state, and configure the dynamic ARP inspection recover mechanism variables. By default, recovery is disabled, and the recovery interval is 300 seconds.

Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP packets. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip arp inspection validate {[src-mac] [dst-mac] [ip]}
        Perform a specific check on incoming ARP packets. By default, no checks are performed.
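The dynamic ARP inspection decision for a single received frame, as an added example that is not part of the Cisco guide: the src-mac, dst-mac and ip validation checks enabled by the command above, the untrusted-port lookup against an ARP ACL applied to the VLAN (as in the Host 2 example) and the DHCP snooping binding table, and the flow-information log entry written for each drop. Frame layouts are standard Ethernet/ARP; the binding table, ACL entries, port names and addresses are constructed, and treating trusted ports as skipping every check is my assumption.

```python
"""Added example (not from the Cisco guide): a software model of the dynamic ARP
inspection decision for one received ARP frame: trusted ports pass, the optional
validate checks (src-mac, dst-mac, ip) run, then the ARP ACL applied to the VLAN
(with the 'static' option) and the DHCP snooping binding table are consulted, and
every drop gets a flow-information log entry. The binding table, ACL entries and
addresses are constructed samples."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


@dataclass
class ArpFrame:
    eth_dst: str
    eth_src: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(raw: bytes) -> ArpFrame:
    """Parse an untagged Ethernet II frame carrying an Ethernet/IPv4 ARP packet."""
    if len(raw) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", raw[12:14])[0] != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", raw[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return ArpFrame(mac_str(raw[0:6]), mac_str(raw[6:12]), op,
                    mac_str(raw[22:28]), str(ipaddress.IPv4Address(raw[28:32])),
                    mac_str(raw[32:38]), str(ipaddress.IPv4Address(raw[38:42])))


def build_arp(eth_dst, eth_src, op, smac, sip, tmac, tip) -> bytes:
    """Constructed-sample helper: assemble the frame layout parse_arp() expects."""
    return (mac_bytes(eth_dst) + mac_bytes(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(smac) + ipaddress.IPv4Address(sip).packed
            + mac_bytes(tmac) + ipaddress.IPv4Address(tip).packed)


@dataclass
class DaiConfig:
    trusted_ports: Set[str]
    validate: Set[str]                          # subset of {"src-mac", "dst-mac", "ip"}
    bindings: Dict[int, Set[Tuple[str, str]]]   # vlan -> {(ip, mac)} from DHCP snooping
    # vlan -> (permitted (sender ip, sender mac) pairs, whether 'static' was given)
    arp_acl: Dict[int, Tuple[Set[Tuple[str, str]], bool]] = field(default_factory=dict)
    log: List[dict] = field(default_factory=list)


def _invalid_ip(ip: str) -> bool:
    # Invalid sender/target addresses: 0.0.0.0, 255.255.255.255 and all multicast addresses.
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast


def inspect(raw: bytes, vlan: int, port: str, cfg: DaiConfig) -> str:
    """Return 'forward' or 'drop: <reason>'; dropped packets get a log entry."""
    f = parse_arp(raw)
    if port in cfg.trusted_ports:      # assumption: trusted ports skip every check
        return "forward"
    reason = None
    if "src-mac" in cfg.validate and f.sender_mac != f.eth_src:
        reason = "src-mac mismatch"
    elif "dst-mac" in cfg.validate and f.opcode == ARP_REPLY and f.target_mac != f.eth_dst:
        reason = "dst-mac mismatch"
    elif "ip" in cfg.validate and (_invalid_ip(f.sender_ip) or
                                   (f.opcode == ARP_REPLY and _invalid_ip(f.target_ip))):
        reason = "invalid ip"
    else:
        pair = (f.sender_ip, f.sender_mac)
        permitted, static = cfg.arp_acl.get(vlan, (set(), False))
        # The ACL is consulted first; with 'static' an ACL miss is final, otherwise the
        # DHCP snooping bindings are checked next.
        if pair not in permitted and (static or pair not in cfg.bindings.get(vlan, set())):
            reason = "no ARP ACL permit and no DHCP snooping binding"
    if reason is None:
        return "forward"
    cfg.log.append({"vlan": vlan, "port": port, "src_ip": f.sender_ip, "dst_ip": f.target_ip,
                    "src_mac": f.eth_src, "dst_mac": f.eth_dst, "reason": reason})
    return "drop: " + reason


# Constructed sample: VLAN 1, a DHCP client bound on Gi1/0/2, Host 2 (1.1.1.1) permitted by ACL.
BCAST = "ff:ff:ff:ff:ff:ff"
CFG = DaiConfig(trusted_ports={"Gi1/0/24"}, validate={"src-mac", "ip"},
                bindings={1: {("192.0.2.10", "00:00:5e:00:53:0a")}},
                arp_acl={1: ({("1.1.1.1", "00:00:5e:00:53:02")}, False)})
```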
If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer or increase the logging rate.

Chapter 22 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information

Step 3  ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}
        Control the type of packets that are logged per VLAN. By default, all denied or all dropped packets are logged. The term logged means the entry is placed in the log buffer and a system message is generated.

To clear or display dynamic ARP inspection statistics, use the privileged EXEC commands in Table 22-3:

Table 22-3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics
Command: Description
clear ip arp inspection statistics: Clears dynamic ARP inspection statistics.
CH A P T E R 23 Configuring IGMP Snooping and MVR This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on the switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Chapter 23 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Understanding IGMP Snooping Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast devices.
Chapter 23 Configuring IGMP Snooping and MVR Understanding IGMP Snooping IGMP Versions The switch supports IGMP Version 1, IGMP Version 2, and IGMP Version 3. These versions are interoperable on the switch. For example, if IGMP snooping is enabled on an IGMPv2 switch and the switch receives an IGMPv3 report from a host, the switch can forward the IGMPv3 report to the multicast router. Note The switch supports IGMPv3 snooping based only on the destination multicast MAC address.
Chapter 23 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Figure 23-1 Initial IGMP Join Message Router A 19 IGMP report 224.1.2.3 VLAN Switching engine CPU 0 201772 Forwarding table 1 3 5 7 Blade Blade Blade Blade Server 1 Server 2 Server 3 Server 4 Router A sends a general query to the switch, which forwards the query to ports 2 through 5, which are all members of the same VLAN. Blade Server 1 wants to join multicast group 224.1.2.
Chapter 23 Configuring IGMP Snooping and MVR Understanding IGMP Snooping If another blade server (for example, Blade Server 4) sends an unsolicited IGMP join message for the same group (Figure 23-2), the CPU receives that message and adds the port number of Blade Server 4 to the forwarding table as shown in Table 23-2. Note that because the forwarding table directs IGMP messages only to the CPU, the message is not flooded to other ports on the switch.
Chapter 23 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Immediate Leave Immediate Leave is only supported on IGMP Version 2 hosts. The switch uses IGMP snooping Immediate Leave to remove from the forwarding table an interface that sends a leave message without the switch sending group-specific queries to the interface. The VLAN interface is pruned from the multicast tree for the multicast group specified in the original leave message.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping IGMP Snooping and Switch Stacks IGMP snooping functions across the switch stack; that is, IGMP control information from one switch is distributed to all switches in the stack. (See Chapter 5, “Managing Switch Stacks,” for more information about switch stacks.) Regardless of the stack member through which IGMP multicast data enters the stack, the data reaches the hosts that have registered for that group.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Table 23-3 Default IGMP Snooping Configuration (continued) Feature Default Setting IGMP snooping querier Disabled IGMP report suppression Enabled 1. TCN = Topology Change Notification Enabling or Disabling IGMP Snooping By default, IGMP snooping is globally enabled on the switch. When globally enabled or disabled, it is also enabled or disabled in all existing VLAN interfaces.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Setting the Snooping Method Multicast-capable router ports are added to the forwarding table for every Layer 2 multicast entry.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping This example shows how to configure IGMP snooping to use CGMP packets as the learning method: Switch# configure terminal Switch(config)# ip igmp snooping vlan 1 mrouter learn cgmp Switch(config)# end Configuring a Multicast Router Port To add a multicast router port (add a static connection to a multicast router), use the ip igmp snooping vlan mrouter global configuration command on the switch.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip igmp snooping vlan vlan-id static ip_address Statically configure a Layer 2 port as a member of a multicast interface interface-id group: • vlan-id is the multicast group VLAN ID. The range is 1 to 1001 and 1006 to 4094.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping To disable IGMP Immediate Leave on a VLAN, use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Controlling the Multicast Flooding Time After a TCN Event You can control the time that multicast traffic is flooded after a TCN event by using the ip igmp snooping tcn flood query count global configuration command. This command configures the number of general queries for which multicast data traffic is flooded after a TCN event.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping To return to the default query solicitation, use the no ip igmp snooping tcn query solicit global configuration command. Disabling Multicast Flooding During a TCN Event When the switch receives a TCN, multicast traffic is flooded to all the ports until 2 general queries are received.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping • When it is administratively enabled, the IGMP snooping querier moves to the operationally disabled state under these conditions: – IGMP snooping is disabled in the VLAN. – PIM is enabled on the SVI of the corresponding VLAN. Beginning in privileged EXEC mode, follow these steps to enable the IGMP snooping querier feature in a VLAN: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 23 Configuring IGMP Snooping and MVR Displaying IGMP Snooping Information This example shows how to set the IGMP snooping querier feature to Version 2: Switch# configure terminal Switch(config)# no ip igmp snooping querier version 2 Switch(config)# end Disabling IGMP Report Suppression Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.
Chapter 23 Configuring IGMP Snooping and MVR Displaying IGMP Snooping Information To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 23-4.
Table 23-4 Commands for Displaying IGMP Snooping Information
Command                                Purpose
show ip igmp snooping [vlan vlan-id]   Display the snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.
Chapter 23 Configuring IGMP Snooping and MVR Understanding Multicast VLAN Registration Understanding Multicast VLAN Registration Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service-provider network (for example, the broadcast of multiple television channels over a service-provider network).
Chapter 23 Configuring IGMP Snooping and MVR Understanding Multicast VLAN Registration Using MVR in a Multicast Television Application
[Figure 23-3 Multicast VLAN Registration Example: a multicast server behind a Cisco router feeds the multicast VLAN through service-provider switches (source ports, SP) to the blade switch, whose receiver ports RP1 to RP5 each connect to a server. RP = Receiver Port, SP = Source Port. Note: All source ports belong to the multicast VLAN.]
Chapter 23 Configuring IGMP Snooping and MVR Configuring MVR IGMP reports are sent to the same IP multicast group address as the multicast data. The blade switch CPU must capture all IGMP join and leave messages from receiver ports and forward them to the multicast VLAN of the source (uplink) port, based on the MVR mode.
Chapter 23 Configuring IGMP Snooping and MVR Configuring MVR • MVR is not supported when multicast routing is enabled on a switch. If you enable multicast routing and a multicast routing protocol while MVR is enabled, MVR is disabled, and you receive a warning message. If you try to enable MVR while multicast routing and a multicast routing protocol are enabled, the operation to enable MVR is cancelled, and you receive an error message. • MVR can coexist with IGMP snooping on a switch.
Chapter 23 Configuring IGMP Snooping and MVR Configuring MVR To return the switch to its default settings, use the no mvr [mode | group ip-address | querytime | vlan] global configuration commands.
Chapter 23 Configuring IGMP Snooping and MVR Displaying MVR Information Command Purpose Step 8 show mvr, show mvr interface, or show mvr members Verify the configuration. Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the interface to its default settings, use the no mvr [type | immediate | vlan vlan-id | group] interface configuration commands.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling Table 23-6 Commands for Displaying MVR Information (continued) Command Purpose show mvr Displays MVR status and values for the switch—whether MVR is enabled or disabled, the multicast VLAN, the maximum (256) and current (0 through 256) number of multicast groups, the query response time, and the MVR mode.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling Default IGMP Filtering and Throttling Configuration Table 23-7 shows the default IGMP filtering configuration.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling Step 4 Command Purpose range ip multicast address Enter the IP multicast address or range of IP multicast addresses to which access is being controlled. If entering a range, enter the low IP multicast address, a space, and the high IP multicast address. You can use the range command multiple times to enter multiple addresses or ranges of addresses. Step 5 end Return to privileged EXEC mode.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling To remove a profile from an interface, use the no ip igmp filter profile number interface configuration command.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling Follow these guidelines when configuring the IGMP throttling action: • This restriction can be applied only to Layer 2 ports. You can use this command on a logical EtherChannel interface but cannot use it on ports that belong to an EtherChannel port group. • When the maximum group limitation is set to the default (no maximum), entering the ip igmp max-groups action {deny | replace} command has no effect.
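The profile and throttling rules described in the steps above, modelled in Python as an added example (this is not code from the Cisco guide): an ip igmp profile is a permit or deny list of multicast address ranges, it is applied to a Layer 2 port with ip igmp filter, and ip igmp max-groups with the deny or replace action caps how many groups the port may join. The class names, the join() return strings and the choice to evict the oldest group on replace (IOS picks an existing group at random) are this example's own assumptions.

```python
"""IGMP profile filtering and max-groups throttling on a Layer 2 port.

Added example, not from the Cisco guide. It models an `ip igmp profile`
(permit or deny plus address ranges), applies it as an interface filter,
and enforces `ip igmp max-groups` with the deny or replace action.
Class names and the join() return values are this example's own.
"""
import ipaddress
from collections import OrderedDict


class IgmpProfile:
    def __init__(self, number: int, permit: bool = False):
        self.number = number
        self.permit = permit          # `permit` keyword; profiles deny by default
        self.ranges = []              # list of (low, high) IPv4Address pairs

    def range(self, low: str, high: str = None):
        """`range low [high]`; a single address is a range of one."""
        lo = ipaddress.IPv4Address(low)
        hi = ipaddress.IPv4Address(high) if high else lo
        if not (lo.is_multicast and hi.is_multicast) or hi < lo:
            raise ValueError(f"bad multicast range {low}-{high or low}")
        self.ranges.append((lo, hi))
        return self

    def allows(self, group: str) -> bool:
        g = ipaddress.IPv4Address(group)
        matched = any(lo <= g <= hi for lo, hi in self.ranges)
        # permit profile: allow only matching groups; deny profile: block matching groups
        return matched if self.permit else not matched


class FilteredPort:
    def __init__(self, profile: IgmpProfile = None, max_groups: int = None, action: str = "deny"):
        self.profile = profile
        self.max_groups = max_groups          # None = default, no maximum
        self.action = action                  # deny | replace (no effect without a maximum)
        self.groups = OrderedDict()           # joined group -> True, in join order

    def join(self, group: str) -> str:
        """Process an IGMP join for `group`; returns what the port did with it."""
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"                 # dropped by the ip igmp filter profile
        if group in self.groups:
            return "joined"                   # already a member, nothing changes
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "replace":
                # IOS replaces a randomly chosen existing group; this model evicts
                # the oldest so the result is deterministic (assumption of the example)
                evicted, _ = self.groups.popitem(last=False)
                self.groups[group] = True
                return f"replaced {evicted}"
            return "throttled"                # deny action: join is dropped
        self.groups[group] = True
        return "joined"

    def leave(self, group: str) -> None:
        self.groups.pop(group, None)
```

A permit profile is the safer default for receiver ports: anything outside the listed ranges is dropped, so a host cannot pull arbitrary group traffic onto its access port, and a max-groups limit bounds the forwarding state one port can create.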
Chapter 23 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration Displaying IGMP Filtering and Throttling Configuration You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface. You can also display the IGMP throttling configuration for all interfaces on the switch or for a specified interface.
CH A P T E R 24 Configuring IPv6 MLD Snooping You can use Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP Version 6 (IPv6) multicast data to clients and routers in a switched network on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
Chapter 24 Configuring IPv6 MLD Snooping Understanding MLD Snooping MLD is a protocol used by IPv6 multicast routers to discover the presence of multicast listeners (nodes wishing to receive IPv6 multicast packets) on the links that are directly attached to the routers and to discover which multicast packets are of interest to neighboring nodes. MLD is derived from IGMP; MLD Version 1 (MLDv1) is equivalent to IGMPv2, and MLD Version 2 (MLDv2) is equivalent to IGMPv3.
Chapter 24 Configuring IPv6 MLD Snooping Understanding MLD Snooping MLD Messages MLDv1 supports three types of messages: • Listener Queries are the equivalent of IGMPv2 queries and are either General Queries or Multicast-Address-Specific Queries (MASQs). • Multicast Listener Reports are the equivalent of IGMPv2 reports. • Multicast Listener Done messages are the equivalent of IGMPv2 leave messages. MLDv2 supports MLDv2 queries and reports, as well as MLDv1 Report and Done messages.
Chapter 24 Configuring IPv6 MLD Snooping Understanding MLD Snooping Multicast Router Discovery Like IGMP snooping, MLD snooping performs multicast router discovery, with these characteristics: • Ports configured by a user never age out. • Dynamic port learning results from MLDv1 snooping queries and IPv6 PIMv2 packets. • If there are multiple routers on the same Layer 2 interface, MLD snooping tracks a single multicast router on the port (the router that most recently sent a router control packet).
Chapter 24 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping The number of MASQs generated is configured by using the ipv6 mld snooping last-listener-query count global configuration command. The default number is 2. The MASQ is sent to the IPv6 multicast address for which the Done message was sent.
Chapter 24 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping Default MLD Snooping Configuration Table 24-1 shows the default MLD snooping configuration.
Table 24-1 Default MLD Snooping Configuration
Feature                        Default Setting
MLD snooping (Global)          Disabled.
MLD snooping (per VLAN)        Enabled. MLD snooping must be globally enabled for VLAN MLD snooping to take place.
IPv6 Multicast addresses       None configured.
IPv6 Multicast router ports    None configured.
Chapter 24 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping Enabling or Disabling MLD Snooping By default, IPv6 MLD snooping is globally disabled on the switch and enabled on all VLANs. When MLD snooping is globally disabled, it is also disabled on all VLANs. When you globally enable MLD snooping, the VLAN configuration overrides the global configuration. That is, MLD snooping is enabled only on VLAN interfaces in the default state (enabled).
Chapter 24 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping Configuring a Static Multicast Group Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure an IPv6 multicast address and member ports for a VLAN.
Chapter 24 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping Beginning in privileged EXEC mode, follow these steps to add a multicast router port to a VLAN: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ipv6 mld snooping vlan vlan-id mrouter interface interface-id Specify the multicast router VLAN ID, and specify the interface to the multicast router. • The VLAN ID range is 1 to 1001 and 1006 to 4094.
Chapter 24 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping Configuring MLD Snooping Queries When Immediate Leave is not enabled and a port receives an MLD Done message, the switch generates MASQs on the port and sends them to the IPv6 multicast address for which the Done message was sent. You can optionally configure the number of MASQs that are sent and the length of time the switch waits for a response before deleting the port from the multicast group.
Chapter 24 Configuring IPv6 MLD Snooping Displaying MLD Snooping Information This example shows how to set the MLD snooping global robustness variable to 3:
Switch# configure terminal
Switch(config)# ipv6 mld snooping robustness-variable 3
Switch(config)# exit
This example shows how to set the MLD snooping last-listener query count for a VLAN to 3:
Switch# configure terminal
Switch(config)# ipv6 mld snooping vlan 200 last-listener-query-count 3
Switch(config)# exit
This example shows how to set the MLD
Chapter 24 Configuring IPv6 MLD Snooping Displaying MLD Snooping Information
Table 24-2 Commands for Displaying MLD Snooping Information
Command                                 Purpose
show ipv6 mld snooping [vlan vlan-id]   Display the MLD snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.
CH A P T E R 25 Configuring Port-Based Traffic Control This chapter describes how to configure the port-based traffic control features on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 25 Configuring Port-Based Traffic Control Configuring Storm Control Storm control uses one of these methods to measure traffic activity: • Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic • Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received • Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received With each method, the p
Chapter 25 Configuring Port-Based Traffic Control Configuring Storm Control You use the storm-control interface configuration commands to set the threshold value for each traffic type. Default Storm Control Configuration By default, unicast, broadcast, and multicast storm control are disabled on the switch interfaces; that is, the suppression level is 100 percent.
Chapter 25 Configuring Port-Based Traffic Control Configuring Storm Control Step 3 Command Purpose storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]} Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled. The keywords have these meanings: • For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage (up to two decimal places) of the bandwidth.
Chapter 25 Configuring Port-Based Traffic Control Configuring Protected Ports Command Purpose Step 6 show storm-control [interface-id] [broadcast | multicast | unicast] Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
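How the storm-control level, bps and pps thresholds behave over successive one-second measurement intervals, as an added Python example (not code from the Cisco guide): the parser accepts the interface-mode command as written in the step table, and the evaluator applies the rising threshold to start suppression and the optional falling threshold to end it, so a port that crosses the rising level stays suppressed until traffic drops below the falling level. The function names are this example's own, and it assumes plain numeric thresholds (IOS suffixes such as k or m are not handled).

```python
"""Storm-control threshold evaluation with rising/falling hysteresis.

Added example, not from the Cisco guide. Models how a
`storm-control {broadcast|multicast|unicast} level ...` setting decides,
one-second interval by interval, whether to suppress a traffic type.
Units per method: level = percent of port bandwidth, bps = bits per
second, pps = packets per second. Names are this example's own.
"""
import re

STORM_RE = re.compile(
    r"storm-control\s+(?P<kind>broadcast|multicast|unicast)\s+level\s+"
    r"(?:(?P<unit>bps|pps)\s+)?(?P<rise>\d+(?:\.\d+)?)(?:\s+(?P<fall>\d+(?:\.\d+)?))?$"
)


def parse_storm_control(line: str) -> dict:
    """Parse one interface-mode storm-control line into a threshold spec."""
    m = STORM_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a storm-control level line: {line!r}")
    rise = float(m["rise"])
    # The falling threshold defaults to the rising threshold when omitted.
    fall = float(m["fall"]) if m["fall"] else rise
    if fall > rise:
        raise ValueError("falling threshold must not exceed rising threshold")
    unit = m["unit"] or "percent"
    if unit == "percent" and rise > 100:
        raise ValueError("percent level must be 0-100")
    return {"kind": m["kind"], "unit": unit, "rise": rise, "fall": fall}


def is_disabled(spec: dict) -> bool:
    """A percent level of 100 is the default, i.e. storm control is off."""
    return spec["unit"] == "percent" and spec["rise"] >= 100


def suppression_timeline(spec: dict, samples: list) -> list:
    """Return, per 1-second sample, whether traffic of spec['kind'] is suppressed.

    Suppression starts when a sample exceeds the rising threshold and ends only
    when a later sample falls below the falling threshold (hysteresis).
    """
    if is_disabled(spec):
        return [False] * len(samples)
    suppressed = False
    out = []
    for rate in samples:
        if not suppressed and rate > spec["rise"]:
            suppressed = True
        elif suppressed and rate < spec["fall"]:
            suppressed = False
        out.append(suppressed)
    return out
```

Setting a falling threshold well below the rising one avoids a port flapping between suppressed and unsuppressed on every interval during a sustained broadcast storm.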
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Blocking Protected Port Configuration Guidelines You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group. Do not configure a private-VLAN port as a protected port. Do not configure a protected port as a private-VLAN port.
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Security Default Port Blocking Configuration The default is to not block flooding of unknown multicast and unicast traffic out of a port, but to flood these packets to all ports. Blocking Flooded Traffic on an Interface Note The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Security These sections contain this conceptual and configuration information: • Understanding Port Security, page 25-8 • Default Port Security Configuration, page 25-10 • Port Security Configuration Guidelines, page 25-10 • Enabling and Configuring Port Security, page 25-12 • Enabling and Configuring Port Security Aging, page 25-16 • Port Security and Switch Stacks, page 25-17 • Port Security and Private VLANs, page 25-17 U
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Security If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration. The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system. This number is determined by the active Switch Database Management (SDM) template.
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Security
Table 25-1 Security Violation Mode Actions
Violation Mode   Traffic is forwarded1   Sends SNMP trap   Sends syslog message   Displays error message2   Violation counter increments   Shuts down port
protect          No                      No                No                     No                        No                             No
restrict         No                      Yes               Yes                    No                        Yes                            No
shutdown         No                      Yes               Yes                    No                        Yes                            Yes
shutdown vlan    No                      Yes               Yes                    No                        Yes                            No3
1.
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Security • A secure port cannot be a private-VLAN port. • When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN.
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Security Enabling and Configuring Port Security Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode.
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Security Step 7 Command Purpose switchport port-security violation {protect | restrict | shutdown | shutdown vlan} (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these: • Note protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Security Step 8 Command Purpose switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}] (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Security To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table. All addresses are now dynamically learned.
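The port-security behaviour laid out in Table 25-1 and the steps above, modelled in Python as an added example (not code from the Cisco guide): a port with a maximum, a violation mode and static, sticky or dynamically learned secure addresses decides for each ingress source MAC whether to forward, learn, drop silently (protect), drop with trap, syslog and counter (restrict), or err-disable the port or the VLAN (shutdown, shutdown vlan). It also shows that disabling sticky learning converts sticky addresses to dynamic ones and drops them from the running configuration. Class names and the Event record are this example's own.

```python
"""Model of Catalyst port-security enforcement per violation mode.

Added example, not code from the Cisco guide. Reproduces Table 25-1
(protect / restrict / shutdown / shutdown vlan) and the static, sticky
and dynamic secure-address classes on a single port. Names are the
example's own.
"""
from dataclasses import dataclass, field


@dataclass
class Event:
    forwarded: bool
    snmp_trap: bool = False
    syslog: bool = False
    counter_increment: bool = False
    port_shutdown: bool = False
    vlan_shutdown: bool = False


@dataclass
class SecurePort:
    maximum: int = 1                                 # switchport port-security maximum
    violation: str = "shutdown"                      # IOS default violation mode
    static: set = field(default_factory=set)         # mac-address <mac>
    sticky_enabled: bool = False                     # mac-address sticky
    learned: dict = field(default_factory=dict)      # mac -> "sticky" | "dynamic"
    violations: int = 0
    err_disabled: bool = False
    shut_vlans: set = field(default_factory=set)

    def secure_count(self) -> int:
        return len(self.static) + len(self.learned)

    def ingress(self, mac: str, vlan: int = 1) -> Event:
        """Apply port security to a frame with source `mac` arriving on `vlan`."""
        if self.err_disabled or vlan in self.shut_vlans:
            return Event(forwarded=False)
        if mac in self.static or mac in self.learned:
            return Event(forwarded=True)
        if self.secure_count() < self.maximum:
            # unknown source with room left: learn it as sticky or dynamic
            self.learned[mac] = "sticky" if self.sticky_enabled else "dynamic"
            return Event(forwarded=True)
        return self._violate(vlan)

    def _violate(self, vlan: int) -> Event:
        if self.violation == "protect":
            return Event(forwarded=False)            # silent drop, no notification
        self.violations += 1
        ev = Event(forwarded=False, snmp_trap=True, syslog=True, counter_increment=True)
        if self.violation == "shutdown":
            self.err_disabled = True                 # whole port goes error-disabled
            ev.port_shutdown = True
        elif self.violation == "shutdown vlan":
            self.shut_vlans.add(vlan)                # only the offending VLAN is disabled
            ev.vlan_shutdown = True
        return ev

    def disable_sticky(self) -> None:
        """`no switchport port-security mac-address sticky`: sticky -> dynamic."""
        self.sticky_enabled = False
        for mac in self.learned:
            self.learned[mac] = "dynamic"

    def running_config_addresses(self) -> list:
        """Addresses that survive in the running config (static + sticky only)."""
        return sorted(self.static) + sorted(m for m, k in self.learned.items() if k == "sticky")
```

Because protect gives no trap, syslog or counter, a port in that mode can be under a MAC-flooding attempt without any operator-visible signal; restrict keeps the port up but produces the telemetry, which is why it is the usual choice where a shutdown would be disruptive.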
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Security
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Switch(config-if)# switchport port-security mac-address 0000.0000.
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Security To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command. To disable aging for only statically configured secure addresses, use the no switchport port-security aging static interface configuration command.
Chapter 25 Configuring Port-Based Traffic Control Displaying Port-Based Traffic Control Settings This example shows how to configure port security on a PVLAN host and promiscuous ports:
Switch(config)# interface gigabitethernet 1/0/8
Switch(config-if)# switchport private-vlan mapping 2061 2201-2206,3101
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport port-security maximum 288
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security v
CH A P T E R 26 Configuring CDP This chapter describes how to configure Cisco Discovery Protocol (CDP) on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Chapter 26 Configuring CDP Configuring CDP CDP and Switch Stacks A switch stack appears as a single switch in the network. Therefore, CDP discovers the switch stack, not the individual stack members. The switch stack sends CDP messages to neighboring network devices when there are changes to the switch stack membership, such as stack members being added or removed.
Chapter 26 Configuring CDP Configuring CDP Step 3 Command Purpose cdp holdtime seconds (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is 10 to 255 seconds; the default is 180 seconds. Step 4 cdp advertise-v2 (Optional) Configure CDP to send Version-2 advertisements. This is the default state. Step 5 end Return to privileged EXEC mode. Step 6 show cdp Verify your settings.
Chapter 26 Configuring CDP Configuring CDP Disabling and Enabling CDP on an Interface CDP is enabled by default on all supported interfaces to send and to receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on a port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface on which you are disabling CDP, and enter interface configuration mode.
Chapter 26 Configuring CDP Monitoring and Maintaining CDP Monitoring and Maintaining CDP To monitor and maintain CDP on your device, use one or more of the privileged EXEC commands in Table 26-2.
Table 26-2 Commands for Displaying CDP Information
Command              Description
clear cdp counters   Reset the traffic counters to zero.
clear cdp table      Delete the CDP table of information about neighbors.
CH A P T E R 27 Configuring LLDP and LLDP-MED This chapter describes how to configure the Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (LLDP-MED) on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Chapter 27 Configuring LLDP and LLDP-MED Understanding LLDP and LLDP-MED LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes contain type, length, and value descriptions and are referred to as TLVs. LLDP supported devices can use TLVs to receive and send information to their neighbors. Details such as configuration information, device capabilities, and device identity can be advertised using this protocol. The switch supports these basic management TLVs.
Chapter 27 Configuring LLDP and LLDP-MED Configuring LLDP and LLDP-MED • Location TLV Provides location information from the switch to the endpoint device. The location TLV can send this information: – Civic location information Provides the civic address information and postal information. Examples of civic location information are street address, road name, and postal community name information. – ELIN location information Provides the location information of a caller.
Chapter 27 Configuring LLDP and LLDP-MED Configuring LLDP and LLDP-MED Table 27-1 Default LLDP Configuration (continued) Feature Default Setting LLDP transmit Enabled LLDP med-tlv-select Enabled to send all LLDP-MED TLVs Configuring LLDP Characteristics You can configure the frequency of LLDP updates, the amount of time to hold the information before discarding it, and the initialization delay time. You can also select the LLDP and LLDP-MED TLVs to be sent and received.
Chapter 27 Configuring LLDP and LLDP-MED Configuring LLDP and LLDP-MED Disabling and Enabling LLDP Globally LLDP is enabled by default. Beginning in privileged EXEC mode, follow these steps to globally disable LLDP: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no lldp run Disable LLDP. Step 3 end Return to privileged EXEC mode.
Chapter 27 Configuring LLDP and LLDP-MED Configuring LLDP and LLDP-MED Command Purpose Step 5 end Return to privileged EXEC mode. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Beginning in privileged EXEC mode, follow these steps to enable LLDP on an interface when it has been disabled: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 27 Configuring LLDP and LLDP-MED Monitoring and Maintaining LLDP and LLDP-MED Command Purpose Step 3 no lldp med-tlv-select tlv Specify the TLV to disable. Step 4 end Return to privileged EXEC mode. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Beginning in privileged EXEC mode, follow these steps to enable a TLV on an interface: Command Purpose Step 1 configure terminal Enter global configuration mode.
CH A P T E R 28 Configuring UDLD This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 28 Configuring UDLD Understanding UDLD In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection. If the ports are connected correctly but the traffic is one way, UDLD does not detect the unidirectional link because the Layer 1 mechanism, which is supposed to detect this condition, does not do so.
Chapter 28 Configuring UDLD Configuring UDLD If the detection window ends and no valid reply message is received, the link might shut down, depending on the UDLD mode. When UDLD is in normal mode, the link might be considered undetermined and might not be shut down. When UDLD is in aggressive mode, the link is considered unidirectional, and the port is disabled.
Chapter 28 Configuring UDLD Configuring UDLD Default UDLD Configuration Table 28-1 shows the default UDLD configuration.
Chapter 28 Configuring UDLD Configuring UDLD Enabling UDLD Globally Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch and all members in the switch stack: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 28 Configuring UDLD Configuring UDLD Enabling UDLD on an Interface Beginning in privileged EXEC mode, follow these steps either to enable UDLD in the aggressive or normal mode or to disable UDLD on a port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be enabled for UDLD, and enter interface configuration mode. Step 3 udld port [aggressive] UDLD is disabled by default.
Chapter 28 Configuring UDLD Displaying UDLD Status Displaying UDLD Status To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
CH A P T E R 29 Configuring SPAN and RSPAN This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 29 Configuring SPAN and RSPAN Understanding SPAN and RSPAN These sections contain this conceptual information: • Local SPAN, page 29-2 • Remote SPAN, page 29-3 • SPAN and RSPAN Concepts and Terminology, page 29-4 • SPAN and RSPAN Interaction with Other Features, page 29-9 • SPAN and RSPAN and Switch Stacks, page 29-11 Local SPAN Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports are in the same switch or switch stack.
Chapter 29 Configuring SPAN and RSPAN Understanding SPAN and RSPAN
[Figure 29-2 Example of Local SPAN Configuration on a Switch Stack: in a blade switch stack of Switch 1, Switch 2 and Switch 3 joined by StackWise Plus port connections, port 4 on switch 1 (1/0/4) is mirrored on port 15 on switch 2 (2/0/15), where a network analyzer is attached.]
Remote SPAN RSPAN supports source ports, source VLANs, and destination ports on different switches (or different switch stacks), enabling remote monitoring of multiple switches across your
Chapter 29 Configuring SPAN and RSPAN Understanding SPAN and RSPAN
[Figure 29-3 Example of RSPAN Configuration: RSPAN source session A on Switch A and RSPAN source session B on Switch B carry traffic from their RSPAN source ports over the RSPAN VLAN (intermediate switches must support the RSPAN VLAN) to the RSPAN destination session and RSPAN destination ports on Switch C.]
SPAN and RSPAN Concepts and Terminology This section describes concepts and terminology associated with SPAN and RSPAN configuration.
Chapter 29 Configuring SPAN and RSPAN Understanding SPAN and RSPAN An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed over normal trunk ports to the destination switch. An RSPAN destination session takes all packets received on the RSPAN VLAN, strips off the VLAN tagging, and presents them on the destination port.
Chapter 29 Configuring SPAN and RSPAN Understanding SPAN and RSPAN • The switch does not support a combination of local SPAN and RSPAN in a single session. – An RSPAN source session cannot have a local destination port. – An RSPAN destination session cannot have a local source port. – An RSPAN destination session and an RSPAN source session that are using the same RSPAN VLAN cannot run on the same switch or switch stack.
Chapter 29 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Switch congestion can cause packets to be dropped at ingress source ports, egress source ports, or SPAN destination ports. In general, these characteristics are independent of one another. For example: • A packet might be forwarded normally but dropped from monitoring due to an oversubscribed SPAN destination port. • An ingress packet might be dropped from normal forwarding, but still appear on the SPAN destination port.
Chapter 29 Configuring SPAN and RSPAN Understanding SPAN and RSPAN • If ports are added to or removed from the source VLANs, the traffic on the source VLAN received by those ports is added to or removed from the sources being monitored. • You cannot use filter VLANs in the same session with VLAN sources. • You can monitor only Ethernet VLANs. VLAN Filtering When you monitor a trunk port as a source port, by default, all VLANs active on the trunk are monitored.
Chapter 29 Configuring SPAN and RSPAN Understanding SPAN and RSPAN • If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2. • It does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PagP). • A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored. • The maximum number of destination ports in a switch or switch stack is 64.
Chapter 29 Configuring SPAN and RSPAN Understanding SPAN and RSPAN • STP—A destination port does not participate in STP while its SPAN or RSPAN session is active. The destination port can participate in STP after the SPAN or RSPAN session is disabled. On a source port, SPAN does not affect the STP status. STP can be active on trunk ports carrying an RSPAN VLAN. • CDP—A SPAN destination port does not participate in CDP while the SPAN session is active.
Chapter 29 Configuring SPAN and RSPAN Configuring SPAN and RSPAN SPAN and RSPAN and Switch Stacks Because the stack of switches is treated as one logical switch, local SPAN source ports and destination ports can be in different switches in the stack. Therefore, the addition or deletion of switches in the stack can affect a local SPAN session, as well as an RSPAN source or destination session.
Chapter 29 Configuring SPAN and RSPAN Configuring SPAN and RSPAN SPAN Configuration Guidelines Follow these guidelines when configuring SPAN: • On each switch stack, you can configure a maximum of 2 source sessions and 64 RSPAN destination sessions. A source session is either a local SPAN session or an RSPAN source session. • For SPAN sources, you can monitor traffic for a single port or VLAN or a series or range of ports or VLANs for each session.
Chapter 29 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Creating a Local SPAN Session Beginning in privileged EXEC mode, follow these steps to create a SPAN session and specify the source (monitored) ports or VLANs and the destination (monitoring) ports: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no monitor session {session_number | all | local | remote} Remove any existing SPAN configuration for the session. For session_number, the range is 1 to 66.
Chapter 29 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Step 4 Command Purpose monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]} Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in step 3. Note For local SPAN, you must use the same session number for the source and destination interfaces. For interface-id, specify the destination port.
Chapter 29 Configuring SPAN and RSPAN Configuring SPAN and RSPAN This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination Gigabit Ethernet port 2. The configuration is then modified to also monitor all traffic on all ports belonging to VLAN 10.
Chapter 29 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Command Purpose Step 5 end Return to privileged EXEC mode. Step 6 show monitor [session session_number] Verify the configuration. show running-config Step 7 copy running-config startup-config (Optional) Save the configuration in the configuration file. To delete a SPAN session, use the no monitor session session_number global configuration command.
Chapter 29 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Step 5 Command Purpose monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]} Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3. For interface-id, specify the destination port. The destination interface must be a physical port; it cannot be an EtherChannel, and it cannot be a VLAN.
Chapter 29 Configuring SPAN and RSPAN Configuring SPAN and RSPAN • You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets. Specify these ACLs on the RSPAN VLAN in the RSPAN source switches. • For RSPAN configuration, you can distribute the source ports and the destination ports across multiple switches in your network. • RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols.
Chapter 29 Configuring SPAN and RSPAN Configuring SPAN and RSPAN To remove the remote SPAN characteristic from a VLAN and convert it back to a normal VLAN, use the no remote-span VLAN configuration command. This example shows how to create RSPAN VLAN 901.
Chapter 29 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Step 6 Command Purpose show monitor [session session_number] Verify the configuration. show running-config Step 7 copy running-config startup-config (Optional) Save the configuration in the configuration file. To delete a SPAN session, use the no monitor session session_number global configuration command.
Chapter 29 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Step 5 Command Purpose monitor session session_number destination remote vlan vlan-id Specify the RSPAN session and the destination remote VLAN (RSPAN VLAN). For session_number, enter the session number specified in step 3. For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port. Step 6 end Return to privileged EXEC mode. Step 7 show monitor [session session_number] Verify the configuration.
Chapter 29 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Step 6 Command Purpose monitor session session_number source remote vlan vlan-id Specify the RSPAN session and the source RSPAN VLAN. For session_number, the range is 1 to 66. For vlan-id, specify the source RSPAN VLAN to monitor. Step 7 monitor session session_number destination interface interface-id Specify the RSPAN session and the destination interface. For session_number, enter the number defined in Step 6.
Chapter 29 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Command Purpose Step 3 monitor session session_number source remote vlan vlan-id Specify the RSPAN session and the source RSPAN VLAN. For session_number, the range is 1 to 66. For vlan-id, specify the source RSPAN VLAN to monitor. Step 4 monitor session session_number Specify the SPAN session, the destination port, the packet encapsulation, and the incoming VLAN and encapsulation.
Chapter 29 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status Displaying SPAN and RSPAN Status To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
CHAPTER 30 Configuring RMON This chapter describes how to configure Remote Network Monitoring (RMON) on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information.
Chapter 30 Configuring RMON Configuring RMON Figure 30-1 Remote Monitoring Example (figure: a network management station running a generic RMON console application; blade servers with RMON history and statistic collection enabled, RMON alarms and events configured, and SNMP configured)
Chapter 30 Configuring RMON Configuring RMON Default RMON Configuration RMON is disabled by default; no alarms or events are configured. Configuring RMON Alarms and Events You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station. We recommend that you use a generic RMON console application on the network management station (NMS) to take advantage of the RMON network management capabilities.
Chapter 30 Configuring RMON Configuring RMON Command Purpose Step 3 rmon event number [description string] [log] [owner string] [trap community] Add an event in the RMON event table that is associated with an RMON event number. • For number, assign an event number. The range is 1 to 65535. • (Optional) For description string, specify a description of the event. • (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.
Chapter 30 Configuring RMON Configuring RMON Collecting Group History Statistics on an Interface You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 30 Configuring RMON Displaying RMON Status Command Step 3 Purpose rmon collection stats index [owner ownername] Enable RMON statistic collection on the interface. • For index, specify the RMON group of statistics. The range is from 1 to 65535. • (Optional) For owner ownername, enter the name of the owner of the RMON group of statistics. Step 4 end Return to privileged EXEC mode. Step 5 show running-config Verify your entries.
CHAPTER 31 Configuring System Message Logging This chapter describes how to configure system message logging on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Chapter 31 Configuring System Message Logging Configuring System Message Logging You can access logged system messages by using the switch command-line interface (CLI) or by saving them to a properly configured syslog server. The switch software saves syslog messages in an internal buffer on a standalone switch, and in the case of a switch stack, on the stack master. If a standalone switch or the stack master fails, the log is lost unless you had saved it to flash memory.
Chapter 31 Configuring System Message Logging Configuring System Message Logging Table 31-1 describes the elements of syslog messages. Table 31-1 System Log Message Elements Element Description seq no: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages” section on page 31-8. Date and time of the message or event.
Chapter 31 Configuring System Message Logging Configuring System Message Logging Default System Message Logging Configuration Table 31-2 shows the default system message logging configuration. Table 31-2 Default System Message Logging Configuration Feature Default Setting System message logging to the console Enabled. Console severity Debugging (and numerically lower levels; see Table 31-3 on page 31-10). Logging file configuration No filename specified. Logging buffer size 4096 bytes.
Chapter 31 Configuring System Message Logging Configuring System Message Logging The logging synchronous global configuration command also affects the display of messages to the console. When this command is enabled, messages appear only after you press Return. For more information, see the “Synchronizing Log Messages” section on page 31-6. To re-enable message logging after it has been disabled, use the logging on global configuration command.
Chapter 31 Configuring System Message Logging Configuring System Message Logging Step 6 Command Purpose terminal monitor Log messages to a nonconsole terminal during the current session. Terminal parameter-setting commands are set locally and do not remain in effect after the session has ended. You must perform this step for each session to see the debugging messages. Step 7 show running-config Verify your entries.
Chapter 31 Configuring System Message Logging Configuring System Message Logging Beginning in privileged EXEC mode, follow these steps to configure synchronous logging. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 line [console | vty] line-number [ending-line-number] Specify the line to be configured for synchronous logging of messages.
Chapter 31 Configuring System Message Logging Configuring System Message Logging Enabling and Disabling Time Stamps on Log Messages By default, log messages are not time-stamped. Beginning in privileged EXEC mode, follow these steps to enable time-stamping of log messages. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 service timestamps log uptime Enable log time stamps.
Chapter 31 Configuring System Message Logging Configuring System Message Logging Command Purpose Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable sequence numbers, use the no service sequence-numbers global configuration command. This example shows part of a logging display with sequence numbers enabled: 000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.
Chapter 31 Configuring System Message Logging Configuring System Message Logging Table 31-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.
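The guide shows what a sequence-numbered message looks like and how the severity keywords map to numeric levels, but not what a collector does with them. The following Python is an added example, not code from the guide or from Cisco: it parses constructed system messages in the format the guide describes (optional sequence number, optional timestamp, then %FACILITY-SEVERITY-MNEMONIC), filters them by severity the way a logging trap level would, reports gaps in the sequence numbers (dropped messages between switch and collector) and lists every configuration-change message. The sample lines, interface names and addresses are constructed; the level names follow the guide's table.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Severity levels as the guide's level table lists them (0 = most severe).
SEVERITY_NAME = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Constructed sample output, in the shape the guide shows when both
# 'service sequence-numbers' and 'service timestamps log datetime msec'
# are configured: "seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: text".
# Hosts, interfaces and addresses are made up for the example.
SAMPLE_LOG = """\
000019: *Mar  1 18:46:11.123: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
000020: *Mar  1 18:46:30.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/2, changed state to down
000021: *Mar  1 18:46:31.500: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/2, changed state to down
000023: *Mar  1 18:47:02.777: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.34.195.40)
000024: *Mar  1 18:47:10.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.34.195.99] [localport: 22] [Reason: Login Authentication Failed]
"""

# Sequence number and timestamp are both optional because each depends on a
# separate 'service ...' command; the %FACILITY-SEVERITY-MNEMONIC field is not.
MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>[^%:][^%]*?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


class Message(NamedTuple):
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_line(line: str) -> Optional[Message]:
    """Parse one system message; return None for lines that are not syslog messages."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return Message(
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
        facility=m["facility"],
        severity=int(m["sev"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
    )


def parse_log(text: str) -> List[Message]:
    return [msg for msg in map(parse_line, text.splitlines()) if msg is not None]


def at_or_above(msgs: List[Message], level: int) -> List[Message]:
    """Messages at 'level' or more severe (numerically lower), which is the set a
    'logging trap <level>' setting forwards to the syslog server."""
    return [m for m in msgs if m.severity <= level]


def sequence_gaps(msgs: List[Message]) -> List[Tuple[int, int]]:
    """(first missing, next seen) for every jump in the sequence numbers.
    A gap means messages were lost between the switch and the collector,
    which is what the sequence numbers are there to reveal."""
    gaps = []
    prev = None
    for m in msgs:
        if m.seq is None:
            continue
        if prev is not None and m.seq != prev + 1:
            gaps.append((prev + 1, m.seq))
        prev = m.seq
    return gaps


def config_changes(msgs: List[Message]) -> List[str]:
    """Who reconfigured the switch: the text of each %SYS-5-CONFIG_I message."""
    return [m.text for m in msgs if (m.facility, m.mnemonic) == ("SYS", "CONFIG_I")]


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    for m in at_or_above(msgs, 4):
        print(SEVERITY_NAME[m.severity], m.facility, m.mnemonic)
    print("sequence gaps:", sequence_gaps(msgs))
    print("config changes:", config_changes(msgs))
```

The parser also accepts the uptime-style timestamp that service timestamps log uptime produces, and lines without a sequence number, so it can be pointed at a buffer captured before those commands were enabled.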
Chapter 31 Configuring System Message Logging Configuring System Message Logging Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 logging history level Change the default level of syslog messages stored in the history file and sent to the SNMP server. See Table 31-3 on page 31-10 for a list of level keywords.
Chapter 31 Configuring System Message Logging Configuring System Message Logging Beginning in privileged EXEC mode, follow these steps to enable configuration logging: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 archive Enter archive configuration mode. Step 3 log config Enter configuration-change logger configuration mode. Step 4 logging enable Enable configuration change logging.
Chapter 31 Configuring System Message Logging Configuring System Message Logging Log in as root, and perform these steps: Note Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network. If this is the case with your system, use the UNIX man syslogd command to decide what options must be added to or removed from the syslog command line to enable logging of remote syslog messages. Step 1 Add a line such as the following to the file /etc/syslog.conf: local7.
Chapter 31 Configuring System Message Logging Displaying the Logging Configuration Command Purpose Step 6 show running-config Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a syslog server, use the no logging host global configuration command, and specify the syslog server IP address. To disable logging to syslog servers, enter the no logging trap global configuration command.
CHAPTER 32 Configuring SNMP This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Chapter 32 Configuring SNMP Understanding SNMP These sections contain this conceptual information: • SNMP Versions, page 32-2 • SNMP Manager Functions, page 32-3 • SNMP Agent Functions, page 32-4 • SNMP Community Strings, page 32-4 • Using SNMP to Access MIB Variables, page 32-4 • SNMP Notifications, page 32-5 • SNMP ifIndex MIB Object Values, page 32-5 SNMP Versions This software release supports these SNMP versions: • SNMPv1—The Simple Network Management Protocol, a Full Internet Standar
Chapter 32 Configuring SNMP Understanding SNMP Table 32-1 identifies the characteristics of the different combinations of security models and levels. Table 32-1 SNMP Security Models and Levels Model Level Authentication Encryption Result SNMPv1 noAuthNoPriv Community string No Uses a community string match for authentication. SNMPv2C noAuthNoPriv Community string No Uses a community string match for authentication.
Chapter 32 Configuring SNMP Understanding SNMP SNMP Agent Functions The SNMP agent responds to SNMP manager requests as follows: • Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value. • Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.
Chapter 32 Configuring SNMP Understanding SNMP SNMP Notifications SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests. In command syntax, unless there is an option in the command to select either traps or informs, the keyword traps refers to either traps or informs, or both. Use the snmp-server host command to specify whether to send SNMP notifications as traps or informs.
Chapter 32 Configuring SNMP Configuring SNMP Configuring SNMP These sections contain this configuration information: • Default SNMP Configuration, page 32-6 • SNMP Configuration Guidelines, page 32-6 • Disabling the SNMP Agent, page 32-7 • Configuring Community Strings, page 32-8 • Configuring SNMP Groups and Users, page 32-9 • Configuring SNMP Notifications, page 32-11 • Setting the Agent Contact and Location Information, page 32-15 • Limiting TFTP Servers Used Through SNMP, page 32-15 •
Chapter 32 Configuring SNMP Configuring SNMP When configuring SNMP, follow these guidelines: • When configuring an SNMP group, do not specify a notify view. The snmp-server host global configuration command autogenerates a notify view for the user and then adds it to the group associated with that user. Modifying the group's notify view affects all users associated with that group. See the Cisco IOS Configuration Fundamentals Command Reference, Release 12.
Chapter 32 Configuring SNMP Configuring SNMP Configuring Community Strings You use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the switch.
Chapter 32 Configuring SNMP Configuring SNMP Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Note To disable access for an SNMP community, set the community string for that community to the null string (do not enter a value for the community string). To remove a specific community string, use the no snmp-server community string global configuration command.
Chapter 32 Configuring SNMP Configuring SNMP Command Purpose Step 3 snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list] Configure a new SNMP group on the remote device. • For groupname, specify the name of the group. • Specify a security model: – v1 is the least secure of the possible security models. – v2c is the second least secure model. It allows transmission of informs and integers twice the normal width.
Chapter 32 Configuring SNMP Configuring SNMP Command Purpose Step 4 snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]} Add a new user for an SNMP group. • The username is the name of the user on the host that connects to the agent. • The groupname is the name of the group to which the user is associated.
Chapter 32 Configuring SNMP Configuring SNMP Table 32-5 Switch Notification Types (continued) Notification Type Keyword Description cluster Generates a trap when the cluster configuration changes. config Generates a trap for SNMP configuration changes. copy-config Generates a trap for SNMP copy configuration changes. entity Generates a trap for SNMP entity changes. envmon Generates environmental monitor traps.
Chapter 32 Configuring SNMP Configuring SNMP Table 32-5 Note Switch Notification Types (continued) Notification Type Keyword Description vlan-membership Generates a trap for SNMP VLAN membership changes. vlancreate Generates SNMP VLAN created traps. vlandelete Generates SNMP VLAN deleted traps. vtp Generates a trap for VLAN Trunking Protocol (VTP) changes. Though visible in the command-line help strings, the cpu [threshold] keyword is not supported.
Chapter 32 Configuring SNMP Configuring SNMP Step 5 Command Purpose snmp-server host host-addr [informs | traps] [version {1 | 2c | 3 {auth | noauth | priv}}] community-string [notification-type] Specify the recipient of an SNMP trap operation. • For host-addr, specify the name or Internet address of the host (the targeted recipient). • (Optional) Enter informs to send SNMP informs to the host. • (Optional) Enter traps (the default) to send SNMP traps to the host.
Chapter 32 Configuring SNMP Configuring SNMP To remove the specified host from receiving traps, use the no snmp-server host host global configuration command. The no snmp-server host command with no keywords disables traps, but not informs, to the host. To disable informs, use the no snmp-server host informs global configuration command. To disable a specific trap type, use the no snmp-server enable traps notification-types global configuration command.
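Table 32-1 and the community-string, group and host procedures above describe which SNMP settings authenticate and which encrypt. As an added example that is not the guide's or Cisco's code, the following Python audits a constructed running-config fragment against that table: it flags community strings (a clear-text string is the only authentication, RW is worse than RO, and a missing access list leaves any manager able to use it), groups whose model or level gives no encryption, and notification hosts that are not SNMPv3 priv. The configuration lines, group names, community strings and addresses are constructed; that an omitted version keyword on snmp-server host means version 1 is an assumption of this example, not a statement from the page.

```python
from typing import List, Tuple

# Table 32-1 of the guide, as data: (model, level) -> (what authenticates, encrypted?).
SECURITY_LEVELS = {
    ("v1", "noAuthNoPriv"): ("community string", False),
    ("v2c", "noAuthNoPriv"): ("community string", False),
    ("v3", "noauth"): ("username", False),
    ("v3", "auth"): ("MD5 or SHA", False),
    ("v3", "priv"): ("MD5 or SHA", True),
}

# Constructed running-config fragment; names, strings and addresses are made up.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server group LEGACY v2c read ALLVIEW
snmp-server group OPENV3 v3 noauth read ALLVIEW
snmp-server group NETOPS v3 priv read ROVIEW access 10
snmp-server host 192.0.2.50 version 2c public
snmp-server host 192.0.2.51 version 3 priv alice
"""

Finding = Tuple[str, str, str]   # (severity, config line, reason)


def audit_snmp(config: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "snmp-server":
            continue
        kind = tok[1]
        if kind == "community":
            # snmp-server community string [view view-name] [ro | rw] [access-list-number]
            opts = [t.upper() for t in tok[3:]]
            mode = "RW" if "RW" in opts else "RO"
            reason = f"{mode} community string: authentication is a clear-text string, no encryption"
            if not (opts and opts[-1].isdigit()):
                reason += "; no access list limits which managers may use it"
            findings.append(("high" if mode == "RW" else "medium", raw, reason))
        elif kind == "group":
            # snmp-server group name {v1 | v2c | v3 {auth | noauth | priv}} ...
            name, model = tok[2], tok[3]
            level = tok[4] if model == "v3" and len(tok) > 4 else "noAuthNoPriv"
            auth, encrypted = SECURITY_LEVELS.get((model, level), ("unknown", False))
            if not encrypted:
                sev = "high" if auth in ("community string", "username") else "medium"
                findings.append((sev, raw, f"group {name} is {model} {level}: authenticated by {auth}, not encrypted"))
        elif kind == "host":
            # snmp-server host addr [informs | traps] [version {1 | 2c | 3 {auth | noauth | priv}}] string ...
            i = 3
            if tok[i] in ("informs", "traps"):
                i += 1
            version, level = "1", "noAuthNoPriv"     # assumed default when 'version' is omitted
            if i + 1 < len(tok) and tok[i] == "version":
                version = tok[i + 1]
                i += 2
                if version == "3" and i < len(tok):
                    level = tok[i]
            if version != "3":
                findings.append(("medium", raw, f"notifications to {tok[2]} use SNMPv{version}: community string travels in clear text"))
            elif level != "priv":
                findings.append(("medium", raw, f"notifications to {tok[2]} use SNMPv3 {level}: not encrypted"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in audit_snmp(SAMPLE_CONFIG):
        print(f"[{severity}] {line}\n    {reason}")
```

Only the v3 priv group and the v3 priv notification host pass; everything else in the fragment gets a finding, which matches the ordering of Table 32-1 from least to most secure.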
Chapter 32 Configuring SNMP Configuring SNMP Step 3 Command Purpose access-list access-list-number {deny | permit} source [source-wildcard] Create a standard access list, repeating the command as many times as necessary. • For access-list-number, enter the access list number specified in Step 2. • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
Chapter 32 Configuring SNMP Displaying SNMP Status This example shows how to send Entity MIB traps to the host cisco.com. The community string is restricted. The first line enables the switch to send Entity MIB traps in addition to any traps previously enabled. The second line specifies the destination of these traps and overwrites any previous snmp-server host commands for the host cisco.com. Switch(config)# snmp-server enable traps entity Switch(config)# snmp-server host cisco.
CHAPTER 33 Configuring Embedded Event Manager This chapter describes how to use the embedded event manager (EEM) to monitor and manage the switch and how to configure it. Unless otherwise noted, the term switch refers to a standalone switch or a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3T.
Chapter 33 Configuring Embedded Event Manager Understanding Embedded Event Manager Figure 33-1 Embedded Event Manager Core Event Detectors (figure: core event publishers, Cisco IOS parser text, syslog message queue, OIR events, the event manager run CLI command and hardware timers, feeding the CLI, SYSLOG, OIR, NONE, Timer and Counter event detectors; the Embedded Event Manager server passes events to the EEM policy director, which subscribes to receive events and implements policy actions)
Chapter 33 Configuring Embedded Event Manager Understanding Embedded Event Manager EEM allows these event detectors: • Application-specific event detector– Allows any EEM policy to publish an event. • IOS CLI event detector– Generates policies based on the commands entered through the CLI. • GOLD event detector– Publishes an event when a GOLD failure event is detected on a specified card and subcard. • Counter event detector–Publishes an event when a named counter crosses a specified threshold.
Chapter 33 Configuring Embedded Event Manager Understanding Embedded Event Manager Embedded Event Manager Actions EEM provides actions that occur in response to an event. EEM supports these actions: • Modifying a named counter. • Publishing an application-specific event. • Generating an SNMP trap. • Generating prioritized syslog messages. • Reloading the Cisco IOS software. • Reloading the switch stack. • Reloading the master switch in the event of a master switchover.
Chapter 33 Configuring Embedded Event Manager Configuring Embedded Event Manager • Cisco built-in variables (available in EEM applets) Defined by Cisco and can be read-only or read-write. The read-only variables are set by the system before an applet starts to execute. The single read-write variable, _exit_status, allows you to set the exit status for policies triggered from synchronous events.
Chapter 33 Configuring Embedded Event Manager Configuring Embedded Event Manager Step 4 Step 5 Command Purpose action label syslog [priority priority-level] msg msg-text Specify the action when an EEM applet is triggered. Repeat this action to add other CLI commands to the applet. • (Optional) The priority keyword specifies the priority level of the syslog messages. If selected, you need to define the priority-level argument.
Chapter 33 Configuring Embedded Event Manager Displaying Embedded Event Manager Information 4 _config_cmd1 interface Ethernet1/0 5 _config_cmd2 no shut This example shows a CRON timer environment variable, which is assigned by the software, to be set to every second minute, every hour of every day: Switch(config)# event manager environment _cron_entry 0-59/2 0-23/1 * * 0-6 This example shows the sample EEM policy named tm_cli_cmd.tcl registered as a system policy.
CHAPTER 34 Configuring Network Security with ACLs This chapter describes how to configure network security on the switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note Information in this chapter about IP ACLs is specific to IP Version 4 (IPv4). For information about IPv6 ACLs, see Chapter 35, “Configuring IPv6 ACLs.
Chapter 34 Configuring Network Security with ACLs Understanding ACLs You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces.
Chapter 34 Configuring Network Security with ACLs Understanding ACLs • When an output router ACL and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL. Other packets are not filtered. • When a VLAN map, input router ACL, and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL.
Chapter 34 Configuring Network Security with ACLs Understanding ACLs Figure 34-1 Using ACLs to Control Traffic to a Network (figure: Blade Server A and Blade Server B, the Research & Development network and the Human Resources network; an ACL denies traffic from Blade Server B and permits traffic from Blade Server A) When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port.
Chapter 34 Configuring Network Security with ACLs Understanding ACLs As with port ACLs, the switch examines ACLs associated with features configured on a given interface. However, router ACLs are supported in both directions. As packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface are examined.
Chapter 34 Configuring Network Security with ACLs Understanding ACLs • Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information. Consider access list 102, configured with these commands, applied to three fragmented packets: Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp Switch(config)# access-list 102 deny tcp any host 10.1.1. Switch(config)# access-list 102 Switch(config)# access-list 102 Note
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs Stack members perform these ACL functions: • They receive the ACL information from the master switch and program their hardware. • They act as standby switches, ready to take over the role of the stack master if the existing master were to fail and they were to be elected as the new stack master. When a stack master fails and a new stack master is elected, the newly elected master reparses the backed up running configuration.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs Creating Standard and Extended IPv4 ACLs This section describes IP ACLs. An ACL is a sequential collection of permit and deny conditions. One by one, the switch tests packets against the conditions in an access list. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of the conditions is critical.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs Table 34-1 Note Access List Numbers (continued) Access List Number Type Supported 1200–1299 IPX summary address access list No 1300–1999 IP standard access list (expanded range) Yes 2000–2699 IP extended access list (expanded range) Yes In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs by using the supported numbers.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs Creating a Numbered Standard ACL Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard] [log] Define a standard IPv4 access list by using a source address and wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs The switch always rewrites the order of standard access lists so that entries with host matches and entries with matches having a don’t care mask of 0.0.0.0 are moved to the top of the list, above any entries with non-zero don’t care masks. Therefore, in show command output and in the configuration file, the ACEs do not necessarily appear in the order in which they were entered.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs Beginning in privileged EXEC mode, follow these steps to create an extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs or or Step 2b Command Purpose access-list access-list-number {deny | permit} protocol any any [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp] In access-list configuration mode, define an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs Step 2d Command Purpose access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp] (Optional) Define an extended ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs After creating a numbered extended ACL, you can apply it to terminal lines (see the “Applying an IPv4 ACL to a Terminal Line” section on page 34-19), to interfaces (see the “Applying an IPv4 ACL to an Interface” section on page 34-20), or to VLANs (see the “Configuring VLAN Maps” section on page 34-29).
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs Beginning in privileged EXEC mode, follow these steps to create a standard ACL using names: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip access-list standard name Define a standard IPv4 access list using a name, and enter access-list configuration mode. The name can be a number from 1 to 99.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs When you are creating standard or extended ACLs, remember that, by default, the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end. For standard ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask. After you create an ACL, any additions are placed at the end of the list.
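The chapter states three rules that decide what an ACL does to a packet: the first matching entry wins, an unmatched packet hits the implicit deny at the end, and a deny ACE that checks Layer 4 information never matches a non-initial fragment. The following Python is an added example, not code from the guide or from Cisco: it models wildcard-mask matching (including the 0.0.0.0 default a standard ACL assumes), first-match evaluation with the implicit deny, and the fragment rule, then runs a constructed extended ACL over whole packets and non-initial fragments. The ACL, the helper names and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed and are not the guide's access list 102; the companion rule that a permit ACE with a Layer 4 check matches a non-initial fragment on its Layer 3 fields is taken from Cisco's ACL fragment documentation and is an assumption of this example rather than a statement on this page.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard is 'don't care'.
    The default 0.0.0.0 (what a standard ACL assumes when the mask is omitted)
    requires an exact host match; 255.255.255.255 is 'any'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


@dataclass
class ACE:
    """One access control entry. dst_port (an 'eq' match) is Layer 4 information."""
    action: str                      # "permit" or "deny"
    protocol: str = "ip"             # "ip" matches any IP protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"  # source 'any'
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"  # destination 'any'
    dst_port: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None
    fragment_offset: int = 0         # non-zero: a non-initial fragment with no Layer 4 header


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    # Layer 3 checks: protocol, then source and destination under their wildcard masks.
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not (wildcard_match(pkt.src, ace.src, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)):
        return False
    if ace.dst_port is None:
        return True                  # Layer 3 only: matches whole packets and fragments alike
    if pkt.fragment_offset != 0:
        # Non-initial fragment: there is no port to compare. A permit ACE is taken
        # to match on its Layer 3 fields (assumed companion rule); a deny ACE that
        # checks Layer 4 information never matches such a fragment (the guide's rule).
        return ace.action == "permit"
    return pkt.dst_port == ace.dst_port


def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """First match decides; the ACL ends in an implicit deny for everything else."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def host(action: str, protocol: str, dst: str, port: Optional[int] = None) -> ACE:
    """Shorthand for '<action> <protocol> any host <dst> [eq <port>]'."""
    return ACE(action, protocol, dst=dst, dst_wc="0.0.0.0", dst_port=port)


# Constructed extended ACL (not the guide's list 102); documentation-range addresses.
SAMPLE_ACL = [
    host("permit", "tcp", "192.0.2.10", 25),   # permit tcp any host 192.0.2.10 eq smtp
    host("deny", "tcp", "192.0.2.20", 23),     # deny tcp any host 192.0.2.20 eq telnet
    host("permit", "tcp", "192.0.2.20"),       # permit tcp any host 192.0.2.20
]                                              # implicit: deny ip any any


def decide(dst: str, protocol: str = "tcp", port: Optional[int] = None,
           fragment: bool = False) -> str:
    """Run one constructed packet (or one of its non-initial fragments) through SAMPLE_ACL."""
    pkt = Packet("198.51.100.7", dst, protocol, None if fragment else port,
                 fragment_offset=1 if fragment else 0)
    return evaluate(SAMPLE_ACL, pkt)


if __name__ == "__main__":
    print(decide("192.0.2.10", port=25))                 # permit
    print(decide("192.0.2.10", port=25, fragment=True))  # permit: ACE 1 matches on Layer 3
    print(decide("192.0.2.20", port=23))                 # deny
    print(decide("192.0.2.20", port=23, fragment=True))  # permit: deny ACE skipped, ACE 3 matches
    print(decide("192.0.2.10", protocol="udp"))          # deny: implicit deny at the end
```

The fourth call is the case the chapter warns about: the Telnet deny stops the first fragment, but the later fragments fall through to the broader permit, so a deny that depends on port numbers does not by itself keep fragmented traffic off a host.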
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs Beginning in privileged EXEC mode, follow these steps to configure a time-range parameter for an ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 time-range time-range-name Assign a meaningful name (for example, workhours) to the time range to be created, and enter time-range configuration mode. The name cannot contain a space or quotation mark and must begin with a letter.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs This example uses named ACLs to permit and deny the same traffic.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 line [console | vty] line-number Identify a specific line to configure, and enter in-line configuration mode. • console—Specify the console terminal line. The console port is DCE.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs Beginning in privileged EXEC mode, follow these steps to control access to an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Identify a specific interface for configuration, and enter interface configuration mode. The interface can be a Layer 2 interface (port ACL), or a Layer 3 interface (router ACL).
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs Hardware and Software Treatment of IP ACLs ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to the CPU for software processing. If the hardware reaches its capacity to store ACL configurations, packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is substantially less than for hardware-forwarded traffic.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs Use router ACLs to do this in one of two ways: • Create a standard ACL, and filter traffic coming to the server from Port 1. • Create an extended ACL, and filter traffic coming from the server into Port 1. Figure 34-3 Using Router ACLs to Control Traffic Blade server B Port 2 Port 1 Accounting 172.20.128.64-95 201775 Human Resources 172.20.128.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs Numbered ACLs In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the switch accepts one address on subnet 48 and reject all others on that subnet. The last line of the list shows that the switch accepts addresses on all other network 36.0.0.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs Named ACLs This example creates a standard ACL named internet_filter and an extended ACL named marketing_group. The internet_filter ACL allows all traffic from the source address 1.2.3.4. Switch(config)# ip access-list standard Internet_filter Switch(config-ext-nacl)# permit 1.2.3.4 Switch(config-ext-nacl)# exit The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs In this example of a numbered ACL, the Winter and Smith servers are not allowed to browse the web: Switch(config)# Switch(config)# Switch(config)# Switch(config)# access-list access-list access-list access-list 100 100 100 100 remark Do deny host remark Do deny host not allow Winter to browse the web 171.69.3.85 any eq www not allow Smith to browse the web 171.69.3.
Chapter 34 Configuring Network Security with ACLs Creating Named MAC Extended ACLs This is an example of a log for an extended ACL:
01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet
01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets
01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.
Step 3 {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination MAC address mask} [type mask | lsap lsap mask | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp | 0-65535] [cos cos] In extended MAC acce
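The log excerpt above is what the log keyword on an ACE produces. The following parser and summarizer is an added example, not part of the guide or of Cisco's software: it splits %SEC-6-IPACCESSLOG* messages into fields and totals the packet counts per list, action and flow, which is the first step toward alerting on a sender that an ACL keeps denying. The four sample lines are constructed in the same format as the excerpt (the page's last line is cut off, so its count of 8 packets is a constructed value).

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Message format produced by the 'log' keyword on an ACE. IPACCESSLOGDP lines
# carry the ICMP type/code as "(type/code)"; IPACCESSLOGP lines carry TCP/UDP
# ports as "addr(port)". The trailing count is the number of packets this
# message covers.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}):%SEC-6-(?P<mnemonic>IPACCESSLOG\w+):"
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?$"
)

# Constructed sample in the format of the log excerpt on the page (the last
# line's packet count of 8 is a constructed value).
SAMPLE_LOG = [
    "01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet",
    "01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets",
    "01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet",
    "01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 8 packets",
]

_INT_FIELDS = ("sport", "dport", "itype", "icode", "count")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the message fields as a dict, or None for a line that is not an
    ACL log message. Numeric fields become ints (None when absent)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    for key in _INT_FIELDS:
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


FlowKey = Tuple[str, str, str, str, str]   # (acl, action, proto, src, dst)


def summarize(lines: List[str]) -> Dict[FlowKey, int]:
    """Total packets per (acl, action, proto, src, dst). The switch logs the
    first matching packet and then periodic summaries with the packets seen
    since the previous message, so summing the counts gives the total logged."""
    totals: Dict[FlowKey, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["acl"], rec["action"], rec["proto"], rec["src"], rec["dst"])
        totals[key] += rec["count"]
    return dict(totals)


def denied_sources(lines: List[str], threshold: int) -> Dict[str, int]:
    """Source addresses whose denied-packet total reaches the threshold; a
    simple starting point for alerting on a noisy blocked sender."""
    per_src: Dict[str, int] = defaultdict(int)
    for (acl, action, proto, src, dst), n in summarize(lines).items():
        if action == "denied":
            per_src[src] += n
    return {src: n for src, n in per_src.items() if n >= threshold}


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(key, n)
    print(denied_sources(SAMPLE_LOG, 5))   # {'0.0.0.0': 9}
```

Lines that do not match the pattern (other syslog messages, or messages with the log-input keyword, which add the ingress interface and source MAC and are not handled here) are skipped rather than raising, so the summarizer can be fed a whole syslog file.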
Chapter 34 Configuring Network Security with ACLs Configuring VLAN Maps • A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that already has a MAC ACL configured, the new ACL replaces the previously configured one. Beginning in privileged EXEC mode, follow these steps to apply a MAC access list to control access to a Layer 2 interface: Step 1 configure terminal Enter global configuration mode.
To create a VLAN map and apply it to one or more VLANs, perform these steps: Step 1 Create the standard or extended IPv4 ACLs or named MAC extended ACLs that you want to apply to the VLAN. See the “Creating Standard and Extended IPv4 ACLs” section on page 34-8 and the “Creating a VLAN Map” section on page 34-31. Step 2 Enter the vlan access-map global configuration command to create a VLAN ACL map entry.
• When a frame is Layer-2 forwarded within a private VLAN, the same VLAN map is applied at the ingress side and at the egress side. When a frame is routed from inside a private VLAN to an external port, the private-VLAN map is applied at the ingress side. – For frames going upstream from a host port to a promiscuous port, the VLAN map configured on the secondary VLAN is applied.
Examples of ACLs and VLAN Maps These examples show how to create ACLs and VLAN maps for specific purposes. Example 1 This example shows how to create an ACL and a VLAN map to deny a packet. In the first map, any packets that match the ip1 ACL (TCP packets) would be dropped. You first create the ip1 ACL to permit any TCP packet and no other packets.
Example 3 In this example, the VLAN map has a default action of drop for MAC packets and a default action of forward for IP packets. Used with MAC extended access lists good-hosts and good-protocols, the map will have the following results: • Forward MAC packets from hosts 0000.0c00.0111 and 0000.0c00.
Applying a VLAN Map to a VLAN Beginning in privileged EXEC mode, follow these steps to apply a VLAN map to one or more VLANs: Step 1 configure terminal Enter global configuration mode. Step 2 vlan filter mapname vlan-list list Apply the VLAN map to one or more VLAN IDs. The list can be a single VLAN ID (22), a consecutive list (10-22), or a string of VLAN IDs (12, 22, 30).
Chapter 34 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs Figure 34-4 Deny Access to a Server on Another VLAN (figure labels: VLAN map, 10.1.1.100, Subnet 10.1.2.0/8, Server (VLAN 10), 10.1.1.4, Layer 3 switch, Host (VLAN 10), Host (VLAN 20), Packet, Host (VLAN 10), 10.1.1.8) This example shows how to deny access to a server on another VLAN by creating the VLAN map SERVER1 that denies access to hosts in subnet 10.1.2.0/8, host 10.1.1.4, and host 10.1.1.8 and permits other IP traffic.
Note When you use router ACLs with VLAN maps, packets that require logging on the router ACLs are not logged if they are denied by a VLAN map. If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not match the type, the default is to drop the packet. If there is no match clause in the VLAN map, and no action specified, the packet is forwarded if it does not match any VLAN map entry.
Examples of Router ACLs and VLAN Maps Applied to VLANs This section gives examples of applying router ACLs and VLAN maps to a VLAN for switched, bridged, routed, and multicast packets. Although the following illustrations show packets being forwarded to their destination, each time the packet’s path crosses a line indicating a VLAN map or an ACL, it is also possible that the packet might be dropped rather than forwarded.
Figure 34-6 Applying ACLs on Bridged Packets (figure labels: VLAN 10 map, VLAN 20 map, Frame, Blade server A (VLAN 10), Blade server B (VLAN 20), VLAN 10, VLAN 20, Packet, Fallback bridge) ACLs and Routed Packets Figure 34-7 shows how ACLs are applied on routed packets. For routed packets, the ACLs are applied in this order: 1. VLAN map for input VLAN 2. Input router ACL 3. Output router ACL 4.
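The rules stated in this chapter for IPv4 ACLs (first match wins, wildcard masks, an omitted mask meaning 0.0.0.0, and the implicit deny at the end of every list) and for VLAN maps (an ACL permit means the entry matches, and a packet matching no entry is dropped when the map has a match clause for its packet type) can be checked offline before a list is applied to a switch. The following model is an added example, not Cisco's code or the guide's own material; it rebuilds access list 2 from the Numbered ACLs description (36.48.0.3 as the one accepted host is a constructed value), access list 100 from the web-browsing example (tcp is assumed for the eq www match, and 171.69.3.99 is a placeholder for Smith's truncated address), and Example 1's map with the ip1 ACL. MAC match clauses are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """Cisco wildcard-mask semantics: a 0 bit in the mask must match, a 1 bit
    is ignored. The default 0.0.0.0 reproduces the standard-ACL rule that an
    omitted mask means 'exactly this host'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    """One access control entry. A standard ACL uses only action/src/src_wc."""
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str = "0.0.0.0"
    proto: str = "ip"                 # "ip" matches any IP protocol
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # default: any destination
    dst_port: Optional[int] = None    # models only the 'eq' port operator


@dataclass
class Packet:
    src: str
    dst: str = "0.0.0.0"
    proto: str = "ip"
    dst_port: Optional[int] = None


def evaluate_acl(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, index of the matching ACE); a
    packet that matches nothing hits the implicit deny, reported as index None."""
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return ace.action, idx
    return "deny", None


@dataclass
class MapEntry:
    """One 'vlan access-map NAME SEQ' entry: an optional 'match ip address' ACL
    plus an action. An entry without a match clause matches every packet."""
    action: str                       # "forward" or "drop"
    ip_acl: Optional[List[Ace]] = None


def evaluate_vlan_map(entries: List[MapEntry], pkt: Packet) -> str:
    """VLAN-map semantics for an IP packet: an ACL 'permit' means 'this entry
    matches', so the entry's action applies; an ACL 'deny' (or the implicit
    deny) means 'try the next entry'. A packet that matches no entry is dropped
    when the map contains a match clause for IP packets, else forwarded."""
    has_ip_clause = any(e.ip_acl is not None for e in entries)
    for e in entries:
        if e.ip_acl is None or evaluate_acl(e.ip_acl, pkt)[0] == "permit":
            return e.action
    return "drop" if has_ip_clause else "forward"


# access-list 2 from the 'Numbered ACLs' example, rebuilt from its description
# (36.48.0.3 as the one accepted host on subnet 48 is a constructed value).
ACL_2 = [
    Ace("permit", "36.48.0.3"),                   # one host on subnet 48
    Ace("deny",   "36.48.0.0", "0.0.255.255"),    # everything else on subnet 48
    Ace("permit", "36.0.0.0",  "0.255.255.255"),  # all other 36.0.0.0 subnets
]

# access-list 100 from the web-browsing example (tcp is assumed because
# 'eq www' needs a port-carrying protocol). Smith's address is cut off on the
# page, so 171.69.3.99 is a placeholder.
ACL_100 = [
    Ace("deny", "171.69.3.85", proto="tcp", dst_port=80),   # Winter
    Ace("deny", "171.69.3.99", proto="tcp", dst_port=80),   # Smith (placeholder)
]
# The same list with a trailing 'permit ip any any'; without it the implicit
# deny at the end blocks all of Winter's and Smith's other traffic as well.
ACL_100_PERMIT_REST = ACL_100 + [Ace("permit", "0.0.0.0", "255.255.255.255")]

# Example 1: ACL ip1 permits only TCP; the map drops whatever ip1 matches.
IP1 = [Ace("permit", "0.0.0.0", "255.255.255.255", proto="tcp")]
MAP_1 = [MapEntry("drop", IP1)]
# Same map with a catch-all forward entry (constructed), which is what keeps
# the remaining IP traffic flowing instead of hitting the default drop.
MAP_1_FORWARD_REST = MAP_1 + [MapEntry("forward")]

if __name__ == "__main__":
    print(evaluate_acl(ACL_2, Packet("36.48.0.3")))                              # ('permit', 0)
    print(evaluate_acl(ACL_100, Packet("171.69.3.85", "10.0.0.1", "tcp", 443)))  # ('deny', None)
    print(evaluate_vlan_map(MAP_1, Packet("10.1.1.1", "10.1.1.2", "udp", 53)))   # drop
```

The two results printed for access list 100 and MAP_1 are the cases that most often surprise in practice: a list with only deny entries blocks everything, and a map whose only entry has an IP match clause drops the IP packets that entry does not match.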
Chapter 34 Configuring Network Security with ACLs Displaying IPv4 ACL Configuration ACLs and Multicast Packets Figure 34-8 shows how ACLs are applied on packets that are replicated for IP multicasting. A multicast packet being routed has two different kinds of filters applied: one for destinations that are other ports in the input VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed.
Table 34-2 Commands for Displaying Access Lists and Access Groups (continued) show ip interface interface-id Display detailed configuration and status of an interface. If IP is enabled on the interface and ACLs have been applied by using the ip access-group interface configuration command, the access groups are included in the display.
Chapter 35 Configuring IPv6 ACLs When the switch is running the advanced IP services feature set, you can filter IP Version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces similarly to the way that you create and apply IP Version 4 (IPv4) named ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic when the switch is running the IP services or IP base feature set.
Chapter 35 Configuring IPv6 ACLs Understanding IPv6 ACLs Understanding IPv6 ACLs A switch running the advanced IP services feature set supports two types of IPv6 ACLs: • IPv6 router ACLs are supported on outbound or inbound traffic on Layer 3 interfaces, which can be routed ports, switch virtual interfaces (SVIs), or Layer 3 EtherChannels. IPv6 router ACLs apply only to IPv6 packets that are routed. • IPv6 port ACLs are supported on inbound traffic on Layer 2 interfaces only.
Supported ACL Features IPv6 ACLs on the switch have these characteristics: • Fragmented frames (the fragments keyword as in IPv4) are supported. • The same statistics supported in IPv4 are supported for IPv6 ACLs. • If the switch runs out of hardware space, packets associated with the ACL are forwarded to the CPU, and the ACLs are applied in software. • Routed or bridged packets with hop-by-hop options have IPv6 ACLs applied in software.
Chapter 35 Configuring IPv6 ACLs Configuring IPv6 ACLs If a new switch takes over as stack master, it distributes the ACL configuration to all stack members. The member switches sync up the configuration distributed by the new stack master and flush out entries that are not required. When an ACL is modified, attached to, or detached from an interface, the stack master distributes the change to all stack members.
• You cannot use MAC ACLs to filter IPv6 frames. MAC ACLs can only filter non-IP frames. • If the hardware memory is full, for any additional configured ACLs, packets are forwarded to the CPU, and the ACLs are applied in software. Creating IPv6 ACLs Beginning in privileged EXEC mode, follow these steps to create an IPv6 ACL: Step 1 configure terminal Enter global configuration mode.
Step 3a {deny | permit} protocol {source-ipv6-prefix/prefix-length | Enter deny or permit to specify whether to deny or permit the packet if conditions are matched.
Step 3b {deny | permit} tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] (Optional) Define a TCP access list and the access conditions. Enter tcp for Transmission Control Protocol. The parameters are the same as those described in Step 3a, with these additional optional parameters: • ack—Acknowledgment bit set.
Use the no {deny | permit} IPv6 access-list configuration commands with keywords to remove the deny or permit conditions from the specified access list. This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000.
Chapter 35 Configuring IPv6 ACLs Displaying IPv6 ACLs Use the no ipv6 traffic-filter access-list-name interface configuration command to remove an access list from an interface.
Chapter 36 Configuring QoS This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Chapter 36 Configuring QoS Understanding QoS Understanding QoS Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
Figure 36-1 QoS Classification Layers in Frames and Packets (figure labels: Encapsulated Packet: Layer 2 header, IP header, Data; Layer 2 ISL Frame: ISL header (26 bytes), Encapsulated frame 1... (24.5 KB), FCS (4 bytes), 3 bits used for CoS; Layer 2 802.1Q and 802.
Figure 36-2 shows the basic QoS model. Actions at the ingress port include classifying traffic, policing, marking, queueing, and scheduling: • Classifying generates a distinct path for a packet by associating it with a QoS label. The switch maps the CoS or DSCP in the packet to a QoS label to distinguish one kind of traffic from another. The QoS label that is generated identifies all future QoS actions to be performed on this packet.
Classification Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally disabled, so no classification occurs. During classification, the switch performs a lookup and assigns a QoS label to the packet.
After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages. Figure 36-3 Classification Flowchart (flowchart labels: Start; Read ingress interface configuration for classification; IP and non-IP traffic; Trust CoS (IP and non-IP traffic); Trust DSCP (IP traffic); Trust DSCP or IP precedence (non-IP traffic); Trust IP precedence (IP traffic); Assign DSCP identical to DSCP in packet.)
Classification Based on QoS ACLs You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs: • If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.
The policy map can contain the police and police aggregate policy-map class configuration commands, which define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded. To enable the policy map, you attach it to a port by using the service-policy interface configuration command. You can apply a nonhierarchical policy map to a physical port or an SVI.
Policing on Physical Ports In policy maps on physical ports, you can create these types of policers: • Individual—QoS applies the bandwidth limits specified in the policer separately to each matched traffic class. You configure this type of policer within a policy map by using the police policy-map class configuration command. • Aggregate—QoS applies the bandwidth limits specified in an aggregate policer cumulatively to all matched traffic flows.
Figure 36-4 Policing and Marking Flowchart on Physical Ports (flowchart: Start; get the classification result for the packet; is a policer configured for this packet? No: pass through. Yes: check if the packet is in profile by querying the policer. Yes: pass through. No: check the out-of-profile action configured for this policer. Drop: drop the packet. Mark: modify the DSCP according to the policed-DSCP map and generate a new QoS label. Done.)
When configuring policing on an SVI, you can create and configure a hierarchical policy map with these two levels: • VLAN level—Create this primary level by configuring class maps and classes that specify the port trust state or set a new DSCP or IP precedence value in the packet. The VLAN-level policy map applies only to the VLAN in an SVI and does not support policers.
Mapping Tables During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS label based on the DSCP or CoS value from the classification stage: • During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or CoS value from a received CoS, DSCP, or IP precedence value. These maps include the CoS-to-DSCP map and the IP-precedence-to-DSCP map.
Queueing and Scheduling Overview The switch has queues at specific points to help prevent congestion as shown in Figure 36-6.
Figure 36-7 WTD and Queue Operation (figure: a queue of 1000 frames with three WTD thresholds: 100% (1000) for CoS 6-7, 60% (600) for CoS 4-5, and 40% (400) for CoS 0-3.) For more information, see the “Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds” section on page 36-67, the “Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set” section on page 36-71, and the “Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID” section on page 36-73.
Queueing and Scheduling on Ingress Queues Figure 36-8 shows the queueing and scheduling flowchart for ingress ports. Figure 36-8 Queueing and Scheduling Flowchart for Ingress Ports (flowchart: Start; read QoS label (DSCP or CoS value); determine ingress queue number, buffer allocation, and WTD thresholds; are thresholds being exceeded? Yes: drop packet. No: queue the packet; service the queue according to the SRR weights; send packet to the stack ring.)
You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
Queueing and Scheduling on Egress Queues Figure 36-9 shows the queueing and scheduling flowchart for egress ports. Note If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues. Figure 36-9 Queueing and Scheduling Flowchart for Egress Ports (flowchart: Start; receive packet from the stack ring; read QoS label (DSCP or CoS value); determine egress queue number and threshold based on the label.)
These queues are assigned to a queue-set. All traffic exiting the switch flows through one of these four queues and is subjected to a threshold based on the QoS label assigned to the packet. Figure 36-10 shows the egress queue buffer. The buffer space is divided between the common pool and the reserved pool.
WTD Thresholds You can assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an egress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue output dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue output cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
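The policing and marking flowchart above has three outcomes for a packet with a policer configured: pass through when in profile, drop when out of profile, or mark down through the policed-DSCP map and transmit with a new QoS label. The following is an added example, not the switch's implementation and not from the guide: it models the policer as a token bucket (bytes refilled at the committed rate, capped at the burst size) and applies the two out-of-profile actions; the rate, burst, DSCP values and the policed-DSCP mapping 46 to 8 are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

Result = Tuple[str, Optional[int]]   # ("transmit", dscp) or ("drop", None)


class Policer:
    """Single-rate policer modelled as a token bucket: the bucket holds bytes,
    refills at the committed rate and is capped at the burst size. A packet is
    in profile when enough tokens are available. This is the example's own
    model, not the switch's hardware implementation."""

    def __init__(self, rate_bps: int, burst_bytes: int, exceed_action: str,
                 policed_dscp_map: Optional[Dict[int, int]] = None) -> None:
        if exceed_action not in ("drop", "policed-dscp-transmit"):
            raise ValueError("exceed_action must be drop or policed-dscp-transmit")
        self.rate_bytes_per_s = rate_bps / 8.0
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)    # bucket starts full
        self.last_update = 0.0
        self.exceed_action = exceed_action
        # Policed-DSCP map: the default is a null map (same DSCP), so a
        # mark-down without a configured mapping changes nothing.
        self.policed_dscp_map = dict(policed_dscp_map or {})

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last_update)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_bytes_per_s)
        self.last_update = now

    def handle(self, size_bytes: int, dscp: int, now: float) -> Result:
        """Apply the flowchart to one packet: in profile -> pass through with
        its DSCP unchanged; out of profile -> drop, or mark down through the
        policed-DSCP map and transmit with the new DSCP (new QoS label)."""
        self._refill(now)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return ("transmit", dscp)
        if self.exceed_action == "drop":
            return ("drop", None)
        return ("transmit", self.policed_dscp_map.get(dscp, dscp))


def simulate(policer: Policer, packets: List[Tuple[float, int, int]]) -> List[Result]:
    """Run a time-ordered list of (arrival_time_s, size_bytes, dscp) through the policer."""
    return [policer.handle(size, dscp, t) for (t, size, dscp) in packets]


# Constructed traffic: seven 500-byte DSCP 46 packets, four at t=0 and three at t=1.
BURST = [(0.0, 500, 46)] * 4 + [(1.0, 500, 46)] * 3

if __name__ == "__main__":
    # 8 kb/s committed rate (1000 bytes/s) with a 1500-byte burst: the bucket
    # admits three packets at t=0, refills 1000 bytes by t=1 and admits two more.
    print(simulate(Policer(8000, 1500, "drop"), BURST))
    print(simulate(Policer(8000, 1500, "policed-dscp-transmit", {46: 8}), BURST))
```

Running the same burst through a drop policer and a mark-down policer shows the difference that matters operationally: the drop policer loses the fourth and seventh packets outright, while the mark-down policer forwards them with DSCP 8, so they still reach the egress queue but with a lower label.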
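Figure 36-7 and the WTD Thresholds section describe the mechanism: each CoS (or DSCP) value is mapped to a threshold ID, each threshold is a percentage of the queue size, and a frame is tail-dropped when the queue already holds as many frames as its threshold allows. The following simulation is an added example, not switch code and not from the guide: it uses the figure's values (a 1000-frame queue, thresholds of 40, 60 and 100 percent, CoS 0-3, 4-5 and 6-7 on thresholds 1, 2 and 3) and a constructed burst with no scheduler service in between, which is the worst case the thresholds are designed for.

```python
from typing import Dict, List, Tuple


class WtdQueue:
    """One egress queue with weighted tail drop. Each threshold ID has a drop
    percentage of the queue size; a CoS (or DSCP) value is mapped to a threshold
    ID. Threshold 3 is the queue-full (100 percent) threshold. This is the
    example's own model of the mechanism in Figure 36-7, not switch code."""

    def __init__(self, size: int, thresholds: Dict[int, int],
                 cos_to_threshold: Dict[int, int]) -> None:
        self.size = size
        self.thresholds = thresholds              # threshold id -> percent of queue
        self.cos_to_threshold = cos_to_threshold  # CoS value -> threshold id
        self.depth = 0                            # frames currently queued

    def limit_for(self, cos: int) -> int:
        """Number of frames the queue may hold before frames of this CoS are dropped."""
        return self.size * self.thresholds[self.cos_to_threshold[cos]] // 100

    def enqueue(self, cos: int) -> bool:
        """Tail-drop the frame when the queue is already at this CoS's threshold."""
        if self.depth >= self.limit_for(cos):
            return False
        self.depth += 1
        return True

    def dequeue(self, n: int = 1) -> None:
        """Scheduler service: remove up to n frames."""
        self.depth = max(0, self.depth - n)


# Figure 36-7 values: a 1000-frame queue, thresholds 40/60/100 percent, with
# CoS 0-3 on threshold 1, CoS 4-5 on threshold 2 and CoS 6-7 on threshold 3.
FIGURE_THRESHOLDS = {1: 40, 2: 60, 3: 100}
FIGURE_COS_MAP = {0: 1, 1: 1, 2: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}


def simulate_burst(frames: List[int]) -> Dict[int, Tuple[int, int]]:
    """Offer a burst of frames (a list of CoS values) to a fresh Figure 36-7
    queue with no scheduler service in between, and report (queued, dropped)
    per CoS value."""
    q = WtdQueue(1000, FIGURE_THRESHOLDS, FIGURE_COS_MAP)
    stats: Dict[int, List[int]] = {}
    for cos in frames:
        entry = stats.setdefault(cos, [0, 0])
        if q.enqueue(cos):
            entry[0] += 1
        else:
            entry[1] += 1
    return {cos: (v[0], v[1]) for cos, v in stats.items()}


# Constructed burst: 500 CoS 0 frames, then 300 CoS 5 frames, then 500 CoS 7 frames.
BURST = [0] * 500 + [5] * 300 + [7] * 500

if __name__ == "__main__":
    # CoS 0 stops at 400, CoS 5 at 600, CoS 7 at the full 1000.
    print(simulate_burst(BURST))   # {0: (400, 100), 5: (200, 100), 7: (400, 100)}
```

The result shows why the thresholds are ordered by priority: once the queue holds 400 frames, only CoS 4-7 can still be admitted, and above 600 only CoS 6-7, so a flood of best-effort frames cannot fill the buffer space that higher-priority traffic needs.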
Chapter 36 Configuring QoS Configuring Auto-QoS • During policing, IP and non-IP packets can have another DSCP assigned to them (if they are out of profile and the policer specifies a markdown DSCP). Once again, the DSCP in the packet is not modified, but an indication of the marked-down value is carried along. For IP packets, the packet modification occurs at a later stage; for non-IP packets the DSCP is converted to CoS and used for queueing and scheduling decisions.
Generated Auto-QoS Configuration By default, auto-QoS is disabled on all ports. When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues as shown in Table 36-2.
If the packet does not have a DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. The switch configures ingress and egress queues on the port according to the settings in Table 36-3 and Table 36-4.
Table 36-5 Generated Auto-QoS Configuration (continued) The switch automatically maps DSCP values to an ingress queue and to a threshold ID.
Table 36-5 Generated Auto-QoS Configuration (continued) The switch automatically configures the egress queue buffer sizes. It configures the bandwidth and the SRR mode (shaped or shared) on the egress queues mapped to the port.
Effects of Auto-QoS on the Configuration When auto-QoS is enabled, the auto qos voip interface configuration command and the generated configuration are added to the running configuration. The switch applies the auto-QoS-generated commands as if the commands were entered from the CLI. An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands. These actions occur without warning.
Enabling Auto-QoS for VoIP Beginning in privileged EXEC mode, follow these steps to enable auto-QoS for VoIP within a QoS domain: Step 1 configure terminal Enter global configuration mode.
Auto-QoS Configuration Example This section describes how you could implement auto-QoS in a network, as shown in Figure 36-11. For optimum QoS performance, enable auto-QoS on all the devices in the network. Figure 36-11 Auto-QoS Configuration Example Network (figure labels: Cisco router, To Internet, Trunk link, Trunk link, Video server 172.20.10.
Note You should not configure any standard QoS commands before entering the auto-QoS commands. You can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed. Beginning in privileged EXEC mode, follow these steps to configure the switch at the edge of the QoS domain to prioritize the VoIP traffic over all other traffic: Step 1 debug auto qos Enable debugging for auto-QoS.
Chapter 36 Configuring QoS Displaying Auto-QoS Information Displaying Auto-QoS Information To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
Chapter 36 Configuring QoS Configuring Standard QoS Default Standard QoS Configuration QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
Chapter 36 Configuring QoS Configuring Standard QoS Default Egress Queue Configuration Table 36-9 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited.
Chapter 36 Configuring QoS Configuring Standard QoS Default Mapping Table Configuration The default CoS-to-DSCP map is shown in Table 36-12 on page 36-60. The default IP-precedence-to-DSCP map is shown in Table 36-13 on page 36-61. The default DSCP-to-CoS map is shown in Table 36-14 on page 36-63. The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value.
Chapter 36 Configuring QoS Configuring Standard QoS • Follow these guidelines when configuring policy maps on physical ports or SVIs: – You cannot apply the same policy map to a physical port and to an SVI. – If VLAN-based QoS is configured on a physical port, the switch removes all the port-based policy maps on the port. The traffic on this physical port is now affected by the policy map attached to the SVI to which the physical port belongs.
Chapter 36 Configuring QoS Configuring Standard QoS • A switch that is running the IP services feature set supports QoS DSCP and IP precedence matching in policy-based routing (PBR) route maps with these limitations: – You cannot apply QoS DSCP mutation maps and PBR route maps to the same interface. – You cannot configure DSCP transparency and PBR DSCP route maps on the same switch. Enabling QoS Globally By default, QoS is disabled on the switch.
Chapter 36 Configuring QoS Configuring Standard QoS Use the no mls qos vlan-based interface configuration command to disable VLAN-based QoS on the physical port. Configuring Classification Using Port Trust States These sections describe how to classify incoming traffic by using port trust states.
Chapter 36 Configuring QoS Configuring Standard QoS Figure 36-12 Port Trusted States within the QoS Domain Trusted interface Trunk Traffic classification performed here P1 201781 P3 Trusted boundary Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 36 Configuring QoS Configuring Standard QoS Step 3 Command Purpose mls qos trust [cos | dscp | ip-precedence] Configure the port trust state. By default, the port is not trusted. If no keyword is specified, the default is dscp. The keywords have these meanings: • cos—Classifies an ingress packet by using the packet CoS value. For an untagged packet, the port default CoS value is used. The default port CoS value is 0. • dscp—Classifies an ingress packet by using the packet DSCP value.
Chapter 36 Configuring QoS Configuring Standard QoS Step 3 Command Purpose mls qos cos {default-cos | override} Configure the default CoS value for the port. • For default-cos, specify a default CoS value to be assigned to a port. If the packet is untagged, the default CoS value becomes the packet CoS value. The CoS range is 0 to 7. The default is 0.
Chapter 36 Configuring QoS Configuring Standard QoS In some situations, you can prevent a PC connected to the Cisco IP Phone from taking advantage of a high-priority data queue. You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC.
Chapter 36 Configuring QoS Configuring Standard QoS Regardless of the DSCP transparency configuration, the switch modifies the internal DSCP value of the packet, which the switch uses to generate a class of service (CoS) value that represents the priority of the traffic. The switch also uses the internal DSCP value to select an egress queue and threshold.
Chapter 36 Configuring QoS Configuring Standard QoS Figure 36-13 DSCP-Trusted State on a Port Bordering Another QoS Domain QoS Domain 1 QoS Domain 2 Set interface to the DSCP-trusted state. Configure the DSCP-to-DSCP-mutation map. 101235 IP traffic Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map.
Chapter 36 Configuring QoS Configuring Standard QoS To return a port to its non-trusted state, use the no mls qos trust interface configuration command. To return to the default DSCP-to-DSCP-mutation map values, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command.
Chapter 36 Configuring QoS Configuring Standard QoS Classifying Traffic by Using ACLs You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs. Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 36 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard Create an IP extended ACL, repeating the command as many times as necessary. • For access-list-number, enter the access list number.
Chapter 36 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac access-list extended name Create a Layer 2 MAC ACL by specifying the name of the list. After entering this command, the mode changes to extended MAC ACL configuration.
Chapter 36 Configuring QoS Configuring Standard QoS Classifying Traffic by Using Class Maps You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further classify it. Match statements can include criteria such as an ACL, IP precedence values, or DSCP values.
Step 4 match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list} Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported. • For access-group acl-index-or-name, specify the number or name of the ACL created in Step 2.
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps You can configure a nonhierarchical policy map on a physical port that specifies which traffic class to act on.
Beginning in privileged EXEC mode, follow these steps to create a nonhierarchical policy map: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 class-map [match-all | match-any] class-map-name Create a class map, and enter class-map configuration mode. By default, no class maps are defined. • (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map.
Step 5 trust [cos | dscp | ip-precedence] Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label. Note This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, go to Step 6. By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
Command Purpose Step 8 exit Return to policy map configuration mode. Step 9 exit Return to global configuration mode. Step 10 interface interface-id Specify the port to attach to the policy map, and enter interface configuration mode. Valid interfaces include physical ports. Step 11 service-policy input policy-map-name Specify the policy-map name, and apply it to an ingress port. Only one policy map per ingress port is supported.
Switch(config-ext-mac)# exit
Switch(config)# class-map macclass1
Switch(config-cmap)# match access-group maclist1
Switch(config-cmap)# exit
Switch(config)# policy-map macpolicy1
Switch(config-pmap)# class macclass1
Switch(config-pmap-c)# set dscp 63
Switch(config-pmap-c)# exit
Switch(config-pmap)# class macclass2 maclist2
Switch(config-pmap-c)# set dscp 45
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet1/0
• When configuring a hierarchical policy map on trunk ports, the VLAN ranges must not overlap. If the ranges overlap, the actions specified in the policy map affect the incoming and outgoing traffic on the overlapped VLANs. • Aggregate policers are not supported in hierarchical policy maps. • When VLAN-based QoS is enabled, the switch supports VLAN-based features, such as the VLAN map.
Step 3 match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list} Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported. • For access-group acl-index-or-name, specify the number or name of the ACL.
Step 10 policy-map policy-map-name Create an interface-level policy map by entering the policy-map name, and enter policy-map configuration mode. By default, no policy maps are defined, and no policing is performed. Step 11 class-map class-map-name Define an interface-level traffic classification, and enter policy-map configuration mode. By default, no policy-map class-maps are defined.
Step 17 trust [cos | dscp | ip-precedence] Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label. Note This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, omit Step 18. By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
Step 23 service-policy input policy-map-name Specify the VLAN-level policy-map name, and apply it to the SVI. Repeat the previous step and this command to apply the policy map to other SVIs. If the hierarchical VLAN-level policy map has more than one interface-level policy map, all class maps must be configured to the same VLAN-level policy map specified in the service-policy policy-map-name command.
Switch(config-pmap-c)# exit
Switch(config-pmap)# class-map cm-2
Switch(config-pmap-c)# match ip dscp 2
Switch(config-pmap-c)# service-policy port-plcmap-1
Switch(config-pmap)# exit
Switch(config-pmap)# class-map cm-3
Switch(config-pmap-c)# match ip dscp 3
Switch(config-pmap-c)# service-policy port-plcmap-2
Switch(config-pmap)# exit
Switch(config-pmap)# class-map cm-4
Switch(config-pmap-c)# trust dscp
Switch(config-pmap)# exit
Switch(config)# interface v
Step 4 policy-map policy-map-name Create a policy map by entering the policy map name, and enter policy-map configuration mode. For more information, see the “Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps” section on page 36-48. Step 5 class class-map-name Define a traffic classification, and enter policy-map class configuration mode.
Switch(config-pmap-c)# trust dscp
Switch(config-pmap-c)# police aggregate transmit1
Switch(config-pmap-c)# exit
Switch(config-pmap)# class ipclass2
Switch(config-pmap-c)# set dscp 56
Switch(config-pmap-c)# police aggregate transmit1
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# service-policy input aggflow1
Switch(config-if)# exit
Configuring DSCP Maps These sections contain this
Beginning in privileged EXEC mode, follow these steps to modify the CoS-to-DSCP map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map cos-dscp dscp1...dscp8 Modify the CoS-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to CoS values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63. Step 3 end Return to privileged EXEC mode.
Beginning in privileged EXEC mode, follow these steps to modify the IP-precedence-to-DSCP map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map ip-prec-dscp dscp1...dscp8 Modify the IP-precedence-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to the IP precedence values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63.
To return to the default map, use the no mls qos policed-dscp global configuration command.
Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-CoS map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map dscp-cos dscp-list to cos Modify the DSCP-to-CoS map. • For dscp-list, enter up to eight DSCP values separated by spaces. Then enter the to keyword. • For cos, enter the CoS value to which the DSCP values correspond.
Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-DSCP-mutation map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp Modify the DSCP-to-DSCP-mutation map. • For dscp-mutation-name, enter the mutation map name. You can create more than one map by specifying a new name.
Note In the above DSCP-to-DSCP-mutation map, the mutated values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the original DSCP. The intersection of the d1 and d2 values provides the mutated value. For example, a DSCP value of 12 corresponds to a mutated value of 10.
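The following Python example is added here and is not part of the Cisco guide. It builds a DSCP-to-DSCP-mutation map from constructed mls qos map dscp-mutation commands (the map name border-in and the values in it are assumptions, chosen so that DSCP 12 mutates to 10 as in the note above), applies the map the way a DSCP-trusted border port would, and renders the result in the d1/d2 matrix layout the note describes, so the map can be reviewed before it is applied to a port facing another QoS domain.

```python
# Added example (not from the Cisco guide): build a DSCP-to-DSCP-mutation map
# from "mls qos map dscp-mutation" commands and render it in the d1/d2 matrix
# layout the guide describes. The map name and values below are constructed.
import re

# The default mutation map is the identity: every DSCP maps to itself.
DEFAULT_MUTATION = {dscp: dscp for dscp in range(64)}

_CMD = re.compile(
    r"^mls qos map dscp-mutation (?P<name>\S+) (?P<in>(?:\d+\s+){1,8})to (?P<out>\d+)$"
)


def apply_mutation_commands(lines):
    """Parse config lines and return {map_name: {in_dscp: out_dscp}}.

    Each command rewrites up to eight in-dscp values to one out-dscp; DSCPs
    that no command names keep their default (identity) mapping.
    """
    maps = {}
    for line in lines:
        m = _CMD.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised command: {line!r}")
        out_dscp = int(m.group("out"))
        table = maps.setdefault(m.group("name"), dict(DEFAULT_MUTATION))
        for in_dscp in (int(v) for v in m.group("in").split()):
            if not (0 <= in_dscp <= 63 and 0 <= out_dscp <= 63):
                raise ValueError("DSCP values must be in the range 0 to 63")
            table[in_dscp] = out_dscp
    return maps


def mutate(table, dscp):
    """Value written into the packet on a DSCP-trusted port that uses this map."""
    return table[dscp]


def matrix_cell(table, d1, d2):
    """Entry at row d1 (most-significant digit) and column d2 (least-significant
    digit) of the matrix, or None where d1*10 + d2 exceeds 63."""
    dscp = d1 * 10 + d2
    return table[dscp] if dscp <= 63 else None


def render_matrix(table):
    """Return the map in the d1/d2 matrix layout used by the guide's tables."""
    rows = ["d1 : d2 " + " ".join(f"{d2:02d}" for d2 in range(10))]
    for d1 in range(7):
        cells = (matrix_cell(table, d1, d2) for d2 in range(10))
        rows.append(f" {d1} :    " + " ".join("  " if c is None else f"{c:02d}" for c in cells))
    return "\n".join(rows)


# Constructed example: on the port facing the other QoS domain, collapse DSCP
# 10 to 13 into 10 and re-mark EF (46) to 0, so the neighbouring domain cannot
# place its own traffic in this domain's highest-priority treatment.
BORDER_COMMANDS = [
    "mls qos map dscp-mutation border-in 10 11 12 13 to 10",
    "mls qos map dscp-mutation border-in 46 to 0",
]

if __name__ == "__main__":
    table = apply_mutation_commands(BORDER_COMMANDS)["border-in"]
    print(render_matrix(table))
    print("DSCP 12 ->", mutate(table, 12))
```

Reading the rendered matrix the way the note explains it, row 1 column 2 holds the mutated value for DSCP 12; every cell that no command touched still shows its own DSCP, which is the quickest way to spot markings from the other domain that the border map leaves untouched.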
Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped. Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and to set WTD thresholds. This procedure is optional.
This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent.
Beginning in privileged EXEC mode, follow these steps to allocate bandwidth between the ingress queues. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue input bandwidth weight1 weight2 Assign shared round robin weights to the ingress queues. The default setting for weight1 and weight2 is 4 (1/2 of the bandwidth is equally shared between the two queues).
Beginning in privileged EXEC mode, follow these steps to configure the priority queue. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue input priority-queue queue-id bandwidth weight Assign a queue as the priority queue and guarantee bandwidth on the stack or internal ring if the ring is congested.
These sections contain this configuration information: • Configuration Guidelines, page 36-71 • Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, page 36-71 (optional) • Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, page 36-73 (optional) • Configuring SRR Shaped Weights on Egress Queues, page 36-75 (optional) • Configuring SRR Shared Weights on Egress Queues, page 36-76 (optional) • Configuri
Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and the drop thresholds for a queue-set. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos queue-set output qset-id buffers allocation1 ... allocation4 Allocate buffers to a queue-set. By default, all allocation values are equally mapped among the four queues (25, 25, 25, 25).
Command Purpose Step 7 show mls qos interface [interface-id] buffers Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command. To return to the default WTD threshold percentages, use the no mls qos queue-set output qset-id threshold [queue-id] global configuration command.
Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an egress queue and to a threshold ID. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue output dscp-map queue queue-id threshold threshold-id dscp1...dscp8 Map DSCP or CoS values to an egress queue and to a threshold ID.
Configuring SRR Shaped Weights on Egress Queues You can specify how much of the available bandwidth is allocated to each queue. The ratio of the weights is the ratio of frequency in which the SRR scheduler sends packets from each queue. You can configure the egress queues for shaped or shared weights, or both. Use shaping to smooth bursty traffic or to provide a smoother output over time.
Configuring SRR Shared Weights on Egress Queues In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue empties and does not require a share of the link, the remaining queues can expand into the unused bandwidth and share it among them.
Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos Enable QoS on a switch. Step 3 interface interface-id Specify the egress port, and enter interface configuration mode. Step 4 priority-queue out Enable the egress expedite queue, which is disabled by default.
Chapter 36 Configuring QoS Displaying Standard QoS Information Command Purpose Step 5 show mls qos interface [interface-id] queueing Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no srr-queue bandwidth limit interface configuration command.
Chapter 36 Configuring QoS Displaying Standard QoS Information Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide OL-12247-01 36-79
CHAPTER 37 Configuring EtherChannels and Link-State Tracking This chapter describes how to configure EtherChannels on Layer 2 and Layer 3 ports on the switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
Chapter 37 Configuring EtherChannels and Link-State Tracking Understanding EtherChannels EtherChannel Overview An EtherChannel consists of individual Gigabit Ethernet links bundled into a single logical link as shown in Figure 37-1.
Figure 37-2 Single-Switch EtherChannel (figure: a blade switch stack of Switch 1, Switch 2, and Switch 3 joined by StackWise Plus port connections; channel group 1 and channel group 2 run from Switch 1 to Switch A) Figure 37-3 Cross-Stack EtherChannel (figure: the same blade switch stack; channel group 1 to Switch A is formed from ports on more than one stack member)
Port-Channel Interfaces When you create an EtherChannel, a port-channel logical interface is involved: • With Layer 2 ports, use the channel-group interface configuration command to dynamically create the port-channel logical interface.
Port Aggregation Protocol The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports. You can use PAgP only in single-switch EtherChannel configurations; PAgP cannot be enabled on cross-stack EtherChannels.
Use the silent mode when the switch is connected to a device that is not PAgP-capable and seldom, if ever, sends packets. An example of a silent partner is a file server or a packet analyzer that is not generating traffic. In this case, running PAgP on a physical port connected to a silent partner prevents that switch port from ever becoming operational.
Ports can form an EtherChannel when they are in different LACP modes as long as the modes are compatible. For example: • A port in the active mode can form an EtherChannel with another port that is in the active or passive mode. • A port in the passive mode cannot form an EtherChannel with another port that is also in the passive mode because neither port starts LACP negotiation.
With destination-MAC address forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the channel based on the destination host’s MAC address of the incoming packet. Therefore, packets to the same destination are forwarded over the same port, and packets to a different destination are sent on a different port in the channel.
Figure 37-5 Load Distribution and Forwarding Methods (figure: Blade Server 1 through Blade Server 16 attached to a blade switch with source-based forwarding enabled; an EtherChannel from the blade switch to a Cisco router with destination-based forwarding enabled; clients beyond the router) EtherChannel and Switch Stacks If a stack member that has ports participating in an EtherChannel fails or leaves the stack, the stack master removes the failed stack member switch ports fro
Chapter 37 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels For more information about switch stacks, see Chapter 5, “Managing Switch Stacks.”
EtherChannel Configuration Guidelines If improperly configured, some EtherChannel ports are automatically disabled to avoid network loops and other problems. Follow these guidelines to avoid configuration problems: • Do not try to configure more than 48 EtherChannels on the switch. • Configure a PAgP EtherChannel with up to eight Ethernet ports of the same type.
– An EtherChannel supports the same allowed range of VLANs on all the ports in a trunking Layer 2 EtherChannel. If the allowed range of VLANs is not the same, the ports do not form an EtherChannel even when PAgP is set to the auto or desirable mode. – Ports with different spanning-tree path costs can form an EtherChannel if they are otherwise compatibly configured.
Step 4 channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive} Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 48. For mode, select one of these keywords: • auto—Enables PAgP only if a PAgP device is detected.
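As an added example that is not part of the Cisco guide, the Python code below encodes the LACP mode rules described earlier (active pairs with active or passive; passive with passive never negotiates), the equivalent PAgP rule for desirable and auto, the on mode, the eight-port limit, and the allowed-VLAN guideline for trunking EtherChannels in one pre-check that reports why a set of ports would not bundle. It goes beyond the guide's two LACP bullets by covering PAgP and on as well. The port names, modes, and VLAN ranges are constructed.

```python
# Added example (not from the Cisco guide): report why a set of ports would not
# form an EtherChannel, using the mode rules and the allowed-VLAN guideline.
# Port names, modes and VLAN ranges are constructed.
from dataclasses import dataclass

PAGP_MODES = {"auto", "desirable"}
LACP_MODES = {"active", "passive"}
MAX_PORTS_PER_CHANNEL = 8


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                                  # auto | desirable | on | active | passive
    trunk: bool = True
    allowed_vlans: frozenset = frozenset()     # VLAN IDs allowed on the trunk


def protocol_of(mode):
    """Which negotiation protocol a channel-group mode implies."""
    if mode in PAGP_MODES:
        return "pagp"
    if mode in LACP_MODES:
        return "lacp"
    if mode == "on":
        return "none"          # static bundle, no negotiation at all
    raise ValueError(f"unknown channel-group mode {mode!r}")


def modes_negotiate(local_mode, partner_mode):
    """True if the two ends of one link can bring up a channel."""
    local, partner = protocol_of(local_mode), protocol_of(partner_mode)
    if local != partner:
        return False           # PAgP and LACP never interoperate; 'on' needs 'on'
    if local == "none":
        return True
    if local == "pagp":
        # auto only responds, so auto+auto never starts a negotiation
        return "desirable" in (local_mode, partner_mode)
    # passive only responds, so passive+passive never starts a negotiation
    return "active" in (local_mode, partner_mode)


def bundle_problems(local_ports, partner_ports):
    """Reasons the ports will not bundle; an empty list means the channel can form."""
    problems = []
    if len(local_ports) > MAX_PORTS_PER_CHANNEL:
        problems.append(f"more than {MAX_PORTS_PER_CHANNEL} ports in one channel group")
    ref = local_ports[0]
    for port in local_ports[1:]:
        if protocol_of(port.mode) != protocol_of(ref.mode):
            problems.append(f"{port.name}: mode {port.mode} mixes protocols with "
                            f"{ref.name} ({ref.mode})")
        if port.trunk != ref.trunk:
            problems.append(f"{port.name}: trunk setting differs from {ref.name}")
        elif port.trunk and port.allowed_vlans != ref.allowed_vlans:
            problems.append(f"{port.name}: allowed VLAN range differs from {ref.name}")
    for local, partner in zip(local_ports, partner_ports):
        if not modes_negotiate(local.mode, partner.mode):
            problems.append(f"{local.name} ({local.mode}) and {partner.name} "
                            f"({partner.mode}) will not negotiate")
    return problems


if __name__ == "__main__":
    vlans = frozenset(range(10, 21))
    local = [Port("Gi1/0/1", "active", True, vlans), Port("Gi1/0/2", "active", True, vlans)]
    partner = [Port("Gi1/0/1", "passive", True, vlans), Port("Gi1/0/2", "passive", True, vlans)]
    print(bundle_problems(local, partner) or "channel can form")
```

Running this check before the channel-group command is typed is cheaper than finding the mismatch from the err-disabled ports the guide warns about; the guideline about spanning-tree path costs is deliberately not a problem here, since ports with different costs may still bundle.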
This example shows how to configure an EtherChannel on a single switch in the stack.
Beginning in privileged EXEC mode, follow these steps to create a port-channel interface for a Layer 3 EtherChannel. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface port-channel port-channel-number Specify the port-channel logical interface, and enter interface configuration mode. For port-channel-number, the range is 1 to 48.
Step 5 channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive} Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 48. This number must be the same as the port-channel-number (logical port) configured in the “Creating Port-Channel Logical Interfaces” section on page 37-14.
This example shows how to configure an EtherChannel. It assigns two ports to channel 5 with the LACP mode active:
Switch# configure terminal
Switch(config)# interface range gigabitethernet2/0/1 -2
Switch(config-if-range)# no ip address
Switch(config-if-range)# no switchport
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# end
This example shows how to configure a cross-stack EtherChannel.
Command Purpose Step 3 end Return to privileged EXEC mode. Step 4 show etherchannel load-balance Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return EtherChannel load-balancing to the default configuration, use the no port-channel load-balance global configuration command.
Beginning in privileged EXEC mode, follow these steps to configure your switch as a PAgP physical-port learner and to adjust the priority so that the same port in the bundle is selected for sending packets. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port for transmission, and enter interface configuration mode.
If you configure more than eight links for an EtherChannel group, the software automatically decides which of the hot-standby ports to make active based on the LACP priority.
Configuring the LACP Port Priority By default, all ports use the same port priority. If the local system has a lower value for the system priority and the system ID than the remote system, you can affect which of the hot-standby links become active first by changing the port priority of LACP EtherChannel ports to a lower value than the default.
Chapter 37 Configuring EtherChannels and Link-State Tracking Displaying EtherChannel, PAgP, and LACP Status Displaying EtherChannel, PAgP, and LACP Status To display EtherChannel, PAgP, and LACP status information, use the privileged EXEC commands described in Table 37-4: Table 37-4 Commands for Displaying EtherChannel, PAgP, and LACP Status Command Description show etherchannel [channel-group-number {detail | port | port-channel | protocol | summary}] {detail | load-balance | port | port-channel | p
Chapter 37 Configuring EtherChannels and Link-State Tracking Understanding Link-State Tracking Figure 37-6 Typical Link-State Tracking Configuration (figure: Distribution switch 1 and Distribution switch 2 joined by a Layer 3 link; link-state group 1 on Port-channel 1 and link-state group 2 on Port-channel 2 connect Blade switch 1 and Blade switch 2 in the enclosure to the distribution switches; Blade server 1 through Blade server n attach to the blade switches) The configuration in Figure 37-6 ensures that when server NIC adapter
Chapter 37 Configuring EtherChannels and Link-State Tracking Configuring Link-State Tracking In a link-state group, the upstream ports can become unavailable or lose connectivity because the distribution switch or router fails, the cables are disconnected, or the link is lost.
• Do not configure an EtherChannel as a downstream interface. • Only interfaces gigabitethernet n/0/1 through gigabitethernet n/0/16, where n is the stack member number from 1 to 9, can be configured as downstream ports in a specific link-state group.
Displaying Link-State Tracking Status Use the show link state group command to display the link-state group information. Enter this command without keywords to display information about all link-state groups. Enter the group number to display information specific to the group. Enter the detail keyword to display detailed information about the group.
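The Python model below is an added example and not part of the Cisco guide. It applies the two downstream-port guidelines above (no EtherChannel, and only gigabitethernet n/0/1 through n/0/16 with n from 1 to 9) and assumes the behaviour the feature is built for: when every upstream port in a link-state group loses its link, the group's downstream ports are error-disabled, and they are released again once an upstream port returns. The interface names and link events are constructed.

```python
# Added example (not from the Cisco guide): a small model of one link-state
# group. Assumes downstream ports are error-disabled while every upstream port
# in the group is down. Interface names and link events are constructed.
import re

# Only gigabitethernet n/0/1 .. n/0/16 with n = 1..9 may be a downstream port.
_DOWNSTREAM_OK = re.compile(r"^gigabitethernet([1-9])/0/([1-9]|1[0-6])$", re.IGNORECASE)


def is_valid_downstream(name):
    """Apply the guide's downstream-port restrictions to an interface name."""
    if name.lower().startswith("port-channel"):
        return False                      # an EtherChannel cannot be downstream
    return bool(_DOWNSTREAM_OK.match(name))


class LinkStateGroup:
    def __init__(self, number):
        self.number = number
        self.upstream = {}                # interface name -> link is up
        self.downstream = {}

    def add_upstream(self, name, up=True):
        self.upstream[name] = up

    def add_downstream(self, name, up=True):
        if not is_valid_downstream(name):
            raise ValueError(f"{name} cannot be a downstream port in a link-state group")
        self.downstream[name] = up

    def set_link(self, name, up):
        """Record a link-up or link-down event on a member interface."""
        if name in self.upstream:
            self.upstream[name] = up
        elif name in self.downstream:
            self.downstream[name] = up
        else:
            raise KeyError(name)

    def upstream_available(self):
        return any(self.upstream.values())

    def status(self):
        """State of each downstream port after the tracking logic has run."""
        if self.upstream_available():
            return {d: ("up" if up else "down") for d, up in self.downstream.items()}
        # Every upstream port is down: servers must fail over to their other NIC,
        # so the downstream ports are error-disabled to force that.
        return {d: "err-disabled" for d in self.downstream}


if __name__ == "__main__":
    group = LinkStateGroup(1)
    group.add_upstream("Port-channel1")
    group.add_downstream("gigabitethernet1/0/1")
    group.add_downstream("gigabitethernet2/0/16")
    print("before:", group.status())
    group.set_link("Port-channel1", False)   # distribution switch link lost
    print("after: ", group.status())
    group.set_link("Port-channel1", True)
    print("restored:", group.status())
```

The point the model makes visible is that a single upstream port-channel carries the whole group's downstream behaviour: lose it, and every blade server port in that group is cut, which is the intended trigger for NIC teaming on the servers. Check the live state with the show link state group detail command from the section above.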
CHAPTER 38 Configuring IP Unicast Routing This chapter describes how to configure IP Version 4 (IPv4) unicast routing on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. A switch stack operates and appears as a single router to the rest of the routers in the network. Basic routing functions, including static routing and the Routing Information Protocol (RIP), are available with both the IP base feature set and the IP services feature set.
Chapter 38 Configuring IP Unicast Routing Understanding IP Routing Note When configuring routing parameters on the switch, you can use the sdm prefer routing global configuration command to set the Switch Database Management (SDM) feature to the routing template, which allocates system resources to maximize the number of unicast routes allowed. For more information on the SDM templates, see Chapter 8, “Configuring SDM Templates,” or see the sdm prefer command in the command reference for this release.
Default routing refers to sending traffic with a destination unknown to the router to a default outlet or destination. Static unicast routing forwards packets from predetermined ports through a single path into and out of a network. Static routing is secure and uses little bandwidth, but does not automatically respond to changes in the network, such as link failures, and therefore, might result in unreachable destinations.
Stack members perform these functions: • They act as routing standby switches, ready to take over if the stack master fails and they are elected as the new stack master. • They program the routes into hardware. The routes programmed by the stack members are the same routes that the stack master downloads as part of the dCEF database.
Chapter 38 Configuring IP Unicast Routing Steps for Configuring Routing Steps for Configuring Routing By default, IP routing is disabled on the switch, and you must enable it before routing can take place. For detailed IP routing configuration information, see the Cisco IOS IP Configuration Guide, Release 12.
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing • Configuring Address Resolution Methods, page 38-9 • Routing Assistance When IP Routing is Disabled, page 38-12 • Configuring Broadcast Packet Handling, page 38-14 • Monitoring and Maintaining IP Addressing, page 38-18 Default Addressing Configuration Table 38-1 shows the default addressing configuration. Table 38-1 Default Addressing Configuration Feature Default Setting IP address None defined.
Assigning IP Addresses to Network Interfaces An IP address identifies a location to which IP packets can be sent. Some IP addresses are reserved for special uses and cannot be used for host, subnet, or network addresses. RFC 1166, “Internet Numbers,” contains the official description of IP addresses. An interface can have one primary IP address. A mask identifies the bits that denote the network number in an IP address.
Classless Routing By default, classless routing behavior is enabled on the switch when it is configured to route. With classless routing, if a router receives packets for a subnet of a network with no default route, the router forwards the packet to the best supernet route.
Figure 38-3 No IP Classless Routing (figure: a router holding a 128.0.0.0/8 supernet route and the connected subnets 128.20.1.0, 128.20.2.0, and 128.20.3.0 of network 128.20.0.0; a packet for host 128.20.4.1 goes to the bit bucket) To prevent the switch from forwarding packets destined for unrecognized subnets to the best supernet route possible, you can disable classless routing behavior.
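The following Python example is added here and is not from the Cisco guide. It implements a longest-prefix-match lookup with a switch that models ip classless (the default) against no ip classless, using the addresses from Figure 38-3: a 128.0.0.0/8 supernet route plus the connected subnets 128.20.1.0, 128.20.2.0, and 128.20.3.0, and a packet for 128.20.4.1. The route table and the next-hop names (Vlan1 to Vlan3, upstream-router) are constructed; the classful rule it applies is that a router which knows some subnets of the destination's major network, but not the destination's own subnet, discards the packet instead of using a less specific route.

```python
# Added example (not from the Cisco guide): longest-prefix match with a model
# of "ip classless" versus "no ip classless" for the Figure 38-3 addresses.
# Route entries and next-hop names are constructed.
import ipaddress


def classful_network(addr):
    """The major (classful) network an address belongs to: /8, /16 or /24."""
    addr = ipaddress.ip_address(addr)
    first = int(addr) >> 24
    length = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{length}", strict=False)


class RoutingTable:
    def __init__(self, ip_classless=True):
        self.ip_classless = ip_classless
        self.routes = []                      # (network, next hop or interface)

    def add(self, prefix, via):
        self.routes.append((ipaddress.ip_network(prefix), via))

    def lookup(self, dst):
        """Return the next hop, or None when the packet goes to the bit bucket."""
        dst = ipaddress.ip_address(dst)
        matches = [(net, via) for net, via in self.routes if dst in net]
        if not matches:
            return None
        best, via = max(matches, key=lambda r: r[0].prefixlen)   # longest prefix wins
        major = classful_network(dst)
        knows_subnets_of_major = any(
            net != major and net.subnet_of(major) for net, _ in self.routes
        )
        if (not self.ip_classless and best.prefixlen < major.prefixlen
                and knows_subnets_of_major):
            # Classful rule: the router knows subnets of this major network but
            # not this one, so it drops the packet rather than using the
            # supernet or default route.
            return None
        return via


def build_figure_38_3_table(ip_classless):
    """The routes implied by Figure 38-3 (constructed next-hop names)."""
    table = RoutingTable(ip_classless)
    table.add("128.20.1.0/24", "Vlan1")
    table.add("128.20.2.0/24", "Vlan2")
    table.add("128.20.3.0/24", "Vlan3")
    table.add("128.0.0.0/8", "upstream-router")   # the supernet route
    return table


if __name__ == "__main__":
    for classless in (True, False):
        table = build_figure_38_3_table(classless)
        mode = "ip classless" if classless else "no ip classless"
        print(f"{mode:16} 128.20.4.1 -> {table.lookup('128.20.4.1')}")
        print(f"{mode:16} 128.20.2.7 -> {table.lookup('128.20.2.7')}")
```

With the default, the packet for 128.20.4.1 rides the supernet route toward the upstream router; with no ip classless it is discarded, which is the behaviour to choose when traffic for unknown subnets of a locally known network should never leave the switch.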
The switch can use these forms of address resolution: • Address Resolution Protocol (ARP) is used to associate IP addresses with MAC addresses. Taking an IP address as input, ARP learns the associated MAC address and then stores the IP address/MAC address association in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network.
Command Purpose Step 3 arp ip-address hardware-address type [alias] (Optional) Specify that the switch respond to ARP requests as if it were the owner of the specified IP address. Step 4 interface interface-id Enter interface configuration mode, and specify the interface to configure. Step 5 arp timeout seconds (Optional) Set the length of time an ARP cache entry will stay in the cache. The default is 14400 seconds (4 hours).
Enable Proxy ARP By default, the switch uses proxy ARP to help hosts learn MAC addresses of hosts on other networks or subnets. Beginning in privileged EXEC mode, follow these steps to enable proxy ARP if it has been disabled: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the Layer 3 interface to configure.
Beginning in privileged EXEC mode, follow these steps to define a default gateway (router) when IP routing is disabled: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip default-gateway ip-address Set up a default gateway (router). Step 3 end Return to privileged EXEC mode. Step 4 show ip redirects Display the address of the default gateway router to verify the setting.
Command Purpose Step 6 ip irdp maxadvertinterval seconds (Optional) Set the IRDP maximum interval between advertisements. The default is 600 seconds. Step 7 ip irdp minadvertinterval seconds (Optional) Set the IRDP minimum interval between advertisements. The default is 0.75 times the maxadvertinterval. If you change the maxadvertinterval, this value changes to the new default (0.75 of maxadvertinterval).
Enabling Directed Broadcast-to-Physical Broadcast Translation By default, IP directed broadcasts are dropped; they are not forwarded. Dropping IP-directed broadcasts makes routers less susceptible to denial-of-service attacks. You can enable forwarding of IP-directed broadcasts on an interface where the broadcast becomes a physical (MAC-layer) broadcast.
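As an added example (not from the Cisco guide), the Python code below models the decision described above: a packet whose destination is the directed broadcast address of an attached subnet is dropped unless that interface has ip directed-broadcast enabled, in which case it is translated to a MAC-layer broadcast on that interface. It also counts dropped directed broadcasts per source so that a host repeatedly aiming them at the switch stands out in a review. The interface names, subnets (RFC 5737 documentation ranges), and packet list are constructed.

```python
# Added example (not from the Cisco guide): the forwarding decision for IP
# directed broadcasts with "ip directed-broadcast" off by default, plus a
# per-source count of the drops. Interfaces, subnets and packets are constructed.
import ipaddress
from collections import Counter


class L3Interface:
    def __init__(self, name, prefix, directed_broadcast=False):
        self.name = name
        self.network = ipaddress.ip_network(prefix, strict=False)
        self.directed_broadcast = directed_broadcast    # the interface command

    def is_directed_broadcast(self, dst):
        """True if dst is the broadcast address of this interface's subnet."""
        return ipaddress.ip_address(dst) == self.network.broadcast_address


def decide(dst, interfaces):
    """'forward', 'broadcast on <interface>' or 'drop' for a destination address."""
    for iface in interfaces:
        if iface.is_directed_broadcast(dst):
            if iface.directed_broadcast:
                return f"broadcast on {iface.name}"   # becomes a MAC-layer broadcast
            return "drop"                              # the default
    return "forward"                                   # an ordinary unicast lookup


def noisy_sources(packets, interfaces, threshold=3):
    """Sources whose dropped directed broadcasts reached the threshold."""
    dropped = Counter(src for src, dst in packets if decide(dst, interfaces) == "drop")
    return {src for src, count in dropped.items() if count >= threshold}


# Constructed interfaces: directed broadcast left at the default on Vlan10 and
# deliberately enabled on Vlan20.
SAMPLE_INTERFACES = [
    L3Interface("Vlan10", "192.0.2.1/24"),
    L3Interface("Vlan20", "198.51.100.1/24", directed_broadcast=True),
]

# Constructed (source, destination) pairs as a forwarding engine would see them.
SAMPLE_PACKETS = [
    ("203.0.113.7", "192.0.2.255"),
    ("203.0.113.7", "192.0.2.255"),
    ("203.0.113.7", "192.0.2.255"),
    ("203.0.113.7", "192.0.2.255"),
    ("203.0.113.9", "192.0.2.255"),
    ("10.1.1.5", "192.0.2.20"),
    ("10.1.1.6", "198.51.100.255"),
]

if __name__ == "__main__":
    for src, dst in SAMPLE_PACKETS:
        print(f"{src:>13} -> {dst:<16} {decide(dst, SAMPLE_INTERFACES)}")
    print("sources to look at:", noisy_sources(SAMPLE_PACKETS, SAMPLE_INTERFACES))
```

The counter is the detection half of the guide's statement: the default drop keeps the switch from amplifying anyone's broadcast, and a source that keeps sending them anyway is worth a look even though nothing was forwarded.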
Forwarding UDP Broadcast Packets and Protocols User Datagram Protocol (UDP) is an IP host-to-host layer protocol, as is TCP. UDP provides a low-overhead, connectionless session between two end systems and does not provide for acknowledgment of received datagrams. Network hosts occasionally use UDP broadcasts to find address, configuration, and name information.
Establishing an IP Broadcast Address

The most popular IP broadcast address (and the default) is an address consisting of all ones (255.255.255.255). However, the switch can be configured to generate any form of IP broadcast address. Beginning in privileged EXEC mode, follow these steps to set the IP broadcast address on an interface:

Step 1  configure terminal
        Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to use the bridging spanning-tree database to flood UDP datagrams:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip forward-protocol spanning-tree
        Use the bridging spanning-tree database to flood UDP datagrams.
Step 3  end
        Return to privileged EXEC mode.
Step 4  show running-config
        Verify your entry.
Table 38-3 Commands to Display Caches, Tables, and Databases

show arp: Display the entries in the ARP table.
show hosts: Display the default domain name, style of lookup service, name server hosts, and the cached list of hostnames and addresses.
show ip aliases: Display IP addresses mapped to TCP ports (aliases).
show ip arp: Display the IP ARP cache.
Switch(config-router)# network 10.0.0.
Default RIP Configuration

Table 38-4 shows the default RIP configuration.

Table 38-4 Default RIP Configuration

Auto summary: Enabled.
Default-information originate: Disabled.
Default metric: Built-in; automatic metric translations.
IP RIP authentication key-chain: No authentication. Authentication mode: clear text.
IP RIP receive version: According to the version router configuration command.
Step 4  network network-number
        Associate a network with a RIP routing process. You can specify multiple network commands. RIP routing updates are sent and received through interfaces only on these networks.
        Note: You must configure a network number for the RIP commands to take effect.
Step 5  neighbor ip-address
        (Optional) Define a neighboring router with which to exchange routing information.
To turn off the RIP routing process, use the no router rip global configuration command.

To display the parameters and current state of the active routing protocol process, use the show ip protocols privileged EXEC command. Use the show ip rip database privileged EXEC command to display summary address entries in the RIP database.

Configuring RIP Authentication

RIP Version 1 does not support authentication.
If you want to configure an interface running RIP to advertise a summarized local IP address pool on a network access server for dial-up clients, use the ip summary-address rip interface configuration command.

Note: If split horizon is enabled, neither autosummary nor interface IP summary addresses are advertised.
Configuring Split Horizon

Routers connected to broadcast-type IP networks and using distance-vector routing protocols normally use the split-horizon mechanism to reduce the possibility of routing loops. Split horizon blocks information about routes from being advertised by a router on any interface from which that information originated. This feature can optimize communication among multiple routers, especially when links are broken.
• Plain text and MD5 authentication among neighboring routers within an area is supported.
• Configurable routing interface parameters include interface output cost, retransmission interval, interface transmit delay, router priority, router dead and hello intervals, and authentication key.
• Virtual links are supported.
• Not-so-stubby-areas (NSSAs) per RFC 1587 are supported.
Table 38-5 Default OSPF Configuration

Interface parameters: Cost: No default cost predefined. Retransmit interval: 5 seconds. Transmit delay: 1 second. Priority: 1. Hello interval: 10 seconds. Dead interval: 4 times the hello interval. No authentication. No password specified. MD5 authentication disabled.
Area: Authentication type: 0 (no authentication). Default cost: 1. Range: Disabled. Stub: No stub area defined.
Table 38-5 Default OSPF Configuration (continued)

Timers LSA group pacing: 240 seconds.
Timers shortest path first (spf): spf delay: 5 seconds. spf-holdtime: 10 seconds.
Virtual link: No area ID or router ID defined. Hello interval: 10 seconds. Retransmit interval: 5 seconds. Transmit delay: 1 second. Dead interval: 40 seconds. Authentication key: no key predefined. Message-digest key (MD5): no key predefined.
After a stack master change, the new master sends an OSPF NSF signal to neighboring NSF-aware devices. A device recognizes this signal to mean that it should not reset the neighbor relationship with the stack. As the NSF-capable stack master receives signals from other routers on the network, it begins to rebuild its neighbor list.
To end an OSPF routing process, use the no router ospf process-id global configuration command.

This example shows how to configure an OSPF routing process and assign it a process number of 109:

Switch(config)# router ospf 109
Switch(config-router)# network 131.108.0.0 255.255.255.0 area 24

Configuring OSPF Interfaces

You can use the ip ospf interface configuration commands to modify interface-specific OSPF parameters.
Step 11  ip ospf database-filter all out
         (Optional) Block flooding of OSPF LSA packets to the interface. By default, OSPF floods new LSAs over all interfaces in the same area, except the interface on which the LSA arrives.
Step 12  end
         Return to privileged EXEC mode.
Step 13  show ip ospf interface [interface-name]
         Display OSPF-related interface information.
Step 5  area area-id stub [no-summary]
        (Optional) Define an area as a stub area. The no-summary keyword prevents an ABR from sending summary link advertisements into the stub area.
Step 6  area area-id nssa [no-redistribution] [default-information-originate] [no-summary]
        (Optional) Define an area as a not-so-stubby-area. Every router within the same area must agree that the area is NSSA.
• Default Metrics: OSPF calculates the OSPF metric for an interface according to the bandwidth of the interface. The metric is calculated as ref-bw divided by bandwidth, where ref is 10 by default, and bandwidth (bw) is specified by the bandwidth interface configuration command. For multiple links with high bandwidth, you can specify a larger number to differentiate the cost on those links.
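The cost calculation above, worked through in Python as an added example that is not from the guide. It assumes the reference bandwidth is expressed in Mbps with a default of 100 (10^8 bps), which is the unit the auto-cost reference-bandwidth router configuration command takes, and that the interface bandwidth is in kbps, as entered with the bandwidth interface command. The link set is constructed; the output shows why a larger reference bandwidth is needed before 100 Mbps, 1 Gbps and 10 Gbps links receive different costs.

```python
"""OSPF interface cost from bandwidth (added example, not from the guide).

cost = ref-bw / bandwidth, where ref-bw is the reference bandwidth
(assumed here to be given in Mbps with a default of 100, as taken by
auto-cost reference-bandwidth) and bandwidth is the interface bandwidth
in kbps (as set by the bandwidth interface command).
"""


def ospf_interface_cost(bandwidth_kbps, ref_bw_mbps=100):
    """Return the integer OSPF cost for an interface.

    The quotient is truncated, clamped to a minimum of 1 (so every link
    faster than the reference bandwidth collapses to cost 1) and to the
    16-bit maximum of 65535 that the cost field can carry.
    """
    if bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    cost = (ref_bw_mbps * 1000) // bandwidth_kbps
    return max(1, min(cost, 65535))


def costs_for_links(link_bandwidths_kbps, ref_bw_mbps=100):
    """Map each link bandwidth to its cost under one reference bandwidth."""
    return {bw: ospf_interface_cost(bw, ref_bw_mbps) for bw in link_bandwidths_kbps}


if __name__ == "__main__":
    # Constructed link set: T1, 10 Mbps, 100 Mbps, 1 Gbps, 10 Gbps (in kbps).
    links = [1544, 10_000, 100_000, 1_000_000, 10_000_000]
    print("ref-bw 100 Mbps (default):", costs_for_links(links))
    print("ref-bw 10000 Mbps:        ", costs_for_links(links, ref_bw_mbps=10_000))
```

With the default reference bandwidth the three fastest links all cost 1, so equal-cost load sharing would treat a 100 Mbps path like a 10 Gbps one; raising ref-bw to 10000 separates them into costs 100, 10 and 1. The reference bandwidth must be the same on every router in the OSPF domain, otherwise routers compute different costs for the same link.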
Beginning in privileged EXEC mode, follow these steps to configure these OSPF parameters:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  router ospf process-id
        Enable OSPF routing, and enter router configuration mode.
Step 3  summary-address address mask
        (Optional) Specify an address and IP subnet mask for redistributed routes so that only one summary route is advertised.
Changing LSA Group Pacing

The OSPF LSA group pacing feature allows the router to group OSPF LSAs and pace the refreshing, check-summing, and aging functions for more efficient router use. This feature is enabled by default with a 4-minute default pacing interval, and you will not usually need to modify this parameter.
Monitoring OSPF

You can display specific statistics such as the contents of IP routing tables, caches, and databases. Table 38-6 lists some of the privileged EXEC commands for displaying statistics. For more show ip ospf database privileged EXEC command options and for explanations of fields in the resulting display, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
EIGRP offers these features:

• Fast convergence.
• Incremental updates when the state of a destination changes, instead of sending the entire contents of the routing table, minimizing the bandwidth required for EIGRP packets.
• Less CPU usage because full update packets need not be processed each time they are received.
• Protocol-independent neighbor discovery mechanism to learn about neighboring routers.
• Configuring EIGRP Route Authentication, page 38-42
• EIGRP Stub Routing, page 38-43
• Monitoring and Maintaining EIGRP, page 38-44

Note: To enable EIGRP, the switch or stack master must be running the IP services feature set.

Default EIGRP Configuration

Table 38-7 shows the default EIGRP configuration.

Table 38-7 Default EIGRP Configuration

Auto summary: Enabled.
Table 38-7 Default EIGRP Configuration (continued)

NSF Awareness: Enabled. Allows Layer 3 switches to continue forwarding packets from a neighboring NSF-capable router during hardware or software changes.
NSF capability: Disabled. Note: The switch supports EIGRP NSF-capable routing for IPv4.
Offset-list: Disabled.
Router EIGRP: Disabled.
Set metric: No metric set in the route map.
EIGRP NSF Capability

The IP-services feature set also supports EIGRP NSF-capable routing for IPv4 for better convergence and lower traffic loss following a stack master change. When an EIGRP NSF-capable stack master restarts or a new stack master starts up and NSF restarts, the switch has no neighbors, and the topology table is empty.
Step 6  metric weights tos k1 k2 k3 k4 k5
        (Optional) Adjust the EIGRP metric. Although the defaults have been carefully set to provide excellent operation in most networks, you can adjust them.
        Caution: Setting metrics is complex and is not recommended without guidance from an experienced network designer.
Step 5  ip hello-interval eigrp autonomous-system-number seconds
        (Optional) Change the hello time interval for an EIGRP routing process. The range is 1 to 65535 seconds. The default is 60 seconds for low-speed NBMA networks and 5 seconds for all other networks.
Step 6  ip hold-time eigrp autonomous-system-number seconds
        (Optional) Change the hold time interval for an EIGRP routing process. The range is 1 to 65535 seconds.
Step 9  accept-lifetime start-time {infinite | end-time | duration seconds}
        (Optional) Specify the time period during which the key can be received. The start-time and end-time syntax can be either hh:mm:ss Month date year or hh:mm:ss date Month year. The default is forever with the default start-time and the earliest acceptable date as January 1, 1993. The default end-time and duration is infinite.
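RIP MD5 authentication (Configuring RIP Authentication, above) and EIGRP route authentication both take their keys from a key chain whose keys carry accept-lifetime and send-lifetime windows like the one in Step 9. The Python model below is an added example, not part of the guide: it evaluates which keys may authenticate a received update and which key would be used for a sent update at a given time, and scans a planned rotation for periods in which no key can be sent. The key chain, key strings and dates are constructed, and sending with the lowest-numbered currently valid key is an assumption of the example rather than a rule quoted from the guide.

```python
"""Key-chain lifetime evaluation (added example, not from the guide).

Models accept-lifetime and send-lifetime: a key authenticates received
updates only inside its accept window and is used for sent updates only
inside its send window. Times are naive datetimes on the router's clock.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

EARLIEST = datetime(1993, 1, 1)  # default start-time named in the guide


@dataclass(frozen=True)
class Lifetime:
    start: datetime = EARLIEST
    end: Optional[datetime] = None  # None models the "infinite" keyword

    @classmethod
    def duration(cls, start: datetime, seconds: int) -> "Lifetime":
        """The {duration seconds} form: the window ends seconds after start."""
        return cls(start, start + timedelta(seconds=seconds))

    def contains(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t < self.end)


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str
    accept: Lifetime = Lifetime()  # default for both windows: forever
    send: Lifetime = Lifetime()


def keys_accepted_at(chain: List[Key], t: datetime) -> List[int]:
    """Key numbers that may authenticate an update received at time t."""
    return [k.key_id for k in chain if k.accept.contains(t)]


def key_to_send_at(chain: List[Key], t: datetime) -> Optional[int]:
    """Key used for updates sent at t: the lowest-numbered key whose send
    window is current (an assumption of this example), or None when no
    key can be sent at all."""
    valid = [k.key_id for k in chain if k.send.contains(t)]
    return min(valid) if valid else None


def send_gaps(chain: List[Key], start: datetime, end: datetime,
              step: timedelta = timedelta(hours=1)) -> List[datetime]:
    """Sample [start, end) at the given step and return the times at
    which no key is sendable, i.e. holes in a planned key rotation."""
    gaps, t = [], start
    while t < end:
        if key_to_send_at(chain, t) is None:
            gaps.append(t)
        t += step
    return gaps


# Constructed rotation (not from the guide): key 2 starts sending an hour
# before key 1 stops, and both stay acceptable across the changeover so
# that neighbours with slightly skewed clocks keep authenticating.
ROLLOVER_CHAIN = [
    Key(1, "old-secret",
        accept=Lifetime(end=datetime(2008, 1, 1, 12)),
        send=Lifetime(end=datetime(2008, 1, 1, 6))),
    Key(2, "new-secret",
        accept=Lifetime(start=datetime(2007, 12, 31, 23)),
        send=Lifetime(start=datetime(2008, 1, 1, 5))),
]

# Constructed mistake: key 2 only starts sending two hours after key 1
# stops, leaving a period in which the router has no key to send with.
BROKEN_CHAIN = [
    Key(1, "old-secret", send=Lifetime(end=datetime(2008, 1, 1, 6))),
    Key(2, "new-secret", send=Lifetime(start=datetime(2008, 1, 1, 8))),
]

if __name__ == "__main__":
    window = (datetime(2007, 12, 31), datetime(2008, 1, 2))
    print("rollover gaps:", send_gaps(ROLLOVER_CHAIN, *window))
    print("broken gaps:  ", send_gaps(BROKEN_CHAIN, *window))
```

The overlap in ROLLOVER_CHAIN is the point: because every neighbor evaluates the same windows against its own clock, accept windows should overlap more generously than send windows, and the switch clocks should be synchronized before a rotation is scheduled.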
Figure 38-4 EIGRP Stub Router Configuration

For more information about EIGRP stub routing, see the “Configuring EIGRP Stub Routing” section of the Cisco IOS IP Configuration Guide, Volume 2 of 3: Routing Protocols, Release 12.2.

Monitoring and Maintaining EIGRP

You can delete neighbors from the neighbor table. You can also display various EIGRP routing statistics.
For details about BGP commands and keywords, see the “IP Routing Protocols” part of the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of BGP commands that are visible but not supported by the switch, see Appendix C, “Unsupported Commands in Cisco IOS Release 12.2(40)EX.
In BGP, each route consists of a network number, a list of autonomous systems that information has passed through (the autonomous system path), and a list of other path attributes. The primary function of a BGP system is to exchange network reachability information, including information about the list of AS paths, with other BGP systems.
Table 38-9 Default BGP Configuration

Aggregate address: Disabled: None defined.
AS path access list: None defined.
Auto summary: Enabled.
Best path: The router considers as-path in choosing a route and does not compare similar routes from external BGP peers. Compare router ID: Disabled.
BGP community list: Number: None defined.
BGP confederation identifier/peers:
Table 38-9 Default BGP Configuration (continued)

Neighbor:
• Advertisement interval: 30 seconds for external peers; 5 seconds for internal peers.
• Change logging: Enabled.
• Conditional advertisement: Disabled.
• Default originate: No default route is sent to the neighbor.
• Description: None.
• Distribute list: None defined.
• External BGP multihop: Only directly connected neighbors are allowed.
neighboring router during the interval between the primary Route Processor (RP) in a router failing and the backup RP taking over, or while the primary RP is manually reloaded for a nondisruptive software upgrade. For more information, see the “BGP Nonstop Forwarding (NSF) Awareness” section of the Cisco IOS IP Routing Protocols Configuration Guide, Release 12.4 at this URL: http://www.cisco.
Step 5  neighbor {ip-address | peer-group-name} remote-as number
        Add an entry to the BGP neighbor table specifying that the neighbor identified by the IP address belongs to the specified AS. For EBGP, neighbors are usually directly connected, and the IP address is the address of the interface at the other end of the connection. For IBGP, the IP address can be the address of any of the router interfaces.
Router B:
Switch(config)# router bgp 200
Switch(config-router)# neighbor 129.213.1.2 remote-as 100
Switch(config-router)# neighbor 175.220.1.2 remote-as 200

Router C:
Switch(config)# router bgp 200
Switch(config-router)# neighbor 175.220.212.1 remote-as 200
Switch(config-router)# neighbor 192.208.10.1 remote-as 300

Router D:
Switch(config)# router bgp 300
Switch(config-router)# neighbor 192.208.10.
establish a TCP session. A soft reset allows the dynamic exchange of route refresh requests and routing information between BGP routers and the subsequent re-advertisement of the respective outbound routing table.

• When soft reset generates inbound updates from a neighbor, it is called dynamic inbound soft reset.
• When soft reset sends a set of updates to a neighbor, it is called outbound soft reset.
Configuring BGP Decision Attributes

When a BGP speaker receives updates from multiple autonomous systems that describe different paths to the same destination, it must choose the single best path for reaching that destination. When chosen, the selected path is entered into the BGP routing table and propagated to its neighbors. The decision is based on the value of attributes that the update contains and other BGP-configurable factors.
Beginning in privileged EXEC mode, follow these steps to configure some decision attributes:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  router bgp autonomous-system
        Enable a BGP routing process, assign it an AS number, and enter router configuration mode.
Step 3  bgp best-path as-path ignore
        (Optional) Configure the router to ignore AS path length in selecting a route.
Step 14  show ip bgp
         show ip bgp neighbors
         Verify the reset by checking information about the routing table and about BGP neighbors.
Step 15  copy running-config startup-config
         (Optional) Save your entries in the configuration file.

Use the no form of each command to return to the default state.
path, community, and network numbers. Autonomous system path matching requires the match as-path access-list route-map command, community based matching requires the match community-list route-map command, and network-based matching requires the ip access-list global configuration command.
Configuring Prefix Lists for BGP Filtering

You can use prefix lists as an alternative to access lists in many BGP route filtering commands, including the neighbor distribute-list router configuration command. The advantages of using prefix lists include performance improvements in loading and lookup of large lists, incremental update support, easier CLI configuration, and greater flexibility.
sequence number command; to reenable automatic generation, use the ip prefix-list sequence number command. To clear the hit-count table of prefix list entries, use the clear ip prefix-list privileged EXEC command.

Configuring BGP Community Filtering

One way that BGP controls the distribution of routing information is based on the value of the COMMUNITIES attribute.
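As an added example that is not part of the guide, the following Python evaluator applies prefix-list semantics to candidate routes: entries are tried in sequence-number order, the first match decides, a prefix that matches nothing is denied, an entry entered without a sequence number receives the list's previous highest number plus 5, and a per-entry hit count is kept so that the effect of clear ip prefix-list can be modelled. The prefix list and the routes tested against it are constructed.

```python
"""Prefix-list evaluation as used in BGP route filtering.

Added example, not from the guide. The prefix list below is constructed.
A route matches an entry when it lies inside the entry's network and its
prefix length is within the allowed range: exactly the entry's length
when neither ge nor le is given, ge..32 with only ge, length..le with
only le, and ge..le when both are given.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ENTRY_RE = re.compile(
    r"ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny) "
    r"(?P<net>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)

# Constructed configuration (not from the guide).
SAMPLE_PREFIX_LISTS = """\
ip prefix-list CUSTOMER description routes accepted from the customer
ip prefix-list CUSTOMER seq 5 permit 192.0.2.0/24
ip prefix-list CUSTOMER seq 10 deny 198.51.100.0/24 ge 25
ip prefix-list CUSTOMER permit 198.51.100.0/22 le 24
ip prefix-list CUSTOMER permit 203.0.113.0/24 ge 26 le 28
"""


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str
    network: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if not route.subnet_of(self.network):
            return False
        if self.ge is None and self.le is None:
            return route.prefixlen == self.network.prefixlen
        low = self.ge if self.ge is not None else self.network.prefixlen
        high = self.le if self.le is not None else route.max_prefixlen
        return low <= route.prefixlen <= high


class PrefixLists:
    def __init__(self) -> None:
        self.lists: Dict[str, List[Entry]] = {}
        self.hits: Counter = Counter()  # (list name, seq) -> hit count

    def load(self, config: str) -> None:
        for line in config.splitlines():
            m = ENTRY_RE.match(line.strip())
            if not m:
                continue  # description lines and unrelated commands
            entries = self.lists.setdefault(m["name"], [])
            if m["seq"] is not None:
                seq = int(m["seq"])
            else:  # automatic numbering: previous highest sequence + 5
                seq = max((e.seq for e in entries), default=0) + 5
            entries.append(Entry(seq, m["action"], ipaddress.ip_network(m["net"]),
                                 int(m["ge"]) if m["ge"] else None,
                                 int(m["le"]) if m["le"] else None))
            entries.sort(key=lambda e: e.seq)

    def evaluate(self, name: str, prefix: str) -> Tuple[str, Optional[int]]:
        """First matching entry, in sequence order, decides; no match denies."""
        route = ipaddress.ip_network(prefix)
        for entry in self.lists.get(name, []):
            if entry.matches(route):
                self.hits[(name, entry.seq)] += 1
                return entry.action, entry.seq
        return "deny", None

    def clear_hits(self) -> None:
        """Equivalent of clear ip prefix-list for the hit-count table."""
        self.hits.clear()


if __name__ == "__main__":
    pl = PrefixLists()
    pl.load(SAMPLE_PREFIX_LISTS)
    for p in ["192.0.2.0/24", "192.0.2.0/25", "198.51.100.128/25",
              "198.51.100.0/24", "203.0.113.64/26", "203.0.113.0/24"]:
        print(p, "->", pl.evaluate("CUSTOMER", p))
    print("hits:", dict(pl.hits))
```

The deny at sequence 10 illustrates the usual reason to combine entries: it rejects more-specific announcements inside 198.51.100.0/24 while sequence 15 still admits the aggregate and its /23 halves.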
Step 5  set comm-list list-num delete
        (Optional) Remove communities from the community attribute of an inbound or outbound update that match a standard or extended community list specified by a route map.
Step 6  exit
        Return to global configuration mode.
Step 7  ip bgp-community new-format
        (Optional) Display and parse BGP communities in the format AA:NN. A BGP community is displayed in a two-part format 2 bytes long.
Step 7  neighbor {ip-address | peer-group-name} default-originate [route-map map-name]
        (Optional) Allow a BGP speaker (the local router) to send the default route 0.0.0.0 to a neighbor for use as a default route.
Step 8  neighbor {ip-address | peer-group-name} send-community
        (Optional) Specify that the COMMUNITIES attribute be sent to the neighbor at this IP address.
Step 23  neighbor {ip-address | peer-group-name} soft-reconfiguration inbound
         (Optional) Configure the software to start storing received updates.
Step 24  end
         Return to privileged EXEC mode.
Step 25  show ip bgp neighbors
         Verify the configuration.
Step 26  copy running-config startup-config
         (Optional) Save your entries in the configuration file.
To delete an aggregate entry, use the no aggregate-address address mask router configuration command. To return options to the default values, use the command with keywords.

Configuring Routing Domain Confederations

One way to reduce the IBGP mesh is to divide an autonomous system into multiple subautonomous systems and to group them into a single confederation that appears as a single autonomous system.
When the route reflector receives an advertised route, it takes one of these actions, depending on the neighbor:

• A route from an external BGP speaker is advertised to all clients and nonclient peers.
• A route from a nonclient peer is advertised to all clients.
• A route from a client is advertised to all clients and nonclient peers. Hence, the clients need not be fully meshed.
Beginning in privileged EXEC mode, use these commands to configure BGP route dampening:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  router bgp autonomous-system
        Enter BGP router configuration mode.
Step 3  bgp dampening
        Enable BGP route dampening.
Step 4  bgp dampening half-life reuse suppress max-suppress [route-map map]
        (Optional) Change the default values of route dampening factors.
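Route dampening as an added example, not from the guide: the Python model below applies the four factors named in Step 4 (half-life, reuse, suppress and max-suppress) to a sequence of flaps and reports when the route is suppressed and when it is reused. It assumes the Cisco IOS defaults of a 15-minute half-life, reuse limit 750, suppress limit 2000 and 60-minute maximum suppress time, and simplifies the penalty to a fixed 1000 per flap; the flap timeline is constructed.

```python
"""BGP route dampening model (added example, not from the guide)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Dampening:
    """Factors set by bgp dampening half-life reuse suppress max-suppress.

    Defaults are assumed to be the IOS defaults; flap_penalty is the
    fixed penalty this example adds for every flap.
    """
    half_life_min: float = 15.0
    reuse: int = 750
    suppress: int = 2000
    max_suppress_min: float = 60.0
    flap_penalty: int = 1000

    @property
    def max_penalty(self) -> float:
        """Penalty ceiling: the value that decays to reuse in exactly
        max-suppress minutes, so no route stays suppressed longer."""
        return self.reuse * 2 ** (self.max_suppress_min / self.half_life_min)


@dataclass
class DampenedRoute:
    params: Dampening
    penalty: float = 0.0
    suppressed: bool = False
    last_minute: float = 0.0

    def decay_to(self, now: float) -> float:
        """Apply exponential decay up to time now (in minutes) and release
        the route once the penalty has fallen below the reuse limit."""
        self.penalty *= 2 ** (-(now - self.last_minute) / self.params.half_life_min)
        self.last_minute = now
        if self.suppressed and self.penalty < self.params.reuse:
            self.suppressed = False
        return self.penalty

    def flap(self, now: float) -> bool:
        """Record a flap at time now; return whether the route is now suppressed."""
        self.decay_to(now)
        self.penalty = min(self.penalty + self.params.flap_penalty,
                           self.params.max_penalty)
        if self.penalty > self.params.suppress:
            self.suppressed = True
        return self.suppressed

    def minutes_until_reuse(self) -> float:
        """Minutes from the last update until the penalty decays below reuse."""
        if self.penalty <= self.params.reuse:
            return 0.0
        return self.params.half_life_min * math.log2(self.penalty / self.params.reuse)


def simulate(flap_minutes, observe_minutes, params=Dampening()):
    """Replay flaps and report (rounded penalty, suppressed) at each
    observation time; both lists are in minutes from the start."""
    route = DampenedRoute(params)
    events = sorted([(m, "flap") for m in flap_minutes] +
                    [(m, "observe") for m in observe_minutes])  # flaps sort first
    report = {}
    for minute, kind in events:
        if kind == "flap":
            route.flap(minute)
        else:
            route.decay_to(minute)
            report[minute] = (round(route.penalty), route.suppressed)
    return report


if __name__ == "__main__":
    # Constructed timeline: three flaps in three minutes, then silence.
    for minute, state in simulate([0, 1, 2], [2, 10, 25, 35]).items():
        print(f"t={minute:>3} min  penalty={state[0]:>5}  suppressed={state[1]}")
```

Three flaps within three minutes push the penalty past 2000, and with nothing but decay the route stays out of the table for roughly half an hour before it drops below 750 and is reused; lowering the half-life or raising the reuse limit shortens that interval, while max-suppress caps it regardless of how many further flaps occur.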
Table 38-11 IP BGP Clear and Show Commands (continued)

show ip bgp prefix: Display peer groups and peers not in peer groups to which the prefix has been advertised. Also display prefix attributes such as the next hop and the local prefix.
show ip bgp cidr-only: Display all BGP routes that contain subnet and supernet network masks.
These sections contain this information:

• Understanding Multi-VRF CE, page 38-66
• Default Multi-VRF CE Configuration, page 38-68
• Multi-VRF CE Configuration Guidelines, page 38-68
• Configuring VRFs, page 38-69
• Configuring VRF-Aware Services, page 38-70
• Configuring Multicast VRFs, page 38-74
• Configuring a VPN Routing Session, page 38-74
• Configuring BGP PE to CE Routing Sessions, page 38-75
• Multi-VRF CE Config
Figure 38-6 shows a configuration using switches as multiple virtual CEs. This scenario is suited for customers who have low bandwidth requirements for their VPN service, for example, small companies. In this case, multi-VRF CE support is required in the switches. Because multi-VRF CE is a Layer 3 feature, each interface in a VRF must be a Layer 3 interface.
To configure VRF, you create a VRF table and specify the Layer 3 interface associated with the VRF. Then configure the routing protocols in the VPN and between the CE and the PE. BGP is the preferred routing protocol used to distribute VPN routing information across the provider’s backbone. The multi-VRF CE network has three major components:

• VPN route target communities: lists of all other members of a VPN community.
• A customer can use multiple VLANs as long as they do not overlap with those of other customers. A customer’s VLANs are mapped to a specific routing table ID that is used to identify the appropriate routing tables stored on the switch.
• A switch supports one global network and up to 26 VRFs.
• Most routing protocols (BGP, OSPF, RIP, and static routing) can be used between the CE and the PE.
Step 9   end
         Return to privileged EXEC mode.
Step 10  show ip vrf [brief | detail | interfaces] [vrf-name]
         Verify the configuration. Display information about the configured VRFs.
Step 11  copy running-config startup-config
         (Optional) Save your entries in the configuration file.

Use the no ip vrf vrf-name global configuration command to delete a VRF and to remove all interfaces from it.
User Interface for PING

Beginning in privileged EXEC mode, follow these steps to configure VRF-aware services for ping. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2.

ping vrf vrf-name ip-host: Display the ARP table in the specified VRF.
Step 6  standby 1 ip ip-address
        Enable HSRP and configure the virtual IP address.
Step 7  end
        Return to privileged EXEC mode.

User Interface for uRPF

uRPF can be configured on an interface assigned to a VRF, and source lookup is done in the VRF table. Beginning in privileged EXEC mode, follow these steps to configure VRF-aware services for uRPF.
User Interface for Traceroute

Beginning in privileged EXEC mode, follow these steps to configure VRF-aware services for traceroute. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2.

traceroute vrf vrf-name ipaddress: Specify the name of a VPN VRF in which to find the destination address.
Configuring Multicast VRFs

Beginning in privileged EXEC mode, follow these steps to configure a multicast within a VRF table. For complete syntax and usage information for the commands, see the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip routing
        Enable IP routing mode.
Beginning in privileged EXEC mode, follow these steps to configure OSPF in the VPN:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  router ospf process-id vrf vrf-name
        Enable OSPF routing, specify a VPN forwarding table, and enter router configuration mode.
Step 3  log-adjacency-changes
        (Optional) Log changes in the adjacency state. This is the default state.
Use the no router bgp autonomous-system-number global configuration command to delete the BGP routing process. Use the command with keywords to delete routing characteristics.

Multi-VRF CE Configuration Example

Figure 38-7 is a simplified example of the physical connections in a network similar to that in Figure 38-6. OSPF is the protocol used in VPN1, VPN2, and the global network. BGP is used in the CE to PE connections.
Configuring Switch A

On Switch A, enable routing and configure VRF.

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface vlan118
Switch(config-if)# ip vrf forwarding v12
Switch(config-if)# ip address 118.0.0.8 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface vlan208
Switch(config-if)# ip vrf forwarding v11
Switch(config-if)# ip address 208.0.0.8 255.255.255.0
Switch(config-if)# exit

Configure OSPF routing in VPN1 and VPN2.
Configuring Switch F

Switch F belongs to VPN 2. Configure the connection to Switch A by using these commands.

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# router bgp 100
Router(config-router)# address-family ipv4 vrf v2
Router(config-router-af)# neighbor 83.0.0.8 remote-as 800
Router(config-router-af)# neighbor 83.0.0.8 activate
Router(config-router-af)# network 3.3.2.0 mask 255.255.255.0
Router(config-router-af)# exit
Router(config-router)# address-family ipv4 vrf v1
Router(config-router-af)# neighbor 38.0.0.
Configuring Protocol-Independent Features

This section describes how to configure IP routing protocol-independent features. These features are available on switches running the IP base or the IP services feature set, except that with the IP base feature set, protocol-related features are available only for RIP.
The default configuration is CEF or dCEF enabled on all Layer 3 interfaces. Entering the no ip route-cache cef interface configuration command disables CEF for traffic that is being forwarded by software. This command does not affect the hardware forwarding path. Disabling CEF and using the debug ip packet detail privileged EXEC command can be useful to debug software-forwarded traffic.
Even though the router automatically learns about and configures equal-cost routes, you can control the maximum number of parallel paths supported by an IP routing protocol in its routing table. Although the switch software allows a maximum of 32 equal-cost routes, the switch hardware will never use more than 16 paths per route.
Table 38-14 Dynamic Routing Protocol Default Administrative Distances

Route Source: Default Distance
Connected interface: 0
Static route: 1
Enhanced IGRP summary route: 5
External BGP: 20
Internal Enhanced IGRP: 90
IGRP: 100
OSPF: 110
Internal BGP: 200
Unknown: 225

Static routes that point to an interface are advertised through RIP, IGRP, and other dynamic routing protocols, whether or not static redistribute
Step 4  show ip route
        Display the selected default route in the gateway of last resort display.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use the no ip default-network network number global configuration command to remove the route.

When default information is passed through a dynamic routing protocol, no further configuration is required.
Note: Although each of Steps 3 through 14 in the following section is optional, you must enter at least one match route-map configuration command and one set route-map configuration command.

Beginning in privileged EXEC mode, follow these steps to configure a route map for redistribution:

Step 1  configure terminal
        Enter global configuration mode.
Step 12  set dampening halflife reuse suppress max-suppress-time
         Set BGP route dampening factors.
Step 13  set local-preference value
         Assign a value to a local BGP path.
Step 14  set origin {igp | egp as | incomplete}
         Set the BGP origin code.
Step 15  set as-path {tag | prepend as-path-string}
         Modify the BGP autonomous system path.
Beginning in privileged EXEC mode, follow these steps to control route redistribution. Note that the keywords are the same as defined in the previous procedure.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  router {bgp | rip | ospf | eigrp}
        Enter router configuration mode.
With PBR, you classify traffic using access control lists (ACLs) and then make traffic go through a different path. PBR is applied to incoming packets. All packets received on an interface with PBR enabled are passed through route maps. Based on the criteria defined in the route maps, packets are forwarded (routed) to the appropriate next hop.
Chapter 38 Configuring IP Unicast Routing Configuring Protocol-Independent Features • To use PBR, you must first enable the routing template by using the sdm prefer routing global configuration command. PBR is not supported with the VLAN or default template. For more information on the SDM templates, see Chapter 8, “Configuring SDM Templates.” • VRF and PBR are mutually exclusive on a switch interface. You cannot enable VRF when PBR is enabled on an interface.
Chapter 38 Configuring IP Unicast Routing Configuring Protocol-Independent Features Beginning in privileged EXEC mode, follow these steps to configure PBR: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 route-map map-tag [permit] [sequence number] Define any route maps used to control where packets are output, and enter route-map configuration mode. • map-tag—A meaningful name for the route map.
Chapter 38 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 11 end Return to privileged EXEC mode. Step 12 show route-map [map-name] (Optional) Display all route maps configured or only the one specified to verify configuration. Step 13 show ip policy (Optional) Display policy route maps attached to interfaces. Step 14 show ip local policy (Optional) Display whether or not local policy routing is enabled and, if so, the route map being used.
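The PBR procedure above, pulled together as one complete configuration. This is an added example and not taken from the guide; the VLAN, the 192.0.2.0/24 subnet, the interface and the inspection next hop 10.10.10.2 are assumed. The ACL is the only classifier in the policy: a permit sequence with no match statement would policy-route every packet on the interface, and packets that match no permit sequence fall through to the normal routing table.

```cisco
! Added example; not from the guide. VLAN, subnet, interface and the
! inspection next hop (10.10.10.2) are assumed for illustration.
!
! Step 1: PBR needs the routing SDM template. The change takes effect
! only after the switch reloads.
sdm prefer routing
!
! Classifier: only the assumed management subnet is policy-routed.
! Anything that fails this ACL is routed from the normal routing table.
ip access-list extended PBR-MGMT-TO-INSPECT
 permit ip 192.0.2.0 0.0.0.255 any
!
! Sequence 10 policy-routes the matches. Keep exactly one match per
! sequence: a permit sequence with no match statement matches all packets.
route-map PBR-INSPECT permit 10
 match ip address PBR-MGMT-TO-INSPECT
 set ip next-hop 10.10.10.2
!
! PBR acts on received packets only, so it is applied on the ingress SVI.
vlan 20
interface Vlan20
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map PBR-INSPECT
!
end
! Verification (Steps 12 and 13 of the procedure)
show route-map PBR-INSPECT
show ip policy
```

The show route-map output includes a per-sequence match counter, which is the quickest way to confirm that traffic from the classified subnet is actually hitting the policy and that nothing else is.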
Step 7  end
        Return to privileged EXEC mode.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use a network monitoring privileged EXEC command such as show ip ospf interface to verify which interfaces you enabled as passive, or use the show ip interface privileged EXEC command to verify the interfaces that you enabled as active.

router to intelligently discriminate between sources of routing information. When the same prefix is learned from more than one source, the router always installs the route from the source with the lowest administrative distance. Table 38-14 on page 38-84 shows the default administrative distances for various routing information sources. Because each network has its own requirements, there are no general guidelines for assigning administrative distances.

Chapter 38 Configuring IP Unicast Routing: Monitoring and Maintaining the IP Network

Beginning in privileged EXEC mode, follow these steps to manage authentication keys:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  key chain name-of-chain
        Identify a key chain, and enter key chain configuration mode.
Step 3  key number
        Identify the key number. The range is 0 to 2147483647.
Step 4  key-string text
        Identify the key string.

Table 38-15 Commands to Clear IP Routes or Display Route Status (continued)

show ip route supernets-only   Display supernets.
show ip cache                  Display the routing table used to switch IP traffic.
show route-map [map-name]      Display all route maps configured or only the one specified.
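The passive-interface and key-chain procedures above, combined into one configuration that authenticates EIGRP hellos on a single uplink and keeps every other interface quiet. This is an added example and not from the guide; the EIGRP autonomous system number, the key chain name, the key strings, the lifetimes and the interface are assumed. Two keys with overlapping lifetimes are shown because that is how a key is rotated without an adjacency flap; the lifetimes only mean something if the switch clock is trustworthy.

```cisco
! Added example; not from the guide. AS number, chain name, key strings,
! lifetimes and interface names are assumed for illustration.
!
! Key strings are stored in the configuration in clear text unless
! service password-encryption is on, and type 7 is reversible, so the
! configuration file itself is the secret to protect.
key chain EIGRP-KEYS
 key 1
  key-string R0ut1ng-K3y-A
  accept-lifetime 00:00:00 Jan 1 2007 23:59:59 Dec 31 2007
  send-lifetime 00:00:00 Jan 1 2007 23:59:59 Dec 1 2007
 key 2
  ! Accepted a month before it is sent, so peers can be rolled one at a time.
  key-string R0ut1ng-K3y-B
  accept-lifetime 00:00:00 Nov 1 2007 infinite
  send-lifetime 00:00:00 Dec 1 2007 infinite
!
router eigrp 100
 network 10.0.0.0
 ! Passive by default: no hellos, no adjacencies, no topology leaked on
 ! server-facing interfaces. Only the uplink is opened up.
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.0.0.1 255.255.255.252
 ! MD5-authenticated hellos; a neighbor without a matching key in its
 ! chain is ignored instead of forming an adjacency.
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
end
show key chain
show ip eigrp interfaces
show ip eigrp neighbors
```

show ip eigrp interfaces lists only the non-passive interfaces, which is the check that the passive-interface default actually took hold everywhere else.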
CHAPTER 39 Configuring IPv6 Unicast Routing

Internet Protocol Version 6 (IPv6) is the network-layer Internet Protocol intended to replace Version 4 (IPv4) in the TCP/IP suite of protocols. This chapter describes how to configure IPv6 unicast routing on the switch. For information about configuring IPv4 unicast routing, see Chapter 38, “Configuring IP Unicast Routing.” For information about configuring IPv6 Multicast Listener Discovery (MLD) snooping, see Chapter 24, “Configuring IPv6 MLD Snooping.”

Understanding IPv6

The architecture of IPv6 allows existing IPv4 users to transition easily to IPv6, and provides services such as end-to-end security, quality of service (QoS), and globally unique addresses. The flexibility of the IPv6 address space reduces the need for private addresses and for Network Address Translation (NAT) processing by border routers at the edge of networks.

For more information about IPv6 address formats, address types, and the IPv6 packet header, see the “Implementing Basic Connectivity for IPv6” chapter of the Cisco IOS IPv6 Configuration Library at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_configuration_guide_chapter09186a00801d65f5.

• Link-local unicast addresses can be automatically configured on any interface by combining the link-local prefix FE80::/10 (1111 1110 10) with the interface identifier in the modified EUI-64 format. Link-local addresses are used in the neighbor discovery protocol and the stateless autoconfiguration process. Nodes on a local link use link-local addresses and do not require globally unique addresses to communicate.

A value of 137 in the ICMP packet header Type field identifies an IPv6 neighbor redirect message. The switch supports ICMPv6 redirect (RFC 2463). Routers send neighbor-redirect messages to inform hosts of a better first-hop node on the path to a destination. A router does not update its routing tables after receiving a neighbor-redirect message, and hosts do not originate neighbor-redirect messages.

The switch uses hardware memory to store unicast routes, MAC addresses, access control lists (ACLs), and other features, and provides the switch database management (SDM) templates to allocate memory resources depending on how the switch is used. You must use one of the dual IPv4 and IPv6 templates to allocate hardware memory to both the IPv4 and IPv6 protocols. See the “SDM Templates” section on page 39-11.

Passive Interfaces

As with EIGRP IPv4, EIGRP IPv6 allows you to specify your EIGRP IPv6 interfaces and to select a subset of those to be passive interfaces. Use the passive-interface default command to make all interfaces passive, then use the no passive-interface command on selected interfaces to make them active. EIGRP IPv6 does not need to be configured on a passive interface.

Table 39-2 EIGRP IPv6 Router-mode Commands (continued)

metric weights tos k1 k2 k3 k4 k5              Tunes EIGRP metric calculations.
neighbor x:x:x:x::x interface-name             Defines a neighboring router with which to exchange routing information on a router that is running EIGRP.
passive-interface [interface-name | default]   Disables sending routing updates on an interface.

For complete syntax and usage information on these commands, see the Cisco IOS command references.

• In addition to the normal SPAN and RSPAN limitations defined in the software configuration guide, these limitations are specific to IPv6 packets:
  – When you egress RSPAN IPv6-routed packets, the source MAC address in the SPAN output packet can be corrupted.
  – When you egress RSPAN IPv6-routed packets, the destination MAC address can be corrupted. Normal traffic is not affected.

Note  IPv6 packets are routed in hardware across the stack provided the packet has no exceptions (IPv6 options) and the switches in the stack have not run out of hardware resources.

Configuring IPv6

• Dual IPv4 and IPv6 VLAN template—supports basic Layer 2, multicast, QoS, and ACLs for IPv4, and basic Layer 2 and ACLs for IPv6 on the switch.

Note  An IPv4 route requires only one hardware entry. Because of the hardware compression scheme used for IPv6, an IPv6 route can take more than one hardware entry, which reduces the number of routes that can be forwarded in hardware.

Default IPv6 Configuration

Table 39-5 shows the default IPv6 configuration.

Table 39-5 Default IPv6 Configuration

SDM template       Default desktop.
IPv6 routing       Disabled globally and on all interfaces.
CEFv6 or dCEFv6    Disabled (IPv4 CEF and dCEF are enabled by default).
                   Note  When IPv6 routing is enabled, CEFv6 and dCEFv6 are automatically enabled.
IPv6 addresses
Beginning in privileged EXEC mode, follow these steps to assign an IPv6 address to a Layer 3 interface and enable IPv6 routing:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan}
        Select an SDM template that supports IPv4 and IPv6.
        • default—Set the switch to the default template to balance system resources.

without arguments. To disable IPv6 processing on an interface that has not been explicitly configured with an IPv6 address, use the no ipv6 enable interface configuration command. To globally disable IPv6 routing, use the no ipv6 unicast-routing global configuration command.

This example shows how to enable IPv6 with both a link-local address and a global address based on the IPv6 prefix 2001:0DB8:c18:1::/64.

Step 4  interface interface-id
        Enter interface configuration mode, and specify the Layer 3 interface to configure.
Step 5  no switchport
        Remove the interface from Layer 2 configuration mode (if it is a physical interface).
Step 6  ip address ip-address mask [secondary]
        Specify a primary or secondary IPv4 address for the interface.

Configuring IPv6 ICMP Rate Limiting

IPv6 ICMP rate limiting uses a token-bucket algorithm to limit the rate at which the switch sends IPv6 ICMP error messages to the network. You configure a minimum interval between error messages and a bucket size: the bucket allows a burst of up to bucket-size messages, after which further error messages are released no faster than one per interval. This bounds how much an attacker who floods the switch with undeliverable or malformed IPv6 packets can make it emit in return.

To disable IPv6 CEF or distributed CEF, use the no ipv6 cef or no ipv6 cef distributed global configuration command. To reenable IPv6 CEF or dCEF if it has been disabled, use the ipv6 cef or ipv6 cef distributed global configuration command. You can verify the IPv6 state by entering the show ipv6 cef privileged EXEC command.

Beginning in privileged EXEC mode, follow these steps to configure an IPv6 static route:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ipv6 route ipv6-prefix/prefix-length {ipv6-address | interface-id [ipv6-address]} [administrative-distance]
        Configure a static IPv6 route.
        • ipv6-prefix—The IPv6 network that is the destination of the static route.

Step 4  show ipv6 static [ipv6-address | ipv6-prefix/prefix-length] [interface interface-id] [recursive] [detail]
        Verify your entries by displaying the contents of the IPv6 routing table.
        • interface interface-id—(Optional) Display only those static routes with the specified interface as an egress interface.
        • recursive—(Optional) Display only recursive static routes.
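The IPv6 addressing, ICMP rate-limiting and static-route procedures above as one configuration. This is an added example and not from the guide; the interface, the 2001:0DB8:c18:1::/64 prefix (the guide's own documentation prefix), the upstream link-local next hop FE80::1 and the rate-limit values are assumed.

```cisco
! Added example; not from the guide. Interface, prefix, upstream next hop
! and rate-limit values are assumed for illustration.
!
! Hardware tables must be split between IPv4 and IPv6 first; the new
! template takes effect only after the switch reloads.
sdm prefer dual-ipv4-and-ipv6 routing
!
! Enable IPv6 forwarding. CEFv6 is enabled with it.
ipv6 unicast-routing
!
! Token bucket for ICMPv6 errors (destination unreachable, packet too
! big, time exceeded, parameter problem): a burst of at most 10, then one
! every 100 ms, so a scan or flood cannot turn the switch into an error
! message amplifier.
ipv6 icmp error-interval 100 10
!
interface GigabitEthernet1/0/1
 no switchport
 ! Global address = prefix + modified EUI-64 of the port MAC. The
 ! link-local FE80::/10 address is created automatically alongside it.
 ipv6 address 2001:0DB8:c18:1::/64 eui-64
 no shutdown
!
! Default route toward the assumed upstream router. A link-local next hop
! is ambiguous on its own, so the egress interface is named in front of it.
ipv6 route ::/0 GigabitEthernet1/0/1 FE80::1
!
end
show ipv6 interface GigabitEthernet1/0/1
show ipv6 static detail
show ipv6 cef
```

show ipv6 interface prints both the derived link-local and the global address, which is how to confirm the EUI-64 identifier the switch actually chose before handing that prefix to hosts.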
Beginning in privileged EXEC mode, follow these required and optional steps to configure IPv6 RIP:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ipv6 router rip name
        Configure an IPv6 RIP routing process, and enter router configuration mode for the process.
Step 3  maximum-paths number-paths
        (Optional) Define the maximum number of equal-cost routes that IPv6 RIP can support.

Configuring OSPF for IPv6

Open Shortest Path First (OSPF) is a link-state protocol for IP, which means that routing decisions are based on the states of the links that connect the source and destination devices. The state of a link is a description of the interface and its relationship to its neighboring networking devices.

Beginning in privileged EXEC mode, follow these required and optional steps to configure IPv6 OSPF:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ipv6 router ospf process-id
        Enable OSPF router configuration mode for the process. The process ID is the number assigned administratively when enabling the OSPF for IPv6 routing process. It is locally assigned and can be a positive integer from 1 to 65535.

To disable an OSPF routing process, use the no ipv6 router ospf process-id global configuration command. To disable the OSPF routing process for an interface, use the no ipv6 ospf process-id area area-id interface configuration command. For more information about configuring OSPF routing for IPv6, see the “Implementing OSPF for IPv6” chapter in the Cisco IOS IPv6 Configuration Library at this URL: http://www.cisco.

Displaying IPv6

  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds

This is an example of the output from the show ipv6 neighbors privileged EXEC command:

Switch# show ipv6 neighbors
IPv6 Address                 Age Link-layer Addr State Interface
3FFE:C000:0:7::777             - 0007.0007.0007  REACH Vl7
3FFE:C101:113:1::33            - 0000.0000.

ICMP statistics:
  Rcvd: 1 input, 0 checksum errors, 0 too short
        0 unknown info type, 0 unknown error type
        unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
        parameter: 0 error, 0 header, 0 option
        0 hopcount expired, 0 reassembly timeout, 0 too big
        0 echo request, 0 echo reply
        0 group query, 0 group report, 0 group reduce
        1 router solicit, 0 router advert, 0 redirects
        0 neighbor solicit, 0 neighbor advert
  Sent: 10112 output, 0 rate-limited u
CHAPTER 40 Configuring HSRP

This chapter describes how to use Hot Standby Router Protocol (HSRP) on the switch to provide routing redundancy for routing IP traffic without being dependent on the availability of any single router. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Understanding HSRP

HSRP is useful for hosts that do not support a router discovery protocol and cannot switch to a new router when their selected router reloads or loses power. When HSRP is configured on a network segment, it provides a virtual MAC address and an IP address that is shared among router interfaces in a group of router interfaces running HSRP.

Figure 40-1 Typical HSRP Configuration
(Figure: Router A is the active router and Router B the standby router behind one virtual router; blade servers A, B, and C on the segment use the virtual router as their gateway. Addresses shown: 172.20.128.1, 172.20.128.2, 172.20.128.3, 172.20.128.32, 172.20.128.55, 172.20.130.5.)

Multiple HSRP

The switch supports Multiple HSRP (MHSRP), an extension of HSRP that allows load sharing between two or more HSRP groups.

Configuring HSRP

Figure 40-2 MHSRP Load Sharing
(Figure: Router A, 10.0.0.1, is the active router for group 1 and the standby router for group 2; Router B, 10.0.0.2, is the active router for group 2 and the standby router for group 1. Each blade switch enclosure with a management module has an active link to one router and a standby link to the other.)

HSRP and Switch Stacks

HSRP hello messages are generated by the stack master.

• Enabling HSRP Support for ICMP Redirect Messages, page 40-11
• Configuring HSRP Groups and Clustering, page 40-11

Default HSRP Configuration

Table 40-1 shows the default HSRP configuration.

Table 40-1 Default HSRP Configuration

HSRP groups            None configured
Standby group number   0
Standby MAC address    System assigned as: 0000.0c07.

When the standby ip command is enabled on an interface and proxy ARP is enabled, if the interface’s Hot Standby state is active, proxy ARP requests are answered using the Hot Standby group MAC address. If the interface is in a different state, proxy ARP responses are suppressed.

Beginning in privileged EXEC mode, follow these steps to create or enable HSRP on a Layer 3 interface:

Step 1  configure terminal
        Enter global configuration mode.

Configuring HSRP Priority

The standby priority, standby preempt, and standby track interface configuration commands are all used to set characteristics for finding active and standby routers and behavior regarding when a new active router takes over. When configuring HSRP priority, follow these guidelines:
• Assigning priority helps select the active and standby routers.

Step 3  standby [group-number] priority priority [preempt [delay delay]]
        Set a priority value used in choosing the active router. The range is 1 to 255; the default priority is 100. The highest number represents the highest priority.
        • (Optional) group-number—The group number to which the command applies.

This example activates a port, sets an IP address and a priority of 120 (higher than the default value), and waits for 300 seconds (5 minutes) before attempting to become the active router:

Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# standby ip 172.20.128.

When configuring these attributes, follow these guidelines:
• The authentication string is sent unencrypted in all HSRP messages, so it protects against misconfigured peers, not against an attacker who can read or inject traffic on the segment. You must configure the same authentication string on all routers and access servers on a LAN segment to ensure interoperation. An authentication mismatch prevents a device from learning the designated Hot Standby IP address and timer values from other routers configured with HSRP.

This example shows how to set the timers on standby group 1 with the time between hello packets at 5 seconds and the time after which a router is considered down at 15 seconds:

Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# standby 1 ip
Switch(config-if)# standby 1 timers 5 15
Switch(config-if)# end

Enabling HSRP Support for ICMP Redirect Messages

ICMP redirect mess

Displaying HSRP Configurations

This is an example of output from the show standby privileged EXEC command, displaying HSRP information for two standby groups (group 1 and group 100):

Switch# show standby
VLAN1 - Group 1
  Local state is Standby, priority 105, may preempt
  Hellotime 3 holdtime 10
  Next hello sent in 00:00:02.182
  Hot standby IP address is 172.20.128.3 configured
  Active router is 172.20.128.
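The HSRP priority, preempt, timer and authentication steps above, combined into the configuration of the router that is meant to be active for the segment. This is an added example and not from the guide; the SVI, the addresses (kept in the guide's 172.20.128.0/24 range) and the authentication string are assumed, and the MD5 form mentioned in the comments must be checked against this release before use.

```cisco
! Added example; not from the guide. SVI, addresses and the
! authentication string are assumed. The peer runs the same block with
! its own address and the default priority of 100.
interface Vlan1
 ip address 172.20.128.1 255.255.255.0
 standby 1 ip 172.20.128.3
 ! 120 beats the peer's default 100. preempt lets this router take the
 ! active role back after a reload, but only after 300 s, so that it
 ! has learned its routes before it starts attracting the segment's
 ! traffic.
 standby 1 priority 120
 standby 1 preempt delay minimum 300
 ! Hello 5 s, hold 15 s. Hold time should cover at least three hellos;
 ! a standby router without its own timers learns them from the active.
 standby 1 timers 5 15
 ! The string (8 characters maximum) travels in clear text in every hello
 ! (UDP 1985 to 224.0.0.2). It only rejects misconfigured peers; it does
 ! not stop a host on this VLAN from sending a higher-priority hello and
 ! becoming the gateway. If "standby 1 authentication ?" lists md5 on
 ! this release, prefer "standby 1 authentication md5 key-string <string>".
 standby 1 authentication HsrpGrp1
!
end
show standby brief
show standby vlan 1
```

show standby brief lists, per group, the local state, the active and standby router addresses and whether preempt is on; an unexpected active address there is the first sign of a rogue or misconfigured HSRP speaker on the VLAN.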
CHAPTER 41 Configuring Cisco IOS IP SLAs Operations

This chapter describes how to use Cisco IOS IP Service Level Agreements (SLAs) on the switch. Cisco IP SLAs is a part of Cisco IOS software that allows Cisco customers to analyze IP service levels for IP applications and services by using active traffic monitoring—the generation of traffic in a continuous, reliable, and predictable manner—for measuring network performance.

Understanding Cisco IOS IP SLAs

options such as source and destination IP address, User Datagram Protocol (UDP)/TCP port numbers, a type of service (ToS) byte (including Differentiated Services Code Point [DSCP] and IP Precedence bits), Virtual Private Network (VPN) routing/forwarding instance (VRF), and URL web address.

Using Cisco IOS IP SLAs to Measure Network Performance

You can use IP SLAs to monitor the performance between any area in the network—core, distribution, and edge—without deploying a physical probe. It uses generated traffic to measure network performance between two networking devices. Figure 41-1 shows how IP SLAs begins when the source device sends a generated packet to the destination device.

IP SLAs Responder and IP SLAs Control Protocol

The IP SLAs responder is a component embedded in the destination Cisco device that allows the system to anticipate and respond to IP SLAs request packets. The responder provides accurate measurements without the need for dedicated probes.

Figure 41-2 Cisco IOS IP SLAs Responder Time Stamping
(Figure: the source router records T1 when it sends the probe and T4 when the reply arrives; the responder on the target router records T2 on receipt and T3 on transmit. The responder's processing time is T3 - T2, so RTT (round-trip time) = T4 - T1 - (T3 - T2).)

An additional benefit of the two time stamps at the target device is the ability to track one-way delay, jitter, and directional packet loss. Because much network behavior is asynchronous, it is critical to have these statistics.

Configuring IP SLAs Operations

• One-way mean opinion score (MOS)
• One-way latency

An IP SLAs threshold violation can also trigger another IP SLAs operation for further analysis. For example, the frequency could be increased, or an ICMP path echo or ICMP path jitter operation could be initiated for troubleshooting. Determining the type of threshold and the level to set can be complex, and depends on the type of IP service being used in the network.

Note that not all of the IP SLAs commands or operations described in this guide are supported on the switch. The switch supports IP service level analysis by using UDP jitter, UDP echo, HTTP, TCP connect, ICMP echo, ICMP path echo, ICMP path jitter, FTP, DNS, and DHCP, as well as multiple operation scheduling and proactive threshold monitoring.

Configuring the IP SLAs Responder

The IP SLAs responder is available only on Cisco IOS software-based devices, including some Layer 2 switches that do not support full IP SLAs functionality, such as the Catalyst 2960 or the Cisco ME 2400 switch.

• Per-direction delay (one-way delay)
• Round-trip delay (average round-trip time)

Because the paths for sending and receiving data can be different (asymmetric), you can use the per-direction data to more readily identify where congestion or other problems are occurring in the network.

Step 3  udp-jitter {destination-ip-address | destination-hostname} destination-port [source-ip {ip-address | hostname}]
        Configure the IP SLAs operation as a UDP jitter operation, and enter UDP jitter configuration mode.
        • destination-ip-address | destination-hostname—Specify the destination IP address or hostname.

Step 7  end
        Return to privileged EXEC mode.
Step 8  show ip sla configuration [operation-number]
        (Optional) Display configuration values, including all defaults, for all IP SLAs operations or a specified operation.
Step 9  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Note  This operation does not require the IP SLAs responder to be enabled.

Beginning in privileged EXEC mode, follow these steps to configure an ICMP echo operation on the source device:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip sla operation-number
        Create an IP SLAs operation, and enter IP SLAs configuration mode.

Step 8  show ip sla configuration [operation-number]
        (Optional) Display configuration values, including all defaults, for all IP SLAs operations or a specified operation.
Step 9  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable the IP SLAs operation, enter the no ip sla operation-number global configuration command.
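The responder, UDP jitter and ICMP echo procedures above as one pair of configurations, the first for the target switch and the second for the source. This is an added example and not from the guide; the addresses, the destination port, the operation numbers and the probe intervals are assumed. The UDP jitter operation needs the responder because the one-way figures depend on the T2 and T3 time stamps taken at the target; the ICMP echo operation needs nothing on the far end.

```cisco
! Added example; not from the guide. Addresses, port, operation numbers
! and intervals are assumed for illustration.
!
! --- Target switch (responder) ---
! Opens the IP SLAs control listener (UDP 1967). Any source that can reach
! it may ask it to open temporary probe ports, so keep it reachable only
! from the measuring switches if the target also faces untrusted segments.
ip sla responder
!
! --- Source switch ---
! UDP jitter toward the responder at 10.1.2.2, port 5000 (assumed), every
! 30 s, marked EF (ToS 184 = DSCP 46) so it measures the voice class.
ip sla 10
 udp-jitter 10.1.2.2 5000 source-ip 10.1.1.1
 frequency 30
 tos 184
!
! ICMP echo needs no responder; useful toward a device you do not
! administer. Here it watches the assumed upstream gateway.
ip sla 20
 icmp-echo 10.1.1.254 source-ip 10.1.1.1
 frequency 60
!
! Start both now and keep them running across the operation lifetime.
ip sla schedule 10 life forever start-time now
ip sla schedule 20 life forever start-time now
!
end
show ip sla configuration 10
show ip sla statistics 10
show ip sla statistics 20
```

show ip sla statistics 10 breaks the result into source-to-destination and destination-to-source delay and loss; if one direction degrades while the round trip still looks acceptable, that is the asymmetric-path case the text above describes.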
Monitoring IP SLAs Operations

Use the user EXEC or privileged EXEC commands in Table 41-1 to display IP SLAs operations configuration and results.

Table 41-1 Monitoring IP SLAs Operations

show ip sla application      Display global information about Cisco IOS IP SLAs.
show ip sla authentication   Display IP SLAs authentication information.

CHAPTER 42 Configuring Enhanced Object Tracking

This chapter describes how to configure enhanced object tracking on the switch. This feature provides a more complete alternative to the Hot Standby Router Protocol (HSRP) tracking mechanism, which allows you to track the line-protocol state of an interface. If the line-protocol state of an interface goes down, the HSRP priority of the interface is reduced and another HSRP device with a higher priority becomes active.

Configuring Enhanced Object Tracking Features

These sections describe configuring enhanced object tracking:
• Default Configuration, page 42-2
• Tracking Interface Line-Protocol or IP Routing State, page 42-2
• Configuring a Tracked List, page 42-3
• Configuring HSRP Object Tracking, page 42-7
• Configuring Other Tracking Characteristics, page 42-8
• Configuring IP SLAs Object Tracking, page 42-9

Default Configuration

Step 6  delay {up seconds [down seconds] | [up seconds] down seconds}
        (Optional) Specify a period of time in seconds to delay communicating state changes of a tracked object. The range is from 1 to 180 seconds.
Step 7  end
        Return to privileged EXEC mode.
Step 8  show track object-number
        Verify that the specified objects are being tracked.

Beginning in privileged EXEC mode, follow these steps to configure a tracked list of objects with a Boolean expression:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  track track-number list boolean {and | or}
        Configure a tracked list object, and enter tracking configuration mode. The track-number can be from 1 to 500.

Beginning in privileged EXEC mode, follow these steps to configure a tracked list of objects by using a weight threshold and to configure a weight for each object:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  track track-number list threshold weight
        Configure a tracked list object, and enter tracking configuration mode. The track-number can be from 1 to 500.

Beginning in privileged EXEC mode, follow these steps to configure a tracked list of objects by using a percentage threshold:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  track track-number list threshold percentage
        Configure a tracked list object, and enter tracking configuration mode. The track-number can be from 1 to 500.

Configuring HSRP Object Tracking

Beginning in privileged EXEC mode, follow these steps to configure a standby HSRP group to track an object and change the HSRP priority based on the object state:

Step 1  configure terminal
        Enter global configuration mode.

Step 6  standby [group-number] track object-number [decrement [priority-decrement]]
        Configure HSRP to track an object and change the hot standby priority based on the state of the object.
        • (Optional) group-number—Enter the group number to which the tracking applies.
        • object-number—Enter a number representing the object to be tracked. The range is from 1 to 500; the default is 1.

Configuring IP SLAs Object Tracking

Cisco IOS IP Service Level Agreements (IP SLAs) is a network performance measurement and diagnostics tool that uses active monitoring by generating traffic to measure network performance. Cisco IP SLAs operations collect real-time metrics that you can use for network troubleshooting, design, and analysis.

Monitoring Enhanced Object Tracking

  Latest operation return code: over threshold
  Latest RTT (millisecs) 4
  Tracked by:
    HSRP Ethernet0/1 3

This example output shows whether a route is reachable:

Switch(config)# track 3 500 reachability
Switch(config)# end
Switch# show track 3
Track 3
  Response Time Reporter 1 reachability
  Reachability is Up
    1 change, last change 00:00:47
  Latest operation return code: over threshold
  Latest RTT (millisecs) 4
  Tracked by:
    HSRP Et
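The tracked-object, Boolean list, weight-threshold list and HSRP tracking procedures above as one configuration. This is an added example and not from the guide; the interfaces, the delay values, the HSRP group and addresses, the IP SLAs operation number 500 and the weights are assumed. The delay on object 1 is the part worth copying: without it a flapping uplink moves the gateway role back and forth as fast as the hellos allow.

```cisco
! Added example; not from the guide. Interfaces, delays, HSRP group and
! addresses, IP SLAs operation number and weights are assumed.
!
! Object 1: physical state of uplink 1. Report down after 10 s and up
! only after 30 s of stability, so a flapping link does not bounce HSRP.
track 1 interface GigabitEthernet1/0/1 line-protocol
 delay up 30 down 10
!
! Object 2: IP routing state of uplink 2 (up only if the interface is up
! and has an address, which catches a link that is up but unconfigured).
track 2 interface GigabitEthernet1/0/2 ip routing
!
! Object 3: reachability reported by the assumed IP SLAs operation 500,
! so the probe target's availability counts, not only local link state.
track 3 rtr 500 reachability
!
! Object 10: Boolean AND, up only while both uplinks are up.
track 10 list boolean and
 object 1
 object 2
!
! Object 20: weighted list. Up while the weights of the up objects sum to
! at least 20 (either uplink plus the probe, or both uplinks); down once
! the sum falls below 10.
track 20 list threshold weight
 object 1 weight 15
 object 2 weight 15
 object 3 weight 10
 threshold weight up 20 down 10
!
! HSRP: priority 120 drops by 30 when list 10 goes down, which puts this
! router below a peer at the default 100 and hands over the active role.
interface Vlan1
 ip address 172.20.128.1 255.255.255.0
 standby 1 ip 172.20.128.3
 standby 1 priority 120
 standby 1 preempt
 standby 1 track 10 decrement 30
!
end
show track brief
show standby vlan 1
```

Pick the decrement so that the degraded priority is actually lower than the peer's; a decrement that leaves this router at or above the peer changes nothing, and the only visible symptom is an active router that keeps the role with a dead uplink.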
Chapter 43 Configuring Web Cache Services By Using WCCP

This chapter describes how to configure your switch to redirect traffic to wide-area application engines (such as the Cisco Cache Engine 550) by using the Web Cache Communication Protocol (WCCP). This software release supports only WCCP version 2 (WCCPv2). WCCP is a Cisco-developed content-routing technology that you can use to integrate wide-area application engines—referred to as application engines—into your network infrastructure.

Understanding WCCP

When an application engine receives a request, it attempts to service it from its own local cache. If the requested information is not present, the application engine sends a separate request to the end server to retrieve the requested information. After receiving the requested information, the application engine forwards it to the requesting client and also caches it to fulfill future requests.

WCCP Negotiation

In the exchange of WCCP protocol messages, the designated application engine and the WCCP-enabled switch negotiate these items:
• Forwarding method (the method by which the switch forwards packets to the application engine). The switch rewrites the Layer 2 header by replacing the packet destination MAC address with the target application engine MAC address. It then forwards the packet to the application engine.

You can configure up to 8 service groups on a switch and up to 32 clients per service group. WCCP maintains the priority of the service group in the group definition. WCCP uses the priority to configure the service groups in the switch hardware.

Configuring WCCP

Unsupported WCCP Features

These WCCP features are not supported in this software release:
• Packet redirection on an outbound interface that is configured by using the ip wccp redirect out interface configuration command. This command is not supported.
• The GRE forwarding method for packet redirection is not supported.
• The hash assignment method for load balancing is not supported.
• There is no SNMP support for WCCP.
• The number of available policy-based routing (PBR) labels is reduced as more interfaces are enabled for WCCP ingress redirection. For every interface that supports service groups, one label is consumed. The WCCP labels are taken from the PBR labels. You need to monitor and manage the labels that are available between PBR and WCCP. When labels are not available, the switch cannot add service groups.

Beginning in privileged EXEC mode, follow these steps to enable the web cache service, to set a multicast group address or group list, to configure routed interfaces, to redirect inbound packets received from a client to the application engine, to enable an interface to listen for a multicast address, and to set a password. This procedure is required.

Step 12: ip wccp {web-cache | service-number} redirect in
    Redirect packets received from the client to the application engine. Enable this on the interface connected to the client.
Step 13: ip wccp {web-cache | service-number} group-listen
    (Optional) When using a multicast group address, group-listen enables the interface to listen for the multicast address.

Switch(config-if)# ip address 175.20.50.40 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# ip wccp web-cache redirect in
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/6
Switch(config-if)# no switchport
Switch(config-if)# ip address 175.20.60.50 255.255.255.

Monitoring and Maintaining WCCP

To monitor and maintain WCCP, use one or more of the privileged EXEC commands in Table 43-2:

Table 43-2 Commands for Monitoring and Maintaining WCCP
clear ip wccp web-cache: Removes statistics for the web-cache service.
show ip wccp web-cache: Displays global information related to WCCP.
Chapter 44 Configuring IP Multicast Routing

This chapter describes how to configure IP multicast routing on the switch. IP multicasting is a more efficient way to use network resources, especially for bandwidth-intensive services such as audio and video. IP multicast routing enables a host (source) to send packets to a group of hosts (receivers) anywhere within the IP network by using a special form of IP address called the IP multicast group address.

Understanding Cisco’s Implementation of IP Multicast Routing

The Cisco IOS software supports these protocols to implement IP multicast routing:
• Internet Group Management Protocol (IGMP) is used among hosts on a LAN and the routers (and multilayer switches) on that LAN to track the multicast groups of which hosts are members.

Understanding IGMP

To participate in IP multicasting, multicast hosts, routers, and multilayer switches must have IGMP operating. This protocol defines the querier and host roles:
• A querier is a network device that sends query messages to discover which network devices are members of a given multicast group.

Understanding PIM

PIM is called protocol-independent: regardless of the unicast routing protocols used to populate the unicast routing table, PIM uses this information to perform multicast forwarding instead of maintaining a separate multicast routing table. PIM is defined in RFC 2362, Protocol-Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification.

When a new receiver on a previously pruned branch of the tree joins a multicast group, the PIM DM device detects the new receiver and immediately sends a graft message up the distribution tree toward the source.

The redundant PIM stub router topology is not supported. The redundant topology exists when there is more than one PIM router forwarding multicast traffic to a single access domain. PIM messages are blocked, and the PIM assert and designated router election mechanisms are not supported on the PIM passive interfaces. Only the nonredundant access router topology is supported by the PIM stub feature.

Mapping agents listen to these candidate RP announcements and use the information to create entries in their Group-to-RP mapping caches. Only one mapping cache entry is created for any Group-to-RP range received, even if multiple candidate RPs are sending RP announcements for the same range.

With multicasting, the source is sending traffic to an arbitrary group of hosts represented by a multicast group address in the destination address field of the IP packet. To decide whether to forward or drop an incoming multicast packet, the router or multilayer switch uses a reverse path forwarding (RPF) check on the packet as follows and shown in Figure 44-3:
1.

Sparse-mode PIM uses the RPF lookup function to decide where it needs to send joins and prunes:
• (S,G) joins (which are source-tree states) are sent toward the source.
• (*,G) joins (which are shared-tree states) are sent toward the RP.
DVMRP and dense-mode PIM use only source trees and use RPF as previously described.
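As an added illustration (not code from this guide or from Cisco IOS), the following Python models the RPF behaviour described above: a longest-prefix lookup in a constructed unicast routing table yields the RPF interface toward an address, a multicast packet is forwarded only if it arrived on that interface, and the same lookup decides where sparse-mode (S,G) and (*,G) joins are sent. The interface names, prefixes and addresses are constructed sample values, and the function names are my own.

```python
"""RPF check and RPF lookup for PIM, driven by the unicast routing table.
Added illustration, not Cisco IOS code."""
from ipaddress import ip_address, ip_network

# Constructed unicast routing table: (prefix, outgoing interface, next hop).
# PIM consults only this table; it keeps no separate table for RPF lookups.
UNICAST_RIB = [
    ("10.1.0.0/16", "Gi1/0/1", "10.1.0.254"),
    ("10.1.5.0/24", "Gi1/0/2", "10.1.5.254"),    # more specific than 10.1.0.0/16
    ("192.0.2.0/24", "Gi1/0/3", "192.0.2.1"),
    ("0.0.0.0/0", "Gi1/0/4", "203.0.113.1"),     # default route
]


def rpf_lookup(address):
    """Longest-prefix match toward address: returns (RPF interface, RPF neighbor)."""
    addr = ip_address(address)
    best = None
    for prefix, iface, nexthop in UNICAST_RIB:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    if best is None:
        raise LookupError(f"no unicast route toward {address}")
    return best[1], best[2]


def rpf_check(source, arrival_interface):
    """Forward a multicast packet only if it arrived on the interface the
    unicast table would use to reach its source; otherwise drop it."""
    rpf_iface, _ = rpf_lookup(source)
    return arrival_interface == rpf_iface


def join_destination(state, source=None, rp=None):
    """Sparse-mode PIM sends (S,G) joins toward the source and (*,G) joins
    toward the RP; both use the same RPF lookup."""
    if state == "(S,G)":
        return rpf_lookup(source)
    if state == "(*,G)":
        return rpf_lookup(rp)
    raise ValueError(f"unknown state {state!r}")


if __name__ == "__main__":
    print(rpf_check("10.1.5.7", "Gi1/0/2"))   # arrived on the RPF interface
    print(rpf_check("10.1.5.7", "Gi1/0/1"))   # wrong interface: packet is dropped
    print(join_destination("(*,G)", rp="198.51.100.1"))
```

The second call fails the check even though Gi1/0/1 does carry a route covering the source, because the longest match (10.1.5.0/24) points at Gi1/0/2; that is the behaviour an operator sees when a multicast feed arrives over a path the unicast table does not prefer.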
Multicast Routing and Switch Stacks

In a switch stack, the routing master (stack master) performs these functions:
• It is responsible for completing the IP multicast routing functions of the stack. It fully initializes and runs the IP multicast routing protocols.
• It builds and maintains the multicast routing table for the entire stack.
• It is responsible for distributing the multicast routing table to all stack members.

Configuring IP Multicast Routing

Table 44-2 Default Multicast Routing Configuration
Feature: Default Setting
Multicast routing: Disabled on all interfaces.
PIM version: Version 2.
PIM mode: No mode is defined.
PIM stub routing: None configured.
PIM RP address: None configured.
PIM domain border: Disabled.
PIM multicast boundary: None.
Candidate BSRs: Disabled.
Candidate RPs: Disabled.
Shortest-path tree threshold rate: 0 kb/s.

Sparse-mode groups in a mixed PIMv1 and PIMv2 region are possible because the Auto-RP feature in PIMv1 interoperates with the PIMv2 RP feature. Although all PIMv2 devices can also use PIMv1, we recommend that the RPs be upgraded to PIMv2. To ease the transition to PIMv2, we have these recommendations:
• Use Auto-RP throughout the region.
• Configure sparse-dense mode throughout the region.

In populating the multicast routing table, dense-mode interfaces are always added to the table. Sparse-mode interfaces are added to the table only when periodic join messages are received from downstream devices or when there is a directly connected member on the interface. When forwarding from a LAN, sparse-mode operation occurs if there is an RP known for the group. If so, the packets are encapsulated and sent toward the RP.

Step 5: ip pim {dense-mode | sparse-mode | sparse-dense-mode}
    Enable a PIM mode on the interface. By default, no mode is configured. The keywords have these meanings:
    • dense-mode—Enables dense mode of operation.
    • sparse-mode—Enables sparse mode of operation. If you configure sparse mode, you must also configure an RP. For more information, see the “Configuring a Rendezvous Point” section on page 44-16.

Enabling PIM Stub Routing

Beginning in privileged EXEC mode, follow these steps to enable PIM stub routing on an interface. This procedure is optional.
Step 1: configure terminal
    Enter global configuration mode.
Step 2: interface interface-id
    Specify the interface on which you want to enable PIM stub routing, and enter interface configuration mode.

• show ip igmp detail displays the interested clients that have joined the specific multicast source group.
• show ip igmp mroute verifies that the multicast stream forwards from the source to the interested clients.

Configuring a Rendezvous Point

You must have an RP if the interface is in sparse-dense mode and if you want to treat the group as a sparse group.

Beginning in privileged EXEC mode, follow these steps to manually configure the address of the RP. This procedure is optional.
Step 1: configure terminal
    Enter global configuration mode.
Step 2: ip pim rp-address ip-address [access-list-number] [override]
    Configure the address of a PIM RP. By default, no PIM RP address is configured.

Configuring Auto-RP

Auto-RP uses IP multicast to automate the distribution of group-to-RP mappings to all Cisco routers and multilayer switches in a PIM network. It has these benefits:
• It is easy to use multiple RPs within a network to serve different group ranges.
• It provides load splitting among different RPs and arrangement of RPs according to the location of group participants.

Beginning in privileged EXEC mode, follow these steps to deploy Auto-RP in an existing sparse-mode cloud. This procedure is optional.
Step 1: show running-config
    Verify that a default RP is already configured on all PIM devices and the RP in the sparse-mode network. It was previously configured with the ip pim rp-address global configuration command. This step is not required for sparse-dense-mode environments.

Step 5: ip pim send-rp-discovery scope ttl
    Find a switch whose connectivity is not likely to be interrupted, and assign it the role of RP-mapping agent. For scope ttl, specify the time-to-live value in hops to limit the RP discovery packets. All devices within the hop count from the source device receive the Auto-RP discovery messages.

Beginning in privileged EXEC mode, follow these steps to filter incoming RP announcement messages. This procedure is optional.
Step 1: configure terminal
    Enter global configuration mode.
Step 2: ip pim rp-announce-filter rp-list access-list-number group-list access-list-number
    Filter incoming RP announcement messages. Enter this command on each mapping agent in the network.

Switch(config)# access-list 20 deny 239.0.0.0 0.0.255.255
Switch(config)# access-list 20 permit 224.0.0.0 15.255.255.255

In this example, the mapping agent accepts candidate RP announcements from only two devices, 172.16.5.1 and 172.16.2.1. The mapping agent accepts candidate RP announcements from these two devices only for multicast groups that fall in the group range of 224.0.0.0 to 239.255.255.255.

Figure 44-4 Constraining PIMv2 BSR Messages
[figure: a PIMv2 sparse-mode network containing the BSR and two Layer 3 switches, each bordering a neighboring PIMv2 domain; BSR messages are shown toward each neighboring domain, with the callout "Configure the ip pim bsr-border command on this interface" on each bordering interface]

This example shows a portion of an IP multicast boundary configuration that denies Auto-RP information:
Switch(config)# access-list 1 deny 224.0.1.39
Switch(config)# access-list 1 deny 224.0.1.40
Switch(config)# access-list 1 permit all
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip multicast boundary 1

Configuring Candidate BSRs

You can configure one or more candidate BSRs.
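Both the mapping-agent group filter (access-list 20) and the multicast boundary that blocks Auto-RP (access-list 1) are first-match standard access lists with wildcard masks. The following Python is an added example, not the guide's or IOS code, that evaluates such lists the way the text describes (the first matching entry decides, anything unmatched is implicitly denied, and the page's permit all is treated as match-everything) and applies it to the two lists shown above. The function names are my own.

```python
"""Evaluate IOS-style standard access lists (wildcard masks, first match,
implicit deny) against multicast group addresses. Added illustration, not
Cisco IOS code."""
from ipaddress import ip_address


def _as_int(dotted):
    return int(ip_address(dotted))


def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} address [wildcard]' lines.
    Returns {N: [(action, base, wildcard), ...]} in configuration order.
    'any' (IOS keyword) and 'all' (as written in the guide's example) both
    match every address; a missing wildcard means an exact host match."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard access-list line: {line!r}")
        number, action, target = parts[1], parts[2], parts[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in {line!r}")
        if target in ("any", "all"):
            base, wildcard = 0, 0xFFFFFFFF
        else:
            base = _as_int(target)
            wildcard = _as_int(parts[4]) if len(parts) > 4 else 0
        acls.setdefault(number, []).append((action, base, wildcard))
    return acls


def acl_permits(entries, address):
    """First matching entry decides; an address matching nothing is denied."""
    addr = _as_int(address)
    for action, base, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF          # wildcard bit 1 means "don't care"
        if addr & care == base & care:
            return action == "permit"
    return False


# The two lists from the guide's examples above (prompts removed).
RP_ANNOUNCE_GROUP_LIST = [
    "access-list 20 deny 239.0.0.0 0.0.255.255",
    "access-list 20 permit 224.0.0.0 15.255.255.255",
]
AUTO_RP_BOUNDARY_LIST = [
    "access-list 1 deny 224.0.1.39",
    "access-list 1 deny 224.0.1.40",
    "access-list 1 permit all",
]
ACLS = parse_standard_acl(RP_ANNOUNCE_GROUP_LIST + AUTO_RP_BOUNDARY_LIST)


def mapping_agent_accepts_group(group):
    """Would the mapping agent accept a candidate-RP announcement for this group?"""
    return acl_permits(ACLS["20"], group)


def boundary_forwards(group):
    """Would an interface with 'ip multicast boundary 1' pass this group?
    224.0.1.39 and 224.0.1.40 carry Auto-RP announce and discovery messages."""
    return acl_permits(ACLS["1"], group)


if __name__ == "__main__":
    for g in ("224.0.1.39", "224.0.1.40", "239.1.1.1"):
        print(g, "boundary forwards:", boundary_forwards(g))
    for g in ("224.1.1.1", "239.0.7.7", "239.255.255.255", "10.1.1.1"):
        print(g, "mapping agent accepts:", mapping_agent_accepts_group(g))
```

Note the effect of the deny entry in list 20: groups in 239.0.0.0 through 239.0.255.255 are refused even though the later permit entry covers all of 224.0.0.0 through 239.255.255.255, because the first match wins.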
Configuring Candidate RPs

You can configure one or more candidate RPs. Similar to BSRs, the RPs should also have good connectivity to other devices and be in the backbone portion of the network. An RP can serve the entire IP multicast address space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR.

This example shows how to configure the switch to advertise itself as a candidate RP to the BSR in its PIM domain. Standard access list number 4 specifies the group prefix associated with the RP that has the address identified by a port. That RP is responsible for the groups with the prefix 239.
Switch(config)# ip pim rp-candidate gigabitethernet1/0/2 group-list 4
Switch(config)# access-list 4 permit 239.0.0.0 0.255.255.

Monitoring the RP Mapping Information

To monitor the RP mapping information, use these commands in privileged EXEC mode:
• show ip pim bsr displays information about the elected BSR.
• show ip pim rp-hash group displays the RP that was selected for the specified group.
• show ip pim rp [group-name | group-address | mapping] displays how the switch learns of the RP (through the BSR or the Auto-RP mechanism).

Configuring Advanced PIM Features

Figure 44-5 Shared Tree and Source Tree (Shortest-Path Tree)
[figure: Source, Router A, Router B, Router C, RP, and Receiver; the source tree (shortest path tree) rooted at the Source and the shared tree rooted at the RP]

If the data rate warrants, leaf routers (routers without any downstream connections) on the shared tree can use the data distribution tree rooted at the source. This type of distribution tree is called a shortest-path tree or source tree.

Delaying the Use of PIM Shortest-Path Tree

The change from shared to source tree happens when the first data packet arrives at the last-hop router (Router C in Figure 44-5). This change occurs because the ip pim spt-threshold global configuration command controls that timing. The shortest-path tree requires more memory than the shared tree but reduces delay. You might want to postpone its use.

Step 4: end
    Return to privileged EXEC mode.
Step 5: show running-config
    Verify your entries.
Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To return to the default setting, use the no ip pim spt-threshold {kbps | infinity} global configuration command.

Configuring Optional IGMP Features

• Modifying the IGMP Host-Query Message Interval, page 44-33 (optional)
• Changing the IGMP Query Timeout for IGMPv2, page 44-34 (optional)
• Changing the Maximum Query Response Time for IGMPv2, page 44-35 (optional)
• Configuring the Switch as a Statically Connected Member, page 44-35 (optional)

Default IGMP Configuration

Table 44-3 shows the default IGMP configuration.

Step 4: end
    Return to privileged EXEC mode.
Step 5: show ip igmp interface [interface-id]
    Verify your entries.
Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To cancel membership in a group, use the no ip igmp join-group group-address interface configuration command. This example shows how to enable the switch to join multicast group 255.2.2.

Step 7: show ip igmp interface [interface-id]
    Verify your entries.
Step 8: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To disable groups on an interface, use the no ip igmp access-group interface configuration command. This example shows how to configure hosts attached to a port as able to join only group 255.2.2.2:
Switch(config)# access-list 1 255.2.2.2 0.0.

The switch elects a PIM designated router (DR) for the LAN (subnet). The DR is the router or multilayer switch with the highest IP address for IGMPv2. For IGMPv1, the DR is elected according to the multicast routing protocol that runs on the LAN. The designated router is responsible for sending IGMP host-query messages to all hosts on the LAN.

Step 5: show ip igmp interface [interface-id]
    Verify your entries.
Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To return to the default setting, use the no ip igmp querier-timeout interface configuration command.

Beginning in privileged EXEC mode, follow these steps to configure the switch itself to be a statically connected member of a group (and enable fast switching). This procedure is optional.
Step 1: configure terminal
    Enter global configuration mode.
Step 2: interface interface-id
    Specify the interface to be configured, and enter interface configuration mode.

Configuring Optional Multicast Routing Features

Step 3: ip cgmp [proxy]
    Enable CGMP on the interface. By default, CGMP is disabled on all interfaces. Enabling CGMP triggers a CGMP join message. Enable CGMP only on Layer 3 interfaces connected to Layer 2 Catalyst switches. (Optional) When you enter the proxy keyword, the CGMP proxy function is enabled.

Enabling sdr Listener Support

By default, the switch does not listen to session directory advertisements. Beginning in privileged EXEC mode, follow these steps to enable the switch to join the default session directory group (224.2.127.254) on the interface and listen to session directory advertisements. This procedure is optional.
Step 1: configure terminal
    Enter global configuration mode.

Configuring an IP Multicast Boundary

Administratively-scoped boundaries can be used to limit the forwarding of multicast traffic outside of a domain or subdomain. This approach uses a special range of multicast addresses, called administratively-scoped addresses, as the boundary mechanism.

Beginning in privileged EXEC mode, follow these steps to set up an administratively-scoped boundary. This procedure is optional.
Step 1: configure terminal
    Enter global configuration mode.
Step 2: access-list access-list-number {deny | permit} source [source-wildcard]
    Create a standard access list, repeating the command as many times as necessary.

Configuring Basic DVMRP Interoperability Features

Configuring DVMRP Interoperability

Cisco multicast routers and multilayer switches using PIM can interoperate with non-Cisco multicast routers that use the DVMRP. PIM devices dynamically discover DVMRP multicast routers on attached networks by listening to DVMRP probe messages.

Step 4: ip dvmrp metric metric [list access-list-number] [[protocol process-id] | [dvmrp]]
    Configure the metric associated with a set of destinations for DVMRP reports.
    • For metric, the range is 0 to 32. A value of 0 means that the route is not advertised. A value of 32 is equivalent to infinity (unreachable).

Configuring a DVMRP Tunnel

The software supports DVMRP tunnels to the MBONE. You can configure a DVMRP tunnel on a router or multilayer switch if the other end is running DVMRP. The software then sends and receives multicast packets through the tunnel. This strategy enables a PIM domain to connect to the DVMRP router when all routers on the path do not support multicast routing.

Step 9: ip dvmrp accept-filter access-list-number [distance] neighbor-list access-list-number
    Configure an acceptance filter for incoming DVMRP reports. By default, all destination reports are accepted with a distance of 0. Reports from all neighbors are accepted.
    • For access-list-number, specify the access list number created in Step 2.

Beginning in privileged EXEC mode, follow these steps to advertise network 0.0.0.0 to DVMRP neighbors on an interface. This procedure is optional.
Step 1: configure terminal
    Enter global configuration mode.
Step 2: interface interface-id
    Specify the interface that is connected to the DVMRP router, and enter interface configuration mode.

Configuring Advanced DVMRP Interoperability Features

These sections contain this configuration information:
• Enabling DVMRP Unicast Routing, page 44-46 (optional)
• Rejecting a DVMRP Nonpruning Neighbor, page 44-47 (optional)
• Controlling Route Exchanges, page 44-49 (optional)
For information on basic DVMRP features, see the “Configuring Basic DVMRP Interoperability Features” section on page 44-40.

Rejecting a DVMRP Nonpruning Neighbor

By default, Cisco devices accept all DVMRP neighbors as peers, regardless of their DVMRP capability. However, some non-Cisco devices run old versions of DVMRP that cannot prune, so they continuously receive forwarded packets, wasting bandwidth. Figure 44-7 shows this scenario.

Figure 44-8 Router Rejects Nonpruning DVMRP Neighbor
[figure: source router or RP, Router A, Router B, a Layer 3 switch, a Receiver, and a leaf nonpruning DVMRP device; multicast traffic gets to the receiver, not to the leaf DVMRP device; callout: "Configure the ip dvmrp reject-non-pruners command on this interface"]
Note that the ip dvmrp reject-non-pruners interface configuration command prevents peering with neighbors only.

Controlling Route Exchanges

These sections describe how to tune the Cisco device advertisements of DVMRP routes:
• Limiting the Number of DVMRP Routes Advertised, page 44-49 (optional)
• Changing the DVMRP Route Threshold, page 44-49 (optional)
• Configuring a DVMRP Summary Address, page 44-50 (optional)
• Disabling DVMRP Autosummarization, page 44-52 (optional)
• Adding a Metric Offset to the DVMRP R

Beginning in privileged EXEC mode, follow these steps to change the threshold number of routes that trigger the warning. This procedure is optional.
Step 1: configure terminal
    Enter global configuration mode.
Step 2: ip dvmrp routehog-notification route-count
    Configure the number of routes that trigger a syslog message.
Step 3: end
    Return to privileged EXEC mode.

Figure 44-9 Only Connected Unicast Routes Are Advertised by Default
[figure: a device with a tunnel interface peering with a DVMRP router; the configuration and DVMRP Report contents shown in the figure are:]
interface tunnel 0
ip unnumbered gigabitethernet1/0/1
interface gigabitethernet1/0/1
ip addr 176.32.10.1 255.255.255.0
ip pim dense-mode
interface gigabitethernet1/0/2
ip addr 176.32.15.1 255.255.255.
DVMRP Report:
151.16.0.0/16 m = 39
172.34.15.0/24 m = 42
202.13.3.0/24 m = 40
176.32.10.0/24 m = 1
176.32.15.0/24 m = 1

Disabling DVMRP Autosummarization

By default, the software automatically performs some level of DVMRP summarization. Disable this function if you want to advertise all routes, not just a summary. In some special cases, you can use the neighboring DVMRP router with all subnet information to better control the flow of multicast traffic in the DVMRP network.

Step 3: ip dvmrp metric-offset [in | out] increment
    Change the metric added to DVMRP routes advertised in incoming reports. The keywords have these meanings:
    • (Optional) in—Specifies that the increment value is added to incoming DVMRP reports and is reported in mrinfo replies.

Monitoring and Maintaining IP Multicast Routing

Table 44-4 Commands for Clearing Caches, Tables, and Databases (continued)
clear ip igmp group [group-name | group-address | interface]: Delete entries from the IGMP cache.
clear ip mroute {* | group [source]}: Delete entries from the IP multicast routing table.
clear ip pim auto-rp rp-address: Clear the auto-RP cache.

Table 44-5 Commands for Displaying System and Network Statistics (continued)
show ip pim rp [group-name | group-address]: Display the RP routers associated with a sparse-mode multicast group. This command is available in all software images.
CH A P T E R 45 Configuring MSDP This chapter describes how to configure the Multicast Source Discovery Protocol (MSDP) on the switch. The MSDP connects multiple Protocol-Independent Multicast sparse-mode (PIM-SM) domains. MSDP is not fully supported in this software release because of a lack of support for Multicast Border Gateway Protocol (MBGP), which works closely with MSDP. However, it is possible to create default peers that MSDP can operate with if MBGP is not running.
Chapter 45 Configuring MSDP Understanding MSDP The purpose of this topology is to have domains discover multicast sources in other domains. If the multicast sources are of interest to a domain that has receivers, multicast data is delivered over the normal, source-tree building mechanism in PIM-SM. MSDP is also used to announce sources sending to a group. These announcements must originate at the domain’s RP. MSDP depends heavily on the Border Gateway Protocol (BGP) or MBGP for interdomain operation.
Chapter 45 Configuring MSDP Understanding MSDP Figure 45-1 MSDP Running Between RP Peers MSDP peer RP + MSDP peer MSDP SA MSDP SA TCP connection BGP M SD P SA Peer RPF flooding Receiver MSDP peer 201788 Register Multicast Source (S,G) Join PIM DR PIM sparse-mode domain MSDP Benefits MSDP has these benefits: • It breaks up the shared multicast distribution tree. You can make the shared tree local to your domain.
Chapter 45 Configuring MSDP Configuring MSDP Configuring MSDP These sections contain this configuration information: • Default MSDP Configuration, page 45-4 • Configuring a Default MSDP Peer, page 45-4 (required) • Caching Source-Active State, page 45-6 (optional) • Requesting Source Information from an MSDP Peer, page 45-8 (optional) • Controlling Source Information that Your Switch Originates, page 45-9 (optional) • Controlling Source Information that Your Switch Forwards, page 45-12 (option
Chapter 45 Configuring MSDP Configuring MSDP Figure 45-2 Default MSDP Peer Network Router C Default MSDP peer ISP C PIM domain SA SA SA 10.1.1.1 Default MSDP peer Default MSDP peer ISP A PIM domain Customer PIM domain 86515 Switch B Router A Beginning in privileged EXEC mode, follow these steps to specify a default MSDP peer. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 45 Configuring MSDP Configuring MSDP Step 3 Step 4 Command Purpose ip prefix-list name [description string] | seq number {permit | deny} network length (Optional) Create a prefix list using the name specified in Step 2. ip msdp description {peer-name | peer-address} text • (Optional) For description string, enter a description of up to 80 characters to describe this prefix list. • For seq number, enter the sequence number of the entry. The range is 1 to 4294967294.
Chapter 45 Configuring MSDP Configuring MSDP Beginning in privileged EXEC mode, follow these steps to enable the caching of source/group pairs. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip msdp cache-sa-state [list access-list-number] Enable the caching of source/group pairs (create an SA state). Those pairs that pass the access list are cached. For list access-list-number, the range is 100 to 199.
Chapter 45 Configuring MSDP Configuring MSDP Requesting Source Information from an MSDP Peer Local RPs can send SA requests and get immediate responses for all active sources for a given group. By default, the switch does not send any SA request messages to its MSDP peers when a new member joins a group and wants to receive multicast traffic. The new member waits to receive the next periodic SA message.
Chapter 45 Configuring MSDP Configuring MSDP Controlling Source Information that Your Switch Originates You can control the multicast source information that originates with your switch: • Sources you advertise (based on your sources) • Receivers of source information (based on knowing the requestor) For more information, see the “Redistributing Sources” section on page 45-9 and the “Filtering Source-Active Request Messages” section on page 45-11.
Chapter 45 Configuring MSDP Configuring MSDP Step 3 Command Purpose access-list access-list-number {deny | permit} source [source-wildcard] Create an IP standard access list, repeating the command as many times as necessary. or or access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard Create an IP extended access list, repeating the command as many times as necessary.
Filtering Source-Active Request Messages

By default, only switches that are caching SA information can respond to SA requests. By default, such a switch honors all SA request messages from its MSDP peers and supplies the IP addresses of the active sources. However, you can configure the switch to ignore all SA requests from an MSDP peer. You can also honor only those SA request messages from a peer for groups described by a standard access list.
Controlling Source Information that Your Switch Forwards

By default, the switch forwards all SA messages it receives to all its MSDP peers. However, you can prevent outgoing messages from being forwarded to a peer by using a filter or by setting a time-to-live (TTL) value. These methods are described in the next sections.
Step 3: access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
(Optional) Create an IP extended access list, repeating the command as many times as necessary.
• For access-list-number, enter the number specified in Step 2.
• The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
Using TTL to Limit the Multicast Data Sent in SA Messages

You can use a TTL value to control what data is encapsulated in the first SA message for every source. Only multicast packets with an IP-header TTL greater than or equal to the ttl argument are sent to the specified MSDP peer. For example, if you set the threshold for an external peer to 8, multicast data sent with a TTL lower than 8 stays internal; sources whose groups should reach external locations must send their packets with a TTL of 8 or greater.
Beginning in privileged EXEC mode, follow these steps to apply a filter. This procedure is optional.

Step 1: configure terminal
Enter global configuration mode.

Step 2: ip msdp sa-filter in {ip-address | name}
Filter all SA messages from the specified MSDP peer.
or
ip msdp sa-filter in {ip-address | name} list access-list-number
From the specified peer, pass only those SA messages that pass the IP extended access list.
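The SA-filter and TTL-threshold behaviour described in the sections above, worked through as an added Python model. This is not code from this guide or from Cisco IOS: it parses an IOS extended access list the way the switch applies it to (source, group) pairs, including the implicit deny at the end of every access list, and reports whether the data in the first SA message for a source would be encapsulated under the configured threshold. The access list, the peer address 192.0.2.1 and the SA cache entries are constructed for the example.

```python
"""How an MSDP SA filter and TTL threshold decide what the switch advertises
to a peer.  Added illustration, not code from the Cisco guide.  It models:
  - 'ip msdp sa-filter out <peer> list <acl>': an IOS extended ACL whose
    source field is the multicast source and destination field the group;
    a (source, group) pair matched by no entry hits the implicit deny.
  - 'ip msdp ttl-threshold <peer> <ttl>': data encapsulated in the first SA
    message for a source is sent only if its IP TTL is >= the threshold.
The configuration and SA cache below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    permit: bool
    src: int
    src_wild: int
    grp: int
    grp_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_extended_acl(lines: List[str], number: int) -> List[AclEntry]:
    """Collect, in order, the entries of one numbered extended ACL written as
    'access-list N {permit|deny} ip src src-wildcard grp grp-wildcard'.
    Other configuration lines are ignored."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) != 8 or tok[0] != "access-list" or tok[1] != str(number):
            continue
        if tok[3] != "ip" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL entry: {line!r}")
        entries.append(AclEntry(tok[2] == "permit",
                                _ip(tok[4]), _ip(tok[5]), _ip(tok[6]), _ip(tok[7])))
    return entries


def _matches(addr: int, pattern: int, wildcard: int) -> bool:
    # A wildcard bit of 1 means "don't care"; only the 0 bits are compared.
    return ((addr ^ pattern) & ~wildcard & 0xFFFFFFFF) == 0


def acl_permits(entries: List[AclEntry], source: str, group: str) -> bool:
    s, g = _ip(source), _ip(group)
    for e in entries:
        if _matches(s, e.src, e.src_wild) and _matches(g, e.grp, e.grp_wild):
            return e.permit
    return False  # implicit deny that ends every IOS access list


@dataclass
class PeerPolicy:
    peer: str
    sa_filter_out: Optional[List[AclEntry]] = None  # None: no filter, forward all
    ttl_threshold: int = 0                          # 0: no threshold (IOS default)


SaEntry = Tuple[str, str, Optional[int]]  # (source, group, TTL of encapsulated data or None)


def advertise(policy: PeerPolicy, sa_cache: List[SaEntry]) -> List[Tuple[str, str, bool]]:
    """Return (source, group, data_encapsulated) for each SA the peer receives."""
    sent = []
    for source, group, ttl in sa_cache:
        if policy.sa_filter_out is not None and not acl_permits(policy.sa_filter_out, source, group):
            continue  # filtered: the peer never learns this pair
        with_data = ttl is not None and ttl >= policy.ttl_threshold
        sent.append((source, group, with_data))
    return sent


# Constructed configuration: deny the lab subnet's admin-scoped groups outright,
# permit everything else from 10.0.0.0/8, threshold external data at TTL 8.
CONSTRUCTED_CONFIG = """
access-list 124 deny   ip 10.10.0.0 0.0.255.255 239.0.0.0 0.255.255.255
access-list 124 permit ip 10.0.0.0 0.255.255.255 224.0.0.0 15.255.255.255
ip msdp sa-filter out 192.0.2.1 list 124
ip msdp ttl-threshold 192.0.2.1 8
"""

CONSTRUCTED_SA_CACHE: List[SaEntry] = [
    ("10.10.5.5", "239.1.1.1", 4),     # lab source, admin-scoped group: denied
    ("10.10.5.5", "232.1.1.1", 16),    # permitted, data TTL 16 >= 8
    ("10.20.1.1", "239.1.1.1", 2),     # permitted, data TTL 2 < 8: SA sent without data
    ("192.168.1.1", "224.1.1.1", 64),  # no entry matches: implicit deny
]


def demo() -> List[Tuple[str, str, bool]]:
    acl = parse_extended_acl(CONSTRUCTED_CONFIG.splitlines(), 124)
    policy = PeerPolicy("192.0.2.1", sa_filter_out=acl, ttl_threshold=8)
    return advertise(policy, CONSTRUCTED_SA_CACHE)


if __name__ == "__main__":
    for source, group, with_data in demo():
        print(f"SA {source} -> {group}: {'with' if with_data else 'without'} encapsulated data")
```

The order of entries matters: the deny for 239.0.0.0/8 from 10.10.0.0/16 is listed before the broad permit, so the lab subnet's administratively scoped groups never leave the domain, while the implicit deny keeps any source outside 10.0.0.0/8 from being advertised at all.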
Configuring an MSDP Mesh Group

An MSDP mesh group is a group of MSDP speakers that have fully meshed MSDP connectivity among one another. Any SA messages received from a peer in a mesh group are not forwarded to other peers in the same mesh group. Thus, you reduce SA message flooding and simplify peer-RPF flooding. Use the ip msdp mesh-group global configuration command when there are multiple RPs within a domain.
Beginning in privileged EXEC mode, follow these steps to shut down a peer. This procedure is optional.

Step 1: configure terminal
Enter global configuration mode.

Step 2: ip msdp shutdown {peer-name | peer-address}
Administratively shut down the specified MSDP peer without losing configuration information. For peer-name | peer-address, enter the IP address or name of the MSDP peer to shut down.

Step 3: end
Return to privileged EXEC mode.
Step 5: show running-config
Verify your entries.

Step 6: copy running-config startup-config
(Optional) Save your entries in the configuration file.

Note that the ip msdp originator-id global configuration command also identifies an interface to be used as the RP address.
Monitoring and Maintaining MSDP

To monitor MSDP SA messages, peers, state, or peer status, use one or more of the privileged EXEC commands in Table 45-1.

Table 45-1 Commands for Monitoring and Maintaining MSDP
debug ip msdp [peer-address | name] [detail] [routes]: Debugs MSDP activity.
debug ip msdp resets: Debugs MSDP peer reset reasons.
Chapter 46 Configuring Fallback Bridging

This chapter describes how to configure fallback bridging (VLAN bridging) on the switch. With fallback bridging, you can forward non-IP packets that the switch does not route between VLAN bridge domains and routed ports. To use this feature, the switch or stack master must be running the IP services feature set. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Understanding Fallback Bridging

A VLAN bridge domain is represented with switch virtual interfaces (SVIs). A set of SVIs and routed ports (which do not have any VLANs associated with them) can be configured (grouped together) to form a bridge group. Recall that an SVI represents a VLAN of switch ports as one interface to the routing or bridging function in the system.
Figure 46-1 Fallback Bridging Network Example: a Layer 3 switch with a routed port (172.20.130.1) connected to Host C, and two SVIs (172.20.129.1 and 172.20.128.1) for VLAN 20 and VLAN 30 connected to Blade server A and Blade server B.

Fallback Bridging and Switch Stacks

When the stack master fails, a stack member becomes the new stack master by using the election process described in Chapter 5, “Managing Switch Stacks.”
Table 46-1 Default Fallback Bridging Configuration
Bridge groups: None are defined or assigned to a port. No VLAN-bridge STP is defined.
Switch forwards frames for stations that it has dynamically learned: Enabled.
Spanning tree parameters:
• Switch priority: 32768.
• Port priority: 128.
• Port path cost: 100 at 10 Mb/s, 19 at 100 Mb/s, 4 at 1000 Mb/s.
• Hello BPDU interval: 2 seconds.
Beginning in privileged EXEC mode, follow these steps to create a bridge group and to assign an interface to it. This procedure is required.

Step 1: configure terminal
Enter global configuration mode.

Step 2: bridge bridge-group protocol vlan-bridge
Assign a bridge group number, and specify the VLAN-bridge spanning-tree protocol to run in the bridge group. The ibm and dec keywords are not supported.
Switch(config-if)# bridge-group 10
Switch(config-if)# exit

Adjusting Spanning-Tree Parameters

You might need to adjust certain spanning-tree parameters if the default values are not suitable. You configure parameters affecting the entire spanning tree by using variations of the bridge global configuration command. You configure interface-specific parameters by using variations of the bridge-group interface configuration command.
To return to the default setting, use the no bridge bridge-group priority global configuration command. To change the priority on a port, use the bridge-group priority interface configuration command (described in the next section). The lower the priority value, the more likely the switch is to be chosen as the root of the spanning tree. This example shows how to set the switch priority to 100 for bridge group 10:
Switch(config)# bridge 10 priority 100

Changing the Interface Priority

You can change the priority for a port.
Step 3: bridge-group bridge-group path-cost cost
Assign the path cost of a port.
• For bridge-group, specify the bridge group number. The range is 1 to 255.
• For cost, enter a number from 0 to 65535. The higher the value, the higher the cost.
  – For 10 Mb/s, the default path cost is 100.
  – For 100 Mb/s, the default path cost is 19.
  – For 1000 Mb/s, the default path cost is 4.
Step 4: show running-config
Verify your entry.

Step 5: copy running-config startup-config
(Optional) Save your entry in the configuration file.

To return to the default setting, use the no bridge bridge-group hello-time global configuration command.
Beginning in privileged EXEC mode, follow these steps to change the maximum-idle interval (maximum aging time). This procedure is optional.

Step 1: configure terminal
Enter global configuration mode.

Step 2: bridge bridge-group max-age seconds
Specify the interval that the switch waits to hear BPDUs from the root switch.
• For bridge-group, specify the bridge group number. The range is 1 to 255.
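The switch priority and port path cost parameters from Table 46-1 and the procedures above, worked through as an added Python model. This is not code from this guide or from the switch: it elects the root by the lowest (priority, MAC address) pair, as IEEE 802.1D does, and computes each switch's root path cost from the per-port costs, using the guide's defaults of 100, 19 and 4 for 10, 100 and 1000 Mb/s and showing how a bridge-group path-cost override on one port changes the chosen path. The three-switch topology, its MAC addresses and the S1 priority of 100 (the guide's own example value) are constructed for the illustration.

```python
"""Model of the spanning-tree parameters used by fallback bridging: switch
priority (default 32768), port path cost (defaults 100/19/4 for 10/100/1000
Mb/s, overridable in the range 0-65535) and the root election and root path
costs that follow from them.  Added illustration, not Cisco code; the
three-switch topology is constructed.  Bridge IDs compare as (priority, MAC),
lowest wins, as in IEEE 802.1D."""
import heapq
from typing import Dict, List, Optional, Tuple

DEFAULT_PATH_COST = {10: 100, 100: 19, 1000: 4}  # Mb/s -> cost, Table 46-1
DEFAULT_PRIORITY = 32768                          # Table 46-1


def port_path_cost(speed_mbps: int, configured: Optional[int] = None) -> int:
    """Cost of one port: the 'bridge-group N path-cost' value if configured,
    otherwise the speed-based default."""
    if configured is not None:
        if not 0 <= configured <= 65535:
            raise ValueError("path cost must be 0..65535")
        return configured
    return DEFAULT_PATH_COST[speed_mbps]


def elect_root(bridges: Dict[str, Tuple[int, str]]) -> str:
    """bridges: name -> (priority, mac).  Lowest (priority, mac) is the root."""
    return min(bridges, key=lambda name: bridges[name])


# (switch_a, switch_b, speed_mbps, cost configured on a's port, on b's port)
Link = Tuple[str, str, int, Optional[int], Optional[int]]


def root_path_costs(bridges: Dict[str, Tuple[int, str]],
                    links: List[Link]) -> Tuple[str, Dict[str, int]]:
    """Return (root, {switch: root path cost}).  A switch's root path cost is
    the sum of the costs of the ports that receive the best BPDU along the
    way, so crossing a link a->b is charged at b's port cost."""
    root = elect_root(bridges)
    adj: Dict[str, List[Tuple[str, int]]] = {name: [] for name in bridges}
    for a, b, speed, cost_a, cost_b in links:
        adj[a].append((b, port_path_cost(speed, cost_b)))
        adj[b].append((a, port_path_cost(speed, cost_a)))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:  # Dijkstra: shortest additive cost from the root to each switch
        d, n = heapq.heappop(heap)
        if d > dist[n]:
            continue
        for m, w in adj[n]:
            if d + w < dist.get(m, float("inf")):
                dist[m] = d + w
                heapq.heappush(heap, (d + w, m))
    return root, dist


# Constructed topology: S1 carries 'bridge 10 priority 100' (the guide's example
# value); the other two switches keep the default priority.
BRIDGES = {
    "S1": (100, "0000.0c00.0001"),
    "S2": (DEFAULT_PRIORITY, "0000.0c00.0002"),
    "S3": (DEFAULT_PRIORITY, "0000.0c00.0003"),
}
LINKS: List[Link] = [
    ("S1", "S2", 1000, None, None),  # both ports default to cost 4
    ("S1", "S3", 100, None, None),   # both ports default to cost 19
    ("S2", "S3", 1000, None, None),  # both ports default to cost 4
]


def demo_default() -> Tuple[str, Dict[str, int]]:
    """With defaults S3 reaches the root through S2 (4 + 4 = 8), not directly (19)."""
    return root_path_costs(BRIDGES, LINKS)


def demo_with_path_cost_override() -> Tuple[str, Dict[str, int]]:
    """'bridge-group 10 path-cost 100' on S3's port toward S2 makes the direct
    100 Mb/s link to S1 the cheaper path again (19)."""
    links = LINKS[:2] + [("S2", "S3", 1000, None, 100)]
    return root_path_costs(BRIDGES, links)


if __name__ == "__main__":
    print(demo_default())
    print(demo_with_path_cost_override())
```

Because the lowest priority wins, any device in a bridged VLAN that advertises a lower priority than the intended root takes the root role and redraws every path; set the priority on the intended root deliberately rather than relying on the default of 32768.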
Monitoring and Maintaining Fallback Bridging

To monitor and maintain the network, use one or more of the privileged EXEC commands in Table 46-2.

Table 46-2 Commands for Monitoring and Maintaining Fallback Bridging
clear bridge bridge-group: Removes any learned entries from the forwarding database.
show bridge [bridge-group] group: Displays details about the bridge group.
Chapter 47 Troubleshooting

This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the switch. Depending on the nature of the problem, you can use the command-line interface (CLI), the device manager, or Network Assistant to identify and solve problems. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Recovering from a Software Failure

Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. This procedure uses the Xmodem Protocol to recover from a corrupt or wrong image file.
You can release the Mode button after the system LED stops blinking and is solid green. Several lines of information about the software appear along with instructions:
The system has been interrupted prior to initializing the flash file system.
Recovering from a Lost or Forgotten Password

You enable or disable password recovery by using the service password-recovery global configuration command. When you enter the service password-recovery or no service password-recovery command on the stack master, it is propagated throughout the stack and applied to all switches in the stack. Follow the steps in this procedure if you have forgotten or lost the switch password.
Step 5: After recovering the password, reload the switch, the standalone switch, or the stack master. On a switch:
Switch> reload slot
Proceed with reload? [confirm] y

Step 6: Power on the rest of the switch stack.

Procedure with Password Recovery Enabled

If the password-recovery mechanism is enabled, this message appears:
The system has been interrupted prior to initializing the flash file system.
Step 7: At the switch prompt, enter privileged EXEC mode:
Switch> enable

Step 8: Rename the configuration file to its original name:
Switch# rename flash:config.text.old flash:config.text

Note: Before continuing to Step 9, power on any connected stack members and wait until they have completely initialized. Failure to follow this step can result in a lost configuration depending on how your switch is set up.
Procedure with Password Recovery Disabled

If the password-recovery mechanism is disabled, this message appears:
The password-recovery mechanism has been triggered, but is currently disabled. Access to the boot loader prompt through the password-recovery mechanism is disallowed at this point. However, if you agree to let the system be reset back to the default system configuration, access to the boot loader prompt can still be allowed.

This is the intended protection of no service password-recovery: someone with console access cannot regain control while keeping the stored configuration and the credentials it contains; the only way forward is a reset that erases that configuration.
Step 7: Change the password:
Switch(config)# enable secret password
The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, and allows spaces but ignores leading spaces. The enable secret is stored in the configuration as a salted MD5 hash rather than in reversible form, which is why it should be used instead of enable password.

Step 8: Return to privileged EXEC mode:
Switch(config)# exit
Switch#

Note: Before continuing to Step 9, power on any connected stack members and wait until they have completely initialized.
• Manually assigning stack member numbers according to the placement of the switches in the stack can make it easier to remotely troubleshoot the switch stack. However, you need to remember that the switches have manually assigned numbers if you add, remove, or rearrange switches later. Use the switch current-stack-member-number renumber new-stack-member-number global configuration command to manually assign a stack member number.
vendor name and vendor ID, and recompute the security code and CRC. If the serial number, the vendor name or vendor ID, the security code, or CRC is invalid, the software generates a security error message and places the interface in an error-disabled state.

Note: The security error message references the GBIC_SECURITY facility. The switch supports SFP modules and does not support GBIC modules.
Using Ping

Understanding Ping

The switch supports IP ping, which you can use to test connectivity to remote hosts. Ping sends an echo request packet to an address and waits for a reply. Ping returns one of these responses:
• Normal response: the normal response (hostname is alive) occurs in 1 to 10 seconds, depending on network traffic.
• Destination does not respond: if the host does not respond, a no-answer message is returned.
Table 47-1 describes the possible ping character output.

Table 47-1 Ping Output Display Characters
!  Each exclamation point means receipt of a reply.
.  Each period means the network server timed out while waiting for a reply.
U  A destination unreachable error PDU was received.
C  A congestion experienced packet was received.
I  User interrupted test.
?  Unknown packet type.
&  Packet lifetime exceeded.
• A switch is reachable from another switch when you can test connectivity by using the ping privileged EXEC command. All switches in the physical path must be reachable from each other.
• The maximum number of hops identified in the path is ten.
• You can enter the traceroute mac or the traceroute mac ip privileged EXEC command on a switch that is not in the physical path from the source device to the destination device.
Using IP Traceroute

Understanding IP Traceroute

You can use IP traceroute to identify the path that packets take through the network on a hop-by-hop basis. The command output displays all network layer (Layer 3) devices, such as routers, that the traffic passes through on the way to the destination. Your switches can participate as the source or destination of the traceroute privileged EXEC command and might or might not appear as a hop in the traceroute command output.
This example shows how to perform a traceroute to an IP host:
Switch# traceroute ip 171.9.15.10
Type escape sequence to abort.
Tracing the route to 171.9.15.10
  1 172.2.52.1 0 msec 0 msec 4 msec
  2 172.2.1.203 12 msec 8 msec 0 msec
  3 171.9.16.6 4 msec 0 msec 0 msec
  4 171.9.4.5 0 msec 4 msec 0 msec
  5 171.9.121.34 0 msec 4 msec 4 msec
  6 171.9.15.9 120 msec 132 msec 128 msec
  7 171.9.15.
TDR can detect these cabling problems:
• Open, broken, or cut twisted-pair wires: the wires are not connected to the wires from the remote device.
• Shorted twisted-pair wires: the wires are touching each other or the wires from the remote device. For example, a shorted twisted pair can occur if one wire of the twisted pair is soldered to the other wire.
If one of the twisted-pair wires is open, TDR can find the length at which the wire is open.
Using Debug Commands

Caution: Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users.
Caution: Because debugging output takes priority over other network traffic, and because the debug all privileged EXEC command generates more output than any other debug command, it can severely diminish switch performance or even render it unusable. In virtually all cases, it is best to use more specific debug commands. The no debug all privileged EXEC command disables all diagnostic output.
Using the show platform forward Command

This is an example of the output from the show platform forward command on port 1 in VLAN 5 when the packet entering that port is addressed to unknown MAC addresses. The packet should be flooded to all other ports in VLAN 5.
Switch# show platform forward gigabitethernet1/0/1 vlan 5 1.1.1 2.2.2 ip 13.1.1.1 13.2.2.
Packet 1
 Lookup     Key-Used                                     Index-Hit  A-Data
 OutptACL   50_0D020202_0D010101-00_40000014_000A0000    01FFE      03000000
 Port       Vlan   SrcMac            DstMac            Cos   Dscpv
 Gi1/0/2    0005   0001.0001.0001    0009.43A8.0145

This is an example of the output when the packet coming in on port 1 in VLAN 5 has a destination MAC address set to the router MAC address in VLAN 5 and the destination IP address unknown.
Using the crashinfo Files

The crashinfo files save information that helps Cisco technical support representatives to debug problems that caused the Cisco IOS image to fail (crash). The switch writes the crash information to the console at the time of the failure. The switch creates two types of crashinfo files:
• Basic crashinfo file: the switch automatically creates this file the next time you boot up the Cisco IOS image after the failure.
Using On-Board Failure Logging

You can use the on-board failure logging (OBFL) feature to collect information about the switch. The information includes uptime, temperature, and voltage information and helps Cisco technical support representatives to troubleshoot switch problems. We recommend that you keep OBFL enabled and do not erase the data stored in the flash memory.
To disable OBFL, use the no hw-module module [switch-number] logging onboard [message level] global configuration command. To clear all the OBFL data in the flash memory except for the uptime and CLI command information, use the clear logging onboard privileged EXEC command.
Chapter 48 Configuring Online Diagnostics

This chapter describes how to configure the online diagnostics on the switch.

Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Configuring Online Diagnostics

You must configure the failure threshold and the interval between tests before enabling diagnostic monitoring. This section has this information:
• Scheduling Online Diagnostics, page 48-2
• Configuring Health-Monitoring Diagnostics, page 48-3

Scheduling Online Diagnostics

You can schedule online diagnostics to run at a designated time of day or on a daily, weekly, or monthly basis for a switch.
This example shows how to schedule diagnostic testing to occur weekly at a specific time on member switch 6 when this command is entered on a stack master:
Switch(config)# diagnostic schedule switch 6 test 1-4,7 weekly saturday 10:30
For more examples, see the “Examples” section of the diagnostic schedule command in the command reference for this release.
Step 4: diagnostic monitor threshold switch number test {name | test-id | test-id-range | all} failure count count
(Optional) Set the failure threshold for the health-monitoring tests. The range for the switch number keyword is from 1 to 9. When specifying the tests, use one of these parameters:
• name: Name of the test that appears in the show diagnostic content command output.
Running Online Diagnostic Tests

After you configure online diagnostics, you can manually start diagnostic tests or display the test results. You can also see which tests are configured for the switch or switch stack and the diagnostic tests that have already run.
Displaying Online Diagnostic Tests and Test Results

You can display the online diagnostic tests that are configured for the switch or switch stack and check the test results by using the privileged EXEC show commands in Table 48-1.

Table 48-1 Commands for Diagnostic Test Configuration and Results
show diagnostic content switch [number | all]: Display the online diagnostics configured for a switch.
Appendix A Supported MIBs

This appendix lists the supported management information bases (MIBs) for this release on the switch. It contains these sections:
• MIB List, page A-1
• Using FTP to Access the MIB Files, page A-4

MIB List

• BRIDGE-MIB
Note: The BRIDGE-MIB supports the context of a single VLAN. By default, SNMP messages using the configured community string always provide information for VLAN 1.
• CISCO-IETF-ISIS-MIB (Only with the IP services and advanced IP services feature sets)
• CISCO-IF-EXTENSIONS-MIB
• CISCO-IGMP-FILTER-MIB
• CISCO-IMAGE-MIB (Only stack master feature set details are shown.)
• CISCO-IP-STAT-MIB
• CISCO-L2L3-INTERFACE-CONFIG-MIB
• CISCO-LAG-MIB
• CISCO-MAC-NOTIFICATION-MIB
• CISCO-MEMORY-POOL-MIB (Only stack master feature set details are shown.)
• IEEE8023-LAG-MIB
• IF-MIB (In and out counters for VLANs are not supported.)
• IGMP-MIB
• INET-ADDRESS-MIB
• IPMROUTE-MIB
• OLD-CISCO-CHASSIS-MIB (Partial support on stacking-capable switches; some objects reflect only the stack master.)
• OLD-CISCO-CPU-MIB
• OLD-CISCO-FLASH-MIB (Supports only the stack master in a switch stack. Use CISCO-FLASH-MIB.)
Using FTP to Access the MIB Files

You can get each MIB file by using this procedure:
Step 1: Make sure that your FTP client is in passive mode.
Note: Some FTP clients do not support passive mode.
Step 2: Use FTP to access the server ftp.cisco.com.
Step 3: Log in with the username anonymous.
Step 4: Enter your e-mail username when prompted for the password.
Step 5: At the ftp> prompt, change directories to /pub/mibs/v1 and /pub/mibs/v2.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images

This appendix describes how to manipulate the switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch or to a switch stack. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Working with the Flash File System

These sections contain this configuration information:
• Displaying Available File Systems, page B-2
• Setting the Default File System, page B-3
• Displaying Information about Files on a File System, page B-3
• Changing Directories and Displaying the Working Directory, page B-4
• Creating and Removing Directories, page B-4
• Copying Files, page B-5
• Deleting Files,
Table B-1 show file systems Field Descriptions (continued)
Flags: Permission for file system. ro, read-only; rw, read/write; wo, write-only.
Prefixes: Alias for file system.
  flash: (flash file system)
  nvram: (NVRAM)
  null: (null destination for copies; you can copy a remote file to null to find its size)
  rcp: (Remote Copy Protocol (RCP) network server)
Table B-2 Commands for Displaying Information About Files (continued)
show file information file-url: Display information about a specific file.
show file descriptors: Display a list of open file descriptors. File descriptors are the internal representations of open files. You can use this command to see if another user has a file open.
To delete a directory with all its files and subdirectories, use the delete /force /recursive filesystem:/file-url privileged EXEC command. Use the /recursive keyword to delete the named directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory.
Use the /recursive keyword for deleting a directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process.
Beginning in privileged EXEC mode, follow these steps to create a file, display the contents, and extract it.

Step 1: archive /create destination-url flash:/file-url
Create a file and add files to it. For destination-url, specify the destination URL alias for the local or network file system and the name of the file to create. The -filename.
Step 3: archive /xtract source-url flash:/file-url [dir/file...]
Extract a file into a directory on the flash file system. For source-url, specify the source URL alias for the local file system. The -filename. is the file from which to extract files.
Working with Configuration Files

Guidelines for Creating and Using Configuration Files

Creating configuration files can aid in your switch configuration. Configuration files can contain some or all of the commands needed to configure one or more switches. For example, you might want to download the same configuration file to several switches that have the same hardware configuration.
Creating a Configuration File By Using a Text Editor

When creating a configuration file, you must list commands logically so that the system can respond appropriately. This is one method of creating a configuration file:
Step 1: Copy an existing configuration from a switch to a server.
• Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).
• For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read. TFTP has no authentication, so any host that can reach the server can fetch a world-readable configuration file, including the credentials it contains; leave the file in the TFTP directory only for as long as the transfer needs.
Step 3: Upload the switch configuration to the TFTP server. Specify the IP address or hostname of the TFTP server and the destination filename.
These sections contain this configuration information:
• Preparing to Download or Upload a Configuration File By Using FTP, page B-14
• Downloading a Configuration File By Using FTP, page B-14
• Uploading a Configuration File By Using FTP, page B-15

Preparing to Download or Upload a Configuration File By Using FTP

Before you begin downloading or uploading a configuration file
Step 6: end
Return to privileged EXEC mode.

Step 7: copy ftp:[[[//[username[:password]@]location]/directory]
Using FTP, copy the configuration file from a network server to the running configuration or to the startup configuration file. A password typed into the URL is visible on the terminal and in any session log; the ip ftp username and ip ftp password global configuration commands (Steps 4 and 5) avoid putting it on the command line.
Step 3: configure terminal
Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6).

Step 4: ip ftp username username
(Optional) Change the default remote username.

Step 5: ip ftp password password
(Optional) Change the default password.
RCP requires a client to send a remote username with each RCP request to a server. There is no password: the server decides whether to trust that username on the basis of its own configuration (for example, the .rhosts file on a UNIX host), so restrict the hosts and usernames it trusts. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list:
• The username specified in the copy command if a username is specified.
Downloading a Configuration File By Using RCP

Beginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP:
Step 1: Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using RCP” section on page B-17.
Uploading a Configuration File By Using RCP

Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP:
Step 1: Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using RCP” section on page B-17.
Clearing the Startup Configuration File
To clear the contents of your startup configuration, use the erase nvram: or the erase startup-config privileged EXEC command.

Caution: You cannot restore the startup configuration file after it has been deleted.
You use the archive config privileged EXEC command to save configurations in the configuration archive by using a standard location and filename prefix that is automatically appended with an incremental version number (and optional timestamp) as each consecutive file is saved. You can specify how many versions of the running configuration are kept in the archive.
• Make sure that the switch also has sufficient free memory to execute the configuration replacement or rollback configuration commands.
• Certain configuration commands, such as those pertaining to physical components of a networking device (for example, physical interfaces), cannot be added to or removed from the running configuration.
Working with Software Images

Performing a Configuration Replacement or Rollback Operation
Starting in privileged EXEC mode, follow these steps to replace the running configuration file with a saved configuration file:

Step 1
Command: archive config
Purpose: (Optional) Save the running configuration file to the configuration archive.
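The archive and rollback workflow described above, as an added example that is not part of the guide: the archive is set up once, a baseline is saved before a change, and the running configuration is then replaced (not merged) from that baseline. The flash path, version count and timer values are constructed; the commands themselves (archive, path, maximum, write-memory, time-period, archive config, configure replace, configure confirm) are standard Cisco IOS commands.

```cisco
! Added example (not from the guide). Path, counts and timer values are
! constructed placeholders.
!
! One-time setup: filename prefix for archived copies, how many versions
! to keep, an automatic save on every write memory, and a timed save.
Switch# configure terminal
Switch(config)# archive
Switch(config-archive)# path flash:switch1-cfg
Switch(config-archive)# maximum 10
Switch(config-archive)# write-memory
Switch(config-archive)# time-period 1440
Switch(config-archive)# end
!
! Step 1: save a known-good baseline before a risky change. Versions are
! stored as flash:switch1-cfg-1, flash:switch1-cfg-2, and so on.
Switch# archive config
Switch# show archive
!
! ... make the intended changes here ...
!
! Roll back to the baseline. "list" echoes each command applied; "time 120"
! reverts the replacement automatically unless "configure confirm" is entered
! within two minutes, which guards against a change that cuts off the
! management session used to make it. Physical-component commands (for
! example, interfaces) cannot be added or removed this way, as noted above.
Switch# configure replace flash:switch1-cfg-2 list time 120
Switch# configure confirm
```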
Note: Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command, we recommend using the archive download-sw and archive upload-sw privileged EXEC commands to download and upload software image files. For switch stacks, the archive download-sw and archive upload-sw privileged EXEC commands can only be used through the stack master.
Image Location on the Switch
The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management. The image is stored on the system board flash memory (flash:). You can use the show version privileged EXEC command to see the software version that is currently running on your switch.
Table B-3 info File Description (continued)

Field: total_image_file_size
Description: Specifies the size of all the images (the Cisco IOS image and the web management files) in the file, which is an approximate measure of the flash memory needed.
Note: You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot command (on SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x). For more information on the TFTP daemon, see the documentation for your workstation.
Step 3, Step 4, Step 5
Command: archive download-sw /allow-feature-upgrade [/directory] /overwrite /reload tftp:[[//location]/directory]/image-name1.tar [image-name2.tar image-name3.tar image-name4.tar]
Purpose: (Optional) Download the image files from the TFTP server to the switch, and overwrite the current image.
The algorithm installs the downloaded image on the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
You upload a switch image file to a server for backup purposes. You can use this uploaded image for future downloads to the same switch or to another switch of the same type.
Before you begin downloading or uploading an image file by using FTP, do these tasks:
• Ensure that the switch has a route to the FTP server. The switch and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the FTP server by using the ping command.
Step 7, Step 8, Step 9
Command: archive download-sw /allow-feature-upgrade [/directory] /overwrite /reload tftp:[[//location]/directory]/image-name1.tar [image-name2.tar image-name3.tar image-name4.tar]
Purpose: (Optional) Download the image files from the FTP server to the switch, and overwrite the current image.
The download algorithm verifies that the image is appropriate for the switch model and that enough DRAM is present, or it aborts the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the flash device, whether or not it is the same as the new one, downloads the new image, and then reloads the software.
Step 6
Command: end
Purpose: Return to privileged EXEC mode.

Step 7
Command: archive upload-sw ftp:[[//[username[:password]@]location]/directory]/image-name.tar
Purpose: Upload the currently running switch image to the FTP server.
• For //username:password, specify the username and password. These must be associated with an account on the FTP server.
Preparing to Download or Upload an Image File By Using RCP
RCP provides another method of downloading and uploading image files between remote hosts and the switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented. To use RCP to copy files, the server from or to which you will be copying files must support RCP.
If the switch IP address translates to Switch1.company.com, the .rhosts file for User0 on the RCP server should contain this line:

Switch1.company.com Switch1

For more information, see the documentation for your RCP server.

Downloading an Image File By Using RCP
You can download a new image file and replace or keep the current image.
Step 6, Step 7, Step 8
Command: archive download-sw /allow-feature-upgrade [/directory] /overwrite /reload tftp:[[//location]/directory]/image-name1.tar [image-name2.tar image-name3.tar image-name4.tar]
Purpose: Download the image files from the RCP server to the switch, and overwrite the current image.
The download algorithm verifies that the image is appropriate for the switch model and that enough DRAM is present, or it aborts the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the flash device, whether or not it is the same as the new one, downloads the new image, and then reloads the software.
Step 5
Command: end
Purpose: Return to privileged EXEC mode.

Step 6
Command: archive upload-sw rcp:[[[//[username@]location]/directory]/image-name.tar]
Purpose: Upload the currently running switch image to the RCP server.
• For //username, specify the username; for the RCP copy request to execute, define an account on the network server for the remote username.
Beginning in privileged EXEC mode from the stack member that you want to upgrade, follow these steps to copy the running image file from the flash memory of a different stack member:

Step 1
Command: archive copy-sw /destination-system destination-stack-member-number /force-reload source-stack-member-number
Purpose: Copy the running image file from a stack member, and then unconditio
Appendix C Unsupported Commands in Cisco IOS Release 12.2(40)EX

This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the switch prompt but are not supported in this release, either because they are not tested or because of switch hardware limitations. This is not a complete list. The unsupported commands are listed by software feature and command mode.
Debug Commands
Unsupported Privileged EXEC Commands
debug platform cli-redirection main
debug platform configuration

Embedded Event Manager
Unsupported Privileged EXEC Commands
event manager update user policy [policy-filename | group [group name expression]] | repository [url location]
Parameters are not supported for this command: event manager run [policy name] ||...
MAC Address Commands
neighbor advertise-map
neighbor allowas-in
neighbor default-originate
neighbor description
network backdoor
table-map

Unsupported VPN Configuration Commands
All

Unsupported Route Map Commands
match route-type for policy-based routing (PBR)
set as-path {tag | prepend as-path-string}
set automatic-tag
set dampening half-life reuse suppress max-suppress-time
set default interface interface-id [interface-id.....
Miscellaneous
show mac-address-table interface
show mac-address-table multicast
show mac-address-table notification
show mac-address-table static
show mac-address-table vlan
show mac address-table multicast

Note: Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast address-table entries for a VLAN.
MSDP
Unsupported Privileged EXEC Commands
show access-expression
show exception
show location
show pm LINE
show smf [interface-id]
show subscriber-policy [policy-number]
show template [template-name]

Unsupported Global Configuration Commands
ip msdp default-peer ip-address | name [prefix-list list] (Because BGP/MBGP is not supported, use the ip msdp peer command instead of this command.)
QoS
Unsupported Global Configuration Command
priority-list

Unsupported Interface Configuration Commands
priority-group
rate-limit

Unsupported Policy-Map Configuration Command
class class-default, where class-default is the class-map-name.
I N D EX ACEs Numerics and QoS 10-Gigabit Ethernet interfaces 10-6 defined 36-7 34-2 Ethernet IP A 34-2 34-2 ACLs AAA down policy, NAC Layer 2 IP validation abbreviating commands ABRs 1-10 ACEs 34-2 any keyword 2-4 34-13 applying 38-26 on bridged packets access templates 34-37 on multicast packets 8-1 access-class command on routed packets 34-20 access control entries 34-38 on switched packets See ACEs access-denied response, VMPS 12-29 applying IPv4 ACLs to interfaces 34-
Index ACLs (continued) ACLs (continued) IP precedence of creating QoS 34-8 fragments and QoS guidelines implicit deny undefined router 34-8 36-43 standard IPv4 applying to interfaces creating named creating 34-20 support for 34-8 time ranges 34-8 terminal lines, setting on unsupported features 35-3 applying to interfaces configuring named 35-3 34-36 40-1 displaying the MAC address table 35-3 default aging defined removing 17-9 6-21 17-9 6-19 3-10, 6-20 6-22 MAC, discovering 6
Index addresses (continued) ARP static configuring adding and removing defined defined 6-24 address resolution adjacency tables, with CEF managing 38-81 administrative distances ASBRs vendor-proprietary 1-2 advertisements vendor-specific audience 26-1 HSRP aggregatable global unicast addresses aggregate addresses, BGP 39-3 7-29 38-42 40-9 local mode with AAA NTP associations 38-61 aggregated ports 7-36 6-4 RADIUS See EtherChannel aggregate policers 36-58 aggregate policing 1
Index automatic extraction (auto-extract) in switch stacks 5-13 BGP automatic QoS aggregate addresses 38-61 aggregate routes, configuring See QoS automatic upgrades (auto-upgrade) in switch stacks CIDR 5-13 auto-MDIX 38-61 clear commands configuring described 38-64 community filtering 10-20 38-58 configuring neighbors 10-20 autonegotiation default configuration duplex mode described 1-3 interface configuration guidelines mismatches enabling 10-17 autonomous system boundary route
Index booting C boot loader, function of boot process manually 3-2 cables, monitoring for unidirectional links 3-2 CA trustpoint 3-13 specific image configuring 3-14 defined boot loader 7-45 7-43 accessing 3-15 caution, described described 3-2 CDP environment variables prompt configuring 36-38 26-2 default configuration 3-2 bootstrap router (BSR), described xliv and trusted boundary 3-15 3-15 trap-door mechanism 44-7 26-2 defined with LLDP described Border Gateway Protoc
Index Cisco Discovery Protocol CLI (continued) See CDP editing features Cisco Express Forwarding enabling and disabling keystroke editing See CEF wrapped lines Cisco Group Management Protocol error messages See CGMP 2-7 2-8 2-9 2-5 filtering command output Cisco IOS DHCP server getting help See DHCP, Cisco IOS DHCP server 2-10 2-3 history Cisco IOS File System changing the buffer size See IFS Cisco IOS IP SLAs 41-1 Cisco Network Assistant 2-6 disabling 2-7 recalling commands
Index community strings configuring overview configuration files (continued) types and location 32-8 uploading 32-4 community VLANs preparing 15-2, 15-3 compatibility, feature 25-11 compatibility, software See stacks, switch config.
Index cross-stack EtherChannel default configuration (continued) configuration guidelines CDP 37-12 configuring 26-2 DHCP on Layer 2 interfaces 37-12 on Layer 3 physical interfaces described 37-15 21-8 DHCP option 82 21-8 DHCP snooping 21-8 DHCP snooping binding database 37-2 illustration 37-3 DNS support for 1-7 dynamic ARP inspection cross-stack UplinkFast, STP 6-16 EIGRP 19-5 EtherChannel disabling 19-16 Ethernet interfaces enabling 19-16 fallback bridging Flex Links
Index default configuration (continued) private VLANs RADIUS RIP device discovery protocol device manager 15-6 benefits 7-20 1-2 described 38-21 1-2, 1-5 RMON 30-3 in-band management RSPAN 29-11 requirements SDM template SNMP 32-6 SPAN 29-11 SSL configuring described 36-30 21-6 relay agent 5-21 system message logging system name and prompt TACACS+ server 31-4 21-10 client request message exchange 7-13 3-4 configuring VLAN, Layer 2 Ethernet interfaces VLANs 12-8 VMPS 12-3
Index DHCP option 82 DHCP snooping binding database (continued) circuit ID suboption configuration guidelines default configuration displaying deleting 21-5 binding file 21-9 bindings 21-8 forwarding address, specifying overview 21-15 database agent 21-15 helper address 21-15 described 21-11 21-6 displaying 21-11 21-15 21-15 binding entries 21-3 packet format, suboption 21-15 status and statistics 21-15 circuit ID 21-5 displaying status and statistics remote ID 21-5 enabli
Index documentation, related xliv dual protocol stacks document conventions xliii configuring domain names DNS 6-15 VTP 13-8 IPv4 and IPv6 autosummarization configuring a summary address dot1q-tunnel switchport mode disabling 12-18 double-tagged packets 44-50 44-52 connecting PIM domain to DVMRP router IEEE 802.
Index dynamic access ports characteristics configuring defined dynamic ARP inspection (continued) priority of ARP ACLs and DHCP snooping entries 22-4 12-4 12-31 rate limiting of ARP packets 10-3 configuring dynamic addresses described See addresses 22-11 22-4 error-disabled state dynamic ARP inspection ARP cache poisoning statistics 22-1 ARP requests, described ARP spoofing attack 22-4 clearing 22-1 22-16 displaying 22-1 22-16 validation checks, performing clearing log buffer statis
Index EIGRP (continued) stub routing automatic creation of 38-43 support for EIGRP IPv6 EtherChannel channel groups 1-11 binding physical and logical interfaces 39-6 elections numbering of Layer 2 interfaces default configuration 33-7 environmental variables event detectors described 33-4 with STP described 7-44 encryption for passwords 37-19 interaction with other features modes enhanced object tracking Layer 3 interface 42-7 load balancing 42-2 line-protocol state 38-5 37-7, 3
Index extended crashinfo file EtherChannel (continued) extended-range VLANs port-channel interfaces described port groups configuration guidelines 37-4 numbering of configuring 37-4 creating 10-5 stack changes, effects of support for 19-10 MSTP disabling 19-17 STP enabling 19-17 and switch stacks See EBGP external neighbors, BGP 10-13 F 10-12 10-15 Fa0 port 10-15 See Ethernet management port, internal 10-13 failover support 10-12 10-12 Layer 3 routing guidelines unsupported f
Index fallback bridging (continued) files (continued) frame forwarding tar flooding packets forwarding packets overview creating 46-2 displaying the contents of 46-2 extracting 46-1 protocol, unsupported B-7 B-8 image file format 46-4 stack changes, effects of B-25 file system 46-3 STP displaying available file systems disabling on an interface forward-delay interval hello BPDU interval interface priority local file system names 46-9 setting the default 46-9 46-7 VLAN-bridge span
Index flowcontrol H configuring described 10-19 hardware limitations and Layer 3 interfaces 10-19 hello time forward-delay time MSTP STP MSTP 18-23 STP 17-23 18-22 17-22 help, for the command line Forwarding Information Base hierarchical policy maps See FIB forwarding nonroutable protocols configuring accessing MIB files described A-4 36-32 36-52 36-11 changing the buffer size B-14 B-13 preparing the server uploading 36-8 history configuration files downloading 2-3 configurati
Index HSRP (continued) timers IEEE 802.1Q and trunk ports 40-10 tracking 10-3 configuration limitations 40-7 HTTP over SSL encapsulation 12-19 12-16 native VLAN for untagged traffic see HTTPS 12-24 tunneling HTTPS configuring described compatibility with other features 7-46 defaults 7-43 self-signed certificate HTTP secure server described 7-43 16-4 16-1 tunnel ports with other features 7-43 16-6 16-6 IEEE 802.1s See MSTP I IEEE 802.1w IBPG See RSTP 38-45 IEEE 802.
Index IGMP (continued) IGMP profile host-query interval, modifying joining multicast group join messages configuring 23-3 leaving multicast group multicast reachability queries 23-26 configuration mode 23-3 leave processing, enabling overview applying 44-33 23-25 23-25 IGMP snooping 23-11, 24-9 and address aliasing 23-5 and stack changes 44-31 configuring 44-3 23-2 23-7 23-7 default configuration 23-4 report suppression definition 23-7, 24-6 23-2 described 23-6 enabling and
Index interface Internet Protocol version 6 number See IPv6 10-7 range macros Inter-Switch Link 10-10 interface command See ISL 10-7 to 10-8 interface configuration mode inter-VLAN routing 2-3 interfaces 1-11, 38-2 Intrusion Detection System auto-MDIX, configuring See IDS appliances 10-20 configuring inventory management TLV IPv4 and IPv6 procedure for QoS classification implicit deny 10-26 default configuration described IP ACLs 39-15 10-8 counters, clearing named 10-21 dis
Index IP multicast routing (continued) and IGMP snooping IP multicast routing (continued) MBONE 23-2 Auto-RP deleting sdr cache entries adding to an existing sparse-mode cloud benefits of described 44-18 clearing the cache limiting sdr cache entry lifetime preventing candidate RP spoofing 44-20 44-18 bootstrap router configuring candidate RPs peering devices 44-55 protocol interaction 44-23 Cisco implementation 44-22 44-54 RP 44-2 assigning manually configuring default configuratio
Index IP phones IP SLAs (continued) and QoS scheduling 14-1 automatic classification and queueing configuring trusted boundary for QoS 36-38 41-2 41-2 threshold monitoring track state 36-38 41-6 42-9 UDP jitter operation 36-2 IP-precedence-to-DSCP map for QoS 36-61 IP protocols 41-8 IP source guard and DHCP snooping in ACLs routing SNMP support supported metrics 14-4 ensuring port security with QoS IP precedence 36-20 41-5 and EtherChannels 34-12 21-16 21-18 and hardware entri
Index IP traceroute IP unicast routing (continued) executing 47-14 overview 47-14 protocols distance-vector IP unicast routing dynamic address resolution administrative distances ARP 38-3 link-state 38-9 38-3 proxy ARP 38-84, 38-93 38-10 redistribution 38-10 assigning IP addresses to Layer 3 interfaces authentication keys 38-85 reverse address resolution 38-7 routed ports 38-94 broadcast flooding subnet mask 38-17 packets supernet 38-14 classless routing UDP 38-8 configur
Index IPv6 (continued) addresses ISL and IPv6 39-2 address formats advantages encapsulation and switch stacks isolated port 39-5 defined 39-18 15-2, 15-3 J 39-13 39-1 enabling join messages, IGMP described 39-6 EIGRP IPv6 commands passive interfaces prefix lists router ID 39-7 39-24 39-4 39-1 network services configuring KDC 8-2, 24-1, 35-1, 39-11 stack master functions supported features 39-3 switch limitations 39-9 35-4 39-10 38-13 7-32 7-35 7-32 7-32 7-34 realm 7-33
Index key distribution center Lightweight Directory Access Protocol See KDC See LDAP line configuration mode 2-3 Link Aggregation Control Protocol L See EtherChannel l2protocol-tunnel command Link Failure, detecting unidirectional 16-13 Link Layer Discovery Protocol LACP Layer 2 protocol tunneling See CDP 16-9 link local unicast addresses See EtherChannel Layer 2 frames, classification with CoS 36-2 Layer 2 interfaces, default configuration configuring See Flex Links links, unidirectiona
Index load balancing local SPAN MAC address-table move update 40-3 configuration guidelines 29-2 location TLV configuring 27-3, 27-6 logging messages, ACL login authentication with RADIUS 7-23 with TACACS+ login banners 20-9 default configuration 34-9 20-5 description 20-3 monitoring 20-11 20-5 MAC address-to-VLAN mapping 7-14 MAC extended access lists 6-17 log messages applying to Layer 2 interfaces configuring for QoS See system message logging Long-Reach Ethernet (LRE) technolo
Index marking monitoring (continued) action in policy map HSRP 36-48 action with aggregate policers described IEEE 802.
Index monitoring (continued) VMPS VTP MSDP (continued) source-active messages (continued) 12-33 filtering to a peer 13-16 MSDP 45-12 limiting data with TTL benefits of monitoring 45-3 clearing MSDP connections and statistics support for forwarded by switch 45-12 originated by switch 45-9 received by switch configuration guidelines described 45-4 18-16 18-6 BPDU filtering sending SA messages to 45-17 specifying the originating address 45-18 filtering described 19-3 enabling 19
Index MSTP (continued) MSTP (continued) displaying status Port Fast 18-26 enabling the mode 18-16 EtherChannel guard described enabling unexpected behavior 19-10 19-10 enabling 18-17 19-18 root switch 18-19 configuring 18-18 IEEE 802.
Index Multiple HSRP NAC (continued) See MHSRP Layer 2 IEEE 802.1x validation Layer 2 IP validation multiple VPN routing/forwarding in customer edge devices See multi-VRF CE multi-VRF CE 38-76 configuration guidelines configuring named IPv6 ACLs 35-3 See NSM 38-68 native VLAN 38-68 and IEEE 802.
Index network performance, measuring with IP SLAs network policy TLV 41-3 NTP (continued) synchronizing devices 27-6 Network Time Protocol time See NTP services no commands 6-5 6-2 synchronizing 2-4 6-2 nonhierarchical policy maps configuration guidelines configuring O 36-48 described 36-9 OBFL non-IP traffic filtering nontrunking mode 34-27 12-4 configuration modes 12-6 HSRP 42-7 IP SLAs 12-1 42-9 IP SLAs, configuring 10-4 mointoring xliv 42-9 42-10 offline configuration
Index OSPF (continued) monitoring PBR defined 38-36 router IDs enabling 38-35 route summarization support for 38-90 fast-switched policy-based routing 38-32 local policy-based routing 1-11 virtual links 38-88 peers, BGP 38-32 out-of-profile markdown 38-91 38-59 percentage thresholds in tracked lists 1-11 performance, network design performance features P 36-19 1-3 7-43 per-VLAN spanning-tree plus See PVST+ PAgP Layer 2 protocol tunneling 16-9 parallel paths, in routing tables OS
Index PBR (continued) port ACLs versions interoperability 44-11 troubleshooting interoperability problems v2 improvements 44-27 defined 34-2 types of 34-3 Port Aggregation Protocol See EtherChannel 44-4 PIM-DVMRP, as snooping method 23-9 port-based authentication ping accounting character output description 9-9 authentication server 47-12 executing 47-11 defined overview 47-11 RADIUS server policed-DSCP map for QoS 9-2 client, defined 36-62 policers 9-3 9-2 configuration g
Index port-based authenication (continued) port-based authentication (continued) inaccessible authentication bypass configuring described voice VLAN described 9-37 9-15 guidelines 9-26 initiation and message exchange magic packet 9-5 method lists PVID 9-16 VVID 9-16 wake-on-LAN, described port blocking 9-18 9-16 1-4, 25-6 port-channel 9-26 multiple-hosts mode, described 9-8 per-user ACLs See EtherChannel Port Fast AAA authorization 9-26 described 19-2 configuration tasks 9-13
Index port security (continued) enabling private VLANs (continued) monitoring 25-17 on trunk ports 25-13 sticky learning 25-8 violations ports community with other features configuring host ports 25-10 port-shutdown response, VMPS power management TLV isolated 27-6 primary VLANs 20-5 preferential treatment of traffic See QoS 15-1 15-5 2-2 changing the default for lines exiting 40-7 overriding CoS trusting CoS overview 14-6 7-9 7-2, 7-7 setting a command with See protected ports
Index pruning, VTP (continued) QoS (continued) enabling classification in VTP domain on a port class maps, described 13-14 defined 12-23 36-7 36-4 examples 13-5 DSCP transparency, described overview 13-4 flowchart pruning-eligible list changing 12-23 for VTP pruning VLANs 36-6 forwarding treatment 36-3 in frames and packets 36-3 IP ACLs, described 13-5 36-5, 36-7 MAC ACLs, described 13-14 PVST+ options for IP traffic described IEEE 802.
Index QoS (continued) QoS (continued) configuring (continued) ingress queues (continued) policy maps, hierarchical priority queue, described 36-52 policy maps on physical ports port trust states within the domain trusted boundary scheduling, described 36-48 WTD, described 36-38 default auto configuration 36-67 36-16 IP phones 36-21 default standard configuration 36-4 setting WTD thresholds 36-35 36-16 automatic classification and queueing 36-30 displaying statistics 36-78 detecti
Index QoS (continued) RADIUS (continued) queues operation of configuring egress characteristics 36-70 configuring ingress characteristics high priority (expedite) location of 36-19, 36-76 support for macro 36-13 7-18 1-10 7-28 10-10 of interfaces 36-19 10-9 rapid convergence 1-10 trust states 18-10 rapid per-VLAN spanning-tree plus bordering another domain described 36-40 See rapid PVST+ rapid PVST+ 36-5 trusted device described 36-38 within the domain 17-10 IEEE 802.
Index redundancy (continued) restricting access STP NTP services backbone overview 17-8 multidrop backbone path cost RADIUS reliable transport protocol, EIGRP 7-10 retry count, VMPS, changing 19-15 reverse address resolution 38-37 12-33 38-9 Reverse Address Resolution Protocol 3-17 Remote Authentication Dial-In User Service See RADIUS See RARP RFC Remote Copy Protocol 1058, RIP See RCP 38-20 1112, IP multicast and IGMP Remote Network Monitoring 1157, SNMPv1 1163, BGP See RMON 38
Index RMON routing default configuration displaying status groups supported 30-3 38-3 redistribution of information static 30-2 38-3 collecting group history support for 30-5 30-5 See RIP routing protocol administrative distances RSPAN 1-12 root guard described characteristics 19-10 enabling support for root switch 18-17 17-16 route calculation timers, OSPF route dampening, BGP 38-33 34-38 routed ports 29-8 displaying status 29-24 in a switch stack 29-2 interaction with other feat
Index RSTP (continued) secure HTTP client interoperability with IEEE 802.
Index show and more command output, filtering show cdp traffic command default configuration 26-5 show configuration command show forward command SNMP (continued) 2-10 engine ID 10-21 groups 47-18 32-7 32-6, 32-9 show interfaces command 10-18, 10-21 host show l2protocol command 16-13, 16-15, 16-16 ifIndex values show lldp traffic command 27-7 in-band management show platform forward command 10-26 Simple Network Management Protocol 11-6 applying global parameter values applying macr
Index software compatibility SPAN (continued) See stacks, switch transmitted traffic VLAN-based software images location in flash See STP 3-17 tar file format, described SPAN traffic B-25 See also downloading and uploading 29-6 split horizon, RIP in IPv4 ACLs 34-12 in IPv6 ACLs 35-6 configuring source-and-destination-IP address based forwarding, EtherChannel 37-8 36-75 shared weights on egress queues 36-76 described source-IP address based forwarding, EtherChannel source-MAC address
Index stack changes, effects on (continued) IGMP snooping IP routing accessing CLI of specific member 23-7 member number 35-4 IPv6 routing priority value 39-10 MAC address tables MVR auto-advise SNMP bridge ID 8-3 configuration file system message log VTP bridge ID (MAC address) 5-1 election 5-6 description of 5-8 5-1 5-25 5-21 hardware compatibility and SDM mismatch mode 5-11 5-6 HSRP considerations IPv6 on accessing CLI of specific member configuring 5-25 priority value 5-23 M
Index stacks, switch (continued) standby links standby router offline configuration described 20-2 40-1 standby timers, HSRP 5-9 effects of adding a provisioned switch startup configuration 5-9 effects of removing a provisioned switch 5-11 effects of replacing a provisioned switch 5-11 provisioned configuration, defined booting manually 3-13 specific image 5-9 provisioned switch, defined 5-9 clearing provisioning a new member 5-24 configuration file partitioned provisioned switch
Index storm control STP (continued) configuring default optional feature configuration 25-3 described 25-1 designated port, defined disabling 25-5 designated switch, defined 17-4 17-4 displaying 25-18 detecting indirect link failures support for 1-4 disabling thresholds 25-1 19-8 17-16 displaying status STP 19-12 17-24 EtherChannel guard accelerating root port selection 19-4 BackboneFast described 19-7 disabling 19-17 enabling 19-16 described 19-10 disabling 19-17 enab
STP (continued) subnet mask subnet zero loop guard described summer time 19-18 modes supported optional features supported supernet 17-9 38-8 and IP unicast routing and router ACLs 12-27 Port Fast 19-2 enabling 19-12 defined 10-6 10-5 routing between VLANs switch console port 12-26 preventing root switch selection protocols supported 38-5 34-4 connecting VLANs described 19-10 12-2 1-6 Switch Database Management See SDM 17-10 redundant connectivity switched packets, ACLs
system clock (continued) T displaying the time and date overview 6-12 TACACS+ 6-1 accounting, defined See also NTP authentication, defined system message logging default configuration accounting authorization 31-5 level keywords, described limiting messages message format overview 7-16 default configuration 31-10 7-14 7-13 displaying the configuration 31-10 identifying the server 31-2 7-17 7-13 limiting the services to the user sequence numbers, enabling and disabling setting
TFTP traceroute, Layer 2 (continued) configuration files multicast traffic downloading multiple devices on a port B-12 preparing the server uploading unicast traffic B-11 configuring for autoconfiguration image files 3-6 47-12 traceroute command 47-14 See also IP traceroute 3-6 tracked lists deleting configuring B-29 downloading types B-27 preparing the server uploading 42-3 42-3 tracked objects B-26 by Boolean expression B-29 limiting access by servers by threshold we
troubleshooting tunneling connectivity problems defined 47-10, 47-12, 47-13 16-1 detecting unidirectional links 28-1 IEEE 802.
unicast MAC address filtering and adding static addresses 6-25 and router MAC addresses configuration guidelines 6-25 unicast storm 25-1 preparing 6-25 6-25 and multicast addresses described configuration files 6-26 and broadcast MAC addresses and CPU packets uploading 1-6 6-25 reasons for B-9 using FTP B-15 using RCP B-19 using TFTP 6-25 B-12 image files preparing unicast storm control command unicast traffic, blocking B-26, B-30, B-35 reasons for 25-4 25-7 UniDirectio
VLAN configuration at bootup saving VLANs adding 12-8 adding to VLAN database 12-8 VLAN configuration mode allowed on trunk and startup configuration file configuration options 12-7 VLAN filtering and SPAN configuring 16-5 13-2 deleting VLAN Management Policy Server features 34-34 common uses for internal 34-30 34-31 defined 34-2 displaying modifying 34-34 34-31 support for 1-9 VLAN membership confirming 12-32 12-3 VLAN Query Protocol multicast 29-16 23-18 normal-ran
VLANs (continued) VPN traffic between VLAN-bridge STP VTP modes configuring routing in 12-2 forwarding 17-11, 46-2 38-74 38-68 in service provider networks 13-3 VLAN Trunking Protocol routes 38-65 38-66 VPN routing and forwarding table See VTP VLAN trunks See VRF 12-16 VMPS VQP administering VRF 12-33 configuration example defining 12-34 configuration guidelines default configuration description tables 12-30 ftp ping 12-34 12-31 mapping MAC addresses to VLANs reconfi
VTP (continued) VTP (continued) configuration revision number guideline Version 2 configuration guidelines 13-14 resetting 13-15 configuring client mode 13-11 server mode 13-9 transparent mode consistency checks 13-12 13-13 enabling 13-13 overview 13-4 W 13-4 default configuration disabling 13-7 WCCP described 13-1 authentication disabling 13-12 configuration guidelines domain names domains 13-8 43-3 default configuration 13-2 described Layer 2 protocol tunneling
WTD described 36-13 setting thresholds egress queue-sets ingress queues support for 36-71 36-67 1-11 X Xmodem protocol 47-2 Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide IN-54 OL-12247-01