Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide Cisco IOS Release 12.2(25)SEF June 2006 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS Preface xxvii Audience xxvii Purpose xxvii Conventions xxviii Related Publications xxviii Obtaining Documentation xxix Cisco.
Contents CHAPTER 2 Using the Command-Line Interface Understanding Command Modes Understanding the Help System 2-1 2-1 2-3 Understanding Abbreviated Commands 2-4 Understanding no and default Forms of Commands Understanding CLI Error Messages Using Configuration Logging 2-4 2-5 2-5 Using Command History 2-6 Changing the Command History Buffer Size 2-6 Recalling Commands 2-6 Disabling the Command History Feature 2-7 Using Editing Features 2-7 Enabling and Disabling Editing Features 2-7 Editing Comma
Contents Booting Manually 3-15 Booting a Specific Software Image 3-16 Controlling Environment Variables 3-16 Scheduling a Reload of the Software Image 3-18 Configuring a Scheduled Reload 3-18 Displaying Scheduled Reload Information 3-19 CHAPTER 4 Configuring Cisco IOS CNS Agents 4-1 Understanding Cisco Configuration Engine Software 4-1 Configuration Service 4-2 Event Service 4-3 NameSpace Mapper 4-3 What You Should Know About the CNS IDs and Device Hostnames ConfigID 4-3 DeviceID 4-4 Hostname and Devi
Contents Configuring the Source IP Address for NTP Packets 5-10 Displaying the NTP Configuration 5-11 Configuring Time and Date Manually 5-11 Setting the System Clock 5-11 Displaying the Time and Date Configuration 5-12 Configuring the Time Zone 5-12 Configuring Summer Time (Daylight Saving Time) 5-13 Configuring a System Name and Prompt 5-14 Default System Name and Prompt Configuration Configuring a System Name 5-15 Understanding DNS 5-15 Default DNS Configuration 5-16 Setting Up DNS 5-16 Displaying the D
Contents Configuring Multiple Privilege Levels 6-7 Setting the Privilege Level for a Command 6-8 Changing the Default Privilege Level for Lines 6-9 Logging into and Exiting a Privilege Level 6-9 Controlling Switch Access with TACACS+ 6-10 Understanding TACACS+ 6-10 TACACS+ Operation 6-12 Configuring TACACS+ 6-12 Default TACACS+ Configuration 6-13 Identifying the TACACS+ Server Host and Setting the Authentication Key 6-13 Configuring TACACS+ Login Authentication 6-14 Configuring TACACS+ Authorization for Pr
Contents Configuring the Switch for Secure Shell 6-37 Understanding SSH 6-38 SSH Servers, Integrated Clients, and Supported Versions Limitations 6-39 Configuring SSH 6-39 Configuration Guidelines 6-39 Setting Up the Switch to Run SSH 6-39 Configuring the SSH Server 6-41 Displaying the SSH Configuration and Status 6-41 6-38 Configuring the Switch for Secure Socket Layer HTTP 6-42 Understanding Secure HTTP Servers and Clients 6-42 Certificate Authority Trustpoints 6-42 CipherSuites 6-44 Configuring Secure
Contents Using IEEE 802.1x Authentication with Wake-on-LAN 7-16 Using IEEE 802.1x Authentication with MAC Authentication Bypass 7-17 Configuring IEEE 802.1x Authentication 7-18 Default IEEE 802.1x Authentication Configuration 7-19 IEEE 802.1x Authentication Configuration Guidelines 7-20 IEEE 802.1x Authentication 7-20 VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass 7-21 MAC Authentication Bypass 7-22 Configuring IEEE 802.
Contents Connecting Interfaces 8-5 Management-Only Interface 8-5 Using Interface Configuration Mode 8-6 Procedures for Configuring Interfaces 8-6 Configuring a Range of Interfaces 8-7 Configuring and Using Interface Range Macros 8-8 Configuring Ethernet Interfaces 8-10 Default Ethernet Interface Configuration 8-10 Configuring Interface Speed and Duplex Mode 8-11 Speed and Duplex Configuration Guidelines 8-11 Setting the Type of a Dual-Purpose Uplink Port 8-12 Setting the Interface Speed and Duplex Para
Contents VLAN Configuration Mode Options 10-6 VLAN Configuration in config-vlan Mode 10-6 VLAN Configuration in VLAN Database Configuration Mode Saving VLAN Configuration 10-6 Default Ethernet VLAN Configuration 10-7 Creating or Modifying an Ethernet VLAN 10-8 Deleting a VLAN 10-9 Assigning Static-Access Ports to a VLAN 10-10 Configuring Extended-Range VLANs 10-11 Default VLAN Configuration 10-11 Extended-Range VLAN Configuration Guidelines Creating an Extended-Range VLAN 10-12 Displaying VLANs 10-6 10-1
Contents Troubleshooting Dynamic-Access Port VLAN Membership VMPS Configuration Example 10-30 CHAPTER 11 Configuring VTP 10-30 11-1 Understanding VTP 11-1 The VTP Domain 11-2 VTP Modes 11-3 VTP Advertisements 11-3 VTP Version 2 11-4 VTP Pruning 11-4 Configuring VTP 11-6 Default VTP Configuration 11-6 VTP Configuration Options 11-7 VTP Configuration in Global Configuration Mode 11-7 VTP Configuration in VLAN Database Configuration Mode VTP Configuration Guidelines 11-8 Domain Names 11-8 Passwords 11-8
Contents CHAPTER 13 Configuring STP 13-1 Understanding Spanning-Tree Features 13-1 STP Overview 13-2 Spanning-Tree Topology and BPDUs 13-3 Bridge ID, Switch Priority, and Extended System ID 13-4 Spanning-Tree Interface States 13-4 Blocking State 13-6 Listening State 13-6 Learning State 13-6 Forwarding State 13-6 Disabled State 13-7 How a Switch or Port Becomes the Root Switch or Root Port 13-7 Spanning Tree and Redundant Connectivity 13-8 Spanning-Tree Address Management 13-8 Accelerated Aging to Retai
Contents CHAPTER 14 Configuring MSTP 14-1 Understanding MSTP 14-2 Multiple Spanning-Tree Regions 14-2 IST, CIST, and CST 14-3 Operations Within an MST Region 14-3 Operations Between MST Regions 14-4 IEEE 802.1s Terminology 14-5 Hop Count 14-5 Boundary Ports 14-6 IEEE 802.1s Implementation 14-6 Port Role Naming Change 14-7 Interoperation Between Legacy and Standard Switches Detecting Unidirectional Link Failure 14-8 Interoperability with IEEE 802.
Contents CHAPTER 15 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding Port Fast 15-2 Understanding BPDU Guard 15-2 Understanding BPDU Filtering 15-3 Understanding UplinkFast 15-3 Understanding BackboneFast 15-5 Understanding EtherChannel Guard 15-7 Understanding Root Guard 15-8 Understanding Loop Guard 15-9 15-1 15-1 Configuring Optional Spanning-Tree Features 15-9 Default Optional Spanning-Tree Configuration 15-9 Optional Spanning-Tree Configuratio
Contents CHAPTER 17 Configuring DHCP Features 17-1 Understanding DHCP Features 17-1 DHCP Server 17-2 DHCP Relay Agent 17-2 DHCP Snooping 17-2 Option-82 Data Insertion 17-3 Configuring DHCP Features 17-6 Default DHCP Configuration 17-6 DHCP Snooping Configuration Guidelines 17-7 Configuring the DHCP Relay Agent 17-8 Enabling DHCP Snooping and Option 82 17-8 Enabling the Cisco IOS DHCP Server Database 17-10 Displaying DHCP Snooping Information CHAPTER 18 Configuring IGMP Snooping and MVR 17-10 18-1
Contents Configuring MVR 18-19 Default MVR Configuration 18-19 MVR Configuration Guidelines and Limitations Configuring MVR Global Parameters 18-20 Configuring MVR Interfaces 18-21 Displaying MVR Information 18-20 18-23 Configuring IGMP Filtering and Throttling 18-23 Default IGMP Filtering and Throttling Configuration 18-24 Configuring IGMP Profiles 18-24 Applying IGMP Profiles 18-25 Setting the Maximum Number of IGMP Groups 18-26 Configuring the IGMP Throttling Action 18-27 Displaying IGMP Filtering an
Contents CHAPTER 20 Configuring CDP 20-1 Understanding CDP 20-1 Configuring CDP 20-2 Default CDP Configuration 20-2 Configuring the CDP Characteristics 20-2 Disabling and Enabling CDP 20-3 Disabling and Enabling CDP on an Interface Monitoring and Maintaining CDP CHAPTER 21 Configuring UDLD 20-4 21-1 Understanding UDLD 21-1 Modes of Operation 21-1 Methods to Detect Unidirectional Links Configuring UDLD 21-3 Default UDLD Configuration 21-4 Configuration Guidelines 21-4 Enabling UDLD Globally 21-5
Contents Creating a Local SPAN Session 22-10 Creating a Local SPAN Session and Configuring Incoming Traffic 22-13 Specifying VLANs to Filter 22-14 Configuring RSPAN 22-15 RSPAN Configuration Guidelines 22-15 Configuring a VLAN as an RSPAN VLAN 22-16 Creating an RSPAN Source Session 22-17 Creating an RSPAN Destination Session 22-19 Creating an RSPAN Destination Session and Configuring Incoming Traffic Specifying VLANs to Filter 22-22 Displaying SPAN and RSPAN Status CHAPTER 23 Configuring RMON 22-20 22
Contents CHAPTER 25 Configuring SNMP 25-1 Understanding SNMP 25-1 SNMP Versions 25-2 SNMP Manager Functions 25-3 SNMP Agent Functions 25-4 SNMP Community Strings 25-4 Using SNMP to Access MIB Variables 25-4 SNMP Notifications 25-5 SNMP ifIndex MIB Object Values 25-5 Configuring SNMP 25-6 Default SNMP Configuration 25-6 SNMP Configuration Guidelines 25-6 Disabling the SNMP Agent 25-7 Configuring Community Strings 25-8 Configuring SNMP Groups and Users 25-9 Configuring SNMP Notifications 25-11 Setting th
Contents IPv4 ACL Configuration Examples 26-19 Numbered ACLs 26-19 Extended ACLs 26-19 Named ACLs 26-20 Time Range Applied to an IP ACL 26-20 Commented IP ACL Entries 26-20 Creating Named MAC Extended ACLs 26-21 Applying a MAC ACL to a Layer 2 Interface 26-22 Configuring VLAN Maps 26-23 VLAN Map Configuration Guidelines 26-24 Creating a VLAN Map 26-25 Examples of ACLs and VLAN Maps 26-25 Applying a VLAN Map to a VLAN 26-27 Using VLAN Maps in Your Network 26-28 Wiring Closet Configuration 26-28 Denying Ac
Contents Enabling Auto-QoS for VoIP 27-26 Auto-QoS Configuration Example 27-27 Displaying Auto-QoS Information 27-29 Configuring Standard QoS 27-29 Default Standard QoS Configuration 27-30 Default Ingress Queue Configuration 27-30 Default Egress Queue Configuration 27-31 Default Mapping Table Configuration 27-32 Standard QoS Configuration Guidelines 27-32 QoS ACL Guidelines 27-32 Applying QoS on Interfaces 27-32 Policing Guidelines 27-33 General QoS Guidelines 27-33 Enabling QoS Globally 27-34 Enabling V
Contents Configuring Egress Queue Characteristics 27-69 Configuration Guidelines 27-70 Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID 27-72 Configuring SRR Shaped Weights on Egress Queues 27-74 Configuring SRR Shared Weights on Egress Queues 27-75 Configuring the Egress Expedite Queue 27-76 Limiting the Bandwidth on an Egress Interface 27-76 Displaying Standard QoS Information CHAPTER 28 27-70 27-77 Conf
Contents CHAPTER 29 Troubleshooting 29-1 Recovering from a Software Failure 29-2 Recovering from a Lost or Forgotten Password 29-3 Procedure with Password Recovery Enabled 29-4 Procedure with Password Recovery Disabled 29-6 Preventing Autonegotiation Mismatches SFP Module Security and Identification Monitoring SFP Module Status Monitoring Temperature 29-7 29-8 29-8 29-9 Using Ping 29-9 Understanding Ping 29-9 Executing Ping 29-9 Using Layer 2 Traceroute 29-10 Understanding Layer 2 Traceroute 29-1
Contents APPENDIX B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System B-1 Displaying Available File Systems B-2 Setting the Default File System B-3 Displaying Information about Files on a File System B-3 Changing Directories and Displaying the Working Directory Creating and Removing Directories B-4 Copying Files B-4 Deleting Files B-5 Creating, Displaying, and Extracting tar Files B-5 Creating a tar File B-6 Displaying the Contents of a ta
Contents Uploading an Image File By Using TFTP B-24 Copying Image Files By Using FTP B-24 Preparing to Download or Upload an Image File By Using FTP B-25 Downloading an Image File By Using FTP B-26 Uploading an Image File By Using FTP B-27 Copying Image Files By Using RCP B-28 Preparing to Download or Upload an Image File By Using RCP B-29 Downloading an Image File By Using RCP B-30 Uploading an Image File By Using RCP B-32 APPENDIX C Unsupported Commands in Cisco IOS Release 12.
Contents Spanning Tree C-4 Unsupported Global Configuration Command C-4 Unsupported Interface Configuration Command C-4 VLAN C-5 Unsupported Global Configuration Commands Unsupported vlan-config Command C-5 Unsupported User EXEC Commands C-5 VTP C-5 C-5 Unsupported Privileged EXEC Commands C-5 INDEX Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide OL-8915-01 xxvii
Preface Audience This guide is for the networking professional managing the Cisco Catalyst Blade Switch 3020 for HP, hereafter referred to as the switch module. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking. Purpose This guide provides the information that you need to configure Cisco IOS software features on your switch.
Preface Conventions Conventions This publication uses these conventions to convey instructions and information: Command descriptions use these conventions: • Commands and keywords are in boldface text. • Arguments for which you supply values are in italic. • Square brackets ([ ]) mean optional elements. • Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
Preface Obtaining Documentation You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section on page xxix. • Release Notes for the Cisco Catalyst Blade Switch 3020 for HP, Cisco IOS Release 12.2(25)SEF (not orderable but available on Cisco.com) • Cisco Catalyst Blade Switch 3020 for HP System Message Guide (not orderable, but available on Cisco.
Preface Documentation Feedback The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at this URL: http://www.cisco.com/go/marketplace/ Ordering Documentation Registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL: http://www.cisco.
Preface Obtaining Technical Assistance To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.html Reporting Security Problems in Cisco Products Cisco is committed to delivering secure products.
Preface Obtaining Technical Assistance Cisco Technical Support & Documentation Website The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL: http://www.cisco.com/techsupport Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password.
Preface Obtaining Additional Publications and Information Definitions of Service Request Severity To ensure that all service requests are reported in a standard format, Cisco has established severity definitions. Severity 1 (S1)—An existing network is down, or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Preface Obtaining Additional Publications and Information • iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions.
CHAPTER 1 Overview This chapter provides these topics about the switch software: • Features, page 1-1 • Default Settings After Initial Switch Configuration, page 1-8 • Design Concepts for Using the Switch, page 1-10 • Where to Go Next, page 1-13 Unless otherwise noted, the term switch refers to a standalone blade switch. In this document, IP refers to IP Version 4 (IPv4).
Chapter 1 Overview Features Ease-of-Deployment and Ease-of-Use Features The switch ships with these features to make the deployment and the use easier: • Express Setup for quickly configuring a switch for the first time with basic IP information, contact information, switch and Telnet passwords, and Simple Network Management Protocol (SNMP) information through a browser-based program. For more information about Express Setup, see the getting started guide.
Chapter 1 Overview Features Management Options These are the options for configuring and managing the switch: • An embedded device manager—The device manager is a GUI that is integrated in the software image. You use it to configure and to monitor a single switch. For information about launching the device manager, see the getting started guide. For more information about the device manager, see the switch online help. • CLI—The Cisco IOS software supports desktop- and multilayer-switching features.
Chapter 1 Overview Features Note • Cisco Discovery Protocol (CDP) Versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network • Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source • Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses • Configuration logging to log and to view changes to the switch configuration • Unique device identifi
Chapter 1 Overview Features • Optional spanning-tree features available in PVST+, rapid-PVST+, and MSTP mode: – Port Fast for eliminating the forwarding delay by enabling a port to immediately change from the blocking state to the forwarding state – BPDU guard for shutting down Port Fast-enabled ports that receive bridge protocol data units (BPDUs) – BPDU filtering for preventing a Port Fast-enabled port from sending or receiving BPDUs – Root guard for preventing switches outside the network core from
Chapter 1 Overview Features • Port security option for limiting and identifying MAC addresses of the stations allowed to access the port • Port security aging to set the aging time for secure addresses on a port • BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs • Standard and extended IP access control lists (ACLs) for defining inbound security policies on Layer 2 interfaces (port ACLs) • Extended MAC access control lists for defining security polici
Chapter 1 Overview Features QoS and CoS Features These are the QoS and CoS features: • Automatic QoS (auto-QoS) to simplify the deployment of existing QoS features by classifying traffic and configuring egress queues • Classification – IP type-of-service/Differentiated Services Code Point (IP ToS/DSCP) and IEEE 802.1p CoS marking priorities on a per-port basis for protecting the performance of mission-critical applications – IP ToS/DSCP and IEEE 802.
Chapter 1 Overview Default Settings After Initial Switch Configuration Monitoring Features These are the monitoring features: • Switch LEDs that provide port- and switch-level status • MAC address notification traps and RADIUS accounting for tracking users on a network by storing the MAC addresses that the switch has learned or removed • Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) for traffic monitoring on any port or VLAN (except for the fa0 interface) • SPAN and RSPAN support of Intrus
Chapter 1 Overview Default Settings After Initial Switch Configuration • NTP is enabled. For more information, see Chapter 5, “Administering the Switch.” • DNS is enabled. For more information, see Chapter 5, “Administering the Switch.” • TACACS+ is disabled. For more information, see Chapter 6, “Configuring Switch-Based Authentication.” • RADIUS is disabled. For more information, see Chapter 6, “Configuring Switch-Based Authentication.
Chapter 1 Overview Design Concepts for Using the Switch • The IGMP snooping querier feature is disabled. For more information, see Chapter 18, “Configuring IGMP Snooping and MVR.” • MVR is disabled. For more information, see Chapter 18, “Configuring IGMP Snooping and MVR.” • Port-based traffic – Broadcast, multicast, and unicast storm control is disabled. For more information, see Chapter 19, “Configuring Port-Based Traffic Control.” – No protected ports are defined.
Chapter 1 Overview Design Concepts for Using the Switch Table 1-1 Increasing Network Performance Network Demands Suggested Design Methods Too many users on a single network segment and a growing number of users accessing the Internet • Increased power of new PCs, workstations, and servers • High bandwidth demand from networked applications (such as e-mail with large attached files) and from bandwidth-intensive applications (such as multimedia) • Create smaller network segments so that fewer users
Chapter 1 Overview Design Concepts for Using the Switch DSCP marking priorities on these switches. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit multilayer switch with routing capability, such as a Catalyst 3750 switch, or to a router. The first illustration is of an isolated high-performance workgroup, where the blade switches are connected to Catalyst 3750 switches in the distribution layer.
Figure 1-2 Server Aggregation (figure: campus core of Catalyst 6500 switches, Catalyst 3750 StackWise switch stacks, blade switches, and blade servers)
Where to Go Next
Before configuring the switch, review these sections for startup information: • Chapter 2, “Using the Command-Line Interface” • Chapter 3, “Assigning the Switch IP Address and Default Gateway”
CHAPTER 2 Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your switch.
Understanding Command Modes
Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the hostname Switch.

Table 2-1 Command Mode Summary
Mode: User EXEC
  Access Method: Begin a session with your switch.
  Prompt: Switch>
  Exit Method: Enter logout or quit.
  About This Mode: Use this mode to • Change terminal settings. • Perform basic tests.

Table 2-1 Command Mode Summary (continued)
Mode: Interface configuration
  Access Method: While in global configuration mode, enter the interface command (with a specific interface).
  Prompt: Switch(config-if)#
  Exit Method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
  About This Mode: Use this mode to configure parameters for the Ethernet ports.
Table 2-2 Help Summary (continued)
Command: ?
  Purpose: List all commands available for a particular command mode. For example: Switch> ?
Command: command ?
  Purpose: List the associated keywords for a command. For example: Switch> show ?
Command: command keyword ?
  Purpose: List the associated arguments for a keyword.
Understanding CLI Error Messages
Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch.

Table 2-3 Common CLI Error Messages
Error Message: % Ambiguous command: "show con"
  Meaning: You did not enter enough characters for your switch to recognize the command.
Chapter 2 Using the Command-Line Interface Using Command History Using Command History The software provides a history or record of commands that you have entered. The command history feature is particularly useful for recalling long or complex commands or entries, including access lists.
Chapter 2 Using the Command-Line Interface Using Editing Features Disabling the Command History Feature The command history feature is automatically enabled. You can disable it for the current terminal session or for the command line. These procedures are optional. To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command.
Table 2-5 Editing Commands through Keystrokes (continued)
Press Ctrl-F, or press the right arrow key: Move the cursor forward one character.
Press Ctrl-A: Move the cursor to the beginning of the command line.
Press Ctrl-E: Move the cursor to the end of the command line.
Press Esc B: Move the cursor back one word.
Press Esc F: Move the cursor forward one word.
Press Ctrl-T.

Table 2-5 Editing Commands through Keystrokes (continued)
Capability: Scroll down a line or screen on displays that are longer than the terminal screen can display.
  Press the Return key: Scroll down one line.
  Press the Space bar: Scroll down one screen.
Capability: Redisplay the current command line.
  Press Ctrl-L or Ctrl-R.
Chapter 2 Using the Command-Line Interface Searching and Filtering Output of show and more Commands Searching and Filtering Output of show and more Commands You can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see. Using these commands is optional.
Chapter 2 Using the Command-Line Interface Accessing the CLI For information about configuring the switch for Telnet access, see the “Setting a Telnet Password for a Terminal Line” section on page 6-6. The switch supports up to 16 simultaneous Telnet sessions. Changes made by one Telnet user are reflected in all other Telnet sessions. For information about configuring the switch for SSH, see the “Configuring the Switch for Secure Shell” section on page 6-37.
CHAPTER 3 Assigning the Switch IP Address and Default Gateway This chapter describes how to create the initial switch configuration (for example, assigning the IP address and default gateway information) by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration.
Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information The boot loader provides access to the flash file system before the operating system is loaded. Normally, the boot loader is used only to load, uncompress, and launch the operating system. After the boot loader gives the operating system control of the CPU, the boot loader is not active until the next system reset or power-on.
Default Switch Information
Table 3-1 shows the default switch information.

Table 3-1 Default Switch Information
Feature: IP address and subnet mask. Default Setting: No IP address or subnet mask is defined.
Feature: Default gateway. Default Setting: No default gateway is defined.
Feature: Enable secret password. Default Setting: No password is defined.
Feature: Hostname. Default Setting: The factory-assigned default hostname is Switch.
Feature: Telnet password. Default Setting: No password is defined.
Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information DHCP Client Request Process When you boot your switch, the DHCP client is invoked and requests configuration information from a DHCP server when the configuration file is not present on the switch.
Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Configuring DHCP-Based Autoconfiguration These sections contain this configuration information: • DHCP Server Configuration Guidelines, page 3-5 • Configuring the TFTP Server, page 3-6 • Configuring the DNS, page 3-6 • Configuring the Relay Device, page 3-6 • Obtaining Configuration Files, page 3-7 • Example Configuration, page 3-8 If your DHCP server is a Cisco device, see the “Configuring DHCP” section
Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Configuring the TFTP Server Based on the DHCP server configuration, the switch attempts to download one or more configuration files from the TFTP server.
For example, in Figure 3-2, configure the router interfaces as follows:
On interface 10.0.0.2:
router(config-if)# ip helper-address 20.0.0.2
router(config-if)# ip helper-address 20.0.0.3
router(config-if)# ip helper-address 20.0.0.4
On interface 20.0.0.1:
router(config-if)# ip helper-address 10.0.0.1
Figure 3-2 Relay Device Used in Autoconfiguration (figure: the switch as DHCP client, a Cisco router as relay)
Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information The default configuration file contains the hostnames-to-IP-address mapping for the switch. The switch fills its host table with the information in the file and obtains its hostname. If the hostname is not found in the file, the switch uses the hostname in the DHCP reply. If the hostname is not specified in the DHCP reply, the switch uses the default Switch as its hostname.
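The hostname precedence described above (host table from the downloaded default configuration file, then the hostname in the DHCP reply, then the factory default Switch) as executable logic, in an added Python example that is not code from the Cisco guide or from Cisco IOS. The ip host lines and addresses are constructed sample data. The hostname-format check applied before a downloaded or DHCP-supplied name is accepted is an assumption added here, because both sources arrive over unauthenticated DHCP and TFTP; the guide does not state that the switch performs such a check.

```python
"""Hostname selection during DHCP-based autoconfiguration.

Added example; not code from the Cisco guide or from Cisco IOS. Models the
precedence the section describes: host table from the default configuration
file, then the hostname in the DHCP reply, then the factory default 'Switch'.
"""
import re

DEFAULT_HOSTNAME = "Switch"

# Constructed default configuration file: hostname-to-IP mappings in the
# IOS 'ip host NAME ADDRESS' form (sample data, not from the guide).
SAMPLE_NETWORK_CONFG = """\
ip host switcha 10.0.0.21
ip host switchb 10.0.0.22
ip host tftpserver 10.0.0.3
"""

# Assumed acceptance rule for a name obtained over the network: letters,
# digits, hyphens and dots, at most 63 characters, starting alphanumeric.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,62}$")


def parse_host_table(confg_text):
    """Build {ip_address: hostname} from 'ip host NAME ADDR' lines.

    Lines that are not host entries are ignored; a later entry for the same
    address replaces an earlier one, mirroring a table being filled in order.
    """
    table = {}
    for line in confg_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "ip" and parts[1] == "host":
            table[parts[3]] = parts[2]
    return table


def select_hostname(my_ip, confg_text=None, dhcp_reply_hostname=None):
    """Return the hostname the switch would adopt for the lease my_ip.

    confg_text: the downloaded default configuration file, or None if no
                file was obtained.
    dhcp_reply_hostname: the hostname option from the DHCP reply, or None.
    A candidate that fails the format check is skipped and the next source
    is tried, ending with the factory default.
    """
    candidates = []
    if confg_text:
        candidates.append(parse_host_table(confg_text).get(my_ip))
    candidates.append(dhcp_reply_hostname)
    for name in candidates:
        if name and _HOSTNAME_RE.match(name):
            return name
    return DEFAULT_HOSTNAME


if __name__ == "__main__":
    # Lease matches a host-table entry: the file wins over the DHCP option.
    print(select_hostname("10.0.0.21", SAMPLE_NETWORK_CONFG, "from-dhcp"))
    # No matching entry: the DHCP reply hostname is used.
    print(select_hostname("10.0.0.99", SAMPLE_NETWORK_CONFG, "from-dhcp"))
    # Neither source supplies a usable name: the default applies.
    print(select_hostname("10.0.0.99", None, "bad name!"))
```

Run as a script it prints switcha, from-dhcp and Switch for the three cases; the parser can be pointed at a real default configuration file to check which name a given lease would resolve to before the file is placed on the TFTP server.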
Table 3-2 DHCP Server Configuration (continued)
Boot filename (configuration file) (optional): Switch A switcha-confg; Switch B switchb-confg; Switch C switchc-confg; Switch D switchd-confg
Hostname (optional): Switch A switcha; Switch B switchb; Switch C switchc; Switch D switchd
DNS Server Configuration
The DNS server maps the TFTP server name tftpserver to IP address 10.0.0.3.
Manually Assigning IP Information
Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs):
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface vlan vlan-id. Enter interface configuration mode, and enter the VLAN to which the IP information is assigned.
!
!
no aaa new-model
system env temperature threshold yellow 25
ip subnet-zero
!
no ip domain-lookup
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2-4,20-22,100,200,999
!
!
interface FastEthernet0
 ip address dhcp
 no ip route-cache
 keepalive 1
!
interface GigabitEthernet0/1
 speed 1000
 spanning-tree portfast
!
interf
interface GigabitEthernet0/11
 speed 1000
 spanning-tree portfast
!
interface GigabitEthernet0/12
 speed 1000
 spanning-tree portfast
!
interface GigabitEthernet0/13
 speed 1000
 spanning-tree portfast
!
interface GigabitEthernet0/14
 speed 1000
 spanning-tree portfast
!
interface GigabitEthernet0/15
 speed 1000
 spanning-tree portfast
!
interface GigabitEthernet0/16
 speed 1000
 spanning-tree portfast
!
inter
!
interface GigabitEthernet0/24
 switchport access vlan 2
 switchport trunk native vlan 2
!
interface Vlan1
 no ip 2.2.2.122 255.255.255.
Chapter 3 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Default Boot Configuration Table 3-3 shows the default boot configuration. Table 3-3 Default Boot Configuration Feature Default Setting Operating system software image The switch attempts to automatically boot the system using information in the BOOT environment variable.
Chapter 3 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Step 4 Command Purpose show boot Verify your entries. The boot config-file global configuration command changes the setting of the CONFIG_FILE environment variable. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no boot config-file global configuration command.
Chapter 3 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Booting a Specific Software Image By default, the switch attempts to automatically boot the system using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system.
Chapter 3 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Environment variables store two kinds of data: • Data that controls code, which does not read the Cisco IOS configuration file. For example, the name of a boot loader helper file, which extends or patches the functionality of the boot loader can be stored as an environment variable. • Data that controls code, which is responsible for reading the Cisco IOS configuration file.
Chapter 3 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image Scheduling a Reload of the Software Image You can schedule a reload of the software image to occur on the switch at a later time (for example, late at night or during the weekend when the switch is used less), or you can synchronize a reload network-wide (for example, to perform a software upgrade on all switches in the network). Note A scheduled reload must take place within approximately 24 days.
Chapter 3 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image This example shows how to reload the software on the switch at a future time: Switch# reload at 02:00 jun 20 Reload scheduled for 02:00:00 UTC Thu Jun 20 1996 (in 344 hours and 53 minutes) Proceed with reload? [confirm] To cancel a previously scheduled reload, use the reload cancel privileged EXEC command.
Chapter 3 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide 3-20 OL-8915-01
Chapter 4 Configuring Cisco IOS CNS Agents

This chapter describes how to configure the Cisco IOS CNS agents on the switch.

Note: For complete configuration information for the Cisco Configuration Engine, see this URL on Cisco.com: http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.

Understanding Cisco Configuration Engine Software

Figure 4-1 Configuration Engine Architectural Overview (figure: service provider network; configuration engine containing the data service directory, configuration server and event service; web-based user interface; order entry and configuration management)

These sections contain this conceptual information:
• Configuration Service, page 4-2
• Event Service, page 4-3
• What You Should Know About the CNS IDs and Device Hostnames, p

Event Service

The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine. The Event Service is a highly capable publish-and-subscribe communication method.

DeviceID

Each configured switch participating on the event bus has a unique DeviceID, which is analogous to the switch source address so that the switch can be targeted as a specific destination on the bus. All switches configured with the cns config partial global configuration command must access the event bus.

Understanding Cisco IOS Agents

The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent.

Configuring Cisco IOS Agents

Incremental (Partial) Configuration

After the network is running, new services can be added by using the Cisco IOS agent. Incremental (partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation. The switch can check the syntax of the configuration before applying it.

Table 4-1 Prerequisites for Enabling Automatic Configuration

Device                     Required Configuration
Access switch              Factory default (no configuration file)
Distribution switch        • IP helper address
                           • Enable DHCP relay agent
                           • IP routing (if used as default gateway)
DHCP server                • IP address assignment
                           • TFTP server IP address
                           • Path to bootstrap configuration file on the TFTP server
                           •
TFTP server
CNS Configuration Engine

Enabling the CNS Event Agent

Note: You must enable the CNS event agent on the switch before you enable the CNS configuration agent.

Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.

Enabling the Cisco IOS CNS Agent

After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands:
• The cns config initial global configuration command enables the Cisco IOS agent and initiates an initial configuration on the switch.

Step 7  cns id interface num {dns-reverse | ipaddress | mac-address} [event]
        or
        cns id {hardware-serial | hostname | string string} [event]
        Set the unique EventID or ConfigID used by the Configuration Engine.

Step 10  show cns config connections
         Verify information about the configuration agent.
Step 11  show running-config
         Verify your entries.

To disable the CNS Cisco IOS agent, use the no cns config initial {ip-address | hostname} global configuration command.

This example shows how to configure an initial configuration on a remote switch. The switch hostname is the unique ID.

Displaying CNS Configuration

You can use the privileged EXEC commands in Table 4-2 to display CNS configuration information.

Table 4-2 Displaying CNS Configuration

Command                       Purpose
show cns config connections   Displays the status of the CNS Cisco IOS agent connections.
show cns config outstanding   Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
Chapter 5 Administering the Switch

This chapter describes how to perform one-time operations to administer the switch.

Managing the System Time and Date

The system clock can provide time to these services:
• User show commands
• Logging and debugging messages

The system clock keeps track of time internally based on Universal Time Coordinated (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight saving time) so that the time appears correctly for the local time zone.

Figure 5-1 shows a typical network example using NTP. Switch A is the NTP master, with Switches B, C, and D configured in NTP server mode, in server association with Switch A. Switch E is configured as an NTP peer to the upstream and downstream switches, Switch B and Switch F.

These sections contain this configuration information:
• Default NTP Configuration, page 5-4
• Configuring NTP Authentication, page 5-4
• Configuring NTP Associations, page 5-5
• Configuring NTP Broadcast Service, page 5-6
• Configuring NTP Access Restrictions, page 5-8
• Configuring the Source IP Address for NTP Packets, page 5-10
• Displaying the NTP Configuration, page 5-11

Default NTP Configuration

Table 5-1 shows the

Step 3  ntp authentication-key number md5 value
        Define the authentication keys. By default, none are defined.
        • For number, specify a key number. The range is 1 to 4294967295.
        • md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5).
        • For value, enter an arbitrary string of up to eight characters for the key.

Beginning in privileged EXEC mode, follow these steps to form an NTP association with another device:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ntp peer ip-address [version number] [key keyid] [source interface] [prefer]
        Configure the switch system clock to synchronize a peer or to be synchronized by a peer (peer association).

The switch can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server, such as a router, broadcasting time information on the network. The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it. The switch can also receive NTP broadcast packets to synchronize its own clock.

Step 5  ntp broadcastdelay microseconds
        (Optional) Change the estimated round-trip delay between the switch and the NTP broadcast server. The default is 3000 microseconds; the range is 1 to 999999.
Step 6  end
        Return to privileged EXEC mode.
Step 7  show running-config
        Verify your entries.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Step 3  access-list access-list-number permit source [source-wildcard]
        Create the access list.
        • For access-list-number, enter the number specified in Step 2.
        • Enter the permit keyword to permit access if the conditions are matched.
        • For source, enter the IP address of the device that is permitted access to the switch.
        • (Optional) For source-wildcard, enter the wildcard bits to be applied to the source.

Disabling NTP Services on a Specific Interface

NTP services are enabled on all interfaces by default. Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on an interface:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode, and specify the interface to disable.

Displaying the NTP Configuration

You can use two privileged EXEC commands to display NTP information:
• show ntp associations [detail]
• show ntp status

For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.

Displaying the Time and Date Configuration

To display the time and date configuration, use the show clock [detail] privileged EXEC command. The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes.

Configuring Summer Time (Daylight Saving Time)

Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  clock summer-time zone recurring
        Configure summer time to start and end on the specified days every year.

Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  clock summer-time zone date [month date year hh:mm month date year hh:mm
        Configure summer time to start on the first date and end on the second date.

Configuring a System Name and Prompt

These sections contain this configuration information:
• Default System Name and Prompt Configuration, page 5-15
• Configuring a System Name, page 5-15
• Understanding DNS, page 5-15

Default System Name and Prompt Configuration

The default switch system name and prompt is Switch.

These sections contain this configuration information:
• Default DNS Configuration, page 5-16
• Setting Up DNS, page 5-16
• Displaying the DNS Configuration, page 5-17

Default DNS Configuration

Table 5-2 shows the default DNS configuration.

Table 5-2 Default DNS Configuration

Feature                   Default Setting
DNS enable state          Enabled.
DNS default domain name   None configured.
DNS servers               No name server addresses are configured.

Step 6  show running-config
        Verify your entries.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.

Creating a Banner

Configuring a Message-of-the-Day Login Banner

You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  banner motd c message c
        Specify the message of the day.

Configuring a Login Banner

You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  banner login c message c
        Specify the login message.

Managing the MAC Address Table

These sections contain this configuration information:
• Building the Address Table, page 5-20
• MAC Addresses and VLANs, page 5-20
• Default MAC Address Table Configuration, page 5-21
• Changing the Address Aging Time, page 5-21
• Removing Dynamic Address Entries, page 5-22
• Configuring MAC Address Notification Traps, page 5-22
• Adding and Removing Static Address Entries, page 5-24
• Configuring Unicast MAC Address Filter

Default MAC Address Table Configuration

Table 5-3 shows the default MAC address table configuration.

Table 5-3 Default MAC Address Table Configuration

Feature             Default Setting
Aging time          300 seconds
Dynamic addresses   Automatically learned
Static addresses    None configured

Changing the Address Aging Time

Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use.

Removing Dynamic Address Entries

To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode.

Step 5  mac address-table notification [interval value] | [history-size value]
        Enter the trap interval time and the history table size.
        • (Optional) For interval value, specify the notification trap interval in seconds between each set of traps that are generated to the NMS. The range is 0 to 2147483647 seconds; the default is 1 second.

Adding and Removing Static Address Entries

A static address has these characteristics:
• It is manually entered in the address table and must be manually removed.
• It can be a unicast or multicast address.
• It does not age and is retained when the switch restarts.

You can add and remove static addresses and define the forwarding behavior for them.

Configuring Unicast MAC Address Filtering

When unicast MAC address filtering is enabled, the switch drops packets with specific source or destination MAC addresses. This feature is disabled by default and only supports unicast static addresses. Follow these guidelines when using this feature:
• Multicast MAC addresses, broadcast MAC addresses, and router MAC addresses are not supported.

This example shows how to enable unicast MAC address filtering and to configure the switch to drop packets that have a source or destination address of c2f3.220a.12f4. When a packet is received in VLAN 4 with this MAC address as its source or destination, the packet is dropped:

Switch(config)# mac address-table static c2f3.220a.
Chapter 6 Configuring Switch-Based Authentication

This chapter describes how to configure switch-based authentication on the switch.

Protecting Access to Privileged EXEC Commands

• If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information. For more information, see the "Controlling Switch Access with TACACS+" section on page 6-10.

Setting or Changing a Static Enable Password

The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  enable password password
        Define a new password or change an existing password for access to privileged EXEC mode.

Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  enable password [level level] {password | encryption-type encrypted-password}
        Define a new password or change an existing password for access to privileged EXEC mode.

This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:

Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8

Disabling Password Recovery

By default, any end user with physical access to the switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password.

Setting a Telnet Password for a Terminal Line

When you power up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password.

Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  username name [privilege level] {password encryption-type password}
        Enter the username, privilege level, and password for each user.

Setting the Privilege Level for a Command

Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  privilege mode level level command
        Set the privilege level for a command.

Changing the Default Privilege Level for Lines

Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  line vty line
        Select the virtual terminal line on which to restrict access.
Step 3  privilege level level
        Change the default privilege level for the line.

Controlling Switch Access with TACACS+

This section describes how to enable and configure Terminal Access Controller Access Control System Plus (TACACS+), which provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through authentication, authorization, and accounting (AAA) and can be enabled only through AAA commands.

Figure 6-1 Typical TACACS+ Network Configuration (figure: UNIX workstation as TACACS+ server 1 at 171.20.10.7, UNIX workstation as TACACS+ server 2 at 171.20.10.8, and a Catalyst 6500 series switch)

Configure the Blade switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers). Enable AAA. Create a login authentication method list.

TACACS+ Operation

When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:

1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a password prompt.

authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.
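The fall-through rule above has a security consequence that is easy to miss: a later method such as local is consulted only when an earlier method does not respond, never when it answers with a rejection. The following added model (not Cisco IOS code; the server addresses reuse Figure 6-1, and the user database and server reachability flags are constructed) evaluates a login method list under exactly that rule.

```python
"""Model of AAA login method-list evaluation as this chapter describes it:
a method that does not respond is skipped; a method that answers (accept
or reject) ends the search.  Added example, not Cisco IOS code."""
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"   # method unreachable: try the next one


# Constructed TACACS+ group: address -> (reachable, {username: password}).
# Addresses are the server addresses from Figure 6-1; credentials are made up.
TACACS_SERVERS = {
    "171.20.10.7": (True, {"admin": "Str0ng-Pass"}),
    "171.20.10.8": (True, {"admin": "Str0ng-Pass"}),
}
# Same group with both servers unreachable (constructed outage scenario).
SERVERS_DOWN = {addr: (False, db) for addr, (_, db) in TACACS_SERVERS.items()}

# Constructed local user database (what 'username ... password' would hold).
LOCAL_USERS = {"fallback": "LocalOnly!"}


def query_tacacs(servers, user, password):
    """The first reachable server in the group decides; if none is reachable
    the whole method counts as not responding."""
    for _addr, (reachable, db) in servers.items():
        if not reachable:
            continue
        return Verdict.ACCEPT if db.get(user) == password else Verdict.REJECT
    return Verdict.NO_RESPONSE


def query_local(users, user, password):
    """The local database always responds."""
    return Verdict.ACCEPT if users.get(user) == password else Verdict.REJECT


def authenticate(method_list, user, password,
                 servers=TACACS_SERVERS, local_users=LOCAL_USERS):
    """Walk the method list left to right.  Returns (verdict, deciding method);
    the deciding method is None when every method failed to respond, which
    this model treats as a denied login (fail closed)."""
    for method in method_list:
        if method == "group tacacs+":
            verdict = query_tacacs(servers, user, password)
        elif method == "local":
            verdict = query_local(local_users, user, password)
        elif method == "none":
            verdict = Verdict.ACCEPT
        else:
            raise ValueError(f"unknown method {method!r}")
        if verdict is not Verdict.NO_RESPONSE:
            return verdict, method
    return Verdict.REJECT, None


if __name__ == "__main__":
    methods = ["group tacacs+", "local"]
    # Servers up: a TACACS+ rejection is final, the local user is never tried.
    print(authenticate(methods, "fallback", "LocalOnly!"))
    # Servers down: the list falls through and the local user is accepted.
    print(authenticate(methods, "fallback", "LocalOnly!", servers=SERVERS_DOWN))
```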
Step 3  aaa new-model
        Enable AAA.
Step 4  aaa group server tacacs+ group-name
        (Optional) Define the AAA server group with a group name. This command puts the switch in a server group subconfiguration mode.
Step 5  server ip-address
        (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group.

Step 3  aaa authentication login {default | list-name} method1 [method2...]
        Create a login authentication method list.
        • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.

Note: To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip http authentication aaa global configuration command. Configuring AAA authentication alone does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
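The settings covered in this chapter (aaa new-model, enable secret versus enable password, password recovery, the ip http authentication aaa note above, NTP authentication from Chapter 5, and per-line login methods) can be checked mechanically against a saved running-config. The script below is an added example, not Cisco tooling; both sample configurations are constructed, modelled on the show running-config output earlier in this guide, and the hash and key values in the hardened one are placeholders.

```python
"""Audit a Cisco IOS running-config for the access-control settings this
chapter covers.  Added example, not Cisco tooling; configs are constructed."""

# Constructed weak configuration: each shortcoming is deliberate.
WEAK_CONFIG = """\
version 12.2
no service password-encryption
hostname Switch
!
enable password cisco
no aaa new-model
!
ip http server
!
ntp server 10.0.0.3
!
line vty 0 4
 password telnet
 login
line vty 5 15
 login
!
end
"""

# Constructed hardened configuration; hash and key values are placeholders.
HARDENED_CONFIG = """\
version 12.2
service password-encryption
no service password-recovery
hostname Switch
!
enable secret 5 $1$PLCH$placeholder-hash-value
!
aaa new-model
aaa authentication login default group tacacs+ local
!
ip http server
ip http authentication aaa
!
ntp authenticate
ntp authentication-key 1 md5 PLACEHOLDER-KEY
ntp trusted-key 1
ntp server 10.0.0.3 key 1
!
line vty 0 15
 login authentication default
!
end
"""


def blocks(config):
    """Yield (top-level line, [indented sub-commands]) for the whole config."""
    header, children = None, []
    for raw in config.splitlines():
        if raw.startswith(" "):
            if header is not None:
                children.append(raw.strip())
            continue
        if header is not None:
            yield header, children
        header, children = raw.strip(), []
    if header is not None:
        yield header, children


def audit(config):
    """Return (check-id, message) findings; an empty list means every check passed."""
    parsed = list(blocks(config))
    top = {header for header, _ in parsed}

    def has(cmd):  # the bare command, or the command followed by arguments
        return any(h == cmd or h.startswith(cmd + " ") for h in top)

    findings = []
    if not has("aaa new-model"):
        findings.append(("aaa", "AAA is off ('aaa new-model' missing): TACACS+/RADIUS method lists cannot be used"))
    if has("enable password") and not has("enable secret"):
        findings.append(("enable-secret", "'enable password' without 'enable secret': privileged EXEC is not protected by a hashed secret"))
    if has("no service password-encryption"):
        findings.append(("password-encryption", "line and username passwords are stored in clear text in the configuration"))
    if not has("no service password-recovery"):
        findings.append(("password-recovery", "password recovery is enabled: physical access at boot allows a password reset"))
    if has("ip http server") and not has("ip http authentication aaa"):
        findings.append(("http-aaa", "HTTP server enabled without 'ip http authentication aaa'"))
    if (has("ntp server") or has("ntp peer")) and not has("ntp authenticate"):
        findings.append(("ntp-auth", "NTP associations configured without 'ntp authenticate': time source is unauthenticated"))
    for header, children in parsed:
        if not header.startswith("line vty"):
            continue
        via_aaa = any(c.startswith("login authentication") for c in children)
        via_line = "login" in children and any(c.startswith("password ") for c in children)
        if not (via_aaa or via_line):
            findings.append(("vty", f"{header}: no usable login method ('login authentication', or 'login' plus 'password')"))
    return findings


if __name__ == "__main__":
    for check, message in audit(WEAK_CONFIG):
        print(f"[{check}] {message}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```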
Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Starting TACACS+ Accounting The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Understanding RADIUS RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco routers and switches. Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information.
Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Transitioning from RADIUS to TACACS+ Services Remote PC R1 RADIUS server R2 RADIUS server T1 TACACS+ server T2 TACACS+ server Workstation 86891 Figure 6-2 RADIUS Operation When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur: 1. The user is prompted to enter a username and password. 2.
Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Configuring RADIUS This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.
Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS You identify RADIUS security servers by their hostname or IP address, hostname and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting: Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1 Switch(config)# radius-server host 172.20.36.
Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Step 3 Command Purpose aaa authentication login {default | list-name} method1 [method2...] Create a login authentication method list. • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.
Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Step 8 Command Purpose copy running-config startup-config (Optional) Save your entries in the configuration file. Step 9 Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 6-23. To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.
Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Step 3 Command Purpose aaa authorization exec radius Configure the switch for user RADIUS authorization if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information). Step 4 end Return to privileged EXEC mode. Step 5 show running-config Verify your entries.
Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Configuring Settings for All RADIUS Servers Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server key string Specify the shared secret text string used between the switch and all RADIUS servers.
Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: cisco-avpair= ”shell:priv-lvl=15“ This example shows how to specify an authorized VLAN in the RADIUS server database: cisco-avpair= ”tunnel-type(#64)=VLAN(13)” cisco-avpair= ”tunnel-medium-type(#65)=802 media(6)” cisco-avpair= ”tunnel-private-group-ID(#81)=vlanid” This example shows how to apply an in
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
Controlling Switch Access with Kerberos
This section describes how to enable and configure the Kerberos security system, which authenticates requests for network resources by using a trusted third party. To use this feature, the cryptographic (encryption-capable) version of the switch software must be installed on your switch.
This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they already use for their other network hosts (such as UNIX servers and PCs).
Table 6-2 Kerberos Terms (continued)
KEYTAB (footnote 3): A password that a network service shares with the KDC. In Kerberos 5 and later Kerberos versions, the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it. In Kerberos versions earlier than Kerberos 5, the KEYTAB is referred to as the SRVTAB (footnote 4).
Principal
4. The KDC sends an encrypted TGT that includes the user identity to the switch.
5. The switch attempts to decrypt the TGT by using the password that the user entered.
• If the decryption is successful, the user is authenticated to the switch.
Note A Kerberos server can be a Cisco Catalyst Blade Switch 3020 for HP that is configured as a network security server and that can authenticate users by using the Kerberos protocol.
To set up a Kerberos-authenticated server-client system, follow these steps:
• Configure the KDC by using Kerberos commands.
• Configure the switch to use the Kerberos protocol.
Step 6 username name [privilege level] {password encryption-type password}: Enter the local database, and establish a username-based authentication system. Repeat this command for each user.
• For name, specify the user ID as one word. Spaces and quotation marks are not allowed.
• (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15.
For SSH configuration examples, see the “SSH Configuration Examples” section in the “Configuring Secure Shell” chapter of the Cisco IOS Security Configuration Guide, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfssh.
Limitations
These limitations apply to SSH:
• The switch supports Rivest, Shamir, and Adleman (RSA) authentication.
• SSH supports only the execution-shell application.
• The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data encryption software.
• The switch does not support the Advanced Encryption Standard (AES) symmetric encryption algorithm.
3. Generate an RSA key pair for the switch, which automatically enables SSH. Follow this procedure only if you are configuring the switch as an SSH server.
4. Configure user authentication for local or remote access. This step is required. For more information, see the “Configuring the Switch for Local Authentication and Authorization” section on page 6-36.
Configuring the SSH Server
Beginning in privileged EXEC mode, follow these steps to configure the SSH server:
Step 1 configure terminal: Enter global configuration mode.
Step 2 ip ssh version [1 | 2]: (Optional) Configure the switch to run SSH Version 1 or SSH Version 2. If you do not enter this command, the switch accepts both versions (compatibility mode); SSH Version 2 is the version to use.
• 1—Configure the switch to run SSH Version 1.
• 2—Configure the switch to run SSH Version 2.
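Given the limitations listed above (DES and 3DES only, no AES, and protocol Version 1 still accepted unless ip ssh version 2 is configured), a practitioner will want to check what a switch actually offers before trusting it for management access. SSH announces its protocol version in the identification string and its ciphers and MACs in the SSH_MSG_KEXINIT message (RFC 4253, sections 4.2 and 7.1). The following Python example is added here; it is not part of the original guide and not Cisco IOS code. It parses both and flags a legacy server. The two sample banners and KEXINIT payloads are constructed for the example, not captured from a switch, and the Cisco-style version string is an assumption about the banner format. Protocol Version 1's 56-bit DES is negotiated outside KEXINIT, so it is detected from the 1.99 banner rather than from a cipher name.

```python
# Hypothetical example (not Cisco IOS code): audit an SSH server's identification string and
# SSH_MSG_KEXINIT (RFC 4253 sections 4.2 and 7.1) for protocol 1 support and weak ciphers.
# The banners and KEXINIT payloads below are constructed for the example, not captured.
import struct

SSH_MSG_KEXINIT = 20
STRONG_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com",
                  "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"}
WEAK_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
LIST_NAMES = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def name_list(names):  # uint32 length + comma-separated ASCII names
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(kex, hostkey, ciphers, macs, compression=("none",)):
    """Encode a KEXINIT payload as a server would send it (used here to build test input)."""
    body = b"\0" * 16  # cookie; a real server fills this with random bytes
    for names in (kex, hostkey, ciphers, ciphers, macs, macs, compression, compression, (), ()):
        body += name_list(names)
    return bytes([SSH_MSG_KEXINIT]) + body + b"\0" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode the ten name-lists; a truncated or wrong message raises instead of being guessed at."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, lists = 17, []
    for _ in range(10):
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        lists.append(raw.split(",") if raw else [])
    return dict(zip(LIST_NAMES, lists))

def parse_banner(line):
    """'SSH-protoversion-softwareversion [comments]'; protoversion 1.99 means v1 and v2 are both accepted."""
    if not line.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    proto, _, rest = line[4:].rstrip("\r\n").partition("-")
    return proto, rest.split(" ", 1)[0]

def audit(banner, kexinit_payload):
    """Return the findings a reviewer would raise against the limitations listed in this chapter."""
    proto, software = parse_banner(banner)
    offered = parse_kexinit(kexinit_payload)
    ciphers = set(offered["enc_c2s"]) | set(offered["enc_s2c"])
    macs = set(offered["mac_c2s"]) | set(offered["mac_s2c"])
    findings = []
    if proto in ("1.3", "1.5", "1.99"):
        findings.append("accepts SSH protocol 1 (56-bit DES is negotiated there, outside KEXINIT)")
    if ciphers & WEAK_CIPHERS:
        findings.append("offers weak ciphers: " + ", ".join(sorted(ciphers & WEAK_CIPHERS)))
    if not ciphers & STRONG_CIPHERS:
        findings.append("no AES or ChaCha20 cipher offered")
    if macs & WEAK_MACS:
        findings.append("offers weak MACs: " + ", ".join(sorted(macs & WEAK_MACS)))
    return {"software": software, "protocol": proto, "findings": findings}

# Constructed samples: a DES/3DES-only switch that still answers protocol 1, and a current server.
LEGACY_BANNER = "SSH-1.99-Cisco-1.25"  # assumed banner shape for an IOS switch with both versions enabled
LEGACY_KEXINIT = build_kexinit(["diffie-hellman-group1-sha1"], ["ssh-rsa"], ["3des-cbc"],
                               ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"])
MODERN_BANNER = "SSH-2.0-OpenSSH_9.6"
MODERN_KEXINIT = build_kexinit(["curve25519-sha256"], ["ssh-ed25519"],
                               ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
                               ["hmac-sha2-256-etm@openssh.com"])

if __name__ == "__main__":
    for banner, payload in ((LEGACY_BANNER, LEGACY_KEXINIT), (MODERN_BANNER, MODERN_KEXINIT)):
        print(audit(banner, payload))
```

To run this against a real host, read the first line the server sends after connecting to TCP port 22 (the banner), send your own banner, then read one binary packet and strip the SSH packet header (uint32 packet length, byte padding length) to obtain the KEXINIT payload; the parsing and the findings are unchanged.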
For more information about these commands, see the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fothercr/srfssh.htm.
Configuring the Switch for Secure Socket Layer HTTP
When a connection attempt is made, the HTTPS server provides a secure connection by presenting to the client an X.509v3 certificate obtained from a specified CA trustpoint. The client (usually a Web browser) holds the CA's public key, which allows it to verify the certificate. For secure HTTP connections, we highly recommend that you configure a CA trustpoint.
CipherSuites
A CipherSuite specifies the encryption algorithm and the digest algorithm to use on an SSL connection. When connecting to the HTTPS server, the client Web browser offers a list of supported CipherSuites, and the client and server negotiate the best encryption algorithm to use from those on the list that are supported by both. For example, Netscape Communicator 4.76 supports U.S.
SSL Configuration Guidelines
Before you configure a CA trustpoint, you should ensure that the system clock is set. If the clock is not set, the certificate is rejected due to an incorrect date.
Configuring a CA Trustpoint
For secure HTTP connections, we recommend that you configure an official CA trustpoint. A certificate issued through a CA trustpoint is more secure than a self-signed certificate, because clients can verify it against a CA they already trust instead of having to accept an unverified certificate.
Configuring the Secure HTTP Server
If you are using a certificate authority for certification, you should use the previous procedure to configure the CA trustpoint on the switch before enabling the HTTP server. If you have not configured a CA trustpoint, a self-signed certificate is generated the first time that you enable the secure HTTP server.
Step 11 ip http timeout-policy idle seconds life seconds requests value: (Optional) Specify how long a connection to the HTTP server can remain open under the defined circumstances:
• idle—the maximum time period when no data is received or response data cannot be sent. The range is 1 to 600 seconds. The default is 180 seconds (3 minutes).
Configuring the Switch for Secure Copy Protocol
Step 3 ip http client secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-md5] [rc4-128-sha] [des-cbc-sha]}: (Optional) Specify the CipherSuites (encryption algorithms) to be used for encryption over the HTTPS connection. If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support.
Information About Secure Copy
To configure the Secure Copy feature, you should understand these concepts. The behavior of SCP is similar to that of remote copy (rcp), which comes from the Berkeley r-tools suite, except that SCP relies on SSH for security.
Chapter 7 Configuring IEEE 802.1x Port-Based Authentication
This chapter describes how to configure IEEE 802.1x port-based authentication on the switch. IEEE 802.1x authentication prevents unauthorized devices (clients) from gaining access to the network.
Note For complete syntax and usage information for the commands used in this chapter, see the “RADIUS Commands” section in the Cisco IOS Security Command Reference, Release 12.2 and the command reference for this release.
Understanding IEEE 802.1x Port-Based Authentication
• IEEE 802.1x Accounting Attribute-Value Pairs, page 7-9
• Using IEEE 802.1x Authentication with VLAN Assignment, page 7-10
• Using IEEE 802.1x Authentication with Per-User ACLs, page 7-11
• Using IEEE 802.1x Authentication with Guest VLAN, page 7-12
• Using IEEE 802.1x Authentication with Restricted VLAN, page 7-13
• Using IEEE 802.
• Switch (edge switch or wireless access point)—controls the physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client.
Figure 7-2 shows the authentication process.
Figure 7-2 Authentication Flowchart (figure; decision points recovered from the diagram: Start. Is the client IEEE 802.1x capable? If yes, start IEEE 802.1x port-based authentication: the switch gets an EAPOL message, and the EAPOL message exchange begins. If no, the IEEE 802.1x authentication process times out, and the switch checks whether MAC authentication bypass is enabled. A separate branch handles the case in which the client identity is invalid.)
The Termination-Action RADIUS attribute (Attribute [29]) specifies the action to take during re-authentication. The actions are Initialize and ReAuthenticate. When the Initialize action is set (the attribute value is DEFAULT), the IEEE 802.1x session ends, and connectivity is lost during re-authentication.
The specific exchange of EAP frames depends on the authentication method being used. Figure 7-3 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.
Figure 7-4 Message Exchange During MAC Authentication Bypass (figure; sequence recovered from the diagram: the switch sends EAPOL Request/Identity to the client three times without a response; the client sends an ordinary Ethernet packet; the switch sends a RADIUS Access-Request to the authentication server; the server answers with a RADIUS Access-Accept.)
Ports in Authorized and Unauthorized States
During IEEE 802.
If the client is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are allowed through the port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried.
IEEE 802.1x Accounting
The IEEE 802.1x standard defines how users are authorized and authenticated for network access but does not keep track of network usage. IEEE 802.1x accounting is disabled by default. You can enable IEEE 802.1x accounting to monitor this activity on IEEE 802.1x-enabled ports:
• User successfully authenticates.
• User logs off.
• Link-down occurs.
Table 7-1 Accounting AV Pairs (continued)
Attribute Number and AV Pair Name: START / INTERIM / STOP
Attribute[46] Acct-Session-Time: Never / Never / Always
Attribute[49] Acct-Terminate-Cause: Never / Never / Always
Attribute[61] NAS-Port-Type: Always / Always / Always
The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
To configure VLAN assignment you need to perform these tasks:
• Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server.
• Enable IEEE 802.
The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of RADIUS-server per-user ACLs. For examples of vendor-specific attributes, see the “Configuring the Switch to Use Vendor-Specific RADIUS Attributes” section on page 6-29. For more information about configuring ACLs, see Chapter 26, “Configuring Network Security with ACLs.
a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is specified. For more information, see the “Using IEEE 802.1x Authentication with MAC Authentication Bypass” section on page 7-17.
Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass
When the switch cannot reach the configured RADIUS servers and hosts cannot be authenticated, you can configure the switch to allow network access to the hosts connected to critical ports.
• Restricted VLAN—If the port is already authorized in a restricted VLAN and the RADIUS servers are unavailable, the switch puts the critical port in the critical-authentication state in the restricted VLAN.
• IEEE 802.1x accounting—Accounting is not affected if the RADIUS servers are unavailable.
IEEE 802.1x authentication authenticates the port, and port security manages network access for all MAC addresses, including that of the client. You can then limit the number or group of clients that can access the network through an IEEE 802.1x port. These are some examples of the interaction between IEEE 802.
Note If PortFast is not enabled on the port, the port is forced to the bidirectional state.
When you configure a port as unidirectional by using the dot1x control-direction in interface configuration command, the port changes to the spanning-tree forwarding state. The port can send packets to the host but cannot receive packets from the host.
MAC authentication bypass interacts with these features:
• IEEE 802.1x authentication—You can enable MAC authentication bypass only if IEEE 802.1x authentication is enabled on the port.
• Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a guest VLAN if one is configured.
• Restricted VLAN—This feature is not supported when the client connected to an IEEE 802.
Configuring IEEE 802.1x Authentication
Default IEEE 802.1x Authentication Configuration
Table 7-2 shows the default IEEE 802.1x authentication configuration.
Table 7-2 Default IEEE 802.1x Authentication Configuration
Switch IEEE 802.1x enable state: Disabled.
Per-port IEEE 802.1x enable state: Disabled (force-authorized). The port sends and receives normal traffic without IEEE 802.
Table 7-2 Default IEEE 802.1x Authentication Configuration (continued)
Authenticator (switch) mode: None specified.
MAC authentication bypass: Disabled.
IEEE 802.1x Authentication Configuration Guidelines
This section has configuration guidelines for these features:
• IEEE 802.
– Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable IEEE 802.1x authentication on a port that is a SPAN or RSPAN destination port. However, IEEE 802.1x authentication is disabled until the port is removed as a SPAN or RSPAN destination port. You can enable IEEE 802.1x authentication on a SPAN or RSPAN source port.
• Before globally enabling IEEE 802.
MAC Authentication Bypass
These are the MAC authentication bypass configuration guidelines:
• Unless otherwise stated, the MAC authentication bypass guidelines are the same as the IEEE 802.1x authentication guidelines. For more information, see the “IEEE 802.1x Authentication” section on page 7-20.
Step 3 aaa authentication dot1x {default} method1: Create an IEEE 802.1x authentication method list. To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the method that is to be used in default situations. The default method list is automatically applied to all ports.
Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on the switch. This procedure is required.
Step 1 configure terminal: Enter global configuration mode.
Step 2 radius-server host {hostname | ip-address}: Configure the RADIUS server parameters.
Configuring the Host Mode
Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) on an IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 4 dot1x timeout reauth-period {seconds | server}: Set the number of seconds between re-authentication attempts. The keywords have these meanings:
• seconds—Sets the number of seconds from 1 to 65535; the default is 3600 seconds.
Step 3 dot1x timeout quiet-period seconds: Set the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client. The range is 1 to 65535 seconds; the default is 60.
Step 4 end: Return to privileged EXEC mode.
Step 5 show dot1x interface interface-id: Verify your entries.
Setting the Switch-to-Client Frame-Retransmission Number
In addition to changing the switch-to-client retransmission time, you can change the number of times that the switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting the authentication process.
Setting the Re-Authentication Number
You can also change the number of times that the switch restarts the authentication process before the port changes to the unauthorized state.
Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
Note You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and interim-update messages and time stamps. To turn on these functions, enable logging of “Update/Watchdog packets from this AAA client” in your RADIUS server Network Configuration tab. Next, enable “CSV RADIUS Accounting” in your RADIUS server System Configuration tab.
Step 3 switchport mode access: Set the port to access mode, or switchport mode private-vlan host: Configure the port as a private-VLAN host port.
Step 4 dot1x port-control auto: Enable IEEE 802.1x authentication on the port.
Step 5 dot1x guest-vlan vlan-id: Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094.
Step 5 dot1x auth-fail vlan vlan-id: Specify an active VLAN as an IEEE 802.1x restricted VLAN. The range is 1 to 4094. You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x restricted VLAN.
Step 6 end: Return to privileged EXEC mode.
Step 7 show dot1x interface interface-id: (Optional) Verify your entries.
This example shows how to set 2 as the number of authentication attempts allowed before the port moves to the restricted VLAN:
Switch(config-if)# dot1x auth-fail max-attempts 2
Configuring the Inaccessible Authentication Bypass Feature
You can configure the inaccessible authentication bypass feature, also referred to as critical authentication or the AAA fail policy.
Step 4 radius-server host ip-address [acct-port udp-port] [auth-port udp-port] [key string] [test username name [idle-time time] [ignore-acct-port] [ignore-auth-port]]: (Optional) Configure the RADIUS server parameters by using these keywords:
• acct-port udp-port—Specify the UDP port for the RADIUS accounting server. The range for the UDP port number is from 0 to 65535.
Step 7 dot1x critical [recovery action reinitialize | vlan vlan-id]: Enable the inaccessible authentication bypass feature, and use these keywords to configure the feature:
• recovery action reinitialize—Enable the recovery feature, and specify that the recovery action is to authenticate the port when an authentication server is available.
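The flowchart in Figure 7-2 and the guest VLAN, restricted VLAN, MAC authentication bypass and inaccessible authentication bypass sections together describe one decision procedure per port. The following Python model is an added example for this page; it is not Cisco IOS code and not from the original guide. It encodes that procedure so that each outcome (authorized, guest VLAN, restricted VLAN, critical-authentication, and re-initialization once a server answers again) can be reproduced and checked. The PortConfig field names mirror the interface commands used above; the RADIUS server stub, VLAN numbers, MAC addresses and user names are invented.

```python
# Hypothetical model (not Cisco IOS code) of one authenticator port and a RADIUS server stub,
# reproducing the outcomes described in this chapter. VLANs, MACs and users are invented.
from dataclasses import dataclass
from typing import Optional

@dataclass
class PortConfig:
    access_vlan: int                      # switchport access vlan
    guest_vlan: Optional[int] = None      # dot1x guest-vlan
    auth_fail_vlan: Optional[int] = None  # dot1x auth-fail vlan
    auth_fail_max_attempts: int = 3       # dot1x auth-fail max-attempts
    critical_vlan: Optional[int] = None   # dot1x critical vlan
    mab: bool = False                     # dot1x mac-auth-bypass
    max_reauth_req: int = 2               # dot1x max-reauth-req

@dataclass
class Client:
    mac: str                  # 12 hex digits; MAB sends it as both user name and password
    dot1x_capable: bool       # False: never answers EAPOL Request/Identity
    username: str = ""
    password: str = ""

class RadiusServer:
    """Stub: users maps a user name (or a MAC, for MAB) to (password, assigned VLAN or None)."""
    def __init__(self, users, reachable=True):
        self.users, self.reachable = users, reachable

    def authenticate(self, name, password):
        if not self.reachable:
            return "unreachable", None
        entry = self.users.get(name)
        return ("accept", entry[1]) if entry and entry[0] == password else ("reject", None)

class PortAuthenticator:
    def __init__(self, cfg, server):
        self.cfg, self.server = cfg, server
        self.state, self.vlan, self.log = "unauthorized", None, []  # only EAPOL, CDP and STP pass

    def _set(self, state, vlan, why):
        self.state, self.vlan = state, vlan
        self.log.append(why)
        return state, vlan

    def link_up(self, client):
        """Figure 7-2: EAPOL identity exchange first; MAB or the guest VLAN when nobody answers."""
        if client.dot1x_capable:
            return self._eap(client)
        self.log.append(f"no EAPOL response to {1 + self.cfg.max_reauth_req} Request/Identity frames")
        return self._radius(client.mac, client.mac, "MAB accepted", self._guest) if self.cfg.mab else self._guest()

    def _eap(self, client):
        """802.1x supplicant: up to auth-fail max-attempts failures, then the restricted VLAN."""
        for attempt in range(1, self.cfg.auth_fail_max_attempts + 1):
            kind, vlan = self.server.authenticate(client.username, client.password)
            if kind == "unreachable":
                return self._critical()
            if kind == "accept":
                return self._set("authorized", vlan or self.cfg.access_vlan, "EAP success")
            self.log.append(f"EAP failure {attempt}; quiet period before retry")
        if self.cfg.auth_fail_vlan:
            return self._set("restricted", self.cfg.auth_fail_vlan, "auth-fail max-attempts exceeded")
        return self._set("unauthorized", None, "authentication failed; no restricted VLAN configured")

    def _radius(self, name, password, why, on_reject):
        kind, vlan = self.server.authenticate(name, password)
        if kind == "unreachable":
            return self._critical()
        return self._set("authorized", vlan or self.cfg.access_vlan, why) if kind == "accept" else on_reject()

    def _guest(self):
        if self.cfg.guest_vlan:
            return self._set("guest", self.cfg.guest_vlan, "no supplicant (or MAB rejected): guest VLAN")
        return self._set("unauthorized", None, "no supplicant and no guest VLAN configured")

    def _critical(self):
        """Inaccessible authentication bypass: critical-authentication state if a critical VLAN is set."""
        if self.cfg.critical_vlan:
            return self._set("critical-authentication", self.cfg.critical_vlan, "RADIUS servers unreachable")
        return self._set("unauthorized", None, "RADIUS servers unreachable and no critical VLAN configured")

    def server_recovered(self, client):
        """dot1x critical recovery action reinitialize: re-authenticate once a server answers again."""
        if self.state == "critical-authentication":
            self.log.append("RADIUS server reachable again: reinitializing port")
            return self.link_up(client)
        return self.state, self.vlan

def scenarios():
    users = {"alice": ("wonderland", 20), "001122334455": ("001122334455", 30)}  # constructed
    cfg = PortConfig(access_vlan=10, guest_vlan=50, auth_fail_vlan=60, auth_fail_max_attempts=2,
                     critical_vlan=70, mab=True)
    alice = Client("0a0b0c0d0e0f", True, "alice", "wonderland")
    mallory = Client("0a0b0c0d0e10", True, "alice", "guess")
    printer, camera = Client("001122334455", False), Client("deadbeef0001", False)
    up = RadiusServer(users)
    results = {"valid_supplicant": PortAuthenticator(cfg, up).link_up(alice),
               "bad_password": PortAuthenticator(cfg, up).link_up(mallory),
               "mab_known_mac": PortAuthenticator(cfg, up).link_up(printer),
               "mab_unknown_mac": PortAuthenticator(cfg, up).link_up(camera),
               "no_mab_no_guest": PortAuthenticator(PortConfig(access_vlan=10), up).link_up(camera)}
    down = RadiusServer(users, reachable=False)
    port = PortAuthenticator(cfg, down)
    results["servers_down"] = port.link_up(alice)
    down.reachable = True
    results["after_recovery"] = port.server_recovered(alice)
    return results
```

The model makes the trade-offs visible: a guest VLAN or a critical VLAN is a deliberate decision to grant some access without a successful authentication, and MAC authentication bypass trusts a value any host can forge, so the VLANs reached through those paths should carry only the access that an unauthenticated device is meant to have.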
Step 4 end: Return to privileged EXEC mode.
Step 5 show dot1x interface interface-id: Verify your entries.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To disable IEEE 802.1x authentication with WoL, use the no dot1x control-direction interface configuration command.
This example shows how to enable IEEE 802.
Configuring IEEE 802.1x Authentication Using a RADIUS Server
You can configure IEEE 802.1x authentication with a RADIUS server. Beginning in privileged EXEC mode, follow these steps to configure IEEE 802.1x authentication with a RADIUS server. The procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Disabling IEEE 802.1x Authentication on the Port
You can disable IEEE 802.1x authentication on the port by using the no dot1x pae interface configuration command. Beginning in privileged EXEC mode, follow these steps to disable IEEE 802.1x authentication on the port. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Displaying IEEE 802.1x Statistics and Status
To display IEEE 802.1x statistics for all ports, use the show dot1x all statistics privileged EXEC command. To display IEEE 802.1x statistics for a specific port, use the show dot1x statistics interface interface-id privileged EXEC command. To display the IEEE 802.
Chapter 8 Configuring Interface Characteristics
This chapter defines the types of interfaces on the switch and describes how to configure them.
Understanding Interface Types
Port-Based VLANs
A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 10, “Configuring VLANs.” Packets received on a port are forwarded only to ports that belong to the same VLAN as the receiving port.
Access Ports
An access port belongs to and carries the traffic of only one VLAN (unless it is configured as a voice VLAN port). Traffic is received and sent in native formats with no VLAN tagging. Traffic arriving on an access port is assumed to belong to the VLAN assigned to the port. If an access port receives a tagged packet (Inter-Switch Link [ISL] or IEEE 802.
EtherChannel Port Groups
EtherChannel port groups treat multiple switch ports as one switch port. These port groups act as a single logical port for high-bandwidth connections between switches or between switches and servers. An EtherChannel balances the traffic load across the links in the channel. If a link within the EtherChannel fails, traffic previously carried over the failed link changes to the remaining links.
Connecting Interfaces
Devices within a single VLAN can communicate directly through any switch. Ports in different VLANs cannot exchange data without going through a routing device. In the configuration shown in Figure 8-1, when Blade Server A in VLAN 20 sends data to Blade Server B in VLAN 30, the data must go from Blade Server A to the switch, to the router, back to the switch, and then to Blade Server B.
Using Interface Configuration Mode
The switch supports these interface types:
• Physical ports—switch ports
• VLANs—switch virtual interfaces
• Port channels—EtherChannel interfaces
You can also configure a range of interfaces (see the “Configuring a Range of Interfaces” section on page 8-7).
Step 3 Follow each interface command with the interface configuration commands that the interface requires. The commands that you enter define the protocols and applications that will run on the interface. The commands are collected and applied to the interface when you enter another interface command or enter end to return to privileged EXEC mode.
When using the interface range global configuration command, note these guidelines:
• Valid entries for port-range:
– vlan vlan-ID, where the VLAN ID is 1 to 4094
– gigabitethernet module/{first port} - {last port}, where the module is always 0
– port-channel port-channel-number - port-channel-number, where the port-channel-number is 1 to 48
Note When you use the interface range command with port channels, the first an
Step 3 interface range macro macro_name: Select the interface range to be configured using the values saved in the interface-range macro called macro_name. You can now use the normal configuration commands to apply the configuration to all interfaces in the defined macro.
Step 4 end: Return to privileged EXEC mode.
Configuring Ethernet Interfaces
This example shows how to delete the interface-range macro enet_list and to verify that it was deleted.
Chapter 8 Configuring Interface Characteristics Configuring Ethernet Interfaces Table 8-1 Default Layer 2 Ethernet Interface Configuration (continued) Feature Default Setting Port security Disabled. See the “Default Port Security Configuration” section on page 19-10. Port Fast Disabled. Enabled by default on Gigabit Ethernet interfaces 0/1 to 0/16. See the “Default Optional Spanning-Tree Configuration” section on page 15-9. Auto-MDIX Enabled.
Chapter 8 Configuring Interface Characteristics Configuring Ethernet Interfaces Caution • If both ends of the line support autonegotiation, we highly recommend the default setting of auto negotiation. • If one interface supports autonegotiation and the other end does not, configure duplex and speed on both interfaces; do not use the auto setting on the supported side. • When STP is enabled and a port is reconfigured, the switch can take up to 30 seconds to check for loops.
Step 3 media-type {auto-select | rj45 | sfp | internal} Select the interface and type of a dual-purpose uplink port. These keyword meanings apply on Gigabit Ethernet interfaces 0/17 to 0/20 and 0/23 to 0/24; they do not apply on Gigabit Ethernet interfaces 0/1 to 0/16 or 0/21 to 0/22. The keywords have these meanings: • auto-select—The switch dynamically selects the type.
Setting the Interface Speed and Duplex Parameters Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the physical interface to be configured, and enter interface configuration mode.
Configuring IEEE 802.3x Flow Control Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. If one port experiences congestion and cannot receive any more traffic, it notifies the other port by sending a pause frame to stop sending until the condition clears.
Configuring Auto-MDIX on an Interface When automatic medium-dependent interface crossover (auto-MDIX) is enabled on an interface, the interface automatically detects the required cable connection type (straight through or crossover) and configures the connection appropriately.
This example shows how to enable auto-MDIX on a port:
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# speed auto
Switch(config-if)# duplex auto
Switch(config-if)# mdix auto
Switch(config-if)# end
Adding a Description for an Interface You can add a description about an interface to help you remember its function.
Chapter 8 Configuring Interface Characteristics Configuring the System MTU Configuring the System MTU The default maximum transmission unit (MTU) size for frames received and transmitted on all interfaces on the switch is 1500 bytes. You can increase the MTU size for all interfaces operating at 10 or 100 Mbps by using the system mtu global configuration command.
Chapter 8 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces
This example shows the response when you try to set Gigabit Ethernet interfaces to an out-of-range number:
Switch(config)# system mtu jumbo 25000
                                 ^
% Invalid input detected at '^' marker.
Clearing and Resetting Interfaces and Counters Table 8-4 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces.
Table 8-4 Clear Commands for Interfaces
clear counters [interface-id]: Clear interface counters.
clear interface interface-id: Reset the hardware logic on an interface.
C H A P T E R 9 Configuring Smartports Macros This chapter describes how to configure and apply Smartports macros on the switch. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 9 Configuring Smartports Macros Configuring Smartports Macros
Table 9-1 Cisco-Default Smartports Macros (continued)
Macro Name: cisco-phone. Description: Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
Smartports Macro Configuration Guidelines Follow these guidelines when configuring macros on your switch:
• When creating a macro, do not use the exit or end commands or change the command mode by using interface interface-id. This could cause commands that follow exit, end, or interface interface-id to execute in a different command mode.
• When creating a macro, all CLI commands should be in the same configuration mode.
Follow these guidelines when you apply a Cisco-default Smartports macro on an interface:
• Display all macros on the switch by using the show parser macro user EXEC command. Display the contents of a specific macro by using the show parser macro name macro-name user EXEC command.
• Keywords that begin with $ mean that a unique parameter value is required.
Applying Smartports Macros Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}] Apply each individual command defined in the macro to the switch by entering macro global apply macro-name.
This example shows how to apply the user-created macro called snmp, to set the hostname address to test-server, and to set the IP precedence value to 7:
Switch(config)# macro global apply snmp ADDRESS test-server VALUE 7
This example shows how to debug the user-created macro called snmp by using the macro global trace global configuration command to find any syntax or configuration errors in the macro when it is applied to the switch.
Step 7 macro {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}] Append the Cisco-default macro with the required values by using the parameter value keywords, and apply the macro to the interface. Keywords that begin with $ mean that a unique parameter value is required. You can use the macro apply macro-name ? command to display a list of any required values in the macro.
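As an added example that is not from the configuration guide, the following Python models what the switch does when a macro is applied with parameter values: it rejects a macro body that contains exit, end, or interface interface-id (the guideline above), refuses to apply the macro when a $ keyword has no value (Step 7), and otherwise expands the body into the commands that would run on the interface. The macro text, the $AVID parameter, and the interface name are constructed for the example and are not Cisco-default macros.

```python
"""Model of Smartports macro validation and expansion (added example, not
from the configuration guide). Macro text and parameter names below are
constructed for illustration; they are not Cisco-default macros."""

import re

# Constructed user macro in the style of an access-port macro.
DESKTOP_MACRO = """\
switchport mode access
switchport access vlan $AVID
switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
spanning-tree portfast
spanning-tree bpduguard enable
"""

# A deliberately bad macro: it changes the command mode in the middle of the body.
BAD_MACRO = """\
interface gigabitethernet0/2
switchport mode access
end
"""

MODE_CHANGING = re.compile(r"^\s*(exit|end|interface\s+\S+)\s*$")
PARAM = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def required_parameters(body: str) -> set[str]:
    """Return the '$' keywords that need a value (what 'macro apply NAME ?' lists)."""
    return set(PARAM.findall(body))


def check_macro(body: str) -> list[str]:
    """Return the guideline violations found in a macro body (empty if clean)."""
    problems = []
    for lineno, line in enumerate(body.splitlines(), 1):
        if MODE_CHANGING.match(line):
            problems.append(f"line {lineno}: '{line.strip()}' changes the command mode")
    return problems


def apply_macro(body: str, **params: str) -> list[str]:
    """Expand the macro into the interface commands the switch would execute.

    Raises ValueError if the body breaks a guideline or a '$' keyword has no
    value, mirroring the switch refusing an incomplete macro.
    """
    problems = check_macro(body)
    if problems:
        raise ValueError("; ".join(problems))
    missing = required_parameters(body) - set(params)
    if missing:
        raise ValueError(f"missing value for: {', '.join(sorted(missing))}")
    commands = []
    for line in body.splitlines():
        if line.strip():
            commands.append(PARAM.sub(lambda m: params[m.group(1)], line.strip()))
    return commands


if __name__ == "__main__":
    for cmd in apply_macro(DESKTOP_MACRO, AVID="10"):
        print(cmd)
    try:
        apply_macro(DESKTOP_MACRO)          # no value for $AVID
    except ValueError as err:
        print("refused:", err)
    print(check_macro(BAD_MACRO))
```

The check runs before any command is expanded, which is the order that matters: a macro that changes mode halfway through would otherwise apply its first commands to one interface and the rest somewhere else.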
Chapter 9 Configuring Smartports Macros Displaying Smartports Macros
To display the Smartports macros, use one or more of the privileged EXEC commands in Table 9-2.
Table 9-2 Commands for Displaying Smartports Macros
show parser macro: Displays all configured macros.
show parser macro name macro-name: Displays a specific macro.
show parser macro brief: Displays the configured macro names.
C H A P T E R 10 Configuring VLANs This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS). Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 10 Configuring VLANs Understanding VLANs
Figure 10-1 shows an example of VLANs segmented into logically defined networks.
[Figure 10-1 VLANs as Logically Defined Networks: an Engineering VLAN, a Marketing VLAN, and an Accounting VLAN spanning Floors 1 to 3, interconnected over Gigabit Ethernet through a Cisco router]
VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
VLAN Port Membership Modes You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries and the number of VLANs to which it can belong. Table 10-1 lists the membership modes and membership and VTP characteristics.
Chapter 10 Configuring VLANs Configuring Normal-Range VLANs
Configuring Normal-Range VLANs Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or VTP transparent mode, you can add, modify, or remove configurations for VLANs 2 to 1001 in the VLAN database. (VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be removed.
These sections contain normal-range VLAN configuration information: • Token Ring VLANs, page 10-5 • Normal-Range VLAN Configuration Guidelines, page 10-5 • VLAN Configuration Mode Options, page 10-6 • Saving VLAN Configuration, page 10-6 • Default Ethernet VLAN Configuration, page 10-7 • Creating or Modifying an Ethernet VLAN, page 10-8 • Deleting a VLAN, page 10-9 • Assigning Static-Access Ports to a VLAN, page 10-10 Token Ring V
are several adjacent switches that all have run out of spanning-tree instances. You can prevent this possibility by setting allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances. If the number of VLANs on the switch exceeds the number of supported spanning-tree instances, we recommend that you configure the IEEE 802.
When you save VLAN and VTP information (including extended-range VLAN configuration information) in the startup configuration file and reboot the switch, the switch configuration is selected as follows: Caution • If the VTP mode is transparent in the startup configuration, and the VLAN database and the VTP domain name from the VLAN database matches that in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and
Creating or Modifying an Ethernet VLAN Each Ethernet VLAN in the VLAN database has a unique, 4-digit ID that can be a number from 1 to 1001. VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs. To create a normal-range VLAN to be added to the VLAN database, assign a number and name to the VLAN. Note When the switch is in VTP transparent mode, you can assign extended-range VLAN IDs (1006 to 4094), but they are not added to the VLAN database.
You can also create or modify Ethernet VLANs by using the VLAN database configuration mode. Note VLAN database configuration mode does not support RSPAN VLAN configuration or extended-range VLANs. Beginning in privileged EXEC mode, follow these steps to use VLAN database configuration mode to create or modify an Ethernet VLAN: Command Purpose Step 1 vlan database Enter VLAN database configuration mode.
Caution When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN. Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no vlan vlan-id Remove the VLAN by entering the VLAN ID.
Chapter 10 Configuring VLANs Configuring Extended-Range VLANs
To return an interface to its default configuration, use the default interface interface-id interface configuration command. This example shows how to configure a port as an access port in VLAN 2:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Extended-Range VLAN Configuration Guidelines Follow these guidelines when creating extended-range VLANs: • To add an extended-range VLAN, you must use the vlan vlan-id global configuration command and access config-vlan mode. You cannot add extended-range VLANs in VLAN database configuration mode (accessed by entering the vlan database privileged EXEC command).
Chapter 10 Configuring VLANs Displaying VLANs
Command Purpose Step 3 vlan vlan-id Enter an extended-range VLAN ID and enter config-vlan mode. The range is 1006 to 4094. Step 4 mtu mtu-size (Optional) Modify the VLAN by changing the MTU size. Note Although all VLAN commands appear in the CLI help in config-vlan mode, only the mtu mtu-size and remote-span commands are supported for extended-range VLANs. Step 5 remote-span (Optional) Configure the VLAN as the RSPAN VLAN.
Chapter 10 Configuring VLANs Configuring VLAN Trunks
Table 10-3 VLAN Monitoring Commands (continued)
show interfaces [vlan vlan-id] (privileged EXEC): Display characteristics for all interfaces or for the specified VLAN configured on the switch.
show vlan [id vlan-id] (privileged EXEC): Display parameters for all VLANs or the specified VLAN on the switch.
Figure 10-2 shows a network of blade switches that are connected by ISL trunks.
[Figure 10-2 Blade Switches in an ISL Trunking Environment: four blade switches carrying VLAN1, VLAN2, and VLAN3, connected by ISL trunks to a Catalyst 6500 series switch]
You can configure a trunk on a single Ethernet interface or on an EtherChannel bundle.
Table 10-4 Layer 2 Interface Modes
switchport mode access: Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether or not the neighboring interface is a trunk interface.
switchport mode dynamic auto: Makes the interface able to convert the link to a trunk link. Because such an interface becomes a trunk whenever the neighboring interface negotiates one, use switchport mode access on ports that face end stations so that they cannot be negotiated into a trunk.
• Make sure the native VLAN for an IEEE 802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk is different from the native VLAN on the other end, spanning-tree loops might result.
• Disabling spanning tree on the native VLAN of an IEEE 802.1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning-tree loops.
– STP Port Fast setting.
– trunk status: if one port in a port group ceases to be a trunk, all ports cease to be trunks.
• We recommend that you configure no more than 24 trunk ports in PVST mode and no more than 40 trunk ports in MST mode.
• If you try to enable IEEE 802.1x on a trunk port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, the port mode is not changed.
To return an interface to its default configuration, use the default interface interface-id interface configuration command. To reset all trunking characteristics of a trunking interface to the defaults, use the no switchport trunk interface configuration command. To disable trunking, use the switchport mode access interface configuration command to configure the port as a static-access port. This example shows how to configure a port as an IEEE 802.
Step 4 switchport trunk allowed vlan {add | all | except | remove} vlan-list (Optional) Configure the list of VLANs allowed on the trunk. For explanations about using the add, all, except, and remove keywords, see the command reference for this release. The vlan-list parameter is either a single VLAN number from 1 to 4094 or a range of VLANs described by two VLAN numbers, the lower one first, separated by a hyphen.
Step 5 show interfaces interface-id switchport Verify your entries in the Pruning VLANs Enabled field of the display. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default pruning-eligible list of all VLANs, use the no switchport trunk pruning vlan interface configuration command.
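As an added example that is not part of the configuration guide, the Python below serves two passages above: the trunk configuration guideline that the native VLAN must match on both ends of an IEEE 802.1Q trunk, and Step 4's switchport trunk allowed vlan command. It evaluates a sequence of allowed-VLAN commands (add, all, except, remove, or a plain list) into the resulting allowed set, enforces the vlan-list syntax (IDs 1 to 4094, lower number first in a range), and reports a native-VLAN or allowed-list mismatch between the two ends. The two interface configurations are constructed for the example; the add/all/except/remove semantics are the standard ones the command reference documents.

```python
"""Trunk consistency checker (added example, not from the configuration guide).
The interface configurations for 'Switch A' and 'Switch B' are constructed."""

import re

VLAN_MIN, VLAN_MAX = 1, 4094
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))
ALLOWED_CMD = re.compile(r"switchport trunk allowed vlan\s+(?:(add|all|except|remove)\b\s*)?(.*)$")
NATIVE_CMD = re.compile(r"switchport trunk native vlan\s+(\d+)")


def parse_vlan_list(text: str) -> set[int]:
    """Parse a vlan-list such as '1,10-20,4094', enforcing the documented syntax."""
    vlans = set()
    for item in text.split(","):
        item = item.strip()
        if "-" in item:
            low, high = (int(x) for x in item.split("-", 1))
            if low > high:
                raise ValueError(f"range {item}: the lower VLAN number must come first")
        else:
            low = high = int(item)
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError(f"{item}: VLAN IDs must be {VLAN_MIN} to {VLAN_MAX}")
        vlans.update(range(low, high + 1))
    return vlans


def allowed_vlans(commands: list[str]) -> frozenset[int]:
    """Apply 'switchport trunk allowed vlan' commands in order; the default is all VLANs."""
    allowed = set(ALL_VLANS)
    for cmd in commands:
        m = ALLOWED_CMD.match(cmd.strip())
        if not m:
            continue
        keyword, rest = m.group(1), m.group(2).strip()
        if keyword == "all":
            allowed = set(ALL_VLANS)
        elif keyword == "add":
            allowed |= parse_vlan_list(rest)
        elif keyword == "remove":
            allowed -= parse_vlan_list(rest)
        elif keyword == "except":
            allowed = set(ALL_VLANS) - parse_vlan_list(rest)
        else:
            allowed = parse_vlan_list(rest)      # a plain list replaces the set
    return frozenset(allowed)


def native_vlan(commands: list[str]) -> int:
    """Native VLAN of an IEEE 802.1Q trunk: VLAN 1 unless configured otherwise."""
    for cmd in commands:
        m = NATIVE_CMD.match(cmd.strip())
        if m:
            return int(m.group(1))
    return 1


def check_trunk(end_a: list[str], end_b: list[str]) -> list[str]:
    """Report mismatches between the two ends of one trunk link."""
    findings = []
    nat_a, nat_b = native_vlan(end_a), native_vlan(end_b)
    if nat_a != nat_b:
        findings.append(f"native VLAN mismatch: {nat_a} vs {nat_b} (spanning-tree loops may result)")
    only_a = allowed_vlans(end_a) - allowed_vlans(end_b)
    only_b = allowed_vlans(end_b) - allowed_vlans(end_a)
    if only_a or only_b:
        findings.append(f"allowed lists differ: {len(only_a)} VLANs only on A, {len(only_b)} only on B")
    return findings


# Constructed configurations for the two ends of one trunk.
SWITCH_A_GI0_1 = [
    "switchport trunk encapsulation dot1q",
    "switchport mode trunk",
    "switchport trunk native vlan 99",
    "switchport trunk allowed vlan 2-4,8-10",
    "switchport trunk allowed vlan add 99",
]
SWITCH_B_GI0_1 = [
    "switchport trunk encapsulation dot1q",
    "switchport mode trunk",
    "switchport trunk allowed vlan except 1",
    "switchport trunk allowed vlan remove 1006-4094",
]

if __name__ == "__main__":
    for finding in check_trunk(SWITCH_A_GI0_1, SWITCH_B_GI0_1):
        print(finding)
```

Run against the two constructed ends, the checker flags the native VLAN mismatch (99 on Switch A, the default 1 on Switch B) and the fact that Switch B still allows 997 VLANs that Switch A prunes; both are the conditions the guideline and the allowed-list step are meant to prevent.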
You configure load sharing on trunk ports by using STP port priorities or STP path costs. For load sharing using STP port priorities, both load-sharing links must be connected to the same switch. For load sharing using STP path costs, each load-sharing link can be connected to the same switch or to two different switches. For more information about STP, see Chapter 13, “Configuring STP.
Command Purpose Step 6 show vlan Verify that the VLANs exist in the database on Switch A. Step 7 configure terminal Enter global configuration mode. Step 8 interface gigabitethernet 0/1 Define the interface to be configured as a trunk, and enter interface configuration mode. Step 9 switchport trunk encapsulation {isl | dot1q | negotiate} Configure the port to support ISL or IEEE 802.
[Figure 10-4 Load-Sharing Trunks with Traffic Distributed by Path Cost: Switch A and Switch B are joined by two trunks; trunk port 1 carries VLANs 2 to 4 at path cost 30 and VLANs 8 to 10 at path cost 19, and trunk port 2 carries VLANs 8 to 10 at path cost 30 and VLANs 2 to 4 at path cost 19]
Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 10-4: Command Purpose Step 1 configure terminal Enter global configuration mode on Switch A.
Chapter 10 Configuring VLANs Configuring VMPS
Configuring VMPS The VLAN Query Protocol (VQP) is used to support dynamic-access ports, which are not permanently assigned to a VLAN but receive VLAN assignments based on the MAC source addresses seen on the port. Each time an unknown MAC address is seen, the switch sends a VQP query to a remote VMPS; the query includes the newly seen MAC address and the port on which it was seen. The VMPS responds with a VLAN assignment for the port.
Dynamic-Access Port VLAN Membership A dynamic-access port can belong to only one VLAN with an ID from 1 to 4094. When the link comes up, the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment. The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic-access port and attempts to match the MAC address to a VLAN in the VMPS database.
• Trunk ports cannot be dynamic-access ports, but you can enter the switchport access vlan dynamic interface configuration command for a trunk port. In this case, the switch retains the setting and applies it if the port is later configured as an access port. You must turn off trunking on the port before the dynamic-access setting takes effect.
• Dynamic-access ports cannot be monitor ports.
• Secure ports cannot be dynamic-access ports.
Beginning in privileged EXEC mode, follow these steps to configure a dynamic-access port on a VMPS client switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the switch port that is connected to the end station, and enter interface configuration mode. Step 3 switchport mode access Set the port to access mode.
To return the switch to its default setting, use the no vmps reconfirm global configuration command. Changing the Retry Count Beginning in privileged EXEC mode, follow these steps to change the number of times that the switch attempts to contact the VMPS before querying the next server: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vmps retry count Change the retry count. The retry range is 1 to 10; the default is 3.
Troubleshooting Dynamic-Access Port VLAN Membership The VMPS shuts down a dynamic-access port under these conditions:
• The VMPS is in secure mode, and it does not allow the host to connect to the port. The VMPS shuts down the port to prevent the host from connecting to the network.
• More than 20 active hosts reside on a dynamic-access port.
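As an added example that is not from the configuration guide, the following Python models the VQP exchange for one dynamic-access port under the rules in this section: the client switch sends the first source MAC address seen on the port to the VMPS, the VMPS answers from its MAC-address-to-VLAN database, the port belongs to one VLAN at a time, a host the VMPS does not allow causes a port shutdown in secure mode, and more than 20 active hosts also shut the port down. The database and MAC addresses are constructed. Two details are assumptions of the model rather than statements from the guide: in open (non-secure) mode an unknown host is refused without shutting the port, and a known host that maps to a different VLAN than the port's current one is refused.

```python
"""Model of dynamic-access port VLAN membership via VQP (added example, not
from the configuration guide). Database contents and MAC addresses are
constructed; open-mode denial and the different-VLAN refusal are assumptions."""

from dataclasses import dataclass, field
from typing import Optional

MAX_ACTIVE_HOSTS = 20


@dataclass
class VMPS:
    """A VMPS holding a MAC-address-to-VLAN database."""
    database: dict[str, int]
    secure: bool = False

    def query(self, mac: str) -> Optional[int]:
        """Answer a VQP query: the VLAN for this MAC, or None if the host is not allowed."""
        return self.database.get(mac.lower())


@dataclass
class DynamicAccessPort:
    """A dynamic-access port on a VMPS client switch."""
    vlan: Optional[int] = None          # nothing is forwarded until the VMPS assigns a VLAN
    active_hosts: set[str] = field(default_factory=set)
    shutdown: bool = False

    def frame_from(self, mac: str, vmps: VMPS) -> str:
        """Handle a frame whose source MAC is 'mac' and report what happened."""
        if self.shutdown:
            return "dropped: port is shut down"
        if mac in self.active_hosts:
            return f"forwarded in VLAN {self.vlan}"
        vlan = vmps.query(mac)                       # first packet from a new host -> VQP query
        if vlan is None:
            if vmps.secure:
                self.shutdown = True                 # secure mode: VMPS shuts the port down
                return f"shutdown: {mac} denied in secure mode"
            return f"denied: {mac} not in VMPS database"   # assumption: open mode only refuses
        if self.vlan is not None and vlan != self.vlan:
            # One VLAN per dynamic-access port (assumption: the new host is refused).
            return f"denied: {mac} maps to VLAN {vlan}, port is in VLAN {self.vlan}"
        self.active_hosts.add(mac)
        if len(self.active_hosts) > MAX_ACTIVE_HOSTS:
            self.shutdown = True
            return "shutdown: more than 20 active hosts"
        self.vlan = vlan
        return f"assigned VLAN {vlan}, forwarding {mac}"


# Constructed VMPS database; the MAC addresses are made up.
DATABASE = {"0000.0c00.0001": 10, "0000.0c00.0002": 10, "0000.0c00.0003": 20}


def run_scenario(secure: bool) -> list[str]:
    """Replay a fixed sequence of hosts against an open or a secure VMPS."""
    vmps = VMPS(DATABASE, secure=secure)
    port = DynamicAccessPort()
    log = []
    for mac in ("0000.0c00.0001", "0000.0c00.0002", "0000.0c00.0003",
                "0000.0c00.00ff", "0000.0c00.0001"):
        log.append(port.frame_from(mac, vmps))
    return log


if __name__ == "__main__":
    for line in run_scenario(secure=False):
        print("open  :", line)
    for line in run_scenario(secure=True):
        print("secure:", line)
```

The same host sequence ends differently in the two modes: in open mode the unknown MAC is refused and the port keeps serving the hosts already in VLAN 10, while in secure mode the unknown MAC shuts the port down and every later frame, including one from an allowed host, is dropped. Because the assignment is keyed only on the source MAC address, a host that presents a MAC address from the database obtains that VLAN; the guide's note that secure ports cannot be dynamic-access ports means port security cannot be combined with this mechanism on the same port.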
[Figure 10-5 Dynamic Port VLAN Membership Configuration: TFTP server; Catalyst 6500 series switch A as primary VMPS server 1 (172.20.26.150); router (172.20.22.7); client switch B (172.20.26.151) with end station 1 on a dynamic-access port and a trunk port; switch C (172.20.26.152); switch D (172.20.26.153); switch E (172.20.26.154); switch F (172.20.26.155); switch G (172.20.26.156); switch H (172.20.26.
C H A P T E R 11 Configuring VTP This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the switch. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco Catalyst Blade Switch 3020 for HP Command Reference for this release.
Chapter 11 Configuring VTP Understanding VTP
These sections contain this conceptual information: • The VTP Domain, page 11-2 • VTP Modes, page 11-3 • VTP Advertisements, page 11-3 • VTP Version 2, page 11-4 • VTP Pruning, page 11-4
The VTP Domain A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain.
VTP Modes You can configure a supported switch to be in one of the VTP modes listed in Table 11-1.
Table 11-1 VTP Modes
VTP server: In VTP server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as the VTP version) for the entire VTP domain.
• MD5 digest VLAN configuration, including maximum transmission unit (MTU) size for each VLAN.
• Frame format
VTP advertisements distribute this VLAN information for each configured VLAN: • VLAN IDs (ISL and IEEE 802.1Q) • VLAN name • VLAN type • VLAN state • Additional VLAN configuration information specific to the VLAN type
VTP Version 2 If you use VTP in your network, you must decide whether to use Version 1 or Version 2.
Figure 11-1 shows a switched network without VTP pruning enabled. Port 1 on Switch A and Port 2 on Switch D are assigned to the Red VLAN. If a broadcast is sent from the host connected to Switch A, Switch A floods the broadcast and every switch in the network receives it, even though Switches C, E, and F have no ports in the Red VLAN.
Chapter 11 Configuring VTP Configuring VTP
See the “Enabling VTP Pruning” section on page 11-14. VTP pruning takes effect several seconds after you enable it. VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs higher than 1005) are also pruning-ineligible. VTP pruning is not designed to function in VTP transparent mode.
VTP Configuration Options You can configure VTP by using these configuration modes. • VTP Configuration in Global Configuration Mode, page 11-7 • VTP Configuration in VLAN Database Configuration Mode, page 11-7 You access VLAN database configuration mode by entering the vlan database privileged EXEC command. For detailed information about vtp commands, see the command reference for this release.
VTP Configuration Guidelines These sections describe guidelines you should follow when implementing VTP in your network. Domain Names When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name. Switches in VTP transparent mode do not exchange VTP messages with other switches, and you do not need to configure a VTP domain name for them.
• Do not enable VTP Version 2 on a switch unless all of the switches in the same VTP domain are Version-2-capable. When you enable Version 2 on a switch, all of the Version-2-capable switches in the domain enable Version 2. If there is a Version 1-only switch, it does not exchange VTP information with switches that have Version 2 enabled.
This example shows how to use global configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:
Switch# config terminal
Switch(config)# vtp mode server
Switch(config)# vtp domain eng_group
Switch(config)# vtp password mypassword
Switch(config)# end
You can also use VLAN database configuration mode to configure VTP parameters.
Configuring a VTP Client When a switch is in VTP client mode, you cannot change its VLAN configuration. The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly. Note If extended-range VLANs are configured on the switch, you cannot change VTP mode to client. You receive an error message, and the configuration is not allowed.
Disabling VTP (VTP Transparent Mode) When you configure the switch for VTP transparent mode, VTP is disabled on the switch. The switch does not send VTP updates and does not act on VTP updates received from other switches. However, a VTP transparent switch running VTP Version 2 does forward received VTP advertisements on its trunk links.
Enabling VTP Version 2 VTP Version 2 is disabled by default on VTP Version 2-capable switches. When you enable VTP Version 2 on a switch, every VTP Version 2-capable switch in the VTP domain enables Version 2. You can only configure the version when the switches are in VTP server or transparent mode. Caution VTP Version 1 and VTP Version 2 are not interoperable on switches in the same VTP domain. Every switch in the VTP domain must use the same VTP version.
Enabling VTP Pruning Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode. Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the VTP domain: Command Purpose Step 1 configure terminal Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain: Step 1 Command Purpose show vtp status Check the VTP configuration revision number. If the number is 0, add the switch to the VTP domain. If the number is greater than 0, follow these steps: a. Write down the domain name. b. Write down the configuration revision number. c.
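The check in Step 1 is worth scripting when many switches are staged, because a server or client whose configuration revision number is higher than the domain's replaces the VLAN database of every other switch in the domain once it is connected. The following Python is an added example, not from the guide: it parses show vtp status output and decides whether the switch may be added to a named domain. The two output samples are constructed in the layout of the Cisco IOS 12.2 show vtp status display, and the revision numbers and domain names are invented.

```python
"""Pre-connection VTP revision check (added example, not from the
configuration guide). The 'show vtp status' samples are constructed."""

import re

# Constructed 'show vtp status' output from a switch that was previously used in another domain.
USED_SWITCH = """\
VTP Version                     : 2
Configuration Revision          : 27
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 12
VTP Operating Mode              : Server
VTP Domain Name                 : lab_old
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
"""

# Constructed output after the revision has been reset and the target domain name set.
RESET_SWITCH = USED_SWITCH.replace(": 27", ": 0").replace("lab_old", "eng_group")

FIELD = re.compile(r"^(?P<name>[A-Za-z0-9 ]+?)\s*:\s*(?P<value>.*)$")


def parse_vtp_status(output: str) -> dict[str, str]:
    """Turn 'Name : value' lines into a dictionary keyed by the field name."""
    fields = {}
    for line in output.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group("name").strip()] = m.group("value").strip()
    return fields


def safe_to_join(output: str, domain: str) -> tuple[bool, str]:
    """Return (ok, reason) for connecting this switch to VTP domain 'domain'."""
    status = parse_vtp_status(output)
    revision = int(status.get("Configuration Revision", "0"))
    mode = status.get("VTP Operating Mode", "")
    name = status.get("VTP Domain Name", "")
    if mode.lower() == "transparent":
        return True, "transparent mode: the switch does not send VTP updates"
    if revision > 0:
        return False, f"revision {revision} > 0: reset it before connecting (domain seen: {name!r})"
    if name and name != domain:
        return False, f"domain name {name!r} differs from {domain!r}"
    return True, "revision 0 and domain name matches"


if __name__ == "__main__":
    for label, sample in (("used", USED_SWITCH), ("reset", RESET_SWITCH)):
        ok, reason = safe_to_join(sample, "eng_group")
        print(f"{label}: {'OK' if ok else 'BLOCK'} - {reason}")
```

The script only decides; the reset itself is the procedure in the steps above. A transparent-mode switch passes regardless of its revision because, as the "Disabling VTP" section states, it does not send VTP updates.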
Chapter 11 Configuring VTP Monitoring VTP
Monitoring VTP You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 11-3 shows the privileged EXEC commands for monitoring VTP activity.
Table 11-3 VTP Monitoring Commands
show vtp status: Display the VTP switch configuration information.
C H A P T E R 12 Configuring Voice VLAN This chapter describes how to configure the voice VLAN feature on the switch. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6500 family switch documentation. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 12 Configuring Voice VLAN Understanding Voice VLAN
Figure 12-1 shows one way to connect a Cisco 7960 IP Phone.
[Figure 12-1 Cisco 7960 IP Phone Connected to a Switch: the phone contains a 3-port switch; port P1 connects to the switch access port, port P2 to the phone ASIC, and port P3 to the PC]
Cisco IP Phone Voice Traffic You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.
Chapter 12 Configuring Voice VLAN Configuring Voice VLAN
Note Untagged traffic from the device attached to the Cisco IP Phone passes through the phone unchanged, regardless of the trust state of the access port on the phone.
– The Cisco IP Phone uses IEEE 802.1p frames, and the device uses untagged frames.
– The Cisco IP Phone uses untagged frames, and the device uses IEEE 802.1p frames.
– The Cisco IP Phone uses IEEE 802.1Q frames, and the voice VLAN is the same as the access VLAN.
voice traffic a higher priority and forward all voice traffic through the native (access) VLAN. The Cisco IP Phone can also send untagged voice traffic or use its own configuration to send voice traffic in the access VLAN. In all configurations, the voice traffic carries a Layer 3 IP precedence value (the default is 5).
Chapter 12 Configuring Voice VLAN Displaying Voice VLAN
Configuring the Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP Phone. The PC can generate packets with an assigned CoS value.
C H A P T E R 13 Configuring STP This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
Chapter 13 Configuring STP Understanding Spanning-Tree Features
• Spanning-Tree Interoperability and Backward Compatibility, page 13-10 • STP and IEEE 802.1Q Trunks, page 13-10 For configuration information, see the “Configuring Spanning-Tree Features” section on page 13-10. For information about optional spanning-tree features, see Chapter 15, “Configuring Optional Spanning-Tree Features.
Spanning-Tree Topology and BPDUs The stable, active spanning-tree topology of a switched network is controlled by these elements:
• The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch.
• The spanning-tree path cost to the root switch.
• The port identifier (port priority and port number) associated with each Layer 2 interface.
Bridge ID, Switch Priority, and Extended System ID The IEEE 802.1D standard requires that each switch have a unique bridge identifier (bridge ID), which controls the selection of the root switch. Because each VLAN is considered a different logical bridge with PVST+ and rapid PVST+, the same switch must have a different bridge ID for each configured VLAN. Each VLAN on the switch has a unique 8-byte bridge ID.
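As an added example that is not from the configuration guide, the Python below builds the 8-byte bridge ID for one VLAN and runs the root election among several switches. The 2-byte priority field is the 4-bit switch priority (a multiple of 4096) plus the 12-bit extended system ID, which carries the VLAN ID, followed by the 6-byte switch MAC address; the switch with the numerically lowest bridge ID becomes the root for that VLAN. The switch names, MAC addresses, and priorities are constructed for the example, and the show_bridge_id output only approximates the show spanning-tree layout.

```python
"""Bridge ID with extended system ID and per-VLAN root election (added
example, not from the configuration guide). Switch names, MAC addresses
and priorities are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str                 # switch MAC address in Cisco dotted-hex notation
    priority: int = 32768    # spanning-tree vlan N priority <multiple of 4096>


def mac_bytes(mac: str) -> bytes:
    """Convert '0000.0c11.1111' (or colon-separated) notation to 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def bridge_id(switch: Switch, vlan: int) -> bytes:
    """Return the 8-byte bridge ID of 'switch' for 'vlan' (extended system ID format)."""
    if switch.priority % 4096 or not 0 <= switch.priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1 to 4094")
    priority_field = switch.priority + vlan      # 4-bit priority | 12-bit system ID (VLAN)
    return priority_field.to_bytes(2, "big") + mac_bytes(switch.mac)


def elect_root(switches: list[Switch], vlan: int) -> Switch:
    """The root switch for a VLAN is the one with the numerically lowest bridge ID."""
    return min(switches, key=lambda s: bridge_id(s, vlan))


def show_bridge_id(switch: Switch, vlan: int) -> str:
    """Format the bridge ID in the style of the 'show spanning-tree' Bridge ID line."""
    prio = int.from_bytes(bridge_id(switch, vlan)[:2], "big")
    return (f"{switch.name}: Priority {prio} (priority {switch.priority} "
            f"sys-id-ext {vlan}) Address {switch.mac}")


# Constructed topology. With default priorities the access switch, which happens to
# have the lowest MAC address, would become root; the lower priority on dist-1 fixes that.
SWITCHES = [
    Switch("dist-1", "0000.0c11.1111", priority=24576),
    Switch("dist-2", "0000.0c22.2222", priority=28672),
    Switch("access-3", "0000.0c00.0001"),
]

if __name__ == "__main__":
    for sw in SWITCHES:
        print(show_bridge_id(sw, 10))
    print("root for VLAN 10:", elect_root(SWITCHES, 10).name)
```

Because the MAC address is the tie-breaker, leaving every switch at the default priority lets the oldest or cheapest device in the network win the election; the Note under "Configuring the Root Switch" below (the root should be a backbone or distribution switch) is met by giving the intended root the lowest priority, as dist-1 has here.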
An interface moves through these states:
• From initialization to blocking
• From blocking to listening or to disabled
• From listening to learning or to disabled
• From learning to forwarding or to disabled
• From forwarding to disabled
Figure 13-1 illustrates how an interface moves through the states.
Blocking State A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each switch interface. A switch initially functions as the root until it exchanges BPDUs with other switches. This exchange establishes which switch in the network is the root or root switch.
Disabled State A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational.
Spanning Tree and Redundant Connectivity You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure 13-3. Spanning tree automatically disables one interface but enables it if the other one fails. If one link is high-speed and the other is low-speed, the low-speed link is always disabled.
Because each VLAN is a separate spanning-tree instance, the switch accelerates aging on a per-VLAN basis. A spanning-tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch.
Chapter 13 Configuring STP Configuring Spanning-Tree Features
Spanning-Tree Interoperability and Backward Compatibility Table 13-2 lists the interoperability and compatibility among the supported spanning-tree modes in a network.
• Disabling Spanning Tree, page 13-14 (optional) • Configuring the Root Switch, page 13-14 (optional) • Configuring a Secondary Root Switch, page 13-16 (optional) • Configuring Port Priority, page 13-16 (optional) • Configuring Path Cost, page 13-18 (optional) • Configuring the Switch Priority of a VLAN, page 13-19 (optional) • Configuring Spanning-Tree Timers, page 13-20 (optional) Default Spanning-Tree Configuration Table 13-3 s
Spanning-Tree Configuration Guidelines If more VLANs are defined in the VTP than there are spanning-tree instances, you can enable PVST+ or rapid PVST+ on only 128 VLANs on the switch. The remaining VLANs operate with spanning tree disabled. However, you can map multiple VLANs to the same spanning-tree instances by using MSTP. For more information, see Chapter 14, “Configuring MSTP.
Changing the Spanning-Tree Mode The switch supports three spanning-tree modes: PVST+, rapid PVST+, or MSTP. By default, the switch runs the PVST+ protocol. Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode.
Disabling Spanning Tree Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in the “Supported Spanning-Tree Instances” section on page 13-9. Disable spanning tree only if you are sure there are no loops in the network topology.
Note The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root. Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).
Chapter 13 Configuring STP Configuring Spanning-Tree Features Configuring a Secondary Root Switch When you configure a switch as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails. This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch.
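The election that the primary and secondary root priorities rely on, as an added example (not code from the guide): a bridge ID is the 2-byte priority field (the configured priority plus the VLAN number as system-ID extension on PVST+ and rapid PVST+) followed by the bridge MAC address, and the lowest ID wins. The values 28672 and 32768 are the guide's; the primary-root value 24576, the switch names and the MAC addresses are assumptions.

```python
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768         # default switch priority (from the guide)
SECONDARY_ROOT_PRIORITY = 28672  # value set for the secondary root (from the guide)
PRIMARY_ROOT_PRIORITY = 24576    # assumption: value the primary-root macro normally selects


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                       # Cisco dotted form, e.g. "0011.2233.4455" (constructed)
    priority: int = DEFAULT_PRIORITY

    def bridge_id(self, vlan: int) -> tuple:
        """Comparable bridge ID for one VLAN: (priority + system-ID extension, MAC).

        The upper 4 bits of the 16-bit field carry the priority (a multiple of
        4096); the lower 12 bits carry the VLAN number, so each VLAN is its own
        spanning-tree instance with the same relative ordering of switches."""
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 in 0..61440")
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN out of range")
        return (self.priority + vlan, int(self.mac.replace(".", ""), 16))


def elect_root(bridges, vlan: int) -> Bridge:
    """Lowest bridge ID wins; the MAC address breaks ties on equal priority."""
    if not bridges:
        raise ValueError("no bridges")
    return min(bridges, key=lambda b: b.bridge_id(vlan))


def root_after_failure(bridges, vlan: int, failed: str) -> Bridge:
    """Re-run the election without the named switch, which is what happens once
    the failed root's BPDUs stop arriving and its information ages out."""
    return elect_root([b for b in bridges if b.name != failed], vlan)


# Constructed topology: primary and secondary root on the distribution layer,
# two blade switches left at the default priority.  "access-1" has the lowest
# MAC of all, which only matters once every configured root is gone.
NETWORK = [
    Bridge("dist-1", "0011.2233.4455", PRIMARY_ROOT_PRIORITY),
    Bridge("dist-2", "0011.2233.4466", SECONDARY_ROOT_PRIORITY),
    Bridge("access-1", "0000.0000.0001"),
    Bridge("access-2", "0011.2233.4499"),
]

if __name__ == "__main__":
    for vlan in (1, 10):
        print(vlan, elect_root(NETWORK, vlan).name,
              root_after_failure(NETWORK, vlan, "dist-1").name)
```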
Beginning in privileged EXEC mode, follow these steps to configure the port priority of an interface. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces (port-channel port-channel-number).
Configuring Path Cost
The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values that you want selected last.
To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree path costs, see the “Configuring Trunk Ports for Load Sharing” section on page 10-21.
Configuring the Switch Priority of a VLAN
You can configure the switch priority and make it more likely that the switch will be chosen as the root switch.
Configuring Spanning-Tree Timers
Table 13-4 describes the timers that affect the entire spanning-tree performance.
Table 13-4 Spanning-Tree Timers
Hello timer: Controls how often the switch broadcasts hello messages to other switches.
Forward-delay timer: Controls how long each of the listening and learning states last before the interface begins forwarding.
Configuring the Forwarding-Delay Time for a VLAN
Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 spanning-tree vlan vlan-id forward-time seconds: Configure the forward time of a VLAN.
Configuring the Transmit Hold-Count
You can configure the BPDU burst size by changing the transmit hold count value.
Note Changing this parameter to a higher value can have a significant impact on CPU utilization, especially in Rapid-PVST mode. Lowering this value can slow down convergence in certain scenarios. We recommend that you maintain the default setting.
CHAPTER 14 Configuring MSTP
This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the switch.
Note The multiple spanning-tree (MST) implementation in Cisco IOS Release 12.2(25)SED is based on the IEEE 802.1s standard. The MST implementations in earlier Cisco IOS releases are prestandard.
Understanding MSTP
MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.
IST, CIST, and CST
Unlike PVST+ and rapid PVST+ in which all the spanning-tree instances are independent, the MSTP establishes and maintains two types of spanning trees:
• An internal spanning tree (IST), which is the spanning tree that runs in an MST region. Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST).
For correct operation, all switches in the MST region must agree on the same CIST regional root. Therefore, any two switches in the region only synchronize their port roles for an MST instance if they converge to a common CIST regional root.
Operations Between MST Regions
If there are multiple regions or legacy IEEE 802.
hello time, forward time, max-age, and max-hops) are configured only on the CST instance but affect all MST instances. Parameters related to the spanning-tree topology (for example, switch priority, port VLAN cost, and port VLAN priority) can be configured on both the CST instance and the MST instance. MSTP switches use Version 3 RSTP BPDUs or IEEE 802.1D STP BPDUs to communicate with legacy IEEE 802.1D switches.
maximum value. When a switch receives this BPDU, it decrements the received remaining hop count by one and propagates this value as the remaining hop count in the BPDUs it generates. When the count reaches zero, the switch discards the BPDU and ages the information held for the port.
Port Role Naming Change
The boundary role is no longer in the final MST standard, but this boundary concept is maintained in Cisco’s implementation. However, an MST instance port at a boundary of the region might not follow the state of the corresponding CIST port.
Detecting Unidirectional Link Failure
This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
Understanding RSTP
These sections describe how the RSTP works:
• Port Roles and the Active Topology, page 14-9
• Rapid Convergence, page 14-10
• Synchronization of Port Roles, page 14-11
• Bridge Protocol Data Unit Format and Processing, page 14-12
For configuration information, see the “Configuring MSTP Features” section on page 14-14.
Rapid Convergence
The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN. It provides rapid convergence for edge ports, new root ports, and ports connected through point-to-point links as follows:
• Edge ports—If you configure a port as an edge port on an RSTP switch by using the spanning-tree portfast interface configuration command, the edge port immediately transitions to the forwarding state.
Figure 14-4 Proposal and Agreement Handshaking for Rapid Convergence (figure: proposal and agreement exchange among Switch A, Switch B, and Switch C, showing the root and designated switches; legend: DP = designated port, RP = root port, F = forwarding)
Synchronization of Port Roles
When the switch receives a proposal message on one of its ports and that port is selected as the new root port
After ensuring that all of the ports are synchronized, the switch sends an agreement message to the designated switch corresponding to its root port. When the switches connected by a point-to-point link are in agreement about their port roles, the RSTP immediately transitions the port states to forwarding. The sequence of events is shown in Figure 14-5.
Figure 14-5 Sequence of Events During Rapid Convergence (figure: numbered proposal and agreement steps)
The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN. The port role in the proposal message is always set to the designated port. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal. The port role in the agreement message is always set to the root port. The RSTP does not have a separate topology change notification (TCN) BPDU.
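A decoder for the BPDU fields and flags discussed above (IEEE 802.1D configuration and TCN BPDUs, and the 802.1w flag byte with its proposal, agreement, port-role and topology-change bits), as an added example that is not code from the guide or from Cisco IOS. It also checks the rule stated in the text that a proposal always carries the designated role and an agreement the root role; the sample frames, priorities and MAC addresses are constructed.

```python
import struct

ROLE_NAMES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}
BPDU_CONFIG, BPDU_RSTP, BPDU_TCN = 0x00, 0x02, 0x80


def _mac(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def _bridge_id(raw: bytes) -> dict:
    field, = struct.unpack("!H", raw[:2])
    return {"priority": field & 0xF000,      # upper 4 bits, a multiple of 4096
            "sys_id_ext": field & 0x0FFF,    # VLAN number on PVST+/rapid PVST+
            "mac": _mac(raw[2:8])}


def decode_bpdu(payload: bytes) -> dict:
    """Decode the fixed fields of an STP/RSTP BPDU (bytes after the LLC header)."""
    if len(payload) < 4:
        raise ValueError("truncated BPDU header")
    proto, version, bpdu_type = struct.unpack("!HBB", payload[:4])
    if proto != 0:
        raise ValueError("protocol identifier is not 0 (spanning tree)")
    if bpdu_type == BPDU_TCN:                   # 802.1D TCN carries no more fields
        return {"version": version, "type": "tcn"}
    if len(payload) < 35:
        raise ValueError("truncated configuration BPDU")
    flags = payload[4]
    cost, = struct.unpack("!I", payload[13:17])
    port_id, age, max_age, hello, fwd = struct.unpack("!HHHHH", payload[25:35])
    info = {
        "version": version,
        "type": {BPDU_CONFIG: "config", BPDU_RSTP: "rstp"}.get(bpdu_type, hex(bpdu_type)),
        "root": _bridge_id(payload[5:13]),
        "root_path_cost": cost,
        "bridge": _bridge_id(payload[17:25]),
        "port_id": port_id,
        # the four timers are carried in units of 1/256 second
        "message_age": age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd / 256,
        "flags": {"tc": bool(flags & 0x01), "tca": bool(flags & 0x80)},
    }
    if bpdu_type == BPDU_RSTP:                  # 802.1w flag layout
        info["flags"].update({
            "proposal": bool(flags & 0x02),
            "port_role": ROLE_NAMES[(flags >> 2) & 0x03],
            "learning": bool(flags & 0x10),
            "forwarding": bool(flags & 0x20),
            "agreement": bool(flags & 0x40),
        })
    return info


def handshake_consistent(info: dict) -> bool:
    """Rule from the text: a proposal always carries the designated role and an
    agreement always carries the root role.  A BPDU breaking it is malformed
    and worth logging rather than acting on."""
    f = info["flags"]
    if f.get("proposal") and f.get("port_role") != "designated":
        return False
    if f.get("agreement") and f.get("port_role") != "root":
        return False
    return True


def build_bpdu(flags: int, root: tuple, cost: int, bridge: tuple, port_id: int,
               rstp: bool = True, age: int = 0) -> bytes:
    """Construct a sample BPDU for exercising the decoder (not a captured frame).
    root and bridge are (16-bit priority field, dotted MAC) pairs."""
    def bid(prio_field, mac):
        return struct.pack("!H", prio_field) + bytes.fromhex(mac.replace(".", ""))
    version, bpdu_type = (2, BPDU_RSTP) if rstp else (0, BPDU_CONFIG)
    frame = (struct.pack("!HBBB", 0, version, bpdu_type, flags)
             + bid(*root) + struct.pack("!I", cost) + bid(*bridge)
             + struct.pack("!HHHHH", port_id, age * 256, 20 * 256, 2 * 256, 15 * 256))
    return frame + b"\x00" if rstp else frame      # RSTP appends "version 1 length" = 0


# Constructed frames: a proposal from a designated port of the VLAN 10 root
# (priority 24576 + VLAN 10 = 24586) and the agreement a downstream switch returns.
PROPOSAL = build_bpdu(0x02 | (3 << 2), (24586, "0011.2233.4455"), 0,
                      (24586, "0011.2233.4455"), 0x8001)
AGREEMENT = build_bpdu(0x40 | (2 << 2) | 0x10 | 0x20, (24586, "0011.2233.4455"), 4,
                       (32778, "0011.2233.4499"), 0x8002, age=1)

if __name__ == "__main__":
    for frame in (PROPOSAL, AGREEMENT):
        d = decode_bpdu(frame)
        print(d["type"], d["flags"], handshake_consistent(d))
```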
• Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.
• Protocol migration—For backward compatibility with IEEE 802.1D switches, RSTP selectively sends IEEE 802.
Configuring MSTP Features
Table 14-4 Default MSTP Configuration (continued)
Spanning-tree port priority (configurable on a per-CIST port basis): 128
Spanning-tree port cost (configurable on a per-CIST port basis): 1000 Mbps: 4; 100 Mbps: 19; 10 Mbps: 100
Hello time: 2 seconds
Forward-delay time: 15 seconds
Maximum-aging time: 20 seconds
Maximum hop count: 20 hops
• Partitioning the network into a large number of regions is not recommended. However, if this situation is unavoidable, we recommend that you partition the switched LAN into smaller LANs interconnected by routers or non-Layer 2 devices.
• For configuration guidelines about UplinkFast and BackboneFast, see the “Optional Spanning-Tree Configuration Guidelines” section on page 15-10.
Step 9 end: Return to privileged EXEC mode.
Step 10 show running-config: Verify your entries.
Step 11 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To return to the default MST region configuration, use the no spanning-tree mst configuration global configuration command.
The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root.
Use the diameter keyword, which is available only for MST instance 0, to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).
You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command.
Beginning in privileged EXEC mode, follow these steps to configure a switch as the secondary root switch. This procedure is optional.
Beginning in privileged EXEC mode, follow these steps to configure the MSTP port priority of an interface. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces. The port-channel range is 1 to 48.
Beginning in privileged EXEC mode, follow these steps to configure the MSTP cost of an interface. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces. The port-channel range is 1 to 48.
Beginning in privileged EXEC mode, follow these steps to configure the switch priority. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 spanning-tree mst instance-id priority priority: Configure the switch priority.
• For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 4094.
Configuring the Forwarding-Delay Time
Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for all MST instances. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 spanning-tree mst forward-time seconds: Configure the forward time for all MST instances.
Configuring the Maximum-Hop Count
Beginning in privileged EXEC mode, follow these steps to configure the maximum-hop count for all MST instances. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 spanning-tree mst max-hops hop-count: Specify the number of hops in a region before the BPDU is discarded, and the information held for a port is aged.
Designating the Neighbor Type
A topology could contain both prestandard and IEEE 802.1s standard compliant devices. By default, ports can automatically detect prestandard devices, but they can still receive both standard and prestandard BPDUs. When there is a mismatch between a device and its neighbor, only the CIST runs on the interface. You can choose to set a port to send only prestandard BPDUs.
Displaying the MST Configuration and Status
To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 14-5:
Table 14-5 Commands for Displaying MST Status
show spanning-tree mst configuration: Displays the MST region configuration.
show spanning-tree mst configuration digest: Displays the MD5 digest included in the current MSTCI.
CHAPTER 15 Configuring Optional Spanning-Tree Features
This chapter describes how to configure optional spanning-tree features on the switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+). You can configure only the noted features when your switch is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol.
Understanding Optional Spanning-Tree Features
Understanding Port Fast
Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. In Figure 15-1, Port Fast is configured on the interfaces that are connected to blade servers. The devices can immediately connect to the network, rather than waiting for the spanning tree to converge.
The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree. You can enable the BPDU guard feature for the entire switch or for an interface.
Figure 15-2 Switches in a Hierarchical Network (figure: backbone switches including the root bridge, distribution switches, and blade switches; legend: active link, blocked link)
If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port.
Figure 15-3 UplinkFast Example Before Direct Link Failure (figure: Switch A (Root), Switch B, and Switch C connected by links L1, L2, and L3, with a blocked port on Switch C)
If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure
The switch tries to find if it has an alternate path to the root switch. If the inferior BPDU arrives on a blocked interface, the root port and other blocked interfaces on the switch become alternate paths to the root switch. (Self-looped ports are not considered alternate paths to the root switch.)
Figure 15-6 BackboneFast Example After Indirect Link Failure (figure: Switch A (Root) and Switch B with links L1 and L3 and a link failure; BackboneFast changes the port through the listening and learning states to the forwarding state)
Understanding Root Guard
The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer switch as the root switch, as shown in Figure 15-8. You can avoid this situation by enabling root guard on SP switch interfaces that connect to switches in your customer’s network.
Understanding Loop Guard
You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is enabled on the entire switched network. Loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.
Configuring Optional Spanning-Tree Features
Optional Spanning-Tree Configuration Guidelines
You can configure PortFast, BPDU guard, BPDU filtering, EtherChannel guard, root guard, or loop guard if your switch is running PVST+, rapid PVST+, or MSTP. You can configure the UplinkFast or the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
Note You can use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking ports. To disable the Port Fast feature, use the spanning-tree portfast disable interface configuration command.
Enabling BPDU Filtering
When you globally enable BPDU filtering on Port Fast-enabled interfaces, it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs.
Enabling UplinkFast for Use with Redundant Links
UplinkFast cannot be enabled on VLANs that have been configured with a switch priority. To enable UplinkFast on a VLAN with switch priority configured, first restore the switch priority on the VLAN to the default value by using the no spanning-tree vlan vlan-id priority global configuration command.
You can configure the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+. Beginning in privileged EXEC mode, follow these steps to enable BackboneFast. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Enabling Root Guard
Root guard enabled on an interface applies to all the VLANs to which the interface belongs. Do not enable the root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure.
Step 3 spanning-tree loopguard default: Enable loop guard. By default, loop guard is disabled.
Step 4 end: Return to privileged EXEC mode.
Step 5 show running-config: Verify your entries.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To globally disable loop guard, use the no spanning-tree loopguard default global configuration command.
CHAPTER 16 Configuring Flex Links and the MAC Address-Table Move Update Feature
This chapter describes how to configure Flex Links, a pair of interfaces on the switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding Flex Links and the MAC Address-Table Move Update
only one of the interfaces is in the linkup state and forwarding traffic. If the primary link shuts down, the standby link starts forwarding traffic. When the active link comes back up, it goes into standby mode and does not forward traffic. STP is disabled on Flex Link interfaces. In Figure 16-1, ports 1 and 2 on switch A are connected to uplink switches B and C.
You can configure the access switch, switch A, to send MAC address-table move update messages. You can also configure the uplink switches B, C, and D to get and process the MAC address-table move update messages. When switch C gets a MAC address-table move update message from switch A, switch C learns the MAC address of the PC on port 4.
Configuring Flex Links and MAC Address-Table Move Update
These sections contain this information:
• Configuration Guidelines, page 16-4
• Default Configuration, page 16-4
Configuration Guidelines
Follow these guidelines to configure Flex Links:
• You can configure only one Flex Link backup link for any active link, and it must be a different interface from the acti
Configuring Flex Links and MAC Address-Table Move Update
This section contains this information:
• Configuring Flex Links, page 16-5
• Configuring the MAC Address-Table Move Update Feature, page 16-6
Configuring Flex Links
Beginning in privileged EXEC mode, follow these steps to configure a pair of Flex Links:
Step 1 configure terminal: Enter globa
Step 3 switchport backup interface interface-id: Configure a physical Layer 2 interface (or port channel) as part of a Flex Links pair with the interface. When one link is forwarding traffic, the other interface is in standby mode.
Beginning in privileged EXEC mode, follow these steps to configure an access switch to send MAC address-table move updates:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Specify the interface, and enter interface configuration mode.
Monitoring Flex Links and the MAC Address-Table Move Update
Rcv invalid packet count : 0
Rcv packet count this min : 0
Rcv threshold exceed count : 0
Rcv last sequence# this min : 0
Rcv last interface : Po2
Rcv last src-mac-address : 000b.462d.c502
Rcv last switch-ID : 0403.fd6a.
CHAPTER 17 Configuring DHCP Features
This chapter describes how to configure DHCP snooping and the option-82 data insertion features on the switch.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release, and see the “DHCP Commands” section in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.
Understanding DHCP Features
DHCP Server
The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them. If the DHCP server cannot give the DHCP client the requested configuration parameters from its database, it forwards the request to one or more secondary DHCP servers defined by the network administrator.
The switch drops a DHCP packet when one of these situations occurs:
• A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall.
• A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.
Figure 17-1 is an example of a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the switch at the access layer.
– Length of the suboption type
– Remote-ID type
– Length of the remote-ID type
In the port field of the circuit ID suboption, the port numbers start at 1. For example, on a Cisco Catalyst Blade Switch 3020 for HP, which has 24 ports, port 1 is the Gigabit Ethernet 0/1 port, port 2 is the Gigabit Ethernet 0/2 port, port 3 is the Gigabit Ethernet 0/3 port, and so on.
• Remote-ID suboption fields
– The remote-ID type is 1.
– The length values are variable, depending on the length of the string that you configure.
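An encoder and a length-checking parser for the option-82 suboptions described above, as an added example (not the switch's code): the circuit-ID suboption with circuit-ID type 0 carrying VLAN, module and port (port numbers starting at 1), and the remote-ID suboption with type 0 (switch MAC address) or type 1 (a configured string such as the hostname, variable length). The exact byte layout is the Cisco default format as assumed from the fragments in this section, the interface-name mapping follows the 3020 example above, and all sample values are constructed.

```python
import struct

OPTION_82 = 82             # DHCP relay agent information option
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
MAX_REMOTE_ID_STRING = 63  # from the chapter: up to 63 ASCII characters, no spaces


def circuit_id(vlan: int, module: int, port: int) -> bytes:
    """Circuit-ID suboption, circuit-ID type 0: VLAN (2 bytes), module, port."""
    if not 1 <= port <= 255:
        raise ValueError("port numbers in the circuit ID start at 1")
    body = struct.pack("!HBB", vlan, module, port)
    return bytes([SUBOPT_CIRCUIT_ID, 2 + len(body), 0, len(body)]) + body


def remote_id(mac: str = None, string: str = None) -> bytes:
    """Remote-ID suboption: type 0 carries the switch MAC, type 1 a configured
    string (for example the hostname) with a variable length."""
    if string is not None:
        if " " in string or len(string) > MAX_REMOTE_ID_STRING:
            raise ValueError("remote-ID string: up to 63 ASCII characters, no spaces")
        rid_type, body = 1, string.encode("ascii")
    else:
        rid_type, body = 0, bytes.fromhex(mac.replace(".", ""))
        if len(body) != 6:
            raise ValueError("remote-ID MAC must be 6 bytes")
    return bytes([SUBOPT_REMOTE_ID, 2 + len(body), rid_type, len(body)]) + body


def build_option82(vlan, module, port, mac=None, string=None) -> bytes:
    payload = circuit_id(vlan, module, port) + remote_id(mac, string)
    return bytes([OPTION_82, len(payload)]) + payload


def parse_option82(opt: bytes) -> dict:
    """Parse one option-82 TLV back into its suboptions, checking every length
    field before trusting it (the option arrives from the network)."""
    if len(opt) < 2 or opt[0] != OPTION_82 or len(opt) != 2 + opt[1]:
        raise ValueError("not a well-formed option 82")
    out, i = {}, 2
    while i < len(opt):
        if i + 2 > len(opt):
            raise ValueError("truncated suboption header")
        sub, slen = opt[i], opt[i + 1]
        data = opt[i + 2:i + 2 + slen]
        if len(data) != slen or slen < 2 or data[1] != slen - 2:
            raise ValueError("suboption length does not match")
        typ, inner = data[0], data[2:]
        if sub == SUBOPT_CIRCUIT_ID and typ == 0 and len(inner) == 4:
            vlan, module, port = struct.unpack("!HBB", inner)
            out["circuit_id"] = {"vlan": vlan, "module": module, "port": port,
                                 # port 1 is Gigabit Ethernet 0/1 on this switch
                                 "interface": f"GigabitEthernet{module}/{port}"}
        elif sub == SUBOPT_REMOTE_ID and typ == 0 and len(inner) == 6:
            h = inner.hex()
            out["remote_id"] = f"{h[:4]}.{h[4:8]}.{h[8:]}"
        elif sub == SUBOPT_REMOTE_ID and typ == 1:
            out["remote_id"] = inner.decode("ascii")
        else:
            out.setdefault("unrecognised", []).append((sub, typ, inner.hex()))
        i += 2 + slen
    return out


# Constructed values: VLAN 10, module 0, port 3 (GigabitEthernet0/3), made-up switch MAC.
SAMPLE_MAC = build_option82(10, 0, 3, mac="0011.2233.4455")
SAMPLE_HOSTNAME = build_option82(10, 0, 3, string="blade-sw-1")

if __name__ == "__main__":
    print(SAMPLE_MAC.hex(), parse_option82(SAMPLE_MAC))
    print(parse_option82(SAMPLE_HOSTNAME))
```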
Configuring DHCP Features
Table 17-1 Default DHCP Configuration (continued)
DHCP relay agent forwarding policy: Replace the existing relay agent information (2)
DHCP snooping enabled globally: Disabled
DHCP snooping information option: Enabled
DHCP snooping option to accept packets on untrusted input interfaces (3): Disabled
DHCP snooping limit rate: None configured
DHCP snooping trust: Untrusted
DHCP snooping VLAN: Disabled
DHCP snooping M
• If a switch port is connected to a DHCP client, configure a port as untrusted by entering the no ip dhcp snooping trust interface configuration command.
• Do not enter the ip dhcp snooping information option allow-untrusted command on an aggregation switch to which an untrusted device is connected. If you enter this command, an untrusted device might spoof the option-82 information.
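The drop rules listed under "Understanding DHCP Features" and the option-82 guideline above, collected into one decision function and run over constructed packets, as an added example (not the switch's implementation). It treats "received from outside the network or firewall" as "received on an untrusted interface", which is how trust is expressed on the switch, and the mac_verify flag standing for the source-MAC check being on by default is an assumption.

```python
from dataclasses import dataclass, field

# Server-originated message types named in the chapter.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}


@dataclass
class DhcpPacket:
    msg_type: str        # e.g. "DHCPDISCOVER", "DHCPOFFER"
    src_mac: str         # Ethernet source address
    chaddr: str          # client hardware address inside the DHCP message
    ingress: str         # receiving interface
    vlan: int
    has_option82: bool = False


@dataclass
class SnoopingConfig:
    enabled: bool = False                        # ip dhcp snooping
    vlans: set = field(default_factory=set)      # ip dhcp snooping vlan ...
    trusted: set = field(default_factory=set)    # interfaces with ip dhcp snooping trust
    mac_verify: bool = True                      # assumption: source MAC / chaddr check on
    allow_untrusted_option82: bool = False       # ip dhcp snooping information option allow-untrusted


def snooping_verdict(pkt: DhcpPacket, cfg: SnoopingConfig) -> str:
    """Return "forward" or "drop: <reason>" for one packet."""
    if not cfg.enabled or pkt.vlan not in cfg.vlans:
        return "forward"                         # VLAN not snooped: nothing is filtered
    if pkt.ingress in cfg.trusted:
        return "forward"                         # trusted ports carry the server traffic
    if pkt.msg_type in SERVER_MESSAGES:
        return "drop: server message on untrusted interface"
    if cfg.mac_verify and pkt.src_mac.lower() != pkt.chaddr.lower():
        return "drop: source MAC does not match client hardware address"
    if pkt.has_option82 and not cfg.allow_untrusted_option82:
        return "drop: option-82 present on untrusted interface"
    return "forward"


# Constructed configuration: snooping on VLAN 10, uplink Po1 trusted.
CONFIG = SnoopingConfig(enabled=True, vlans={10}, trusted={"Po1"})

# Constructed sample traffic (no real addresses).
SAMPLES = [
    DhcpPacket("DHCPDISCOVER", "0011.2233.4455", "0011.2233.4455", "Gi0/1", 10),
    DhcpPacket("DHCPOFFER", "0011.2233.aaaa", "0011.2233.4455", "Gi0/2", 10),   # server message on an access port
    DhcpPacket("DHCPOFFER", "0011.2233.aaaa", "0011.2233.4455", "Po1", 10),     # same message on the trusted uplink
    DhcpPacket("DHCPREQUEST", "0011.2233.4455", "0011.2233.beef", "Gi0/1", 10), # chaddr differs from source MAC
    DhcpPacket("DHCPDISCOVER", "0011.2233.4455", "0011.2233.4455", "Gi0/1", 10, has_option82=True),
    DhcpPacket("DHCPOFFER", "0011.2233.aaaa", "0011.2233.4455", "Gi0/2", 20),   # VLAN 20 is not snooped
]


def verdicts(samples=SAMPLES, cfg=CONFIG):
    return [snooping_verdict(p, cfg) for p in samples]


if __name__ == "__main__":
    for pkt, v in zip(SAMPLES, verdicts()):
        print(f"{pkt.ingress:5} vlan {pkt.vlan} {pkt.msg_type:13} -> {v}")
```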
Step 5 ip dhcp snooping information option format remote-id [string ASCII-string | hostname]: (Optional) Configure the remote-ID suboption. You can configure the remote ID to be:
• String of up to 63 ASCII characters (no spaces)
• Configured hostname for the switch
Note If the hostname is longer than 63 characters, it is truncated to 63 characters in the remote-ID configuration.
To disable DHCP snooping, use the no ip dhcp snooping global configuration command. To disable DHCP snooping on a VLAN or range of VLANs, use the no ip dhcp snooping vlan vlan-range global configuration command. To disable the insertion and removal of the option-82 field, use the no ip dhcp snooping information option global configuration command.
Chapter 18 Configuring IGMP Snooping and MVR
This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on the switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action.
Understanding IGMP Snooping
Note For more information on IP multicast and IGMP, see RFC 1112 and RFC 2236.
The multicast router sends out periodic general queries to all VLANs. All hosts interested in this multicast traffic send join requests and are added to the forwarding table entry. The switch creates one entry per VLAN in the IGMP snooping IP multicast forwarding table for each group from which it receives an IGMP join request.
Note IGMPv3 join and leave messages are not supported on switches running IGMP filtering or MVR.
An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast (SSM) feature. For more information about source-specific multicast with IGMPv3 and IGMP, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t5/dtssm5t.
Router A sends a general query to the switch, which forwards the query to ports 2 through 5, which are all members of the same VLAN. Blade Server 1 wants to join multicast group 224.1.2.3 and multicasts an IGMP membership report (IGMP join message) to the group.
Leaving a Multicast Group
The router sends periodic multicast general queries, and the switch forwards these queries through all ports in the VLAN. Interested blade servers respond to the queries. If at least one blade server in the VLAN wishes to receive multicast traffic, the router continues forwarding the multicast traffic to the VLAN.
IGMP Report Suppression
Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.
The switch uses IGMP report suppression to forward only one IGMP report per multicast router query to multicast devices.
Configuring IGMP Snooping
Table 18-3 Default IGMP Snooping Configuration (continued)
Feature | Default Setting
Multicast router learning (snooping) method | PIM-DVMRP
IGMP snooping Immediate Leave | Disabled
Static groups | None configured
TCN (footnote 1) flood query count | 2
TCN query solicitation | Disabled
IGMP snooping querier | Disabled
IGMP report suppression | Enabled
1.
Step 3 Command: end
Purpose: Return to privileged EXEC mode.
Step 4 Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
To disable IGMP snooping on a VLAN interface, use the no ip igmp snooping vlan vlan-id global configuration command for the specified VLAN number.
To return to the default learning method, use the no ip igmp snooping vlan vlan-id mrouter learn cgmp global configuration command.
Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group:
Step 1 Command: configure terminal
Purpose: Enter global configuration mode.
Step 2 Command: ip igmp snooping vlan vlan-id static ip_address interface interface-id
Purpose: Statically configure a Layer 2 port as a member of a multicast group:
• vlan-id is the multicast group VLAN ID. The range is 1 to 1001 and 1006 to 4094.
To disable IGMP Immediate Leave on a VLAN, use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command.
Controlling the Multicast Flooding Time After a TCN Event
You can control the time that multicast traffic is flooded after a TCN event by using the ip igmp snooping tcn flood query count global configuration command. This command configures the number of general queries for which multicast data traffic is flooded after a TCN event.
Step 4 Command: show ip igmp snooping
Purpose: Verify the TCN settings.
Step 5 Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
To return to the default query solicitation, use the no ip igmp snooping tcn query solicit global configuration command.
• When administratively enabled, the IGMP snooping querier moves to the nonquerier state if it detects the presence of a multicast router in the network.
• When it is administratively enabled, the IGMP snooping querier moves to the operationally disabled state under these conditions:
– IGMP snooping is disabled in the VLAN.
– PIM is enabled on the SVI of the corresponding VLAN.
This example shows how to set the IGMP snooping querier feature to version 2:
Switch# configure terminal
Switch(config)# ip igmp snooping querier version 2
Switch(config)# end
Disabling IGMP Report Suppression
Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.
Displaying IGMP Snooping Information
To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 18-4.
Table 18-4 Commands for Displaying IGMP Snooping Information
Command | Purpose
show ip igmp snooping [vlan vlan-id] | Display the snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.
Understanding Multicast VLAN Registration
Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service-provider network (for example, the broadcast of multiple television channels over a service-provider network). MVR allows a subscriber on a port to subscribe and unsubscribe to a multicast stream on the network-wide multicast VLAN.
Using MVR in a Multicast Television Application
In a multicast television application, a PC or a television with a set-top box can receive the multicast stream. Multiple set-top boxes or PCs can be connected to one subscriber port, which is a switch port configured as an MVR receiver port. Figure 18-3 is an example configuration. DHCP assigns an IP address to the set-top box or the PC.
When a subscriber changes channels or turns off the television, the set-top box sends an IGMP leave message for the multicast stream. The switch CPU sends a MAC-based general query through the receiver port VLAN. If there is another set-top box in the VLAN still subscribing to this group, that set-top box must respond within the maximum response time specified in the query.
Configuring MVR
Table 18-5 Default MVR Configuration (continued)
Feature | Default Setting
Interface (per port) default | Neither a receiver nor a source port
Immediate Leave | Disabled on all ports
MVR Configuration Guidelines and Limitations
Follow these guidelines when configuring MVR:
• Receiver ports can only be access ports; they cannot be trunk ports. Receiver ports on a switch can be in different VLANs, but should not belong to the multicast VLAN.
Step 4 Command: mvr querytime value
Purpose: (Optional) Define the maximum time to wait for IGMP report memberships on a receiver port before removing the port from multicast group membership. The value is in units of tenths of a second. The range is 1 to 100, and the default is 5 tenths or one-half second.
Step 5 Command: mvr vlan vlan-id
Purpose: (Optional) Specify the VLAN in which multicast data is received; all source ports must belong to this VLAN.
Step 4 Command: mvr type {source | receiver}
Purpose: Configure an MVR port as one of these:
• source—Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN.
• receiver—Configure a port as a receiver port if it is a subscriber port and should only receive multicast data.
Displaying MVR Information
You can display MVR information for the switch or for a specified interface.
Configuring IGMP Filtering and Throttling
IGMP filtering is applicable only to the dynamic learning of IP multicast group addresses, not static configuration. With the IGMP throttling feature, you can set the maximum number of IGMP groups that a Layer 2 interface can join.
• permit: Specifies that matching addresses are permitted.
• range: Specifies a range of IP addresses for the profile. You can enter a single IP address or a range with a start and an end address.
The default is for the switch to have no IGMP profiles configured. When a profile is configured, if neither the permit nor deny keyword is included, the default is to deny access to the range of IP addresses.
Beginning in privileged EXEC mode, follow these steps to apply an IGMP profile to a switch port:
Step 1 Command: configure terminal
Purpose: Enter global configuration mode.
Step 2 Command: interface interface-id
Purpose: Specify the physical interface, and enter interface configuration mode. The interface must be a Layer 2 port that does not belong to an EtherChannel port group.
To remove the maximum group limitation and return to the default of no maximum, use the no ip igmp max-groups interface configuration command. This example shows how to limit to 25 the number of IGMP groups that a port can join.
Step 4 Command: end
Purpose: Return to privileged EXEC mode.
Step 5 Command: show running-config interface interface-id
Purpose: Verify the configuration.
Step 6 Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
To return to the default action of dropping the report, use the no ip igmp max-groups action interface configuration command.
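The following added example (not Cisco code) models the IGMP filtering and throttling decisions described above for one Layer 2 port: an IGMP profile built from permit/deny and range lines, and an ip igmp max-groups limit with the default action of dropping the report. It assumes, beyond what the page states, that a permit profile allows only its listed ranges and a deny profile denies only its listed ranges.

```python
"""Model of per-port IGMP filtering (ip igmp filter) and throttling
(ip igmp max-groups) as described in this chapter. Added example, not
the switch's own code. Assumptions not stated on the page: a permit
profile allows only the listed ranges, a deny profile denies only the
listed ranges, and the throttling action is the default (drop the report).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple


@dataclass
class IgmpProfile:
    # The page states that a profile with neither keyword defaults to deny.
    action: str = "deny"
    ranges: List[Tuple[IPv4Address, IPv4Address]] = field(default_factory=list)

    def matches(self, group: IPv4Address) -> bool:
        return any(lo <= group <= hi for lo, hi in self.ranges)

    def permits(self, group: IPv4Address) -> bool:
        hit = self.matches(group)
        # permit profile: only matching groups pass; deny profile: matching groups fail
        return hit if self.action == "permit" else not hit


def parse_profile(lines: List[str]) -> IgmpProfile:
    """Parse the body lines of an 'ip igmp profile' block, for example
    ['permit', 'range 229.9.9.0 229.9.9.255'] or ['range 224.1.2.3']
    (a range may be a single address or a start and an end address)."""
    prof = IgmpProfile()
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        if parts[0] in ("permit", "deny"):
            prof.action = parts[0]
        elif parts[0] == "range":
            lo = IPv4Address(parts[1])
            hi = IPv4Address(parts[2]) if len(parts) > 2 else lo
            prof.ranges.append((lo, hi))
    return prof


@dataclass
class Port:
    profile: Optional[IgmpProfile] = None   # ip igmp filter <profile>
    max_groups: Optional[int] = None        # ip igmp max-groups; None = no maximum (default)
    groups: Set[IPv4Address] = field(default_factory=set)

    def handle_join(self, group: str) -> str:
        """Apply filtering, then throttling, to an IGMP join (membership report).
        Returns 'forwarded', 'filtered' or 'throttled'."""
        addr = IPv4Address(group)
        # Filtering applies to dynamically learned groups only (static entries
        # are never placed in self.groups by this path).
        if self.profile is not None and not self.profile.permits(addr):
            return "filtered"
        if addr in self.groups:
            return "forwarded"          # existing membership is refreshed
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            return "throttled"          # default action: the report is dropped
        self.groups.add(addr)
        return "forwarded"


def demo() -> List[str]:
    """Constructed scenario: permit-only profile for 229.9.9.0-229.9.9.255 and a
    max-groups limit of 2 (the page's example uses 25)."""
    port = Port(profile=parse_profile(["permit", "range 229.9.9.0 229.9.9.255"]),
                max_groups=2)
    joins = ["229.9.9.10", "224.1.2.3", "229.9.9.20", "229.9.9.30", "229.9.9.10"]
    return [port.handle_join(g) for g in joins]


if __name__ == "__main__":
    for group, result in zip(
            ["229.9.9.10", "224.1.2.3", "229.9.9.20", "229.9.9.30", "229.9.9.10"], demo()):
        print(f"join {group}: {result}")
```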
Chapter 19 Configuring Port-Based Traffic Control
This chapter describes how to configure the port-based traffic control features on the switch.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Configuring Storm Control
Storm control uses one of these methods to measure traffic activity:
• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
With each method, the p
Default Storm Control Configuration
By default, unicast, broadcast, and multicast storm control are disabled on the switch interfaces; that is, the suppression level is 100 percent.
Configuring Storm Control and Threshold Levels
You configure storm control on a port and enter the threshold level that you want to be used for a particular type of traffic.
Step 3 Command: storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
Purpose: Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled. The keywords have these meanings:
• For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage (up to two decimal places) of the bandwidth.
Step 6 Command: show storm-control [interface-id] [broadcast | multicast | unicast]
Purpose: Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.
Step 7 Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
Default Protected Port Configuration
The default is to have no protected ports defined.
Protected Port Configuration Guidelines
You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.
Default Port Blocking Configuration
The default is to not block flooding of unknown multicast and unicast traffic out of a port, but to flood these packets to all ports.
Blocking Flooded Traffic on an Interface
Note The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.
Configuring Port Security
These sections contain this conceptual and configuration information:
• Understanding Port Security, page 19-8
• Default Port Security Configuration, page 19-10
• Port Security Configuration Guidelines, page 19-10
• Enabling and Configuring Port Security, page 19-11
• Enabling and Configuring Port Security Aging, page 19-15
Understanding Port Security
These sections contain this conceptual information:
• Secure MAC Add
The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.
Default Port Security Configuration
Table 19-2 shows the default port security configuration for an interface.
Table 19-2 Default Port Security Configuration
Feature | Default Setting
Port security | Disabled on a port.
Sticky address learning | Disabled.
Maximum number of secure MAC addresses per port | 1.
Violation mode | Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded.
Table 19-3 summarizes port security compatibility with other port-based features.
Table 19-3 Port Security Compatibility with Other Switch Features
Type of Port or Feature on Port | Compatible with Port Security
DTP port (footnotes 1, 2) | No
Trunk port | Yes
Dynamic-access port (footnote 3) | No
SPAN source port | Yes
SPAN destination port | No
EtherChannel | No
Protected port | Yes
IEEE 802.1x port | Yes
Voice VLAN port (footnote 4) | Yes
Flex Links | Yes
1.
Step 6 Command: switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]]
Purpose: (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system.
Step 8 Command: switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]]
Purpose: (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table. All addresses are now dynamically learned.
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Switch(config-if)# switchport port-security mac-address 0000.0000.
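As an added example (not Cisco code), the script below audits a running-config for the two port-level guidelines this guide gives: the DHCP snooping rules from Chapter 17 (client ports untrusted, no allow-untrusted on an aggregation switch) and the port security settings from this section, filling in the Table 19-2 defaults where a port does not override them. The running-config text and interface names are constructed for the demonstration.

```python
"""Audit an IOS running-config for DHCP snooping trust and port security.
Added example, not part of the guide. SAMPLE_CONFIG is constructed."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
ip dhcp snooping vlan 21,22
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
!
interface GigabitEthernet0/1
 switchport access vlan 21
 switchport mode access
 switchport port-security
 switchport port-security maximum 20
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address 0000.0000.0003
 switchport port-security mac-address sticky 0000.0000.0001 vlan voice
!
interface GigabitEthernet0/2
 switchport mode access
 ip dhcp snooping trust
!
interface GigabitEthernet0/17
 switchport mode trunk
 ip dhcp snooping trust
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface sub-command lines.
    Sub-commands are the indented lines that follow an 'interface' line; '!' ends a block."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def port_security_summary(lines: List[str]) -> Optional[dict]:
    """Summarise port security on one interface, starting from the Table 19-2
    defaults (maximum 1, violation shutdown, sticky disabled). Per-VLAN maxima
    ('maximum N vlan ...') are left out of this summary."""
    if "switchport port-security" not in lines:
        return None
    summary = {"maximum": 1, "violation": "shutdown", "sticky": False, "configured_macs": []}
    for line in lines:
        m = re.match(r"switchport port-security maximum (\d+)$", line)
        if m:
            summary["maximum"] = int(m.group(1))
        m = re.match(r"switchport port-security violation (\S+)", line)
        if m:
            summary["violation"] = m.group(1)
        if line == "switchport port-security mac-address sticky":
            summary["sticky"] = True
        # Static and sticky addresses entered by hand (xxxx.xxxx.xxxx form)
        m = re.match(r"switchport port-security mac-address (?:sticky )?([0-9a-f.]{14})", line)
        if m:
            summary["configured_macs"].append(m.group(1))
    return summary


def audit(text: str) -> Tuple[List[str], Dict[str, dict]]:
    """Return (findings, port security summaries by interface)."""
    global_lines, interfaces = parse_config(text)
    findings: List[str] = []
    if "ip dhcp snooping information option allow-untrusted" in global_lines:
        findings.append("global: allow-untrusted is set; an untrusted device could spoof option-82")
    for name, lines in interfaces.items():
        # Guideline: a port connected to a DHCP client should be untrusted.
        if "ip dhcp snooping trust" in lines and "switchport mode access" in lines:
            findings.append(f"{name}: access port is DHCP snooping trusted; client ports should be untrusted")
    summaries = {n: s for n, s in ((n, port_security_summary(l)) for n, l in interfaces.items()) if s}
    return findings, summaries


if __name__ == "__main__":
    found, ports = audit(SAMPLE_CONFIG)
    for f in found:
        print("FINDING", f)
    for name, s in ports.items():
        print(name, s)
```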
To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command. To disable aging for only statically configured secure addresses, use the no switchport port-security aging static interface configuration command.
Chapter 20 Configuring CDP
This chapter describes how to configure Cisco Discovery Protocol (CDP) on the switch.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Configuring CDP
These sections contain this configuration information:
• Default CDP Configuration, page 20-2
• Configuring the CDP Characteristics, page 20-2
• Disabling and Enabling CDP, page 20-3
• Disabling and Enabling CDP on an Interface, page 20-4
Default CDP Configuration
Table 20-1 shows the default CDP configuration.
Step 6 Command: show cdp
Purpose: Verify your settings.
Step 7 Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
Use the no form of the CDP commands to return to the default settings. This example shows how to configure CDP characteristics.
Disabling and Enabling CDP on an Interface
CDP is enabled by default on all supported interfaces to send and to receive CDP information.
Beginning in privileged EXEC mode, follow these steps to disable CDP on a port:
Step 1 Command: configure terminal
Purpose: Enter global configuration mode.
Step 2 Command: interface interface-id
Purpose: Specify the interface on which you are disabling CDP, and enter interface configuration mode.
Monitoring and Maintaining CDP
Command | Description
show cdp entry entry-name [protocol | version] | Display information about a specific neighbor. You can enter an asterisk (*) to display all CDP neighbors, or you can enter the name of the neighbor about which you want information. You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device.
Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide 20-6 OL-8915-01
Chapter 21 Configuring UDLD
This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the switch.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding UDLD
In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection. If the ports are connected correctly but the traffic is one way, UDLD does not detect the unidirectional link because the Layer 1 mechanism, which is supposed to detect this condition, does not do so.
If the detection window ends and no valid reply message is received, the link might shut down, depending on the UDLD mode. When UDLD is in normal mode, the link might be considered undetermined and might not be shut down. When UDLD is in aggressive mode, the link is considered unidirectional, and the port is disabled.
Configuring UDLD
Default UDLD Configuration
Table 21-1 shows the default UDLD configuration.
Enabling UDLD Globally
Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch:
Step 1 Command: configure terminal
Purpose: Enter global configuration mode.
Step 3 Command: udld port [aggressive]
Purpose: UDLD is disabled by default.
• udld port—Enables UDLD in normal mode on the specified port.
• udld port aggressive—Enables UDLD in aggressive mode on the specified port.
Note Use the no udld port interface configuration command to disable UDLD on a specified fiber-optic port. For more information about aggressive and normal modes, see the “Modes of Operation” section on page 21-1.
Chapter 22 Configuring SPAN and RSPAN
This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the switch.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding SPAN and RSPAN
These sections contain this conceptual information:
• Local SPAN, page 22-2
• Remote SPAN, page 22-2
• SPAN and RSPAN Concepts and Terminology, page 22-3
• SPAN and RSPAN Interaction with Other Features, page 22-8
Local SPAN
Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports are in the same switch.
Figure 22-2 Example of RSPAN Configuration (figure: RSPAN source sessions A and B, each with RSPAN source ports, on Switch A and Switch B; the RSPAN VLAN carried across intermediate switches, which must support the RSPAN VLAN; the RSPAN destination session and RSPAN destination ports on Switch C)
SPAN and RSPAN Concepts and Terminology
This section describes concepts and terminology associated with SPAN and RSPAN configuration.
An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed over normal trunk ports to the destination switch. An RSPAN destination session takes all packets received on the RSPAN VLAN, strips off the VLAN tagging, and presents them on the destination port.
• Transmit (Tx) SPAN—The goal of transmit (or egress) SPAN is to monitor as much as possible all the packets sent by the source interface after all modification and processing is performed by the switch. A copy of each packet sent by the source is sent to the destination port for that SPAN session. The copy is provided after the packet is modified.
• It can be an access port, trunk port, or voice VLAN port.
• It cannot be a destination port.
• Source ports can be in the same or different VLANs.
• You can monitor multiple source ports in a single session.
Source VLANs
VLAN-based SPAN (VSPAN) is the monitoring of the network traffic in one or more VLANs. The SPAN or RSPAN source interface in VSPAN is a VLAN ID, and traffic is monitored on all the ports for that VLAN.
A destination port has these characteristics:
• For a local SPAN session, the destination port must reside on the same switch as the source port. For an RSPAN session, it is located on the switch containing the RSPAN destination session. There is no destination port on a switch running only an RSPAN source session.
• When a port is configured as a SPAN destination port, the configuration overwrites the original port configuration.
For VLANs 1 to 1005 that are visible to VLAN Trunking Protocol (VTP), the VLAN ID and its associated RSPAN characteristic are propagated by VTP. If you assign an RSPAN VLAN ID in the extended VLAN range (1006 to 4094), you must manually configure all intermediate switches. It is normal to have multiple RSPAN VLANs in a network at the same time with each RSPAN VLAN defining a network-wide RSPAN session.
Configuring SPAN and RSPAN
• An IEEE 802.1x port can be a SPAN source port. You can enable IEEE 802.1x on a port that is a SPAN destination port; however, IEEE 802.1x is disabled until the port is removed as a SPAN destination. For SPAN sessions, do not enable IEEE 802.1x on ports with monitored egress when ingress forwarding is enabled on the destination port. For RSPAN source sessions, do not enable IEEE 802.1x on any ports that are egress monitored.
SPAN Configuration Guidelines
Follow these guidelines when configuring SPAN:
• For SPAN sources, you can monitor traffic for a single port or VLAN or a series or range of ports or VLANs for each session. You cannot mix source ports and source VLANs within a single SPAN session.
• The destination port cannot be a source port; a source port cannot be a destination port.
• You cannot have two SPAN sessions using the same destination port.
Step 3 Command: monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
Purpose: Specify the SPAN session and the source port (monitored port). For session_number, the range is 1 to 66. For interface-id, specify the source port or source VLAN to monitor.
• For source interface-id, specify the source port to monitor.
Step 6 Command: show monitor [session session_number]
Command: show running-config
Purpose: Verify the configuration.
Step 7 Command: copy running-config startup-config
Purpose: (Optional) Save the configuration in the configuration file.
To delete a SPAN session, use the no monitor session session_number global configuration command.
Creating a Local SPAN Session and Configuring Incoming Traffic
Beginning in privileged EXEC mode, follow these steps to create a SPAN session, to specify the source ports or VLANs and the destination ports, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance).
To delete a SPAN session, use the no monitor session session_number global configuration command. To remove a source or destination port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command or the no monitor session session_number destination interface interface-id global configuration command.
Step 5 Command: monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
Purpose: Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3. For interface-id, specify the destination port. The destination interface must be a physical port; it cannot be an EtherChannel, and it cannot be a VLAN.
• You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets. Specify these ACLs on the RSPAN VLAN in the RSPAN source switches.
• For RSPAN configuration, you can distribute the source ports and the destination ports across multiple switches in your network.
• RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols.
Beginning in privileged EXEC mode, follow these steps to create an RSPAN VLAN:
Step 1 Command: configure terminal
Purpose: Enter global configuration mode.
Step 2 Command: vlan vlan-id
Purpose: Enter a VLAN ID to create a VLAN, or enter the VLAN ID of an existing VLAN, and enter VLAN configuration mode. The range is 2 to 1001 and 1006 to 4094.
Step 3 Command: monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
Purpose: Specify the RSPAN session and the source port (monitored port). For session_number, the range is 1 to 66. Enter a source port or source VLAN for the RSPAN session:
• For interface-id, specify the source port to monitor.
Creating an RSPAN Destination Session
You configure the RSPAN destination session on a different switch; that is, not the switch on which the source session was configured.
This example shows how to configure VLAN 901 as the source remote VLAN and port 1 as the destination interface:
Switch(config)# monitor session 1 source remote vlan 901
Switch(config)# monitor session 1 destination interface gigabitethernet0/1
Switch(config)# end
Creating an RSPAN Destination Session and Configuring Incoming Traffic
Beginning in privileged EXEC mode, follow these steps to create an RSPAN destination session, to specify the
Step 4 Command: monitor session session_number destination {interface interface-id [, | -] [ingress {dot1q vlan vlan-id | isl | untagged
Purpose: Specify the SPAN session, the destination port, the packet encapsulation, and the incoming VLAN and encapsulation. For session_number, enter the number defined in Step 4.
Specifying VLANs to Filter
Beginning in privileged EXEC mode, follow these steps to configure the RSPAN source session to limit RSPAN source traffic to specific VLANs:
Step 1 Command: configure terminal
Purpose: Enter global configuration mode.
Step 2 Command: no monitor session {session_number | all | local | remote}
Purpose: Remove any existing SPAN configuration for the session. For session_number, the range is 1 to 66.
Displaying SPAN and RSPAN Status
To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
C H A P T E R 23 Configuring RMON This chapter describes how to configure Remote Network Monitoring (RMON) on the switch. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information.
Figure 23-1 Remote Monitoring Example (figure: a network management station running a generic RMON console application, connected to the switch, on which RMON history and statistic collection are enabled, RMON alarms and events are configured, and SNMP is configured; blade servers are attached to the switch)
Chapter 23 Configuring RMON Configuring RMON Default RMON Configuration RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch. Configuring RMON Alarms and Events You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station. We recommend that you use a generic RMON console application on the network management station (NMS) to take advantage of the RMON network management capabilities.
Step 3  rmon event number [description string] [log] [owner string] [trap community]
        Add an event in the RMON event table that is associated with an RMON event number.
        • For number, assign an event number. The range is 1 to 65535.
        • (Optional) For description string, specify a description of the event.
        • (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.
Chapter 23 Configuring RMON Configuring RMON Collecting Group History Statistics on an Interface You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
Step 3  rmon collection stats index [owner ownername]
        Enable RMON statistic collection on the interface.
        • For index, specify the RMON group of statistics. The range is from 1 to 65535.
        • (Optional) For owner ownername, enter the name of the owner of the RMON group of statistics.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        Verify your entries.
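The rmon event entries above are only fired when an RMON alarm crosses a threshold, and the point of an alarm's paired rising and falling thresholds is hysteresis: a variable hovering around one threshold must not generate a log entry or trap on every sample. The following Python class is an added example, not code from this guide or from Cisco; it models that behaviour on a sampled counter. The absolute/delta sampling types and the rising/falling/rising-falling startup choice are assumed from the RMON specification rather than taken from this page, and the readings are constructed.

```python
from typing import List, Optional


class RmonAlarm:
    """Rising/falling threshold alarm with the hysteresis of the RMON alarm table.

    After a rising event fires, no further rising event is generated until the sampled
    value has first dropped to the falling threshold (and the reverse for falling events),
    so a value hovering around one threshold does not flood the RMON log or the trap receiver.
    Assumed: 'absolute' or 'delta' sampling and a startup alarm of 'rising', 'falling' or
    'rising-falling', which is how the RMON specification defines alarm entries.
    """

    def __init__(self, rising: int, falling: int, sample_type: str = "absolute",
                 startup: str = "rising-falling") -> None:
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising, self.falling = rising, falling
        self.sample_type, self.startup = sample_type, startup
        self._last_raw: Optional[int] = None   # previous raw reading, for delta sampling
        self._started = False                  # True once the first sample value has been judged
        self._rising_ok = True                 # a rising event may fire
        self._falling_ok = True                # a falling event may fire

    def sample(self, raw: int) -> Optional[str]:
        """Feed one reading of the monitored variable; return 'rising', 'falling' or None."""
        if self.sample_type == "delta":
            if self._last_raw is None:
                self._last_raw = raw           # a delta needs two readings
                return None
            value, self._last_raw = raw - self._last_raw, raw
        else:
            value = raw
        first, self._started = not self._started, True
        if value >= self.rising and self._rising_ok:
            self._rising_ok = False            # silent until a falling crossing re-arms it
            if not first or "rising" in self.startup:
                self._falling_ok = True
                return "rising"
        elif value <= self.falling and self._falling_ok:
            self._falling_ok = False
            if not first or "falling" in self.startup:
                self._rising_ok = True
                return "falling"
        return None


def run_samples(alarm: RmonAlarm, readings: List[int]) -> List[Optional[str]]:
    """Events produced by a sequence of readings, one entry per reading."""
    return [alarm.sample(r) for r in readings]
```

Feeding a constructed series such as 120, 130, 40, 45, 110 into an alarm with rising threshold 100 and falling threshold 50 produces one rising event, one falling event, and a second rising event only after the value has dipped below 50; the 130 and 45 samples are silent. With delta sampling the same logic is applied to the difference between consecutive readings, which is how a counter such as received errors is normally watched.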
Chapter 24 Configuring System Message Logging
This chapter describes how to configure system message logging on the switch.
Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Chapter 24 Configuring System Message Logging Configuring System Message Logging Configuring System Message Logging These sections contain this configuration information: • System Log Message Format, page 24-2 • Default System Message Logging Configuration, page 24-3 • Disabling Message Logging, page 24-3 (optional) • Setting the Message Display Destination Device, page 24-4 (optional) • Synchronizing Log Messages, page 24-5 (optional) • Enabling and Disabling Time Stamps on Log Messages, page
Table 24-1 System Log Message Elements (continued)
Element      Description
MNEMONIC     Text string that uniquely describes the message.
description  Text string containing detailed information about the event being reported.
Beginning in privileged EXEC mode, follow these steps to disable message logging. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  no logging console
        Disable message logging.
Step 3  end
        Return to privileged EXEC mode.
Step 4  show running-config
        Verify your entries.
Chapter 24 Configuring System Message Logging Configuring System Message Logging Step 3 Command Purpose logging host Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server. To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 24-10.
Chapter 24 Configuring System Message Logging Configuring System Message Logging is returned. Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt. Beginning in privileged EXEC mode, follow these steps to configure synchronous logging. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 24 Configuring System Message Logging Configuring System Message Logging Enabling and Disabling Time Stamps on Log Messages By default, log messages are not time-stamped. Beginning in privileged EXEC mode, follow these steps to enable time-stamping of log messages. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 service timestamps log uptime Enable log time stamps.
To disable sequence numbers, use the no service sequence-numbers global configuration command. This example shows part of a logging display with sequence numbers enabled:
000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
Defining the Message Severity Level
You can limit the messages displayed on the selected device by specifying the severity level of the message; the levels are described in Table 24-3.
Chapter 24 Configuring System Message Logging Configuring System Message Logging Table 24-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.
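A collector receiving these messages has to split each line back into the elements of Table 24-1 and apply the same severity ordering as Table 24-3. The Python below is an added example written for this page, not code from the guide; it parses the optional sequence number, the optional timestamp, and the %FACILITY-SEVERITY-MNEMONIC header, and filters by level keyword the way logging trap does. The first sample line is the sequence-number example from this chapter; the other lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity keywords of Table 24-3 (syslog levels; 0 is the most severe).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# seq-no: [timestamp: ]%FACILITY-SEVERITY-MNEMONIC: description
# The sequence number appears only with 'service sequence-numbers' and the timestamp only
# with 'service timestamps log ...', so both prefixes are optional.
_MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>[^%]+?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<description>.*)$"
)


@dataclass
class SyslogMessage:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    description: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_message(line: str) -> Optional[SyslogMessage]:
    """Split one switch log line into its elements; None if it is not a system message."""
    m = _MSG_RE.match(line.strip())
    if m is None:
        return None
    return SyslogMessage(
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        description=m["description"],
    )


def parse_log(text: str) -> List[SyslogMessage]:
    """Parse a block of log output, dropping lines that are not system messages."""
    return [msg for msg in map(parse_message, text.splitlines()) if msg is not None]


def select_by_level(messages: List[SyslogMessage], level_keyword: str) -> List[SyslogMessage]:
    """What 'logging trap <level>' forwards: messages at that level or more severe."""
    limit = {name: num for num, name in SEVERITY_NAMES.items()}[level_keyword]
    return [m for m in messages if m.severity <= limit]


# Constructed sample log; the first line is the sequence-number example from this chapter.
SAMPLE_LOG = """\
000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
000020: *Mar  1 18:46:11.034: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
000021: *Mar  1 18:46:12.010: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
000022: *Mar  1 18:47:03.512: %SYS-5-CONFIG_I: Configured from console by vty1 (10.34.195.99)
not a system message
"""
```

Because a lower number is more severe, selecting "warnings" keeps levels 0 to 4 and drops the level-5 CONFIG_I notifications; a collector that wants to see who changed the configuration therefore needs the switch to send at least notifications, which is why the trap level on the switch and the filter on the collector have to be chosen together.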
Step 3  logging history size number
        Specify the number of syslog messages that can be stored in the history table. The default is to store one message. The range is 0 to 500 messages.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Step 3  Make sure the syslog daemon reads the new changes:
        $ kill -HUP `cat /etc/syslog.pid`
For more information, see the man syslog.conf and man syslogd commands on your UNIX system.
Configuring the UNIX System Logging Facility
When sending system log messages to an external device, you can cause the switch to identify its messages as originating from any of the UNIX syslog facilities.
Table 24-4 Logging Facility-Type Keywords (continued)
Facility Type Keyword   Description
mail                    Mail system
news                    USENET news
sys9-14                 System use
syslog                  System log
user                    User process
uucp                    UNIX-to-UNIX copy system
Displaying the Logging Configuration
To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command.
Chapter 25 Configuring SNMP
This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the switch.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Chapter 25 Configuring SNMP Understanding SNMP • Using SNMP to Access MIB Variables, page 25-4 • SNMP Notifications, page 25-5 • SNMP ifIndex MIB Object Values, page 25-5 SNMP Versions This software release supports these SNMP versions: • SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.
Table 25-1 identifies the characteristics of the different combinations of security models and levels.
Table 25-1 SNMP Security Models and Levels
Model    Level         Authentication    Encryption  Result
SNMPv1   noAuthNoPriv  Community string  No          Uses a community string match for authentication.
SNMPv2C  noAuthNoPriv  Community string  No          Uses a community string match for authentication.
Chapter 25 Configuring SNMP Understanding SNMP SNMP Agent Functions The SNMP agent responds to SNMP manager requests as follows: • Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value. • Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.
Chapter 25 Configuring SNMP Understanding SNMP SNMP Notifications SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests. In command syntax, unless there is an option in the command to select either traps or informs, the keyword traps refers to either traps or informs, or both. Use the snmp-server host command to specify whether to send SNMP notifications as traps or informs.
Chapter 25 Configuring SNMP Configuring SNMP Configuring SNMP These sections contain this configuration information: • Default SNMP Configuration, page 25-6 • SNMP Configuration Guidelines, page 25-6 • Disabling the SNMP Agent, page 25-7 • Configuring Community Strings, page 25-8 • Configuring SNMP Groups and Users, page 25-9 • Configuring SNMP Notifications, page 25-11 • Setting the Agent Contact and Location Information, page 25-14 • Limiting TFTP Servers Used Through SNMP, page 25-15 •
Chapter 25 Configuring SNMP Configuring SNMP When configuring SNMP, follow these guidelines: • When configuring an SNMP group, do not specify a notify view. The snmp-server host global configuration command autogenerates a notify view for the user and then adds it to the group associated with that user. Modifying the group's notify view affects all users associated with that group. See the Cisco IOS Configuration Fundamentals Command Reference, Release 12.
Chapter 25 Configuring SNMP Configuring SNMP Configuring Community Strings You use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the switch.
Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Note: To disable access for an SNMP community, set the community string for that community to the null string (do not enter a value for the community string). To remove a specific community string, use the no snmp-server community string global configuration command.
Step 3  snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
        Configure a new SNMP group on the remote device.
        • For groupname, specify the name of the group.
        • Specify a security model:
          – v1 is the least secure of the possible security models.
          – v2c is the second least secure model. It allows transmission of informs and integers twice the normal width.
Step 4  snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]}
        Add a new user for an SNMP group.
        • The username is the name of the user on the host that connects to the agent.
        • The groupname is the name of the group to which the user is associated.
Table 25-5 Switch Notification Types (continued)
Notification Type Keyword   Description
config-copy   Generates a trap for SNMP copy configuration changes.
entity        Generates a trap for SNMP entity changes.
envmon        Generates environmental monitor traps. You can enable any or all of these environmental traps: fan, shutdown, status, supply, temperature.
flash         Generates SNMP FLASH notifications.
Chapter 25 Configuring SNMP Configuring SNMP Beginning in privileged EXEC mode, follow these steps to configure the switch to send traps or informs to a host: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server engineID remote ip-address engineid-string Specify the engine ID for the remote host.
Step 9  snmp-server trap-timeout seconds
        (Optional) Define how often to resend trap messages. The range is 1 to 1000; the default is 30 seconds.
Step 10 end
        Return to privileged EXEC mode.
Step 11 show running-config
        Verify your entries.
Step 12 copy running-config startup-config
        (Optional) Save your entries in the configuration file.
The snmp-server host command specifies which hosts receive the notifications.
Chapter 25 Configuring SNMP Configuring SNMP Limiting TFTP Servers Used Through SNMP Beginning in privileged EXEC mode, follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server tftp-server-list access-list-number Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list.
This example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.
Switch(config)# snmp-server community comaccess ro 4
Switch(config)# snmp-server enable traps snmp authentication
Switch(config)# snmp-server host cisco.
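Table 25-1 and the community-string section make the risk concrete: under SNMPv1 and SNMPv2C the community string is the only credential and it travels in clear, so a read-write community without an access list is effectively a configuration password offered to the whole network, while a v3 group below the priv level still sends its data unencrypted. The Python below is an added example, not code from this guide or from Cisco; it walks the snmp-server lines of a running-config excerpt and reports those weak settings. The excerpt is constructed, apart from the comaccess ro 4 community taken from the example above, and the line formats assumed are the ones shown in this chapter.

```python
from typing import List

# Community strings shipped as factory defaults on many devices; never leave them in service.
DEFAULT_COMMUNITIES = {"public", "private"}


def _community_findings(tokens: List[str], line: str) -> List[str]:
    # snmp-server community string [view view-name] [ro | rw] [access-list-number]
    name, rest = tokens[2], tokens[3:]
    if rest[:1] == ["view"]:
        rest = rest[2:]
    mode, acl = "ro", None            # ro is the default when neither keyword is given
    for tok in rest:
        if tok in ("ro", "rw"):
            mode = tok
        else:
            acl = tok
    out = []
    if name.lower() in DEFAULT_COMMUNITIES:
        out.append(f"{line}: default community string '{name}'")
    if mode == "rw":
        out.append(f"{line}: read-write community; a leaked string allows configuration changes")
    if acl is None:
        out.append(f"{line}: no access list; any host that knows the string can query the agent")
    return out


def _group_findings(tokens: List[str], line: str) -> List[str]:
    # snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} ...
    model = tokens[3] if len(tokens) > 3 else ""
    if model in ("v1", "v2c"):
        return [f"{line}: {model} group authenticates by community string only and is never encrypted"]
    if model == "v3" and (len(tokens) < 5 or tokens[4] != "priv"):
        return [f"{line}: v3 group without priv; requests are authenticated but sent in clear"]
    return []


def _host_findings(tokens: List[str], line: str) -> List[str]:
    # snmp-server host address [version {1 | 2c | 3 {auth | noauth | priv}}] community-or-user
    if "version" not in tokens:
        return [f"{line}: notifications default to SNMPv1 and carry the community string in clear"]
    i = tokens.index("version")
    ver = tokens[i + 1] if i + 1 < len(tokens) else ""
    if ver != "3":
        return [f"{line}: SNMPv{ver} notifications carry the community string in clear"]
    if i + 2 >= len(tokens) or tokens[i + 2] != "priv":
        return [f"{line}: SNMPv3 notifications without priv are not encrypted"]
    return []


def audit_snmp_config(config: str) -> List[str]:
    """Return one finding per weak SNMP setting in a running-config excerpt."""
    findings: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "snmp-server":
            continue
        if tokens[1] == "community":
            findings += _community_findings(tokens, line)
        elif tokens[1] == "group":
            findings += _group_findings(tokens, line)
        elif tokens[1] == "host":
            findings += _host_findings(tokens, line)
    return findings


# Constructed excerpt; 'comaccess ro 4' is the restricted community from this chapter's example.
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
snmp-server community comaccess ro 4
snmp-server group netops v3 auth read ro-view
snmp-server group mgmt v3 priv read ro-view
snmp-server host 10.1.1.5 version 2c public
snmp-server host 10.1.1.6 version 3 priv opsuser
snmp-server enable traps snmp authentication
"""
```

On the constructed excerpt the audit reports nothing for the comaccess community (read-only, bound to access list 4) or for the priv group and host, and flags the two default strings, the read-write community, the communities without an access list, the auth-only v3 group, and the v2c notification host. Run against show running-config output it gives a quick check that the guidelines of this section were actually applied.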
Chapter 26 Configuring Network Security with ACLs
This chapter describes how to configure network security on the switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists.
Note: Information in this chapter about IP ACLs is specific to IP Version 4 (IPv4).
Chapter 26 Configuring Network Security with ACLs Understanding ACLs You configure access lists on a switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic.
Chapter 26 Configuring Network Security with ACLs Understanding ACLs Port ACLs Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on physical interfaces and not on EtherChannel interfaces and can be applied only on interfaces in the inbound direction.
Chapter 26 Configuring Network Security with ACLs Understanding ACLs Note You cannot apply more than one IP access list and one MAC access list to a Layer 2 interface. If an IP access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access list or MAC access list to the interface, the new ACL replaces the previously configured one. VLAN Maps You use VLAN ACLs or VLAN maps to filter traffic between devices in the same VLAN.
Consider access list 102, configured with these commands, applied to three fragmented packets:
Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
Switch(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet
Switch(config)# access-list 102 permit tcp any host 10.1.1.
Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs These are the steps to use IP ACLs on the switch: Step 1 Create an ACL by specifying an access list number or name and the access conditions. Step 2 Apply the ACL to interfaces or terminal lines. You can also apply standard and extended IP ACLs to VLAN maps.
Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Access List Numbers The number you use to denote your ACL shows the type of access list that you are creating. Table 26-1 lists the access-list number and corresponding access list type and shows whether or not they are supported in the switch. The switch supports IPv4 standard and extended access lists, numbers 1 to 199 and 1300 to 2699.
Creating a Numbered Standard ACL
Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  access-list access-list-number {deny | permit} source [source-wildcard]
        Define a standard IPv4 access list by using a source address and wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs The switch always rewrites the order of standard access lists so that entries with host matches and entries with matches having a don’t care mask of 0.0.0.0 are moved to the top of the list, above any entries with non-zero don’t care masks. Therefore, in show command output and in the configuration file, the ACEs do not necessarily appear in the order in which they were entered.
Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Beginning in privileged EXEC mode, follow these steps to create an extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2a access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] Define an extended IPv4 access list and the access conditions.
Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs or Step 2b Command Purpose access-list access-list-number {deny | permit} protocol host source host destination [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] Define an extended IP access list by using an abbreviation for a source and a source wildcard of source 0.0.0.0 and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.
Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Step 2d Step 2e Command Purpose access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] (Optional) Define an extended ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol.
Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs After creating a numbered extended ACL, you can apply it to terminal lines (see the “Applying an IPv4 ACL to a Terminal Line” section on page 26-17), to interfaces (see the “Applying an IPv4 ACL to an Interface” section on page 26-18), or to VLANs (see the “Configuring VLAN Maps” section on page 26-23).
Step 3  deny {source [source-wildcard] | host source | any}
        or
        permit {source [source-wildcard] | host source | any}
        In access-list configuration mode, specify one or more conditions denied or permitted to decide if the packet is forwarded or dropped.
        • host source: a source and source wildcard of source 0.0.0.0.
        • any: a source and source wildcard of 0.0.0.0 255.255.255.255.
Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL entries to a specific ACL. However, you can use no permit and no deny access-list configuration mode commands to remove entries from a named ACL.
Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 show time-range Verify the time-range configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Repeat the steps if you have multiple items that you want in effect at different times. To remove a configured time-range limitation, use the no time-range time-range-name global configuration command.
Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Including Comments in ACLs You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters. The remark can go before or after a permit or deny statement.
Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 show running-config Display the access list configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line configuration command.
Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Hardware and Software Treatment of IP ACLs ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to the CPU for software processing. If the hardware reaches its capacity to store ACL configurations, packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is substantially less than for hardware-forwarded traffic.
Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same port numbers are used throughout the life of the connection. Mail packets coming in from the Internet have a destination port of 25. Because the secure system of the network always accepts mail connections on port 25, the incoming services are controlled. Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.
In this example of a numbered ACL, the Winter and Smith servers are not allowed to browse the web:
Switch(config)# access-list 100 remark Do not allow Winter to browse the web
Switch(config)# access-list 100 deny host 171.69.3.85 any eq www
Switch(config)# access-list 100 remark Do not allow Smith to browse the web
Switch(config)# access-list 100 deny host 171.69.3.
Chapter 26 Configuring Network Security with ACLs Creating Named MAC Extended ACLs Step 3 Command Purpose {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination MAC address mask} [type mask | lsap lsap mask | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo |vines-ip | xns-idp | 0-65535] [cos cos] In extended MAC acce
Chapter 26 Configuring Network Security with ACLs Configuring VLAN Maps • A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one. Beginning in privileged EXEC mode, follow these steps to apply a MAC access list to control access to a Layer 2 interface: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 26 Configuring Network Security with ACLs Configuring VLAN Maps To create a VLAN map and apply it to one or more VLANs, perform these steps: Step 1 Create the standard or extended IPv4 ACLs or named MAC extended ACLs that you want to apply to the VLAN. See the “Creating Standard and Extended IPv4 ACLs” section on page 26-6 and the “Creating a VLAN Map” section on page 26-25. Step 2 Enter the vlan access-map global configuration command to create a VLAN ACL map entry.
Chapter 26 Configuring Network Security with ACLs Configuring VLAN Maps Creating a VLAN Map Each VLAN map consists of an ordered series of entries. Beginning in privileged EXEC mode, follow these steps to create, add to, or delete a VLAN map entry: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vlan access-map name [number] Create a VLAN map, and give it a name and (optionally) a number. The number is the sequence number of the entry within the map.
Chapter 26 Configuring Network Security with ACLs Configuring VLAN Maps This example shows how to create a VLAN map to permit a packet. ACL ip2 permits UDP packets and any packets that match the ip2 ACL are forwarded. In this map, any IP packets that did not match any of the previous ACLs (that is, packets that are not TCP packets or UDP packets) would get dropped.
Switch(config-ext-macl)# permit any any decnet-ip
Switch(config-ext-macl)# permit any any vines-ip
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map drop-mac-default 10
Switch(config-access-map)# match mac address good-hosts
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-mac-default 20
Switch(config-access-map)# match mac address good-protocols
Switch(config-a
Chapter 26 Configuring Network Security with ACLs Configuring VLAN Maps Using VLAN Maps in Your Network These sections describes some typical uses for VLAN maps: • Wiring Closet Configuration, page 26-28 • Denying Access to a Server on a VLAN, page 26-29 Wiring Closet Configuration In a wiring closet configuration, the switch can support a VLAN map and a QoS classification ACL. In Figure 26-3, assume that Host X and Host Y are in different VLANs and are connected to wiring closet switches A and C.
Chapter 26 Configuring Network Security with ACLs Configuring VLAN Maps Next, create VLAN access map map2 so that traffic that matches the http access list is dropped and all other IP traffic is forwarded.
Switch(config)# vlan access-map SERVER1_MAP 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Step 3  Apply the VLAN map to VLAN 10.
Switch(config)# vlan filter SERVER1_MAP vlan-list 10
Displaying IPv4 ACL Configuration
You can display the ACLs that are configured on the switch, and you can display the ACLs that have been applied to interfaces and VLANs.
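Two rules in this chapter decide what an ACL or a VLAN map actually does to a packet: entries are evaluated in order and the first match wins, and every ACL ends with an implicit deny; a VLAN map in turn forwards or drops a packet according to the first entry whose ACL permits it, and, as the ip2 example above describes, drops IP packets that match none of its entries. The Python below is an added example, not code from this guide or from Cisco; it implements wildcard-mask matching, first-match evaluation of extended numbered ACLs with the implicit deny, and the sequencing of VLAN map entries. It serves both the numbered ACL example (Winter and Smith) and the VLAN map example. The ACLs are constructed: ACL 100 follows the Winter entry with the tcp keyword spelled out and a permit-all appended, and 101 and 102 stand in for the tcp and udp class ACLs a map would reference. The drop-when-unmatched rule is stated here as an assumption consistent with the example text.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

PORT_NAMES = {"www": 80, "smtp": 25, "telnet": 23, "domain": 53}


@dataclass
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every IP protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None  # 'eq <port>' on the destination


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: a 1 bit in the mask means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _address(tokens: List[str], i: int):
    """Parse 'any', 'host A' or 'A wildcard' at tokens[i]; return (addr, wildcard, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_extended_acl(text: str) -> Dict[str, List[ACE]]:
    """Parse 'access-list N {permit|deny} proto src dst [eq port]' lines keyed by N; remarks are skipped."""
    acls: Dict[str, List[ACE]] = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, sw, i = _address(t, 4)
        dst, dw, i = _address(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(t[1], []).append(ACE(t[2], t[3], src, sw, dst, dw, dport))
    return acls


def evaluate_acl(aces: List[ACE], pkt: Packet) -> str:
    """First-match evaluation; the implicit deny at the end of every ACL drops what nothing matched."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, ace.src, ace.src_wild)
                and wildcard_match(pkt.dst, ace.dst, ace.dst_wild)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


@dataclass
class VlanMapEntry:
    seq: int
    match_acl: Optional[str]     # ACL number from 'match ip address'; None matches everything
    action: str                  # "forward" or "drop"


def evaluate_vlan_map(entries: List[VlanMapEntry], acls: Dict[str, List[ACE]], pkt: Packet) -> str:
    """Entries are tried in sequence order; a packet matches an entry when the entry's ACL permits it.
    Assumed, and consistent with the example in this section: when no entry matches and the map has
    an IP match clause, the packet is dropped."""
    for e in sorted(entries, key=lambda e: e.seq):
        if e.match_acl is None or evaluate_acl(acls[e.match_acl], pkt) == "permit":
            return e.action
    return "drop" if any(e.match_acl for e in entries) else "forward"


# Constructed ACLs (see the lead-in): 100 follows the Winter entry, 101/102 are tcp/udp class ACLs.
SAMPLE_ACLS = parse_extended_acl("""
access-list 100 remark Do not allow Winter to browse the web
access-list 100 deny tcp host 171.69.3.85 any eq www
access-list 100 permit ip any any
access-list 101 permit tcp any any
access-list 102 permit udp any any
""")
SAMPLE_VLAN_MAP = [VlanMapEntry(10, "101", "forward"), VlanMapEntry(20, "102", "forward")]
```

With ACL 100, a TCP packet from 171.69.3.85 to port 80 is denied while the same host's traffic to any other port, or any other host's web traffic, falls through to the permit-all; without that trailing permit the implicit deny would block everything, which is the most common mistake when a first ACL is written. The VLAN map forwards TCP and UDP and drops an ICMP packet that matches neither entry.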
Chapter 27 Configuring QoS
This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Chapter 27 Configuring QoS Understanding QoS The QoS implementation is based on the Differentiated Services (Diff-Serv) architecture, an emerging standard from the Internet Engineering Task Force (IETF). This architecture specifies that each packet is classified upon entry into the network. The classification is carried in the IP packet header, using 6 bits from the deprecated IP type of service (ToS) field to carry the classification (class) information.
Figure 27-1 QoS Classification Layers in Frames and Packets (figure: an encapsulated packet consisting of Layer 2 header, IP header, and data; a Layer 2 ISL frame consisting of a 26-byte ISL header, the encapsulated frame, and a 4-byte FCS, with 3 bits used for CoS; a Layer 2 802.1Q and 802.
Chapter 27 Configuring QoS Understanding QoS Figure 27-2 shows the basic QoS model. Actions at the ingress port include classifying traffic, policing, marking, queueing, and scheduling: • Classifying a distinct path for a packet by associating it with a QoS label. The switch maps the CoS or DSCP in the packet to a QoS label to distinguish one kind of traffic from another. The QoS label that is generated identifies all future QoS actions to be performed on this packet.
Chapter 27 Configuring QoS Understanding QoS Classification Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally disabled, so no classification occurs. During classification, the switch performs a lookup and assigns a QoS label to the packet.
After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages.
Figure 27-3 Classification Flowchart (flowchart steps: Start; Read ingress interface configuration for classification; Trust CoS (IP and non-IP traffic); Trust DSCP (IP traffic); Trust IP precedence (IP traffic); Trust DSCP or IP precedence (non-IP traffic); Assign DSCP identical to DSCP in packet.)
Chapter 27 Configuring QoS Understanding QoS Classification Based on QoS ACLs You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs: Note • If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.
Chapter 27 Configuring QoS Understanding QoS The policy map can contain the police and police aggregate policy-map class configuration commands, which define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded. To enable the policy map, you attach it to a port by using the service-policy interface configuration command. You can apply a nonhierarchical policy map to a physical port or an SVI.
Chapter 27 Configuring QoS Understanding QoS Policing on Physical Ports In policy maps on physical ports, you can create these types of policers: • Individual—QoS applies the bandwidth limits specified in the policer separately to each matched traffic class. You configure this type of policer within a policy map by using the police policy-map class configuration command. • Aggregate—QoS applies the bandwidth limits specified in an aggregate policer cumulatively to all matched traffic flows.
Figure 27-4 Policing and Marking Flowchart on Physical Ports (flowchart steps: Start; Get the classification result for the packet; Is a policer configured for this packet? If no, done; if yes, check if the packet is in profile by querying the policer; if in profile, pass through; if not, check the out-of-profile action configured for this policer: Drop drops the packet, Mark modifies the DSCP according to the policed-DSCP map and generates a new QoS label; Done.)
See the “Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps” section on page 27-51 for an example of a hierarchical policy map. Figure 27-5 shows the policing and marking process when hierarchical policy maps are used on an SVI.
Figure 27-5 Policing and Marking Flowchart on SVIs (flowchart steps: Start; Get the VLAN and interface-level classification results for the packet.)
Mapping Tables
During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS label based on the DSCP or CoS value from the classification stage:
• During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or CoS value from a received CoS, DSCP, or IP precedence value. These maps include the CoS-to-DSCP map and the IP-precedence-to-DSCP map.
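Classification reads the CoS bits of the 802.1Q tag or the DSCP bits of the IP ToS byte and, depending on the trust state of the ingress port, either keeps the received value or derives the internal label through a mapping table. The Python below is an added example, not code from this guide or from Cisco; it extracts both fields from a raw frame and applies the trust states of Figure 27-3, including the fallback to the CoS path for non-IP traffic on a port that trusts DSCP or IP precedence. The CoS-to-DSCP and IP-precedence-to-DSCP tables are assumed to be the defaults (0 8 16 24 32 40 48 56) and the DSCP-to-CoS table the default dscp // 8; the frames and the VLAN number are constructed.

```python
import struct

# Default mapping tables used during classification (assumed to be the switch defaults).
COS_TO_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]
IPPREC_TO_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]

ETHERTYPE_DOT1Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def dscp_to_cos(dscp: int) -> int:
    """Default DSCP-to-CoS map: 0-7 -> 0, 8-15 -> 1, ..., 56-63 -> 7."""
    return dscp >> 3


def read_qos_fields(frame: bytes):
    """Return (cos, dscp): CoS from the 3 priority bits of the 802.1Q TCI (None if untagged),
    DSCP from the top 6 bits of the IP ToS byte (None for non-IP frames)."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    cos, l3_offset = None, 14
    if ethertype == ETHERTYPE_DOT1Q:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        cos, l3_offset = tci >> 13, 18
    dscp = None
    if ethertype == ETHERTYPE_IPV4:
        dscp = frame[l3_offset + 1] >> 2       # ToS byte is the second byte of the IP header
    return cos, dscp


def classify(frame: bytes, trust: str, port_cos: int = 0) -> int:
    """Internal DSCP (the QoS label) for a frame arriving on a port whose trust state is
    'dscp', 'ip-precedence', 'cos' or 'none' (untrusted). Non-IP traffic under a DSCP or
    IP-precedence trust state falls back to the CoS path, as the classification flowchart shows."""
    cos, dscp = read_qos_fields(frame)
    if trust == "dscp" and dscp is not None:
        return dscp                             # DSCP identical to the DSCP in the packet
    if trust == "ip-precedence" and dscp is not None:
        return IPPREC_TO_DSCP[dscp >> 3]        # top 3 bits of the ToS byte are the precedence
    if trust in ("dscp", "ip-precedence", "cos"):
        return COS_TO_DSCP[cos if cos is not None else port_cos]
    return COS_TO_DSCP[port_cos]                # untrusted port: the port's default CoS


def make_frame(cos=None, dscp=None) -> bytes:
    """Constructed test frame: zeroed MAC addresses, optional 802.1Q tag (VLAN 100),
    and either a minimal IPv4 header carrying the DSCP or a non-IP (LLDP) payload."""
    hdr = bytes(12)
    if cos is not None:
        hdr += struct.pack("!HH", ETHERTYPE_DOT1Q, (cos << 13) | 100)
    if dscp is None:
        return hdr + struct.pack("!H", 0x88CC) + bytes(46)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0, bytes(4), bytes(4))
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + ip
```

A voice packet tagged with CoS 5 and marked DSCP 46 keeps 46 on a port that trusts DSCP, becomes 40 when the port trusts CoS or IP precedence (both map the value 5 through the default table), and becomes 0 on an untrusted port. Trusting CoS on a port where a host can write its own 802.1Q tags lets that host pick its own queue, which is why trust is normally granted only to ports facing infrastructure that already polices marking.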
Chapter 27 Configuring QoS Understanding QoS Queueing and Scheduling Overview The switch has queues at specific points to help prevent congestion as shown in Figure 27-6.
Chapter 27 Configuring QoS Understanding QoS CoS 6-7 CoS 4-5 CoS 0-3 WTD and Queue Operation 100% 1000 60% 600 40% 400 0 86692 Figure 27-7 For more information, see the “Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds” section on page 27-66, the “Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set” section on page 27-70, and the “Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID” section on page 27-72.
Chapter 27 Configuring QoS Understanding QoS Queueing and Scheduling on Ingress Queues Figure 27-8 shows the queueing and scheduling flowchart for ingress ports. Figure 27-8 Queueing and Scheduling Flowchart for Ingress Ports Start Read QoS label (DSCP or CoS value). Determine ingress queue number, buffer allocation, and WTD thresholds. Are thresholds being exceeded? Yes No Drop packet. Queue the packet. Service the queue according to the SRR weights.
Chapter 27 Configuring QoS Understanding QoS You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
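The mapping and threshold behaviour just described, as an added example that is not code from the Cisco guide: it parses mls qos srr-queue input cos-map commands in the syntax shown above into a CoS-to-(queue, threshold) table, applies WTD to a 1000-packet queue with the 40/60/100 percent thresholds of Figure 27-7, and services two queues with shared round-robin weights as in the last step of Figure 27-8. Class and function names are assumptions; the command lines and the packet burst are constructed.

```python
"""WTD admission and SRR servicing on ingress queues.

Added example, not code from the Cisco guide.  Class and function names
are assumptions; the command lines and the packet burst are constructed.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

# Constructed configuration in the syntax of this page:
#   mls qos srr-queue input cos-map queue queue-id threshold threshold-id cos1...cos8
COS_MAP_COMMANDS = [
    "mls qos srr-queue input cos-map queue 1 threshold 1 0 1 2 3",
    "mls qos srr-queue input cos-map queue 1 threshold 2 4 5",
    "mls qos srr-queue input cos-map queue 1 threshold 3 6 7",
]


def parse_cos_map(commands: List[str]) -> Dict[int, Tuple[int, int]]:
    """Return {cos: (queue_id, threshold_id)} from cos-map commands."""
    cos_map: Dict[int, Tuple[int, int]] = {}
    prefix = ["mls", "qos", "srr-queue", "input", "cos-map", "queue"]
    for line in commands:
        words = line.split()
        if len(words) < 10 or words[:6] != prefix or words[7] != "threshold":
            raise ValueError(f"unsupported command: {line}")
        queue_id, threshold_id = int(words[6]), int(words[8])
        cos_values = [int(w) for w in words[9:]]
        if len(cos_values) > 8 or any(not 0 <= c <= 7 for c in cos_values):
            raise ValueError(f"expected 1 to 8 CoS values in 0..7: {line}")
        for cos in cos_values:
            cos_map[cos] = (queue_id, threshold_id)
    return cos_map


@dataclass
class WtdQueue:
    """One queue with a fixed size and WTD thresholds as a percent of that size."""
    size: int
    thresholds: Dict[int, int]        # threshold id -> percent (the third is always 100)
    packets: Deque[int] = field(default_factory=deque)
    dropped: Dict[int, int] = field(default_factory=dict)

    def enqueue(self, cos: int, threshold_id: int) -> bool:
        """Admit the packet unless its threshold is already reached (tail drop)."""
        limit = self.size * self.thresholds[threshold_id] // 100
        if len(self.packets) >= limit:
            self.dropped[cos] = self.dropped.get(cos, 0) + 1
            return False
        self.packets.append(cos)
        return True


def wtd_burst(stream: List[int], cos_map: Dict[int, Tuple[int, int]],
              queue: WtdQueue) -> Tuple[int, Dict[int, int]]:
    """Offer a burst of packets (CoS values) with no dequeue in between.

    Returns (packets queued, drops per CoS): lower-priority CoS values are
    dropped first because their threshold is reached first.
    """
    queued = 0
    for cos in stream:
        _, threshold_id = cos_map[cos]
        if queue.enqueue(cos, threshold_id):
            queued += 1
    return queued, dict(queue.dropped)


def srr_shared_service(queues: List[WtdQueue], weights: List[int],
                       rounds: int) -> List[int]:
    """Shared round robin: each round serves up to weight[i] packets from queue i.

    Returns the sequence of queue indexes served, which shows the weight ratio.
    """
    served: List[int] = []
    for _ in range(rounds):
        for index, (queue, weight) in enumerate(zip(queues, weights)):
            for _ in range(weight):
                if not queue.packets:
                    break             # an empty queue gives up its turn
                queue.packets.popleft()
                served.append(index)
    return served


if __name__ == "__main__":
    cos_map = parse_cos_map(COS_MAP_COMMANDS)
    q = WtdQueue(size=1000, thresholds={1: 40, 2: 60, 3: 100})
    # constructed burst: 1000 packets each of CoS 0, then CoS 4, then CoS 7
    burst = [0] * 1000 + [4] * 1000 + [7] * 1000
    print(wtd_burst(burst, cos_map, q))   # (1000, {0: 600, 4: 800, 7: 600})
```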
Queueing and Scheduling on Egress Queues
Figure 27-9 shows the queueing and scheduling flowchart for egress ports.
Note If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues.
Figure 27-9 Queueing and Scheduling Flowchart for Egress Ports (start of the flowchart recovered from the figure): receive the packet from the internal ring; read the QoS label (DSCP or CoS value); determine the egress queue number and threshold based on the label.
Figure 27-10 shows the egress queue buffer. The buffer space is divided between the common pool and the reserved pool. The switch uses a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue, to prevent any queue or port from consuming all the buffers and depriving other queues, and to control whether to grant buffer space to a requesting queue.
WTD Thresholds
You can assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an egress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue output dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue output cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
• During policing, IP and non-IP packets can have another DSCP assigned to them (if they are out of profile and the policer specifies a markdown DSCP). Once again, the DSCP in the packet is not modified, but an indication of the marked-down value is carried along. For IP packets, the packet modification occurs at a later stage; for non-IP packets, the DSCP is converted to CoS and used for queueing and scheduling decisions.
Generated Auto-QoS Configuration
By default, auto-QoS is disabled on all ports. When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues as shown in Table 27-2.
trust the QoS label received in the packet. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The switch configures ingress and egress queues on the port according to the settings in Table 27-3 and Table 27-4.
Table 27-5 Generated Auto-QoS Configuration (continued)
Description: The switch automatically maps DSCP values to an ingress queue and to a threshold ID.
Table 27-5 Generated Auto-QoS Configuration (continued)
Description: The switch automatically configures the egress queue buffer sizes. It configures the bandwidth and the SRR mode (shaped or shared) on the egress queues mapped to the port.
Effects of Auto-QoS on the Configuration
When auto-QoS is enabled, the auto qos voip interface configuration command and the generated configuration are added to the running configuration. The switch applies the auto-QoS-generated commands as if the commands were entered from the CLI. An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands. These actions occur without warning.
Enabling Auto-QoS for VoIP
Beginning in privileged EXEC mode, follow these steps to enable auto-QoS for VoIP within a QoS domain:
Step 1 configure terminal: Enter global configuration mode.
Auto-QoS Configuration Example
This section describes how you could implement auto-QoS in a network, as shown in Figure 27-11. For optimum QoS performance, enable auto-QoS on all the devices in the network.
Figure 27-11 Auto-QoS Configuration Example Network (labels recovered from the figure: Cisco router to the Internet, trunk links, video server 172.20.10.)
Note You should not configure any standard QoS commands before entering the auto-QoS commands. You can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed.
Beginning in privileged EXEC mode, follow these steps to configure the switch at the edge of the QoS domain to prioritize the VoIP traffic over all other traffic:
Step 1 debug auto qos: Enable debugging for auto-QoS.
Displaying Auto-QoS Information
To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
Configuring Standard QoS
Default Standard QoS Configuration
QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
Default Egress Queue Configuration
Table 27-9 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited.
Default Mapping Table Configuration
The default CoS-to-DSCP map is shown in Table 27-12 on page 27-59. The default IP-precedence-to-DSCP map is shown in Table 27-13 on page 27-60. The default DSCP-to-CoS map is shown in Table 27-14 on page 27-62. The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value.
• Follow these guidelines when configuring policy maps on physical ports or SVIs:
– You cannot apply the same policy map to a physical port and to an SVI.
– If VLAN-based QoS is configured on a physical port, the switch removes all the port-based policy maps on the port. The traffic on this physical port is now affected by the policy map attached to the SVI to which the physical port belongs.
Enabling QoS Globally
By default, QoS is disabled on the switch. Beginning in privileged EXEC mode, follow these steps to enable QoS. This procedure is required.
Step 1 configure terminal: Enter global configuration mode.
Step 2 mls qos: Enable QoS globally.
Configuring Classification Using Port Trust States
These sections describe how to classify incoming traffic by using port trust states.
Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Specify the port to be trusted, and enter interface configuration mode. Valid interfaces include physical ports.
Step 3 mls qos trust [cos | dscp | ip-precedence]: Configure the port trust state.
Configuring the CoS Value for an Interface
QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports. Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port:
Step 1 configure terminal: Enter global configuration mode.
the telephone is connected to trust the CoS labels of all traffic received on that port. Use the mls qos trust dscp interface configuration command to configure a routed port to which the telephone is connected to trust the DSCP labels of all traffic received on that port.
Enabling DSCP Transparency Mode
The switch supports the DSCP transparency feature. It affects only the DSCP field of a packet at egress. By default, DSCP transparency is disabled. The switch modifies the DSCP field in an incoming packet, and the DSCP field in the outgoing packet is based on the quality of service (QoS) configuration, including the port trust setting, policing and marking, and the DSCP-to-DSCP mutation map.
Figure 27-13 DSCP-Trusted State on a Port Bordering Another QoS Domain (labels recovered from the figure: IP traffic crosses from QoS Domain 1 to QoS Domain 2; set the interface to the DSCP-trusted state and configure the DSCP-to-DSCP-mutation map).
Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map.
To return a port to its non-trusted state, use the no mls qos trust interface configuration command. To return to the default DSCP-to-DSCP-mutation map values, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command.
Classifying Traffic by Using ACLs
You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs. Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic:
Step 1 configure terminal: Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic:
Step 1 configure terminal: Enter global configuration mode.
Step 2 access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard: Create an IP extended ACL, repeating the command as many times as necessary.
• For access-list-number, enter the access list number.
Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic:
Step 1 configure terminal: Enter global configuration mode.
Step 2 mac access-list extended name: Create a Layer 2 MAC ACL by specifying the name of the list. After entering this command, the mode changes to extended MAC ACL configuration.
Classifying Traffic by Using Class Maps
You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further classify it. Match statements can include criteria such as an ACL, IP precedence values, or DSCP values.
Step 4 match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list}: Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported.
• For access-group acl-index-or-name, specify the number or name of the ACL created in Step 2.
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps
You can configure a nonhierarchical policy map on a physical port that specifies which traffic class to act on.
Beginning in privileged EXEC mode, follow these steps to create a nonhierarchical policy map:
Step 1 configure terminal: Enter global configuration mode.
Step 2 class-map [match-all | match-any] class-map-name: Create a class map, and enter class-map configuration mode. By default, no class maps are defined.
• (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map.
Step 5 trust [cos | dscp | ip-precedence]: Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label.
Note This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, go to Step 6.
By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
Step 8 exit: Return to policy map configuration mode.
Step 9 exit: Return to global configuration mode.
Step 10 interface interface-id: Specify the port to attach to the policy map, and enter interface configuration mode. Valid interfaces include physical ports.
Step 11 service-policy input policy-map-name: Specify the policy-map name, and apply it to an ingress port. Only one policy map per ingress port is supported.
Switch(config-ext-mac)# exit
Switch(config)# class-map macclass1
Switch(config-cmap)# match access-group maclist1
Switch(config-cmap)# exit
Switch(config)# policy-map macpolicy1
Switch(config-pmap)# class macclass1
Switch(config-pmap-c)# set dscp 63
Switch(config-pmap-c)# exit
Switch(config-pmap)# class macclass2 maclist2
Switch(config-pmap-c)# set dscp 45
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet0/1
• The hierarchical policy map is attached to the SVI and affects all traffic belonging to the VLAN. The actions specified in the VLAN-level policy map affect the traffic belonging to the SVI. The police action on the port-level policy map affects the ingress traffic on the affected physical interfaces.
• When configuring a hierarchical policy map on trunk ports, the VLAN ranges must not overlap.
Step 5 exit: Return to global configuration mode.
Step 6 class-map [match-all | match-any] class-map-name: Create an interface-level class map, and enter class-map configuration mode. By default, no class maps are defined.
• (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map. All match criteria in the class map must be matched.
Step 12 police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]: Define an individual policer for the classified traffic. By default, no policer is defined. For information on the number of policers supported, see the “Standard QoS Configuration Guidelines” section on page 27-32.
• For rate-bps, specify the average traffic rate in bits per second (bps). The range is 8000 to 1000000000.
Step 17 trust [cos | dscp | ip-precedence]: Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label.
Note This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, omit Step 18.
By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
Step 24 end: Return to privileged EXEC mode.
Step 25 show policy-map [policy-map-name [class class-map-name]] or show mls qos vlan-based: Verify your entries.
Step 26 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To delete an existing policy map, use the no policy-map policy-map-name global configuration command.
Switch(config-pmap)#exit
Switch(config-pmap)#class-map cm-4
Switch(config-pmap-c)#trust dscp
Switch(config-pmap)#exit
Switch(config)#interface vlan 10
Switch(config-if)#
Switch(config-if)#ser input vlan-plcmap
Switch(config-if)#exit
Switch(config)#exit
Switch#
Classifying, Policing, and Marking Traffic by Using Aggregate Policers
By using an aggregate policer, you can create a policer that is shared by multiple traffic classes within the same policy map
Step 5 class class-map-name: Define a traffic classification, and enter policy-map class configuration mode. For more information, see the “Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps” section on page 27-47.
Step 6 police aggregate aggregate-policer-name: Apply an aggregate policer to multiple classes in the same policy map. For aggregate-policer-name, enter the name specified in Step 2.
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# service-policy input aggflow1
Switch(config-if)# exit
Configuring DSCP Maps
These sections contain this configuration information:
• Configuring the CoS-to-DSCP Map, page 27-59 (optional)
• Configuring the IP-Precedence-to-DSCP Map, page 27-60 (optional)
• Configuring the Policed-DSCP Map, page 27-61 (optional, unless the null settings in the map are not appro
Step 1 configure terminal: Enter global configuration mode.
Step 2 mls qos map cos-dscp dscp1...dscp8: Modify the CoS-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to CoS values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63.
Step 3 end: Return to privileged EXEC mode.
Step 4 show mls qos maps cos-dscp: Verify your entries.
Beginning in privileged EXEC mode, follow these steps to modify the IP-precedence-to-DSCP map. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 mls qos map ip-prec-dscp dscp1...dscp8: Modify the IP-precedence-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to the IP precedence values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63.
To return to the default map, use the no mls qos map policed-dscp global configuration command.
Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-CoS map. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 mls qos map dscp-cos dscp-list to cos: Modify the DSCP-to-CoS map.
• For dscp-list, enter up to eight DSCP values separated by spaces. Then enter the to keyword.
• For cos, enter the CoS value to which the DSCP values correspond.
Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-DSCP-mutation map. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp: Modify the DSCP-to-DSCP-mutation map.
• For dscp-mutation-name, enter the mutation map name. You can create more than one map by specifying a new name.
Note In the above DSCP-to-DSCP-mutation map, the mutated values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the original DSCP. The intersection of the d1 and d2 values provides the mutated value. For example, a DSCP value of 12 corresponds to a mutated value of 10.
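The mutation-map note above and the dscp-cos, policed-dscp and dscp-mutation map commands in the preceding steps, as an added example that is not code from the Cisco guide: a parser for the dscp-list to value command form, a builder that starts each DSCP-to-DSCP map from the null (identity) default, and the d1/d2 matrix lookup the note describes (DSCP 12 mutates to 10 with the constructed commands). Function names and the command lines are assumptions; the default DSCP-to-CoS map of Table 27-14 is not reproduced.

```python
"""DSCP map commands and the DSCP-to-DSCP-mutation matrix of this page.

Added example, not code from the Cisco guide.  Function names are
assumptions; the command lines are constructed.  The dscp-cos map starts
empty here (the Table 27-14 default is not reproduced), while policed-dscp
and dscp-mutation maps start from the null map (each DSCP maps to itself).
"""
from typing import Dict, List, Tuple

# Constructed commands in the syntax shown on this page.
MAP_COMMANDS = [
    "mls qos map dscp-mutation mutation1 1 2 3 4 5 6 7 to 0",
    "mls qos map dscp-mutation mutation1 8 9 10 11 12 13 to 10",
    "mls qos map policed-dscp 46 to 0",
    "mls qos map dscp-cos 40 41 42 43 44 45 46 47 to 5",
]


def parse_map_command(line: str) -> Tuple[str, str, List[int], int]:
    """Return (map_type, map_name, dscp_list, value) for one mls qos map command.

    map_name is "" for policed-dscp and dscp-cos, which are unnamed maps.
    """
    words = line.split()
    if words[:3] != ["mls", "qos", "map"] or "to" not in words:
        raise ValueError(f"not an mls qos map command: {line}")
    map_type = words[3]
    if map_type == "dscp-mutation":
        map_name, rest = words[4], words[5:]
    elif map_type in ("policed-dscp", "dscp-cos"):
        map_name, rest = "", words[4:]
    else:
        raise ValueError(f"unsupported map type: {map_type}")
    to_index = rest.index("to")
    dscp_list = [int(w) for w in rest[:to_index]]
    value = int(rest[to_index + 1])
    if not 1 <= len(dscp_list) <= 8 or any(not 0 <= d <= 63 for d in dscp_list):
        raise ValueError(f"expected 1 to 8 DSCP values in 0..63: {line}")
    limit = 7 if map_type == "dscp-cos" else 63    # CoS is 0..7, DSCP is 0..63
    if not 0 <= value <= limit:
        raise ValueError(f"output value out of range: {line}")
    return map_type, map_name, dscp_list, value


def build_maps(commands: List[str]) -> Dict[Tuple[str, str], Dict[int, int]]:
    """Build {(map_type, map_name): {in_value: out_value}} from the commands."""
    maps: Dict[Tuple[str, str], Dict[int, int]] = {}
    for line in commands:
        map_type, map_name, dscp_list, value = parse_map_command(line)
        key = (map_type, map_name)
        if key not in maps:
            # null map: every DSCP maps to itself until a command overrides it
            maps[key] = {} if map_type == "dscp-cos" else {d: d for d in range(64)}
        for dscp in dscp_list:
            maps[key][dscp] = value
    return maps


def mutation_matrix(mutation_map: Dict[int, int]) -> List[List[int]]:
    """Rows are d1 (tens digit 0..6), columns are d2 (units digit 0..9), as in the note."""
    rows: List[List[int]] = []
    for d1 in range(7):
        row = []
        for d2 in range(10):
            dscp = d1 * 10 + d2
            row.append(mutation_map[dscp] if dscp <= 63 else -1)  # -1: no such DSCP
        rows.append(row)
    return rows


def lookup(matrix: List[List[int]], dscp: int) -> int:
    """Read the mutated value the way the note describes: row d1, column d2."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return matrix[dscp // 10][dscp % 10]


if __name__ == "__main__":
    maps = build_maps(MAP_COMMANDS)
    matrix = mutation_matrix(maps[("dscp-mutation", "mutation1")])
    print("d1\\d2 " + " ".join(f"{d2:2d}" for d2 in range(10)))
    for d1, row in enumerate(matrix):
        print(f"{d1:5d} " + " ".join(f"{v:2d}" if v >= 0 else " -" for v in row))
    print(lookup(matrix, 12))   # 10
```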
Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds
You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped. Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and to set WTD thresholds. This procedure is optional.
This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent.
Beginning in privileged EXEC mode, follow these steps to allocate bandwidth between the ingress queues. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 mls qos srr-queue input bandwidth weight1 weight2: Assign shared round robin weights to the ingress queues. The default setting for weight1 and weight2 is 4 (1/2 of the bandwidth is equally shared between the two queues).
Beginning in privileged EXEC mode, follow these steps to configure the priority queue. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 mls qos srr-queue input priority-queue queue-id bandwidth weight: Assign a queue as the priority queue and guarantee bandwidth on the internal ring if the ring is congested.
These sections contain this configuration information:
• Configuration Guidelines, page 27-70
• Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, page 27-70 (optional)
• Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, page 27-72 (optional)
• Configuring SRR Shaped Weights on Egress Queues, page 27-74 (optional)
• Configuring SRR Shared Weights on Egress Queues, page 27-75 (optional)
• Configur
Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and the drop thresholds for a queue-set. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 mls qos queue-set output qset-id buffers allocation1 ... allocation4: Allocate buffers to a queue-set. By default, all allocation values are equally mapped among the four queues (25, 25, 25, 25).
Step 7 show mls qos interface [interface-id] buffers: Verify your entries.
Step 8 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command.
Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an egress queue and to a threshold ID. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 mls qos srr-queue output dscp-map queue queue-id threshold threshold-id dscp1...dscp8: Map DSCP or CoS values to an egress queue and to a threshold ID.
Configuring SRR Shaped Weights on Egress Queues
You can specify how much of the available bandwidth is allocated to each queue. The ratio of the weights is the ratio of the frequency with which the SRR scheduler sends packets from each queue. You can configure the egress queues for shaped or shared weights, or both. Use shaping to smooth bursty traffic or to provide a smoother output over time.
Configuring SRR Shared Weights on Egress Queues
In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue empties and does not require a share of the link, the remaining queues can expand into the unused bandwidth and share it among them.
Configuring the Egress Expedite Queue
You can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues. Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 3 srr-queue bandwidth limit weight1: Specify the percentage of the port speed to which the port should be limited. The range is 10 to 90. By default, the port is not rate limited and is set to 100 percent.
Step 4 end: Return to privileged EXEC mode.
Step 5 show mls qos interface [interface-id] queueing: Verify your entries.
Displaying Standard QoS Information
Table 27-15 Commands for Displaying Standard QoS Information (continued)
show policy-map [policy-map-name [class class-map-name]]: Display QoS policy maps, which define classification criteria for incoming traffic.
Note Do not use the show policy-map interface privileged EXEC command to display classification information for incoming traffic.
show running-config | include rewrite
C H A P T E R 28 Configuring EtherChannels and Layer 2 Trunk Failover This chapter describes how to configure EtherChannels on Layer 2 ports on the switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
Chapter 28 Configuring EtherChannels and Layer 2 Trunk Failover Understanding EtherChannels EtherChannel Overview An EtherChannel consists of individual Gigabit Ethernet links bundled into a single logical link as shown in Figure 28-1.
Chapter 28 Configuring EtherChannels and Layer 2 Trunk Failover Understanding EtherChannels Port-Channel Interfaces When you create a Layer 2 EtherChannel, a port-channel logical interface is involved. You can create the EtherChannel in these ways: • Use the channel-group interface configuration command. This command automatically creates the port-channel logical interface when the channel group gets its first physical port.
Chapter 28 Configuring EtherChannels and Layer 2 Trunk Failover Understanding EtherChannels Port Aggregation Protocol The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
Chapter 28 Configuring EtherChannels and Layer 2 Trunk Failover Understanding EtherChannels PAgP Interaction with Other Features The Dynamic Trunking Protocol (DTP) and the Cisco Discovery Protocol (CDP) send and receive packets over the physical ports in the EtherChannel. Trunk ports send and receive PAgP protocol data units (PDUs) on the lowest numbered VLAN. In Layer 2 EtherChannels, the first port in the channel that comes up provides its MAC address to the EtherChannel.
Chapter 28 Configuring EtherChannels and Layer 2 Trunk Failover Understanding EtherChannels LACP Interaction with Other Features The DTP and the CDP send and receive packets over the physical ports in the EtherChannel. Trunk ports send and receive LACP PDUs on the lowest numbered VLAN. In Layer 2 EtherChannels, the first port in the channel that comes up provides its MAC address to the EtherChannel.
Chapter 28 Configuring EtherChannels and Layer 2 Trunk Failover Understanding EtherChannels With source-IP address-based forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the EtherChannel based on the source-IP address of the incoming packet. Therefore, to provide load-balancing, packets from different IP addresses use different ports in the channel, but packets from the same IP address use the same port in the channel.
Figure 28-3 Load Distribution and Forwarding Methods
[Figure not reproduced. Labels: Blade Server 1 through Blade Server 16; Blade Switch with source-based forwarding enabled; EtherChannel; Cisco router with destination-based forwarding enabled; Client; Client.]

Configuring EtherChannels

These sections contain this configuration information:
• Default EtherChannel Configuration, page 28-9
• EtherChannel Configuration Guidelines, page 28-9
•

Default EtherChannel Configuration

Table 28-3 shows the default EtherChannel configuration.

Table 28-3 Default EtherChannel Configuration
Feature                          Default Setting
Channel groups                   None assigned.
Port-channel logical interface   None defined.
PAgP mode                        No default.
PAgP learn method                Aggregate-port learning on all ports.
PAgP priority                    128 on all ports.
LACP mode                        No default.

• Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups running PAgP and LACP can coexist on the same switch. Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate.
• Do not configure a Switched Port Analyzer (SPAN) destination port as part of an EtherChannel.
• Do not configure a secure port as part of an EtherChannel or the reverse.

Step 3  switchport mode {access | trunk}
        Assign all ports as static-access ports in the same VLAN, or configure them as trunks.
        switchport access vlan vlan-id
        If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094.

This example shows how to configure an EtherChannel.

Step 4  show etherchannel load-balance
        Verify your entries.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command.

Beginning in privileged EXEC mode, follow these steps to configure your switch as a PAgP physical-port learner and to adjust the priority so that the same port in the bundle is selected for sending packets. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.

If you configure more than eight links for an EtherChannel group, the software automatically decides which of the hot-standby ports to make active based on the LACP priority.

Configuring the LACP Port Priority

By default, all ports use the same port priority. If the local system has a lower value for the system priority and the system ID than the remote system, you can affect which of the hot-standby links become active first by changing the port priority of LACP EtherChannel ports to a lower value than the default.

Displaying EtherChannel, PAgP, and LACP Status

To display EtherChannel, PAgP, and LACP status information, use the privileged EXEC commands described in Table 28-4:

Table 28-4 Commands for Displaying EtherChannel, PAgP, and LACP Status
Command: show etherchannel [channel-group-number {detail | port | port-channel | protocol | summary}] {detail | load-balance | port | port-channel |

Understanding Layer 2 Trunk Failover

In a link-state group, the link states of the downstream interfaces are dependent on the link states of the upstream interfaces. If all of the upstream interfaces in a link-state group are in the link-down state, the associated downstream interfaces are forced into the link-down state.

Layer 2 Trunk Failover Configuration Guidelines

Follow these guidelines to avoid configuration problems:
• Do not configure a cross-connect interface (gi0/23 or gi0/24) as a member of a link-state group.
• Do not configure an EtherChannel as a downstream interface.
• Only interfaces gi0/1 through gi0/16 can be configured as downstream ports in a specific link-state group.
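As an added example (not part of the guide), this Python code models the link-state-group rule described under Understanding Layer 2 Trunk Failover and checks a proposed group against the three configuration guidelines above. Interface names follow the gi0/n convention used in the guidelines; the upstream ports gi0/17 and gi0/18 in the sample are assumed, and treating a group with no upstream interfaces as "all upstream down" is a choice made here, not a statement from the guide.

```python
import re
from typing import Dict, Iterable, List, Optional

# Interface naming follows the gi0/n convention used in the guidelines above.
GI_PATTERN = re.compile(r"^gi0/(\d+)$", re.IGNORECASE)
CROSS_CONNECT_PORTS = {"gi0/23", "gi0/24"}
DOWNSTREAM_RANGE = range(1, 17)  # gi0/1 through gi0/16


def _gi_number(name: str) -> Optional[int]:
    match = GI_PATTERN.match(name.strip())
    return int(match.group(1)) if match else None


def validate_group(upstream: Iterable[str], downstream: Iterable[str]) -> List[str]:
    """Return guideline violations for a proposed link-state group (empty list = OK).

    Checks the three guidelines from the guide: no cross-connect interface in
    the group, no EtherChannel (port-channel) as a downstream interface, and
    only gi0/1 through gi0/16 as downstream ports.
    """
    upstream = list(upstream)
    downstream = list(downstream)
    problems: List[str] = []
    for name in upstream + downstream:
        if name.lower() in CROSS_CONNECT_PORTS:
            problems.append(f"{name}: cross-connect interface cannot be a link-state group member")
    for name in downstream:
        if name.lower() in CROSS_CONNECT_PORTS:
            continue  # already reported above
        if name.lower().startswith("po"):  # port-channel interface = EtherChannel
            problems.append(f"{name}: an EtherChannel cannot be a downstream interface")
            continue
        number = _gi_number(name)
        if number is None or number not in DOWNSTREAM_RANGE:
            problems.append(f"{name}: only gi0/1 through gi0/16 can be downstream ports")
    return problems


def effective_downstream_state(upstream_up: Dict[str, bool],
                               downstream_up: Dict[str, bool]) -> Dict[str, bool]:
    """Apply the trunk failover rule to physical link states.

    If every upstream interface is link-down, every downstream interface is
    forced link-down; otherwise each downstream interface keeps its physical
    state. A group with no upstream interfaces counts as "all down" here
    (a choice made for this example, not a statement from the guide).
    """
    if not any(upstream_up.values()):
        return {name: False for name in downstream_up}
    return dict(downstream_up)


if __name__ == "__main__":
    # Constructed group: uplinks gi0/17 and gi0/18 (assumed), servers on gi0/1 and gi0/2.
    print(validate_group(["gi0/17", "gi0/18"], ["gi0/1", "gi0/2"]))
    print(effective_downstream_state({"gi0/17": False, "gi0/18": False},
                                     {"gi0/1": True, "gi0/2": True}))
```

The second function makes the failover semantics explicit: one upstream link coming back up is enough to release the downstream ports, and a downstream port that is physically down stays down regardless of the upstream state.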
Displaying Layer 2 Trunk Failover Status

Use the show link state group command to display the link-state group information. Enter this command without keywords to display information about all link-state groups. Enter the group number to display information specific to the group. Enter the detail keyword to display detailed information about the group.
CHAPTER 29 Troubleshooting

This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the switch. Depending on the nature of the problem, you can use the command-line interface (CLI) or the device manager to identify and solve problems. Additional troubleshooting information, such as LED descriptions, is provided in the hardware installation guide.

Recovering from a Software Failure

Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, or by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. This procedure uses the Xmodem Protocol to recover from a corrupt or wrong image file.

Recovering from a Lost or Forgotten Password

You can release the Mode button a second or two after the LED above port 1 goes off. Several lines of information about the software appear along with instructions:

The system has been interrupted prior to initializing the flash file system.

You enable or disable password recovery by using the service password-recovery global configuration command.

Follow the steps in this procedure if you have forgotten or lost the switch password.

Step 1  Connect a terminal or PC with terminal-emulation software to the switch console port.
Step 2  Set the line speed on the emulation software to 9600 baud.
Step 3  Push the release latch on the front of the switch to the open position.

switch: load_helper

Step 4  Display the contents of flash memory:

switch: dir flash:

The switch file system appears:

Directory of flash:
13  drwx   192   Mar 01 1993 22:30:48  cbs30x0-lanbase-mz.122-25.SEE
11  -rwx  5825   Mar 01 1993 22:31:59  config.text
18  -rwx   720   Mar 01 1993 02:21:30  vlan.dat

16128000 bytes total (10003456 bytes free)

Step 5  Rename the configuration file to config.text.old. This file contains the password definition.

Step 14
Note  This procedure is likely to leave your switch virtual interface in a shutdown state. You can see which interface is in this state by entering the show running-config privileged EXEC command. To re-enable the interface, enter the interface vlan vlan-id global configuration command, and specify the VLAN ID of the shutdown interface. With the switch in interface configuration mode, enter the no shutdown command.

Step 4  Boot the system:

Switch: boot

You are prompted to start the setup program.

Preventing Autonegotiation Mismatches

To maximize switch performance and ensure a link, follow one of these guidelines when changing the settings for duplex and speed:
• Let both ports autonegotiate both speed and duplex.
• Manually set the speed and duplex parameters for the ports on both ends of the connection.

Note  If a remote device does not autonegotiate, configure the duplex settings on the two ports to match.

Monitoring Temperature

The Cisco Catalyst Blade Switch 3020 for HP monitors the switch temperature conditions. Use the show env temperature status privileged EXEC command to display the temperature value, state, and thresholds. The temperature value is the temperature in the switch (not the external temperature).

This example shows how to ping an IP host:

Switch# ping 172.20.52.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Switch#

Table 29-1 describes the possible ping character output.

Table 29-1 Ping Output Display Characters
Character  Description
!          Each exclamation point means receipt of a reply.
.
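An added example, not from the guide: a small Python parser for the ping transcript format shown above that counts the per-probe characters from Table 29-1 and cross-checks them against the summary line, so a script can notice partial loss rather than relying on a glance at the output. The transcripts are constructed (addresses made up); the meaning of "." as a timed-out probe and the remaining IOS ping characters in RESULT_CHARS come from my knowledge of IOS, since the table above is cut off after "!".

```python
import re
from typing import Dict

# Constructed transcripts in the shape of the guide's ping example; addresses are made up.
SAMPLE_PING_OK = """\
Switch# ping 172.20.52.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Switch#
"""

SAMPLE_PING_LOSSY = """\
Switch# ping 172.20.52.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 172.20.52.9, timeout is 2 seconds:
!!.!.
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/2/4 ms
Switch#
"""

# '!' = reply received, '.' = timed out waiting for a reply (Table 29-1).
# The other characters are the remaining IOS ping result characters as I know
# them (unreachable, source quench, could not fragment, unknown, TTL exceeded);
# they are only used to recognise a result line and are counted as "other".
RESULT_CHARS = set("!.UQM?&")

SUMMARY_RE = re.compile(
    r"Success rate is (\d+) percent \((\d+)/(\d+)\)"
    r"(?:, round-trip min/avg/max = (\d+)/(\d+)/(\d+) ms)?"
)


def parse_ping(output: str) -> Dict[str, object]:
    """Count per-probe result characters and reconcile them with the summary line."""
    replies = timeouts = other = 0
    summary = None
    for raw in output.splitlines():
        line = raw.strip()
        match = SUMMARY_RE.search(line)
        if match:
            summary = match
            continue
        # A result line consists only of per-probe characters, e.g. "!!.!."
        if line and all(ch in RESULT_CHARS for ch in line):
            replies += line.count("!")
            timeouts += line.count(".")
            other += len(line) - line.count("!") - line.count(".")
    result: Dict[str, object] = {
        "replies": replies,
        "timeouts": timeouts,
        "other": other,
        "sent": None,
        "success_percent": None,
        "rtt_ms": None,
        "consistent": False,
    }
    if summary:
        received, sent = int(summary.group(2)), int(summary.group(3))
        result["sent"] = sent
        result["success_percent"] = int(summary.group(1))
        if summary.group(4):  # absent when no reply came back (0 percent)
            result["rtt_ms"] = tuple(int(summary.group(i)) for i in (4, 5, 6))
        # The counted '!' marks must equal the summary's received count and
        # every probe must be accounted for.
        result["consistent"] = (replies == received and replies + timeouts + other == sent)
    return result


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_PING_OK), ("lossy", SAMPLE_PING_LOSSY)):
        print(name, parse_ping(sample))
```

The round-trip fields are optional in the pattern because IOS omits them when no reply arrives, so a 0 percent result still parses.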
Using Layer 2 Traceroute
Usage Guidelines

These are the Layer 2 traceroute usage guidelines:
• Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP. For a list of switches that support Layer 2 traceroute, see the “Usage Guidelines” section on page 29-11. If any devices in the physical path are transparent to CDP, the switch cannot identify the path through these devices.

Displaying the Physical Path

You can display the physical path that a packet takes from a source device to a destination device by using one of these privileged EXEC commands:
• traceroute mac [interface interface-id] {source-mac-address} [interface interface-id] {destination-mac-address} [vlan vlan-id] [detail]
• traceroute mac ip {source-ip-address | source-hostname} {destination-ip-address | destination-hostname} [detail]

For more information, see the co

Using IP Traceroute
Executing IP Traceroute

Beginning in privileged EXEC mode, follow this step to trace the path that packets take through the network:

Command: traceroute ip host
Purpose: Trace the path that packets take through the network.

Note  Though other protocol keywords are available with the traceroute privileged EXEC command, they are not supported in this release.

This example shows how to perform a traceroute to an IP host:

Switch# traceroute ip 171.9.15.

Using TDR

These sections contain this information:
• Understanding TDR, page 29-14
• Running TDR and Displaying the Results, page 29-14

Understanding TDR

You can use the Time Domain Reflector (TDR) feature to diagnose and resolve cabling problems. When running TDR, a local device sends a signal through a cable and compares the reflected signal to the initial signal. TDR is supported only on 10/100 and 10/100/1000 copper Ethernet ports.

Using Debug Commands

Caution  Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff.

Note  It is best to use debug commands during periods of lower network traffic and fewer users.

The no debug all privileged EXEC command disables all diagnostic output. Using the no debug all command is a convenient way to ensure that you have not accidentally left any debug commands enabled.

Redirecting Debug and Error Message Output

By default, the network server sends the output from debug commands and system error messages to the console.

Using the show platform forward Command

Egress:Asic 2, switch 1
Output Packets:
------------------------------------------
Packet 1
 Lookup   Key-Used
 OutptACL 50_0D020202_0D010101-00_40000014_000A0000
 Port    Vlan   SrcMac           DstMac           Cos
 Gi0/1   0005   0001.0001.0001   0002.0002.0002
------------------------------------------
Packet 2
 Lookup   Key-Used
 OutptACL 50_0D020202_0D010101-00_40000014_000A0000
 Port    Vlan   SrcMac           DstMac           Cos
 Gi0/2   0005   0001.0001.0001   0002.0002.

Using the crashinfo Files

The crashinfo files save information that helps Cisco technical support representatives to debug problems that caused the Cisco IOS image to fail (crash). The switch writes the crash information to the console at the time of the failure. The switch creates two types of crashinfo files:
• Basic crashinfo file—The switch automatically creates this file the next time you boot the Cisco IOS image after the failure.

APPENDIX A Supported MIBs

This appendix lists the supported management information base (MIBs) for this release on the switch. It contains these sections:
• MIB List, page A-1
• Using FTP to Access the MIB Files, page A-3

MIB List

• BRIDGE-MIB

Note  The BRIDGE-MIB supports the context of a single VLAN. By default, SNMP messages using the configured community string always provide information for VLAN 1.

• CISCO-MEMORY-POOL-MIB
• CISCO-PAE-MIB
• CISCO-PAGP-MIB
• CISCO-PING-MIB
• CISCO-PORT-QOS-MIB
• CISCO-PRODUCTS-MIB
• CISCO-PROCESS-MIB
• CISCO-RTTMON-MIB
• CISCO-SMI-MIB
• CISCO-STACKMAKER-MIB
• CISCO-STP-EXTENSIONS-MIB
• CISCO-SYSLOG-MIB
• CISCO-TC-MIB
• CISCO-TCP-MIB
• CISCO-UDLDP-MIB
• CISCO-VLAN-IFTABLE-RELATIONSHIP-MIB
• CISCO-VLAN-MEMBERSHIP-MIB
• CISCO-VTP-MIB
• ENTITY-MIB
• ETHERLIKE-MIB
• IEEE8021-PAE-MIB
• IEEE8023-L
• SNMP-FRAMEWORK-MIB
• SNMP-MPD-MIB
• SNMP-NOTIFICATION-MIB
• SNMP-TARGET-MIB
• SNMPv2-MIB
• SNMP-VACM-MIB (SNMP-VIEW-BASED-ACM-MIB)
• SNMP-USM-MIB (SNMP-USER-BASED-SM-MIB)
• TCP-MIB
• UDP-MIB

Note  You can also use this URL for a list of supported MIBs for the Cisco Catalyst Blade Switch 3020 for HP: ftp://ftp.cisco.com/pub/mibs/supportlists/cbs3020 for HP/cbs3020-supportlist.

APPENDIX B Working with the Cisco IOS File System, Configuration Files, and Software Images

This appendix describes how to manipulate the switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch.

Note  For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.

Working with the Flash File System
Displaying Available File Systems

To display the available file systems on your switch, use the show file systems privileged EXEC command as shown in this example.

Setting the Default File System

You can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command. You can set the default file system to omit the filesystem: argument from related commands.

Creating and Removing Directories

Beginning in privileged EXEC mode, follow these steps to create and remove a directory:

Step 1  dir filesystem:
        Display the directories on the specified file system. For filesystem:, use flash: for the system board flash device.
Step 2  mkdir old_configs
        Create a new directory.

Some invalid combinations of source and destination exist.

Creating a tar File

To create a tar file and write files into it, use this privileged EXEC command:

archive tar /create destination-url flash:/file-url

For destination-url, specify the destination URL alias for the local or network file system and the name of the tar file to create.

This example shows how to display the contents of a switch tar file that is in flash memory:

Switch# archive tar /table flash:cbs30x0-lanbase-tar.122-25.SEE.tar
info (219 bytes)
cbs30x0-lanbase-tar.122-25.SEE/ (directory)
cbs30x0-lanbase-tar.122-25.SEE/html/ (directory)
cbs30x0-lanbase-tar.122-25.SEE/html/troubleshooting_OS.htm (2508 bytes)
cbs30x0-lanbase-tar.122-25.

Extracting a tar File

To extract a tar file into a directory on the flash file system, use this privileged EXEC command:

archive tar /xtract source-url flash:/file-url [dir/file...]

For source-url, specify the source URL alias for the local file system.

Working with Configuration Files

You can copy (download) configuration files from a TFTP, FTP, or RCP server to the running configuration or startup configuration of the switch. You might want to perform this for one of these reasons:
• To restore a backed-up configuration file.
• To use the configuration file for another switch.

some commands in the existing configuration might not be replaced or negated. In this case, the resulting configuration file is a mixture of the existing configuration file and the copied configuration file, with the copied configuration file having precedence.

Preparing to Download or Upload a Configuration File By Using TFTP

Before you begin downloading or uploading a configuration file by using TFTP, do these tasks:
• Ensure that the workstation acting as the TFTP server is properly configured. On a Sun workstation, make sure that the /etc/inetd.conf file contains this line:

tftp dgram udp wait root /usr/etc/in.tftpd in.

This example shows how to configure the software from the file tokyo-confg at IP address 172.16.2.155:

Switch# copy tftp://172.16.2.155/tokyo-confg system:running-config
Configure using tokyo-confg from 172.16.2.155? [confirm] y
Booting tokyo-confg from 172.16.2.

The username and password must be associated with an account on the FTP server. If you are writing to the server, the FTP server must be properly configured to accept your FTP write request. Use the ip ftp username and ip ftp password commands to specify a username and password for all copies.

Step 4  ip ftp username username
        (Optional) Change the default remote username.
Step 5  ip ftp password password
        (Optional) Change the default password.
Step 6  end
        Return to privileged EXEC mode.

Step 3  configure terminal
        Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6).
Step 4  ip ftp username username
        (Optional) Change the default remote username.
Step 5  ip ftp password password
        (Optional) Change the default password.
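The password recovery setting in Chapter 29 (service password-recovery) and the ip ftp username and ip ftp password commands above both leave a trace in the running configuration that is worth auditing. The following Python checker is an added example, not part of the guide: it reports whether password recovery has been disabled and whether an FTP credential is stored in the configuration, and in which form. The configuration excerpt is constructed (hostname, username and the type-7 string are placeholders); the 0 and 7 encoding markers on ip ftp password are from my knowledge of IOS, not from this page.

```python
import re
from typing import Dict, List, Optional

# Constructed running-config excerpt: hostname, username and the type-7
# string are placeholders, not values taken from a real switch.
SAMPLE_CONFIG = """\
hostname blade-sw-1
no service password-recovery
ip ftp username backup-user
ip ftp password 7 PLACEHOLDER_TYPE7_STRING
"""

# ip ftp password [0 | 7] password: the 0/7 encoding markers are IOS
# conventions I know, not something stated on this page.
FTP_PASSWORD_RE = re.compile(r"^ip ftp password(?: (0|7))? (\S+)$")


def audit_config(config_text: str) -> Dict[str, object]:
    """Report password-recovery state and stored FTP credentials from a config."""
    recovery_state = "enabled"  # only the "no" form appears in a configuration
    ftp_username: Optional[str] = None
    ftp_password_form: Optional[str] = None
    findings: List[str] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "no service password-recovery":
            recovery_state = "disabled"
            findings.append("password recovery is disabled (no service password-recovery); "
                            "confirm this matches policy before a password is lost")
        elif line.startswith("ip ftp username "):
            ftp_username = line.split(" ", 3)[3]
        else:
            match = FTP_PASSWORD_RE.match(line)
            if match:
                # Type 7 is a reversible encoding, so treat it as a stored secret too.
                ftp_password_form = ("type-7 (reversible encoding)"
                                     if match.group(1) == "7" else "cleartext")
                findings.append("FTP password for copy operations is stored in the "
                                f"configuration as {ftp_password_form}")
    return {
        "password_recovery": recovery_state,
        "ftp_username": ftp_username,
        "ftp_password_form": ftp_password_form,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG)["findings"]:
        print("-", finding)
```

Because a username given on the copy command line applies to that operation only, whereas ip ftp username and ip ftp password persist for all copies, the checker looks only for the persistent form.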
The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list:
• The username specified in the copy command if a username is specified.

Downloading a Configuration File By Using RCP

Beginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP:

Step 1  Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using RCP” section on page B-16.

Uploading a Configuration File By Using RCP

Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP:

Step 1  Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using RCP” section on page B-16.

Clearing the Startup Configuration File

To clear the contents of your startup configuration, use the erase nvram: or the erase startup-config privileged EXEC command.

Caution  You cannot restore the startup configuration file after it has been deleted.

Working with Software Images

• Copying Image Files By Using FTP, page B-24
• Copying Image Files By Using RCP, page B-28

Note  For a list of software images and the supported upgrade paths, see the release notes.

Image Location on the Switch

The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management.

Table B-3 info File Description
Field                 Description
version_suffix        Specifies the Cisco IOS image version string suffix
version_directory     Specifies the directory where the Cisco IOS image and the HTML subdirectory are installed
image_name            Specifies the name of the Cisco IOS image within the tar file
ios_image_file_size   Specifies the Cisco IOS image size in the tar file, which is

Note  You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot command (on the SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x). For more information on the TFTP daemon, see the documentation for your workstation.

Step 3  archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar
        Download the image file from the TFTP server to the switch, and overwrite the current image.
Step 4  archive download-sw /leave-old-sw /reload tftp:[[//location]/directory]/image-name.

Uploading an Image File By Using TFTP

You can upload an image from the switch to a TFTP server. You can later download this image to the switch or to another switch of the same type. Use the upload feature only if the web management pages associated with the embedded device manager have been installed with the existing image.

Preparing to Download or Upload an Image File By Using FTP

You can copy image files to or from an FTP server. The FTP protocol requires a client to send a remote username and password on each FTP request to a server.

Downloading an Image File By Using FTP

You can download a new image file and overwrite the current image or keep the current image. Beginning in privileged EXEC mode, follow Steps 1 through 7 to download a new image from an FTP server and overwrite the existing image. To keep the current image, go to Step 7.

Step 8  archive download-sw /leave-old-sw /reload ftp:[[//username[:password]@location]/directory]/image-name.tar
        Download the image file from the FTP server to the switch, and keep the current image.
        • The /leave-old-sw option keeps the old software version after a download.

Beginning in privileged EXEC mode, follow these steps to upload an image to an FTP server:

Step 1  Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using FTP” section on page B-13.
Step 2  Log into the switch through the console port or a Telnet session.

Note  Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command, we recommend using the archive download-sw and archive upload-sw privileged EXEC commands to download and upload software image files.

operations. The new username is stored in NVRAM. If you are accessing the switch through a Telnet session and you have a valid username, this username is used, and there is no need to set the RCP username. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username only for that operation.

Step 6  archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-name.tar]
        Download the image file from the RCP server to the switch, and overwrite the current image.
Step 7  archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.

The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.

The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.

Caution  For the download and upload algorithms to operate properly, do not rename image names.
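To make the download algorithm concrete, here is an added Python model (not code from the guide or from Cisco) of what the install step does to flash: and the BOOT variable for the /overwrite and /leave-old-sw cases, driven by an info file whose field names come from Table B-3. The key: value layout of the info file, the 12.2(25)SEF directory name, the .bin file names and the size are assumptions for the example.

```python
from typing import Dict, Optional, Set

# Constructed info file. The field names are those in Table B-3; the
# "key: value" layout, the version string and the size are assumptions.
SAMPLE_INFO = """\
version_suffix: lanbase-122-25.SEF
version_directory: cbs30x0-lanbase-mz.122-25.SEF
image_name: cbs30x0-lanbase-mz.122-25.SEF.bin
ios_image_file_size: 5900000
"""


def parse_info(text: str) -> Dict[str, str]:
    """Read the info file into a dict of field name to value."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


class FlashModel:
    """Toy model of flash:, holding image directory names and the BOOT variable."""

    def __init__(self, directories: Set[str], boot: Optional[str]) -> None:
        self.directories = set(directories)
        self.boot = boot

    def boot_directory(self) -> Optional[str]:
        """Directory part of BOOT, which has the form flash:/<directory>/<image>."""
        if not self.boot or not self.boot.startswith("flash:/"):
            return None
        return self.boot[len("flash:/"):].split("/")[0]


def download_sw(flash: FlashModel, info: Dict[str, str], overwrite: bool) -> FlashModel:
    """Model the install step of archive download-sw without touching the input.

    The image is placed in a new directory named by version_directory and BOOT
    is pointed at the image inside it. overwrite=True models /overwrite, which
    removes the directory of the previously booted image; overwrite=False
    models /leave-old-sw, which keeps it.
    """
    result = FlashModel(flash.directories, flash.boot)
    old_directory = flash.boot_directory()
    new_directory = info["version_directory"]
    result.directories.add(new_directory)
    result.boot = f"flash:/{new_directory}/{info['image_name']}"
    if overwrite and old_directory and old_directory != new_directory:
        result.directories.discard(old_directory)
    return result


# Constructed starting state using the 12.2(25)SEE directory name from the
# dir flash: listing in Chapter 29; the .bin file name is assumed.
CURRENT_FLASH = FlashModel(
    {"cbs30x0-lanbase-mz.122-25.SEE"},
    "flash:/cbs30x0-lanbase-mz.122-25.SEE/cbs30x0-lanbase-mz.122-25.SEE.bin",
)


if __name__ == "__main__":
    info = parse_info(SAMPLE_INFO)
    for flag in (True, False):
        after = download_sw(CURRENT_FLASH, info, overwrite=flag)
        print("/overwrite" if flag else "/leave-old-sw", sorted(after.directories), after.boot)
```

The model shows why the Caution above matters: the directory name and image name are read from the info file, so renaming an image breaks the link between BOOT and the files actually present in flash:.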
APPENDIX C Unsupported Commands in Cisco IOS Release 12.2(25)SEF

This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the switch prompt but are not supported in this release, either because they are not tested or because of switch hardware limitations. This is not a complete list. The unsupported commands are listed by software feature and command mode.
Miscellaneous

Note  Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast address-table entries for a VLAN.

Unsupported Interface Configuration Commands
priority-group
rate-limit

Unsupported Policy-Map Configuration Commands
class class-default
where class-default is the class-map-name.

VLAN

Unsupported Global Configuration Commands
vlan internal allocation policy {ascending | descending}

Unsupported vlan-config Command
private-vlan

Unsupported User EXEC Commands
show running-config vlan
show vlan ifindex
show vlan private-vlan

VTP

Unsupported Privileged EXEC Commands
vtp {password password | pruning | version number}

Note  This command has been replaced by the vtp global configuration command.
Index MSTP effects on secondary root switch unexpected behavior boundary ports configuration guidelines described implementation BPDU filtering enabling 15-12 terminology 14-7 14-5 instances supported BPDU guard 13-9 interface state, blocking to forwarding described 15-2 enabling 15-11 CIST, described described 14-3 defined 14-15, 15-10 14-3 master forward-delay time maximum aging time 14-24 14-23 maximum hop count 15-9 enabling 15-15 CIST 14-3 configuring 14-20 describe
Index effects of extended system ID unexpected behavior 14-17 configuring 14-17 shutdown Port Fast-enabled port status, displaying native VLAN default 15-2 benefits multicast groups joining 18-3 leaving 18-5 static joins 1-2 described 18-5 1-3 network configuration examples increasing network performance providing network services 18-9 multicast router interfaces, monitoring multicast router ports, adding multicast storm multicast VLAN 1-11 1-12 network design performance 19-1 multi
Index peer VTP domain 5-5 server path cost 5-5 default configuration MSTP 5-4 displaying the configuration overview STP 5-11 13-18 performance features creating an access group source IP address, configuring 1-10 1-2 persistent self-signed certificate 5-8 disabling NTP services per interface 5-10 5-10 See PVST+ 8-2 PIM-DVMRP, as snooping method 1-4 synchronizing devices character output description 5-2 synchronizing 18-8 ping 5-5 time services 6-43 per-VLAN spanning-tree pl
Index nonhierarchical on physical ports configuration guidelines configuring described guest VLAN configuration guidelines 27-32 described 27-47 host mode 27-9 port ACLs 7-12, 7-13 7-12 7-8 inaccessible authentication bypass defined 26-2 configuring types of 26-3 described Port Aggregation Protocol magic packet method lists 7-9 authentication server 7-22 7-2 7-2 configuration guidelines AAA authorization 7-22 configuration tasks 7-12 described 7-20 configuring 7-11 RADIUS s
Index voice VLAN preemption described default configuration 7-15 PVID 7-15 VVID 7-15 preemption delay default configuration wake-on-LAN, described port blocking See QoS 1-2, 19-6 preventing unauthorized access See EtherChannel primary links Port Fast 6-1 16-2 priority described 15-2 enabling 15-10 overriding CoS trusting CoS mode, spanning tree support for 10-3 privileged EXEC mode changing the default for lines exiting 13-16 ports overview 8-3 dual-purpose uplink dynamic a
Index configuration guidelines Q auto-QoS QoS 27-25 standard QoS and MQC commands 27-1 27-32 configuring auto-QoS aggregate policers categorizing traffic 27-21 auto-QoS configuration and defaults display configuration guidelines 27-29 27-25 27-57 27-20 default port CoS value DSCP maps 27-37 27-59 described 27-20 DSCP transparency disabling 27-26 DSCP trust states bordering another domain displaying generated commands 27-26 displaying the initial configuration effects on runnin
Index ingress queueing and scheduling policing and marking implicit deny policies, attaching to an interface 27-15 policing 27-10 described 27-7 ingress queues characteristics of 27-67 buffer and bandwidth allocation, described configuring shared weights for SRR configuring the priority queue displaying 27-16 hierarchical on SVIs 27-68 QoS label, defined 27-66 priority queue, described scheduling, described WTD, described high priority (expedite) location of 27-66 detection and trusted
Index authorization reconfirming dynamic VLAN membership 6-27 communication, global recovery procedures 6-21, 6-29 communication, per-server 29-1 redundancy 6-20, 6-21 multiple UDP ports 6-21 EtherChannel default configuration 6-20 STP 28-2 defining AAA server groups 6-25 backbone 13-8 displaying the configuration 6-31 path cost 10-23 identifying the server method list, defined operation of overview port priority 6-20 limiting the services to the user reloading software 6-20
Index RFC defined 1112, IP multicast and IGMP 1157, SNMPv1 1305, NTP limiting source traffic to specific VLANs 18-2 25-2 5-2 1757, RMON 1902 to 1907, SNMPv2 with ingress traffic enabled 22-20 18-2 22-22 22-5 VLAN-based 25-2 2236, IP multicast and IGMP 22-5 22-6 RSTP active topology 25-2 RMON 14-9 BPDU default configuration displaying status 14-9 designated switch, defined 23-2 14-9 interoperability with IEEE 802.
Index secure HTTP server configuring displaying Smartports macros applying Cisco-default macros 6-46 applying global parameter values 6-48 secure MAC addresses deleting applying macros creating 19-8 secure remote connections defined tracing Secure Socket Layer SNAP 19-7 security features 9-2 20-1 SNMP 1-5 sequence numbers in log messages server mode, VTP 9-8 9-3 website See SSL 9-2 9-1 displaying See SSH 9-3 9-4 default configuration 6-38 Secure Shell security, port 9-5, 9
Index MIBs location of A-3 supported 22-6 displaying status 22-23 A-1 interaction with other features 25-5 monitored ports notifications overview destination ports security levels overview 25-3 status, displaying 22-5 monitoring ports 25-1, 25-4 22-6 1-8, 22-1 ports, restrictions 25-16 system contact and location trap manager, configuring received traffic 25-14 22-8 19-11 22-4 sessions 25-13 traps configuring ingress forwarding described 25-3, 25-5 differences from informs
Index SSL configuration guidelines 6-45 configuring a secure HTTP client 6-47 configuring a secure HTTP server 6-46 cryptographic software image described support for 1-2 thresholds 19-1 STP 6-42 6-42 accelerating root port selection BackboneFast described 15-5 monitoring 6-48 disabling 15-14 standby links 16-2 enabling 15-13 startup configuration BPDU filtering booting manually 3-15 specific image clearing 3-16 configuration file automatically downloading 3-14 specifying th
Index EtherChannel guard Port Fast described 15-7 described 15-2 disabling 15-14 enabling 15-10 enabling 15-14 port priorities extended system ID preventing root switch selection effects on root switch protocols supported 13-14 effects on the secondary root switch overview features supported 13-14 1-4 IEEE 802.1D and bridge ID IEEE 802.
Index syslog T See system message logging TACACS+ system clock accounting, defined configuring daylight saving time manually time zones accounting 5-12 authorization 5-1 6-14 6-13 displaying the configuration 24-3 identifying the server 24-8 6-17 6-13 limiting the services to the user 24-3 displaying the configuration operation of 24-12 overview 24-4 facility keywords, described level keywords, described limiting messages 6-12 1-6 tracking services accessed by user 24-9 creatin
Index configuring for autoconfiguration image files 3-6 traffic suppression 19-1 transmit hold-count deleting see STP B-23 downloading transparent mode, VTP B-22 preparing the server uploading 3-2 traps B-24 limiting access by servers TFTP server trap-door mechanism B-21 11-3, 11-12 25-15 configuring MAC address notification configuring managers 1-3 threshold, traffic level defined 19-2 time 5-22, 25-11 notification types overview Time Domain Reflector 25-11 25-3 enabling Se
Index pruning-eligible list and router MAC addresses 10-20 to non-DTP device configuration guidelines 10-15 trusted boundary for QoS described 27-37 trusted port states unicast traffic, blocking 27-5 ensuring port security for IP phones support for 19-4 19-7 UniDirectional Link Detection protocol 27-37 See UDLD 1-7 within a QoS domain trustpoints, CA 19-1 unicast storm control command 27-39 classification options 5-25 5-25 unicast storm between QoS domains 5-25 UNIX syslog serv
Index support for V 1-6 wiring closet configuration example version-dependent transparent mode vlan.
Index Token Ring VTP 10-5 traffic between VTP modes adding a client to a domain 10-2 advertisements 11-3 VLAN Trunking Protocol 10-17, 11-3 and extended-range VLANs See VTP and normal-range VLANs VLAN trunks client mode, configuring 10-14 VMPS 11-1 11-1 11-11 configuration administering global configuration mode 10-29 configuration example default configuration description guidelines 10-30 configuration guidelines requirements 10-26 saving 10-25 described 10-28 troubleshoot
Index overview 11-4 support for 1-5 pruning-eligible list, changing server mode, configuring statistics 11-9 11-16 support for 1-5 Token Ring support 11-4 transparent mode, configuring using 10-20 11-12 11-1 version, guidelines Version 1 11-8 11-4 Version 2 configuration guidelines disabling 11-13 enabling 11-13 overview 11-4 11-8 W weighted tail drop See WTD WTD described 27-13 setting thresholds egress queue-sets ingress queues support for 27-70 27-66 1-7 X Xmodem protocol
Index Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide IN-34 OL-8915-01