Catalyst 3750-E and 3560-E Switch Software Configuration Guide
Cisco IOS Release 12.2(37)SE
May 2007

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS

Preface xliii
  Audience xliii
  Purpose xliii
  Conventions xliii
  Related Publications xliv
  Obtaining Documentation, Obtaining Support, and Security Guidelines xlvi

CHAPTER 1 Overview 1-1
  Features 1-1
  Deployment Features 1-2
  Performance Features 1-4
  Management Options 1-5
  Manageability Features 1-6
  Availability and Redundancy Features
  VLAN Features 1-8
  Security Features 1-8
  QoS and CoS Features 1-10
  Layer 3 Features 1-11
  Power over Ethernet Features 1-12
  Monitoring Features 1-13
  Understanding Abbreviated Commands 2-4
  Understanding no and default Forms of Commands 2-4
  Understanding CLI Error Messages 2-5
  Using Configuration Logging 2-5
  Using Command History 2-6
  Changing the Command History Buffer Size 2-6
  Recalling Commands 2-6
  Disabling the Command History Feature 2-7
  Using Editing Features 2-7
  Enabling and Disabling Editing Features 2-7
  Editing Commands through Keystrokes 2-8
  Editing Command Lines that Wrap 2-9
  Searching and Filtering Output of show and more Comman
  Scheduling a Reload of the Software Image 3-17
  Configuring a Scheduled Reload 3-17
  Displaying Scheduled Reload Information 3-18

CHAPTER 4 Configuring Cisco IOS CNS Agents 4-1
  Understanding Cisco Configuration Engine Software 4-1
  Configuration Service 4-2
  Event Service 4-3
  NameSpace Mapper 4-3
  What You Should Know About the CNS IDs and Device Hostnames
  ConfigID 4-3
  DeviceID 4-4
  Hostname and DeviceID 4-4
  Using Hostname, DeviceID, and ConfigID 4-4
  Understanding Cisco IOS Agents 4-5
  Initial Confi
  Stack Protocol Version Compatibility 5-11
  Major Version Number Incompatibility Among Switches 5-11
  Minor Version Number Incompatibility Among Switches 5-11
  Understanding Auto-Upgrade and Auto-Advise 5-12
  Auto-Upgrade and Auto-Advise Example Messages 5-13
  Incompatible Software and Stack Member Image Upgrades 5-15
  Switch Stack Configuration Files 5-15
  Additional Considerations for System-Wide Configuration on Switch Stacks 5-16
  Switch Stack Management Connectivity 5-16
  Connectivity to the Switch Sta
  HSRP and Standby Cluster Command Switches 6-11
  Virtual IP Addresses 6-12
  Other Considerations for Cluster Standby Groups 6-12
  Automatic Recovery of Cluster Configuration 6-13
  IP Addresses 6-14
  Hostnames 6-14
  Passwords 6-15
  SNMP Community Strings 6-15
  Switch Clusters and Switch Stacks 6-16
  TACACS+ and RADIUS 6-17
  LRE Profiles 6-17
  Using the CLI to Manage Switch Clusters 6-18
  Catalyst 1900 and Catalyst 2820 CLI Considerations
  Using SNMP to Manage Switch Clusters

CHAPTER 7 Administering the Switch
  Creating a Banner 7-17
  Default Banner Configuration 7-17
  Configuring a Message-of-the-Day Login Banner 7-18
  Configuring a Login Banner 7-19
  Managing the MAC Address Table 7-19
  Building the Address Table 7-20
  MAC Addresses and VLANs 7-20
  MAC Addresses and Switch Stacks 7-21
  Default MAC Address Table Configuration 7-21
  Changing the Address Aging Time 7-21
  Removing Dynamic Address Entries 7-22
  Configuring MAC Address Notification Traps 7-22
  Adding and Removing Static Address Entries 7-24
  Configurin
  Configuring Multiple Privilege Levels 9-7
  Setting the Privilege Level for a Command 9-8
  Changing the Default Privilege Level for Lines 9-9
  Logging into and Exiting a Privilege Level 9-9
  Controlling Switch Access with TACACS+ 9-10
  Understanding TACACS+ 9-10
  TACACS+ Operation 9-12
  Configuring TACACS+ 9-12
  Default TACACS+ Configuration 9-13
  Identifying the TACACS+ Server Host and Setting the Authentication Key 9-13
  Configuring TACACS+ Login Authentication 9-14
  Configuring TACACS+ Authorization for Pr
  Configuring the Switch for Secure Shell 9-37
  Understanding SSH 9-38
  SSH Servers, Integrated Clients, and Supported Versions 9-38
  Limitations 9-39
  Configuring SSH 9-39
  Configuration Guidelines 9-39
  Setting Up the Switch to Run SSH 9-40
  Configuring the SSH Server 9-41
  Displaying the SSH Configuration and Status 9-41
  Configuring the Switch for Secure Socket Layer HTTP 9-42
  Understanding Secure HTTP Servers and Clients 9-42
  Certificate Authority Trustpoints 9-42
  CipherSuites 9-44
  Configuring Secure
  Using IEEE 802.1x Authentication with Port Security 10-16
  Using IEEE 802.1x Authentication with Wake-on-LAN 10-17
  Using IEEE 802.1x Authentication with MAC Authentication Bypass 10-17
  Network Admission Control Layer 2 IEEE 802.1x Validation 10-19
  Using Multidomain Authentication 10-19
  Using Web Authentication 10-20
  Configuring IEEE 802.1x Authentication 10-21
  Default IEEE 802.1x Authentication Configuration 10-22
  IEEE 802.1x Authentication Configuration Guidelines 10-23
  IEEE 802.
CHAPTER 11 Configuring Interface Characteristics 11-1
  Understanding Interface Types 11-1
  Port-Based VLANs 11-2
  Switch Ports 11-2
  Access Ports 11-3
  Trunk Ports 11-3
  Tunnel Ports 11-4
  Routed Ports 11-4
  Switch Virtual Interfaces 11-5
  EtherChannel Port Groups 11-5
  10-Gigabit Ethernet Interfaces 11-6
  Power over Ethernet Ports 11-6
  Supported Protocols and Standards 11-6
  Powered-Device Detection and Initial Power Allocation
  Power Management Modes 11-8
  Power Monitoring and Power Policing 11-9
  Connecti
  Configuring the Power Supplies 11-37
  Monitoring and Maintaining the Interfaces 11-38
  Monitoring Interface Status 11-38
  Clearing and Resetting Interfaces and Counters 11-39
  Shutting Down and Restarting the Interface 11-40

CHAPTER 12 Configuring Smartports Macros 12-1
  Understanding Smartports Macros 12-1
  Configuring Smartports Macros 12-2
  Default Smartports Macro Configuration 12-2
  Smartports Macro Configuration Guidelines 12-3
  Creating Smartports Macros 12-4
  Applying Smartports Macros 12-5
  Trunking Overview 13-16
  Encapsulation Types 13-18
  IEEE 802.
  Configuring VTP 14-6
  Default VTP Configuration 14-7
  VTP Configuration Options 14-7
  VTP Configuration in Global Configuration Mode 14-7
  VTP Configuration in VLAN Database Configuration Mode
  VTP Configuration Guidelines 14-8
  Domain Names 14-8
  Passwords 14-8
  VTP Version 14-9
  Configuration Requirements 14-9
  Configuring a VTP Server 14-9
  Configuring a VTP Client 14-11
  Disabling VTP (VTP Transparent Mode) 14-12
  Enabling VTP Version 2 14-13
  Enabling VTP Pruning 14-14
  Adding a VTP Client Switch to a VTP D
  Configuring Private VLANs 16-6
  Tasks for Configuring Private VLANs 16-6
  Default Private-VLAN Configuration 16-7
  Private-VLAN Configuration Guidelines 16-7
  Secondary and Primary VLAN Configuration 16-7
  Private-VLAN Port Configuration 16-8
  Limitations with Other Features 16-9
  Configuring and Associating VLANs in a Private VLAN 16-10
  Configuring a Layer 2 Interface as a Private-VLAN Host Port 16-12
  Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port 16-13
  Mapping Secondary VLANs to a P
  Bridge ID, Switch Priority, and Extended System ID 18-4
  Spanning-Tree Interface States 18-5
  Blocking State 18-7
  Listening State 18-7
  Learning State 18-7
  Forwarding State 18-7
  Disabled State 18-8
  How a Switch or Port Becomes the Root Switch or Root Port 18-8
  Spanning Tree and Redundant Connectivity 18-9
  Spanning-Tree Address Management 18-9
  Accelerated Aging to Retain Connectivity 18-9
  Spanning-Tree Modes and Protocols 18-10
  Supported Spanning-Tree Instances 18-10
  Spanning-Tree Interoperability and
CHAPTER 19 Configuring MSTP 19-1
  Understanding MSTP 19-2
  Multiple Spanning-Tree Regions 19-2
  IST, CIST, and CST 19-3
  Operations Within an MST Region 19-3
  Operations Between MST Regions 19-4
  IEEE 802.1s Terminology 19-5
  Hop Count 19-5
  Boundary Ports 19-6
  IEEE 802.1s Implementation 19-6
  Port Role Naming Change 19-7
  Interoperation Between Legacy and Standard Switches
  Detecting Unidirectional Link Failure 19-8
  MSTP and Switch Stacks 19-8
  Interoperability with IEEE 802.
  Specifying the Link Type to Ensure Rapid Transitions 19-24
  Designating the Neighbor Type 19-25
  Restarting the Protocol Migration Process 19-26
  Displaying the MST Configuration and Status 19-26

CHAPTER 20 Configuring Optional Spanning-Tree Features 20-1
  Understanding Optional Spanning-Tree Features 20-1
  Understanding Port Fast 20-2
  Understanding BPDU Guard 20-2
  Understanding BPDU Filtering 20-3
  Understanding UplinkFast 20-3
  Understanding Cross-Stack UplinkFast 20-5
  How CSUF Works 20-6
  Events
  Configuring Flex Links and MAC Address-Table Move Update 21-5
  Configuration Guidelines 21-5
  Default Configuration 21-5
  Configuring Flex Links and MAC Address-Table Move Update 21-6
  Configuring Flex Links 21-6
  Configuring VLAN Load Balancing on Flex Links 21-8
  Configuring the MAC Address-Table Move Update Feature 21-9
  Monitoring Flex Links and the MAC Address-Table Move Update 21-11

CHAPTER 22 Configuring DHCP Features and IP Source Guard 22-1
  Understanding DHCP Features 22-1
  DHCP Server 22
CHAPTER 23 Configuring Dynamic ARP Inspection 23-1
  Understanding Dynamic ARP Inspection 23-1
  Interface Trust States and Network Security 23-3
  Rate Limiting of ARP Packets 23-4
  Relative Priority of ARP ACLs and DHCP Snooping Entries
  Logging of Dropped Packets 23-5
  Configuring Dynamic ARP Inspection 23-5
  Default Dynamic ARP Inspection Configuration 23-5
  Dynamic ARP Inspection Configuration Guidelines 23-6
  Configuring Dynamic ARP Inspection in DHCP Environments
  Configuring ARP ACLs for Non-DHCP E
  Displaying IGMP Snooping Information 24-17
  Understanding Multicast VLAN Registration 24-18
  Using MVR in a Multicast Television Application 24-19
  Configuring MVR 24-20
  Default MVR Configuration 24-20
  MVR Configuration Guidelines and Limitations 24-21
  Configuring MVR Global Parameters 24-21
  Configuring MVR Interfaces 24-22
  Displaying MVR Information 24-24
  Configuring IGMP Filtering and Throttling 24-24
  Default IGMP Filtering and Throttling Configuration 24-25
  Configuring IGMP Profiles 24-25
  Ap
CHAPTER 26 Configuring Port-Based Traffic Control 26-1
  Configuring Storm Control 26-1
  Understanding Storm Control 26-1
  Default Storm Control Configuration 26-3
  Configuring Storm Control and Threshold Levels 26-3
  Configuring Protected Ports 26-5
  Default Protected Port Configuration 26-5
  Protected Port Configuration Guidelines 26-6
  Configuring a Protected Port 26-6
  Configuring Port Blocking 26-6
  Default Port Blocking Configuration 26-7
  Blocking Flooded Traffic on an Interface 26-7
  Configuring
  Configuring LLDP and LLDP-MED 28-3
  Default LLDP Configuration 28-3
  Configuring LLDP Characteristics 28-3
  Disabling and Enabling LLDP Globally 28-4
  Disabling and Enabling LLDP on an Interface 28-5
  Configuring LLDP-MED TLVs 28-6
  Monitoring and Maintaining LLDP and LLDP-MED

CHAPTER 29 Configuring UDLD 29-1
  Understanding UDLD 29-1
  Modes of Operation 29-1
  Methods to Detect Unidirectional Links
  Configuring UDLD 29-3
  Default UDLD Configuration 29-4
  Configuration Guidelines 29-4
  Enabling UDLD Globa
  Configuring Local SPAN 30-11
  SPAN Configuration Guidelines 30-11
  Creating a Local SPAN Session 30-12
  Creating a Local SPAN Session and Configuring Incoming Traffic 30-14
  Specifying VLANs to Filter 30-15
  Configuring RSPAN 30-16
  RSPAN Configuration Guidelines 30-16
  Configuring a VLAN as an RSPAN VLAN 30-17
  Creating an RSPAN Source Session 30-18
  Creating an RSPAN Destination Session 30-19
  Creating an RSPAN Destination Session and Configuring Incoming Traffic
  Specifying VLANs to Filter 30-22
  Displayin
  Configuring UNIX Syslog Servers 32-12
  Logging Messages to a UNIX Syslog Daemon 32-12
  Configuring the UNIX System Logging Facility 32-13
  Displaying the Logging Configuration 32-14

CHAPTER 33 Configuring SNMP 33-1
  Understanding SNMP 33-1
  SNMP Versions 33-2
  SNMP Manager Functions 33-3
  SNMP Agent Functions 33-4
  SNMP Community Strings 33-4
  Using SNMP to Access MIB Variables 33-4
  SNMP Notifications 33-5
  SNMP ifIndex MIB Object Values 33-6
  Configuring SNMP 33-6
  Default SNMP Configuration 33-7
  SNMP
  Creating a Numbered Extended ACL 34-11
  Resequencing ACEs in an ACL 34-15
  Creating Named Standard and Extended ACLs 34-15
  Using Time Ranges with ACLs 34-17
  Including Comments in ACLs 34-19
  Applying an IPv4 ACL to a Terminal Line 34-19
  Applying an IPv4 ACL to an Interface 34-20
  Hardware and Software Treatment of IP ACLs 34-22
  IPv4 ACL Configuration Examples 34-22
  Numbered ACLs 34-24
  Extended ACLs 34-24
  Named ACLs 34-25
  Time Range Applied to an IP ACL 34-25
  Commented IP ACL Entries 34-25
  ACL Logging
  Configuring IPv6 ACLs 35-4
  Default IPv6 ACL Configuration 35-4
  Interaction with Other Features and Switches 35-4
  Creating IPv6 ACLs 35-5
  Applying an IPv6 ACL to an Interface 35-8
  Displaying IPv6 ACLs 35-9

CHAPTER 36 Configuring QoS 36-1
  Understanding QoS 36-2
  Basic QoS Model 36-3
  Classification 36-5
  Classification Based on QoS ACLs 36-7
  Classification Based on Class Maps and Policy Maps
  Policing and Marking 36-8
  Policing on Physical Ports 36-9
  Policing on SVIs 36-10
  Mapping Tables 36-12
  Que
  Standard QoS Configuration Guidelines 36-35
  QoS ACL Guidelines 36-35
  Applying QoS on Interfaces 36-35
  Policing Guidelines 36-36
  General QoS Guidelines 36-36
  Enabling QoS Globally 36-37
  Enabling VLAN-Based QoS on Physical Ports 36-37
  Configuring Classification Using Port Trust States 36-38
  Configuring the Trust State on Ports within the QoS Domain 36-38
  Configuring the CoS Value for an Interface 36-40
  Configuring a Trusted Boundary to Ensure Port Security 36-41
  Enabling DSCP Transparency Mode 36-42
CHAPTER 37 Configuring EtherChannels and Link-State Tracking 37-1
  Understanding EtherChannels 37-1
  EtherChannel Overview 37-2
  Port-Channel Interfaces 37-4
  Port Aggregation Protocol 37-5
  PAgP Modes 37-6
  PAgP Interaction with Other Features 37-6
  Link Aggregation Control Protocol 37-7
  LACP Modes 37-7
  LACP Interaction with Other Features 37-7
  EtherChannel On Mode 37-8
  Load-Balancing and Forwarding Methods 37-8
  EtherChannel and Switch Stacks 37-10
  Configuring EtherChannels 37-11
  Default EtherChanne
  Configuring IP Addressing 38-5
  Default Addressing Configuration 38-6
  Assigning IP Addresses to Network Interfaces 38-7
  Use of Subnet Zero 38-7
  Classless Routing 38-8
  Configuring Address Resolution Methods 38-9
  Define a Static ARP Cache 38-10
  Set ARP Encapsulation 38-11
  Enable Proxy ARP 38-12
  Routing Assistance When IP Routing is Disabled 38-12
  Proxy ARP 38-12
  Default Gateway 38-12
  ICMP Router Discovery Protocol (IRDP) 38-13
  Configuring Broadcast Packet Handling 38-14
  Enabling Directed Broadcast-to
  Configuring Basic EIGRP Parameters 38-39
  Configuring EIGRP Interfaces 38-40
  Configuring EIGRP Route Authentication 38-41
  EIGRP Stub Routing 38-42
  Monitoring and Maintaining EIGRP 38-43
  Configuring BGP 38-43
  Default BGP Configuration 38-45
  Nonstop Forwarding Awareness 38-47
  Enabling BGP Routing 38-48
  Managing Routing Policy Changes 38-50
  Configuring BGP Decision Attributes 38-52
  Configuring BGP Filtering with Route Maps 38-54
  Configuring BGP Filtering by Neighbor 38-54
  Configuring Prefix Lists for
  Configuring Policy-Based Routing 38-83
  PBR Configuration Guidelines 38-84
  Enabling PBR 38-85
  Filtering Routing Information 38-87
  Setting Passive Interfaces 38-87
  Controlling Advertising and Processing in Routing Updates 38-88
  Filtering Sources of Routing Information 38-88
  Managing Authentication Keys 38-89
  Monitoring and Maintaining the IP Network 38-90

CHAPTER 39 Configuring IPv6 Unicast Routing 39-1
  Understanding IPv6 39-1
  IPv6 Addresses 39-2
  Supported IPv6 Unicast Routing Features 39-3
CHAPTER 40 Configuring HSRP and Enhanced Object Tracking 40-1
  Understanding HSRP 40-1
  Multiple HSRP 40-3
  HSRP and Switch Stacks 40-4
  Configuring HSRP 40-4
  Default HSRP Configuration 40-5
  HSRP Configuration Guidelines 40-5
  Enabling HSRP 40-5
  Configuring HSRP Priority 40-7
  Configuring MHSRP 40-9
  Configuring HSRP Authentication and Timers 40-9
  Enabling HSRP Support for ICMP Redirect Messages 40-11
  Configuring HSRP Groups and Clustering 40-11
  Displaying HSRP Configurations 40-11
  Configuring En
CHAPTER 42 Configuring IP Multicast Routing 42-1
  Understanding Cisco's Implementation of IP Multicast Routing 42-2
  Understanding IGMP 42-3
  IGMP Version 1 42-3
  IGMP Version 2 42-3
  Understanding PIM 42-4
  PIM Versions 42-4
  PIM Modes 42-4
  PIM Stub Routing 42-5
  Auto-RP 42-6
  Bootstrap Router 42-7
  Multicast Forwarding and Reverse Path Check 42-7
  Understanding DVMRP 42-8
  Understanding CGMP 42-9
  Multicast Routing and Switch Stacks 42-9
  Configuring IP Multicast Routing 42-10
  Default Multicast Routing
  Changing the IGMP Query Timeout for IGMPv2 42-32
  Changing the Maximum Query Response Time for IGMPv2 42-33
  Configuring the Switch as a Statically Connected Member 42-33
  Configuring Optional Multicast Routing Features 42-34
  Enabling CGMP Server Support 42-34
  Configuring sdr Listener Support 42-35
  Enabling sdr Listener Support 42-36
  Limiting How Long an sdr Cache Entry Exists 42-36
  Configuring an IP Multicast Boundary 42-37
  Configuring Basic DVMRP Interoperability Features 42-38
  Configuring DVMRP
  Controlling Source Information that Your Switch Originates 43-9
  Redistributing Sources 43-9
  Filtering Source-Active Request Messages 43-11
  Controlling Source Information that Your Switch Forwards 43-12
  Using a Filter 43-12
  Using TTL to Limit the Multicast Data Sent in SA Messages 43-14
  Controlling Source Information that Your Switch Receives 43-14
  Configuring an MSDP Mesh Group 43-16
  Shutting Down an MSDP Peer 43-16
  Including a Bordering PIM Dense-Mode Region in MSDP 43-17
  Configuring an Originati
  Recovering from Lost Cluster Member Connectivity 45-13
  Preventing Autonegotiation Mismatches 45-13
  Troubleshooting Power over Ethernet Switch Ports 45-13
  Disabled Port Caused by Power Loss 45-14
  Disabled Port Caused by False Link Up 45-14
  SFP Module Security and Identification 45-14
  Monitoring SFP Module Status 45-15
  Monitoring Temperature 45-15
  Using Ping 45-15
  Understanding Ping 45-15
  Executing Ping 45-16
  Using Layer 2 Traceroute 45-17
  Understanding Layer 2 Traceroute 45-17
  Usage Guideli
  Configuring Online Diagnostics 46-2
  Scheduling Online Diagnostics 46-2
  Configuring Health-Monitoring Diagnostics 46-3
  Running Online Diagnostic Tests 46-5
  Starting Online Diagnostic Tests 46-5
  Displaying Online Diagnostic Tests and Test Results 46-6

APPENDIX A Supported MIBs A-1
  MIB List A-1
  Using FTP to Access the MIB Files A-4

APPENDIX B Working with the Cisco IOS File System, Configuration Files, and Software Images
  Working with the Flash File System B-1
  Displaying Available File S
  Clearing Configuration Information B-19
  Clearing the Startup Configuration File B-20
  Deleting a Stored Configuration File B-20
  Working with Software Images B-20
  Image Location on the Switch B-21
  File Format of Images on a Server or Cisco.
  HSRP C-4
  Unsupported Global Configuration Commands C-4
  Unsupported Interface Configuration Commands C-5
  IGMP Snooping Commands C-5
  Unsupported Global Configuration Commands C-5
  Interface Commands C-5
  Unsupported Privileged EXEC Commands C-5
  Unsupported Global Configuration Commands C-5
  Unsupported Interface Configuration Commands C-5
  IP Multicast Routing C-5
  Unsupported Privileged EXEC Commands C-5
  Unsupported Global Configuration Commands C-6
  Unsupported Interface Configuration Commands C-6
  IP
  RADIUS C-11
  Unsupported Global Configuration Commands C-11
  SNMP C-12
  Unsupported Global Configuration Commands C-12
  Spanning Tree C-12
  Unsupported Global Configuration Command C-12
  Unsupported Interface Configuration Command C-12
  VLAN C-12
  Unsupported Global Configuration Command C-12
  Unsupported User EXEC Commands C-12
  VTP C-12
  Unsupported Privileged EXEC Command C-12

INDEX

Catalyst 3750-E and 3560-E Switch Software Configuration Guide, xlii, OL-9775-02
Preface

Audience

This guide is for the networking professional managing the standalone Catalyst 3750-E or 3560-E switch or the Catalyst 3750-E switch stack, referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.

Purpose

This guide provides procedures for using the commands that have been created or changed for use with the Catalyst 3750-E and 3560-E switches.
• Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
• Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.

Interactive examples use these conventions:
• Terminal sessions and system displays are in screen font.
• Information you enter is in boldface screen font.
• Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).
Related Publications

• Catalyst 3750-E and 3560-E Switch System Message Guide (not orderable but available on Cisco.com)
• Cisco Software Activation and Compatibility Document (not orderable but available on Cisco.com)
• Device manager online help (available on the switch)
• Catalyst 3750-E and 3560-E Switch Hardware Installation Guide (not orderable but available on Cisco.
Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.
CHAPTER 1 Overview

This chapter provides these topics about the Catalyst 3750-E and 3560-E switch software:
• Features, page 1-1
• Default Settings After Initial Switch Configuration, page 1-13
• Network Configuration Examples, page 1-16
• Where to Go Next, page 1-31

The term switch refers to a standalone Catalyst 3750-E or 3560-E switch and to a Catalyst 3750-E switch stack. In this document, IP refers to IP Version 4 (IPv4) unless there is a specific reference to IP Version 6 (IPv6).
Features

• IP services feature set, which provides a richer set of enterprise-class intelligent services. It includes all IP base features plus full Layer 3 routing (IP unicast routing, IP multicast routing, and fallback bridging). The IP services feature set includes protocols such as the Enhanced Interior Gateway Routing Protocol (EIGRP) and the Open Shortest Path First (OSPF) Protocol.
• An embedded device manager GUI for configuring and monitoring a single switch through a web browser. For information about starting the device manager, see the getting started guide. For more information about the device manager, see the switch online help.
• Cisco Network Assistant (referred to as Network Assistant) for
  – Managing communities, which are device groups like clusters, except that they can contain routers and access points and can be made more secure.
• Switch clustering technology for
  – Unified configuration, monitoring, authentication, and software upgrade of multiple, cluster-capable switches, regardless of their geographic proximity and interconnection media, including Ethernet, Fast Ethernet, Fast EtherChannel, small form-factor pluggable (SFP) modules, Gigabit Ethernet, Gigabit EtherChannel, 10-Gigabit Ethernet, and 10-Gigabit EtherChannel connections. For a list of cluster-capable switches, see the release notes.
• IGMP snooping querier support to configure the switch to generate periodic IGMP General Query messages
• Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP Version 6 (IPv6) multicast data to clients and routers in a switched network.
Manageability Features

These are the manageability features:
• CNS embedded agents for automating switch management, configuration storage, and delivery
• DHCP for automating configuration of switch information (such as IP address, default gateway, hostname, and Domain Name System [DNS] and TFTP server names)
• DHCP relay for forwarding User Datagram Protocol (UDP) broadcasts, including IP address requests, from DHCP clients
• DHCP server for automatic assignment
Availability and Redundancy Features

These are the availability and redundancy features:
• HSRP for command switch and Layer 3 router redundancy
• Automatic stack master re-election (failover support) for replacing stack masters that become unavailable (Catalyst 3750-E switches only)
  The newly elected stack master begins accepting Layer 2 traffic in less than 1 second and Layer 3 traffic between 3 to 5 seconds.
• Link-state tracking to mirror the state of the ports that carry upstream traffic from connected hosts and servers and to allow the failover of the server traffic to an operational link on another Cisco Ethernet switch
• RPS support through the Cisco Redundant Power System 2300, also referred to as RPS 2300, for enhancing power reliability, including the ability to configure and manage the redundant power system.
• Protected port option for restricting the forwarding of traffic to designated ports on the same switch
• Port security option for limiting and identifying MAC addresses of the stations allowed to access the port
• VLAN aware port security option to shut down the VLAN on the port when a violation occurs, instead of shutting down the entire port
• Port security aging to set the aging time for secure addresses on a port
• BPDU guard for shutting down a Port Fast-configu
• MAC authentication bypass to authorize clients based on the client MAC address.
• Network Admission Control (NAC) features:
  – NAC Layer 2 IEEE 802.1x validation of the antivirus condition or posture of endpoint systems or clients before granting the devices network access. For information about configuring NAC Layer 2 IEEE 802.1x validation, see the "Configuring NAC Layer 2 IEEE 802.1x Validation" section on page 10-40.
  – Trusted boundary for detecting the presence of a Cisco IP Phone, trusting the CoS value received, and ensuring port security
• Policing
  – Traffic-policing policies on the switch port for managing how much of the port bandwidth should be allocated to a specific traffic flow
  – If you configure multiple class maps for a hierarchical policy map, each class map can be associated with its own port-level (second-level) policy map.
• Policy-based routing (PBR) for configuring defined policies for traffic flows
• Multiple VPN routing/forwarding (multi-VRF) instances in customer edge devices to allow service providers to support multiple virtual private networks (VPNs) and overlap IP addresses between VPNs (requires the IP services feature set)
• Fallback bridging for forwarding non-IP traffic between two or more VLANs (requires the IP services feature set)
• Static IP routing for manually building
• Ability to monitor the real-time power consumption. On a per-PoE port basis, the switch senses the total power consumption, polices the power usage, and reports the power usage.
Default Settings After Initial Switch Configuration

If you do not configure the switch at all, the switch operates with these default settings:
• Default switch IP address, subnet mask, and default gateway is 0.0.0.0. For more information, see Chapter 3, "Assigning the Switch IP Address and Default Gateway," and Chapter 22, "Configuring DHCP Features and IP Source Guard."
• Default domain name is not configured.
• VLANs
  – Default VLAN is VLAN 1. For more information, see Chapter 13, "Configuring VLANs."
  – VLAN trunking setting is dynamic auto (DTP). For more information, see Chapter 13, "Configuring VLANs."
  – Trunk encapsulation is negotiate. For more information, see Chapter 13, "Configuring VLANs."
  – VTP mode is server. For more information, see Chapter 14, "Configuring VTP."
  – VTP version is Version 1.
• UDLD is disabled. For more information, see Chapter 29, "Configuring UDLD."
• SPAN and RSPAN are disabled. For more information, see Chapter 30, "Configuring SPAN and RSPAN."
• RMON is disabled. For more information, see Chapter 31, "Configuring RMON."
• Syslog messages are enabled and appear on the console. For more information, see Chapter 32, "Configuring System Message Logging."
• SNMP is enabled (Version 1).
Network Configuration Examples

Table 1-1 Increasing Network Performance

Network Demands:
• Too many users on a single network segment and a growing number of users accessing the Internet
• Increased power of new PCs, workstations, and servers
• High bandwidth demand from networked applications (such as e-mail with large attached files) and from bandwidth-intensive applications (such as multimedia)

Suggested Design Methods:
• Create smaller network segments so that fewer users share
Table 1-2 Providing Network Services (continued)

Network Demands:
• An evolving demand for IP telephony

Suggested Design Methods:
• Use QoS to prioritize applications such as IP telephony during congestion and to help control both delay and jitter within the network.
• Use switches that support at least two queues per port to prioritize voice and data traffic as either high- or low-priority, based on IEEE 802.1p/Q.
For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit multilayer switch in the backbone, such as a Catalyst 4500 Gigabit switch or Catalyst 6500 Gigabit switch.
[Figure 1-3 High-Performance Workgroup (Gigabit-to-the-Desktop): Catalyst 3750-E switches; access-layer Catalyst 3560-E switches; WAN via Cisco 2600 router]

• Redundant Gigabit backbone (Figure 1-4)—Using HSRP, you can create backup paths between two Catalyst 3750-E multilayer Gigabit switches to enhance network reliability and load-balancing for different VLANs and subnets.
[Figure 1-4 Redundant Gigabit Backbone: two Catalyst 3750-E switches running HSRP over 1-Gbps links to Catalyst switches]

• Server aggregation (Figure 1-5) and Linux server cluster (Figure 1-6)—You can use the Catalyst 3560-E switches and Catalyst 3750-E-only switch stacks to interconnect groups of servers, centralizing physical security and administration of your network.
[Figure 1-5 Server Aggregation: campus core Catalyst 6500 switches, Catalyst 4500 multilayer switches, Catalyst 3750-E-only StackWise Plus and Catalyst 3750 StackWise switch stacks, access-layer Catalyst 3560-E switches, server racks]
[Figure 1-6 Linux Server Cluster: Catalyst 3750-E-only StackWise Plus switch stacks with a 32-Gbps ring, redundant SFP module uplinks and EtherChannel across uplinks to the campus core; Linux cluster parallel-processing server farm]

Small to Medium-Sized Network Using Catalyst 3750-E and 3560-E Switches

Figure 1-7 and Figure 1-8 show a configuration for a network of up to 500 employees.
When an end station in one VLAN needs to communicate with an end station in another VLAN, a router or Layer 3 switch routes the traffic to the destination VLAN. In this network, the Catalyst 3750-E-only switch stack or Catalyst 3560-E switches are providing inter-VLAN routing. VLAN access control lists (VLAN maps) on the switch stack or switch provide intra-VLAN security and prevent unauthorized users from accessing critical areas of the network.
Figure 1-8 Catalyst 3560-E Switches in a Collapsed Backbone Configuration: Cisco 2600 or 3700 routers to the Internet, Catalyst 3560-E switches, Gigabit servers, Cisco IP phones, workstations running Cisco SoftPhone software, and Aironet wireless access points.
Large Network Using Catalyst 3750-E and 3560-E Switches
Switches in the wiring closet have traditionally been only Layer 2 devices, but as network traffic profiles evolve, switches in the wiring closet are increasingly employing multilayer services such as multicast management and traffic classification.
Figure 1-9 Catalyst 3750-E Switch Stacks in Wiring Closets in a Backbone Configuration: Cisco 7x00 routers to the WAN, Catalyst 6500 multilayer switches, and mixed hardware stacks of Catalyst 3750-E and 3750 switches, including the Catalyst 3750G Integrated Wireless LAN Controller.
Figure 1-10 Catalyst 3560-E Switches in Wiring Closets in a Backbone Configuration: Cisco 7x00 routers to the WAN, Catalyst 6500 multilayer switches, Catalyst 3560-E switches, IEEE 802.3af-compliant powered devices (such as a web cam), and Aironet wireless access points.
Multidwelling Network Using Catalyst 3750-E Switches
A growing segment of residential and commercial customers requires high-speed access to Ethernet metropolitan-area networks (MANs). Figure 1-11 shows a configuration for a Gigabit Ethernet MAN ring using multilayer switch stacks as aggregation switches in the mini-point-of-presence (POP) location. These switches are connected through 1000BASE-X SFP module ports.
Figure 1-11 Catalyst 3750-E Switches in a MAN Configuration: a service provider POP with Cisco 12000 Gigabit switch routers and Catalyst 6500 switches, a mini-POP Catalyst 3750 StackWise switch stack on the Gigabit MAN, and residential locations with Catalyst 3750-E switches, residential gateways (hubs), set-top boxes, TVs, and PCs.
Long-Distance, High-Bandwidth Transport Configuration
Figure 1-12 shows a configuration for sending 8 Gigabits of data over a
Figure 1-12 Long-Distance, High-Bandwidth Transport Configuration: eight 1-Gbps connections (8 Gbps) between access-layer Catalyst switches and aggregation-layer Catalyst 4500 multilayer switches, carried through CWDM OADM modules.
Where to Go Next
Before configuring the switch, review these sections for startup information:
• Chapter 2, "Using the Command-Line Interface"
• Chapter 3, "Assigning the Switch IP Address and Default Gateway"
Chapter 2 Using the Command-Line Interface
This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your standalone Catalyst 3750-E or 3560-E switch or a Catalyst 3750-E switch stack, referred to as the switch.
Understanding Command Modes
Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the hostname Switch.
Table 2-1 Command Mode Summary
Mode: User EXEC
Access method: Begin a session with your switch.
Prompt: Switch>
Exit method: Enter logout or quit.
About this mode: Use this mode to change terminal settings and to perform basic tests.
Table 2-1 Command Mode Summary (continued)
Mode: Interface configuration
Access method: While in global configuration mode, enter the interface command (with a specific interface).
Prompt: Switch(config-if)#
Exit method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About this mode: Use this mode to configure parameters for the Ethernet ports.
Table 2-2 Help Summary (continued)
?
    List all commands available for a particular command mode. For example: Switch> ?
command ?
    List the associated keywords for a command. For example: Switch> show ?
command keyword ?
    List the associated arguments for a keyword.
Understanding CLI Error Messages
Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch.
Table 2-3 Common CLI Error Messages
Error message: % Ambiguous command: "show con"
Meaning: You did not enter enough characters for your switch to recognize the command.
Using Command History
The software provides a history or record of commands that you have entered. The command history feature is particularly useful for recalling long or complex commands or entries, including access lists.
Disabling the Command History Feature
The command history feature is automatically enabled. You can disable it for the current terminal session or for the command line. These procedures are optional. To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command.
Editing Commands through Keystrokes
Table 2-5 shows the keystrokes that you need to edit command lines. These keystrokes are optional.
Table 2-5 Editing Commands through Keystrokes
Capability: Move around the command line to make changes or corrections.
    Press Ctrl-B, or press the left arrow key: Move the cursor back one character.
    Press Ctrl-F, or press the right arrow key: Move the cursor forward one character.
Table 2-5 Editing Commands through Keystrokes (continued)
Capability: Scroll down a line or screen on displays that are longer than the terminal screen can display.
    Press the Return key: Scroll down one line.
    Press the Space bar: Scroll down one screen.
Capability: Redisplay the current command line.
    Press Ctrl-L or Ctrl-R: Redisplay the current command line.
Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the "Editing Commands through Keystrokes" section on page 2-8.
Searching and Filtering Output of show and more Commands
You can search and filter the output for show and more commands.
Accessing the CLI
Accessing the CLI through a Console Connection or through Telnet
Before you can access the CLI, you must connect a terminal or a PC to the switch console or connect a PC to the Ethernet management port and then power on the switch, as described in the hardware installation guide that shipped with your switch.
Chapter 3 Assigning the Switch IP Address and Default Gateway
This chapter describes how to create the initial switch configuration (for example, assigning the IP address and default gateway information) by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
The normal boot process involves the operation of the boot loader software, which performs these activities:
• Performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, its quantity, its speed, and so forth.
• Performs power-on self-test (POST) for the CPU subsystem.
Assigning Switch Information
Note Stack members retain their IP address when you remove them from a switch stack. To avoid a conflict by having two devices with the same IP address in your network, change the IP address of the switch that you removed from the switch stack.
Use a DHCP server for centralized control and automatic assignment of IP information after the server is configured.
With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your switch. However, you need to configure the DHCP server for various lease options associated with IP addresses. If you are using DHCP to relay the configuration file location on the network, you might also need to configure a Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server.
The DHCP server sends the client a DHCPNAK denial broadcast message, which means that the offered configuration parameters have not been assigned, that an error has occurred during the negotiation of the parameters, or that the client has been slow in responding to the DHCPOFFER message (the DHCP server assigned the parameters to another client).
If you do not configure the DHCP server with the lease options described previously, it replies to client requests with only those parameters that are configured. If the IP address and the subnet mask are not in the reply, the switch is not configured. If the router IP address or the TFTP server name is not found, the switch might send broadcast, instead of unicast, TFTP requests.
Configuring the Relay Device
You must configure a relay device, also referred to as a relay agent, when a switch sends broadcast packets that require a response from a host on a different LAN. Examples of broadcast packets that the switch might send are DHCP, DNS, and in some cases, TFTP packets. You must configure this relay device to forward received broadcast packets on an interface to the destination host.
• The IP address and the configuration filename are reserved for the switch, but the TFTP server address is not provided in the DHCP reply (one-file read method). The switch receives its IP address, subnet mask, and the configuration filename from the DHCP server.
Table 3-2 shows the configuration of the reserved leases on the DHCP server.
Table 3-2 DHCP Server Configuration
Binding key (hardware address): Switch A 00e0.9f1e.2001; Switch B 00e0.9f1e.2002; Switch C 00e0.9f1e.2003; Switch D 00e0.9f1e.2004
IP address: Switch A 10.0.0.21; Switch B 10.0.0.22; Switch C 10.0.0.23; Switch D 10.0.0.24
Subnet mask: 255.255.255.0 for Switches A through D
Router address: Switch A 10.0.0.10; Switch B 10.0.0.
• It reads its host table by indexing its IP address 10.0.0.21 to its hostname (switcha).
• It reads the configuration file that corresponds to its hostname; for example, it reads switcha-confg from the TFTP server.
Switches B through D retrieve their configuration files and IP addresses in the same way.
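The following Python model is added here as an illustration; it is not part of the Cisco guide or its software. It walks through the decisions described in the preceding sections: a lease without an IP address and subnet mask leaves the switch unconfigured, a missing router address or TFTP server name falls back to broadcast TFTP requests, a configuration filename in the reply selects the one-file read, and otherwise the host table maps the IP address to a hostname and then to hostname-confg. The field names, the host table entries other than 10.0.0.21 (switcha), the TFTP server address 10.0.0.3, and the default host-table filename network-confg are assumptions made for the example.

```python
"""Decision logic for DHCP-based autoconfiguration, as described in this
chapter.  Added example, not Cisco code: it models only the rules stated in
the text (required lease options, broadcast fallback for TFTP, and the
two-file host-table lookup).  Field names and the host table are constructed
for illustration; the default host-table filename network-confg is assumed."""
from dataclasses import dataclass, field
from typing import Optional

HOST_TABLE_FILE = "network-confg"  # assumed default host-table filename


@dataclass
class DhcpReply:
    """Lease options the DHCP server may hand to the switch."""
    ip_address: Optional[str] = None
    subnet_mask: Optional[str] = None
    router: Optional[str] = None
    tftp_server: Optional[str] = None
    config_file: Optional[str] = None


@dataclass
class AutoconfigResult:
    configured: bool
    read_method: Optional[str] = None          # "one-file" or "two-file"
    tftp_mode: Optional[str] = None            # "unicast" or "broadcast"
    files: list = field(default_factory=list)  # TFTP reads, in order
    hostname: Optional[str] = None


# Constructed host table keyed by IP address; 10.0.0.21 -> switcha mirrors
# Table 3-2, the other hostnames are assumed.
HOST_TABLE = {
    "10.0.0.21": "switcha",
    "10.0.0.22": "switchb",
    "10.0.0.23": "switchc",
    "10.0.0.24": "switchd",
}


def autoconfigure(reply: DhcpReply, host_table: dict) -> AutoconfigResult:
    # Without an IP address and subnet mask the switch is not configured.
    if not reply.ip_address or not reply.subnet_mask:
        return AutoconfigResult(configured=False)

    # A missing router address or TFTP server name forces broadcast TFTP
    # requests (the text says the switch "might"; modelled as always here).
    tftp_mode = "unicast" if reply.router and reply.tftp_server else "broadcast"

    if reply.config_file:
        # One-file read: the lease names the configuration file directly.
        return AutoconfigResult(True, "one-file", tftp_mode, [reply.config_file])

    # Two-file read: fetch the host table, map our IP address to a hostname,
    # then fetch <hostname>-confg.
    hostname = host_table.get(reply.ip_address)
    files = [HOST_TABLE_FILE]
    if hostname:
        files.append(f"{hostname}-confg")
    return AutoconfigResult(True, "two-file", tftp_mode, files, hostname)


if __name__ == "__main__":
    # Switch A from Table 3-2 with a full lease (TFTP server address assumed).
    lease = DhcpReply("10.0.0.21", "255.255.255.0", "10.0.0.10", "10.0.0.3")
    print(autoconfigure(lease, HOST_TABLE))
```

Every input to this decision (lease options, host table, configuration file) reaches the switch over DHCP and TFTP from the local segment or through the relay agent, and a broadcast TFTP request can be answered by any TFTP server on that segment, so the relay device and the DHCP and TFTP servers need to be under your control before a factory-default switch is connected.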
Checking and Saving the Running Configuration
You can check the configuration settings you entered or changes you made by entering this privileged EXEC command:
Switch# show running-config
Building configuration...
Current configuration: 1363 bytes
!
version 12.
Modifying the Startup Configuration
These sections describe how to modify the switch startup configuration:
• Default Boot Configuration, page 3-12
• Automatically Downloading a Configuration File, page 3-12
• Booting Manually, page 3-13
• Booting a Specific Software Image, page 3-14
• Controlling Environment Variables, page 3-15
See also Appendix B, "Working with the Cisco IOS File System, Configuration Files, and Software Images."
Note On Catalyst 3750-E switches, this command only works properly from a standalone switch.
Beginning in privileged EXEC mode, follow these steps to specify a different configuration filename:
Step 1 - configure terminal - Enter global configuration mode.
Step 2 - boot config-file flash:/file-url - Specify the configuration file to load during the next boot cycle.
Step 4 - show boot - Verify your entries.
The boot manual global configuration command changes the setting of the MANUAL_BOOT environment variable. The next time you reboot the system, the switch is in boot loader mode, shown by the switch: prompt. To boot up the system, use the boot filesystem:/file-url boot loader command.
• For filesystem:, use flash: for the system board flash device.
Step 3 - boot system switch {number | all} - (Optional) For Catalyst 3750-E switches, specify the stack members on which the system image is loaded during the next boot cycle:
• Use number to specify a stack member.
• Use all to specify all stack members.
Note For complete syntax and usage information for the boot loader commands and environment variables, see the command reference for this release.
Table 3-4 describes the function of the most common environment variables.
Table 3-4 Environment Variables
Variable: BOOT
Boot loader command: set BOOT filesystem:/file-url ...
Cisco IOS global configuration command: boot system {filesystem:/file-url ...
When the switch is connected to a PC through the Ethernet management port, you can download or upload a configuration file to the boot loader by using TFTP. Make sure the environment variables in Table 3-5 are configured.
Table 3-5 Environment Variables for TFTP
MAC_ADDR: Specifies the MAC address of the switch. Note We recommend that you do not modify this variable.
Note Use the at keyword only if the switch system clock has been set (through Network Time Protocol (NTP), the hardware calendar, or manually). The time is relative to the configured time zone on the switch. To schedule reloads across several switches to occur simultaneously, the time on each switch must be synchronized with NTP. The reload command halts the system.
Chapter 4 Configuring Cisco IOS CNS Agents
This chapter describes how to configure the Cisco IOS CNS agents on the Catalyst 3750-E and 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Note For complete configuration information for the Cisco Configuration Engine, see this URL on Cisco.com http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.
Understanding Cisco Configuration Engine Software
Figure 4-1 Configuration Engine Architectural Overview: the Configuration Engine (configuration server, event service, and data service directory) in the service provider network, with a web-based user interface and order entry configuration management.
These sections contain this conceptual information:
• Configuration Service, page 4-2
• Event Service, page 4-3
• What You Should Know About the CNS IDs and Device Hostnames, page 4-3
Event Service
The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine. The Event Service is a highly capable publish-and-subscribe communication method.
DeviceID
Each configured switch participating on the event bus has a unique DeviceID, which is analogous to the switch source address so that the switch can be targeted as a specific destination on the bus. All switches configured with the cns config partial global configuration command must access the event bus.
Understanding Cisco IOS Agents
The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent.
Incremental (Partial) Configuration
After the network is running, new services can be added by using the Cisco IOS agent. Incremental (partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation. The switch can check the syntax of the configuration before applying it.
Configuring Cisco IOS Agents
Table 4-1 Prerequisites for Enabling Automatic Configuration
Access switch: Factory default (no configuration file).
Distribution switch: IP helper address; DHCP relay agent enabled; IP routing (if used as default gateway).
DHCP server: IP address assignment; TFTP server IP address; path to the bootstrap configuration file on the TFTP server.
TFTP server and CNS Configuration Engine: requirements continue in Table 4-1.
Enabling the CNS Event Agent
Note You must enable the CNS event agent on the switch before you enable the CNS configuration agent.
Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:
Step 1 - configure terminal - Enter global configuration mode.
Enabling the Cisco IOS CNS Agent
After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands:
• The cns config initial global configuration command enables the Cisco IOS agent and initiates an initial configuration on the switch.
Step 7 - cns id interface num {dns-reverse | ipaddress | mac-address} [event] or cns id {hardware-serial | hostname | string string} [event] - Set the unique EventID or ConfigID used by the Configuration Engine.
Step 10 - show cns config connections - Verify information about the configuration agent.
Step 11 - show running-config - Verify your entries.
To disable the CNS Cisco IOS agent, use the no cns config initial {ip-address | hostname} global configuration command.
This example shows how to configure an initial configuration on a remote switch. The switch hostname is the unique ID.
Displaying CNS Configuration
You can use the privileged EXEC commands in Table 4-2 to display CNS configuration information.
Table 4-2 Displaying CNS Configuration
show cns config connections - Displays the status of the CNS Cisco IOS agent connections.
show cns config outstanding - Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
Chapter 5 Managing Switch Stacks
This chapter provides the concepts and procedures to manage Catalyst 3750-E switch stacks.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding Switch Stacks
– A mixed software stack with only Catalyst 3750-E switches supporting different features or only Catalyst 3750 switches supporting different features as stack members. For example, a Catalyst 3750-E-only stack with some members running the IP base feature set, other members running the IP services feature set, and the remaining members running the advanced IP services feature set.
To manage switch stacks, you should understand:
• These concepts on how switch stacks are formed:
  – Switch Stack Membership, page 5-3
  – Stack Master Election and Re-Election, page 5-5
• These concepts on how switch stacks and stack members are configured:
  – Switch Stack Bridge ID and Router MAC Address, page 5-6
  – Stack Member Numbers, page 5-6
  – Stack Member Priority Values, page 5-7
  – Switch Stack Offline Configuration, page 5-8
  – Hardware
Note Make sure that you power off the switches that you add to or remove from the switch stack. After adding or removing stack members, make sure that the switch stack is operating at full bandwidth (64 Gb/s). Press the Mode button on a stack member until the Stack mode LED is on. The last two right port LEDs on all switches in the stack should be green.
Figure 5-2 Adding a Standalone Switch to a Switch Stack: a three-member stack (stack member 2 is the stack master) becomes a four-member stack, with the former standalone switch (stack member 1 on its own) joining as stack member 4.
Stack Master Election and Re-Election
The stack master is elected or re-elected based on one of these factors and in the order listed:
1. The switch that is currently the stack master.
2.
A stack master retains its role unless one of these events occurs:
• The switch stack is reset.*
• The stack master is removed from the switch stack.
• The stack master is reset or powered off.
• The stack master fails.
• The switch stack membership is increased by adding powered-on standalone switches or switch stacks.*
In the events marked by an asterisk (*), the current stack master might be re-elected based on the listed factors.
Stack members in the same switch stack cannot have the same stack member number. Every stack member, including a standalone switch, retains its member number until you manually change the number or unless the number is already being used by another member in the stack.
Switch Stack Offline Configuration
You can use the offline configuration feature to provision (to supply a configuration to) a new switch before it joins the switch stack. You can configure in advance the stack member number, the switch type, and the interfaces associated with a switch that is not currently part of the stack. The configuration that you create on the switch stack is called the provisioned configuration.
Table 5-1 Results of Comparing the Provisioned Configuration with the Provisioned Switch (continued)
Scenario: The stack member number is not found in the provisioned configuration.
Result: The switch stack applies the default configuration to the provisioned switch and adds it to the stack. The provisioned configuration is changed to reflect the new information.
Note If the switch stack does not contain a provisioned configuration for a new switch, the switch joins the stack with the default interface configuration. The switch stack then adds to its running configuration a switch stack-member-number provision type global configuration command that matches the new switch. For configuration information, see the "Provisioning a New Member for a Switch Stack" section on page 5-23.
For more information, see the "Stack Protocol Version Compatibility" section on page 5-11 and the Cisco Software Activation and Compatibility Document on Cisco.com. For information about mixed hardware and software stacks, see the Cisco Software Activation and Compatibility Document on Cisco.com.
Stack Protocol Version Compatibility
Each software image includes a stack protocol version.
Understanding Auto-Upgrade and Auto-Advise
When the software detects mismatched software and tries to upgrade the switch in VM mode, two software processes are involved: automatic upgrade and automatic advise.
• The automatic upgrade (auto-upgrade) process includes an auto-copy process and an auto-extract process. By default, auto-upgrade is enabled (the boot auto-copy-sw global configuration command is enabled).
You can use the archive download-sw /allow-feature-upgrade privileged EXEC command to allow installing a different software image.
Auto-Upgrade and Auto-Advise Example Messages
When you add a switch that has a different minor version number to the switch stack, the software displays messages in sequence (assuming that there are no other system messages generated by the switch).
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting c3750e-universal-mz.122-0.0.313.SE/c3750e-universal-mz.122-35.SE2 (4945851 bytes)
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting c3750e-universal-mz.122-35.SE2/info (450 bytes)
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting info (104 bytes)
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:
*Mar 11 20:36:15.
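As an added example of turning these messages into something a log pipeline can check (this is not Cisco code), the following Python parses IOS syslog lines of the form *timestamp:%FACILITY-SEVERITY-MNEMONIC:message, pulls the extracted file path and size out of each AUTO_COPY_SW message, and flags an auto-copied image whose version string differs from the one you expect the stack to run. The sample log text is the listing above; the expected-version values and the regular expressions are constructed for this example.

```python
"""Parser for the IMAGEMGR auto-upgrade messages shown above, to record which
image a stack member is being upgraded to.  Added example, not Cisco code.
The sample lines are copied from this section; the expected version and the
regular expressions are constructed for illustration."""
import re

# Constructed sample: the AUTO_COPY_SW lines from this section.
SAMPLE_LOG = """\
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting c3750e-universal-mz.122-0.0.313.SE/c3750e-universal-mz.122-35.SE2 (4945851 bytes)
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting c3750e-universal-mz.122-35.SE2/info (450 bytes)
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting info (104 bytes)
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:
"""

# IOS syslog line: *timestamp:%FACILITY-SEVERITY-MNEMONIC:message
LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+):%"
    r"(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):"
    r"(?P<msg>.*)$")
# Message body of an auto-copy extraction step.
EXTRACT_RE = re.compile(r"^extracting (?P<path>\S+) \((?P<size>\d+) bytes\)$")
# Image directory or file names look like c3750e-universal-mz.122-35.SE2;
# the version is everything after the "-mz." prefix.
IMAGE_RE = re.compile(r"c3750e-[a-z]+-mz\.(?P<version>[\d.\-]+[A-Z]+\d*)")


def parse_line(line):
    """Split one syslog line into its fields; None if it is not a syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    e = EXTRACT_RE.match(rec["msg"])
    rec["path"] = e.group("path") if e else None
    rec["size"] = int(e.group("size")) if e else 0
    return rec


def auto_copy_summary(log_text):
    """Return (set of image versions extracted, total bytes extracted)."""
    versions, total = set(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["mnemonic"] != "AUTO_COPY_SW" or not rec["path"]:
            continue
        total += rec["size"]
        # The last image name in the path is the file actually being
        # extracted; earlier components are the directory it lands in.
        last = None
        for m in IMAGE_RE.finditer(rec["path"]):
            last = m.group("version")
        if last:
            versions.add(last)
    return versions, total


def unexpected_versions(log_text, expected_version):
    """Image versions auto-copied to a member that differ from the stack's."""
    versions, _ = auto_copy_summary(log_text)
    return sorted(v for v in versions if v != expected_version)


if __name__ == "__main__":
    print(auto_copy_summary(SAMPLE_LOG))
    print(unexpected_versions(SAMPLE_LOG, "122-35.SE2"))
```

Because auto-upgrade copies software between stack members without operator involvement, recording these events and comparing the extracted version with the image the stack master is known to run gives you an audit trail for what ended up on each member.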
Note Auto-advise and auto-copy identify which images are running by examining the info file and by searching the directory structure on the switch stack. If you download your image by using the copy tftp: boot loader command instead of the archive download-sw privileged EXEC command, the proper directory structure is not created. For more information about the info file, see the "File Format of Images on a Server or Cisco.
You back up and restore the stack configuration in the same way as you would for a standalone switch configuration. For more information about file systems and configuration files, see Appendix B, "Working with the Cisco IOS File System, Configuration Files, and Software Images."
Connectivity to the Switch Stack Through an IP Address
The switch stack is managed through a single IP address. The IP address is a system-level setting and is not specific to the stack master or to any other stack member. You can still manage the stack through the same IP address even if you remove the stack master or any other stack member from the stack, provided there is IP connectivity.
Switch Stack Configuration Scenarios
Table 5-2 provides switch stack configuration scenarios. Most of the scenarios assume that at least two switches are connected through their StackWise Plus ports.
Table 5-2 Switch Stack Configuration Scenarios
Scenario: Stack master election specifically determined: connect two powered-on switch stacks through the StackWise Plus ports.
Table 5-2 Switch Stack Configuration Scenarios (continued)
Scenario: Stack master election specifically determined by the cryptographic image. Assuming that all stack members have the same priority value: 1.
Result: The stack member with the cryptographic image and the IP base feature set is elected stack master.
Configuring the Switch Stack
These sections contain this configuration information:
• Default Switch Stack Configuration, page 5-20
• Enabling Persistent MAC Address, page 5-20
• Assigning Stack Member Information, page 5-22
Default Switch Stack Configuration
Table 5-3 shows the default switch stack configuration.
Table 5-3 Default Switch Stack Configuration
Stack MAC address timer: Disabled.
Note If you enter a time delay of 1 to 60 minutes, the stack MAC address of the previous stack master is used until the configured time period expires or until you enter the no stack-mac persistent timer command. If the entire switch stack reloads, it uses the MAC address of the stack master as the stack MAC address.
Beginning in privileged EXEC mode, follow these steps to enable persistent MAC address. This procedure is optional.
WARNING: Administrators must make sure that the old stack-mac does
WARNING: not appear elsewhere in this network domain. If it does,
WARNING: user traffic may be blackholed.
Switch(config)# end
Switch# show switch
Switch/Stack Mac Address : 0016.4727.a900
Mac persistency wait time: 7 mins
                                             H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
*1       Master 0016.4727.
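The following Python model is added here and is not part of the guide or the switch software. It follows the stack MAC address through the events this section describes: a master change with stack-mac persistent timer configured keeps the old master's MAC until the timer expires or no stack-mac persistent timer is entered, a reload of the whole stack adopts the current master's MAC, and conflicts() performs the check the WARNING above asks administrators to make, that the MAC the stack is still using does not appear elsewhere in the domain (for instance on the removed old master powered on as a standalone switch). The behaviour with the timer disabled (the stack MAC following the new master at once) and the second MAC address 0016.4727.b100 are assumptions.

```python
"""Model of the stack MAC address under stack-mac persistent timer, as
described in this section, including the duplicate-MAC check behind the
WARNING above.  Added example, not Cisco code.  Times are in seconds; the
first MAC address mirrors the show switch output, the second is constructed."""


class StackMac:
    """Tracks which MAC address the stack presents to the network."""

    def __init__(self, master_mac, timer_minutes=None):
        # timer_minutes=None models the default (Table 5-3: timer disabled);
        # 1-60 keeps the old master's MAC for that long after a master change.
        self.master_mac = master_mac
        self.stack_mac = master_mac
        self.timer_minutes = timer_minutes
        self.expires_at = None

    def master_changed(self, new_master_mac, now):
        """A new stack master was elected at time `now`."""
        self.master_mac = new_master_mac
        if self.timer_minutes is None:
            # Assumption: with the feature disabled the stack MAC simply
            # follows the new master.
            self.stack_mac = new_master_mac
        else:
            self.expires_at = now + self.timer_minutes * 60
        return self.stack_mac

    def tick(self, now):
        """Advance the clock; adopt the new master's MAC once the timer expires."""
        if self.expires_at is not None and now >= self.expires_at:
            self.stack_mac, self.expires_at = self.master_mac, None
        return self.stack_mac

    def no_persistent_timer(self):
        """`no stack-mac persistent timer`: stop using the old MAC at once."""
        self.timer_minutes, self.expires_at = None, None
        self.stack_mac = self.master_mac
        return self.stack_mac

    def stack_reload(self):
        """A reload of the whole stack always uses the current master's MAC."""
        self.expires_at = None
        self.stack_mac = self.master_mac
        return self.stack_mac

    def conflicts(self, macs_seen_elsewhere):
        """True if the MAC the stack is using also appears elsewhere in the
        domain, e.g. the removed old master powered on as a standalone switch;
        the WARNING above says user traffic may then be blackholed."""
        return self.stack_mac in set(macs_seen_elsewhere)


def persistence_timeline(timer_minutes, old_mac, new_mac, sample_minutes):
    """Stack MAC observed at each sample point after a master change at minute 0."""
    s = StackMac(old_mac, timer_minutes)
    s.master_changed(new_mac, now=0)
    return [s.tick(m * 60) for m in sample_minutes]


if __name__ == "__main__":
    # 7-minute timer as in the show switch output above; second MAC assumed.
    print(persistence_timeline(7, "0016.4727.a900", "0016.4727.b100", [0, 5, 7, 10]))
```

The practical use of conflicts() is the window between a master change and timer expiry: if the old master has left the stack and is powered on elsewhere during those minutes, its own MAC and the stack MAC are identical, which is exactly the situation the WARNING describes.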
Beginning in privileged EXEC mode, follow these steps to assign a priority value to a stack member. This procedure is optional.
Step 1 - configure terminal - Enter global configuration mode.
Step 2 - switch stack-member-number priority new-priority-number - Specify the stack member number and the new priority for the stack member. The stack member number range is 1 to 9. The priority value range is 1 to 15.
To remove provisioned information and to avoid receiving an error message, remove the specified switch from the stack before you use the no form of this command. This example shows how to provision a Catalyst 3750-E switch with a stack member number of 2 for the switch stack.
Displaying Switch Stack Information
Table 5-4 Commands for Displaying Switch Stack Information (continued)
show switch stack-ports - Displays port information for the entire switch stack.
show switch stack-ring activity [detail] - Displays the number of frames per stack member that are sent to the stack ring. Use the detail keyword to display the ASIC, the receive queues, and the number of frames per stack member that are sent to the stack ring.
Catalyst 3750-E and 3560-E Switch Software Configuration Guide 5-26 OL-9775-02
CHAPTER 6 Clustering Switches
This chapter provides the concepts and procedures to create and manage Catalyst 3750-E and 3560-E switch clusters. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. You can create and manage switch clusters by using Cisco Network Assistant (hereafter known as Network Assistant), the command-line interface (CLI), or SNMP. For complete procedures, see the online help.
Chapter 6 Clustering Switches Understanding Switch Clusters In a switch cluster, 1 switch must be the cluster command switch and up to 15 other switches can be cluster member switches. The total number of switches in a cluster cannot exceed 16 switches. The cluster command switch is the single point of access used to configure, manage, and monitor the cluster member switches. Cluster members can belong to only one cluster at a time. Note A switch cluster is different from a switch stack.
Table 6-1 Switch Software and Cluster Capability (continued)
Switch                             Cisco IOS Release            Cluster Capability
Catalyst 2900 XL (8-MB switches)   12.0(5.1)XU or later         Member or command switch
Catalyst 2900 XL (4-MB switches)   11.2(8.5)SA6 (recommended)   Member switch only
Catalyst 1900 and 2820             9.
Chapter 6 Clustering Switches Planning a Switch Cluster Candidate Switch and Cluster Member Switch Characteristics Candidate switches are cluster-capable switches and switch stacks that have not yet been added to a cluster. Cluster member switches are switches and switch stacks that have actually been added to a switch cluster.
Automatic Discovery of Cluster Candidates and Members
The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
Note Do not disable CDP on the cluster command switch, on cluster members, or on any cluster-capable switches that you might want a cluster command switch to discover.
In Figure 6-1, the cluster command switch has ports assigned to VLANs 16 and 62. The CDP hop count is three. The cluster command switch discovers switches 11, 12, 13, and 14 because they are within three hops from the edge of the cluster. It does not discover switch 15 because it is four hops from the edge of the cluster.
Figure 6-2 shows that the cluster command switch discovers the switch that is connected to a third-party hub. However, the cluster command switch does not discover the switch that is connected to a Catalyst 5000 switch.
Figure 6-3 Discovery Through Different VLANs
Discovery Through Different Management VLANs
Catalyst 2960, Catalyst 2970, Catalyst 3550, Catalyst 3560, Catalyst 3560-E, Catalyst 3750, or Catalyst 3750-E cluster command switches can discover and manage cluster member switches in different VLANs and different management VLANs.
Figure 6-4 Discovery Through Different Management VLANs with a Layer 3 Cluster Command Switch
Figure 6-5 Discovery Through Routed Ports
Discovery of Newly Installed Switches
To join a cluster, the new, out-of-the-box switch must be connected to the cluster through one of its access ports. An access port (AP) carries the traffic of and belongs to only one VLAN.
HSRP and Standby Cluster Command Switches
The switch supports Hot Standby Router Protocol (HSRP) so that you can configure a group of standby cluster command switches.
Virtual IP Addresses
You need to assign a unique virtual IP address and group number and name to the cluster standby group. This information must be configured on a specific VLAN or routed port on the active cluster command switch. The active cluster command switch receives traffic destined for the virtual IP address.
• All standby-group members must be members of the cluster. There is no limit to the number of switches that you can assign as standby cluster command switches. However, the total number of switches in the cluster—which would include the active cluster command switch, standby-group members, and cluster member switches—cannot be more than 16.
Automatic discovery has these limitations:
• This limitation applies only to clusters that have Catalyst 2950, Catalyst 2960, Catalyst 2970, Catalyst 3550, Catalyst 3560, Catalyst 3560-E, Catalyst 3750, and Catalyst 3750-E command and standby cluster command switches: If the active cluster command switch and standby cluster command switch become disabled at the same time, the passive cluster command switch with the highest priority becomes the acti
If a switch joins a cluster and it does not have a hostname, the cluster command switch appends a unique member number to its own hostname and assigns it sequentially as each switch joins the cluster. The number indicates the order in which the switch was added to the cluster. For example, a cluster command switch named eng-cluster could name the fifth cluster member eng-cluster-5.
Switch Clusters and Switch Stacks
A switch cluster can have one or more Catalyst 3750-E switch stacks. Each switch stack can act as the cluster command switch or as a single cluster member. Table 6-2 describes the basic differences between switch stacks and switch clusters. For more information about switch stacks, see Chapter 5, “Managing Switch Stacks.”
These are considerations to keep in mind when you have switch stacks in switch clusters:
• If the cluster command switch is not a Catalyst 3750-E switch or switch stack and a new stack master is elected in a cluster member switch stack, the switch stack loses its connectivity to the switch cluster if there are no redundant connections between the switch stack and the cluster command switch. You must add the switch stack to the switch cluster.
Chapter 6 Clustering Switches
Using the CLI to Manage Switch Clusters
You can configure cluster member switches from the CLI by first logging into the cluster command switch. Enter the rcommand user EXEC command and the cluster member switch number to start a Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual.
Using SNMP to Manage Switch Clusters
When you first power on the switch, SNMP is enabled if you enter the IP information by using the setup program and accept its proposed configuration. If you did not use the setup program to enter the IP information and SNMP was not enabled, you can enable it as described in the “Configuring SNMP” section on page 33-6. On Catalyst 1900 and Catalyst 2820 switches, SNMP is enabled by default.
CHAPTER 7 Administering the Switch
This chapter describes how to perform one-time operations to administer the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Chapter 7 Administering the Switch Managing the System Time and Date
The system clock can then be set from these sources:
• NTP
• Manual configuration
The system clock can provide time to these services:
• User show commands
• Logging and debugging messages
The system clock keeps track of time internally based on Universal Time Coordinated (UTC), also known as Greenwich Mean Time (GMT).
Figure 7-1 shows a typical network example using NTP. Switch A is the NTP master, with Switches B, C, and D configured in NTP server mode, in server association with Switch A. Switch E is configured as an NTP peer to the upstream and downstream switches, Switch B and Switch F.
These sections contain this configuration information:
• Default NTP Configuration, page 7-4
• Configuring NTP Authentication, page 7-4
• Configuring NTP Associations, page 7-5
• Configuring NTP Broadcast Service, page 7-6
• Configuring NTP Access Restrictions, page 7-8
• Configuring the Source IP Address for NTP Packets, page 7-10
• Displaying the NTP Configuration, page 7-11
Default NTP Configuration
Table 7-1 shows the
Step 3  ntp authentication-key number md5 value
        Define the authentication keys. By default, none are defined.
        • For number, specify a key number. The range is 1 to 4294967295.
        • md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5).
        • For value, enter an arbitrary string of up to eight characters for the key.
Beginning in privileged EXEC mode, follow these steps to form an NTP association with another device:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ntp peer ip-address [version number] [key keyid] [source interface] [prefer]
        Configure the switch system clock to synchronize a peer or to be synchronized by a peer (peer association).
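The key defined with ntp authentication-key and referenced by key keyid in the association is used as RFC 5905 describes: the packet carries a MAC made of the 4-byte key identifier followed by MD5(key || NTP header), and a receiver accepts it only if that key number is both defined and trusted (the ntp trusted-key command on the switch). The Python below is an added example, not code from this guide or from Cisco IOS; it builds a minimal client packet, appends that MAC, and performs the receiver-side check. The key table, trusted-key set and packet contents are constructed stand-ins.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48          # LI/VN/Mode through the Transmit Timestamp
MAC_LEN = 4 + 16             # key identifier followed by a 16-byte MD5 digest

# Constructed stand-ins for "ntp authentication-key <number> md5 <value>" (values are
# ASCII strings of up to eight characters on the switch) and for the key numbers the
# switch has been told to trust with "ntp trusted-key".  Key 2 is defined but not trusted.
KEY_TABLE = {1: b"ntpkey1", 2: b"backup2"}
TRUSTED_KEYS = {1}


def build_client_header(transmit_ts: int = 0) -> bytes:
    """Minimal NTPv3 client header (mode 3); every field but the transmit
    timestamp is zero, which is enough to exercise the MAC."""
    li_vn_mode = (0 << 6) | (3 << 3) | 3      # LI=0, VN=3, Mode=3 (client)
    return struct.pack(
        ">BBbbII4sQQQQ",
        li_vn_mode, 0, 0, 0,                   # stratum, poll, precision
        0, 0,                                  # root delay, root dispersion
        b"\x00" * 4,                           # reference ID
        0, 0, 0, transmit_ts,                  # reference, originate, receive, transmit
    )


def ntp_mac(key: bytes, header: bytes, key_id: int) -> bytes:
    """RFC 5905 MAC: 32-bit key identifier || MD5(key || header).  The key is
    simply prepended to the data, so this is a keyed hash, not an HMAC."""
    return struct.pack(">I", key_id) + hashlib.md5(key + header).digest()


def sign_packet(header: bytes, key_id: int, key_table: dict) -> bytes:
    """Append the MAC a sender adds when its association is configured with key keyid."""
    return header + ntp_mac(key_table[key_id], header, key_id)


def verify_packet(packet: bytes, key_table: dict, trusted_keys: set) -> bool:
    """Receiver-side check: the packet must carry a MAC, the key number must be
    both defined and trusted, and the digest must match under that key."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False                            # unauthenticated or malformed packet
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack(">I", mac[:4])
    if key_id not in trusted_keys or key_id not in key_table:
        return False                            # defined-but-untrusted keys are rejected too
    expected = ntp_mac(key_table[key_id], header, key_id)
    return hmac.compare_digest(mac, expected)   # constant-time comparison


if __name__ == "__main__":
    hdr = build_client_header(transmit_ts=0x1234_0000_0000_0000)
    print("trusted key 1:", verify_packet(sign_packet(hdr, 1, KEY_TABLE), KEY_TABLE, TRUSTED_KEYS))    # True
    print("untrusted key 2:", verify_packet(sign_packet(hdr, 2, KEY_TABLE), KEY_TABLE, TRUSTED_KEYS))  # False
```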
The switch can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server, such as a router, broadcasting time information on the network. The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it. The switch can also receive NTP broadcast packets to synchronize its own clock.
Step 5  ntp broadcastdelay microseconds
        (Optional) Change the estimated round-trip delay between the switch and the NTP broadcast server. The default is 3000 microseconds; the range is 1 to 999999.
Step 6  end
        Return to privileged EXEC mode.
Step 7  show running-config
        Verify your entries.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Step 3  access-list access-list-number permit source [source-wildcard]
        Create the access list.
        • For access-list-number, enter the number specified in Step 2.
        • Enter the permit keyword to permit access if the conditions are matched.
        • For source, enter the IP address of the device that is permitted access to the switch.
        • (Optional) For source-wildcard, enter the wildcard bits to be applied to the source.
Disabling NTP Services on a Specific Interface
NTP services are enabled on all interfaces by default. Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on an interface:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode, and specify the interface to disable.
Displaying the NTP Configuration
You can use two privileged EXEC commands to display NTP information:
• show ntp associations [detail]
• show ntp status
For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Displaying the Time and Date Configuration
To display the time and date configuration, use the show clock [detail] privileged EXEC command. The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes.
Configuring Summer Time (Daylight Saving Time)
Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  clock summer-time zone recurring
        Configure summer time to start and end on the specified days every year.
Chapter 7 Administering the Switch Configuring a System Name and Prompt
Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):
Step 1  configure terminal
        Enter global configuration mode.
Step 2  clock summer-time zone date [month date year hh:mm month date year hh:mm
        Configure summer time to start on the first date and end on the second date.
For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the hostnames, specify the name server that is present on your network, and enable the DNS.
Chapter 7 Administering the Switch Creating a Banner
Step 5  end
        Return to privileged EXEC mode.
Step 6  show running-config
        Verify your entries.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.
Configuring a Message-of-the-Day Login Banner
You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  banner motd c message c
        Specify the message of the day.
Chapter 7 Administering the Switch Managing the MAC Address Table
Configuring a Login Banner
You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  banner login c message c
        Specify the login message.
These sections contain this configuration information:
• Building the Address Table, page 7-20
• MAC Addresses and VLANs, page 7-20
• MAC Addresses and Switch Stacks, page 7-21
• Default MAC Address Table Configuration, page 7-21
• Changing the Address Aging Time, page 7-21
• Removing Dynamic Address Entries, page 7-22
• Configuring MAC Address Notification Traps, page 7-22
• Adding and Removing Static Address Entries, page
When private VLANs are configured, address learning depends on the type of MAC address:
• Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated VLANs. For example, a MAC address learned in a private-VLAN secondary VLAN is replicated in the primary VLAN.
• Static MAC addresses configured in a primary or secondary VLAN are not replicated in the associated VLANs.
Beginning in privileged EXEC mode, follow these steps to configure the dynamic address table aging time:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  mac address-table aging-time [0 | 10-1000000] [vlan vlan-id]
        Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated. The range is 10 to 1000000 seconds. The default is 300.
Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address notification traps to an NMS host:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type
        Specify the recipient of the trap message.
        • For host-addr, specify the name or address of the NMS.
Step 9  show mac address-table notification interface
        show running-config
        Verify your entries.
Step 10 copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To disable the switch from sending MAC address notification traps, use the no snmp-server enable traps mac-notification global configuration command.
Beginning in privileged EXEC mode, follow these steps to add a static address:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  mac address-table static mac-addr vlan vlan-id interface interface-id
        Add a static address to the MAC address table.
        • For mac-addr, specify the destination MAC unicast address to add to the address table.
• If you add a unicast MAC address as a static address and configure unicast MAC address filtering, the switch either adds the MAC address as a static address or drops packets with that MAC address, depending on which command was entered last. The second command that you entered overrides the first command.
Chapter 7 Administering the Switch Managing the ARP Table
Displaying Address Table Entries
You can display the MAC address table by using one or more of the privileged EXEC commands described in Table 7-4:
Table 7-4 Commands for Displaying the MAC Address Table
show ip igmp snooping groups
    Displays the Layer 2 multicast entries for all VLANs or the specified VLAN.
show mac address-table address
    Displays MAC address table information for the specified MAC address.
CHAPTER 8 Configuring SDM Templates
This chapter describes how to configure the Switch Database Management (SDM) templates on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 8 Configuring SDM Templates Understanding the SDM Templates
Table 8-1 Approximate Number of Feature Resources Allowed by Each Template
Resource                            Access   Default   Routing   VLAN
Unicast MAC addresses               4K       6K        3K        12K
IGMP groups and multicast routes    1K       1K        1K        1K
Unicast routes                      6K       8K        11K       0
• Directly connected hosts          4K       6K        3K        0
• Indirect routes                   2K       2K        8K        0
Policy-based routing ACEs           0.5K     0         0.5K      0
QoS classification ACEs             0.5K     0.5K      0.5K      0.
Table 8-2 Approximate Feature Resources Allowed by Dual IPv4-IPv6 Templates
Resource                                 IPv4-and-IPv6 Default   IPv4-and-IPv6 Routing   IPv4-and-IPv6 VLAN
Unicast MAC addresses                    2K                      1.5K                    8K
IPv4 IGMP groups and multicast routes    1K                      1K                      1K for IGMP groups, 0 for multicast routes
Total IPv4 unicast routes                3K                      2.75K                   0
• Directly connected IPv4 hosts          2K                      1.5K                    0
• Indirect IPv4 routes                   1K                      1.
Chapter 8 Configuring SDM Templates Configuring the Switch SDM Template
2d23h:%SDM-6-MISMATCH_ADVISE:compatible desktop SDM template:
2d23h:%SDM-6-MISMATCH_ADVISE:
2d23h:%SDM-6-MISMATCH_ADVISE: "sdm prefer vlan desktop"
2d23h:%SDM-6-MISMATCH_ADVISE: "reload"
Configuring the Switch SDM Template
These sections contain this configuration information:
• Default SDM Template, page 8-4
• SDM Template Configuration Guidelines, page 8-4
• Setting the SDM Template, page 8-5
Default SDM Template
The default
Setting the SDM Template
Beginning in privileged EXEC mode, follow these steps to use the SDM template to maximize feature usage:
Step 1  configure terminal
        Enter global configuration mode.
Chapter 8 Configuring SDM Templates Displaying the SDM Templates
  number of qos aces:                       0.5K
  number of security aces:                  1K
On next reload, template will be "desktop vlan" template.
To return to the default template, use the no sdm prefer global configuration command.
This is an example of output from the show sdm prefer dual-ipv4-and-ipv6 routing command entered on a desktop switch:
Switch# show sdm prefer dual-ipv4-and-ipv6 routing
 The current template is "desktop IPv4 and IPv6 routing" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.
CHAPTER 9 Configuring Switch-Based Authentication
This chapter describes how to configure switch-based authentication on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands
• If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information. For more information, see the “Controlling Switch Access with TACACS+” section on page 9-10.
Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  enable password password
        Define a new password or change an existing password for access to privileged EXEC mode.
Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  enable password [level level] {password | encryption-type encrypted-password}
        Define a new password or change an existing password for access to privileged EXEC mode.
This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:
Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
Disabling Password Recovery
By default, any end user with physical access to the switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password.
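Encryption type 5 in the enable secret command above denotes the salted, 1000-round MD5-crypt format, which is why the stored value has the $1$salt$hash shape shown in the example. The Python below is an added example, not code from this guide or from Cisco IOS: it reimplements MD5-crypt from hashlib so that a candidate password can be checked against a stored type 5 string offline, the same one-way comparison the switch performs at the enable prompt. The password and salt values are constructed.

```python
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"                        # the "type 5" marker at the front of the stored string


def _to64(value: int, count: int) -> bytes:
    """MD5-crypt's own base-64 variant: 6 bits at a time, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> bytes:
    """Return $1$<salt>$<22 chars> for the given password and salt (salt is at most 8 bytes)."""
    salt = salt[:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                          # one byte of 'alt' per password byte
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:                                   # bit pattern of the password length
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                         # the fixed 1000 stretching rounds
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    encoded = b"".join(                           # bytes are interleaved, then base-64 encoded
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return MAGIC + salt + b"$" + encoded


def verify_type5(candidate: bytes, stored: bytes) -> bool:
    """Check a candidate password against a stored type 5 string; the salt is read
    from the stored value, so only the hash has to be recomputed."""
    parts = stored.split(b"$")
    if len(parts) != 4 or parts[1] != b"1":
        return False                              # not a $1$salt$hash string
    return hmac.compare_digest(md5crypt(candidate, parts[2]), stored)


if __name__ == "__main__":
    stored = md5crypt(b"Enable-Pw-2", b"FaD0")    # constructed secret, salt from the example
    print(stored.decode())
    print(verify_type5(b"Enable-Pw-2", stored), verify_type5(b"enable-pw-2", stored))  # True False
```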
Setting a Telnet Password for a Terminal Line
When you power up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password.
Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  username name [privilege level] {password encryption-type password}
        Enter the username, privilege level, and password for each user.
Setting the Privilege Level for a Command
Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  privilege mode level level command
        Set the privilege level for a command.
Changing the Default Privilege Level for Lines
Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  line vty line
        Select the virtual terminal line on which to restrict access.
Step 3  privilege level level
        Change the default privilege level for the line.
Chapter 9 Configuring Switch-Based Authentication
Controlling Switch Access with TACACS+
This section describes how to enable and configure Terminal Access Controller Access Control System Plus (TACACS+), which provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands.
Figure 9-1 Typical TACACS+ Network Configuration
Configure the switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers). Enable AAA. Create a login authentication method list. Apply the list to the terminal lines.
TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a password prompt.
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 9-16
• Starting TACACS+ Accounting, page 9-17
Default TACACS+ Configuration
TACACS+ and AAA are disabled by default. To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate users accessing the switch through the CLI.
Step 6  end
        Return to privileged EXEC mode.
Step 7  show tacacs
        Verify your entries.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To remove the specified TACACS+ server name or address, use the no tacacs-server host hostname global configuration command.
Step 3  aaa authentication login {default | list-name} method1 [method2...]
        Create a login authentication method list.
        • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.
Note To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip http authentication aaa global configuration command. Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS
Starting TACACS+ Accounting
The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
Understanding RADIUS
RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco routers and switches. Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information.
Figure 9-2 Transitioning from RADIUS to TACACS+ Services
RADIUS Operation
When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:
1. The user is prompted to enter a username and password.
2.
Configuring RADIUS
This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS You identify RADIUS security servers by their hostname or IP address, hostname and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting: Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1 Switch(config)# radius-server host 172.20.36.
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Step 3 Command Purpose aaa authentication login {default | list-name} method1 [method2...] Create a login authentication method list. • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Step 8 Command Purpose copy running-config startup-config (Optional) Save your entries in the configuration file. Step 9 Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 9-23. To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Step 3 Command Purpose aaa authorization exec radius Configure the switch for user RADIUS authorization if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information). Step 4 end Return to privileged EXEC mode. Step 5 show running-config Verify your entries.
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Configuring Settings for All RADIUS Servers Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server key string Specify the shared secret text string used between the switch and all RADIUS servers.
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: cisco-avpair= ”shell:priv-lvl=15“ This example shows how to specify an authorized VLAN in the RADIUS server database: cisco-avpair= ”tunnel-type(#64)=VLAN(13)” cisco-avpair= ”tunnel-medium-type(#65)=802 media(6)” cisco-avpair= ”tunnel-private-group-ID(#81)=vlanid” This example shows how to apply an in
As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with the switch. You specify the RADIUS host and secret text string by using the radius-server global configuration commands.
Controlling Switch Access with Kerberos
You must obtain authorization to use this feature and to download the cryptographic software files from Cisco.com. For more information, see the release notes for this release.
This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs).
Table 9-2 Kerberos Terms (continued)
KEYTAB (3): A password that a network service shares with the KDC. In Kerberos 5 and later Kerberos versions, the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it. In Kerberos versions earlier than Kerberos 5, KEYTAB is referred to as SRVTAB (4).
Principal:
4. The KDC sends an encrypted TGT that includes the user identity to the switch. 5. The switch attempts to decrypt the TGT by using the password that the user entered. • If the decryption is successful, the user is authenticated to the switch.
Note A Kerberos server can be a Catalyst 3750-E or 3560-E switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol. To set up a Kerberos-authenticated server-client system, follow these steps: • Configure the KDC by using Kerberos commands. • Configure the switch to use the Kerberos protocol.
Configuring the Switch for Local Authentication and Authorization
Step 6  username name [privilege level] {password encryption-type password}: Enter the local database, and establish a username-based authentication system. Repeat this command for each user. • For name, specify the user ID as one word. Spaces and quotation marks are not allowed. • (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15.
Configuring the Switch for Secure Shell
For SSH configuration examples, see the “SSH Configuration Examples” section in the “Configuring Secure Shell” section in the “Other Security Features” chapter of the Cisco IOS Security Configuration Guide, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7d5.
SSH also supports these user authentication methods: • TACACS+ (for more information, see the “Controlling Switch Access with TACACS+” section on page 9-10) • RADIUS (for more information, see the “Controlling Switch Access with RADIUS” section on page 9-17) • Local authentication and authorization (for more information, see the “Configuring the Switch for Local Authentication and Authorization” section o
• When generating the RSA key pair, the message No domain specified might appear. If it does, you must configure an IP domain name by using the ip domain-name global configuration command. • When configuring the local authentication and authorization authentication method, make sure that AAA is disabled on the console.
Setting Up the Switch to Run SSH
Follow these steps to set up your switch to run SSH: 1.
Configuring the SSH Server
Beginning in privileged EXEC mode, follow these steps to configure the SSH server:
Step 1  configure terminal: Enter global configuration mode.
Step 2  ip ssh version [1 | 2]: (Optional) Configure the switch to run SSH Version 1 or SSH Version 2. • 1—Configure the switch to run SSH Version 1. • 2—Configure the switch to run SSH Version 2.
For more information about these commands, see the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7d0.
Configuring the Switch for Secure Socket Layer HTTP
When a connection attempt is made, the HTTPS server provides a secure connection by issuing a certified X.509v3 certificate, obtained from a specified CA trustpoint, to the client. The client (usually a Web browser), in turn, has a public key that allows it to authenticate the certificate. For secure HTTP connections, we highly recommend that you configure a CA trustpoint.
CipherSuites
A CipherSuite specifies the encryption algorithm and the digest algorithm to use on an SSL connection. When connecting to the HTTPS server, the client Web browser offers a list of supported CipherSuites, and the client and server negotiate the best encryption algorithm to use from those on the list that are supported by both. For example, Netscape Communicator 4.76 supports U.S.
SSL Configuration Guidelines
When SSL is used in a switch cluster, the SSL session terminates at the cluster commander. Cluster member switches must run standard HTTP. Before you configure a CA trustpoint, you should ensure that the system clock is set. If the clock is not set, the certificate is rejected due to an incorrect date.
Use the no crypto ca trustpoint name global configuration command to delete all identity information and certificates associated with the CA.
Configuring the Secure HTTP Server
If you are using a certificate authority for certification, you should use the previous procedure to configure the CA trustpoint on the switch before enabling the HTTP server.
Step 11  ip http timeout-policy idle seconds life seconds requests value: (Optional) Specify how long a connection to the HTTP server can remain open under the defined circumstances: • idle—the maximum time period when no data is received or response data cannot be sent. The range is 1 to 600 seconds. The default is 180 seconds (3 minutes).
Step 3  ip http client secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-md5] [rc4-128-sha] [des-cbc-sha]}: (Optional) Specify the CipherSuites (encryption algorithms) to be used for encryption over the HTTPS connection. If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support.
Configuring the Switch for Secure Copy Protocol
Information About Secure Copy
To configure the Secure Copy feature, you should understand these concepts. The behavior of SCP is similar to that of remote copy (rcp), which comes from the Berkeley r-tools suite, except that SCP relies on SSH for security.
Catalyst 3750-E and 3560-E Switch Software Configuration Guide, OL-9775-02
Chapter 10 Configuring IEEE 802.1x Port-Based Authentication
This chapter describes how to configure IEEE 802.1x port-based authentication on the Catalyst 3750-E or 3560-E switch. IEEE 802.1x authentication prevents unauthorized devices (clients) from gaining access to the network. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Understanding IEEE 802.1x Port-Based Authentication
• IEEE 802.1x Host Mode, page 10-8
• IEEE 802.1x Accounting, page 10-9
• IEEE 802.1x Accounting Attribute-Value Pairs, page 10-9
• Using IEEE 802.1x Authentication with VLAN Assignment, page 10-10
• Using IEEE 802.1x Authentication with Per-User ACLs, page 10-11
• Using IEEE 802.1x Authentication with Guest VLAN, page 10-12
• Using IEEE 802.
• Authentication server—performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client.
Figure 10-2 shows the authentication process. If Multi Domain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions that are applicable to voice authorization. For more information on MDA, see the “Using Multidomain Authentication” section on page 10-19.
Figure 10-2 Authentication Flowchart
[Flowchart; labels visible on the page: Start; IEEE 802.1x authentication process times out.]
The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which re-authentication occurs. The Termination-Action RADIUS attribute (Attribute[29]) specifies the action to take during re-authentication. The actions are Initialize and ReAuthenticate. When the Initialize action is set (the attribute value is DEFAULT), the IEEE 802.
Figure 10-3 Message Exchange (client, switch, and authentication server (RADIUS))
Client -> Switch: EAPOL-Start
Switch -> Client: EAP-Request/Identity
Client -> Switch: EAP-Response/Identity; Switch -> Server: RADIUS Access-Request
Server -> Switch: RADIUS Access-Challenge; Switch -> Client: EAP-Request/OTP
Client -> Switch: EAP-Response/OTP; Switch -> Server: RADIUS Access-Request
Server -> Switch: RADIUS Access-Accept; Switch -> Client: EAP-Success
Port Authorized
Client -> Switch: EAPOL-Logoff
Port Unauthorized
If IEEE 802.
Ports in Authorized and Unauthorized States
During IEEE 802.1x authentication, depending on the switch port state, the switch can grant a client access to the network. The port starts in the unauthorized state. While in this state, the port that is not configured as a voice VLAN port disallows all ingress and egress traffic except for IEEE 802.1x authentication, CDP, and STP packets.
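The exchange in Figure 10-3 and the port states just described, as an added Python model that is not Cisco code: the switch (authenticator) relays EAP between the client and a stub RADIUS server, authorizes the port only on Access-Accept, and returns it to the unauthorized state on Access-Reject or EAPOL-Logoff. The user name, one-time password, the stub server and the class and function names are constructed for this example.

```python
"""Switch-side (authenticator) model of the IEEE 802.1x exchange in Figure 10-3.

Added example, not Cisco code. The switch proxies EAP between the client
(EAPOL frames) and the authentication server (RADIUS) and owns the port
state. The RADIUS server is a constructed stub that issues one OTP challenge;
the user name and one-time password are constructed sample data.
"""

UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"
# An unauthorized port that is not a voice VLAN port passes only
# 802.1x (EAPOL), CDP and STP traffic.
ALLOWED_WHEN_UNAUTHORIZED = {"EAPOL", "CDP", "STP"}
CONSTRUCTED_USERS = {"alice": "1234"}  # identity -> expected OTP (sample data)


class StubRadiusServer:
    """Stand-in for the authentication server: a challenge/response OTP flow."""

    def __init__(self, users):
        self.users = users

    def access_request(self, eap_kind, identity, value):
        """Answer one RADIUS Access-Request carrying an EAP response.
        Returns (RADIUS reply, EAP message for the switch to relay)."""
        if eap_kind == "EAP-Response/Identity":
            if identity in self.users:
                return "RADIUS Access-Challenge", "EAP-Request/OTP"
            return "RADIUS Access-Reject", "EAP-Failure"
        if eap_kind == "EAP-Response/OTP":
            if self.users.get(identity) == value:
                return "RADIUS Access-Accept", "EAP-Success"
            return "RADIUS Access-Reject", "EAP-Failure"
        raise ValueError("unexpected EAP message: %s" % eap_kind)


class Authenticator:
    """The switch: relays EAP to RADIUS and moves the port between states."""

    def __init__(self, server):
        self.server = server
        self.state = UNAUTHORIZED
        self.log = []  # one "sender->receiver message" entry per message

    def port_permits(self, protocol):
        """Data-plane decision for a port that is not a voice VLAN port."""
        return self.state == AUTHORIZED or protocol in ALLOWED_WHEN_UNAUTHORIZED

    def _to_client(self, msg):
        self.log.append("switch->client %s" % msg)
        return msg

    def receive_eapol(self, kind, identity=None, value=None):
        """Handle one frame from the client; returns the EAP message sent back."""
        self.log.append("client->switch %s" % kind)
        if kind == "EAPOL-Start":
            return self._to_client("EAP-Request/Identity")
        if kind == "EAPOL-Logoff":
            self.state = UNAUTHORIZED  # logoff returns the port to unauthorized
            return None
        # Every EAP-Response is forwarded to the server inside an Access-Request.
        self.log.append("switch->server RADIUS Access-Request")
        reply, eap = self.server.access_request(kind, identity, value)
        self.log.append("server->switch %s" % reply)
        if reply == "RADIUS Access-Accept":
            self.state = AUTHORIZED      # port authorized only on Access-Accept
        elif reply == "RADIUS Access-Reject":
            self.state = UNAUTHORIZED
        return self._to_client(eap)


def run_session(identity, otp, logoff=False):
    """Drive one client session end to end; returns the authenticator."""
    auth = Authenticator(StubRadiusServer(CONSTRUCTED_USERS))
    if auth.receive_eapol("EAPOL-Start") == "EAP-Request/Identity":
        reply = auth.receive_eapol("EAP-Response/Identity", identity)
        if reply == "EAP-Request/OTP":
            auth.receive_eapol("EAP-Response/OTP", identity, otp)
    if logoff:
        auth.receive_eapol("EAPOL-Logoff")
    return auth


if __name__ == "__main__":
    session = run_session("alice", "1234")
    for entry in session.log:
        print(entry)
    print("port state:", session.state)
```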
If IP connectivity to the RADIUS server is interrupted because the switch that was connected to the server is removed or fails, these events occur: • Ports that are already authenticated and that do not have periodic re-authentication enabled remain in the authenticated state. Communication with the RADIUS server is not required.
IEEE 802.1x Accounting
The IEEE 802.1x standard defines how users are authorized and authenticated for network access but does not keep track of network usage. IEEE 802.1x accounting is disabled by default. You can enable IEEE 802.1x accounting to monitor this activity on IEEE 802.1x-enabled ports: • User successfully authenticates. • User logs off. • Link-down occurs.
Table 10-1 Accounting AV Pairs (continued)
Attribute Number   AV Pair Name           START   INTERIM   STOP
Attribute[46]      Acct-Session-Time      Never   Never     Always
Attribute[49]      Acct-Terminate-Cause   Never   Never     Always
Attribute[61]      NAS-Port-Type          Always  Always    Always
If an IEEE 802.1x port is authenticated and put in the RADIUS server-assigned VLAN, any change to the port access VLAN configuration does not take effect. The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on the switch. The attribute contains the ACL number followed by .in for ingress filtering or .out for egress filtering. If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default.
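The RADIUS authorization attributes this guide shows, the cisco-avpair strings for shell:priv-lvl and VLAN assignment (Chapter 9) and the Filter-Id attribute with its .in/.out suffix (above), parsed and validated the way a defender would want before a server reply is acted on. This is an added Python example, not Cisco code; the attribute strings and the checked ranges (0 to 15 for privilege level, 1 to 4094 for a VLAN ID, outbound as the Filter-Id default) come from this guide, while the function names and the sample VLAN and ACL numbers are constructed.

```python
"""Parse and validate RADIUS authorization attributes before trusting them.

Added example, not Cisco code. Covers the cisco-avpair strings shown in
Chapter 9 (shell:priv-lvl, tunnel-type / tunnel-medium-type /
tunnel-private-group-ID) and the Filter-Id ACL attribute. Function names,
the sample VLAN ID 20 and ACL number 101 are constructed for the example.
"""
import re

# cisco-avpair payload: attr(#num)=value ; the "(#num)" attribute number is optional
AVPAIR_RE = re.compile(r"^(?P<attr>[A-Za-z0-9_:\-]+)(?:\(#(?P<anum>\d+)\))?=(?P<val>.+)$")
# enumerated values such as VLAN(13) or "802 media(6)" carry their number in parentheses
ENUM_RE = re.compile(r"^(?P<name>.+?)\((?P<vnum>\d+)\)$")


def parse_avpair(text):
    """Split one cisco-avpair string into attribute and value parts.

    'tunnel-type(#64)=VLAN(13)' -> {'attr': 'tunnel-type', 'anum': 64,
                                    'value': 'VLAN', 'vnum': 13}
    'shell:priv-lvl=15'         -> {'attr': 'shell:priv-lvl', 'anum': None,
                                    'value': '15', 'vnum': None}
    A leading 'cisco-avpair=' and surrounding quotes are accepted and dropped.
    """
    body = text.strip()
    if body.startswith("cisco-avpair="):
        body = body[len("cisco-avpair="):].strip()
    m = AVPAIR_RE.match(body.strip('"'))
    if not m:
        raise ValueError("malformed cisco-avpair: %r" % text)
    value = m.group("val").strip()
    e = ENUM_RE.match(value)
    return {
        "attr": m.group("attr"),
        "anum": int(m.group("anum")) if m.group("anum") else None,
        "value": e.group("name").strip() if e else value,
        "vnum": int(e.group("vnum")) if e else None,
    }


def privilege_level(avpairs):
    """shell:priv-lvl from a list of cisco-avpair strings, or None if absent.
    The switch's privilege range is 0 to 15; anything else is rejected."""
    for pair in map(parse_avpair, avpairs):
        if pair["attr"] == "shell:priv-lvl":
            level = int(pair["value"])
            if not 0 <= level <= 15:
                raise ValueError("priv-lvl out of range: %d" % level)
            return level
    return None


def assigned_vlan(avpairs):
    """VLAN ID from the tunnel-type / tunnel-medium-type / tunnel-private-group-ID
    triple, or None when none of the three is present. A partial or inconsistent
    triple (tunnel-type must be VLAN(13), medium must be 802 media(6)) is rejected
    rather than guessed at."""
    by_attr = {p["attr"]: p for p in map(parse_avpair, avpairs)}
    needed = ("tunnel-type", "tunnel-medium-type", "tunnel-private-group-ID")
    missing = [a for a in needed if a not in by_attr]
    if len(missing) == len(needed):
        return None
    if missing:
        raise ValueError("incomplete VLAN assignment, missing: %s" % ", ".join(missing))
    if by_attr["tunnel-type"]["vnum"] != 13:
        raise ValueError("tunnel-type is not VLAN(13)")
    if by_attr["tunnel-medium-type"]["vnum"] != 6:
        raise ValueError("tunnel-medium-type is not 802 media(6)")
    group = by_attr["tunnel-private-group-ID"]["value"]
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        raise ValueError("tunnel-private-group-ID is not a VLAN ID: %r" % group)
    return int(group)


def parse_filter_id(text):
    """Filter-Id -> (acl_number, direction).

    '101.in' -> (101, 'in'); '101.out' -> (101, 'out'); a bare '101' -> (101, 'out'),
    because a Filter-Id without .in/.out is applied as the outbound ACL by default."""
    acl, sep, direction = text.strip().partition(".")
    if not acl.isdigit():
        raise ValueError("Filter-Id must start with an ACL number: %r" % text)
    if sep and direction not in ("in", "out"):
        raise ValueError("unknown Filter-Id direction: %r" % direction)
    return int(acl), (direction if sep else "out")


def authorization_summary(avpairs, filter_id=None):
    """Everything the switch would apply from one Access-Accept, validated."""
    summary = {"priv_lvl": privilege_level(avpairs), "vlan": assigned_vlan(avpairs)}
    if filter_id is not None:
        summary["acl"], summary["acl_direction"] = parse_filter_id(filter_id)
    return summary


# Constructed sample reply: the guide's attribute strings with VLAN 20 filled in
SAMPLE_AVPAIRS = [
    'cisco-avpair="shell:priv-lvl=15"',
    'cisco-avpair="tunnel-type(#64)=VLAN(13)"',
    'cisco-avpair="tunnel-medium-type(#65)=802 media(6)"',
    'cisco-avpair="tunnel-private-group-ID(#81)=20"',
]

if __name__ == "__main__":
    print(authorization_summary(SAMPLE_AVPAIRS, "101.in"))
```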
Any number of IEEE 802.1x-incapable clients are allowed access when the switch port is moved to the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted. Guest VLANs are supported on IEEE 802.
After a port moves to the restricted VLAN, a simulated EAP success message is sent to the client. This prevents clients from indefinitely attempting authentication. Some clients (for example, devices running Windows XP) cannot implement DHCP without EAP success. Restricted VLANs are supported only on IEEE 802.1x ports in single-host mode and on Layer 2 ports.
Inaccessible authentication bypass interacts with these features: • Guest VLAN—Inaccessible authentication bypass is compatible with guest VLAN. When a guest VLAN is enabled on IEEE 802.1x
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.
• When an IEEE 802.1x client logs off, the port changes to an unauthenticated state, and all dynamic entries in the secure host table are cleared, including the entry for the client. Normal authentication then takes place. • If the port is administratively shut down, the port becomes unauthenticated, and all dynamic entries are removed from the secure host table.
frame with a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is configured. If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.
Network Admission Control Layer 2 IEEE 802.1x Validation
The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which checks the antivirus condition or posture of endpoint systems or clients before granting the devices network access. With NAC Layer 2 IEEE 802.
• Until a device is authorized, the port drops its traffic. Non-Cisco IP phones or voice devices are allowed into both the data and voice VLANs. The data VLAN allows the voice device to contact a DHCP server to obtain an IP address and acquire the voice VLAN information. After the voice device starts sending on the voice VLAN, its access to the data VLAN is blocked.
Note The proxyacl entry determines the type of allowed network access. For more information, see the “Configuring Web Authentication” section on page 10-41.
Configuring IEEE 802.1x Authentication
These sections contain this configuration information: • Default IEEE 802.1x Authentication Configuration, page 10-22 • IEEE 802.
Default IEEE 802.1x Authentication Configuration
Table 10-2 shows the default IEEE 802.1x authentication configuration.
Table 10-2 Default IEEE 802.1x Authentication Configuration
Feature: Default Setting
Switch IEEE 802.1x enable state: Disabled.
Per-port IEEE 802.1x enable state: Disabled (force-authorized). The port sends and receives normal traffic without IEEE 802.
Table 10-2 Default IEEE 802.1x Authentication Configuration (continued)
Authenticator (switch) mode: None specified.
MAC authentication bypass: Disabled.
IEEE 802.1x Authentication Configuration Guidelines
This section has configuration guidelines for these features: • IEEE 802.
– EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x authentication on an EtherChannel port, an error message appears, and IEEE 802.1x authentication is not enabled. – Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable IEEE 802.
– You can configure the inaccessible authentication bypass feature and the restricted VLAN on an IEEE 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN and all the RADIUS servers are unavailable, the switch changes the port state to the critical authentication state and remains in the restricted VLAN.
Beginning in privileged EXEC mode, follow these steps to configure IEEE 802.1x port-based authentication:
Step 1  configure terminal: Enter global configuration mode.
Step 2  aaa new-model: Enable AAA.
Step 3  aaa authentication dot1x {default} method1: Create an IEEE 802.1x authentication method list.
Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on the switch. This procedure is required.
Step 1  configure terminal: Enter global configuration mode.
Step 2  radius-server host {hostname | ip-address} ...: Configure the RADIUS server parameters.
Configuring the Host Mode
Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) on an IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto.
Configuring Periodic Re-Authentication
You can enable periodic IEEE 802.1x client re-authentication and specify how often it occurs. If you do not specify a time period before enabling re-authentication, the number of seconds between attempts is 3600.
Changing the Quiet Period
When the switch cannot authenticate the client, the switch remains idle for a set period of time and then tries again. The dot1x timeout quiet-period interface configuration command controls the idle period. A failed authentication of the client might occur because the client provided an invalid password.
Step 4  end: Return to privileged EXEC mode.
Step 5  show dot1x interface interface-id: Verify your entries.
Step 6  copy running-config startup-config: (Optional) Save your entries in the configuration file.
To return to the default retransmission time, use the no dot1x timeout tx-period interface configuration command.
Setting the Re-Authentication Number
You can also change the number of times that the switch restarts the authentication process before the port changes to the unauthorized state. Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
Note You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and interim-update messages and time stamps. To turn on these functions, enable logging of “Update/Watchdog packets from this AAA client” in your RADIUS server Network Configuration tab. Next, enable “CVS RADIUS Accounting” in your RADIUS server System Configuration tab.
switchport mode access: Set the port to access mode, or switchport mode private-vlan host: Configure the Layer 2 port as a private-VLAN host port.
Step 4  dot1x port-control auto: Enable IEEE 802.1x authentication on the port.
Step 5  dot1x guest-vlan vlan-id: Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094.
Step 4  dot1x port-control auto: Enable IEEE 802.1x authentication on the port.
Step 5  dot1x auth-fail vlan vlan-id: Specify an active VLAN as an IEEE 802.1x restricted VLAN. The range is 1 to 4094. You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x restricted VLAN.
To return to the default value, use the no dot1x auth-fail max-attempts interface configuration command.
Step 4  radius-server host ip-address [acct-port udp-port] [auth-port udp-port] [test username name [idle-time time] [ignore-acct-port] [ignore-auth-port]] [key string]: (Optional) Configure the RADIUS server parameters by using these keywords: • acct-port udp-port—Specify the UDP port for the RADIUS accounting server. The range for the UDP port number is from 0 to 65536.
Step 6  interface interface-id: Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “IEEE 802.1x Authentication Configuration Guidelines” section on page 10-23.
Step 3  dot1x control-direction {both | in}: Enable IEEE 802.1x authentication with WoL on the port, and use these keywords to configure the port as bidirectional or unidirectional. • both—Sets the port as bidirectional. The port cannot receive packets from or send packets to the host. By default, the port is bidirectional. • in—Sets the port as unidirectional.
Configuring NAC Layer 2 IEEE 802.1x Validation
You can configure NAC Layer 2 IEEE 802.1x validation, which is also referred to as IEEE 802.1x authentication with a RADIUS server. Beginning in privileged EXEC mode, follow these steps to configure NAC Layer 2 IEEE 802.1x validation. The procedure is optional.
Step 1  configure terminal: Enter global configuration mode.
Configuring Web Authentication
Beginning in privileged EXEC mode, follow these steps to configure authentication, authorization, and accounting (AAA) and RADIUS on a switch before configuring web authentication. The steps enable AAA by using RADIUS authentication and enable device tracking.
Step 1  configure terminal: Enter global configuration mode.
Step 2  aaa new-model: Enable AAA.
Beginning in privileged EXEC mode, follow these steps to configure a port to use web authentication:
Step 1  configure terminal: Enter global configuration mode.
Step 2  ip admission name rule proxy http: Define a web authentication rule. Note The same rule cannot be used for both web authentication and NAC Layer 2 IP validation.
Step 10  dot1x fallback fallback-profile: Configure the port to authenticate a client by using web authentication when no IEEE 802.1x supplicant is detected on the port. Any change to the fallback-profile global configuration takes effect the next time IEEE 802.1x fallback is invoked on the interface. Note Web authorization cannot be used as a fallback method for IEEE 802.
This example shows how to disable IEEE 802.1x authentication on the port:
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# no dot1x pae authenticator
Resetting the IEEE 802.1x Authentication Configuration to the Default Values
Beginning in privileged EXEC mode, follow these steps to reset the IEEE 802.1x authentication configuration to the default values. This procedure is optional.
CHAPTER 11 Configuring Interface Characteristics
This chapter defines the types of interfaces on the Catalyst 3750-E or 3560-E switch and describes how to configure them. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Chapter 11 Configuring Interface Characteristics
Understanding Interface Types

• EtherChannel Port Groups, page 11-5
• 10-Gigabit Ethernet Interfaces, page 11-6
• Power over Ethernet Ports, page 11-6
• Connecting Interfaces, page 11-11
• Ethernet Management Port, page 11-12

Port-Based VLANs
A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users.

Configure switch ports by using the switchport interface configuration commands. Use the switchport command with no keywords to put an interface that is in Layer 3 mode into Layer 2 mode.
Note: When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration.

is in the allowed list for a trunk port, the trunk port automatically becomes a member of that VLAN and traffic is forwarded to and from the trunk port for that VLAN. If VTP learns of a new, enabled VLAN that is not in the allowed list for a trunk port, the port does not become a member of the VLAN, and no traffic for the VLAN is forwarded to or from the port.

Switch Virtual Interfaces
A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing or bridging function in the system. Only one SVI can be associated with a VLAN, but you need to configure an SVI for a VLAN only when you wish to route between VLANs, to fallback-bridge nonroutable protocols between VLANs, or to provide IP host connectivity to the switch.

When you configure an EtherChannel, you create a port-channel logical interface and assign an interface to the EtherChannel. For Layer 3 interfaces, you manually create the logical interface by using the interface port-channel global configuration command. Then you manually assign an interface to the EtherChannel by using the channel-group interface configuration command.

power mode. The powered device first boots up in low-power mode, consumes less than 7 W, and negotiates to obtain enough power to operate in high-power mode. The device changes to high-power mode only when it receives confirmation from the switch. High-power devices can operate in low-power mode on switches that do not support power-negotiation CDP.

the request is granted, the switch updates the power budget. If the request is denied, the switch ensures that power to the port is turned off, generates a syslog message, and updates the LEDs. Powered devices can also negotiate with the switch for more power.

However, if the powered-device IEEE class is greater than the maximum wattage, the switch does not supply power to it. If the switch learns through CDP messages that the powered device needs more than the maximum wattage, the switch shuts down the powered device. If you do not specify a wattage, the switch pre-allocates the maximum value. The switch powers the port only if it discovers a powered device.

Maximum Power Allocation (Cutoff Power) on a PoE Port
When power policing is enabled, the switch determines one of these values as the cutoff power on the PoE port in this order:
1. Manually when you set the user-defined power level that the switch budgets for the port by using the power inline consumption default wattage global or interface configuration command
2.

Because the switch supports internal power supplies and the Cisco Redundant Power System 2300 (also referred to as the RPS 2300), the total amount of power available for the powered devices varies depending on the power supply configuration.

• The routing function can be enabled on all SVIs and routed ports. The switch routes only IP traffic. When IP routing protocol parameters and address configuration are added to an SVI or routed port, any IP traffic received from these ports is routed. For more information, see Chapter 38, “Configuring IP Unicast Routing,” Chapter 42, “Configuring IP Multicast Routing,” and Chapter 43, “Configuring MSDP.”

[Figure 11-3 Connecting a Switch Stack to a PC: a Catalyst 3750-E-only switch stack (stack members 1 through 7) whose Ethernet management ports connect through hubs to PCs, and a mixed switch stack with Catalyst 3750-E and 3750 switches (Catalyst 3750-E member 1, Catalyst 3750 members 2 and 3, Catalyst 3750-E members 4 and 5, and further members).]

In Figure 11-4, if the Ethernet management port and the network ports are associated with the same routing process, the routes are propagated as follows:
• The routes from the Ethernet management port are propagated through the network ports to the network.
• The routes from the network ports are propagated through the Ethernet management port to the network.
Chapter 11 Configuring Interface Characteristics
Using Interface Configuration Mode

Use the commands in Table 11-2 when using TFTP to download or upload a configuration file to the boot loader.
Table 11-2 Boot Loader Commands
Command: ARP [ip_address]
Description: Displays the currently cached ARP table when this command is entered without the ip_address parameter. Enables ARP to associate a MAC address with the specified IP address when this command is entered with the ip_address parameter.

• Port number—The interface number on the switch. The 10/100/1000 port numbers always begin at 1, starting with the far left port when facing the front of the switch, for example, gigabitethernet1/0/1 or gigabitethernet1/0/8. On a switch with 10/100/1000 ports and Cisco TwinGig Converter Modules in the 10-Gigabit Ethernet module slots, the port numbers restart with the 10-Gigabit Ethernet ports: tengigabitethernet1/0/1.

Step 3: Follow each interface command with the interface configuration commands that the interface requires. The commands that you enter define the protocols and applications that will run on the interface. The commands are collected and applied to the interface when you enter another interface command or enter end to return to privileged EXEC mode.

When using the interface range global configuration command, note these guidelines:
• Valid entries for port-range:
  – vlan vlan-ID - vlan-ID, where the VLAN ID is 1 to 4094
  – gigabitethernet module/{first port} - {last port}, where the module is always 0 (for Catalyst 3560-E switches)
    gigabitethernet stack member/module/{first port} - {last port}, where the module is always 0 (for Catalyst 3750-E switches)
  – tengigabite

Configuring and Using Interface Range Macros
You can create an interface range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro global configuration command string, you must use the define interface-range global configuration command to define the macro.
Chapter 11 Configuring Interface Characteristics
Configuring Ethernet Interfaces

• The VLAN interfaces must have been configured with the interface vlan command. The show running-config privileged EXEC command displays the configured VLAN interfaces. VLAN interfaces not displayed by the show running-config command cannot be used as interface-ranges.

Default Ethernet Interface Configuration
Table 11-3 shows the Ethernet interface default configuration, including some features that apply only to Layer 2 interfaces. For more details on the VLAN parameters listed in the table, see Chapter 13, “Configuring VLANs.” For details on controlling traffic to the port, see Chapter 26, “Configuring Port-Based Traffic Control.”

Table 11-3 Default Layer 2 Ethernet Interface Configuration (continued)
Feature: Auto-MDIX. Default Setting: Enabled.
Note: The switch might not support a pre-standard powered device—such as Cisco IP phones and access points that do not fully support IEEE 802.3af—if that powered device is connected to the switch through a crossover cable.
Feature: Power over Ethernet (PoE).

Caution
• If one interface supports autonegotiation and the other end does not, configure duplex and speed on both interfaces; do not use the auto setting on the supported side.
• When STP is enabled and a port is reconfigured, the switch can take up to 30 seconds to check for loops. The port LED is amber while STP reconfigures.

Use the no speed and no duplex interface configuration commands to return the interface to the default speed and duplex settings (autonegotiate). To return all interface settings to the defaults, use the default interface interface-id interface configuration command.

Step 5: show interfaces interface-id - Verify the interface flow control settings.
Step 6: copy running-config startup-config - (Optional) Save your entries in the configuration file.
To disable flow control, use the flowcontrol receive off interface configuration command.

Step 6: end - Return to privileged EXEC mode.
Step 7: show controllers ethernet-controller interface-id phy - Verify the operational state of the auto-MDIX feature on the interface.
Step 8: copy running-config startup-config - (Optional) Save your entries in the configuration file.
To disable auto-MDIX, use the no mdix auto interface configuration command.

Step 3: power inline {auto [max max-wattage] | never | static [max max-wattage]} - Configure the PoE mode on the port. The keywords have these meanings:
• auto—Enable powered-device detection. If enough power is available, automatically allocate power to the PoE port after device detection. This is the default setting.
• (Optional) max max-wattage—Limit the power allowed on the port.

Caution: You should carefully plan your switch power budget, enable the power monitoring feature, and make certain not to oversubscribe the power supply.
Note: When you manually configure the power budget, you must also consider the power loss over the cable between the switch and the powered device.

Step 5: end - Return to privileged EXEC mode.
Step 6: show power inline consumption default - Display the power consumption data.
Step 7: copy running-config startup-config - (Optional) Save your entries in the configuration file.
To return to the default setting, use the no power inline consumption default interface configuration command.

Step 5: errdisable detect cause inline-power and errdisable recovery cause inline-power - (Optional) Enable error recovery from the PoE error-disabled state, and configure the PoE recover mechanism variables. By default, the recovery interval is 300 seconds. For interval interval, specify the time in seconds to recover from the error-disabled state. The range is 30 to 86400.
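The following configuration is added here as an example and is not taken from the guide; it applies the interface range macro, PoE mode, and PoE error-recovery steps described above to a group of phone ports and an uplink. The macro name PHONE-PORTS, the port ranges, the 7000 mW cap, and the 600-second recovery interval are assumed values.

```cisco
! Added example, not from the guide. Macro name, ports, wattage and interval
! are assumed values for illustration.
configure terminal
 ! Macro selecting the ports where IP phones are connected
 define interface-range PHONE-PORTS gigabitethernet1/0/1 - 12
 !
 ! Detect PoE faults and recover error-disabled ports after 600 seconds
 ! instead of the default 300 (the range is 30 to 86400 seconds)
 errdisable detect cause inline-power
 errdisable recovery cause inline-power
 errdisable recovery interval 600
 !
 interface range macro PHONE-PORTS
  description IP phone port, PoE budget capped
  ! Autonegotiation stays on (default): phones negotiate speed and duplex.
  ! Detect powered devices, but budget at most 7000 mW for each port so one
  ! class-3 request cannot take power planned for the other phones
  power inline auto max 7000
 !
 ! The uplink never carries a powered device, so do not detect or budget power there
 interface gigabitethernet1/0/24
  power inline never
 end
! Verify:
! show power inline
! show interfaces status err-disabled
! show errdisable recovery
```

Because the cap is set per port through the macro, the sum of the caps is the largest amount the twelve ports can draw from the power budget, which is what the Caution above about not oversubscribing the power supply asks you to plan for.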
Chapter 11 Configuring Interface Characteristics
Configuring Layer 3 Interfaces

Switch# show interfaces gigabitethernet1/0/2 description
Interface   Status       Protocol   Description
Gi1/0/2     admin down   down       Connects to Marketing

Configuring Ethernet Management Ports
To specify the Ethernet management port in the CLI, enter fastethernet0. To disable the port, use the shutdown interface configuration command. To enable the port, use the no shutdown interface configuration command.

• If the switch is notified by VLAN Trunking Protocol (VTP) of a new VLAN, it sends a message that there are not enough hardware resources available and shuts down the VLAN. The output of the show vlan user EXEC command shows the VLAN in a suspended state.
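The following configuration is added here as an example and is not taken from the guide; it shows the two kinds of Layer 3 interface described in this chapter, a routed port (a physical port taken out of Layer 2 mode with no switchport) and an SVI, together with the Ethernet management port. The port numbers, VLAN 10, and all IP addresses are assumed values.

```cisco
! Added example, not from the guide. Ports, VLAN ID and addresses are assumed.
configure terminal
 ! Enable IP routing on the switch; routed ports and SVIs forward only IP
 ip routing
 !
 ! Routed port: "no switchport" removes the Layer 2 configuration and the
 ! port then takes an IP address like a router interface
 interface gigabitethernet1/0/23
  no switchport
  description Point-to-point link to the core router
  ip address 192.0.2.1 255.255.255.252
  no shutdown
 !
 ! SVI: one per VLAN, needed only to route between VLANs or to give the
 ! switch an IP host address in that VLAN
 vlan 10
  name USERS
 interface vlan 10
  ip address 198.51.100.1 255.255.255.0
  no shutdown
 !
 ! Ethernet management port (fastethernet0): separate from the network ports
 interface fastethernet0
  ip address 203.0.113.5 255.255.255.0
  no shutdown
 end
! Verify:
! show ip interface brief
! show interfaces gigabitethernet1/0/23 switchport   (reports "Switchport: Disabled")
```

Changing a port from Layer 3 back to Layer 2 with the switchport command discards the IP configuration shown above and returns the port to its Layer 2 defaults, as the Note in Understanding Interface Types describes.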
Chapter 11 Configuring Interface Characteristics
Configuring the System MTU

Configuring the System MTU
The default maximum transmission unit (MTU) size for frames received and sent on all interfaces on the switch or switch stack is 1500 bytes. You can change the MTU size to support switched jumbo frames on all Gigabit Ethernet and 10-Gigabit Ethernet interfaces and to support routed frames on all routed ports.

Table 11-5 System MTU Values
Configuration: Catalyst 3750-E-only stack
System MTU: The system MTU value does not take effect on a Catalyst 3750-E or 3560-E switch, but you can enter the command on the switch.
System Jumbo MTU: Use the system mtu jumbo bytes command.
System Routing MTU: Use the system mtu routing bytes command. The range is from 1500 to 9198 bytes.
Chapter 11 Configuring Interface Characteristics
Configuring the Cisco Redundant Power System 2300

Step 4: system mtu bytes - (Optional) In a mixed hardware stack, change the MTU size for all Fast Ethernet interfaces on the Catalyst 3750 members. The range is 1500 to 1998 bytes; the default is 1500 bytes.
Note: This command does not apply to Catalyst 3560-E switches.
Step 5: end - Return to privileged EXEC mode.

• You can configure the priority of an RPS 2300 port from 1 to 6. Specifying a value of 1 assigns the port and its connected devices the highest priority, and specifying a value of 6 assigns the port and its connected devices the lowest priority. If multiple switches connected to the RPS 2300 need power, the RPS 2300 provides power to the switches with the highest priority.
Chapter 11 Configuring Interface Characteristics
Configuring the Power Supplies

Step 3: power rps switch-number priority priority - Set the priority of the RPS 2300 port. The range is from 1 to 6, where 1 is the highest priority and 6 is the lowest priority. The default port priority is 6.
Step 4: show env rps - Verify your settings.
Step 5: copy running-config startup-config - (Optional) Save your entries in the configuration file.
Chapter 11 Configuring Interface Characteristics
Monitoring and Maintaining the Interfaces

For more information about using the power supply user EXEC command, see the command reference for this release.

Table 11-6 Show Commands for Interfaces (continued)
Command: show interfaces [interface-id] description
Purpose: Display the description configured on an interface or all interfaces and the interface status.
Command: show ip interface [interface-id]
Purpose: Display the usability status of all interfaces configured for IP routing or the specified interface.

Shutting Down and Restarting the Interface
Shutting down an interface disables all functions on the specified interface and marks the interface as unavailable on all monitoring command displays. This information is communicated to other network servers through all dynamic routing protocols. The interface is not mentioned in any routing updates.
CHAPTER 12 Configuring Smartports Macros
This chapter describes how to configure and apply Smartports macros on the Catalyst 3750-E or 3560-E switch.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 12 Configuring Smartports Macros
Configuring Smartports Macros

Table 12-1 Cisco-Default Smartports Macros (continued)
Macro Name: cisco-phone
Description: Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.

Smartports Macro Configuration Guidelines
Follow these guidelines when configuring macros on your switch:
• When creating a macro, do not use the exit or end commands or change the command mode by using interface interface-id. This could cause commands that follow exit, end, or interface interface-id to execute in a different command mode.
• When creating a macro, all CLI commands should be in the same configuration mode.

Follow these guidelines when you apply a Cisco-default Smartports macro on an interface:
• Display all macros on the switch by using the show parser macro user EXEC command. Display the contents of a specific macro by using the show parser macro macro-name user EXEC command.
• Keywords that begin with $ mean that a unique parameter value is required.

Applying Smartports Macros
Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro:
Step 1: configure terminal - Enter global configuration mode.
Step 2: macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}] - Apply each individual command defined in the macro to the switch by entering macro global apply macro-name.

This example shows how to apply the user-created macro called snmp, to set the hostname address to test-server, and to set the IP precedence value to 7:
Switch(config)# macro global apply snmp ADDRESS test-server VALUE 7
This example shows how to debug the user-created macro called snmp by using the macro global trace global configuration command to find any syntax or configuration errors in the macro when it is applied to the switch

Step 7: macro {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}] - Append the Cisco-default macro with the required values by using the parameter value keywords, and apply the macro to the interface. Keywords that begin with $ mean that a unique parameter value is required. You can use the macro apply macro-name ? command to display a list of any required values in the macro.
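The following configuration is added here as an example and is not taken from the guide; it defines a user-created interface macro that follows the guidelines above (one configuration mode throughout, no exit, end, or interface commands, a $ keyword for the value that must be supplied) and applies it with macro trace so that any command that fails is reported. The macro name ACCESS-HARDENED, the keyword $ACCESS_VLAN, VLAN 20, and port gigabitethernet1/0/5 are assumed values.

```cisco
! Added example, not from the guide. Macro name, keyword, VLAN and port are assumed.
configure terminal
 macro name ACCESS-HARDENED
  #macro keywords $ACCESS_VLAN
  # Single-host access port: every line below is an interface configuration
  # command, so the macro never changes command mode
  switchport mode access
  switchport access vlan $ACCESS_VLAN
  switchport nonegotiate
  switchport port-security
  switchport port-security maximum 1
  switchport port-security violation restrict
  spanning-tree portfast
  spanning-tree bpduguard enable
  @
 !
 ! "macro trace" applies the macro and lists each command that fails, so use
 ! it on the first port; "macro apply" applies silently
 interface gigabitethernet1/0/5
  macro trace ACCESS-HARDENED $ACCESS_VLAN 20
 end
! Verify:
! show parser macro name ACCESS-HARDENED
! macro apply ACCESS-HARDENED ?            (lists the required $ keywords)
! show parser macro description interface gigabitethernet1/0/5
```

The #macro keywords line is what makes macro apply ACCESS-HARDENED ? list $ACCESS_VLAN as a required value; without it the macro still works, but an operator who omits the value applies the literal text $ACCESS_VLAN and the switchport access vlan command is rejected.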
Chapter 12 Configuring Smartports Macros
Displaying Smartports Macros

Displaying Smartports Macros
To display the Smartports macros, use one or more of the privileged EXEC commands in Table 12-2.
Table 12-2 Commands for Displaying Smartports Macros
show parser macro - Displays all configured macros.
show parser macro name macro-name - Displays a specific macro.
show parser macro brief - Displays the configured macro names.
CHAPTER 13 Configuring VLANs
This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Catalyst 3750-E and 3560-E switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS). Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Chapter 13 Configuring VLANs
Understanding VLANs

Note: Before you create VLANs, you must decide whether to use VLAN Trunking Protocol (VTP) to maintain global VLAN configuration for your network. For more information on VTP, see Chapter 14, “Configuring VTP.”
Figure 13-1 shows an example of VLANs segmented into logically defined networks.

Supported VLANs
The switch supports VLANs in VTP client, server, and transparent modes. VLANs are identified by a number from 1 to 4094. VLAN IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs. VTP only learns normal-range VLANs, with VLAN IDs 1 to 1005; VLAN IDs greater than 1005 are extended-range VLANs and are not stored in the VLAN database. The switch must be in VTP transparent mode when you create VLAN IDs from 1006 to 4094.
Chapter 13 Configuring VLANs
Configuring Normal-Range VLANs

Table 13-1 Port Membership Modes and Characteristics (continued)
Membership Mode: Dynamic access
VLAN Membership Characteristics: A dynamic-access port can belong to one VLAN (VLAN ID 1 to 4094) and is dynamically assigned by a VMPS. The VMPS can be a Catalyst 5000 or Catalyst 6500 series switch, for example, but never a Catalyst 3750-E or 3560-E switch. The Catalyst 3750-E or 3560-E switch is a VMPS client.

Caution: You can cause inconsistency in the VLAN database if you attempt to manually delete the vlan.dat file. If you want to modify the VLAN configuration, use the commands described in these sections and in the command reference for this release. To change the VTP configuration, see Chapter 14, “Configuring VTP.”
You use the interface configuration mode to define the port membership mode and to add and remove ports from VLANs.

Token Ring VLANs
Although the switch does not support Token Ring connections, a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches.

VLAN Configuration Mode Options
You can configure normal-range VLANs (with VLAN IDs 1 to 1005) by using these two configuration modes:
• VLAN Configuration in config-vlan Mode, page 13-7. You access config-vlan mode by entering the vlan vlan-id global configuration command.
• VLAN Configuration in VLAN Database Configuration Mode, page 13-7. You access VLAN database configuration mode by entering the vlan database privileged EXEC command.

When you save VLAN and VTP information (including extended-range VLAN configuration information) in the startup configuration file and reboot the switch, the switch configuration is selected as follows:
Caution
• If the VTP mode is transparent in the startup configuration, and the VLAN database and the VTP domain name from the VLAN database matches that in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and

Creating or Modifying an Ethernet VLAN
Each Ethernet VLAN in the VLAN database has a unique, 4-digit ID that can be a number from 1 to 1001. VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs. To create a normal-range VLAN to be added to the VLAN database, assign a number and name to the VLAN.
Note: When the switch is in VTP transparent mode, you can assign VLAN IDs greater than 1006, but they are not added to the VLAN database.

You can also create or modify Ethernet VLANs by using the VLAN database configuration mode.
Note: VLAN database configuration mode does not support RSPAN VLAN configuration or extended-range VLANs.
Beginning in privileged EXEC mode, follow these steps to use VLAN database configuration mode to create or modify an Ethernet VLAN:
Step 1: vlan database - Enter VLAN database configuration mode.

Caution: When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN.
Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch:
Step 1: configure terminal - Enter global configuration mode.
Step 2: no vlan vlan-id - Remove the VLAN by entering the VLAN ID.
Chapter 13 Configuring VLANs
Configuring Extended-Range VLANs

Step 7: show interfaces interface-id switchport - Verify your entries in the Administrative Mode and the Access Mode VLAN fields of the display.
Step 8: copy running-config startup-config - (Optional) Save your entries in the configuration file.
To return an interface to its default configuration, use the default interface interface-id interface configuration command.

Extended-Range VLAN Configuration Guidelines
Follow these guidelines when creating extended-range VLANs:
• To add an extended-range VLAN, you must use the vlan vlan-id global configuration command and access config-vlan mode. You cannot add extended-range VLANs in VLAN database configuration mode (accessed by entering the vlan database privileged EXEC command).

Creating an Extended-Range VLAN
You create an extended-range VLAN in global configuration mode by entering the vlan global configuration command with a VLAN ID from 1006 to 4094. This command accesses the config-vlan mode. The extended-range VLAN has the default Ethernet VLAN characteristics (see Table 13-2), and the MTU size, private VLAN, and RSPAN configuration are the only parameters you can change.

This example shows how to create a new extended-range VLAN with all default characteristics, enter config-vlan mode, and save the new VLAN in the switch startup configuration file:
Switch(config)# vtp mode transparent
Switch(config)# vlan 2000
Switch(config-vlan)# end
Switch# copy running-config startup-config

Creating an Extended-Range VLAN with an Internal VLAN ID
If you enter an extended-range VLAN ID that is already assigned to an internal
Chapter 13 Configuring VLANs
Displaying VLANs

Displaying VLANs
Use the show vlan privileged EXEC command to display a list of all VLANs on the switch, including extended-range VLANs. The display includes VLAN status, ports, and configuration information. To view normal-range VLANs in the VLAN database (1 to 1005), use the show VLAN database configuration command (accessed by entering the vlan database privileged EXEC command). Table 13-3 lists the commands for monitoring VLANs.
Chapter 13 Configuring VLANs
Configuring VLAN Trunks

Figure 13-2 shows a network of switches that are connected by ISL trunks.
[Figure 13-2 Switches in an ISL Trunking Environment: a Catalyst 6500 series switch connected by ISL trunks to four switches that carry VLAN1, VLAN2, and VLAN3.]
You can configure a trunk on a single Ethernet interface or on an EtherChannel bundle.

Table 13-4 Layer 2 Interface Modes
Mode: switchport mode access
Function: Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether or not the neighboring interface is a trunk interface.
Mode: switchport mode dynamic auto
Function: Makes the interface able to convert the link to a trunk link.

IEEE 802.1Q Configuration Considerations
The IEEE 802.1Q trunks impose these limitations on the trunking strategy for a network:
• In a network of Cisco switches connected through IEEE 802.1Q trunks, the switches maintain one spanning-tree instance for each VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.

• Changing the Pruning-Eligible List, page 13-22
• Configuring the Native VLAN for Untagged Traffic, page 13-23
Note: By default, an interface is in Layer 2 mode. The default mode for Layer 2 interfaces is switchport mode dynamic auto.

Step 4: switchport mode {dynamic {auto | desirable} | trunk} - Configure the interface as a Layer 2 trunk (required only if the interface is a Layer 2 access port or tunnel port or to specify the trunking mode).
• dynamic auto—Set the interface to a trunk link if the neighboring interface is set to trunk or desirable mode. This is the default.

To reduce the risk of spanning-tree loops or storms, you can disable VLAN 1 on any individual VLAN trunk port by removing VLAN 1 from the allowed list. When you remove VLAN 1 from a trunk port, the interface continues to send and receive management traffic, for example, Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), DTP, and VTP in VLAN 1.

Beginning in privileged EXEC mode, follow these steps to remove VLANs from the pruning-eligible list on a trunk port:
Step 1: configure terminal - Enter global configuration mode.
Step 2: interface interface-id - Select the trunk port for which VLANs should be pruned, and enter interface configuration mode.

Step 3: switchport trunk native vlan vlan-id - Configure the VLAN that is sending and receiving untagged traffic on the trunk port. For vlan-id, the range is 1 to 4094.
Step 4: end - Return to privileged EXEC mode.
Step 5: show interfaces interface-id switchport - Verify your entries in the Trunking Native Mode VLAN field.
Step 6: copy running-config startup-config - (Optional) Save your entries in the configuration file.

In this way, Trunk 1 carries traffic for VLANs 8 through 10, and Trunk 2 carries traffic for VLANs 3 through 6. If the active trunk fails, the trunk with the lower priority takes over and carries the traffic for all of the VLANs. No duplication of traffic occurs over any trunk port.

Step 13: Repeat Steps 7 through 11 on Switch A for a second port in the switch or switch stack.
Step 14: Repeat Steps 7 through 11 on Switch B to configure the trunk ports that connect to the trunk ports configured on Switch A.
Step 15: show vlan - When the trunk links come up, VTP passes the VTP and VLAN information to Switch B. Verify that Switch B has learned the VLAN configuration.

[Figure 13-4 Load-Sharing Trunks with Traffic Distributed by Path Cost: Switch A and Switch B are connected by two trunk ports. Trunk port 1 carries VLANs 2 to 4 at path cost 30 and VLANs 8 to 10 at path cost 19; trunk port 2 carries VLANs 8 to 10 at path cost 30 and VLANs 2 to 4 at path cost 19.]
Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 13-4:
Step 1: configure terminal - Enter global configuration mode on Switch A.
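The following configuration is added here as an example and is not taken from the guide; it puts the trunk recommendations above together on one uplink: an explicit trunk mode, VLAN 1 removed from the allowed list, and a dedicated native VLAN for untagged traffic. The switchport nonegotiate command, which stops the port from sending DTP frames, is not in the excerpt above but is a standard Cisco IOS interface command. VLAN 999, the allowed VLANs 10, 20 and 30, and port gigabitethernet1/0/48 are assumed values.

```cisco
! Added example, not from the guide. VLAN IDs and the port number are assumed.
configure terminal
 ! Dedicated native VLAN that carries no user traffic and has no access ports
 vlan 999
  name NATIVE-UNUSED
 !
 interface gigabitethernet1/0/48
  description Uplink to distribution switch
  ! Explicit encapsulation and mode instead of the dynamic auto default
  switchport trunk encapsulation dot1q
  switchport mode trunk
  ! Do not send DTP frames: the far end cannot negotiate this link's mode
  switchport nonegotiate
  ! Untagged frames on this trunk belong to VLAN 999 instead of VLAN 1
  switchport trunk native vlan 999
  ! Only the VLANs this uplink must carry; VLAN 1 is not in the list.
  ! CDP, PAgP, LACP, DTP and VTP still run in VLAN 1 as the guide notes.
  switchport trunk allowed vlan 10,20,30,999
 end
! Verify:
! show interfaces gigabitethernet1/0/48 switchport   (Trunking Native Mode VLAN: 999)
! show interfaces gigabitethernet1/0/48 trunk        (allowed and active VLAN lists)
```

The allowed list is set as a whole here; switchport trunk allowed vlan remove 1 on an existing trunk has the same effect on VLAN 1 while leaving the rest of the list unchanged. The native VLAN must match on both ends of the trunk, or the switch reports a native VLAN mismatch through CDP and spanning tree blocks the port for the mismatched VLAN.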
Chapter 13 Configuring VLANs Configuring VMPS Configuring VMPS The VLAN Query Protocol (VQP) is used to support dynamic-access ports, which are not permanently assigned to a VLAN but are given VLAN assignments based on the source MAC addresses seen on the port. Each time an unknown MAC address is seen, the switch sends a VQP query to a remote VMPS; the query includes the newly seen MAC address and the port on which it was seen. The VMPS responds with a VLAN assignment for the port.
Dynamic-Access Port VLAN Membership A dynamic-access port can belong to only one VLAN with an ID from 1 to 4094. When the link comes up, the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment. The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic-access port and attempts to match the MAC address to a VLAN in the VMPS database.

• IEEE 802.1x ports cannot be configured as dynamic-access ports. If you try to enable IEEE 802.1x on a dynamic-access (VQP) port, an error message appears, and IEEE 802.1x is not enabled. If you try to change an IEEE 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.

Note You must have IP connectivity to the VMPS for dynamic-access ports to work. You can test for IP connectivity by pinging the IP address of the VMPS and verifying that you get a response. Configuring Dynamic-Access Ports on VMPS Clients If you are configuring a port on a cluster member switch as a dynamic-access port, first use the rcommand privileged EXEC command to log in to the cluster member switch.

Changing the Reconfirmation Interval VMPS clients periodically reconfirm the VLAN membership information received from the VMPS. You can set the number of minutes after which reconfirmation occurs. If you are configuring a member switch in a cluster, this parameter must be equal to or greater than the reconfirmation setting on the command switch. You must also first use the rcommand privileged EXEC command to log in to the member switch.

Monitoring the VMPS You can display information about the VMPS by using the show vmps privileged EXEC command. The switch displays this information about the VMPS:
• VMPS VQP Version: the version of VQP used to communicate with the VMPS. The switch queries the VMPS that is using VQP Version 1.
• Reconfirm Interval: the number of minutes the switch waits before reconfirming the VLAN-to-MAC-address assignments.

• End stations are connected to the clients, Switch B and Switch I.
• The database configuration file is stored on the TFTP server with the IP address 172.20.22.7.
Figure 13-5 Dynamic Port VLAN Membership Configuration [Figure: a TFTP server (172.20.22.7), a Catalyst 6500 series switch A acting as Primary VMPS Server 1 (172.20.26.150), a router, and client switches B (172.20.26.151, with End station 1 on a dynamic-access port), C (172.20.26.152) and D (172.20.26., address cut off in the source), connected by trunk ports.]
C H A P T E R 14 Configuring VTP This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 14 Configuring VTP Understanding VTP The switch supports 1005 VLANs, but the number of routed ports, SVIs, and other configured features affects the usage of the switch hardware. If the switch is notified by VTP of a new VLAN and the switch is already using the maximum available hardware resources, it sends a message that there are not enough hardware resources available and shuts down the VLAN. The output of the show vlan user EXEC command shows the VLAN in a suspended state.
For domain name and password configuration guidelines, see the “VTP Configuration Guidelines” section on page 14-8. VTP Modes You can configure a supported switch or switch stack to be in one of the VTP modes listed in Table 14-1. Table 14-1 VTP Modes:
VTP server: In VTP server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as the VTP version) for the entire VTP domain.

VTP advertisements distribute this global domain information:
• VTP domain name
• VTP configuration revision number
• Update identity and update timestamp
• MD5 digest of the VLAN configuration, including the maximum transmission unit (MTU) size for each VLAN
• Frame format
VTP advertisements distribute this VLAN information for each configured VLAN:
• VLAN IDs (ISL and IEEE 802.

VTP pruning blocks unneeded flooded traffic to VLANs on trunk ports that are included in the pruning-eligible list. Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning-eligible on switch trunk ports. If the VLANs are configured as pruning-ineligible, the flooding continues. VTP pruning is supported with VTP Version 1 and Version 2. Figure 14-1 shows a switched network without VTP pruning enabled.
Chapter 14 Configuring VTP Configuring VTP Enabling VTP pruning on a VTP server enables pruning for the entire management domain. Making VLANs pruning-eligible or pruning-ineligible affects pruning eligibility for those VLANs on that trunk only (not on all switches in the VTP domain). See the “Enabling VTP Pruning” section on page 14-14. VTP pruning takes effect several seconds after you enable it. VTP pruning does not prune traffic from VLANs that are pruning-ineligible.
Default VTP Configuration Table 14-2 shows the default VTP configuration. Table 14-2 Default VTP Configuration:
VTP domain name: Null.
VTP mode: Server.
VTP version: Version 1 (Version 2 is disabled).
VTP password: None.
VTP pruning: Disabled.
VTP Configuration Options You can configure VTP by using these configuration modes.

VTP Configuration in VLAN Database Configuration Mode You can configure all VTP parameters in VLAN database configuration mode, which you access by entering the vlan database privileged EXEC command. For more information about available keywords, see the vtp VLAN database configuration command description in the command reference for this release.

VTP Version Follow these guidelines when deciding which VTP version to implement:
• All switches in a VTP domain must run the same VTP version.
• A VTP Version 2-capable switch can operate in the same VTP domain as a switch running VTP Version 1 if Version 2 is disabled on the Version 2-capable switch (Version 2 is disabled by default).
• Do not enable VTP Version 2 on a switch unless all of the switches in the same VTP domain are Version-2-capable.

Step 4 vtp password password: (Optional) Set the password for the VTP domain. The password can be 8 to 64 characters. If you configure a VTP password, the VTP domain does not function properly if you do not assign the same password to each switch in the domain.
Step 5 end: Return to privileged EXEC mode.
Step 6 show vtp status: Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.

This example shows how to use VLAN database configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:
Switch# vlan database
Switch(vlan)# vtp server
Switch(vlan)# vtp domain eng_group
Switch(vlan)# vtp password mypassword
Switch(vlan)# exit
APPLY completed.
Exiting....
Switch#
Configuring a VTP Client When a switch is in VTP client mode, you cannot change its VLAN configuration.

Use the no vtp mode global configuration command to return the switch to VTP server mode. To return the switch to a no-password state, use the no vtp password privileged EXEC command. When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain.

Note You can also configure VTP transparent mode by using the vlan database privileged EXEC command to enter VLAN database configuration mode and by entering the vtp transparent command, similar to the second procedure under the “Configuring a VTP Server” section on page 14-9. Use the no vtp transparent VLAN database configuration command to return the switch to VTP server mode.

Enabling VTP Pruning Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode. Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the VTP domain:
Step 1 configure terminal: Enter global configuration mode.

Beginning in privileged EXEC mode, follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain:
Step 1 show vtp status: Check the VTP configuration revision number. If the number is 0, add the switch to the VTP domain. If the number is greater than 0, follow these steps: a. Write down the domain name. b. Write down the configuration revision number. c.
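The VTP summary advertisement fields listed under Understanding VTP, and the revision-number check that the reset procedure above exists for, as an added example (not code from this guide or from Cisco IOS): it parses a constructed summary advertisement and classifies it the way a switch in server or client mode would react to it. The field layout (version, code, followers, domain length, 32-byte domain, 4-byte revision, 4-byte updater IP, 12-byte timestamp, 16-byte MD5 digest) is the commonly documented VTP version 1 and 2 summary format and should be treated as this example's assumption; the password-derived MD5 digest is carried through but not verified.

```python
"""Parse VTP summary advertisements and decide whether a received revision
would replace the local VLAN database.

Added example; not code from the Cisco guide. The field layout is the commonly
documented VTP v1/v2 summary advertisement format (an assumption of this
example). The MD5 digest is decoded but not recomputed or checked here.
"""
import struct
from dataclasses import dataclass

VTP_SUMMARY_ADVERT = 0x01
_SUMMARY = struct.Struct("!BBBB32sI4s12s16s")   # 72 bytes, network byte order


@dataclass(frozen=True)
class VtpSummary:
    version: int
    followers: int
    domain: str
    revision: int
    updater: str       # dotted-quad updater identity
    timestamp: str
    md5_digest: bytes


def build_summary(domain: str, revision: int, updater: str,
                  timestamp: str = "070501120000", followers: int = 0,
                  version: int = 1, digest: bytes = bytes(16)) -> bytes:
    """Construct a summary advertisement (used only to make test input)."""
    dom = domain.encode("ascii")
    if len(dom) > 32:
        raise ValueError("VTP domain names are at most 32 bytes")
    return _SUMMARY.pack(
        version, VTP_SUMMARY_ADVERT, followers, len(dom), dom.ljust(32, b"\x00"),
        revision, bytes(int(o) for o in updater.split(".")),
        timestamp.encode("ascii").ljust(12, b"\x00"), digest)


def parse_summary(payload: bytes) -> VtpSummary:
    """Decode one summary advertisement; reject anything that is not one."""
    if len(payload) < _SUMMARY.size:
        raise ValueError(f"VTP summary too short: {len(payload)} bytes")
    ver, code, followers, dlen, dom, rev, upd, ts, digest = _SUMMARY.unpack_from(payload)
    if code != VTP_SUMMARY_ADVERT:
        raise ValueError(f"not a summary advertisement (code {code:#x})")
    if dlen > 32:
        raise ValueError(f"domain length {dlen} exceeds the 32-byte field")
    return VtpSummary(
        version=ver, followers=followers,
        domain=dom[:dlen].decode("ascii", errors="replace"),
        revision=rev, updater=".".join(str(b) for b in upd),
        timestamp=ts.rstrip(b"\x00").decode("ascii", errors="replace"),
        md5_digest=digest)


def review_advertisement(local_domain: str, local_revision: int,
                         advert: VtpSummary) -> str:
    """Classify an advertisement the way a server- or client-mode switch reacts.

    Only a higher revision in the same domain replaces the local database,
    which is why the guide has you check and reset the revision number before
    adding a switch to a domain.
    """
    if advert.domain != local_domain:
        return "ignore-other-domain"
    if advert.revision <= local_revision:
        return "ignore-same-or-lower-revision"
    return "accept-higher-revision"


if __name__ == "__main__":
    # Constructed sample: an advertisement from 172.20.26.150 at revision 12.
    pkt = build_summary("eng_group", 12, "172.20.26.150")
    adv = parse_summary(pkt)
    print(adv)
    print(review_advertisement("eng_group", 5, adv))
```

Anything that review_advertisement reports as accept-higher-revision would have replaced the local VLAN database on a switch in server or client mode; run it over the summary advertisements in a capture to see which ones a newly attached switch would have applied.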
Chapter 14 Configuring VTP Monitoring VTP Monitoring VTP You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 14-3 shows the privileged EXEC commands for monitoring VTP activity. Table 14-3 VTP Monitoring Commands Command Purpose show vtp status Display the VTP switch configuration information.
C H A P T E R 15 Configuring Voice VLAN This chapter describes how to configure the voice VLAN feature on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6500 family switch documentation. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 15 Configuring Voice VLAN Understanding Voice VLAN Figure 15-1 shows one way to connect a Cisco 7960 IP Phone. Figure 15-1 Cisco 7960 IP Phone Connected to a Switch [Figure: the Cisco IP Phone 7960 contains a 3-port switch; port P1 connects to the switch access port, port P2 to the phone ASIC, and port P3 to the PC.] Cisco IP Phone Voice Traffic You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.
Chapter 15 Configuring Voice VLAN Configuring Voice VLAN Note Untagged traffic from the device attached to the Cisco IP Phone passes through the phone unchanged, regardless of the trust state of the access port on the phone.
• The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice VLAN, the Port Fast feature is not automatically disabled.
• If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN:
– They both use IEEE 802.1p or untagged frames.
– The Cisco IP Phone uses IEEE 802.

Configuring Cisco IP Phone Voice Traffic You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value. It can use IEEE 802.1p priority tagging to give voice traffic a higher priority and forward all voice traffic through the native (access) VLAN.

This example shows how to configure a port connected to a Cisco IP Phone to use the CoS value to classify incoming traffic, to use IEEE 802.1p priority tagging for voice traffic, and to use the default native VLAN (VLAN 0) to carry all traffic:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Chapter 15 Configuring Voice VLAN Displaying Voice VLAN Step 3 Command Purpose switchport priority extend {cos value | trust} Set the priority of data traffic received from the Cisco IP Phone access port: • cos value—Configure the phone to override the priority received from the PC or the attached device with the specified CoS value. The value is a number from 0 to 7, with 7 as the highest priority. The default priority is cos 0.
C H A P T E R 16 Configuring Private VLANs This chapter describes how to configure private VLANs on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 16 Configuring Private VLANs Understanding Private VLANs Figure 16-1 Private-VLAN Domain [Figure: one private VLAN domain containing a primary VLAN and two subdomains, a secondary isolated VLAN and a secondary community VLAN.] There are two types of secondary VLANs: • Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.
Primary and secondary VLANs have these characteristics:
• Primary VLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.
• Isolated VLAN—A private VLAN has only one isolated VLAN.

Private VLANs across Multiple Switches As with regular VLANs, private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch. The trunk port treats the private VLAN as any other VLAN. A feature of private VLANs across multiple switches is that traffic from an isolated port in Switch A does not reach an isolated port on Switch B. See Figure 16-2.

You should also see the “Secondary and Primary VLAN Configuration” section on page 16-7 under the “Private-VLAN Configuration Guidelines” section. Private VLANs and Unicast, Broadcast, and Multicast Traffic In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but devices connected to interfaces in different VLANs must communicate at the Layer 3 level.
Chapter 16 Configuring Private VLANs Configuring Private VLANs Private VLANs and Switch Stacks Private VLANs can operate within the switch stack, and private-VLAN ports can reside on different stack members. However, some changes to the switch stack can impact private-VLAN operation: • If a stack contains only one private-VLAN promiscuous port and the stack member that contains that port is removed from the stack, host ports in that private VLAN lose connectivity outside the private VLAN.
Step 5 If inter-VLAN routing will be used, configure the primary SVI, and map secondary VLANs to the primary. See the “Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface” section on page 16-14.
Step 6 Verify private-VLAN configuration.
Default Private-VLAN Configuration No private VLANs are configured.

• We recommend that you prune the private VLANs from the trunks on devices that carry no traffic in the private VLANs.
• You can apply different quality of service (QoS) configurations to primary, isolated, and community VLANs.
• When you configure private VLANs, sticky Address Resolution Protocol (ARP) is enabled by default, and ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries.

• Do not configure ports that belong to a PAgP or LACP EtherChannel as private-VLAN ports. While a port is part of the private-VLAN configuration, any EtherChannel configuration for it is inactive.
• Enable Port Fast and BPDU guard on isolated and community host ports to prevent STP loops due to misconfigurations and to speed up STP convergence (see Chapter 20, “Configuring Optional Spanning-Tree Features”).

Note Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated VLANs. For example, a MAC address learned in a secondary VLAN is replicated in the primary VLAN. When the original dynamic MAC address is deleted or aged out, the replicated addresses are removed from the MAC address table.
• Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs.

Step 15 show vlan private-vlan [type] or show interfaces status: Verify the configuration.
Step 16 copy running-config startup-config: Save your entries in the switch startup configuration file. To save the private-VLAN configuration, you need to save the VTP transparent mode configuration and private-VLAN configuration in the switch startup configuration file.

Configuring a Layer 2 Interface as a Private-VLAN Host Port Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN host port and to associate it with primary and secondary VLANs: Note Isolated and community VLANs are both secondary VLANs.
Step 1 configure terminal: Enter global configuration mode.

Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN promiscuous port and map it to primary and secondary VLANs: Note Isolated and community VLANs are both secondary VLANs.
Step 1 configure terminal: Enter global configuration mode.

Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface If the private VLAN will be used for inter-VLAN routing, you configure an SVI for the primary VLAN and map secondary VLANs to the SVI. Note Isolated and community VLANs are both secondary VLANs.
Chapter 16 Configuring Private VLANs Monitoring Private VLANs Monitoring Private VLANs Table 16-1 shows the privileged EXEC commands for monitoring private-VLAN activity. Table 16-1 Private VLAN Monitoring Commands:
show interfaces status: Display the status of interfaces, including the VLANs to which they belong.
show vlan private-vlan [type]: Display the private-VLAN information for the switch or switch stack.
C H A P T E R 17 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure, often Ethernet-based, with the same security, prioritization, reliability, and manageability requirements of private networks.
Chapter 17 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Understanding IEEE 802.1Q Tunneling tagged packets. A port configured to support IEEE 802.1Q tunneling is called a tunnel port. When you configure tunneling, you assign a tunnel port to a VLAN ID that is dedicated to tunneling. Each customer requires a separate service-provider VLAN ID, but that VLAN ID supports all of the customer’s VLANs. Customer traffic tagged in the normal way with appropriate VLAN IDs comes from an IEEE 802.
[Figure: Original (Normal), IEEE 802.1Q, and Double-Tagged Ethernet Packet Formats. Original Ethernet frame: destination address (DA), source address (SA), Length/EtherType, Data, frame check sequence (FCS). IEEE 802.1Q frame: DA, SA, EtherType, Tag, Len/Etype, Data, FCS. Double-tagged frame: DA, SA, EtherType, Tag, EtherType, Tag, Len/Etype, Data, FCS.]
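The three frame layouts in the figure above, together with the IEEE 802.1p priority tag (VLAN ID 0) that Chapter 15 describes for voice traffic, as an added example (not code from this guide or from Cisco IOS): a builder and parser for untagged, priority-tagged, IEEE 802.1Q-tagged and double-tagged frames, with push_tag and pop_tag standing in for what a tunnel port does at ingress and egress. The MAC addresses, payload and VLAN numbers are constructed for the example, and the FCS is omitted because the NIC computes it.

```python
"""Build and decode untagged, IEEE 802.1p priority-tagged, IEEE 802.1Q-tagged
and double-tagged (IEEE 802.1Q tunneling) Ethernet frames.

Added example; not code from the Cisco guide. Frames are built without the
4-byte FCS; otherwise the layout follows the figure: DA, SA, zero or more
4-byte tags (TPID 0x8100 + TCI), Len/Etype, data.
"""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
TAG = struct.Struct("!HH")        # TPID, TCI


@dataclass
class Frame:
    dst: bytes
    src: bytes
    tags: list        # (pcp, vid) pairs, outermost first
    ethertype: int
    payload: bytes


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def tci(pcp: int, vid: int, dei: int = 0) -> int:
    """Tag control information: 3-bit priority, drop-eligible bit, 12-bit VID."""
    if not (0 <= pcp <= 7 and 0 <= vid <= 4094 and dei in (0, 1)):
        raise ValueError("pcp 0-7, vid 0-4094 (4095 is reserved), dei 0 or 1")
    return (pcp << 13) | (dei << 12) | vid


def build(dst: bytes, src: bytes, ethertype: int, payload: bytes,
          tags=()) -> bytes:
    """Assemble a frame; each (pcp, vid) in tags adds one 802.1Q tag."""
    raw = dst + src
    for pcp, vid in tags:
        raw += TAG.pack(TPID_8021Q, tci(pcp, vid))
    return raw + struct.pack("!H", ethertype) + payload


def parse(raw: bytes) -> Frame:
    """Peel every 802.1Q tag that follows the addresses, outermost first."""
    off, tags = 12, []
    while off + 4 <= len(raw) and struct.unpack_from("!H", raw, off)[0] == TPID_8021Q:
        t = struct.unpack_from("!H", raw, off + 2)[0]
        tags.append(((t >> 13) & 0x7, t & 0x0FFF))
        off += 4
    ethertype = struct.unpack_from("!H", raw, off)[0]
    return Frame(raw[:6], raw[6:12], tags, ethertype, raw[off + 2:])


def classify(frame: Frame) -> str:
    """How a switch port reads the tag stack.

    A single tag with VID 0 is a priority tag (IEEE 802.1p): the frame carries
    a CoS value but belongs to the port's native/access VLAN, which is how a
    phone marks voice traffic when told to use VLAN 0.
    """
    if not frame.tags:
        return "untagged"
    if len(frame.tags) == 1:
        return "priority-tagged" if frame.tags[0][1] == 0 else "tagged"
    return "double-tagged"


def push_tag(raw: bytes, pcp: int, vid: int) -> bytes:
    """Tunnel-port ingress: prepend the service-provider tag to whatever the
    customer sent, growing the frame by 4 bytes (the MTU concern in this chapter)."""
    return raw[:12] + TAG.pack(TPID_8021Q, tci(pcp, vid)) + raw[12:]


def pop_tag(raw: bytes) -> bytes:
    """Tunnel-port egress: strip the outermost tag only."""
    if struct.unpack_from("!H", raw, 12)[0] != TPID_8021Q:
        raise ValueError("frame has no tag to remove")
    return raw[:12] + raw[16:]


if __name__ == "__main__":
    pc = mac("00:11:22:33:44:55")
    phone = mac("66:77:88:99:aa:bb")
    data = build(pc, phone, ETHERTYPE_IPV4, bytes(46), tags=[(0, 10)])
    print(classify(parse(data)), classify(parse(push_tag(data, 0, 30))))
```

push_tag is also the cheapest way to see why the tunnel port needs 4 extra bytes of MTU headroom: the customer's tagged frame grows by exactly one tag on the way into the provider network and shrinks by one on the way out.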
Chapter 17 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring IEEE 802.1Q Tunneling Configuring IEEE 802.1Q Tunneling These sections contain this configuration information: • Default IEEE 802.1Q Tunneling Configuration, page 17-4 • IEEE 802.1Q Tunneling Configuration Guidelines, page 17-4 • IEEE 802.1Q Tunneling and Other Features, page 17-6 • Configuring an IEEE 802.1Q Tunneling Port, page 17-7 Default IEEE 802.1Q Tunneling Configuration By default, IEEE 802.
These are some ways to solve this problem:
• Use ISL trunks between core switches in the service-provider network. Although customer interfaces connected to edge switches must be IEEE 802.1Q trunks, we recommend using ISL trunks for connecting switches in the core layer.
• Use the vlan dot1q tag native global configuration command to configure the edge switch so that all packets going out an IEEE 802.

For example, the switch supports a maximum frame size of 1496 bytes with one of these configurations:
• The switch has a system jumbo MTU value of 1500 bytes, and the switchport mode dot1q tunnel interface configuration command is configured on a 10-Gigabit or Gigabit Ethernet switch port.

Configuring an IEEE 802.1Q Tunneling Port Beginning in privileged EXEC mode, follow these steps to configure a port as an IEEE 802.1Q tunnel port:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Enter interface configuration mode for the interface to be configured as a tunnel port.
Chapter 17 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Understanding Layer 2 Protocol Tunneling Understanding Layer 2 Protocol Tunneling Customers at different sites connected across a service-provider network need to use various Layer 2 protocols to scale their topologies to include all remote sites, as well as the local sites. STP must run properly, and every VLAN should build a proper spanning tree that includes the local site and all remote sites across the service-provider network.
Chapter 17 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling For example, in Figure 17-6, Customer A has two switches in the same VLAN that are connected through the SP network. When the network tunnels PDUs, switches on the far ends of the network can negotiate the automatic creation of EtherChannels without needing dedicated lines. See the “Configuring Layer 2 Tunneling for EtherChannels” section on page 17-14 for instructions.
See Figure 17-4, with Customer X and Customer Y in access VLANs 30 and 40, respectively. Asymmetric links connect the customers in Site 1 to edge switches in the service-provider network. The Layer 2 PDUs (for example, BPDUs) coming into Switch 2 from Customer Y in Site 1 are forwarded to the infrastructure as double-tagged packets with the well-known MAC address as the destination MAC address.

Layer 2 Protocol Tunneling Configuration Guidelines These are some configuration guidelines and operating characteristics of Layer 2 protocol tunneling:
• The switch supports tunneling of CDP, STP, including multiple STP (MSTP), and VTP. Protocol tunneling is disabled by default but can be enabled for the individual protocols on IEEE 802.1Q tunnel ports or access ports.

Configuring Layer 2 Protocol Tunneling Beginning in privileged EXEC mode, follow these steps to configure a port for Layer 2 protocol tunneling:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Enter interface configuration mode, and enter the interface to be configured as a tunnel port.

Use the no l2protocol-tunnel [cdp | stp | vtp] interface configuration command to disable protocol tunneling for one of the Layer 2 protocols or for all three. Use the no l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] and the no l2protocol-tunnel drop-threshold [cdp | stp | vtp] commands to return the shutdown and drop thresholds to the default settings.

Step 5 l2protocol-tunnel shutdown-threshold [point-to-point [pagp | lacp | udld]] value: (Optional) Configure the threshold for packets-per-second accepted for encapsulation. The interface is disabled if the configured threshold is exceeded. If no protocol option is specified, the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096.
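The shutdown threshold configured in Step 5 and the drop threshold mentioned above, as an added example (not code from this guide or from Cisco IOS): a per-port, per-protocol one-second counter replayed over a constructed burst of PDUs, showing which PDUs are encapsulated, which are dropped once the drop threshold is passed, and the point at which exceeding the shutdown threshold puts the port into the error-disabled state. The port name, protocol names and PDU timings are constructed; the rule that the drop threshold may not exceed the shutdown threshold is this example's own sanity check, not something this section states.

```python
"""Per-port, per-protocol drop and shutdown thresholds for Layer 2 protocol
tunneling, replayed over a constructed burst of PDUs.

Added example; not code from the Cisco guide. It models the two interface
commands: l2protocol-tunnel drop-threshold (PDUs above the per-second rate are
dropped instead of encapsulated) and l2protocol-tunnel shutdown-threshold
(exceeding the per-second rate error-disables the port). Requiring
drop <= shutdown is this example's assumption.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

PROTOCOLS = ("cdp", "stp", "vtp")
MAX_PPS = 4096                       # range given in the procedure: 1 to 4096


@dataclass
class TunnelPort:
    name: str
    drop_threshold: dict = field(default_factory=dict)       # protocol -> pps
    shutdown_threshold: dict = field(default_factory=dict)   # protocol -> pps
    errdisabled: bool = False
    # protocol -> [current second, PDUs seen in that second]
    _window: dict = field(default_factory=dict, init=False, repr=False)

    def set_thresholds(self, protocol: str, drop: Optional[int] = None,
                       shutdown: Optional[int] = None) -> None:
        if protocol not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {protocol!r}")
        for value in (drop, shutdown):
            if value is not None and not 1 <= value <= MAX_PPS:
                raise ValueError(f"threshold {value} outside 1-{MAX_PPS}")
        if drop is not None and shutdown is not None and drop > shutdown:
            raise ValueError("drop threshold must not exceed shutdown threshold")
        if drop is not None:
            self.drop_threshold[protocol] = drop
        if shutdown is not None:
            self.shutdown_threshold[protocol] = shutdown

    def receive(self, protocol: str, t: float) -> str:
        """Account for one tunnelled PDU arriving at time t (seconds)."""
        if self.errdisabled:
            return "dropped-errdisabled"     # port stays down until recovered
        second = int(t)
        window = self._window.setdefault(protocol, [second, 0])
        if window[0] != second:              # new one-second window
            window[0], window[1] = second, 0
        window[1] += 1
        shutdown = self.shutdown_threshold.get(protocol)
        if shutdown is not None and window[1] > shutdown:
            self.errdisabled = True          # interface goes error-disabled
            return "errdisable"
        drop = self.drop_threshold.get(protocol)
        if drop is not None and window[1] > drop:
            return "drop"                    # above drop rate: not encapsulated
        return "encapsulate"


def replay(port: TunnelPort, pdus) -> Counter:
    """Feed (protocol, time) pairs through the port and tally the outcomes."""
    return Counter(port.receive(proto, t) for proto, t in pdus)


if __name__ == "__main__":
    port = TunnelPort("Gi1/0/1")
    port.set_thresholds("stp", drop=5, shutdown=8)
    # Constructed burst: ten BPDUs in the first second, then a CDP and an STP
    # PDU after the port has already been error-disabled.
    burst = [("stp", 0.1 * i) for i in range(10)] + [("cdp", 0.5), ("stp", 2.0)]
    print(port.name, dict(replay(port, burst)), "errdisabled:", port.errdisabled)
```

With drop 5 and shutdown 8 the first five BPDUs of the second are encapsulated, the sixth to eighth are dropped, the ninth trips the shutdown threshold, and everything after that (any protocol) is lost until the port is recovered, which is the behaviour to expect when a customer loop floods BPDUs into a tunnel port.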
Configuring the Customer Switch After configuring the SP edge switch, begin in privileged EXEC mode and follow these steps to configure a customer switch for Layer 2 protocol tunneling for EtherChannels:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Enter interface configuration mode. This should be the customer switch port.
Chapter 17 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Monitoring and Maintaining Tunneling Status Monitoring and Maintaining Tunneling Status Table 17-2 shows the privileged EXEC commands for monitoring and maintaining IEEE 802.1Q and Layer 2 protocol tunneling. Table 17-2 Commands for Monitoring and Maintaining Tunneling Command Purpose clear l2protocol-tunnel counters Clear the protocol counters on Layer 2 protocol tunneling ports. show dot1q-tunnel Display IEEE 802.
C H A P T E R 18 Configuring STP This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the Catalyst 3750-E or 3560-E switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
Chapter 18 Configuring STP Understanding Spanning-Tree Features • Spanning-Tree Modes and Protocols, page 18-10 • Supported Spanning-Tree Instances, page 18-10 • Spanning-Tree Interoperability and Backward Compatibility, page 18-11 • STP and IEEE 802.1Q Trunks, page 18-11 • VLAN-Bridge Spanning Tree, page 18-11 • Spanning Tree and Switch Stacks, page 18-12 For configuration information, see the “Configuring Spanning-Tree Features” section on page 18-12.
Spanning-Tree Topology and BPDUs The stable, active spanning-tree topology of a switched network is controlled by these elements: • The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch. In a switch stack, all switches use the same bridge ID for a given spanning-tree instance. • The spanning-tree path cost to the root switch.

Only one outgoing port on the stack root switch is selected as the root port. The remaining switches in the stack become its designated switches (Switch 2 and Switch 3) as shown in Figure 18-1 on page 18-4. • The shortest distance to the root switch is calculated for each switch based on the path cost. • A designated switch for each LAN segment is selected.

The switch supports the IEEE 802.1t spanning-tree extensions, and some of the bits previously used for the switch priority are now used as the VLAN identifier. The result is that fewer MAC addresses are reserved for the switch, and a larger range of VLAN IDs can be supported, all while maintaining the uniqueness of the bridge ID.
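The bridge ID described above, with the IEEE 802.1t extended system ID, as an added example (not code from this guide or from Cisco IOS): it encodes the 16-bit priority field as a 4-bit priority (a multiple of 4096) plus the 12-bit VLAN ID, elects the root by the numerically lowest bridge ID, and picks a root port by path cost. The MAC addresses, port names and path costs are constructed; choose_root_port applies the standard tie-breakers (lower sender bridge ID, then lower sender port ID), which this section does not spell out.

```python
"""Bridge IDs with the IEEE 802.1t extended system ID, root election and
root-port selection.

Added example; not code from the Cisco guide. The 16-bit priority field is a
4-bit priority (multiples of 4096) plus the 12-bit VLAN ID, followed by the
switch MAC address; the numerically lowest bridge ID is the root.
"""
import struct
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768


@dataclass(frozen=True, order=True)
class BridgeId:
    """Field order matters: dataclass ordering compares priority_field first
    and the MAC second, which is how bridge IDs are compared in BPDUs."""
    priority_field: int   # (priority & 0xF000) | VLAN ID (system ID extension)
    mac: bytes            # 6 bytes

    @property
    def priority(self) -> int:
        return self.priority_field & 0xF000

    @property
    def vlan(self) -> int:
        return self.priority_field & 0x0FFF

    def to_bytes(self) -> bytes:
        """8-byte form carried in the BPDU root and bridge identifier fields."""
        return struct.pack("!H", self.priority_field) + self.mac


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def make_bridge_id(priority: int, vlan: int, switch_mac: bytes) -> BridgeId:
    """Build the per-VLAN bridge ID; reject priorities that do not fit 4 bits."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan must be 1-4094")
    if len(switch_mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return BridgeId(priority | vlan, switch_mac)


def elect_root(candidates) -> BridgeId:
    """Lowest bridge ID wins: lower priority field first, lower MAC on a tie."""
    return min(candidates)


def choose_root_port(offers) -> str:
    """Pick the root port from (port, root_path_cost, sender_bridge_id, sender_port_id).

    Lowest accumulated cost to the root wins; ties go to the lower sender
    bridge ID, then the lower sender port ID (0x8001 = priority 128, port 1).
    """
    best = min(offers, key=lambda o: (o[1], o[2], o[3]))
    return best[0]


if __name__ == "__main__":
    # Constructed switches: same default priority, different MAC addresses.
    a = make_bridge_id(DEFAULT_PRIORITY, 10, mac("00:1a:2b:3c:4d:5e"))
    b = make_bridge_id(DEFAULT_PRIORITY, 10, mac("00:1a:2b:3c:4d:00"))
    print("VLAN 10 priority field:", a.priority_field)   # 32768 + 10
    print("root:", elect_root([a, b]).mac.hex(":"))
```

Because the VLAN ID occupies the low 12 bits, the same switch presents a different bridge ID in every VLAN (32778 in VLAN 10, 32788 in VLAN 20), and a priority you configure must be a multiple of 4096 or it cannot be encoded at all; that is the constraint behind the increments the priority command accepts.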
• From learning to forwarding or to disabled • From forwarding to disabled Figure 18-2 illustrates how an interface moves through the states.

Blocking State A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each switch interface. A switch initially functions as the root until it exchanges BPDUs with other switches. This exchange establishes which switch in the network is the root or root switch.

Disabled State A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational.

Spanning Tree and Redundant Connectivity You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure 18-4. Spanning tree automatically disables one interface but enables it if the other one fails. If one link is high-speed and the other is low-speed, the low-speed link is always disabled.

Because each VLAN is a separate spanning-tree instance, the switch accelerates aging on a per-VLAN basis. A spanning-tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch.

Spanning-Tree Interoperability and Backward Compatibility Table 18-2 lists the interoperability and compatibility among the supported spanning-tree modes in a network.
Chapter 18 Configuring STP Configuring Spanning-Tree Features individual VLAN spanning trees to prevent loops from forming if there are multiple connections among VLANs. It also prevents the individual spanning trees from the VLANs being bridged from collapsing into a single spanning tree. To support VLAN-bridge spanning tree, some of the spanning-tree timers are increased. To use the fallback bridging feature, you must have the IP services feature set enabled on your switch.
• Configuring the Switch Priority of a VLAN, page 18-21 (optional)
• Configuring Spanning-Tree Timers, page 18-22 (optional)
Default Spanning-Tree Configuration
Table 18-3 shows the default spanning-tree configuration.
Table 18-3 Default Spanning-Tree Configuration (Feature: Default Setting)
Enable state: Enabled on VLAN 1. For more information, see the “Supported Spanning-Tree Instances” section on page 18-10.
Spanning-tree mode: PVST+.
Caution: Switches that are not running spanning tree still forward BPDUs that they receive so that the other switches on the VLAN that have a running spanning-tree instance can break loops. Therefore, spanning tree must be running on enough switches to break all the loops in the network; for example, at least one switch on each loop in the VLAN must be running spanning tree.
Changing the Spanning-Tree Mode
The switch supports three spanning-tree modes: PVST+, rapid PVST+, or MSTP. By default, the switch runs the PVST+ protocol. Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required.
Step 1: configure terminal. Enter global configuration mode.
Disabling Spanning Tree
Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in the “Supported Spanning-Tree Instances” section on page 18-10. Disable spanning tree only if you are sure there are no loops in the network topology.
Note: The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root. Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).
Configuring a Secondary Root Switch
When you configure a switch as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails. This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch.
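The following is an added example, not code from the Cisco guide, that models the bridge ID described above (IEEE 802.1t: a 4-bit priority, a 12-bit extended system ID carrying the VLAN, and the 48-bit MAC) and then runs root election over a constructed topology. It shows why the priority can only move in steps of 4096, why the lowest MAC wins when every switch keeps the default 32768, and how a secondary root at 28672 takes over when the primary fails. The switch names and MAC addresses are made up, and the 24576 used for the primary root is an assumption (the page only says the primary root is set to a significantly lower value).

```python
# Added example (not from the Cisco guide): how the IEEE 802.1t extended system
# ID packs the VLAN into the bridge ID, and how priority values such as the
# 28672 used for a secondary root change the outcome of root election.
from typing import Iterable

PRIORITY_STEP = 4096             # the priority occupies the top 4 bits, so it moves in steps of 4096
DEFAULT_PRIORITY = 32768         # default switch priority (stated on the page)
SECONDARY_ROOT_PRIORITY = 28672  # what "root secondary" sets (stated on the page)
PRIMARY_ROOT_PRIORITY = 24576    # assumed value for "root primary"; the page only says "significantly lower"


def bridge_id(priority: int, vlan_id: int, mac: str) -> int:
    """64-bit bridge ID: 4-bit priority | 12-bit extended system ID (VLAN) | 48-bit MAC."""
    if priority % PRIORITY_STEP != 0 or not 0 <= priority <= 15 * PRIORITY_STEP:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must fit in the 12-bit extended system ID")
    mac_int = int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)
    if mac_int >> 48:
        raise ValueError("MAC address must be 48 bits")
    return ((priority | vlan_id) << 48) | mac_int


def split_bridge_id(bid: int) -> tuple:
    """Inverse of bridge_id(): returns (priority, vlan_id, mac)."""
    upper = bid >> 48
    mac_int = bid & ((1 << 48) - 1)
    mac = ":".join(f"{(mac_int >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))
    return upper & 0xF000, upper & 0x0FFF, mac


def elect_root(switches: Iterable, vlan_id: int) -> str:
    """Name of the switch whose bridge ID for this VLAN is numerically lowest (priority first, then MAC)."""
    return min(switches, key=lambda s: bridge_id(s[1], vlan_id, s[2]))[0]


# Constructed topology (names and MAC addresses are made up): every switch at the default priority.
DEFAULT_SWITCHES = [
    ("access-1", DEFAULT_PRIORITY, "00:00:0c:00:00:30"),
    ("dist-1", DEFAULT_PRIORITY, "00:00:0c:00:00:10"),
    ("dist-2", DEFAULT_PRIORITY, "00:00:0c:00:00:20"),
]


def elect_with_configured_roots(vlan_id: int = 1) -> tuple:
    """Root with dist-1 as primary and dist-2 as secondary, then the root again after dist-1 fails."""
    configured = [
        ("access-1", DEFAULT_PRIORITY, "00:00:0c:00:00:30"),
        ("dist-1", PRIMARY_ROOT_PRIORITY, "00:00:0c:00:00:10"),
        ("dist-2", SECONDARY_ROOT_PRIORITY, "00:00:0c:00:00:20"),
    ]
    before = elect_root(configured, vlan_id)
    after = elect_root([s for s in configured if s[0] != "dist-1"], vlan_id)
    return before, after


if __name__ == "__main__":
    print("all defaults, lowest MAC wins:", elect_root(DEFAULT_SWITCHES, 1))
    print("primary, then secondary after the primary fails:", elect_with_configured_roots())
    print("VLAN 10 bridge ID at default priority: 0x%016x" % bridge_id(DEFAULT_PRIORITY, 10, "00:00:0c:00:00:10"))
```

Because the VLAN occupies the low 12 bits of the priority field, two switches with the same configured priority still carry different bridge IDs per VLAN, which is what lets one MAC address serve every VLAN instance while keeping the bridge ID unique.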
Note: If your switch is a member of a switch stack, you must use the spanning-tree [vlan vlan-id] cost cost interface configuration command instead of the spanning-tree [vlan vlan-id] port-priority priority interface configuration command to select an interface to put in the forwarding state. Assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
To return to the default setting, use the no spanning-tree [vlan vlan-id] port-priority interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree port priorities, see the “Configuring Trunk Ports for Load Sharing” section on page 13-24.
Configuring Path Cost
The spanning-tree path cost default value is derived from the media speed of an interface.
Note: The show spanning-tree interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration. To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command.
Configuring Spanning-Tree Timers
Table 18-4 describes the timers that affect the entire spanning-tree performance.
Table 18-4 Spanning-Tree Timers (Variable: Description)
Hello timer: Controls how often the switch broadcasts hello messages to other switches.
Forward-delay timer: Controls how long each of the listening and learning states last before the interface begins forwarding.
Configuring the Forwarding-Delay Time for a VLAN
Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: spanning-tree vlan vlan-id forward-time seconds. Configure the forward time of a VLAN.
Chapter 18 Configuring STP Displaying the Spanning-Tree Status Configuring the Transmit Hold-Count You can configure the BPDU burst size by changing the transmit hold count value. Note Changing this parameter to a higher value can have a significant impact on CPU utilization, especially in Rapid-PVST mode. Lowering this value can slow down convergence in certain scenarios. We recommend that you maintain the default setting.
CHAPTER 19 Configuring MSTP This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 3750-E or 3560-E switch. Note: The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard. The MSTP enables multiple VLANs to be mapped to the same spanning-tree instance, reducing the number of spanning-tree instances needed to support a large number of VLANs.
Chapter 19 Configuring MSTP Understanding MSTP • Configuring MSTP Features, page 19-14 • Displaying the MST Configuration and Status, page 19-26 Understanding MSTP MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances.
IST, CIST, and CST
Unlike PVST+ and rapid PVST+ in which all the spanning-tree instances are independent, the MSTP establishes and maintains two types of spanning trees:
• An internal spanning tree (IST), which is the spanning tree that runs in an MST region. Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST).
For correct operation, all switches in the MST region must agree on the same CIST regional root. Therefore, any two switches in the region only synchronize their port roles for an MST instance if they converge to a common CIST regional root.
Operations Between MST Regions
If there are multiple regions or legacy IEEE 802.
MSTP switches use Version 3 RSTP BPDUs or IEEE 802.1D STP BPDUs to communicate with legacy IEEE 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches.
IEEE 802.1s Terminology
Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters.
The message-age and maximum-age information in the RSTP portion of the BPDU remain the same throughout the region, and the same values are propagated by the region designated ports at the boundary.
Port Role Naming Change
The boundary role is no longer in the final MST standard, but this boundary concept is maintained in Cisco’s implementation. However, an MST instance port at a boundary of the region might not follow the state of the corresponding CIST port.
Detecting Unidirectional Link Failure
This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
Chapter 19 Configuring MSTP Understanding RSTP Interoperability with IEEE 802.1D STP A switch running MSTP supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If this switch receives a legacy IEEE 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only IEEE 802.1D BPDUs on that port.
• Backup port—Acts as a backup for the path provided by a designated port toward the leaves of the spanning tree. A backup port can exist only when two ports are connected in a loopback by a point-to-point link or when a switch has two or more connections to a shared LAN segment.
• Disabled port—Has no role within the operation of the spanning tree.
A port with the root or a designated port role is included in the active topology.
After receiving Switch B’s agreement message, Switch A also immediately transitions its designated port to the forwarding state. No loops in the network are formed because Switch B blocked all of its nonedge ports and because there is a point-to-point link between Switches A and B. When Switch C is connected to Switch B, a similar set of handshaking messages are exchanged.
If a designated port is in the forwarding state and is not configured as an edge port, it transitions to the blocking state when the RSTP forces it to synchronize with new root information. In general, when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions, its port state is set to blocking.
Table 19-3 RSTP BPDU Flags (continued) (Bit: Function)
5: Forwarding
6: Agreement
7: Topology change acknowledgement (TCA)
The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN. The port role in the proposal message is always set to the designated port. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal.
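As an added example (not code from the Cisco guide), the block below decodes the flags byte that Table 19-3 describes and classifies a BPDU by its version field, which is how the protocol migration mechanism discussed in this chapter tells a legacy IEEE 802.1D BPDU (version 0) from an RSTP or MSTP one. Bits 5 through 7 are taken from the table on the page; the layout of bits 0 through 4 (topology change, proposal, a two-bit port role, learning) follows the IEEE 802.1w standard and is not stated on this page. The sample BPDU bytes are constructed.

```python
# Added example (not from the Cisco guide): decode the RSTP BPDU flags byte and
# recognise legacy 802.1D BPDUs by their version field.
# Bit 0 TC, bit 1 proposal, bits 2-3 port role, bit 4 learning are from IEEE
# 802.1w; bits 5-7 (forwarding, agreement, TCA) are from Table 19-3 on the page.
import struct

ROLE_NAMES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}
FLAG_TC, FLAG_PROPOSAL, FLAG_LEARNING = 0x01, 0x02, 0x10
FLAG_FORWARDING, FLAG_AGREEMENT, FLAG_TCA = 0x20, 0x40, 0x80
RST_BPDU_TYPE = 2          # BPDU type used by RSTP/MSTP (version 2 and 3) BPDUs


def decode_rstp_flags(flags: int) -> dict:
    """Split the flags byte into named fields."""
    return {
        "topology_change": bool(flags & FLAG_TC),
        "proposal": bool(flags & FLAG_PROPOSAL),
        "port_role": ROLE_NAMES[(flags >> 2) & 0x03],
        "learning": bool(flags & FLAG_LEARNING),
        "forwarding": bool(flags & FLAG_FORWARDING),
        "agreement": bool(flags & FLAG_AGREEMENT),
        "tca": bool(flags & FLAG_TCA),
    }


def encode_rstp_flags(role: str, **bits) -> int:
    """Build a flags byte from a port role name and keyword flags (proposal=True, ...)."""
    flags = {v: k for k, v in ROLE_NAMES.items()}[role] << 2
    for name, mask in (("topology_change", FLAG_TC), ("proposal", FLAG_PROPOSAL),
                       ("learning", FLAG_LEARNING), ("forwarding", FLAG_FORWARDING),
                       ("agreement", FLAG_AGREEMENT), ("tca", FLAG_TCA)):
        if bits.get(name):
            flags |= mask
    return flags


def classify_bpdu(frame: bytes) -> dict:
    """Read the BPDU header: protocol ID (2 bytes), version (1), type (1), flags (1)."""
    if len(frame) < 5:
        raise ValueError("BPDU too short")
    proto, version, bpdu_type, flags = struct.unpack("!HBBB", frame[:5])
    if proto != 0:
        raise ValueError("protocol identifier is not spanning tree")
    info = {"version": version, "bpdu_type": bpdu_type, "legacy_8021d": version == 0}
    if version >= 2 and bpdu_type == RST_BPDU_TYPE:
        info["flags"] = decode_rstp_flags(flags)
    return info


def is_valid_proposal(flags: int) -> bool:
    """Per the page, a proposal always carries the designated port role."""
    decoded = decode_rstp_flags(flags)
    return decoded["proposal"] and decoded["port_role"] == "designated"


# Constructed samples: an RSTP proposal from a designated port, and a legacy 802.1D configuration BPDU.
SAMPLE_PROPOSAL = bytes([0, 0, 2, RST_BPDU_TYPE, encode_rstp_flags("designated", proposal=True)]) + bytes(31)
SAMPLE_LEGACY = bytes([0, 0, 0, 0, 0]) + bytes(30)

if __name__ == "__main__":
    print(classify_bpdu(SAMPLE_PROPOSAL))
    print(classify_bpdu(SAMPLE_LEGACY))
```

A receiver that sees version 0 on a port falls back to sending only IEEE 802.1D BPDUs there, which is the behaviour the Interoperability section describes; the decoded flags are what the unidirectional-link check above compares against the port's own view of role and state.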
Chapter 19 Configuring MSTP Configuring MSTP Features • Notification—Unlike IEEE 802.1D, which uses TCN BPDUs, the RSTP does not use them. However, for IEEE 802.1D interoperability, an RSTP switch processes and generates TCN BPDUs. • Acknowledgement—When an RSTP switch receives a TCN message on a designated port from an IEEE 802.1D switch, it replies with an IEEE 802.1D configuration BPDU with the TCA bit set. However, if the TC-while timer (the same as the topology-change timer in IEEE 802.
Default MSTP Configuration
Table 19-4 shows the default MSTP configuration.
Table 19-4 Default MSTP Configuration (Feature: Default Setting)
Spanning-tree mode: PVST+ (Rapid PVST+ and MSTP are disabled).
Switch priority (configurable on a per-CIST port basis): 32768.
Spanning-tree port priority (configurable on a per-CIST port basis): 128.
Spanning-tree port cost (configurable on a per-CIST port basis): 1000 Mb/s: 4. 100 Mb/s: 19. 10 Mb/s: 100.
• VTP propagation of the MST configuration is not supported. However, you can manually configure the MST configuration (region name, revision number, and VLAN-to-instance mapping) on each switch within the MST region by using the command-line interface (CLI) or through the SNMP support.
Step 5: revision version. Specify the configuration revision number. The range is 0 to 65535.
Step 6: show pending. Verify your configuration by displaying the pending configuration.
Step 7: exit. Apply all changes, and return to global configuration mode.
Step 8: spanning-tree mode mst. Enable MSTP. RSTP is also enabled.
To configure a switch to become the root, use the spanning-tree mst instance-id root global configuration command to modify the switch priority from the default value (32768) to a significantly lower value so that the switch becomes the root switch for the specified spanning-tree instance. When you enter this command, the switch checks the switch priorities of the root switches.
Step 4: show spanning-tree mst instance-id. Verify your entries.
Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
To return the switch to its default setting, use the no spanning-tree mst instance-id root global configuration command.
Configuring Port Priority
If a loop occurs, the MSTP uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) to interfaces that you want selected last.
To return the interface to its default setting, use the no spanning-tree mst instance-id port-priority interface configuration command.
Configuring Path Cost
The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state.
Configuring the Switch Priority
You can configure the switch priority and make it more likely that a standalone switch or a switch in the stack will be chosen as the root switch.
Note: Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
Beginning in privileged EXEC mode, follow these steps to configure the hello time for all MST instances. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: spanning-tree mst hello-time seconds. Configure the hello time for all MST instances. The hello time is the interval between the generation of configuration messages by the root switch. These messages mean that the switch is alive.
Configuring the Maximum-Aging Time
Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: spanning-tree mst max-age seconds. Configure the maximum-aging time for all MST instances.
By default, the link type is controlled from the duplex mode of the interface: a full-duplex port is considered to have a point-to-point connection; a half-duplex port is considered to have a shared connection. If you have a half-duplex link physically connected point-to-point to a single port on a remote switch running MSTP, you can override the default setting of the link type and enable rapid transitions to the forwarding state.
Chapter 19 Configuring MSTP Displaying the MST Configuration and Status Restarting the Protocol Migration Process A switch running MSTP supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If this switch receives a legacy IEEE 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only IEEE 802.1D BPDUs on that port.
CHAPTER 20 Configuring Optional Spanning-Tree Features This chapter describes how to configure optional spanning-tree features on the Catalyst 3750-E or 3560-E switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+). You can configure only the noted features when your switch or switch stack is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol.
Chapter 20 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding Port Fast Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states.
At the interface level, you enable BPDU guard on any port by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. When the port receives a BPDU, it is put in the error-disabled state. The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service.
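The next block is an added example, not code from the Cisco guide, that models the port behaviour described in this chapter and in the STP state list of Chapter 18: a normal port walks blocking, listening, learning, forwarding; a Port Fast port jumps from blocking straight to forwarding; and a port with BPDU guard goes to error-disabled the moment a BPDU arrives and stays there until an operator clears it. The interface names are made up, and the transition table encodes the 802.1D transitions the page lists (initialization lands a port in blocking).

```python
# Added example (not from the Cisco guide): a small model of 802.1D port state
# transitions with Port Fast and BPDU guard layered on top.
from enum import Enum


class PortState(Enum):
    DISABLED = "disabled"
    BLOCKING = "blocking"
    LISTENING = "listening"
    LEARNING = "learning"
    FORWARDING = "forwarding"
    ERR_DISABLED = "err-disabled"   # set by BPDU guard; needs manual recovery


# Legal transitions in normal operation, as listed on the page (plus init -> blocking).
TRANSITIONS = {
    PortState.DISABLED: {PortState.BLOCKING},
    PortState.BLOCKING: {PortState.LISTENING, PortState.DISABLED},
    PortState.LISTENING: {PortState.LEARNING, PortState.DISABLED},
    PortState.LEARNING: {PortState.FORWARDING, PortState.DISABLED},
    PortState.FORWARDING: {PortState.DISABLED},
    PortState.ERR_DISABLED: set(),      # only clear_errdisable() leaves this state
}

# What the forward-delay timer does to a port that is converging.
NEXT_STEP = {
    PortState.BLOCKING: PortState.LISTENING,
    PortState.LISTENING: PortState.LEARNING,
    PortState.LEARNING: PortState.FORWARDING,
}


class Port:
    def __init__(self, name: str, portfast: bool = False, bpduguard: bool = False):
        self.name, self.portfast, self.bpduguard = name, portfast, bpduguard
        self.state = PortState.DISABLED
        self.log = []

    def _set(self, new: PortState) -> None:
        self.log.append(f"{self.name}: {self.state.value} -> {new.value}")
        self.state = new

    def transition(self, new: PortState) -> None:
        """Normal STP transition; anything not in TRANSITIONS is rejected."""
        if new not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.name}: illegal transition {self.state.value} -> {new.value}")
        self._set(new)

    def link_up(self) -> None:
        self.transition(PortState.BLOCKING)
        if self.portfast:
            self._set(PortState.FORWARDING)   # Port Fast: skip listening and learning

    def timer_expired(self) -> None:
        if self.state in NEXT_STEP:
            self.transition(NEXT_STEP[self.state])

    def receive_bpdu(self) -> str:
        """BPDU guard puts the port in error-disabled; otherwise the BPDU is processed normally."""
        if self.bpduguard:
            self._set(PortState.ERR_DISABLED)
            return "err-disabled"
        return "processed"

    def clear_errdisable(self) -> None:
        """Manual recovery: the operator shuts and re-enables the port."""
        if self.state is PortState.ERR_DISABLED:
            self._set(PortState.DISABLED)
            self.link_up()


def walk_normal_port() -> list:
    """States a plain access port passes through after link-up and three timer expiries."""
    p = Port("Gi1/0/1")
    p.link_up()
    states = [p.state.value]
    for _ in range(3):
        p.timer_expired()
        states.append(p.state.value)
    return states


def demo_bpdu_guard() -> tuple:
    """A Port Fast + BPDU guard port: state after link-up, the verdict on a BPDU, the state after it."""
    p = Port("Gi1/0/2", portfast=True, bpduguard=True)
    p.link_up()
    after_up = p.state.value
    verdict = p.receive_bpdu()
    return after_up, verdict, p.state.value


def illegal_transition_rejected() -> bool:
    """Blocking -> forwarding is not a legal STP transition without Port Fast."""
    p = Port("Gi1/0/3")
    p.link_up()
    try:
        p.transition(PortState.FORWARDING)
    except ValueError:
        return True
    return False
```

Leaving the err-disabled port in place until an operator intervenes is the point of the feature: an unexpected BPDU on an access port is a configuration or topology problem that should be investigated, not silently absorbed.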
[Figure 20-2 Switches in a Hierarchical Network: backbone switches (including the root bridge), distribution switches, and access switches, with active and blocked links]
If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port.
[Figure 20-3 UplinkFast Example Before Direct Link Failure: Switch A (Root), Switch B, and Switch C connected by links L1, L2, and L3; Switch C has a blocked port]
If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure
How CSUF Works
CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 20-5, the stack-root port on Switch 1 provides the path to the root of the spanning tree. The alternate stack-root ports on Switches 2 and 3 can provide an alternate path to the spanning-tree root if the current stack-root switch fails or if its link to the spanning-tree root fails.
Each switch in the stack decides if the sending switch is a better choice than itself to be the stack root of this spanning-tree instance by comparing the root, cost, and bridge ID. If the sending switch is the best choice as the stack root, each switch in the stack returns an acknowledgement; otherwise, it sends a fast-transition request.
BackboneFast, which is enabled by using the spanning-tree backbonefast global configuration command, starts when a root port or blocked interface on a switch receives inferior BPDUs from its designated switch. An inferior BPDU identifies a switch that declares itself as both the root bridge and the designated switch.
If link L1 fails as shown in Figure 20-7, Switch C cannot detect this failure because it is not connected directly to link L1. However, because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root, and begins sending BPDUs to Switch C, identifying itself as the root.
Understanding EtherChannel Guard
You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel, but the interfaces on the other device are not. A misconfiguration can also occur if the channel parameters are not the same at both ends of the EtherChannel.
Chapter 20 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features
[Figure 20-9 Root Guard in a Service-Provider Network: the desired root switch sits in the service-provider network; a switch in the customer network is a potential spanning-tree root if root guard is not enabled]
Enable the root-guard feature on these interfaces to prevent switches in the customer network from becoming the root switch or being in the path to the root.
• Enabling BackboneFast, page 20-16 (optional)
• Enabling EtherChannel Guard, page 20-17 (optional)
• Enabling Root Guard, page 20-18 (optional)
• Enabling Loop Guard, page 20-18 (optional)
Default Optional Spanning-Tree Configuration
Table 20-1 shows the default optional spanning-tree configuration.
You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP. Beginning in privileged EXEC mode, follow these steps to enable Port Fast. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify an interface to configure, and enter interface configuration mode.
The BPDU guard feature provides a secure response to invalid configurations because you must manually put the port back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree.
You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs.
Caution: Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.
Beginning in privileged EXEC mode, follow these steps to enable UplinkFast and CSUF. This procedure is optional.
Step 1: configure terminal. Enter global configuration mode.
Step 2: spanning-tree uplinkfast [max-update-rate pkts-per-second]. Enable UplinkFast. (Optional) For pkts-per-second, the range is 0 to 32000 packets per second; the default is 150.
Note: If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs. This feature is supported for use with third-party switches. You can configure the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
Enabling Root Guard
Root guard enabled on an interface applies to all the VLANs to which the interface belongs. Do not enable the root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure.
Chapter 20 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status
Step 3: spanning-tree loopguard default. Enable loop guard. By default, loop guard is disabled.
Step 4: end. Return to privileged EXEC mode.
Step 5: show running-config. Verify your entries.
Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
To globally disable loop guard, use the no spanning-tree loopguard default global configuration command.
CHAPTER 21 Configuring Flex Links and the MAC Address-Table Move Update Feature This chapter describes how to configure Flex Links, a pair of interfaces on the Catalyst 3750-E or 3560-E switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature.
Chapter 21 Understanding Flex Links and the MAC Address-Table Move Update Configuring Flex Links and the MAC Address-Table Move Update Feature You configure Flex Links on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the Flex Link or backup link. On Catalyst 3750-E switches, the Flex Link can be on the same switch or on another switch in the stack.
[Figure 21-2 VLAN Flex Links Load Balancing Configuration Example: Switch A ports gi2/0/8 and gi2/0/6 connect to uplink switches B and C; one link is forwarding and the other is not forwarding]
MAC Address-Table Move Update
The MAC address-table move update feature allows the switch to provide rapid bidirectional convergence when a primary (forwarding) link goes down and the standby link begins f
switch C learns the MAC address of the PC on port 4. Switch C updates the MAC address table, including the forwarding table entry for the PC. The switch then starts forwarding traffic from the server to the PC through port 4, which reduces the loss of traffic from the server to the PC.
Chapter 21 Configuring Flex Links and the MAC Address-Table Move Update Feature Configuring Flex Links and MAC Address-Table Move Update Configuring Flex Links and MAC Address-Table Move Update These sections contain this information: • Configuration Guidelines, page 21-5 • Default Configuration, page 21-5 Configuration Guidelines Follow these guidelines to configure Flex Links: • You can configure only one Flex Link backup link for any active link, and it must be a different interface from the activ
This section contains this information:
• Configuring Flex Links, page 21-6
• Configuring VLAN Load Balancing on Flex Links, page 21-8
• Configuring the MAC Address-Table Move Update Feature, page 21-9
Configuring Flex Links
Beginning in privileged EXEC mode, follow these steps to configure a pair of Flex Li
Beginning in interface configuration mode, follow these steps to configure a preemption scheme for a pair of Flex Links:
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify the interface, and enter interface configuration mode.
Configuring VLAN Load Balancing on Flex Links
Beginning in privileged EXEC mode, follow these steps to configure VLAN load balancing on Flex Links:
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify the interface, and enter interface configuration mode.
When a Flex Link interface comes up, VLANs preferred on this interface are blocked on the peer interface and moved to the forwarding state on the interface that has just come up. In this example, if interface Gi2/0/6 comes up, VLANs preferred on this interface are blocked on the peer interface Gi2/0/8 and forwarded on Gi2/0/6.
Step 4: end. Return to global configuration mode.
Step 5: mac address-table move update transmit. Enable the access switch to send MAC address-table move updates to other switches in the network if the primary link goes down and the switch starts forwarding traffic through the standby link.
Step 6: end. Return to privileged EXEC mode.
Chapter 21 Configuring Flex Links and the MAC Address-Table Move Update Feature Monitoring Flex Links and the MAC Address-Table Move Update
Step 3: end. Return to privileged EXEC mode.
Step 4: show mac address-table move update. Verify the configuration.
Step 5: copy running-config startup-config. (Optional) Save your entries in the switch startup configuration file.
CHAPTER 22 Configuring DHCP Features and IP Source Guard This chapter describes how to configure DHCP snooping and the option-82 data insertion features on the Catalyst 3750-E or 3560-E switch. It also describes how to configure the IP source guard feature. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Chapter 22 Configuring DHCP Features and IP Source Guard Understanding DHCP Features For information about the DHCP client, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. DHCP Server The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them.
The switch drops a DHCP packet when one of these situations occurs:
• A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall.
• A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.
Figure 22-1 is an example of a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the switch at the access layer.
• Remote-ID suboption fields
 – Suboption type
 – Length of the suboption type
 – Remote-ID type
 – Length of the remote-ID type
In the port field of the circuit ID suboption, the port numbers start at 3.
The values for these fields in the packets change from the default values when you configure the remote-ID and circuit-ID suboptions:
• Circuit-ID suboption fields
 – The circuit-ID type is 1.
 – The length values are variable, depending on the length of the string that you configure.
• Remote-ID suboption fields
 – The remote-ID type is 1.
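To make the suboption layout above concrete, here is an added parser for the body of DHCP option 82 (the relay agent information option). It is not code from the Cisco guide. Suboption codes 1 (circuit ID) and 2 (remote ID) come from RFC 3046, and the nested ID type and ID length fields follow the field list on this page; the default field widths the parser assumes (a 2-byte VLAN, 1-byte module and 1-byte port for the circuit ID, a 6-byte MAC for the remote ID) are an assumption based on Cisco's documented default encoding and are not stated on this page. The sample bytes, VLAN, port and MAC address are constructed.

```python
# Added example (not from the Cisco guide): parse DHCP option 82 suboptions,
# including the type-1 (configured string) form the page says replaces the
# defaults when circuit-ID or remote-ID strings are configured.
CIRCUIT_ID, REMOTE_ID = 1, 2      # suboption codes from RFC 3046


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_cisco_id(value: bytes, kind: str) -> dict:
    """Decode the 'ID type / ID length / ID bytes' body of a circuit-ID or remote-ID suboption."""
    if len(value) < 2:
        raise ValueError("suboption value too short for ID type and length")
    id_type, id_len = value[0], value[1]
    body = value[2:2 + id_len]
    if len(body) != id_len or len(value) != 2 + id_len:
        raise ValueError("ID length does not match suboption length")
    if id_type == 0 and kind == "circuit" and id_len == 4:
        # Assumed default circuit ID: VLAN (2 bytes), module (1), port (1); ports start at 3 per the page.
        return {"id_type": 0, "vlan": int.from_bytes(body[:2], "big"), "module": body[2], "port": body[3]}
    if id_type == 0 and kind == "remote" and id_len == 6:
        # Assumed default remote ID: the relay switch's MAC address.
        return {"id_type": 0, "mac": _mac(body)}
    if id_type == 1:
        # Type 1 carries an operator-configured string of variable length (per the page).
        return {"id_type": 1, "string": body.decode("ascii", errors="replace")}
    return {"id_type": id_type, "raw": body.hex()}


def parse_option82(data: bytes) -> dict:
    """Walk the suboption TLVs in an option 82 body; rejects truncated input."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated suboption header")
        sub_type, sub_len = data[i], data[i + 1]
        value = data[i + 2:i + 2 + sub_len]
        if len(value) != sub_len:
            raise ValueError("truncated suboption value")
        i += 2 + sub_len
        if sub_type == CIRCUIT_ID:
            out["circuit_id"] = parse_cisco_id(value, "circuit")
        elif sub_type == REMOTE_ID:
            out["remote_id"] = parse_cisco_id(value, "remote")
        else:
            out[f"suboption_{sub_type}"] = value.hex()
    return out


def build_default_option82(vlan: int, module: int, port: int, switch_mac: str) -> bytes:
    """Encode the assumed default layout; used to construct the sample below."""
    circuit = bytes([0, 4]) + vlan.to_bytes(2, "big") + bytes([module, port])
    remote = bytes([0, 6]) + bytes.fromhex(switch_mac.replace(":", ""))
    return bytes([CIRCUIT_ID, len(circuit)]) + circuit + bytes([REMOTE_ID, len(remote)]) + remote


# Constructed sample: VLAN 10, module 1, port 3, relay switch MAC 00:1b:54:aa:bb:cc (made up).
SAMPLE = build_default_option82(10, 1, 3, "00:1b:54:aa:bb:cc")

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(parse_option82(SAMPLE))
```

On the DHCP server side this is the information that lets a lease be tied to the physical port it was requested on; a parser that checks both length fields against each other, as this one does, avoids mis-attributing a lease when a malformed suboption arrives.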
Each database entry (binding) has an IP address, an associated MAC address, the lease time (in hexadecimal format), the interface to which the binding applies, and the VLAN to which the interface belongs. The database agent stores the bindings in a file at a configured location.

DHCP Snooping and Switch Stacks
DHCP snooping is managed on the stack master. When a new switch joins the stack, the switch receives the DHCP snooping configuration from the stack master. When a member leaves the stack, all DHCP snooping address bindings associated with the switch age out. All snooping statistics are generated on the stack master. If a new stack master is elected, the statistics counters reset.

Table 22-1 Default DHCP Configuration (continued)
Feature: Default Setting
DHCP snooping option to accept packets on untrusted input interfaces [3]: Disabled
DHCP snooping limit rate: None configured
DHCP snooping trust: Untrusted
DHCP snooping VLAN: Disabled
DHCP snooping MAC address verification: Enabled
Cisco IOS DHCP server binding database: Enabled in Cisco IOS software, requires configuration.

• Before configuring the DHCP relay agent on your switch, make sure to configure the device that is acting as the DHCP server. For example, you must specify the IP addresses that the DHCP server can assign or exclude, configure DHCP options for devices, or set up the DHCP database agent.
• If the DHCP relay agent is enabled but DHCP snooping is disabled, the DHCP option-82 data insertion feature is not supported.

Configuring the DHCP Relay Agent
Beginning in privileged EXEC mode, follow these steps to enable the DHCP relay agent on the switch:
Step 1  configure terminal: Enter global configuration mode.
Step 2  service dhcp: Enable the DHCP server and relay agent on your switch. By default, this feature is enabled.
Step 3  end: Return to privileged EXEC mode.
Step 4  show running-config: Verify your entries.

interface range port-range: Configure multiple physical ports that are connected to the DHCP clients, and enter interface range configuration mode.
or
interface interface-id: Configure a single physical port that is connected to the DHCP client, and enter interface configuration mode.
Step 7  switchport mode access: Define the VLAN membership mode for the port.

Step 6  ip dhcp snooping information option allow-untrusted: (Optional) If the switch is an aggregation switch connected to an edge switch, enable the switch to accept incoming DHCP snooping packets with option-82 information from the edge switch. The default setting is disabled.
Note Enter this command only on aggregation switches that are connected to trusted devices.

Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# ip dhcp snooping limit rate 100

Enabling DHCP Snooping on Private VLANs
You can enable DHCP snooping on private VLANs. If DHCP snooping is enabled, the configuration is propagated to both a primary VLAN and its associated secondary VLANs. If DHCP snooping is enabled on the primary VLAN, it is also configured on the secondary VLANs.

Step 3  ip dhcp snooping database timeout seconds: Specify (in seconds) how long to wait for the database transfer process to finish before stopping the process. The default is 300 seconds. The range is 0 to 86400. Use 0 to define an infinite duration, which means to continue trying the transfer indefinitely.

Note If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the statically configured bindings.

Understanding IP Source Guard
IP source guard is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings.

Source IP and MAC Address Filtering
When IP source guard is enabled with this option, IP traffic is filtered based on the source IP and MAC addresses. The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table. When IP source guard with source IP and MAC address filtering is enabled, the switch filters IP and non-IP traffic.
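The DHCP snooping drop rules, the binding table they produce, and the IP source guard filtering modes described in this chapter, as one added example (my code, not Cisco's): a trusted or untrusted port classification, the two drop rules with MAC address verification (enabled by default, as in Table 22-1), a binding created when a trusted server confirms a lease, and per-port IP source guard in IP-only or IP-and-MAC mode. Port names, MAC addresses and the lease values are constructed sample data; the way the client's port is remembered between the client's request and the server's acknowledgement is my simplification.

```python
"""DHCP snooping admission checks, the binding table they build, and IP
source guard filtering against that table.  Added example, not Cisco code:
it models the two drop rules, MAC address verification, and the two IP
source guard filtering modes described in the chapter text."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Server-originated message types; on an untrusted port these are dropped.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    lease: int         # seconds; the database agent stores this in hex
    interface: str
    vlan: int


@dataclass
class DhcpPacket:
    msg_type: str
    eth_src: str       # Ethernet source MAC
    chaddr: str        # DHCP client hardware address field
    yiaddr: str = "0.0.0.0"
    lease: int = 0


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False   # default: untrusted


class DhcpSnooping:
    def __init__(self, verify_mac: bool = True):
        self.verify_mac = verify_mac   # MAC address verification, enabled by default
        self.bindings: Dict[Tuple[int, str], Binding] = {}   # (vlan, client MAC) -> binding
        self._client_port: Dict[Tuple[int, str], str] = {}  # where each client was last seen (simplification)

    def inspect(self, pkt: DhcpPacket, port: Port) -> str:
        """Return 'forward' or a 'drop: ...' reason for one DHCP packet."""
        key = (port.vlan, pkt.chaddr.lower())
        if not port.trusted:
            if pkt.msg_type in SERVER_MESSAGES:
                return "drop: server message on untrusted port"
            if self.verify_mac and pkt.eth_src.lower() != pkt.chaddr.lower():
                return "drop: source MAC does not match client hardware address"
            self._client_port[key] = port.name
        elif pkt.msg_type == "DHCPACK" and key in self._client_port:
            # A lease confirmed by a trusted server becomes a binding on the client's port.
            self.bindings[key] = Binding(pkt.yiaddr, pkt.chaddr.lower(), pkt.lease,
                                         self._client_port[key], port.vlan)
        return "forward"


@dataclass
class Frame:
    in_port: str
    vlan: int
    eth_src: str
    ip_src: Optional[str] = None   # None for non-IP traffic such as ARP
    is_dhcp: bool = False


class IpSourceGuard:
    """Per-port filtering: mode 'ip' (ip verify source) checks the source IP only;
    mode 'ip-mac' (ip verify source port-security) checks source IP and MAC and
    also checks non-IP frames by their source MAC."""

    def __init__(self, snooping: DhcpSnooping):
        self.snooping = snooping
        self.static: Set[Binding] = set()      # manually configured ip source binding entries
        self.mode: Dict[str, str] = {}         # port name -> 'ip' | 'ip-mac'

    def enable(self, port: str, mode: str = "ip") -> None:
        if mode not in ("ip", "ip-mac"):
            raise ValueError("mode must be 'ip' or 'ip-mac'")
        self.mode[port] = mode

    def add_static_binding(self, b: Binding) -> None:
        self.static.add(b)

    def _table(self, port: str, vlan: int):
        dyn = [b for b in self.snooping.bindings.values() if b.interface == port and b.vlan == vlan]
        sta = [b for b in self.static if b.interface == port and b.vlan == vlan]
        return dyn + sta

    def permit(self, f: Frame) -> bool:
        mode = self.mode.get(f.in_port)
        if mode is None or f.is_dhcp:
            return True          # feature off on this port, or DHCP needed to obtain a lease
        table = self._table(f.in_port, f.vlan)
        mac = f.eth_src.lower()
        if f.ip_src is None:
            return mode == "ip" or any(b.mac == mac for b in table)
        if mode == "ip":
            return any(b.ip == f.ip_src for b in table)
        return any(b.ip == f.ip_src and b.mac == mac for b in table)


if __name__ == "__main__":
    snoop = DhcpSnooping()
    access, uplink = Port("Gi1/0/1", 10), Port("Gi1/0/24", 10, trusted=True)
    client = "00:11:22:33:44:55"   # constructed client MAC
    print(snoop.inspect(DhcpPacket("DHCPDISCOVER", client, client), access))
    print(snoop.inspect(DhcpPacket("DHCPACK", "00:00:5e:00:53:01", client, "10.0.0.20", 86400), uplink))
    ipsg = IpSourceGuard(snoop)
    ipsg.enable("Gi1/0/1", "ip-mac")
    print(ipsg.permit(Frame("Gi1/0/1", 10, client, "10.0.0.20")))
    print(ipsg.permit(Frame("Gi1/0/1", 10, "aa:aa:aa:aa:aa:aa", "10.0.0.20")))
```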
• When configuring IP source guard on interfaces on which a private VLAN is configured, port security is not supported.
• IP source guard is not supported on EtherChannels.
• You can enable this feature when IEEE 802.1x port-based authentication is enabled.
• If the number of hardware entries exceeds the maximum available, the CPU usage increases.

This example shows how to enable IP source guard with source IP and MAC filtering on VLANs 10 and 11:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip verify source port-security
Switch(config-if)# exit
Switch(config)# ip source binding 0100.0022.0010 vlan 10 10.0.0.

Catalyst 3750-E and 3560-E Switch Software Configuration Guide 22-20 OL-9775-02
CHAPTER 23 Configuring Dynamic ARP Inspection
This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 3750-E or 3560-E switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.

Figure 23-1 ARP Cache Poisoning (Host A (IA, MA), Host B (IB, MB), and Host C, the man-in-the-middle (IC, MC), attached to switch interfaces A, B, and C)
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA.

You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header. Use the ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command. For more information, see the “Performing Validation Checks” section on page 23-11.

Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running dynamic ARP inspection.

Logging of Dropped Packets
When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.

Table 23-1 Default Dynamic ARP Inspection Configuration (continued)
Feature: Default Setting
Log buffer: When dynamic ARP inspection is enabled, all denied or dropped ARP packets are logged. The number of entries in the log is 32. The number of system messages is limited to 5 per second. The logging-rate interval is 1 second.
Per-VLAN logging: All denied or dropped ARP packets are logged.

• The operating rate for the port channel is cumulative across all the physical ports within the channel. For example, if you configure the port channel with an ARP rate-limit of 400 pps, all the interfaces combined on the channel receive an aggregate 400 pps. The rate of incoming ARP packets on EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members.

Step 4  interface interface-id: Specify the interface connected to the other switch, and enter interface configuration mode.
Step 5  ip arp inspection trust: Configure the connection between the switches as trusted. By default, all interfaces are untrusted. The switch does not check ARP packets that it receives from the other switch on the trusted interface. It simply forwards the packets.

Beginning in privileged EXEC mode, follow these steps to configure an ARP ACL on Switch A. This procedure is required in non-DHCP environments.
Step 1  configure terminal: Enter global configuration mode.
Step 2  arp access-list acl-name: Define an ARP ACL, and enter ARP access-list configuration mode. By default, no ARP access lists are defined.

Step 7  no ip arp inspection trust: Configure the Switch A interface that is connected to Switch B as untrusted. By default, all interfaces are untrusted. For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination.

For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the “Dynamic ARP Inspection Configuration Guidelines” section on page 23-6.
Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This procedure is optional.
Step 1  configure terminal: Enter global configuration mode.

Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP packets. This procedure is optional.
Step 1  configure terminal: Enter global configuration mode.
Step 2  ip arp inspection validate {[src-mac] [dst-mac] [ip]}: Perform a specific check on incoming ARP packets. By default, no checks are performed.
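The inspection decision this chapter describes (trusted interfaces forwarded unchecked, untrusted interfaces verified against ARP ACL entries and DHCP snooping bindings, plus the optional src-mac, dst-mac and ip validation checks), as an added example that is not Cisco code. The meaning given to each validate keyword (src-mac compares the Ethernet source with the ARP sender MAC on requests and responses; dst-mac compares the Ethernet destination with the ARP target MAC on responses; ip rejects 0.0.0.0, 255.255.255.255 and multicast sender addresses, and the target address on responses) and the ACL-before-bindings lookup order are my reading of the feature, not text from this page. Addresses and port names are constructed.

```python
"""Dynamic ARP inspection decision logic for one ARP packet.  Added example,
not Cisco code.  Trusted ports bypass inspection; on untrusted ports the
optional validate checks run first, then the sender's IP-to-MAC pair must
match an ARP ACL entry or a DHCP snooping binding (assumed lookup order)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, Set

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
VALID_CHECKS = {"src-mac", "dst-mac", "ip"}


@dataclass
class ArpFrame:
    in_port: str
    vlan: int
    eth_src: str       # Ethernet header addresses
    eth_dst: str
    op: int            # ARP_REQUEST or ARP_REPLY
    sender_mac: str    # ARP body addresses
    sender_ip: str
    target_mac: str
    target_ip: str


class ArpInspector:
    def __init__(self, validate: Iterable[str] = ()):
        self.validate = set(validate)
        unknown = self.validate - VALID_CHECKS
        if unknown:
            raise ValueError(f"unknown validate keywords: {sorted(unknown)}")
        self.trusted: Set[str] = set()                   # ip arp inspection trust
        self.bindings: Dict[int, Dict[str, str]] = {}    # vlan -> ip -> mac, from DHCP snooping
        self.acl: Dict[int, Dict[str, str]] = {}         # vlan -> ip -> mac, from arp access-list permits

    def trust(self, port: str) -> None:
        self.trusted.add(port)

    def add_binding(self, vlan: int, ip: str, mac: str) -> None:
        self.bindings.setdefault(vlan, {})[ip] = mac.lower()

    def add_acl_entry(self, vlan: int, ip: str, mac: str) -> None:
        self.acl.setdefault(vlan, {})[ip] = mac.lower()

    @staticmethod
    def _invalid_ip(ip: str) -> bool:
        try:
            addr = ip_address(ip)
        except ValueError:
            return True
        return addr.is_multicast or ip in ("0.0.0.0", "255.255.255.255")

    def inspect(self, f: ArpFrame) -> str:
        """Return 'forward', 'forward: trusted interface', or a 'drop: ...' reason."""
        if f.in_port in self.trusted:
            return "forward: trusted interface"
        if "src-mac" in self.validate and f.eth_src.lower() != f.sender_mac.lower():
            return "drop: ethernet source MAC != ARP sender MAC"
        if ("dst-mac" in self.validate and f.op == ARP_REPLY
                and f.eth_dst.lower() != f.target_mac.lower()):
            return "drop: ethernet destination MAC != ARP target MAC"
        if "ip" in self.validate and (self._invalid_ip(f.sender_ip)
                                      or (f.op == ARP_REPLY and self._invalid_ip(f.target_ip))):
            return "drop: invalid or unexpected IP address"
        # Sender binding check: ARP ACL first, then DHCP snooping bindings (assumed order).
        expected = (self.acl.get(f.vlan, {}).get(f.sender_ip)
                    or self.bindings.get(f.vlan, {}).get(f.sender_ip))
        if expected is None:
            return "drop: no IP-to-MAC binding for sender"
        if expected != f.sender_mac.lower():
            return "drop: sender MAC does not match binding"
        return "forward"


if __name__ == "__main__":
    dai = ArpInspector(validate={"src-mac", "dst-mac", "ip"})
    dai.trust("Gi1/0/24")                                  # uplink to the other switch
    dai.add_binding(10, "10.0.0.20", "00:11:22:33:44:55")  # learned by DHCP snooping (constructed)
    dai.add_acl_entry(10, "10.0.0.1", "00:00:5e:00:53:01") # static gateway entry (constructed)
    reply = ArpFrame("Gi1/0/3", 10, "cc:cc:cc:cc:cc:cc", "00:11:22:33:44:55", ARP_REPLY,
                     "cc:cc:cc:cc:cc:cc", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.20")
    print(dai.inspect(reply))   # a reply claiming the gateway IP with the wrong MAC
```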
If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer or increase the logging rate.
Step 3  ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}: Control the type of packets that are logged per VLAN. By default, all denied or all dropped packets are logged. The term logged means the entry is placed in the log buffer and a system message is generated.

To clear or display dynamic ARP inspection statistics, use the privileged EXEC commands in Table 23-3:
Table 23-3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics
Command: Description
clear ip arp inspection statistics: Clears dynamic ARP inspection statistics.
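The log buffer behaviour described in this chapter (entries per flow, system messages generated on a rate-controlled basis and the entry cleared once its message is out, and an overflow entry shown as -- when a drop does not fit), as an added example that is not Cisco code. The defaults follow Table 23-1: 32 entries, 5 messages per 1-second interval. The message text and the sample flows are constructed; they are not a real Cisco syslog format.

```python
"""Dynamic ARP inspection log buffer with rate-controlled system messages.
Added example, not Cisco code.  Dropped packets are buffered per flow
(32 entries by default), messages go out at most `logs` per `interval`
seconds (5 per 1 s by default), and drops that do not fit are counted in
a single overflow entry displayed as '--'.  Message text is constructed."""
from collections import OrderedDict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# vlan, receiving port, source IP, destination IP, source MAC, destination MAC
Flow = Tuple[int, str, str, str, str, str]


@dataclass
class LogEntry:
    flow: Optional[Flow]     # None marks the overflow entry
    count: int
    first_seen: float


class DaiLogBuffer:
    def __init__(self, entries: int = 32, logs: int = 5, interval: float = 1.0):
        self.entries, self.logs, self.interval = entries, logs, interval
        self._buf: "OrderedDict[Flow, LogEntry]" = OrderedDict()
        self._overflow: Optional[LogEntry] = None
        self._window_start = float("-inf")
        self._sent_in_window = 0

    def record(self, flow: Flow, now: float) -> bool:
        """Buffer one dropped packet; return False if it only fit the overflow entry."""
        if flow in self._buf:
            self._buf[flow].count += 1
            return True
        if len(self._buf) < self.entries:
            self._buf[flow] = LogEntry(flow, 1, now)
            return True
        if self._overflow is None:
            self._overflow = LogEntry(None, 0, now)
        self._overflow.count += 1
        return False

    def flush(self, now: float) -> List[str]:
        """Generate at most `logs` system messages per `interval`, clearing each
        entry from the buffer once its message has been generated."""
        if now - self._window_start >= self.interval:
            self._window_start, self._sent_in_window = now, 0
        msgs: List[str] = []
        while self._buf and self._sent_in_window < self.logs:
            _, e = self._buf.popitem(last=False)           # oldest entry first
            vlan, port, sip, dip, smac, dmac = e.flow
            msgs.append(f"DAI drop: {e.count} pkt on {port} vlan {vlan} "
                        f"{sip}/{smac} -> {dip}/{dmac}")
            self._sent_in_window += 1
        if self._overflow and not self._buf and self._sent_in_window < self.logs:
            msgs.append(f"DAI drop: {self._overflow.count} pkt -- (log buffer overflow)")
            self._overflow = None
            self._sent_in_window += 1
        return msgs

    def show(self) -> List[Tuple]:
        """Rows as a log display would list them: flow, packet count, time;
        the overflow row carries '--' in place of the flow."""
        rows = [(e.flow, e.count, e.first_seen) for e in self._buf.values()]
        if self._overflow is not None:
            rows.append(("--", self._overflow.count, self._overflow.first_seen))
        return rows


if __name__ == "__main__":
    log = DaiLogBuffer()
    for i in range(1, 41):   # 40 constructed distinct flows dropped in the same second
        log.record((10, "Gi1/0/1", f"10.0.0.{i}", "10.0.0.254",
                    f"00:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff"), 0.0)
    print(len(log.show()), "rows buffered; last row:", log.show()[-1])
    for t in (0.0, 0.5, 1.0):
        print(f"t={t}: {len(log.flush(t))} messages")
```

If the -- row appears regularly on a production switch, the text above gives the two remedies: a larger buffer or a higher logging rate. The overflow counter here shows why neither the flow nor the port of those extra drops can be recovered after the fact.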
CHAPTER 24 Configuring IGMP Snooping and MVR
This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on the Catalyst 3750-E or 3560-E switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action.

Understanding IGMP Snooping
Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast devices.

IGMP Versions
The switch supports IGMP Version 1, IGMP Version 2, and IGMP Version 3. These versions are interoperable on the switch. For example, if IGMP snooping is enabled on an IGMPv2 switch and the switch receives an IGMPv3 report from a host, the switch can forward the IGMPv3 report to the multicast router.
Note The switch supports IGMPv3 snooping based only on the destination multicast MAC address.

Figure 24-1 Initial IGMP Join Message (Router A on port 1; Host 1 through Host 4 on ports 2 through 5; the IGMP report for 224.1.2.3 is directed by the VLAN forwarding table to the CPU, port 0)
Router A sends a general query to the switch, which forwards the query to ports 2 through 5, which are all members of the same VLAN. Host 1 wants to join multicast group 224.1.2.3 and multicasts an IGMP membership report (IGMP join message) to the group.

If another host (for example, Host 4) sends an unsolicited IGMP join message for the same group (Figure 24-2), the CPU receives that message and adds the port number of Host 4 to the forwarding table as shown in Table 24-2. Note that because the forwarding table directs IGMP messages only to the CPU, the message is not flooded to other ports on the switch. Any known multicast traffic is forwarded to the group and not to the CPU.

Immediate Leave
Immediate Leave is only supported on IGMP Version 2 hosts. The switch uses IGMP snooping Immediate Leave to remove from the forwarding table an interface that sends a leave message without the switch sending group-specific queries to the interface. The VLAN interface is pruned from the multicast tree for the multicast group specified in the original leave message.

IGMP Snooping and Switch Stacks
IGMP snooping functions across the switch stack; that is, IGMP control information from one switch is distributed to all switches in the stack. (See Chapter 5, “Managing Switch Stacks,” for more information about switch stacks.) Regardless of the stack member through which IGMP multicast data enters the stack, the data reaches the hosts that have registered for that group.

Table 24-3 Default IGMP Snooping Configuration (continued)
Feature: Default Setting
IGMP snooping querier: Disabled
IGMP report suppression: Enabled
1. TCN = Topology Change Notification

Enabling or Disabling IGMP Snooping
By default, IGMP snooping is globally enabled on the switch. When globally enabled or disabled, it is also enabled or disabled in all existing VLAN interfaces.

Setting the Snooping Method
Multicast-capable router ports are added to the forwarding table for every Layer 2 multicast entry.

This example shows how to configure IGMP snooping to use CGMP packets as the learning method:
Switch# configure terminal
Switch(config)# ip igmp snooping vlan 1 mrouter learn cgmp
Switch(config)# end

Configuring a Multicast Router Port
To add a multicast router port (add a static connection to a multicast router), use the ip igmp snooping vlan mrouter global configuration command on the switch.

Configuring a Host Statically to Join a Group
Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure a host on an interface. Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group:
Step 1  configure terminal: Enter global configuration mode.

Step 4  show ip igmp snooping vlan vlan-id: Verify that Immediate Leave is enabled on the VLAN interface.
Step 5  copy running-config startup-config: (Optional) Save your entries in the configuration file.
To disable IGMP Immediate Leave on a VLAN, use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command.

Configuring TCN-Related Commands
These sections describe how to control flooded multicast traffic during a TCN event:
• Controlling the Multicast Flooding Time After a TCN Event, page 24-13
• Recovering from Flood Mode, page 24-13
• Disabling Multicast Flooding During a TCN Event, page 24-14
Controlling the Multicast Flooding Time After a TCN Event
You can control the time that multicast traffic is flooded after a TCN event by us

Beginning in privileged EXEC mode, follow these steps to enable the switch to send the global leave message whether or not it is the spanning-tree root:
Step 1  configure terminal: Enter global configuration mode.
Step 2  ip igmp snooping tcn query solicit: Send an IGMP leave message (global leave) to speed the process of recovering from the flood mode caused during a TCN event.

Configuring the IGMP Snooping Querier
Follow these guidelines when configuring the IGMP snooping querier:
• Configure the VLAN in global configuration mode.
• Configure an IP address on the VLAN interface. When enabled, the IGMP snooping querier uses the IP address as the query source address.

This example shows how to set the IGMP snooping querier source address to 10.0.0.64:
Switch# configure terminal
Switch(config)# ip igmp snooping querier 10.0.0.
Displaying IGMP Snooping Information
You can display IGMP snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for IGMP snooping. To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 24-4.

For more information about the keywords and options in these commands, see the command reference for this release.

Understanding Multicast VLAN Registration
Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service-provider network (for example, the broadcast of multiple television channels over a service-provider network).

Using MVR in a Multicast Television Application
In a multicast television application, a PC or a television with a set-top box can receive the multicast stream. Multiple set-top boxes or PCs can be connected to one subscriber port, which is a switch port configured as an MVR receiver port. Figure 24-3 is an example configuration. DHCP assigns an IP address to the set-top box or the PC.

When a subscriber changes channels or turns off the television, the set-top box sends an IGMP leave message for the multicast stream. The switch CPU sends a MAC-based general query through the receiver port VLAN. If there is another set-top box in the VLAN still subscribing to this group, that set-top box must respond within the maximum response time specified in the query.

Table 24-5 Default MVR Configuration (continued)
Feature: Default Setting
Interface (per port) default: Neither a receiver nor a source port
Immediate Leave: Disabled on all ports

MVR Configuration Guidelines and Limitations
Follow these guidelines when configuring MVR:
• Receiver ports can only be access ports; they cannot be trunk ports. Receiver ports on a switch can be in different VLANs, but should not belong to the multicast VLAN.

Step 3  mvr group ip-address [count]: Configure an IP multicast address on the switch or use the count parameter to configure a contiguous series of MVR group addresses (the range for count is 1 to 256; the default is 1). Any multicast data sent to this address is sent to all source ports on the switch and all receiver ports that have elected to receive data on that multicast address.

Step 3  interface interface-id: Specify the Layer 2 port to configure, and enter interface configuration mode.
Step 4  mvr type {source | receiver}: Configure an MVR port as one of these:
• source—Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN.

Displaying MVR Information
You can display MVR information for the switch or for a specified interface.

IGMP filtering is applicable only to the dynamic learning of IP multicast group addresses, not static configuration. With the IGMP throttling feature, you can set the maximum number of IGMP groups that a Layer 2 interface can join.

• permit: Specifies that matching addresses are permitted.
• range: Specifies a range of IP addresses for the profile. You can enter a single IP address or a range with a start and an end address.
The default is for the switch to have no IGMP profiles configured. When a profile is configured, if neither the permit nor deny keyword is included, the default is to deny access to the range of IP addresses.

Switch# show ip igmp profile 4
IGMP Profile 4
    permit
    range 229.9.9.0 229.9.9.0

Applying IGMP Profiles
To control access as defined in an IGMP profile, use the ip igmp filter interface configuration command to apply the profile to the appropriate interfaces. You can apply IGMP profiles only to Layer 2 access ports; you cannot apply IGMP profiles to routed ports or SVIs.

Beginning in privileged EXEC mode, follow these steps to set the maximum number of IGMP groups in the forwarding table:
Step 1  configure terminal: Enter global configuration mode.
Step 2  interface interface-id: Specify the interface to be configured, and enter interface configuration mode. The interface can be a Layer 2 port that does not belong to an EtherChannel group or an EtherChannel interface.

Beginning in privileged EXEC mode, follow these steps to configure the throttling action when the maximum number of entries is in the forwarding table:
Step 1  configure terminal: Enter global configuration mode.
Step 2  interface interface-id: Specify the physical interface to be configured, and enter interface configuration mode.
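The IGMP profile and throttling semantics described in this chapter (a profile permits or denies the ranges it lists, with deny as the default action; the throttle caps the number of groups a Layer 2 port can join dynamically), as an added example that is not Cisco code. Profile 4 from the show ip igmp profile output above is reproduced as sample input. The non-default throttling action, which this page does not name, is assumed here to be a replace action that evicts one randomly chosen existing group; the requirement that profile ranges be multicast addresses is my assumption as well.

```python
"""IGMP profile matching and IGMP throttling on a Layer 2 port.  Added
example, not Cisco code.  A profile permits or denies its listed ranges
(deny unless 'permit' is given); the throttle caps dynamically joined
groups and either drops further joins (deny, the default) or evicts a
random existing group (replace, an assumed non-default action)."""
import random
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple


@dataclass
class IgmpProfile:
    number: int
    permit: bool = False            # neither keyword given -> deny the listed ranges
    ranges: List[Tuple[IPv4Address, IPv4Address]] = field(default_factory=list)

    def add_range(self, start: str, end: Optional[str] = None) -> None:
        """'range start [end]'; a single address is a range of one."""
        a, b = IPv4Address(start), IPv4Address(end or start)
        if b < a:
            raise ValueError("range end precedes range start")
        if not (a.is_multicast and b.is_multicast):
            raise ValueError("IGMP profiles take multicast group addresses (assumed)")
        self.ranges.append((a, b))

    def allows(self, group: str) -> bool:
        g = IPv4Address(group)
        matched = any(a <= g <= b for a, b in self.ranges)
        return matched if self.permit else not matched


class Layer2Port:
    def __init__(self, name: str, profile: Optional[IgmpProfile] = None,
                 max_groups: Optional[int] = None, action: str = "deny", seed: int = 0):
        if action not in ("deny", "replace"):
            raise ValueError("action must be deny or replace")
        self.name, self.profile = name, profile
        self.max_groups, self.action = max_groups, action
        self.groups: Set[str] = set()         # dynamically learned groups only
        self._rng = random.Random(seed)       # seeded so the demo is reproducible

    def join(self, group: str) -> str:
        """Process an IGMP membership report from a host on this port."""
        if self.profile is not None and not self.profile.allows(group):
            return "denied by profile"
        if group in self.groups:
            return "already joined"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "dropped: maximum groups reached"
            victim = self._rng.choice(sorted(self.groups))
            self.groups.remove(victim)
            self.groups.add(group)
            return f"replaced {victim}"
        self.groups.add(group)
        return "joined"


if __name__ == "__main__":
    profile4 = IgmpProfile(4, permit=True)         # the page's 'show ip igmp profile 4'
    profile4.add_range("229.9.9.0")
    port = Layer2Port("Gi1/0/1", profile=profile4, max_groups=1)
    for g in ("229.9.9.0", "229.9.9.1", "239.1.1.1"):
        print(g, "->", port.join(g))
```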
CHAPTER 25 Configuring IPv6 MLD Snooping
You can use Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP Version 6 (IPv6) multicast data to clients and routers in a switched network on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.

Understanding MLD Snooping
MLD is a protocol used by IPv6 multicast routers to discover the presence of multicast listeners (nodes wishing to receive IPv6 multicast packets) on the links that are directly attached to the routers and to discover which multicast packets are of interest to neighboring nodes. MLD is derived from IGMP; MLD Version 1 (MLDv1) is equivalent to IGMPv2, and MLD Version 2 (MLDv2) is equivalent to IGMPv3.

MLD Messages
MLDv1 supports three types of messages:
• Listener Queries are the equivalent of IGMPv2 queries and are either General Queries or Multicast-Address-Specific Queries (MASQs).
• Multicast Listener Reports are the equivalent of IGMPv2 reports.
• Multicast Listener Done messages are the equivalent of IGMPv2 leave messages.
MLDv2 supports MLDv2 queries and reports, as well as MLDv1 Report and Done messages.

Multicast Router Discovery
Like IGMP snooping, MLD snooping performs multicast router discovery, with these characteristics:
• Ports configured by a user never age out.
• Dynamic port learning results from MLDv1 snooping queries and IPv6 PIMv2 packets.
• If there are multiple routers on the same Layer 2 interface, MLD snooping tracks a single multicast router on the port (the router that most recently sent a router control packet).

The number of MASQs generated is configured by using the ipv6 mld snooping last-listener-query count global configuration command. The default number is 2. The MASQ is sent to the IPv6 multicast address for which the Done message was sent.

Default MLD Snooping Configuration
Table 25-1 shows the default MLD snooping configuration.
Table 25-1 Default MLD Snooping Configuration
Feature: Default Setting
MLD snooping (Global): Disabled.
MLD snooping (per VLAN): Enabled. MLD snooping must be globally enabled for VLAN MLD snooping to take place.
IPv6 Multicast addresses: None configured.
IPv6 Multicast router ports: None configured.

Enabling or Disabling MLD Snooping
By default, IPv6 MLD snooping is globally disabled on the switch and enabled on all VLANs. When MLD snooping is globally disabled, it is also disabled on all VLANs. When you globally enable MLD snooping, the VLAN configuration overrides the global configuration. That is, MLD snooping is enabled only on VLAN interfaces in the default state (enabled).

Configuring a Static Multicast Group
Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure an IPv6 multicast address and member ports for a VLAN.

Beginning in privileged EXEC mode, follow these steps to add a multicast router port to a VLAN:
Step 1  configure terminal: Enter global configuration mode.
Step 2  ipv6 mld snooping vlan vlan-id mrouter interface interface-id: Specify the multicast router VLAN ID, and specify the interface to the multicast router.
• The VLAN ID range is 1 to 1001 and 1006 to 4094.

Configuring MLD Snooping Queries
When Immediate Leave is not enabled and a port receives an MLD Done message, the switch generates MASQs on the port and sends them to the IPv6 multicast address for which the Done message was sent. You can optionally configure the number of MASQs that are sent and the length of time the switch waits for a response before deleting the port from the multicast group.
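The Layer 2 multicast forwarding table that IGMP snooping (Chapter 24, Figures 24-1 and 24-2 and the Immediate Leave description) and MLD snooping (the Done and MASQ handling just above) both maintain, as one added example that is not Cisco code: a report adds the host's port to the group, a leave or Done message either prunes the port at once under Immediate Leave or starts the configured number of group-specific queries (2 by default, as the text states) and removes the port only when they all go unanswered. Multicast router ports always receive group traffic. The treatment of an unknown group as "no entry, flood in the VLAN", the port names and the group addresses are constructed for the example.

```python
"""Layer 2 multicast forwarding table as maintained by IGMP or MLD snooping.
Added example, not Cisco code.  Reports add a member port; a leave (IGMPv2)
or Done (MLDv1) removes it at once under Immediate Leave, otherwise after
the configured number of group-specific queries (MASQs) goes unanswered.
Unknown groups return None, meaning the entry does not exist (assumption)."""
from typing import Dict, Optional, Set, Tuple


class SnoopingTable:
    def __init__(self, mrouter_ports: Set[str], immediate_leave: bool = False,
                 last_listener_query_count: int = 2):
        self.mrouter_ports = set(mrouter_ports)        # always receive group traffic
        self.immediate_leave = immediate_leave
        self.query_count = last_listener_query_count   # default 2, as in the text
        self.groups: Dict[str, Set[str]] = {}          # group address -> member ports
        self.pending: Dict[Tuple[str, str], int] = {}  # (group, port) -> queries outstanding

    def forward_ports(self, group: str) -> Optional[Set[str]]:
        """Ports that receive traffic for a known group; None when no entry exists."""
        members = self.groups.get(group)
        if members is None:
            return None
        return members | self.mrouter_ports

    def report(self, group: str, port: str) -> Set[str]:
        """Membership report (join) from a host on `port`.  Reports go to the CPU,
        which adds the port; they are not flooded to other host ports."""
        self.groups.setdefault(group, set()).add(port)
        self.pending.pop((group, port), None)      # a report answers any outstanding query
        return self.forward_ports(group)

    def done(self, group: str, port: str, igmp_version: int = 2) -> str:
        """Leave (IGMPv2) or Done (MLDv1, the IGMPv2 equivalent) from a host on `port`.
        Immediate Leave applies only to version 2 hosts."""
        if group not in self.groups or port not in self.groups[group]:
            return "ignored: port is not a member"
        if self.immediate_leave and igmp_version == 2:
            self._remove(group, port)
            return "pruned"
        self.pending[(group, port)] = self.query_count
        return f"queued {self.query_count} group-specific queries"

    def query_timeout(self, group: str, port: str) -> bool:
        """One group-specific query expired unanswered; True once the port is removed."""
        left = self.pending.get((group, port))
        if left is None:
            return False
        left -= 1
        if left > 0:
            self.pending[(group, port)] = left
            return False
        del self.pending[(group, port)]
        self._remove(group, port)
        return True

    def _remove(self, group: str, port: str) -> None:
        members = self.groups.get(group)
        if members is not None:
            members.discard(port)
            if not members:
                del self.groups[group]    # no listeners left; the entry goes away


if __name__ == "__main__":
    table = SnoopingTable(mrouter_ports={"Gi1/0/1"})       # constructed topology
    print(table.report("224.1.2.3", "Gi1/0/2"))            # Host 1 joins
    print(table.report("224.1.2.3", "Gi1/0/5"))            # Host 4 joins
    print(table.done("224.1.2.3", "Gi1/0/2"))              # Host 1 leaves; queries start
    for _ in range(2):
        print(table.query_timeout("224.1.2.3", "Gi1/0/2"), table.forward_ports("224.1.2.3"))
```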
This example shows how to set the MLD snooping global robustness variable to 3:
Switch# configure terminal
Switch(config)# ipv6 mld snooping robustness-variable 3
Switch(config)# exit
This example shows how to set the MLD snooping last-listener query count for a VLAN to 3:
Switch# configure terminal
Switch(config)# ipv6 mld snooping vlan 200 last-listener-query-count 3
Switch(config)# exit
This example shows how to set the MLD

Table 25-2 Commands for Displaying MLD Snooping Information
Command: Purpose
show ipv6 mld snooping [vlan vlan-id]: Display the MLD snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.
C H A P T E R 26 Configuring Port-Based Traffic Control This chapter describes how to configure the port-based traffic control features on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 26 Configuring Port-Based Traffic Control Configuring Storm Control Storm control uses one of these methods to measure traffic activity: • Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic • Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received • Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received With each method, the p
Chapter 26 Configuring Port-Based Traffic Control Configuring Storm Control You use the storm-control interface configuration commands to set the threshold value for each traffic type. Default Storm Control Configuration By default, unicast, broadcast, and multicast storm control are disabled on the switch interfaces; that is, the suppression level is 100 percent.
Chapter 26 Configuring Port-Based Traffic Control Configuring Storm Control Command Purpose Step 3 storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]} Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled. The keywords have these meanings: • For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage (up to two decimal places) of the bandwidth.
Chapter 26 Configuring Port-Based Traffic Control Configuring Protected Ports Command Purpose Step 6 show storm-control [interface-id] [broadcast | multicast | unicast] Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Blocking Protected Port Configuration Guidelines You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group. Do not configure a private-VLAN port as a protected port. Do not configure a protected port as a private-VLAN port.
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security Default Port Blocking Configuration The default is to not block flooding of unknown multicast and unicast traffic out of a port, but to flood these packets to all ports. Blocking Flooded Traffic on an Interface Note The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security These sections contain this conceptual and configuration information: • Understanding Port Security, page 26-8 • Default Port Security Configuration, page 26-10 • Port Security Configuration Guidelines, page 26-10 • Enabling and Configuring Port Security, page 26-12 • Enabling and Configuring Port Security Aging, page 26-16 • Port Security and Switch Stacks, page 26-17 • Port Security and Private VLANs, page 26-17 U
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration. The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system. This number is determined by the active Switch Database Management (SDM) template.
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security Table 26-1 Security Violation Mode Actions
Violation Mode | Traffic is forwarded(1) | Sends SNMP trap | Sends syslog message | Displays error message(2) | Violation counter increments | Shuts down port
protect | No | No | No | No | No | No
restrict | No | Yes | Yes | No | Yes | No
shutdown | No | Yes | Yes | No | Yes | Yes
shutdown vlan | No | Yes | Yes | No | Yes | No(3)
1.
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security • A secure port cannot be a private-VLAN port. • When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN.
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security Enabling and Configuring Port Security Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode.
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security Command Purpose Step 7 switchport port-security violation {protect | restrict | shutdown | shutdown vlan} (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these: • protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security Command Purpose Step 8 switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}] (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table. All addresses are now dynamically learned.
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security Switch(config-if)# Switch(config-if)# Switch(config-if)# Switch(config-if)# Switch(config-if)# switchport switchport switchport switchport switchport port-security port-security port-security port-security port-security mac-address 0000.0000.0003 mac-address sticky 0000.0000.0001 vlan voice mac-address 0000.0000.
Chapter 26 Configuring Port-Based Traffic Control Configuring Port Security To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command. To disable aging for only statically configured secure addresses, use the no switchport port-security aging static interface configuration command.
Chapter 26 Configuring Port-Based Traffic Control Displaying Port-Based Traffic Control Settings
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport port-security maximum 288
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security violation restrict
Note Ports that have both port security and private VLANs configured can be labeled secure PVLAN ports.
C H A P T E R 27 Configuring CDP This chapter describes how to configure Cisco Discovery Protocol (CDP) on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Chapter 27 Configuring CDP Configuring CDP CDP and Switch Stacks A switch stack appears as a single switch in the network. Therefore, CDP discovers the switch stack, not the individual stack members. The switch stack sends CDP messages to neighboring network devices when there are changes to the switch stack membership, such as stack members being added or removed.
Chapter 27 Configuring CDP Configuring CDP Command Purpose Step 3 cdp holdtime seconds (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is 10 to 255 seconds; the default is 180 seconds. Step 4 cdp advertise-v2 (Optional) Configure CDP to send Version-2 advertisements. This is the default state. Step 5 end Return to privileged EXEC mode. Step 6 show cdp Verify your settings.
Chapter 27 Configuring CDP Configuring CDP This example shows how to enable CDP if it has been disabled. Switch# configure terminal Switch(config)# cdp run Switch(config)# end Disabling and Enabling CDP on an Interface CDP is enabled by default on all supported interfaces to send and to receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on a port: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 27 Configuring CDP Monitoring and Maintaining CDP Monitoring and Maintaining CDP To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode. Command Description clear cdp counters Reset the traffic counters to zero. clear cdp table Delete the CDP table of information about neighbors. show cdp Display global information, such as frequency of transmissions and the holdtime for packets being sent.
Chapter 27 Configuring CDP Monitoring and Maintaining CDP Catalyst 3750-E and 3560-E Switch Software Configuration Guide 27-6 OL-9775-02
CH A P T E R 28 Configuring LLDP and LLDP-MED This chapter describes how to configure the Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (LLDP-MED) on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Chapter 28 Configuring LLDP and LLDP-MED Understanding LLDP and LLDP-MED LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes contain type, length, and value descriptions and are referred to as TLVs. LLDP supported devices can use TLVs to receive and send information to their neighbors. Details such as configuration information, device capabilities, and device identity can be advertised using this protocol. The switch supports these basic management TLVs.
Chapter 28 Configuring LLDP and LLDP-MED Configuring LLDP and LLDP-MED Note LLDP and LLDP-MED cannot operate simultaneously in a network. By default, a network device sends only LLDP packets until it receives LLDP-MED packets from an endpoint device. The network device then sends out LLDP-MED packets until it receives LLDP-only packets.
Chapter 28 Configuring LLDP and LLDP-MED Configuring LLDP and LLDP-MED Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 lldp holdtime seconds (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is 0 to 65535 seconds; the default is 120 seconds. Step 3 lldp reinit (Optional) Specify the delay time in seconds for LLDP to initialize on any interface.
Chapter 28 Configuring LLDP and LLDP-MED Configuring LLDP and LLDP-MED This example shows how to disable LLDP. Switch# configure terminal Switch(config)# no lldp run Switch(config)# end This example shows how to enable LLDP. Switch# configure terminal Switch(config)# lldp run Switch(config)# end Disabling and Enabling LLDP on an Interface LLDP is enabled by default on all supported interfaces to send and to receive LLDP information.
Chapter 28 Configuring LLDP and LLDP-MED Configuring LLDP and LLDP-MED Configuring LLDP-MED TLVs By default, the switch only sends LLDP packets until it receives LLDP-MED packets from the end device. The device continues to send LLDP-MED packets until it receives LLDP packets only.
Chapter 28 Configuring LLDP and LLDP-MED Monitoring and Maintaining LLDP and LLDP-MED Monitoring and Maintaining LLDP and LLDP-MED To monitor and maintain LLDP and LLDP-MED on your device, perform one or more of these tasks, beginning in privileged EXEC mode. Command Description clear lldp counters Reset the traffic counters to zero. clear lldp table Delete the LLDP table of information about neighbors.
C H A P T E R 29 Configuring UDLD This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 29 Configuring UDLD Understanding UDLD A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device. In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection.
Chapter 29 Configuring UDLD Configuring UDLD • Event-driven detection and echoing UDLD relies on echoing as its detection mechanism. Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out-of-sync neighbor, it restarts the detection window on its side of the connection and sends echo messages in reply. Because this behavior is the same on all UDLD neighbors, the sender of the echoes expects to receive an echo in reply.
Chapter 29 Configuring UDLD Configuring UDLD • Enabling UDLD on an Interface, page 29-6 • Resetting an Interface Disabled by UDLD, page 29-6 Default UDLD Configuration Table 29-1 shows the default UDLD configuration.
Chapter 29 Configuring UDLD Configuring UDLD Enabling UDLD Globally Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch and all members in the switch stack: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 29 Configuring UDLD Configuring UDLD Enabling UDLD on an Interface Beginning in privileged EXEC mode, follow these steps either to enable UDLD in the aggressive or normal mode or to disable UDLD on a port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be enabled for UDLD, and enter interface configuration mode. Step 3 udld port [aggressive] UDLD is disabled by default.
Chapter 29 Configuring UDLD Displaying UDLD Status Displaying UDLD Status To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
C H A P T E R 30 Configuring SPAN and RSPAN This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 30 Configuring SPAN and RSPAN Understanding SPAN and RSPAN These sections contain this conceptual information: • Local SPAN, page 30-2 • Remote SPAN, page 30-3 • SPAN and RSPAN Concepts and Terminology, page 30-4 • SPAN and RSPAN Interaction with Other Features, page 30-9 • SPAN and RSPAN and Switch Stacks, page 30-10 Local SPAN Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports are in the same switch or switch stack.
Chapter 30 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Figure 30-2 Example of Local SPAN Configuration on a Switch Stack (figure: a Catalyst 3750-E switch stack of Switch 1, Switch 2, and Switch 3 joined by StackWise Plus port connections; port 4 on switch 1 (1/0/4) is mirrored on port 15 on switch 2 (2/0/15), where the network analyzer is attached.) Remote SPAN RSPAN supports source ports, source VLANs, and destination ports on different switches (or different switch stacks), enabling remote monitoring of multiple switches a
Chapter 30 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Figure 30-3 Example of RSPAN Configuration (figure: RSPAN source session A on Switch A and RSPAN source session B on Switch B, each with RSPAN source ports, carry traffic over the RSPAN VLAN through intermediate switches, which must support RSPAN, to the RSPAN destination session and RSPAN destination ports on Switch C.) SPAN and RSPAN Concepts and Terminology This section describes concepts and terminology associated with SPAN and RSPAN configuration.
Chapter 30 Configuring SPAN and RSPAN Understanding SPAN and RSPAN An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed over normal trunk ports to the destination switch. An RSPAN destination session takes all packets received on the RSPAN VLAN, strips off the VLAN tagging, and presents them on the destination port.
Chapter 30 Configuring SPAN and RSPAN Understanding SPAN and RSPAN • Transmit (Tx) SPAN—The goal of transmit (or egress) SPAN is to monitor as much as possible all the packets sent by the source interface after all modification and processing is performed by the switch. A copy of each packet sent by the source is sent to the destination port for that SPAN session. The copy is provided after the packet is modified.
Chapter 30 Configuring SPAN and RSPAN Understanding SPAN and RSPAN A source port has these characteristics: • It can be monitored in multiple SPAN sessions. • Each source port can be configured with a direction (ingress, egress, or both) to monitor. • It can be any port type (for example, EtherChannel, Gigabit Ethernet, and so forth). • For EtherChannel sources, you can monitor traffic for the entire EtherChannel or individually on a physical port as it participates in the port channel.
Chapter 30 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Destination Port Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user, usually a network analyzer. A destination port has these characteristics: • For a local SPAN session, the destination port must reside on the same switch or switch stack as the source port.
Chapter 30 Configuring SPAN and RSPAN Understanding SPAN and RSPAN RSPAN VLAN The RSPAN VLAN carries SPAN traffic between RSPAN source and destination sessions. It has these special characteristics: • All traffic in the RSPAN VLAN is always flooded. • No MAC address learning occurs on the RSPAN VLAN. • RSPAN VLAN traffic only flows on trunk ports. • RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN configuration mode command.
Chapter 30 Configuring SPAN and RSPAN Configuring SPAN and RSPAN A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and still be a part of the EtherChannel. In this case, data from the physical port is monitored as it participates in the EtherChannel. However, if a physical port that belongs to an EtherChannel group is configured as a SPAN destination, it is removed from the group.
Chapter 30 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Default SPAN and RSPAN Configuration Table 30-1 shows the default SPAN and RSPAN configuration. Table 30-1 Default SPAN and RSPAN Configuration Feature Default Setting SPAN state (SPAN and RSPAN) Disabled. Source port traffic to monitor Both received and sent traffic (both). Encapsulation type (destination port) Native form (untagged packets).
Chapter 30 Configuring SPAN and RSPAN Configuring SPAN and RSPAN • You can limit SPAN traffic to specific VLANs by using the filter vlan keyword. If a trunk port is being monitored, only traffic on the VLANs specified with this keyword is monitored. By default, all VLANs are monitored on a trunk port. • You cannot mix source VLANs and filter VLANs within a single SPAN session.
Chapter 30 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Command Purpose Step 4 monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]} Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in step 3. Note For local SPAN, you must use the same session number for the source and destination interfaces. For interface-id, specify the destination port.
Chapter 30 Configuring SPAN and RSPAN Configuring SPAN and RSPAN This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination Gigabit Ethernet port 2. The configuration is then modified to also monitor all traffic on all ports belonging to VLAN 10.
Chapter 30 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Command Purpose Step 5 end Return to privileged EXEC mode. Step 6 show monitor [session session_number] or show running-config Verify the configuration. Step 7 copy running-config startup-config (Optional) Save the configuration in the configuration file. To delete a SPAN session, use the no monitor session session_number global configuration command.
Chapter 30 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Command Purpose Step 5 monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]} Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3. For interface-id, specify the destination port. The destination interface must be a physical port; it cannot be an EtherChannel, and it cannot be a VLAN.
Chapter 30 Configuring SPAN and RSPAN Configuring SPAN and RSPAN • You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets. Specify these ACLs on the RSPAN VLAN in the RSPAN source switches. • For RSPAN configuration, you can distribute the source ports and the destination ports across multiple switches in your network. • RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols.
Chapter 30 Configuring SPAN and RSPAN Configuring SPAN and RSPAN To remove the remote SPAN characteristic from a VLAN and convert it back to a normal VLAN, use the no remote-span VLAN configuration command. This example shows how to create RSPAN VLAN 901.
Chapter 30 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Command Purpose Step 6 show monitor [session session_number] or show running-config Verify the configuration. Step 7 copy running-config startup-config (Optional) Save the configuration in the configuration file. To delete a SPAN session, use the no monitor session session_number global configuration command.
Chapter 30 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Command Purpose Step 7 monitor session session_number destination interface interface-id Specify the RSPAN session and the destination interface. For session_number, enter the number defined in Step 6. In an RSPAN destination session, you must use the same session number for the source RSPAN VLAN and the destination port. For interface-id, specify the destination interface. The destination interface must be a physical interface.
Chapter 30 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Command Purpose Step 4 monitor session session_number destination {interface interface-id [, | -] [ingress {dot1q vlan vlan-id | isl | untagged Specify the SPAN session, the destination port, the packet encapsulation, and the incoming VLAN and encapsulation. For session_number, enter the number defined in Step 4.
Chapter 30 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Specifying VLANs to Filter Beginning in privileged EXEC mode, follow these steps to configure the RSPAN source session to limit RSPAN source traffic to specific VLANs: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no monitor session {session_number | all | local | remote} Remove any existing SPAN configuration for the session. For session_number, the range is 1 to 66.
Chapter 30 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status Displaying SPAN and RSPAN Status To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
C H A P T E R 31 Configuring RMON This chapter describes how to configure Remote Network Monitoring (RMON) on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes.
Chapter 31 Configuring RMON Configuring RMON Figure 31-1 Remote Monitoring Example (figure: a network management station running a generic RMON console application, with RMON alarms and events configured and SNMP configured, monitors a switch that has RMON history and statistic collection enabled and serves groups of workstations.)
Chapter 31 Configuring RMON Configuring RMON Default RMON Configuration RMON is disabled by default; no alarms or events are configured. Configuring RMON Alarms and Events You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station. We recommend that you use a generic RMON console application on the network management station (NMS) to take advantage of the RMON network management capabilities.
Chapter 31 Configuring RMON Configuring RMON Command Purpose Step 3 rmon event number [description string] [log] [owner string] [trap community] Add an event in the RMON event table that is associated with an RMON event number. • For number, assign an event number. The range is 1 to 65535. • (Optional) For description string, specify a description of the event. • (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.
Chapter 31 Configuring RMON Configuring RMON Collecting Group History Statistics on an Interface You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 31 Configuring RMON Displaying RMON Status Command Purpose Step 3 rmon collection stats index [owner ownername] Enable RMON statistic collection on the interface. • For index, specify the RMON group of statistics. The range is from 1 to 65535. • (Optional) For owner ownername, enter the name of the owner of the RMON group of statistics. Step 4 end Return to privileged EXEC mode. Step 5 show running-config Verify your entries.
C H A P T E R 32 Configuring System Message Logging This chapter describes how to configure system message logging on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Chapter 32 Configuring System Message Logging Configuring System Message Logging You can access logged system messages by using the switch command-line interface (CLI) or by saving them to a properly configured syslog server. The switch software saves syslog messages in an internal buffer on a standalone switch, and in the case of a switch stack, on the stack master. If a standalone switch or the stack master fails, the log is lost unless you had saved it to flash memory.
Chapter 32 Configuring System Message Logging Configuring System Message Logging Table 32-1 describes the elements of syslog messages. Table 32-1 System Log Message Elements Element Description seq no: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages” section on page 32-8. Date and time of the message or event.
Chapter 32 Configuring System Message Logging Configuring System Message Logging
*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
18:47:02: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
*Mar 1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
Default System Message Logging Configuration Table 32-2 shows the default system message logging configuration.
Chapter 32 Configuring System Message Logging Configuring System Message Logging Disabling the logging process can slow down the switch because a process must wait until the messages are written to the console before continuing. When the logging process is disabled, messages appear on the console as soon as they are produced, often appearing in the middle of command output. The logging synchronous global configuration command also affects the display of messages to the console.
Chapter 32 Configuring System Message Logging Configuring System Message Logging Command Purpose Step 4 logging file flash:filename [max-file-size [min-file-size]] [severity-level-number | type] Store log messages in a file in flash memory on a standalone switch or, in the case of a switch stack, on the stack master. • For filename, enter the log message filename. • (Optional) For max-file-size, specify the maximum logging file size. The range is 4096 to 2147483647. The default is 4096 bytes.
Chapter 32 Configuring System Message Logging Configuring System Message Logging Beginning in privileged EXEC mode, follow these steps to configure synchronous logging. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 line [console | vty] line-number [ending-line-number] Specify the line to be configured for synchronous logging of messages.
Chapter 32 Configuring System Message Logging Configuring System Message Logging Enabling and Disabling Time Stamps on Log Messages By default, log messages are not time-stamped. Beginning in privileged EXEC mode, follow these steps to enable time-stamping of log messages. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 service timestamps log uptime Enable log time stamps.
Chapter 32 Configuring System Message Logging Configuring System Message Logging Command Purpose Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable sequence numbers, use the no service sequence-numbers global configuration command. This example shows part of a logging display with sequence numbers enabled: 000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.
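Added example, not part of this guide: a Python parser for the three message shapes this chapter shows (uptime timestamp, datetime timestamp with milliseconds and time zone, and the seq no: prefix), with the standard IOS severity-level names, a check that flags SYS-5-CONFIG_I configuration changes made from outside a management subnet, and a check for gaps in the sequence-number counter. The sample lines beyond the chapter's own, the 192.0.2.77 host and the 10.34.0.0/16 management network are constructed assumptions.

```python
"""Parse the Cisco IOS syslog message shapes shown in this chapter and run two
defender-side checks: configuration changes from outside a management network,
and gaps in the service sequence-numbers counter (lost or overwritten messages)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Standard Cisco IOS severity levels, 0 = most severe (the Table 32-3 keywords).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# One pattern for every shape on the page: optional "seq no:" prefix
# (service sequence-numbers), optional timestamp (uptime or datetime, with a
# leading "*" when the clock is not authoritative, optional milliseconds and
# time zone), then %FACILITY-SEVERITY-MNEMONIC: message text.
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>\*?[^%]*?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# Body of SYS-5-CONFIG_I; the host in parentheses is absent for console logins.
CONFIG_I_RE = re.compile(
    r"Configured from (?P<source>\S+) by (?P<line>\S+)(?: \((?P<host>[0-9.]+)\))?"
)


@dataclass
class IosSyslogMessage:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_line(line: str) -> Optional[IosSyslogMessage]:
    """Return the parsed message, or None for a line that is not IOS syslog."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return IosSyslogMessage(
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
    )


def config_changes_outside(lines: List[str], allowed_cidr: str) -> List[str]:
    """Hosts that produced SYS-5-CONFIG_I from outside allowed_cidr.
    Console sessions carry no host and are not reported."""
    allowed = ipaddress.ip_network(allowed_cidr)
    offenders = []
    for line in lines:
        msg = parse_line(line)
        if msg is None or (msg.facility, msg.mnemonic) != ("SYS", "CONFIG_I"):
            continue
        body = CONFIG_I_RE.search(msg.text)
        if body is None or body["host"] is None:
            continue
        if ipaddress.ip_address(body["host"]) not in allowed:
            offenders.append(body["host"])
    return offenders


def missing_sequence_numbers(lines: List[str]) -> List[int]:
    """Sequence numbers absent between the lowest and highest seen."""
    seen = {m.seq for m in map(parse_line, lines) if m and m.seq is not None}
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


# Constructed sample: the first four lines are the chapter's own examples, the
# rest are made up here (192.0.2.0/24 is documentation address space).
SAMPLE_LINES = [
    "*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "18:47:02: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "*Mar 1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "000020: *Mar 1 18:50:07.101 UTC: %SYS-5-CONFIG_I: Configured from console by vty3 (192.0.2.77)",
    "000021: *Mar 1 18:50:30.000 UTC: %SYS-5-CONFIG_I: Configured from console by console",
    "000023: *Mar 1 18:51:00.000 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to down",
]

if __name__ == "__main__":
    print(config_changes_outside(SAMPLE_LINES, "10.34.0.0/16"))
    print(missing_sequence_numbers(SAMPLE_LINES))
```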
Chapter 32 Configuring System Message Logging Configuring System Message Logging Table 32-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.
Chapter 32 Configuring System Message Logging Configuring System Message Logging Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 logging history level(1) Change the default level of syslog messages stored in the history file and sent to the SNMP server. See Table 32-3 on page 32-10 for a list of level keywords.
Chapter 32 Configuring System Message Logging Configuring System Message Logging Beginning in privileged EXEC mode, follow these steps to enable configuration logging: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 archive Enter archive configuration mode. Step 3 log config Enter configuration-change logger configuration mode. Step 4 logging enable Enable configuration change logging.
Chapter 32 Configuring System Message Logging Configuring System Message Logging Log in as root, and perform these steps: Note Step 1 Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network. If this is the case with your system, use the UNIX man syslogd command to decide what options must be added to or removed from the syslog command line to enable logging of remote syslog messages. Add a line such as the following to the file /etc/syslog.conf: local7.
Chapter 32 Configuring System Message Logging Displaying the Logging Configuration Command Purpose Step 6 show running-config Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a syslog server, use the no logging host global configuration command, and specify the syslog server IP address. To disable logging to syslog servers, enter the no logging trap global configuration command.
CHAPTER 33 Configuring SNMP

This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.

Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.

Chapter 33 Configuring SNMP / Understanding SNMP

These sections contain this conceptual information:
• SNMP Versions, page 33-2
• SNMP Manager Functions, page 33-3
• SNMP Agent Functions, page 33-4
• SNMP Community Strings, page 33-4
• Using SNMP to Access MIB Variables, page 33-4
• SNMP Notifications, page 33-5
• SNMP ifIndex MIB Object Values, page 33-6

SNMP Versions

This software release supports these SNMP versions:
• SNMPv1—The Simple Network Management Protocol, a Full Internet Standar

Table 33-1 identifies the characteristics of the different combinations of security models and levels.

Table 33-1 SNMP Security Models and Levels
Model    Level         Authentication    Encryption  Result
SNMPv1   noAuthNoPriv  Community string  No          Uses a community string match for authentication.
SNMPv2C  noAuthNoPriv  Community string  No          Uses a community string match for authentication.

SNMP Agent Functions

The SNMP agent responds to SNMP manager requests as follows:
• Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.
• Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.

As shown in Figure 33-1, the SNMP agent gathers data from the MIB. The agent can send traps, or notification of certain events, to the SNMP manager, which receives and processes the traps. Traps alert the SNMP manager to a condition on the network such as improper user authentication, restarts, link status (up or down), MAC address tracking, and so forth.

Chapter 33 Configuring SNMP / Configuring SNMP

SNMP ifIndex MIB Object Values

In an NMS, the IF-MIB generates and assigns an interface index (ifIndex) object value that is a unique number greater than zero to identify a physical or a logical interface. When the switch reboots or the switch software is upgraded, the switch uses this same value for the interface. For example, if the switch assigns a port 2 an ifIndex value of 10003, this value is the same after the switch reboots.

Default SNMP Configuration

Table 33-4 shows the default SNMP configuration.

Table 33-4 Default SNMP Configuration
Feature                Default Setting
SNMP agent             Disabled (footnote 1).
SNMP trap receiver     None configured.
SNMP traps             None enabled except the trap for TCP connections (tty).
SNMP version           If no version keyword is present, the default is Version 1.
SNMPv3 authentication  If no keyword is entered, the default is the noauth (noAuthNoPriv) security level.

invalid, and you need to reconfigure SNMP users by using the snmp-server user username global configuration command. Similar restrictions require the reconfiguration of community strings when the engine ID changes.

Disabling the SNMP Agent

Beginning in privileged EXEC mode, follow these steps to disable the SNMP agent:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  no snmp-server
        Disable the SNMP agent operation.

Beginning in privileged EXEC mode, follow these steps to configure a community string on the switch:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  snmp-server community string [view view-name] [ro | rw] [access-list-number]
        Configure the community string.

This example shows how to assign the string comaccess to SNMP, to allow read-only access, and to specify that IP access list 4 can use the community string to gain access to the switch SNMP agent:

Switch(config)# snmp-server community comaccess ro 4

Configuring SNMP Groups and Users

You can specify an identification name (engine ID) for the local or remote SNMP server engine on the switch.

Command / Purpose
Step 3  snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
        Configure a new SNMP group on the remote device.
        • For groupname, specify the name of the group.
        • Specify a security model:
          – v1 is the least secure of the possible security models.
          – v2c is the second least secure model. It allows transmission of informs and integers twice the normal width.
Step 4  snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]}
        Add a new user for an SNMP group.
        • The username is the name of the user on the host that connects to the agent.
        • The groupname is the name of the group to which the user is associated.
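As an added example (my own, not from the guide or from Cisco), the following Python audit reads the snmp-server community and snmp-server group lines of a saved running configuration and flags the weak combinations that Table 33-1 and the community-string syntax above describe: v1 and v2c groups and community strings, which authenticate by a string match only and carry no encryption; rw community strings; community strings not restricted by an access list; and v3 groups configured below priv. The configuration text is constructed, the finding codes are the example's own names, and the treatment of an omitted ro/rw keyword as read-only is IOS behaviour I am relying on rather than something this page states.

```python
"""Audit SNMP community and group lines in a Cisco IOS running-config (added example)."""
import re

# snmp-server community string [view view-name] [ro | rw] [access-list-number]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<string>\S+)"
    r"(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>ro|rw))?"
    r"(?: (?P<acl>\S+))?$"
)
# snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [...]
GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) (?P<model>v1|v2c|v3)"
    r"(?: (?P<level>auth|noauth|priv))?"
)
WELL_KNOWN = {"public", "private"}   # constructed list of strings worth flagging


def audit_snmp(config_text):
    """Return a list of (finding_code, config_line) tuples; an empty list is a clean config."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            # Assumption: IOS treats an omitted ro/rw keyword as read-only.
            mode = m.group("mode") or "ro"
            if mode == "rw":
                findings.append(("RW_COMMUNITY", line))      # write access by string match only
            if not m.group("acl"):
                findings.append(("NO_ACL", line))            # any source may present the string
            if m.group("string").lower() in WELL_KNOWN:
                findings.append(("WELL_KNOWN_STRING", line))
            continue
        g = GROUP_RE.match(line)
        if g:
            if g.group("model") in ("v1", "v2c"):
                # Table 33-1: noAuthNoPriv, community string authentication, no encryption
                findings.append(("V1_V2C_GROUP", line))
            elif g.group("level") != "priv":
                findings.append(("V3_NO_PRIV", line))        # authenticated but not encrypted
    return findings


# Constructed configuration fragment, not taken from any real device.
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
snmp-server community comaccess ro 4
snmp-server group LEGACY v2c
snmp-server group ADMIN v3 priv read V3READ
snmp-server group OPS v3 auth
"""

if __name__ == "__main__":
    for code, line in audit_snmp(SAMPLE_CONFIG):
        print(f"{code:18} {line}")
```

Run against the constructed fragment, only the comaccess string with access list 4 and the ADMIN v3 priv group pass without a finding, which is the combination the page's own examples use.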
Table 33-5 Switch Notification Types (continued)
Notification Type Keyword  Description
cluster       Generates a trap when the cluster configuration changes.
config        Generates a trap for SNMP configuration changes.
copy-config   Generates a trap for SNMP copy configuration changes.
entity        Generates a trap for SNMP entity changes.
envmon        Generates environmental monitor traps.

Note Though visible in the command-line help strings, the cpu [threshold] keyword is not supported on the Catalyst 3750-E switch. Though visible in the command-line help strings, the cpu [threshold], fru-ctrl, insertion, and removal keywords are not supported on the Catalyst 3560-E switch.

Command / Purpose
Step 6  snmp-server enable traps notification-types
        Enable the switch to send traps or informs and specify the type of notifications to be sent. For a list of notification types, see Table 33-5 on page 33-12, or enter snmp-server enable traps ?
        To enable multiple types of traps, you must enter a separate snmp-server enable traps command for each trap type.

Limiting TFTP Servers Used Through SNMP

Beginning in privileged EXEC mode, follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  snmp-server tftp-server-list access-list-number
        Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list.

Chapter 33 Configuring SNMP / Displaying SNMP Status

This example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.

Switch(config)# snmp-server community comaccess ro 4
Switch(config)# snmp-server enable traps snmp authentication
Switch(config)# snmp-server host cisco.

Catalyst 3750-E and 3560-E Switch Software Configuration Guide 33-18 OL-9775-02
CHAPTER 34 Configuring Network Security with ACLs

This chapter describes how to configure network security on the Catalyst 3750-E or 3560-E switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.

Note Information in this chapter about IP ACLs is specific to IP Version 4 (IPv4).

Chapter 34 Configuring Network Security with ACLs / Understanding ACLs

You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces.

• When an output router ACL and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL. Other packets are not filtered.
• When a VLAN map, input router ACL, and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL.

Figure 34-1 Using ACLs to Control Traffic to a Network (figure: Host A, Host B, Research & Development network, Human Resources network; ACL denying traffic from Host B and permitting traffic from Host A)

When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.

As with port ACLs, the switch examines ACLs associated with features configured on a given interface. However, router ACLs are supported in both directions. As packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface are examined.

• Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information.

Consider access list 102, configured with these commands, applied to three fragmented packets:

Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
Switch(config)# access-list 102 deny tcp any host 10.1.1.
Chapter 34 Configuring Network Security with ACLs / Configuring IPv4 ACLs

Stack members perform these ACL functions:
• They receive the ACL information from the master switch and program their hardware.
• They act as standby switches, ready to take over the role of the stack master if the existing master were to fail and they were to be elected as the new stack master.

When a stack master fails and a new stack master is elected, the newly elected master reparses the backed up running configuration.

Creating Standard and Extended IPv4 ACLs

This section describes IP ACLs. An ACL is a sequential collection of permit and deny conditions. One by one, the switch tests packets against the conditions in an access list. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of the conditions is critical.

Table 34-1 Access List Numbers (continued)
Access List Number  Type                                      Supported
1200–1299           IPX summary address access list           No
1300–1999           IP standard access list (expanded range)  Yes
2000–2699           IP extended access list (expanded range)  Yes

Note In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs by using the supported numbers.

Creating a Numbered Standard ACL

Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  access-list access-list-number {deny | permit} source [source-wildcard] [log]
        Define a standard IPv4 access list by using a source address and source wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.

The switch always rewrites the order of standard access lists so that entries with host matches and entries with matches having a don’t care mask of 0.0.0.0 are moved to the top of the list, above any entries with non-zero don’t care masks. Therefore, in show command output and in the configuration file, the ACEs do not necessarily appear in the order in which they were entered.

Beginning in privileged EXEC mode, follow these steps to create an extended ACL:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.

or

Step 2b  access-list access-list-number {deny | permit} protocol any any [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]
         In access-list configuration mode, define an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.

Step 2d  access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]
         (Optional) Define an extended ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol.

After creating a numbered extended ACL, you can apply it to terminal lines (see the “Applying an IPv4 ACL to a Terminal Line” section on page 34-19), to interfaces (see the “Applying an IPv4 ACL to an Interface” section on page 34-20), or to VLANs (see the “Configuring VLAN Maps” section on page 34-29).

Beginning in privileged EXEC mode, follow these steps to create a standard ACL using names:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip access-list standard name
        Define a standard IPv4 access list using a name, and enter access-list configuration mode. The name can be a number from 1 to 99.

When you are creating standard or extended ACLs, remember that, by default, the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end. For standard ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask. After you create an ACL, any additions are placed at the end of the list.

Beginning in privileged EXEC mode, follow these steps to configure a time-range parameter for an ACL:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  time-range time-range-name
        Assign a meaningful name (for example, workhours) to the time range to be created, and enter time-range configuration mode. The name cannot contain a space or quotation mark and must begin with a letter.

This example uses named ACLs to permit and deny the same traffic.

Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  line [console | vty] line-number
        Identify a specific line to configure, and enter in-line configuration mode.
        • console—Specify the console terminal line. The console port is DCE.

Beginning in privileged EXEC mode, follow these steps to control access to an interface:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Identify a specific interface for configuration, and enter interface configuration mode. The interface can be a Layer 2 interface (port ACL), or a Layer 3 interface (router ACL).

Hardware and Software Treatment of IP ACLs

ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to the CPU for software processing. If the hardware reaches its capacity to store ACL configurations, packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is substantially less than for hardware-forwarded traffic.

Use router ACLs to do this in one of two ways:
• Create a standard ACL, and filter traffic coming to the server from Port 1.
• Create an extended ACL, and filter traffic coming from the server into Port 1.

Figure 34-3 Using Router ACLs to Control Traffic (figure: Server B, Payroll, Port 1, Port 2, Accounting 172.20.128.64-95, Human Resources 172.20.128.

Numbered ACLs

In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the switch accepts one address on subnet 48 and rejects all others on that subnet. The last line of the list shows that the switch accepts addresses on all other network 36.0.0.
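To make the first-match rule, the implicit deny at the end of every list, the default 0.0.0.0 mask, and the host-entry reordering of standard lists concrete, here is an added Python simulation (my own example, not Cisco code). It parses numbered standard and extended access-list commands in the syntax shown in the steps above and evaluates packets against them. Access list 2 is constructed to match the description of the numbered example (one host on subnet 48 permitted, the rest of that subnet denied, the rest of network 36.0.0.0 permitted); the extended list is the web-blocking example written in the form the extended syntax requires, with the tcp protocol keyword and a closing permit ip any any added. PORT_NAMES is a constructed subset of the IOS port keywords, and only the eq port operator is modelled.

```python
"""Simulate first-match evaluation of Cisco IOS numbered IPv4 ACLs (added example)."""
import ipaddress

PORT_NAMES = {"www": 80, "smtp": 25, "telnet": 23}   # constructed subset of IOS port keywords
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def parse_addr(tokens):
    """Consume one address spec: any | host A | A WILDCARD | A (mask defaults to 0.0.0.0)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    if tokens and "." in tokens[0]:            # an explicit wildcard follows
        return (t, tokens.pop(0))
    return (t, "0.0.0.0")                       # omitted mask: exact host match


def parse_port(tokens):
    """Consume an optional 'eq PORT' qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else PORT_NAMES[p]
    return None


def parse_ace(line):
    """Parse 'access-list N {permit|deny} ...'; returns None for remark lines."""
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError(f"not an access-list command: {line}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if action == "remark":
        return None
    if number <= 99 or 1300 <= number <= 1999:   # standard list: source address only
        return {"action": action, "proto": "ip", "src": parse_addr(rest),
                "sport": None, "dst": ANY, "dport": None}
    proto = rest.pop(0)                           # extended list: protocol, src, dst, ports
    src, sport = parse_addr(rest), parse_port(rest)
    dst, dport = parse_addr(rest), parse_port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]) or not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    if ace["sport"] is not None and pkt.get("sport") != ace["sport"]:
        return False
    return ace["dport"] is None or pkt.get("dport") == ace["dport"]


def evaluate(acl_lines, pkt):
    """The first matching ACE decides; reaching the end of the list is the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace and ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


def reorder_standard(acl_lines):
    """Mimic the switch's rewrite of a standard list: entries with a 0.0.0.0 mask move
    above wildcard entries; relative order inside each group is kept."""
    parsed = [(l, parse_ace(l)) for l in acl_lines]
    is_host = lambda a: a is not None and a["src"][1] == "0.0.0.0"
    return [l for l, a in parsed if is_host(a)] + [l for l, a in parsed if not is_host(a)]


# Constructed to match the page's description of access list 2 (network 36.0.0.0, subnet 48).
STANDARD_ACL_2 = [
    "access-list 2 permit 36.48.0.3",
    "access-list 2 deny 36.48.0.0 0.0.255.255",
    "access-list 2 permit 36.0.0.0 0.255.255.255",
]
# The web-blocking example with the tcp keyword and a final permit added.
EXTENDED_ACL_100 = [
    "access-list 100 remark Do not allow Winter to browse the web",
    "access-list 100 deny tcp host 171.69.3.85 any eq www",
    "access-list 100 permit ip any any",
]

if __name__ == "__main__":
    for src in ("36.48.0.3", "36.48.7.9", "36.53.0.1", "10.1.1.1"):
        print(src, evaluate(STANDARD_ACL_2, {"proto": "ip", "src": src, "dst": "10.0.0.1"}))
```

Note that a source outside network 36.0.0.0 is denied by access list 2 even though no deny entry names it: that is the implicit deny doing its work, and it is why a list that is meant to permit some traffic needs an explicit permit entry for it.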
Named ACLs

This example creates a standard ACL named internet_filter and an extended ACL named marketing_group. The internet_filter ACL allows all traffic from the source address 1.2.3.4.

Switch(config)# ip access-list standard Internet_filter
Switch(config-ext-nacl)# permit 1.2.3.4
Switch(config-ext-nacl)# exit

The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.

In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the web:

Switch(config)# access-list 100 remark Do not allow Winter to browse the web
Switch(config)# access-list 100 deny host 171.69.3.85 any eq www
Switch(config)# access-list 100 remark Do not allow Smith to browse the web
Switch(config)# access-list 100 deny host 171.69.3.

Chapter 34 Configuring Network Security with ACLs / Creating Named MAC Extended ACLs

This is an example of a log for an extended ACL:

01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet
01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets
01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.
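Log lines of this form are what the log keyword on an ACE produces, and the first thing an analyst wants from them is a total per list and source. As an added example (my own, not from the guide), this Python parser turns %SEC-6-IPACCESSLOGP and %SEC-6-IPACCESSLOGDP lines of that format into records and sums permitted and denied packet counts per access list and source address, setting aside lines in other formats. The sample lines are constructed in the same format as the page's example; the regular expression covers the TCP/UDP form with (port) suffixes and the ICMP form with a trailing (type/code).

```python
"""Parse Cisco IOS %SEC-6-IPACCESSLOG* lines and total packets per list and source (added example)."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d):%SEC-6-(?P<mnemonic>IPACCESSLOG\w+):"
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line is not in this format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "itype", "icode", "count"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize(lines):
    """Total packet counts per (acl, source) for permitted and denied entries.
    Returns (permitted, denied, unparsed); the first two map (acl, src) -> packets."""
    permitted, denied, unparsed = defaultdict(int), defaultdict(int), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)            # keep, rather than silently drop, other messages
            continue
        target = permitted if rec["action"] == "permitted" else denied
        target[(rec["acl"], rec["src"])] += rec["count"]
    return dict(permitted), dict(denied), unparsed


# Constructed sample in the format of the page's example log (not captured from a device).
SAMPLE_LOG = [
    "01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet",
    "01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets",
    "01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet",
    "01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 8 packets",
    "01:32:01:%SEC-6-IPACCESSLOGP:list ext1 denied tcp 192.0.2.7(40321) -> 10.1.1.61(23), 3 packets",
    "01:33:10:%SYS-5-CONFIG_I: Configured from console by vty0",   # not an ACL log line
]

if __name__ == "__main__":
    permitted, denied, unparsed = summarize(SAMPLE_LOG)
    for (acl, src), n in sorted(denied.items()):
        print(f"denied   list={acl} src={src} packets={n}")
    print(f"{len(unparsed)} line(s) not in IPACCESSLOG format")
```

The counts are summed because each line reports the packets seen since the previous line for that flow, so the per-source total is the figure to compare against a threshold, not the count on any single line.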
Command / Purpose
Step 3  {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination MAC address mask} [type mask | lsap lsap mask | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp | 0-65535] [cos cos]
        In extended MAC acce

Chapter 34 Configuring Network Security with ACLs / Configuring VLAN Maps

• A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.

Beginning in privileged EXEC mode, follow these steps to apply a MAC access list to control access to a Layer 2 interface:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.

To create a VLAN map and apply it to one or more VLANs, perform these steps:

Step 1  Create the standard or extended IPv4 ACLs or named MAC extended ACLs that you want to apply to the VLAN. See the “Creating Standard and Extended IPv4 ACLs” section on page 34-8 and the “Creating a VLAN Map” section on page 34-31.
Step 2  Enter the vlan access-map global configuration command to create a VLAN ACL map entry.

• When a frame is Layer-2 forwarded within a private VLAN, the same VLAN map is applied at the ingress side and at the egress side. When a frame is routed from inside a private VLAN to an external port, the private-VLAN map is applied at the ingress side.
  – For frames going upstream from a host port to a promiscuous port, the VLAN map configured on the secondary VLAN is applied.

Examples of ACLs and VLAN Maps

These examples show how to create ACLs and VLAN maps for specific purposes.

Example 1

This example shows how to create an ACL and a VLAN map to deny a packet. In the first map, any packets that match the ip1 ACL (TCP packets) would be dropped. You first create the ip1 ACL to permit any TCP packet and no other packets.

Example 3

In this example, the VLAN map has a default action of drop for MAC packets and a default action of forward for IP packets. Used with MAC extended access lists good-hosts and good-protocols, the map will have the following results:
• Forward MAC packets from hosts 0000.0c00.0111 and 0000.0c00.

Applying a VLAN Map to a VLAN

Beginning in privileged EXEC mode, follow these steps to apply a VLAN map to one or more VLANs:

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  vlan filter mapname vlan-list list
        Apply the VLAN map to one or more VLAN IDs. The list can be a single VLAN ID (22), a consecutive list (10-22), or a string of VLAN IDs (12, 22, 30).

Figure 34-4 Wiring Closet Configuration (figure: Switch A, Switch B, Switch C, VLAN 1, VLAN 2, Host X 10.1.1.32, Host Y 10.1.1.34; VLAN map: Deny HTTP from X to Y. HTTP is dropped at entry point.)

If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VLAN map on Switch A to drop all HTTP traffic from Host X (IP address 10.1.1.32) to Host Y (IP address 10.1.1.
Chapter 34 Configuring Network Security with ACLs / Using VLAN Maps with Router ACLs

Figure 34-5 Deny Access to a Server on Another VLAN (figure: Layer 3 switch, VLAN map, Server 10.1.1.100 (VLAN 10), Host 10.1.1.4 (VLAN 10), Host 10.1.1.8 (VLAN 10), Host (VLAN 20), Subnet 10.1.2.0/8)

This example shows how to deny access to a server on another VLAN by creating the VLAN map SERVER 1 that denies access to hosts in subnet 10.1.2.0/8, host 10.1.1.4, and host 10.1.1.8 and permits other IP traffic.

Note When you use router ACLs with VLAN maps, packets that require logging on the router ACLs are not logged if they are denied by a VLAN map.

If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not match the type, the default is to drop the packet. If there is no match clause in the VLAN map, and no action specified, the packet is forwarded if it does not match any VLAN map entry.

Examples of Router ACLs and VLAN Maps Applied to VLANs

This section gives examples of applying router ACLs and VLAN maps to a VLAN for switched, bridged, routed, and multicast packets. Although the following illustrations show packets being forwarded to their destination, each time the packet’s path crosses a line indicating a VLAN map or an ACL, it is also possible that the packet might be dropped, rather than forwarded.

Figure 34-7 Applying ACLs on Bridged Packets (figure: Host A (VLAN 10), Host B (VLAN 20), VLAN 10 map, VLAN 20 map, fallback bridge)

ACLs and Routed Packets

Figure 34-8 shows how ACLs are applied on routed packets. For routed packets, the ACLs are applied in this order:
1. VLAN map for input VLAN
2. Input router ACL
3. Output router ACL
4.

Chapter 34 Configuring Network Security with ACLs / Displaying IPv4 ACL Configuration

ACLs and Multicast Packets

Figure 34-9 shows how ACLs are applied on packets that are replicated for IP multicasting. A multicast packet being routed has two different kinds of filters applied: one for destinations that are other ports in the input VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed.

Table 34-2 Commands for Displaying Access Lists and Access Groups (continued)
Command                         Purpose
show ip interface interface-id  Display detailed configuration and status of an interface. If IP is enabled on the interface and ACLs have been applied by using the ip access-group interface configuration command, the access groups are included in the display.
CHAPTER 35 Configuring IPv6 ACLs

When the switch is running the advanced IP services feature set, you can filter IP Version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces similarly to the way that you create and apply IP Version 4 (IPv4) named ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic when the switch is running the IP services or IP base feature set.

Chapter 35 Configuring IPv6 ACLs / Understanding IPv6 ACLs

Understanding IPv6 ACLs

A switch running the advanced IP services feature set supports two types of IPv6 ACLs:
• IPv6 router ACLs are supported on outbound or inbound traffic on Layer 3 interfaces, which can be routed ports, switch virtual interfaces (SVIs), or Layer 3 EtherChannels. IPv6 router ACLs apply only to IPv6 packets that are routed.
• IPv6 port ACLs are supported on inbound traffic on Layer 2 interfaces only.

Supported ACL Features

IPv6 ACLs on the switch have these characteristics:
• Fragmented frames (the fragments keyword as in IPv4) are supported.
• The same statistics supported in IPv4 are supported for IPv6 ACLs.
• If the switch runs out of hardware space, packets associated with the ACL are forwarded to the CPU, and the ACLs are applied in software.
• Routed or bridged packets with hop-by-hop options have IPv6 ACLs applied in software.

Chapter 35 Configuring IPv6 ACLs / Configuring IPv6 ACLs

If a new switch takes over as stack master, it distributes the ACL configuration to all stack members. The member switches sync up the configuration distributed by the new stack master and flush out entries that are not required. When an ACL is modified, attached to, or detached from an interface, the stack master distributes the change to all stack members.

• If the hardware memory is full, for any additional configured ACLs, packets are forwarded to the CPU, and the ACLs are applied in software.
• The implementation of IPv6 ACLs on Catalyst 3750-E and 3560-E switches is the same as that on Catalyst 3750 and 3560 switches except for the differences summarized in the Cisco Software Activation and Compatibility Document on Cisco.com.

Command / Purpose
Step 3a  {deny | permit} protocol {source-ipv6-prefix/prefix-length |
         Enter deny or permit to specify whether to deny or permit the packet if conditions are matched.

Command / Purpose
Step 3b  {deny | permit} tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]]
         (Optional) Define a TCP access list and the access conditions. Enter tcp for Transmission Control Protocol. The parameters are the same as those described in Step 3a, with these additional optional parameters:
         • ack—Acknowledgment bit set.

Use the no {deny | permit} IPv6 access-list configuration commands with keywords to remove the deny or permit conditions from the specified access list.

This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000.

Chapter 35 Configuring IPv6 ACLs / Displaying IPv6 ACLs

Use the no ipv6 traffic-filter access-list-name interface configuration command to remove an access list from an interface.
C H A P T E R 36 Configuring QoS This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the Catalyst 3750-E or 3560-E switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size.
Chapter 36 Configuring QoS Understanding QoS Understanding QoS Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
Figure 36-1 QoS Classification Layers in Frames and Packets (figure: an encapsulated packet with Layer 2 header, IP header, and data; a Layer 2 ISL frame with a 26-byte ISL header, the encapsulated frame, and a 4-byte FCS, with 3 bits used for CoS; Layer 2 802.1Q and 802.
Figure 36-2 shows the basic QoS model. Actions at the ingress port include classifying traffic, policing, marking, queueing, and scheduling:
• Classification is the process of generating a distinct path for a packet by associating it with a QoS label. The switch maps the CoS or DSCP in the packet to a QoS label to distinguish one kind of traffic from another. The QoS label that is generated identifies all future QoS actions to be performed on this packet.
Classification
Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally disabled, so no classification occurs. During classification, the switch performs a lookup and assigns a QoS label to the packet.
After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages.

Figure 36-3 Classification Flowchart (flowchart: read the ingress interface configuration for classification; trust CoS for IP and non-IP traffic; trust DSCP for IP traffic; trust DSCP or IP precedence for non-IP traffic; trust IP precedence for IP traffic; assign a DSCP identical to the DSCP in the packet)
Classification Based on QoS ACLs
You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs:
• If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.
The policy map can contain the police and police aggregate policy-map class configuration commands, which define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded. To enable the policy map, you attach it to a port by using the service-policy interface configuration command. You can apply a nonhierarchical policy map to a physical port or an SVI.
Policing on Physical Ports
In policy maps on physical ports, you can create these types of policers:
• Individual—QoS applies the bandwidth limits specified in the policer separately to each matched traffic class. You configure this type of policer within a policy map by using the police policy-map class configuration command.
• Aggregate—QoS applies the bandwidth limits specified in an aggregate policer cumulatively to all matched traffic flows.
Figure 36-4 Policing and Marking Flowchart on Physical Ports (flowchart: get the classification result for the packet; if no policer is configured for this packet, pass it through; otherwise check whether the packet is in profile by querying the policer; an in-profile packet passes through; for an out-of-profile packet, check the out-of-profile action configured for the policer: drop the packet, or mark it by modifying the DSCP according to the policed-DSCP map and generating a new QoS label)
When configuring policing on an SVI, you can create and configure a hierarchical policy map with these two levels:
• VLAN level—Create this primary level by configuring class maps and classes that specify the port trust state or set a new DSCP or IP precedence value in the packet. The VLAN-level policy map applies only to the VLAN in an SVI and does not support policers.
Mapping Tables
During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS label based on the DSCP or CoS value from the classification stage:
• During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or CoS value from a received CoS, DSCP, or IP precedence value. These maps include the CoS-to-DSCP map and the IP-precedence-to-DSCP map.
Queueing and Scheduling Overview
The switch has queues at specific points to help prevent congestion as shown in Figure 36-6 and Figure 36-7.
Weighted Tail Drop
Both the ingress and egress queues use an enhanced version of the tail-drop congestion-avoidance mechanism called weighted tail drop (WTD). WTD is implemented on queues to manage the queue lengths and to provide drop precedences for different traffic classifications. As a frame is enqueued to a particular queue, WTD uses the frame’s assigned QoS label to subject it to different thresholds.
In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue is empty and no longer requires a share of the link, the remaining queues can expand into the unused bandwidth and share it among them. With sharing, the ratio of the weights controls the frequency of dequeuing; the absolute values are meaningless.
Figure 36-10 Queueing and Scheduling Flowchart for Ingress Ports on Catalyst 3560-E Switches (flowchart: read the QoS label (DSCP or CoS value); determine the ingress queue number, buffer allocation, and WTD thresholds; if the thresholds are being exceeded, drop the packet; otherwise queue the packet, service the queue according to the SRR weights, and send the packet to the internal ring)
dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command. You can display the DSCP input queue threshold map and the CoS input queue threshold map by using the show mls qos maps privileged EXEC command.

WTD Thresholds
The queues use WTD to support distinct drop percentages for different traffic classes.
Queueing and Scheduling on Egress Queues
Figure 36-11 and Figure 36-12 show the queueing and scheduling flowcharts for egress ports.

Note
If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues.

Figure 36-11 Queueing and Scheduling Flowchart for Egress Ports on Catalyst 3750-E Switches (flowchart: receive the packet from the stack ring; read the QoS label (DSCP or CoS value).
Figure 36-12 Queueing and Scheduling Flowchart for Egress Ports on Catalyst 3560-E Switches (flowchart: receive the packet from the internal ring; read the QoS label (DSCP or CoS value); determine the egress queue number and threshold based on the label; if the thresholds are being exceeded, drop the packet; otherwise queue the packet, service the queue according to the SRR weights, rewrite the DSCP and/or CoS value as appropriate, and send the packet out the port)
buffers) or not empty (free buffers). If the queue is not over-limit, the switch can allocate buffer space from the reserved pool or from the common pool (if it is not empty). If there are no free buffers in the common pool or if the queue is over-limit, the switch drops the frame.
WTD Thresholds
You can assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an egress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue output dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue output cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
Configuring Auto-QoS
• During policing, IP and non-IP packets can have another DSCP assigned to them (if they are out of profile and the policer specifies a markdown DSCP). Once again, the DSCP in the packet is not modified, but an indication of the marked-down value is carried along. For IP packets, the packet modification occurs at a later stage; for non-IP packets the DSCP is converted to CoS and used for queueing and scheduling decisions.
Generated Auto-QoS Configuration
By default, auto-QoS is disabled on all ports. When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues as shown in Table 36-2.
trust the QoS label received in the packet. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The switch configures ingress and egress queues on the port according to the settings in Table 36-3 and Table 36-4.
Table 36-5 Generated Auto-QoS Configuration (continued)
Columns: Description; Automatically Generated Command
Description: The switch automatically maps DSCP values to an ingress queue and to a threshold ID.
Description: The switch automatically configures the egress queue buffer sizes. It configures the bandwidth and the SRR mode (shaped or shared) on the egress queues mapped to the port.
Description: If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.
• To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS commands. If necessary, you can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed. For more information, see the “Effects of Auto-QoS on the Configuration” section on page 36-27.
To display the QoS commands that are automatically generated when auto-QoS is enabled or disabled, enter the debug auto qos privileged EXEC command before enabling auto-QoS. For more information, see the debug autoqos command in the command reference for this release. To disable auto-QoS on a port, use the no auto qos voip interface configuration command. Only the auto-QoS-generated interface configuration commands for this port are removed.
Auto-QoS Configuration Example
This section describes how you could implement auto-QoS in a network, as shown in Figure 36-14. For optimum QoS performance, enable auto-QoS on all the devices in the network.

Figure 36-14 Auto-QoS Configuration Example Network (figure: a Cisco router to the Internet, trunk links, and a video server at 172.20.10.
Note
You should not configure any standard QoS commands before entering the auto-QoS commands. You can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed.

Beginning in privileged EXEC mode, follow these steps to configure the switch at the edge of the QoS domain to prioritize the VoIP traffic over all other traffic:
Step 1  debug auto qos
        Enable debugging for auto-QoS.
Displaying Auto-QoS Information
To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
Configuring Standard QoS
Default Standard QoS Configuration
QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
Default Egress Queue Configuration
Table 36-9 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited.
Default Mapping Table Configuration
The default CoS-to-DSCP map is shown in Table 36-12 on page 36-63. The default IP-precedence-to-DSCP map is shown in Table 36-13 on page 36-64. The default DSCP-to-CoS map is shown in Table 36-14 on page 36-66. The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value.
• Follow these guidelines when configuring policy maps on physical ports or SVIs:
  – You cannot apply the same policy map to a physical port and to an SVI.
  – If VLAN-based QoS is configured on a physical port, the switch removes all the port-based policy maps on the port. The traffic on this physical port is now affected by the policy map attached to the SVI to which the physical port belongs.
• A switch that is running the IP services feature set supports QoS DSCP and IP precedence matching in policy-based routing (PBR) route maps with these limitations:
  – You cannot apply QoS DSCP mutation maps and PBR route maps to the same interface.
  – You cannot configure DSCP transparency and PBR DSCP route maps on the same switch.

Enabling QoS Globally
By default, QoS is disabled on the switch.
Use the no mls qos vlan-based interface configuration command to disable VLAN-based QoS on the physical port.

Configuring Classification Using Port Trust States
These sections describe how to classify incoming traffic by using port trust states.
Figure 36-15 Port Trusted States within the QoS Domain (figure labels: trusted interface, trunk, traffic classification performed here, P1, P3, IP, trusted boundary)

Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives:
Step 1  configure terminal
        Enter global configuration mode.
Step 3  mls qos trust [cos | dscp | ip-precedence]
        Configure the port trust state. By default, the port is not trusted. If no keyword is specified, the default is dscp. The keywords have these meanings:
        • cos—Classifies an ingress packet by using the packet CoS value. For an untagged packet, the port default CoS value is used. The default port CoS value is 0.
        • dscp—Classifies an ingress packet by using the packet DSCP value.
Step 3  mls qos cos {default-cos | override}
        Configure the default CoS value for the port.
        • For default-cos, specify a default CoS value to be assigned to a port. If the packet is untagged, the default CoS value becomes the packet CoS value. The CoS range is 0 to 7. The default is 0.
With the trusted setting, you also can use the trusted boundary feature to prevent misuse of a high-priority queue if a user bypasses the telephone and connects the PC directly to the switch. Without trusted boundary, the CoS labels generated by the PC are trusted by the switch (because of the trusted CoS setting).
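An added example of the trusted boundary setting described above (not a listing from the guide), assuming a Cisco IP Phone connected to gigabitethernet1/0/2: the port trusts CoS only while CDP detects the phone, so a PC plugged directly into the port has its CoS markings ignored rather than admitted to the high-priority queue.

```cisco
! Added example: trusted boundary on a phone-facing access port.
Switch(config)# mls qos
Switch(config)# interface gigabitethernet1/0/2
! Trust the CoS value in tagged frames (the phone marks its own voice traffic).
Switch(config-if)# mls qos trust cos
! Trusted boundary: the CoS trust stays in effect only while CDP reports a
! Cisco IP Phone on the port; without the phone, the port is treated as untrusted.
! CDP must be running on the port for the phone detection to work.
Switch(config-if)# cdp enable
Switch(config-if)# mls qos trust device cisco-phone
Switch(config-if)# end
! Verify the configured trust state and trust device for the port.
Switch# show mls qos interface gigabitethernet1/0/2
```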
If DSCP transparency is enabled by using the no mls qos rewrite ip dscp command, the switch does not modify the DSCP field in the incoming packet, and the DSCP field in the outgoing packet is the same as that in the incoming packet.

Note
Enabling DSCP transparency does not affect the port trust settings on IEEE 802.1Q tunneling ports.
Figure 36-16 DSCP-Trusted State on a Port Bordering Another QoS Domain (figure: IP traffic between QoS Domain 1 and QoS Domain 2; set the interface to the DSCP-trusted state; configure the DSCP-to-DSCP-mutation map)

Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map.
To return a port to its non-trusted state, use the no mls qos trust interface configuration command. To return to the default DSCP-to-DSCP-mutation map values, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command.
Classifying Traffic by Using ACLs
You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs.

Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic:
Step 1  configure terminal
        Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
        Create an IP extended ACL, repeating the command as many times as necessary.
        • For access-list-number, enter the access list number.
Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  mac access-list extended name
        Create a Layer 2 MAC ACL by specifying the name of the list. After entering this command, the mode changes to extended MAC ACL configuration.
Classifying Traffic by Using Class Maps
You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further classify it. Match statements can include criteria such as an ACL, IP precedence values, or DSCP values.
Step 4  match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list}
        Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported.
        • For access-group acl-index-or-name, specify the number or name of the ACL created in Step 2.
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps
You can configure a nonhierarchical policy map on a physical port that specifies which traffic class to act on.
Beginning in privileged EXEC mode, follow these steps to create a nonhierarchical policy map:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  class-map [match-all | match-any] class-map-name
        Create a class map, and enter class-map configuration mode. By default, no class maps are defined.
        • (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map.
Step 5  trust [cos | dscp | ip-precedence]
        Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label.
        Note: This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, go to Step 6.
        By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
Step 8   exit
         Return to policy map configuration mode.
Step 9   exit
         Return to global configuration mode.
Step 10  interface interface-id
         Specify the port to attach to the policy map, and enter interface configuration mode. Valid interfaces include physical ports.
Step 11  service-policy input policy-map-name
         Specify the policy-map name, and apply it to an ingress port. Only one policy map per ingress port is supported.
Switch(config-ext-mac)# exit
Switch(config)# class-map macclass1
Switch(config-cmap)# match access-group maclist1
Switch(config-cmap)# exit
Switch(config)# policy-map macpolicy1
Switch(config-pmap)# class macclass1
Switch(config-pmap-c)# set dscp 63
Switch(config-pmap-c)# exit
Switch(config-pmap)# class macclass2 maclist2
Switch(config-pmap-c)# set dscp 45
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet1/0/
• The hierarchical policy map is attached to the SVI and affects all traffic belonging to the VLAN. The actions specified in the VLAN-level policy map affect the traffic belonging to the SVI. The police action on the port-level policy map affects the ingress traffic on the affected physical interfaces.
• When configuring a hierarchical policy map on trunk ports, the VLAN ranges must not overlap.
Step 3  match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list}
        Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported.
        • For access-group acl-index-or-name, specify the number or name of the ACL.
Step 10  policy-map policy-map-name
         Create an interface-level policy map by entering the policy-map name, and enter policy-map configuration mode. By default, no policy maps are defined, and no policing is performed.
Step 11  class-map class-map-name
         Define an interface-level traffic classification, and enter policy-map configuration mode. By default, no policy-map class-maps are defined.
Step 17  trust [cos | dscp | ip-precedence]
         Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label.
         Note: This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, omit Step 18.
         By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
Step 23  service-policy input policy-map-name
         Specify the VLAN-level policy-map name, and apply it to the SVI. Repeat the previous step and this command to apply the policy map to other SVIs. If the hierarchical VLAN-level policy map has more than one interface-level policy map, all class maps must be configured to the same VLAN-level policy map specified in the service-policy policy-map-name command.
Switch(config-pmap-c)# exit
Switch(config-pmap)# class-map cm-2
Switch(config-pmap-c)# match ip dscp 2
Switch(config-pmap-c)# service-policy port-plcmap-1
Switch(config-pmap)# exit
Switch(config-pmap)# class-map cm-3
Switch(config-pmap-c)# match ip dscp 3
Switch(config-pmap-c)# service-policy port-plcmap-2
Switch(config-pmap)# exit
Switch(config-pmap)# class-map cm-4
Switch(config-pmap-c)# trust dscp
Switch(config-pmap)# exit
Switch(config)# interface vl
Step 4  policy-map policy-map-name
        Create a policy map by entering the policy map name, and enter policy-map configuration mode. For more information, see the “Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps” section on page 36-51.
Step 5  class class-map-name
        Define a traffic classification, and enter policy-map class configuration mode.
Switch(config-pmap-c)# trust dscp
Switch(config-pmap-c)# police aggregate transmit1
Switch(config-pmap-c)# exit
Switch(config-pmap)# class ipclass2
Switch(config-pmap-c)# set dscp 56
Switch(config-pmap-c)# police aggregate transmit1
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# service-policy input aggflow1
Switch(config-if)# exit

Configuring DSCP Maps
These sections contain this
Beginning in privileged EXEC mode, follow these steps to modify the CoS-to-DSCP map. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos map cos-dscp dscp1...dscp8
        Modify the CoS-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to CoS values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63.
Step 3  end
        Return to privileged EXEC mode.
Beginning in privileged EXEC mode, follow these steps to modify the IP-precedence-to-DSCP map. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos map ip-prec-dscp dscp1...dscp8
        Modify the IP-precedence-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to the IP precedence values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63.
To return to the default map, use the no mls qos policed-dscp global configuration command.
Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-CoS map. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos map dscp-cos dscp-list to cos
        Modify the DSCP-to-CoS map.
        • For dscp-list, enter up to eight DSCP values separated by spaces. Then enter the to keyword.
        • For cos, enter the CoS value to which the DSCP values correspond.
Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-DSCP-mutation map. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp
        Modify the DSCP-to-DSCP-mutation map.
        • For dscp-mutation-name, enter the mutation map name. You can create more than one map by specifying a new name.
Note
In the above DSCP-to-DSCP-mutation map, the mutated values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the original DSCP. The intersection of the d1 and d2 values provides the mutated value. For example, a DSCP value of 12 corresponds to a mutated value of 10.
Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds
You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped.

Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and to set WTD thresholds. This procedure is optional.
This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent.
Beginning in privileged EXEC mode, follow these steps to allocate bandwidth between the ingress queues. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos srr-queue input bandwidth weight1 weight2
        Assign shared round robin weights to the ingress queues. The default setting for weight1 and weight2 is 4 (1/2 of the bandwidth is equally shared between the two queues).
Beginning in privileged EXEC mode, follow these steps to configure the priority queue. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos srr-queue input priority-queue queue-id bandwidth weight
        Assign a queue as the priority queue and guarantee bandwidth on the stack or internal ring if the ring is congested.
These sections contain this configuration information:
• Configuration Guidelines, page 36-74
• Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, page 36-74 (optional)
• Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, page 36-76 (optional)
• Configuring SRR Shaped Weights on Egress Queues, page 36-78 (optional)
• Configuring SRR Shared Weights on Egress Queues, page 36-79 (optional)
• Configur
Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and the drop thresholds for a queue-set. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos queue-set output qset-id buffers allocation1 ... allocation4
        Allocate buffers to a queue-set. By default, all allocation values are equally mapped among the four queues (25, 25, 25, 25).
Step 7  show mls qos interface [interface-id] buffers
        Verify your entries.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command.
Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an egress queue and to a threshold ID. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos srr-queue output dscp-map queue queue-id threshold threshold-id dscp1...dscp8
        Map DSCP or CoS values to an egress queue and to a threshold ID.
Configuring SRR Shaped Weights on Egress Queues
You can specify how much of the available bandwidth is allocated to each queue. The ratio of the weights is the ratio of frequency in which the SRR scheduler sends packets from each queue. You can configure the egress queues for shaped or shared weights, or both. Use shaping to smooth bursty traffic or to provide a smoother output over time.
Configuring SRR Shared Weights on Egress Queues
In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue empties and does not require a share of the link, the remaining queues can expand into the unused bandwidth and share it among them.
Chapter 36 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos Enable QoS on a switch. Step 3 interface interface-id Specify the egress port, and enter interface configuration mode. Step 4 priority-queue out Enable the egress expedite queue, which is disabled by default.
Chapter 36 Configuring QoS Displaying Standard QoS Information Command Purpose Step 5 show mls qos interface [interface-id] queueing Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no srr-queue bandwidth limit interface configuration command.
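The three egress scheduling options described above (expedite queue, shaped weights, shared weights) are easier to see on one port. The following configuration is an added example, not from the guide; it assumes the port is GigabitEthernet1/0/1 and that the weight values shown are chosen for illustration.

```cisco
! Added example (not from the guide). Assumed port: GigabitEthernet1/0/1.
configure terminal
 mls qos
 interface gigabitethernet1/0/1
  ! Queue 1 becomes the expedite (strict-priority) queue: it is serviced
  ! until empty before the other queues are serviced, so its SRR weight is
  ! not used.
  priority-queue out
  ! Shaped weight on queue 2 only. The inverse of the weight (1/10) is the
  ! share of port bandwidth queue 2 may use even when the link is otherwise
  ! idle. A weight of 0 leaves a queue in shared mode.
  srr-queue bandwidth shape 0 10 0 0
  ! Shared weights: queues 3 and 4 split the remaining bandwidth 60:40 and may
  ! expand into bandwidth that the other queues do not use. The values given
  ! for queues 1 and 2 are not used because those queues are expedite and
  ! shaped respectively.
  srr-queue bandwidth share 1 1 60 40
 end
! Verify the per-queue scheduling settings on the port.
show mls qos interface gigabitethernet1/0/1 queueing
```

The shaped weight bounds queue 2 even when the link is idle, whereas the shared weights on queues 3 and 4 are a guaranteed minimum that either queue can exceed when the other is empty, which is the distinction the two sections above draw.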
Displaying Standard QoS Information

Table 36-15 Commands for Displaying Standard QoS Information (continued)
show policy-map [policy-map-name [class class-map-name]]   Display QoS policy maps, which define classification criteria for incoming traffic.
Note: Do not use the show policy-map interface privileged EXEC command to display classification information for incoming traffic.
show running-config | include rewrite
Chapter 37 Configuring EtherChannels and Link-State Tracking

This chapter describes how to configure EtherChannels on Layer 2 and Layer 3 ports on the Catalyst 3750-E or 3560-E switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.

Understanding EtherChannels

• Load-Balancing and Forwarding Methods, page 37-8
• EtherChannel and Switch Stacks, page 37-10

EtherChannel Overview

An EtherChannel consists of individual Gigabit Ethernet links bundled into a single logical link, as shown in Figure 37-1.

You can configure an EtherChannel in one of these modes: Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), or On. Configure both ends of the EtherChannel in the same mode:
• When you configure one end of an EtherChannel in either PAgP or LACP mode, the system negotiates with the other end of the channel to determine which ports should become active.

Figure 37-3 Cross-Stack EtherChannel (figure: a Catalyst 3750-E switch stack of Switch 1, Switch 2, and Switch 3 joined by StackWise Plus port connections, with channel group 1 connecting the stack to Switch A)

Port-Channel Interfaces

When you create an EtherChannel, a port-channel logical interface is involved:
• With Layer 2 ports, use the channel-group interface configuration command to dynamically create the port-channel logical interface.

Figure 37-4 Relationship of Physical Ports, Logical Port Channels, and Channel Groups (figure: physical ports bound to a logical port-channel through a channel group)

After you configure an EtherChannel, configuration changes applied to the port-channel interface apply to all the physical ports assigned to the port-channel interface.

PAgP Modes

Table 37-1 shows the user-configurable EtherChannel PAgP modes for the channel-group interface configuration command.

Table 37-1 EtherChannel PAgP Modes
auto   Places a port into a passive negotiating state, in which the port responds to PAgP packets it receives but does not start PAgP packet negotiation. This setting minimizes the transmission of PAgP packets.

PAgP sends and receives PAgP PDUs only from ports that are up and have PAgP enabled for the auto or desirable mode.

Link Aggregation Control Protocol

LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports.

In Layer 2 EtherChannels, the first port in the channel that comes up provides its MAC address to the EtherChannel. If this port is removed from the bundle, one of the remaining ports in the bundle provides its MAC address to the EtherChannel. For Layer 3 EtherChannels, the MAC address is allocated by the stack master as soon as the interface is created through the interface port-channel global configuration command.

With source-IP-address-based forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the EtherChannel based on the source IP address of the incoming packet. Therefore, to provide load balancing, packets from different IP addresses use different ports in the channel, but packets from the same IP address use the same port in the channel.

Figure 37-5 Load Distribution and Forwarding Methods (figure: a switch with source-based forwarding enabled and a Cisco router with destination-based forwarding enabled, connected by an EtherChannel)

EtherChannel and Switch Stacks

If a stack member that has ports participating in an EtherChannel fails or leaves the stack, the stack master removes the failed stack member switch ports from the EtherChannel.

For more information about switch stacks, see Chapter 5, “Managing Switch Stacks.”
Configuring EtherChannels

EtherChannel Configuration Guidelines

If improperly configured, some EtherChannel ports are automatically disabled to avoid network loops and other problems. Follow these guidelines to avoid configuration problems:
• Do not try to configure more than 48 EtherChannels on the switch or switch stack.
• Configure a PAgP EtherChannel with up to eight Ethernet ports of the same type.
– An EtherChannel supports the same allowed range of VLANs on all the ports in a trunking Layer 2 EtherChannel. If the allowed range of VLANs is not the same, the ports do not form an EtherChannel even when PAgP is set to the auto or desirable mode.
– Ports with different spanning-tree path costs can form an EtherChannel if they are otherwise compatibly configured.

Step 4   channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive}   Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 48. For mode, select one of these keywords:
• auto—Enables PAgP only if a PAgP device is detected.

This example shows how to configure an EtherChannel on a single switch in the stack.

Beginning in privileged EXEC mode, follow these steps to create a port-channel interface for a Layer 3 EtherChannel. This procedure is required.

Step 1   configure terminal   Enter global configuration mode.
Step 2   interface port-channel port-channel-number   Specify the port-channel logical interface, and enter interface configuration mode. For port-channel-number, the range is 1 to 48.

Step 5   channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive}   Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 48. This number must be the same as the port-channel-number (logical port) configured in the “Creating Port-Channel Logical Interfaces” section on page 37-15.

This example shows how to configure an EtherChannel. It assigns two ports to channel 5 with the LACP mode active:

Switch# configure terminal
Switch(config)# interface range gigabitethernet2/0/1 -2
Switch(config-if-range)# no ip address
Switch(config-if-range)# no switchport
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# end

This example shows how to configure a cross-stack EtherChannel.

Step 3   end   Return to privileged EXEC mode.
Step 4   show etherchannel load-balance   Verify your entries.
Step 5   copy running-config startup-config   (Optional) Save your entries in the configuration file.

To return EtherChannel load-balancing to the default configuration, use the no port-channel load-balance global configuration command.

Beginning in privileged EXEC mode, follow these steps to configure your switch as a PAgP physical-port learner and to adjust the priority so that the same port in the bundle is selected for sending packets. This procedure is optional.

Step 1   configure terminal   Enter global configuration mode.
Step 2   interface interface-id   Specify the port for transmission, and enter interface configuration mode.

If you configure more than eight links for an EtherChannel group, the software automatically decides which of the hot-standby ports to make active based on the LACP priority.

Configuring the LACP Port Priority

By default, all ports use the same port priority. If the local system has a lower value for the system priority and the system ID than the remote system, you can affect which of the hot-standby links become active first by changing the port priority of LACP EtherChannel ports to a lower value than the default.
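The guide's own example above builds a Layer 3 LACP channel. The following added example, not from the guide, covers the Layer 2 trunking case instead and ties together three points made in this section: the allowed-VLAN guideline, the load-balancing method, and the LACP system and port priorities. It assumes channel group 10 on GigabitEthernet1/0/1 through 1/0/4, a trunk carrying VLANs 10, 20, and 30, and a remote end that is also set to LACP active.

```cisco
! Added example (not from the guide). Assumed: channel group 10, member ports
! GigabitEthernet1/0/1-4, trunk VLANs 10, 20 and 30, remote end in LACP
! active mode.
configure terminal
 ! A lower system priority than the neighbor (default is 32768) means this
 ! switch's port priorities, not the neighbor's, decide which hot-standby
 ! links become active when more than eight links are in the group.
 lacp system-priority 4096
 ! Hash on source and destination IP address: packets between one pair of
 ! hosts always take the same link, while different pairs are spread out.
 port-channel load-balance src-dst-ip
 interface range gigabitethernet1/0/1 - 4
  ! Identical trunk settings on every member. If the allowed VLAN list
  ! differs between ports, they do not bundle.
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  channel-group 10 mode active
 interface range gigabitethernet1/0/1 - 2
  ! Lower value = preferred. These two ports win the active slots first.
  lacp port-priority 100
 end
! Verify bundling (flag P = bundled in port-channel), the hash method, and
! the LACP system ID and per-port priorities that the neighbor sees.
show etherchannel 10 summary
show etherchannel load-balance
show lacp sys-id
show lacp 10 internal
```

With only four members the port priorities have no visible effect; they matter once a ninth link is added and the switch must pick which eight to keep active, as the text above describes.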
Displaying EtherChannel, PAgP, and LACP Status

To display EtherChannel, PAgP, and LACP status information, use the privileged EXEC commands described in Table 37-4:

Table 37-4 Commands for Displaying EtherChannel, PAgP, and LACP Status
show etherchannel [channel-group-number {detail | port | port-channel | protocol | summary}] {detail | load-balance | port | port-channel | pr

Understanding Link-State Tracking

When you enable link-state tracking on the switch, the link states of the downstream ports are bound to the link state of one or more of the upstream ports. After you associate a set of downstream ports with a set of upstream ports, if all of the upstream ports become unavailable, link-state tracking automatically puts the associated downstream ports in an error-disabled state.

Configuring Link-State Tracking

Figure 37-6 Typical Link-State Tracking Configuration (figure: Distribution switch 1 and Distribution switch 2, joined to the network by a Layer 3 link, with Switch A and Switch B below them; the ports are assigned to link-state group 1 and link-state group 2)

Default Link-State Tracking Configuration

There are no link-state groups defined, and link-state tracking is not enabled for any group.

Link-State Tracking Configuration Guidelines

Follow these guidelines to avoid configuration problems:
• An interface that is defined as an upstream interface cannot also be defined as a downstream interface in the same or a different link-state group. The reverse is also true.

Switch(config-if)# interface gigabitethernet1/0/3
Switch(config-if)# link state group 1 downstream
Switch(config-if)# interface gigabitethernet1/0/5
Switch(config-if)# link state group 1 downstream
Switch(config-if)# end

To disable a link-state group, use the no link state track number global configuration command.
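The fragment above shows only the downstream half of a link-state group. The following is an added example, not from the guide, of the whole group: it assumes GigabitEthernet1/0/1 and 1/0/2 are the uplinks to the distribution switches and GigabitEthernet1/0/3 and 1/0/5 are server-facing ports.

```cisco
! Added example (not from the guide). Assumed: uplinks g1/0/1-2, server ports
! g1/0/3 and g1/0/5, link-state group 1.
configure terminal
 ! Enable tracking for group 1. Group membership alone does nothing until
 ! the group is enabled.
 link state track 1
 interface range gigabitethernet1/0/1 - 2
  ! Upstream ports: the group acts only when all of them lose link.
  link state group 1 upstream
 interface gigabitethernet1/0/3
  ! Downstream ports are put into the error-disabled state when every
  ! upstream port is down, so an attached host sees its link drop instead of
  ! sending traffic into a switch that has lost its uplinks. A port cannot be
  ! upstream in one group and downstream in another.
  link state group 1 downstream
 interface gigabitethernet1/0/5
  link state group 1 downstream
 end
! Shows the group's state and its upstream and downstream members.
show link state group 1 detail
```

When the uplinks return, the downstream ports leave the error-disabled state without manual intervention; the group is removed with no link state track 1, as the text above notes.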
Chapter 38 Configuring IP Unicast Routing

This chapter describes how to configure IP Version 4 (IPv4) unicast routing on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack. A switch stack operates and appears as a single router to the rest of the routers in the network.

Understanding IP Routing

Note: When configuring routing parameters on the switch and allocating system resources to maximize the number of unicast routes allowed, you can use the sdm prefer routing global configuration command to set the Switch Database Management (SDM) feature to the routing template. For more information on the SDM templates, see Chapter 8, “Configuring SDM Templates,” or see the sdm prefer command in the command reference for this release.

Default routing refers to sending traffic with a destination unknown to the router to a default outlet or destination. Static unicast routing forwards packets from predetermined ports through a single path into and out of a network. Static routing is secure and uses little bandwidth, but it does not automatically respond to changes in the network, such as link failures, and therefore might result in unreachable destinations.

Stack members perform these functions:
• They act as routing standby switches, ready to take over if they are elected as the new stack master when the stack master fails.
• They program the routes into hardware. The routes programmed by the stack members are the same ones that are downloaded by the stack master as part of the dCEF database.

Steps for Configuring Routing

By default, IP routing is disabled on the switch, and you must enable it before routing can take place. For detailed IP routing configuration information, see the Cisco IOS IP Configuration Guide, Release 12.

Configuring IP Addressing

• Configuring Address Resolution Methods, page 38-9
• Routing Assistance When IP Routing is Disabled, page 38-12
• Configuring Broadcast Packet Handling, page 38-14
• Monitoring and Maintaining IP Addressing, page 38-18

Default Addressing Configuration

Table 38-1 shows the default addressing configuration.

Table 38-1 Default Addressing Configuration
IP address   None defined.

Assigning IP Addresses to Network Interfaces

An IP address identifies a location to which IP packets can be sent. Some IP addresses are reserved for special uses and cannot be used for host, subnet, or network addresses. RFC 1166, “Internet Numbers,” contains the official description of IP addresses. An interface can have one primary IP address. A mask identifies the bits that denote the network number in an IP address.

Classless Routing

By default, classless routing behavior is enabled on the switch when it is configured to route. With classless routing, if a router receives packets for a subnet of a network with no default route, the router forwards the packet to the best supernet route.

Figure 38-3 No IP Classless Routing (figure: a router with routes to 128.20.1.0, 128.20.2.0, and 128.20.3.0 under 128.20.0.0 and a supernet route 128.0.0.0/8; a packet from a host for 128.20.4.1 goes to the bit bucket)

To prevent the switch from forwarding packets destined for unrecognized subnets to the best supernet route possible, you can disable classless routing behavior.

The switch can use these forms of address resolution:
• Address Resolution Protocol (ARP) is used to associate IP addresses with MAC addresses. Taking an IP address as input, ARP learns the associated MAC address and then stores the IP address/MAC address association in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network.

Step 3   arp ip-address hardware-address type [alias]   (Optional) Specify that the switch respond to ARP requests as if it were the owner of the specified IP address.
Step 4   interface interface-id   Enter interface configuration mode, and specify the interface to configure.
Step 5   arp timeout seconds   (Optional) Set the length of time an ARP cache entry stays in the cache. The default is 14400 seconds (4 hours).

Enable Proxy ARP

By default, the switch uses proxy ARP to help hosts learn MAC addresses of hosts on other networks or subnets. Beginning in privileged EXEC mode, follow these steps to enable proxy ARP if it has been disabled:

Step 1   configure terminal   Enter global configuration mode.
Step 2   interface interface-id   Enter interface configuration mode, and specify the Layer 3 interface to configure.

Beginning in privileged EXEC mode, follow these steps to define a default gateway (router) when IP routing is disabled:

Step 1   configure terminal   Enter global configuration mode.
Step 2   ip default-gateway ip-address   Set up a default gateway (router).
Step 3   end   Return to privileged EXEC mode.
Step 4   show ip redirects   Display the address of the default gateway router to verify the setting.

Step 6   ip irdp maxadvertinterval seconds   (Optional) Set the IRDP maximum interval between advertisements. The default is 600 seconds.
Step 7   ip irdp minadvertinterval seconds   (Optional) Set the IRDP minimum interval between advertisements. The default is 0.75 times the maxadvertinterval. If you change the maxadvertinterval, this value changes to the new default (0.75 of maxadvertinterval).

Enabling Directed Broadcast-to-Physical Broadcast Translation

By default, IP directed broadcasts are dropped; they are not forwarded. Dropping IP directed broadcasts makes routers less susceptible to denial-of-service attacks. You can enable forwarding of IP directed broadcasts on an interface where the broadcast becomes a physical (MAC-layer) broadcast.

Forwarding UDP Broadcast Packets and Protocols

User Datagram Protocol (UDP) is an IP host-to-host layer protocol, as is TCP. UDP provides a low-overhead, connectionless session between two end systems and does not provide for acknowledgment of received datagrams. Network hosts occasionally use UDP broadcasts to find address, configuration, and name information.

Establishing an IP Broadcast Address

The most popular IP broadcast address (and the default) is an address consisting of all ones (255.255.255.255). However, the switch can be configured to generate any form of IP broadcast address. Beginning in privileged EXEC mode, follow these steps to set the IP broadcast address on an interface:

Step 1   configure terminal   Enter global configuration mode.

Beginning in privileged EXEC mode, follow these steps to use the bridging spanning-tree database to flood UDP datagrams:

Step 1   configure terminal   Enter global configuration mode.
Step 2   ip forward-protocol spanning-tree   Use the bridging spanning-tree database to flood UDP datagrams.
Step 3   end   Return to privileged EXEC mode.
Step 4   show running-config   Verify your entry.
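The two broadcast sections above make one practical point: keep directed broadcasts dropped (the default) and relay the few UDP broadcasts hosts really need as unicasts. The following added example, not from the guide, shows that on an assumed interface Vlan10 with a constructed DHCP server address; the ip helper-address and ip forward-protocol udp commands are standard Cisco IOS commands that this page itself does not list, and the list of services to trim is an assumption about what the subnet needs.

```cisco
! Added example (not from the guide). Assumed: client subnet 10.1.10.0/24 on
! Vlan10, DHCP server at 10.0.0.5 (constructed address).
configure terminal
 interface vlan 10
  ip address 10.1.10.1 255.255.255.0
  ! Default behaviour, stated explicitly: a packet addressed to 10.1.10.255
  ! arriving from elsewhere is dropped rather than turned into a MAC-layer
  ! broadcast, so this subnet cannot be used to amplify traffic.
  no ip directed-broadcast
  ! Relay client UDP broadcasts (DHCP among them) to the server as unicasts
  ! instead of forwarding the broadcast itself.
  ip helper-address 10.0.0.5
 ! ip helper-address relays a default set of UDP services. Turn off the ones
 ! this subnet does not need so that stray broadcasts are not relayed; DHCP
 ! (bootpc/bootps) stays on.
 no ip forward-protocol udp tftp
 no ip forward-protocol udp domain
 no ip forward-protocol udp nameserver
 no ip forward-protocol udp time
 no ip forward-protocol udp netbios-ns
 no ip forward-protocol udp netbios-dgm
 no ip forward-protocol udp tacacs
 end
! The output includes "Directed broadcast forwarding is disabled" and lists
! the helper address; the default setting does not show in running-config.
show ip interface vlan 10
```

The check is done with show ip interface rather than show running-config because a setting at its default value is not written to the configuration, so its absence there proves nothing.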
Enabling IP Unicast Routing

Table 38-3 Commands to Display Caches, Tables, and Databases
show arp   Display the entries in the ARP table.
show hosts   Display the default domain name, style of lookup service, name server hosts, and the cached list of hostnames and addresses.
show ip aliases   Display IP addresses mapped to TCP ports (aliases).
show ip arp   Display the IP ARP cache.

Configuring RIP

Switch(config-router)# network 10.0.0.

Default RIP Configuration

Table 38-4 shows the default RIP configuration.

Table 38-4 Default RIP Configuration
Auto summary   Enabled.
Default-information originate   Disabled.
Default metric   Built-in; automatic metric translations.
IP RIP authentication key-chain   No authentication. Authentication mode: clear text.
IP RIP receive version   According to the version router configuration command.

Step 5   neighbor ip-address   (Optional) Define a neighboring router with which to exchange routing information. This step allows routing updates from RIP (normally a broadcast protocol) to reach nonbroadcast networks.
Step 6   offset-list [access-list number | name] {in | out} offset [type number]   (Optional) Apply an offset list to routing metrics to increase incoming and outgoing metrics to routes learned through RIP.

Configuring RIP Authentication

RIP Version 1 does not support authentication. If you are sending and receiving RIP Version 2 packets, you can enable RIP authentication on an interface. The key chain specifies the set of keys that can be used on the interface. If a key chain is not configured, no authentication is performed, not even the default. Therefore, you must also perform the tasks in the “Managing Authentication Keys” section on page 38-89.

Beginning in privileged EXEC mode, follow these steps to set an interface to advertise a summarized local IP address and to disable split horizon on the interface:

Step 1   configure terminal   Enter global configuration mode.
Step 2   interface interface-id   Enter interface configuration mode, and specify the Layer 3 interface to configure.
Step 3   ip address ip-address subnet-mask   Configure the IP address and IP subnet.

Beginning in privileged EXEC mode, follow these steps to disable split horizon on the interface:

Step 1   configure terminal   Enter global configuration mode.
Step 2   interface interface-id   Enter interface configuration mode, and specify the interface to configure.
Step 3   ip address ip-address subnet-mask   Configure the IP address and IP subnet.
Step 4   no ip split-horizon   Disable split horizon on the interface.

Configuring OSPF

These sections contain this configuration information:
• Default OSPF Configuration, page 38-26
• Configuring Basic OSPF Parameters, page 38-29
• Configuring OSPF Interfaces, page 38-29
• Configuring OSPF Area Parameters, page 38-31
• Configuring Other OSPF Parameters, page 38-32
• Changing LSA Group Pacing, page 38-34
• Configuring a Loopback Interface, page 38-34
• Monitoring OSPF, page 38-35

Note: To enable OSPF, the switch or

Table 38-5 Default OSPF Configuration (continued)
Distance OSPF   dist1 (all routes within an area): 110. dist2 (all routes from one area to another): 110. dist3 (routes from other routing domains): 110.
OSPF database filter   Disabled. All outgoing link-state advertisements (LSAs) are flooded to the interface.
IP OSPF name lookup   Disabled.
Log adjacency changes   Enabled.
Neighbor   None specified.

OSPF NSF Awareness

The IP-services feature set supports OSPF NSF Awareness for IPv4. When the neighboring router is NSF-capable, the Layer 3 switch continues to forward packets from the neighboring router during the interval between the primary Route Processor (RP) in a router crashing and the backup RP taking over, or while the primary RP is manually reloaded for a non-disruptive software upgrade. This feature cannot be disabled.

Configuring Basic OSPF Parameters

Enabling OSPF requires that you create an OSPF routing process, specify the range of IP addresses to be associated with the routing process, and assign area IDs to be associated with that range. Beginning in privileged EXEC mode, follow these steps to enable OSPF:

Step 1   configure terminal   Enter global configuration mode.

Step 3   ip ospf cost   (Optional) Explicitly specify the cost of sending a packet on the interface.
Step 4   ip ospf retransmit-interval seconds   (Optional) Specify the number of seconds between link-state advertisement transmissions. The range is 1 to 65535 seconds. The default is 5 seconds.
Step 5   ip ospf transmit-delay seconds   (Optional) Set the estimated number of seconds to wait before sending a link-state update packet.

Configuring OSPF Area Parameters

You can optionally configure several OSPF area parameters. These parameters include authentication for password-based protection against unauthorized access to an area, stub areas, and not-so-stubby areas (NSSAs). Stub areas are areas into which information on external routes is not sent.
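The area authentication mentioned above is worth seeing end to end, because it is set in two places: the area-wide requirement under the routing process and the key on each interface. The following added example, not from the guide, assumes OSPF process 1, area 0 on interface Vlan100 with network 10.100.0.0/24, key ID 1, and a constructed key string; every router in the area must use the same key ID and string.

```cisco
! Added example (not from the guide). Assumed: OSPF process 1, area 0,
! interface Vlan100 on 10.100.0.0/24, key id 1 with a constructed key string.
configure terminal
 router ospf 1
  network 10.100.0.0 0.0.0.255 area 0
  ! Require MD5-authenticated OSPF packets throughout area 0, so a device
  ! without the key cannot form an adjacency or inject link-state information.
  area 0 authentication message-digest
 interface vlan 100
  ! The per-interface key. To roll the key, add a second key id alongside
  ! this one, wait for all neighbors to carry it, then remove the old id;
  ! the adjacency stays up throughout.
  ip ospf message-digest-key 1 md5 EXAMPLE-KEY-CHANGE-ME
 end
! The interface output reports "Message digest authentication enabled" with
! the youngest key id; a neighbor that fails authentication never reaches
! FULL state in the neighbor table.
show ip ospf interface vlan 100
show ip ospf neighbor
```

The same key ID and string have to be present on the neighbor's interface; a mismatch shows up as a neighbor that is missing from show ip ospf neighbor rather than as an explicit error, so the neighbor table is the first thing to check after enabling authentication.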
Use the no form of these commands to remove the configured parameter value or to return to the default value.

Configuring Other OSPF Parameters

You can optionally configure other OSPF parameters in router configuration mode.

Beginning in privileged EXEC mode, follow these steps to configure these OSPF parameters:

Step 1   configure terminal   Enter global configuration mode.
Step 2   router ospf process-id   Enable OSPF routing, and enter router configuration mode.
Step 3   summary-address address mask   (Optional) Specify an address and IP subnet mask for redistributed routes so that only one summary route is advertised.

Changing LSA Group Pacing

The OSPF LSA group pacing feature allows the router to group OSPF LSAs and pace the refreshing, checksumming, and aging functions for more efficient router use. This feature is enabled by default with a 4-minute default pacing interval, and you will not usually need to modify this parameter.

Monitoring OSPF

You can display specific statistics such as the contents of IP routing tables, caches, and databases. Table 38-6 lists some of the privileged EXEC commands for displaying statistics. For more show ip ospf database privileged EXEC command options and for explanations of fields in the resulting display, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.

Configuring EIGRP

EIGRP offers these features:
• Fast convergence.
• Incremental updates when the state of a destination changes, instead of sending the entire contents of the routing table, minimizing the bandwidth required for EIGRP packets.
• Less CPU usage because full update packets need not be processed each time they are received.
• Protocol-independent neighbor discovery mechanism to learn about neighboring routers.

• Configuring EIGRP Route Authentication, page 38-41
• EIGRP Stub Routing, page 38-42
• Monitoring and Maintaining EIGRP, page 38-43

Note: To enable EIGRP, the switch or stack master must be running the IP services feature set.

Default EIGRP Configuration

Table 38-7 shows the default EIGRP configuration.

Table 38-7 Default EIGRP Configuration
Auto summary   Enabled.

Table 38-7 Default EIGRP Configuration (continued)
NSF Awareness   Enabled. Allows Layer 3 switches to continue forwarding packets from a neighboring NSF-capable router during hardware or software changes.
NSF capability   Disabled. Note: The Catalyst 3750-E switch supports EIGRP NSF-capable routing for IPv4.
Offset-list   Disabled.
Router EIGRP   Disabled.
Set metric   No metric set in the route map.

EIGRP NSF Capability

The Catalyst 3750-E IP-services feature set also supports EIGRP NSF-capable routing for IPv4 for better convergence and lower traffic loss following a stack master change. When an EIGRP NSF-capable stack master restarts or a new stack master starts up and NSF restarts, the switch has no neighbors, and the topology table is empty.

Step 6   metric weights tos k1 k2 k3 k4 k5   (Optional) Adjust the EIGRP metric. Although the defaults have been carefully set to provide excellent operation in most networks, you can adjust them. Caution: Setting metrics is complex and is not recommended without guidance from an experienced network designer.

Step 5   ip hello-interval eigrp autonomous-system-number seconds   (Optional) Change the hello time interval for an EIGRP routing process. The range is 1 to 65535 seconds. The default is 60 seconds for low-speed NBMA networks and 5 seconds for all other networks.
Step 6   ip hold-time eigrp autonomous-system-number seconds   (Optional) Change the hold time interval for an EIGRP routing process. The range is 1 to 65535 seconds.

Step 9   accept-lifetime start-time {infinite | end-time | duration seconds}   (Optional) Specify the time period during which the key can be received. The start-time and end-time syntax can be either hh:mm:ss Month date year or hh:mm:ss date Month year. The default is forever, with the default start-time and the earliest acceptable date as January 1, 1993. The default end-time and duration is infinite.
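Both the RIP authentication section earlier in this chapter and the EIGRP route authentication step above depend on a key chain, and the accept-lifetime syntax just described is what makes a key rollover possible without an outage. The following added example, not from the guide, builds one key chain and applies it to both protocols; it assumes RIP version 2 on interface Vlan20, EIGRP autonomous system 100 on interface Vlan30, and uses constructed key strings and dates.

```cisco
! Added example (not from the guide). Assumed: RIP v2 on Vlan20, EIGRP AS 100
! on Vlan30, both under 10.0.0.0. Key strings and dates are constructed.
configure terminal
 ! One key chain serves both protocols. The two keys overlap in time so the
 ! old key is still accepted while neighbors move to the new one; after its
 ! lifetime ends a key is neither sent nor accepted.
 key chain ROUTING-KEYS
  key 1
   key-string EXAMPLE-OLD-KEY
   accept-lifetime 00:00:00 Jan 1 2007 23:59:59 Jun 30 2007
   send-lifetime 00:00:00 Jan 1 2007 23:59:59 May 31 2007
  key 2
   key-string EXAMPLE-NEW-KEY
   accept-lifetime 00:00:00 May 1 2007 infinite
   send-lifetime 00:00:00 Jun 1 2007 infinite
 router rip
  version 2
  network 10.0.0.0
 router eigrp 100
  network 10.0.0.0
 interface vlan 20
  ! RIP: the key chain alone gives the default clear-text mode, readable by
  ! anyone on the segment; "mode md5" is what makes the key a secret.
  ip rip authentication key-chain ROUTING-KEYS
  ip rip authentication mode md5
 interface vlan 30
  ! EIGRP: both commands carry the autonomous-system number.
  ip authentication mode eigrp 100 md5
  ip authentication key-chain eigrp 100 ROUTING-KEYS
 end
! Lists each key with its accept and send lifetimes. Lifetimes are only as
! good as the switch clock, so keep the clock synchronized (for example with
! NTP) before relying on them.
show key chain ROUTING-KEYS
```

During May 2007 in this constructed schedule the switch still sends key 1 but already accepts key 2, and during June it sends key 2 while still accepting key 1; that overlap is the window in which neighbors can be migrated one at a time.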
Figure 38-4 EIGRP Stub Router Configuration (figure: Switch A, Switch B, Switch C routed to the WAN; Host A, Host B, Host C)

For more information about EIGRP stub routing, see the “Configuring EIGRP Stub Routing” section of the Cisco IOS IP Configuration Guide, Volume 2 of 3: Routing Protocols, Release 12.2.

Monitoring and Maintaining EIGRP

You can delete neighbors from the neighbor table. You can also display various EIGRP routing statistics.

For details about BGP commands and keywords, see the “IP Routing Protocols” part of the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of BGP commands that are visible but not supported by the switch, see Appendix C, “Unsupported Commands in Cisco IOS Release 12.2(37)SE.”

In BGP, each route consists of a network number, a list of autonomous systems that the information has passed through (the autonomous system path), and a list of other path attributes. The primary function of a BGP system is to exchange network reachability information, including information about the list of AS paths, with other BGP systems.

Table 38-9 Default BGP Configuration

Feature                               Default Setting
Aggregate address                     Disabled: None defined.
AS path access list                   None defined.
Auto summary                          Enabled.
Best path                             • The router considers as-path in choosing a route and does not compare similar routes from external BGP peers.
                                      • Compare router ID: Disabled.
BGP community list                    • Number: None defined.
BGP confederation identifier/peers

Table 38-9 Default BGP Configuration (continued)

Feature     Default Setting
Neighbor    • Advertisement interval: 30 seconds for external peers; 5 seconds for internal peers.
            • Change logging: Enabled.
            • Conditional advertisement: Disabled.
            • Default originate: No default route is sent to the neighbor.
            • Description: None.
            • Distribute list: None defined.
            • External BGP multihop: Only directly connected neighbors are allowed.

neighboring router during the interval between the primary Route Processor (RP) in a router failing and the backup RP taking over, or while the primary RP is manually reloaded for a nondisruptive software upgrade. For more information, see the “BGP Nonstop Forwarding (NSF) Awareness” section of the Cisco IOS IP Routing Protocols Configuration Guide, Release 12.4 at this URL: http://www.cisco.
Step 5  neighbor {ip-address | peer-group-name} remote-as number
        Add an entry to the BGP neighbor table specifying that the neighbor identified by the IP address belongs to the specified AS. For EBGP, neighbors are usually directly connected, and the IP address is the address of the interface at the other end of the connection. For IBGP, the IP address can be the address of any of the router interfaces.

Router B:
Switch(config)# router bgp 200
Switch(config-router)# neighbor 129.213.1.2 remote-as 100
Switch(config-router)# neighbor 175.220.1.2 remote-as 200

Router C:
Switch(config)# router bgp 200
Switch(config-router)# neighbor 175.220.212.1 remote-as 200
Switch(config-router)# neighbor 192.208.10.1 remote-as 300

Router D:
Switch(config)# router bgp 300
Switch(config-router)# neighbor 192.208.10.

establish a TCP session. A soft reset allows the dynamic exchange of route refresh requests and routing information between BGP routers and the subsequent re-advertisement of the respective outbound routing table.
• When soft reset generates inbound updates from a neighbor, it is called dynamic inbound soft reset.
• When soft reset sends a set of updates to a neighbor, it is called outbound soft reset.

Configuring BGP Decision Attributes

When a BGP speaker receives updates from multiple autonomous systems that describe different paths to the same destination, it must choose the single best path for reaching that destination. When chosen, the selected path is entered into the BGP routing table and propagated to its neighbors. The decision is based on the value of attributes that the update contains and other BGP-configurable factors.

Beginning in privileged EXEC mode, follow these steps to configure some decision attributes:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  router bgp autonomous-system
        Enable a BGP routing process, assign it an AS number, and enter router configuration mode.

Step 3  bgp best-path as-path ignore
        (Optional) Configure the router to ignore AS path length in selecting a route.

Step 14 show ip bgp
        show ip bgp neighbors
        Verify the reset by checking information about the routing table and about BGP neighbors.

Step 15 copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use the no form of each command to return to the default state.

path, community, and network numbers. Autonomous system path matching requires the match as-path access-list route-map command, community-based matching requires the match community-list route-map command, and network-based matching requires the ip access-list global configuration command.
Configuring Prefix Lists for BGP Filtering

You can use prefix lists as an alternative to access lists in many BGP route filtering commands, including the neighbor distribute-list router configuration command. The advantages of using prefix lists include performance improvements in loading and lookup of large lists, incremental update support, easier CLI configuration, and greater flexibility.

sequence number command; to reenable automatic generation, use the ip prefix-list sequence number command. To clear the hit-count table of prefix list entries, use the clear ip prefix-list privileged EXEC command.

Configuring BGP Community Filtering

One way that BGP controls the distribution of routing information is based on the value of the COMMUNITIES attribute.

Step 5  set comm-list list-num delete
        (Optional) Remove communities from the community attribute of an inbound or outbound update that match a standard or extended community list specified by a route map.

Step 6  exit
        Return to global configuration mode.

Step 7  ip bgp-community new-format
        (Optional) Display and parse BGP communities in the format AA:NN. A BGP community is displayed in a two-part format 2 bytes long.

Step 7  neighbor {ip-address | peer-group-name} default-originate [route-map map-name]
        (Optional) Allow a BGP speaker (the local router) to send the default route 0.0.0.0 to a neighbor for use as a default route.

Step 8  neighbor {ip-address | peer-group-name} send-community
        (Optional) Specify that the COMMUNITIES attribute be sent to the neighbor at this IP address.

Step 23 neighbor {ip-address | peer-group-name} soft-reconfiguration inbound
        (Optional) Configure the software to start storing received updates.

Step 24 end
        Return to privileged EXEC mode.

Step 25 show ip bgp neighbors
        Verify the configuration.

Step 26 copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To delete an aggregate entry, use the no aggregate-address address mask router configuration command. To return options to the default values, use the command with keywords.

Configuring Routing Domain Confederations

One way to reduce the IBGP mesh is to divide an autonomous system into multiple subautonomous systems and to group them into a single confederation that appears as a single autonomous system.

When the route reflector receives an advertised route, it takes one of these actions, depending on the neighbor:
• A route from an external BGP speaker is advertised to all clients and nonclient peers.
• A route from a nonclient peer is advertised to all clients.
• A route from a client is advertised to all clients and nonclient peers.
Hence, the clients need not be fully meshed.
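The three reflection rules above, worked through in Python as an added example (this is not code from the Cisco guide). The peer names and roles are constructed; the two session-count helpers show why the clients no longer need a full IBGP mesh.

```python
"""Route-reflector re-advertisement rules (added example; not Cisco's code).

Models the three rules a route reflector applies when it receives a route and
shows the IBGP sessions saved by reflecting for clients. Peer names and roles
below are constructed sample values.
"""
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Peer roles as seen by the reflector.
EBGP, CLIENT, NONCLIENT = "ebgp", "client", "nonclient"

# Constructed peering table for one reflector: peer name -> role.
PEERS: Dict[str, str] = {
    "ebgp-1": EBGP,
    "client-1": CLIENT,
    "client-2": CLIENT,
    "client-3": CLIENT,
    "nonclient-1": NONCLIENT,
    "nonclient-2": NONCLIENT,
}

# Which roles receive a route learned from a peer of each role.
REFLECT_TO: Dict[str, Set[str]] = {
    EBGP: {CLIENT, NONCLIENT},    # external route: all clients and nonclient peers
    NONCLIENT: {CLIENT},          # nonclient route: clients only (nonclients are meshed)
    CLIENT: {CLIENT, NONCLIENT},  # client route: all clients and nonclient peers
}


def reflect_targets(source: str, peers: Dict[str, str]) -> List[str]:
    """Return the peers to which a route learned from `source` is re-advertised."""
    role = peers[source]
    if role not in REFLECT_TO:
        raise ValueError(f"unknown peer role {role!r} for {source}")
    wanted = REFLECT_TO[role]
    # The route is never sent back to the peer it was learned from.
    return sorted(p for p, r in peers.items() if r in wanted and p != source)


def ibgp_sessions_full_mesh(routers: List[str]) -> Set[Tuple[str, str]]:
    """IBGP sessions needed when every router peers with every other router."""
    return set(combinations(sorted(routers), 2))


def ibgp_sessions_with_reflector(reflector: str, peers: Dict[str, str]) -> Set[Tuple[str, str]]:
    """IBGP sessions needed when `reflector` reflects routes for its clients.

    Clients peer only with the reflector; the reflector and its nonclient
    peers still form a full mesh among themselves.
    """
    clients = [p for p, r in peers.items() if r == CLIENT]
    nonclients = [p for p, r in peers.items() if r == NONCLIENT]
    sessions = set(combinations(sorted([reflector] + nonclients), 2))
    sessions.update(tuple(sorted((reflector, c))) for c in clients)
    return sessions


if __name__ == "__main__":
    for src in ("ebgp-1", "nonclient-1", "client-1"):
        print(f"route from {src:<12} -> {reflect_targets(src, PEERS)}")
    ibgp = ["rr"] + [p for p, r in PEERS.items() if r != EBGP]
    print("full mesh sessions:", len(ibgp_sessions_full_mesh(ibgp)))
    print("with reflector:    ", len(ibgp_sessions_with_reflector("rr", PEERS)))
```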
Beginning in privileged EXEC mode, use these commands to configure BGP route dampening:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  router bgp autonomous-system
        Enter BGP router configuration mode.

Step 3  bgp dampening
        Enable BGP route dampening.

Step 4  bgp dampening half-life reuse suppress max-suppress [route-map map]
        (Optional) Change the default values of route dampening factors.

Table 38-11 IP BGP Clear and Show Commands (continued)

Command: show ip bgp prefix
Purpose: Display peer groups and peers not in peer groups to which the prefix has been advertised. Also display prefix attributes such as the next hop and the local prefix.

Command: show ip bgp cidr-only
Purpose: Display all BGP routes that contain subnet and supernet network masks.

These sections contain this information:
• Understanding Multi-VRF CE, page 38-65
• Default Multi-VRF CE Configuration, page 38-67
• Multi-VRF CE Configuration Guidelines, page 38-67
• Configuring VRFs, page 38-68
• Configuring a VPN Routing Session, page 38-69
• Configuring BGP PE to CE Routing Sessions, page 38-70
• Multi-VRF CE Configuration Example, page 38-70
• Displaying Multi-VRF CE Status, page 38-75

Understanding M

Figure 38-6 Catalyst 3750-E or 3560-E Switches Acting as Multiple Virtual CEs (figure: CE1 and CE2 connected to PE1 and PE2 across the service provider network, carrying VPN 1 and VPN 2; CE = Customer-edge device, PE = Provider-edge device)

When the CE switch receives a command to add a Layer 3 interface to a VRF, it sets up the appropriate mapping between the VLAN ID and the policy label (PL) in multi-VRF-CE-related data structures and adds the VLAN ID and PL to the VLAN d

To configure VRF, you create a VRF table and specify the Layer 3 interface associated with the VRF. Then configure the routing protocols in the VPN and between the CE and the PE. BGP is the preferred routing protocol used to distribute VPN routing information across the provider’s backbone. The multi-VRF CE network has three major components:
• VPN route target communities—lists of all other members of a VPN community.

• A customer can use multiple VLANs as long as they do not overlap with those of other customers. A customer’s VLANs are mapped to a specific routing table ID that is used to identify the appropriate routing tables stored on the switch.
• A Catalyst 3750-E or 3560-E switch supports one global network and up to 26 VRFs.
• Most routing protocols (BGP, OSPF, RIP, and static routing) can be used between the CE and the PE.

Step 9  end
        Return to privileged EXEC mode.

Step 10 show ip vrf [brief | detail | interfaces] [vrf-name]
        Verify the configuration. Display information about the configured VRFs.

Step 11 copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use the no ip vrf vrf-name global configuration command to delete a VRF and to remove all interfaces from it.

Configuring BGP PE to CE Routing Sessions

Beginning in privileged EXEC mode, follow these steps to configure a BGP PE to CE routing session:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  router bgp autonomous-system-number
        Configure the BGP routing process with the AS number passed to other BGP routers, and enter router configuration mode.

Figure 38-7 Multi-VRF CE Configuration Example (figure: Switch A through Switch K; CE1, CE2 and PE; VPN1, VPN2 and the global network; networks 208.0.0.0, 108.0.0.0, 118.0.0.0 and 168.0.0.; Fast Ethernet 7, 8 and 11; Gigabit Ethernet 1)
Configuring Switch A

On Switch A, enable routing and configure VRF.

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface vlan118
Switch(config-if)# ip vrf forwarding v12
Switch(config-if)# ip address 118.0.0.8 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface vlan208
Switch(config-if)# ip vrf forwarding v11
Switch(config-if)# ip address 208.0.0.8 255.255.255.0
Switch(config-if)# exit

Configure OSPF routing in VPN1 and VPN2.

Configuring Switch F

Switch F belongs to VPN 2. Configure the connection to Switch A by using these commands.

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Router(config)# router bgp 100
Router(config-router)# address-family ipv4 vrf v2
Router(config-router-af)# neighbor 83.0.0.8 remote-as 800
Router(config-router-af)# neighbor 83.0.0.8 activate
Router(config-router-af)# network 3.3.2.0 mask 255.255.255.0
Router(config-router-af)# exit
Router(config-router)# address-family ipv4 vrf vl
Router(config-router-af)# neighbor 38.0.0.
Configuring Protocol-Independent Features

This section describes how to configure IP routing protocol-independent features. These features are available on switches running the IP base or the IP services feature set, except that with the IP base feature set, protocol-related features are available only for RIP.

The default configuration is CEF or dCEF enabled on all Layer 3 interfaces. Entering the no ip route-cache cef interface configuration command disables CEF for traffic that is being forwarded by software. This command does not affect the hardware forwarding path. Disabling CEF and using the debug ip packet detail privileged EXEC command can be useful to debug software-forwarded traffic.

Even though the router automatically learns about and configures equal-cost routes, you can control the maximum number of parallel paths supported by an IP routing protocol in its routing table. Although the switch software allows a maximum of 32 equal-cost routes, the switch hardware will never use more than 16 paths per route.

Table 38-14 Dynamic Routing Protocol Default Administrative Distances

Route Source                  Default Distance
Connected interface           0
Static route                  1
Enhanced IGRP summary route   5
External BGP                  20
Internal Enhanced IGRP        90
IGRP                          100
OSPF                          110
Internal BGP                  200
Unknown                       225

Static routes that point to an interface are advertised through RIP, IGRP, and other dynamic routing protocols, whether or not static redistribute r

Step 3  end
        Return to privileged EXEC mode.

Step 4  show ip route
        Display the selected default route in the gateway of last resort display.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use the no ip default-network network number global configuration command to remove the route.

Note: Although each of Steps 3 through 14 in the following section is optional, you must enter at least one match route-map configuration command and one set route-map configuration command.

Beginning in privileged EXEC mode, follow these steps to configure a route map for redistribution:

Step 1  configure terminal
        Enter global configuration mode.

Step 12 set dampening halflife reuse suppress max-suppress-time
        Set BGP route dampening factors.

Step 13 set local-preference value
        Assign a value to a local BGP path.

Step 14 set origin {igp | egp as | incomplete}
        Set the BGP origin code.

Step 15 set as-path {tag | prepend as-path-string}
        Modify the BGP autonomous system path.

Beginning in privileged EXEC mode, follow these steps to control route redistribution. Note that the keywords are the same as defined in the previous procedure.

Step 1  configure terminal
        Enter global configuration mode.

Step 2  router {bgp | rip | ospf | eigrp}
        Enter router configuration mode.
With PBR, you classify traffic using access control lists (ACLs) and then make traffic go through a different path. PBR is applied to incoming packets. All packets received on an interface with PBR enabled are passed through route maps. Based on the criteria defined in the route maps, packets are forwarded (routed) to the appropriate next hop.

• To use PBR, you must first enable the routing template by using the sdm prefer routing global configuration command. PBR is not supported with the VLAN or default template. For more information on the SDM templates, see Chapter 8, “Configuring SDM Templates.”
• VRF and PBR are mutually exclusive on a switch interface. You cannot enable VRF when PBR is enabled on an interface.

Beginning in privileged EXEC mode, follow these steps to configure PBR:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  route-map map-tag [permit] [sequence number]
        Define any route maps used to control where packets are output, and enter route-map configuration mode.
        • map-tag—A meaningful name for the route map.

Step 11 end
        Return to privileged EXEC mode.

Step 12 show route-map [map-name]
        (Optional) Display all route maps configured or only the one specified to verify configuration.

Step 13 show ip policy
        (Optional) Display policy route maps attached to interfaces.

Step 14 show ip local policy
        (Optional) Display whether or not local policy routing is enabled and, if so, the route map being used.

Step 7  end
        Return to privileged EXEC mode.

Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use a network monitoring privileged EXEC command such as show ip ospf interface to verify the interfaces that you enabled as passive, or use the show ip interface privileged EXEC command to verify the interfaces that you enabled as active.

router to intelligently discriminate between sources of routing information. The router always picks the route whose routing protocol has the lowest administrative distance. Table 38-14 on page 38-79 shows the default administrative distances for various routing information sources. Because each network has its own requirements, there are no general guidelines for assigning administrative distances.

Beginning in privileged EXEC mode, follow these steps to manage authentication keys:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  key chain name-of-chain
        Identify a key chain, and enter key chain configuration mode.

Step 3  key number
        Identify the key number. The range is 0 to 2147483647.

Step 4  key-string text
        Identify the key string.

Table 38-15 Commands to Clear IP Routes or Display Route Status (continued)

Command: show ip route supernets-only
Purpose: Display supernets.

Command: show ip cache
Purpose: Display the routing table used to switch IP traffic.

Command: show route-map [map-name]
Purpose: Display all route maps configured or only the one specified.
CHAPTER 39 Configuring IPv6 Unicast Routing

Internet Protocol Version 6 (IPv6) is the network-layer Internet Protocol intended to replace Version 4 (IPv4) in the TCP/IP suite of protocols. This chapter describes how to configure IPv6 unicast routing on the Catalyst 3750-E or 3560-E switch. For information about configuring IPv4 unicast routing, see Chapter 38, “Configuring IP Unicast Routing.”

The architecture of IPv6 allows existing IPv4 users to transition easily to IPv6, and provides services such as end-to-end security, quality of service (QoS), and globally unique addresses. The flexibility of the IPv6 address space reduces the need for private addresses and the use of Network Address Translation (NAT) processing by border routers at the edge of networks.

For more information about IPv6 address formats, address types, and the IPv6 packet header, go to the “Implementing Basic Connectivity for IPv6” chapter of the Cisco IOS IPv6 Configuration Library at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_configuration_guide_chapter09186a00801d65f5.

These addresses are defined by a global routing prefix, a subnet ID, and an interface ID. Current global unicast address allocation uses the range of addresses that start with binary value 001 (2000::/3). Addresses with a prefix of 2000::/3 (001) through E000::/3 (111) must have 64-bit interface identifiers in the extended universal identifier (EUI)-64 format.

A value of 135 in the Type field of the ICMP packet header identifies a neighbor solicitation message. These messages are sent on the local link when a node needs to determine the link-layer address of another node on the same local link. When a destination node receives a neighbor solicitation message, it replies by sending a neighbor advertisement message, which has a value of 136 in the ICMP packet header Type field.

• DNS resolver for AAAA over IPv4 transport
• Cisco Discovery Protocol (CDP) support for IPv6 addresses

For more information about managing these applications with Cisco IOS, see the “Managing Cisco IOS Applications over IPv6” chapter in the Cisco IOS IPv6 Configuration Library at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_configuration_guide_chapter09186a00801d65f3.

• Simple Network Management Protocol (SNMP) over IPv6 transport
• IPv6 Hot Standby Router Protocol (HSRP)
• DHCPv6
• IPv6 packets destined to site-local addresses
• Tunneling protocols, such as IPv4-to-IPv6 or IPv6-to-IPv4
• The switch as a tunnel endpoint supporting IPv4-to-IPv6 or IPv6-to-IPv4 tunneling protocols
• IPv6 unicast reverse-path forwarding
• IPv6 general prefixes

Limitations

Because IPv6 is implemented in hardware
Note: To route IPv6 packets in a stack, all switches in the stack should be running the advanced IP services feature set. If a new switch becomes the stack master, the new master recomputes the IPv6 routing tables and distributes them to the member switches. While the new stack master is elected and is resetting, the switch stack does not forward IPv6 packets. If a new switch becomes the stack master, the stack MAC address also changes.

SDM Templates

To allocate system resources for unicast routes, MAC addresses, ACLs and other features, the switch SDM templates prioritize system resources to optimize support for certain features. You select the template that best suits the switch environment by entering the sdm prefer global configuration command. For more information about SDM templates, see Chapter 8, “Configuring SDM Templates.”

Note: An IPv4 route requires only one hardware entry. Because of the hardware compression scheme used for IPv6, an IPv6 route can take more than one hardware entry, reducing the number of entries forwarded in hardware. For example, for IPv6 directly connected IP addresses, the desktop template might allow fewer than two thousand entries. Table 39-1 defines the approximate feature resources allocated by each new template.

Default IPv6 Configuration

Table 39-2 shows the default IPv6 configuration.

Table 39-2 Default IPv6 Configuration

Feature              Default Setting
SDM template         Default
IPv6 routing         Disabled globally and on all interfaces
CEFv6 or dCEFv6      Disabled (IPv4 CEF and dCEF are enabled by default)
                     Note: When IPv6 routing is enabled, CEFv6 and dCEFv6 are automatically enabled.
IPv6 addresses

Beginning in privileged EXEC mode, follow these steps to assign an IPv6 address to a Layer 3 interface and enable IPv6 routing:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan}
        Select an SDM template that supports IPv4 and IPv6.
        • default—Set the switch to the default template to balance system resources.

without arguments. To disable IPv6 processing on an interface that has not been explicitly configured with an IPv6 address, use the no ipv6 enable interface configuration command. To globally disable IPv6 routing, use the no ipv6 unicast-routing global configuration command.

This example shows how to enable IPv6 with both a link-local address and a global address based on the IPv6 prefix 2001:0DB8:c18:1::/64.
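How the interface identifier behind that example is derived, covering both the EUI-64 requirement stated in Understanding IPv6 and the eui-64 style address assignment for the prefix 2001:0DB8:c18:1::/64 above. This is an added Python example, not code from the Cisco guide; the MAC addresses used are constructed sample values.

```python
"""Modified EUI-64 interface identifiers for IPv6 (added example; not Cisco's code).

Builds the interface ID the way eui-64 address assignment does: the 48-bit
MAC is split in half, FFFE is inserted in the middle, and the universal/local
bit of the first octet is inverted. MAC addresses below are constructed.
"""
import ipaddress
import re
from typing import Union


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco-style aabb.ccdd.eeff."""
    hexdigits = re.sub(r"[:.\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def modified_eui64(mac: str) -> bytes:
    """Return the 8-byte Modified EUI-64 interface identifier for a MAC address."""
    m = parse_mac(mac)
    # Inverting bit 0x02 of the first octet marks a globally unique MAC as a
    # "universal" interface ID (and a locally administered MAC as "local").
    first = m[0] ^ 0x02
    return bytes([first]) + m[1:3] + b"\xff\xfe" + m[3:6]


def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix such as 2001:0DB8:c18:1::/64 with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers require a 64-bit prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Link-local address: FE80::/64 plus the EUI-64 interface ID."""
    return address_from_prefix("fe80::/64", mac)


def requires_eui64_iid(addr: Union[str, ipaddress.IPv6Address]) -> bool:
    """True for unicast addresses whose first three bits are 001 through 111.

    That is the 2000::/3 through E000::/3 range named in the text; only
    addresses starting with 000 (for example ::1) are exempt.
    """
    value = int(ipaddress.IPv6Address(addr))
    return 1 <= (value >> 125) <= 7


if __name__ == "__main__":
    mac = "0007.0007.0007"  # constructed sample MAC in Cisco notation
    print("interface ID:", modified_eui64(mac).hex())
    print("link-local:  ", link_local_from_mac(mac))
    print("global:      ", address_from_prefix("2001:0DB8:c18:1::/64", mac))
```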
Step 4  interface interface-id
        Enter interface configuration mode, and specify the Layer 3 interface to configure.

Step 5  no switchport
        Remove the interface from Layer 2 configuration mode (if it is a physical interface).

Step 6  ip address ip-address mask [secondary]
        Specify a primary or secondary IPv4 address for the interface.

Configuring IPv6 ICMP Rate Limiting

IPv6 ICMP rate limiting uses a token-bucket algorithm for limiting the rate at which IPv6 ICMP error messages are sent to the network. The limit is specified as a time interval between error messages and a bucket size.
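The token-bucket behaviour described above, as an added Python example (not code from the Cisco guide): one token is added per interval, the bucket caps the burst, and every error message the switch would send costs a token. The interval, bucket size and event times are constructed values, not the switch's defaults.

```python
"""Token-bucket rate limiting of ICMPv6 error messages (added example; not Cisco's code).

`interval_ms` is how often one token (one permitted error message) is added and
`bucket_size` is the most that can accumulate, i.e. the largest allowed burst.
Keeping a bound on error-message generation limits how much work a flood of
undeliverable packets can make the control plane do.
"""
from typing import List, Tuple


class IcmpErrorRateLimiter:
    def __init__(self, interval_ms: int, bucket_size: int) -> None:
        if interval_ms <= 0 or bucket_size <= 0:
            raise ValueError("interval and bucket size must be positive")
        self.interval_ms = interval_ms
        self.bucket_size = bucket_size
        self.tokens = bucket_size      # start full: an initial burst is allowed
        self.last_refill_ms = 0        # time up to which tokens have been credited

    def allow(self, now_ms: int) -> bool:
        """Return True if an error message may be sent at `now_ms`, False if it is rate-limited."""
        elapsed = now_ms - self.last_refill_ms
        if elapsed >= self.interval_ms:
            whole_intervals = elapsed // self.interval_ms
            self.tokens = min(self.bucket_size, self.tokens + whole_intervals)
            # Advance only by whole intervals so a partial interval is not lost.
            self.last_refill_ms += whole_intervals * self.interval_ms
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def simulate(limiter: IcmpErrorRateLimiter, event_times_ms: List[int]) -> List[bool]:
    """Run a sequence of error-message triggers (ms timestamps) through the limiter."""
    return [limiter.allow(t) for t in event_times_ms]


def sent_and_limited(interval_ms: int, bucket_size: int, event_times_ms: List[int]) -> Tuple[int, int]:
    """Count how many triggers produced a message and how many were suppressed."""
    results = simulate(IcmpErrorRateLimiter(interval_ms, bucket_size), event_times_ms)
    return results.count(True), results.count(False)


if __name__ == "__main__":
    # Constructed scenario: 30 undeliverable packets arrive in the same millisecond,
    # then one every 50 ms. With a 100 ms interval and a bucket of 10, the burst is
    # capped at 10 messages and the steady state passes one message per interval.
    burst_then_steady = [0] * 30 + list(range(50, 1001, 50))
    print(sent_and_limited(100, 10, burst_then_steady))
```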
To disable IPv6 CEF or distributed CEF, use the no ipv6 cef or no ipv6 cef distributed global configuration command. To reenable IPv6 CEF or dCEF if it has been disabled, use the ipv6 cef or ipv6 cef distributed global configuration command. You can verify the IPv6 state by entering the show ipv6 cef privileged EXEC command.

Beginning in privileged EXEC mode, follow these steps to configure an IPv6 static route:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  ipv6 route ipv6-prefix/prefix length {ipv6-address | interface-id [ipv6-address]} [administrative distance]
        Configure a static IPv6 route.
        • ipv6-prefix—The IPv6 network that is the destination of the static route.

Step 4  show ipv6 static [ipv6-address | ipv6-prefix/prefix length] [interface interface-id] [recursive] [detail]
        Verify your entries by displaying the contents of the IPv6 routing table.
        or
        • interface interface-id—(Optional) Display only those static routes with the specified interface as an egress interface.
        • recursive—(Optional) Display only recursive static routes.

Beginning in privileged EXEC mode, follow these required and optional steps to configure IPv6 RIP:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  ipv6 router rip name
        Configure an IPv6 RIP routing process, and enter router configuration mode for the process.

Step 3  maximum-paths number-paths
        (Optional) Define the maximum number of equal-cost routes that IPv6 RIP can support.

Configuring OSPF for IPv6

Open Shortest Path First (OSPF) is a link-state protocol for IP, which means that routing decisions are based on the states of the links that connect the source and destination devices. The state of a link is a description of the interface and its relationship to its neighboring networking devices.

Beginning in privileged EXEC mode, follow these required and optional steps to configure IPv6 OSPF:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  ipv6 router ospf process-id
        Enable OSPF router configuration mode for the process. The process ID is the number assigned administratively when enabling the OSPF for IPv6 routing process. It is locally assigned and can be a positive integer from 1 to 65535.

To disable an OSPF routing process, use the no ipv6 router ospf process-id global configuration command. To disable the OSPF routing process for an interface, use the no ipv6 ospf process-id area area-id interface configuration command. For more information about configuring OSPF routing for IPv6, see the “Implementing OSPF for IPv6” chapter in the Cisco IOS IPv6 Configuration Library at this URL: http://www.cisco.

  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds

This is an example of the output from the show ipv6 neighbors privileged EXEC command:

Switch# show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
3FFE:C000:0:7::777                          - 0007.0007.0007  REACH Vl7
3FFE:C101:113:1::33                         - 0000.0000.

  ICMP statistics:
    Rcvd: 1 input, 0 checksum errors, 0 too short
          0 unknown info type, 0 unknown error type
          unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
          parameter: 0 error, 0 header, 0 option
          0 hopcount expired, 0 reassembly timeout, 0 too big
          0 echo request, 0 echo reply
          0 group query, 0 group report, 0 group reduce
          1 router solicit, 0 router advert, 0 redirects
          0 neighbor solicit, 0 neighbor advert
    Sent: 10112 output, 0 rate-limited u
CHAPTER 40 Configuring HSRP and Enhanced Object Tracking

This chapter describes how to use Hot Standby Router Protocol (HSRP) on the Catalyst 3750-E or 3560-E switch to provide routing redundancy for routing IP traffic without being dependent on the availability of any single router. It also provides information about configuring enhanced object tracking, which enhances the HSRP tracking mechanism.
Understanding HSRP

Note: Routers in an HSRP group can be any router interface that supports HSRP, including Catalyst 3750-E or 3560-E routed ports and switch virtual interfaces (SVIs).

HSRP provides high network availability by providing redundancy for IP traffic from hosts on networks.
Figure 40-1 Typical HSRP Configuration (figure: Router A as the active router and Router B as the standby router presenting one virtual router to Host A, Host B and Host C on the 172.20.128.0 segment)

Multiple HSRP

The switch supports Multiple HSRP (MHSRP), an extension of HSRP that allows load sharing between two or more HSRP groups.
Figure 40-2 MHSRP Load Sharing (figure: Router A and Router B, addresses 10.0.0.1 and 10.0.0.2, each the active router for one HSRP group and the standby router for the other, serving Client 1 through Client 4)

HSRP and Switch Stacks

HSRP hello messages are generated by the stack master. If an HSRP-active stack master fails, a flap in the HSRP active state might occur.
Configuring HSRP

Default HSRP Configuration

Table 40-1 shows the default HSRP configuration.

Table 40-1 Default HSRP Configuration
Feature               Default Setting
HSRP groups           None configured
Standby group number  0
Standby MAC address   System assigned as: 0000.0c07.
When the standby ip command is enabled on an interface and proxy ARP is enabled, if the interface’s Hot Standby state is active, proxy ARP requests are answered using the Hot Standby group MAC address. If the interface is in a different state, proxy ARP responses are suppressed.
Configuring HSRP Priority

The standby priority, standby preempt, and standby track interface configuration commands are all used to set characteristics for finding active and standby routers and behavior regarding when a new active router takes over. When configuring HSRP priority, follow these guidelines:
• Assigning priority helps select the active and standby routers.
Step 3  standby [group-number] priority priority [preempt [delay delay]]
        Set a priority value used in choosing the active router. The range is 1 to 255; the default priority is 100. The highest number represents the highest priority.
        • (Optional) group-number—The group number to which the command applies.
This example activates a port, sets an IP address and a priority of 120 (higher than the default value), and waits for 300 seconds (5 minutes) before attempting to become the active router:

Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# standby ip 172.20.128.
When configuring these attributes, follow these guidelines:
• The authentication string is sent unencrypted in all HSRP messages. You must configure the same authentication string on all routers and access servers on a cable to ensure interoperation. Authentication mismatch prevents a device from learning the designated Hot Standby IP address and timer values from other routers configured with HSRP. Because the string travels in clear text, it protects against misconfiguration rather than against any host on the segment that can read the HSRP messages.
Displaying HSRP Configurations

This example shows how to set the timers on standby group 1 with the time between hello packets at 5 seconds and the time after which a router is considered down to be 15 seconds:

Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# standby 1 ip
Switch(config-if)# standby 1 timers 5 15
Switch(config-if)# end

Enabling HSRP Support for ICMP Redirec
Configuring Enhanced Object Tracking

This is an example of output from the show standby privileged EXEC command, displaying HSRP information for two standby groups (group 1 and group 100):

Switch# show standby
VLAN1 - Group 1
  Local state is Standby, priority 105, may preempt
  Hellotime 3 holdtime 10
  Next hello sent in 00:00:02.182
  Hot standby IP address is 172.20.128.3 configured
  Active router is 172.20.128.
Configuring Enhanced Object Tracking Features

These sections describe configuring enhanced object tracking:
• Tracking Interface Line-Protocol or IP Routing State, page 40-13
• Configuring a Tracked List, page 40-14
• Configuring HSRP Object Tracking, page 40-17
• Configuring Other Tracking Characteristics, page 40-18

Tracking Interface Line-Protocol or IP Routing State

You can track either the interface
This example configures the tracking of an interface line-protocol state and verifies the configuration:

Switch(config)# track 33 interface gigabitethernet 1/0/1 line-protocol
Switch(config-track)# end
Switch# show track 33
Track 33
  Interface GigabitEthernet0/1 line-protocol
  Line protocol is Down (hw down)
    1 change, last change 00:18:28

Configuring a Tracked List

You can configure a tracked list of objects with
Step 4  delay {up seconds [down seconds] | [up seconds] down seconds}
        (Optional) Specify a period of time in seconds to delay communicating state changes of a tracked object. The range is from 1 to 180 seconds.
Step 5  end
        Return to privileged EXEC mode.
Step 6  show track object-number
        Verify that the specified objects are being tracked.
Use the no track track-number global configuration command to delete the tracked list.

The example configures track list 4 to track by weight threshold. If objects 1 and 2 are down, track list 4 is still up, because object 3 alone satisfies the up threshold value of 30. But if object 3 is down, both objects 1 and 2 must be up to satisfy the threshold weight.
This example configures tracked list 4 with three objects and specified percentages to measure the state of the list:

Switch(config)# track 4 list threshold percentage
Switch(config-track)# object 1
Switch(config-track)# object 2
Switch(config-track)# object 3
Switch(config-track)# threshold percentage up 51 down 10
Switch(config-track)# exit

Configuring HSRP Object Tracking

Beginning in privileged EXEC mode,
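The two tracked-list evaluations described above (weight threshold up 30, and percentage threshold up 51 down 10 over three objects), worked through in an added Python model that is not code from the guide or from Cisco IOS. It assumes the list goes up when the measured value reaches the up threshold, goes down when the value falls to the down threshold or below, and keeps its previous state in between; the object weights 15, 15 and 30 for the weight list are constructed so that object 3 alone meets the threshold while objects 1 and 2 meet it only together, as the text says.

```python
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class TrackedList:
    """Model of a tracked list (threshold weight or threshold percentage).

    Assumed semantics (added example, not Cisco code): the list changes to UP
    when the measured value reaches the up threshold, changes to DOWN when the
    value falls to the down threshold or below, and keeps its previous state
    while the value lies between the two thresholds.
    """
    mode: str                      # "weight" or "percentage"
    up: int                        # up threshold (weight, or percent of objects)
    down: int                      # down threshold
    weights: Dict[int, int] = field(default_factory=dict)  # object -> weight
    state: str = "DOWN"

    def add_object(self, number: int, weight: int = 1) -> None:
        """Equivalent of the 'object <number> [weight <w>]' list entry.
        In percentage mode every object counts once, so weight is ignored."""
        self.weights[number] = 1 if self.mode == "percentage" else weight

    def value(self, object_states: Dict[int, str]) -> int:
        """Total weight of the objects that are UP, or in percentage mode the
        percentage of the list's objects that are UP."""
        up_total = sum(w for n, w in self.weights.items()
                       if object_states.get(n) == "UP")
        if self.mode == "percentage":
            return 100 * up_total // len(self.weights)
        return up_total

    def evaluate(self, object_states: Dict[int, str]) -> str:
        """Re-evaluate the list after a change in the tracked objects."""
        value = self.value(object_states)
        if value >= self.up:
            self.state = "UP"
        elif value <= self.down:
            self.state = "DOWN"
        return self.state


def weight_list_example() -> Dict[str, str]:
    """Track list 4 by weight threshold (up 30, down 10). Object weights
    15, 15 and 30 are constructed: object 3 alone reaches the up threshold,
    objects 1 and 2 reach it only together."""
    lst = TrackedList(mode="weight", up=30, down=10)
    lst.add_object(1, weight=15)
    lst.add_object(2, weight=15)
    lst.add_object(3, weight=30)
    return {
        "only object 3 up": lst.evaluate({1: "DOWN", 2: "DOWN", 3: "UP"}),    # 30 -> UP
        "objects 1 and 2 up": lst.evaluate({1: "UP", 2: "UP", 3: "DOWN"}),    # 30 -> UP
        "only object 1 up": lst.evaluate({1: "UP", 2: "DOWN", 3: "DOWN"}),    # 15: between thresholds, stays UP
        "all objects down": lst.evaluate({1: "DOWN", 2: "DOWN", 3: "DOWN"}),  # 0 -> DOWN
    }


def percentage_list_example() -> Dict[str, str]:
    """Tracked list 4 with three objects and 'threshold percentage up 51 down 10'."""
    lst = TrackedList(mode="percentage", up=51, down=10)
    for number in (1, 2, 3):
        lst.add_object(number)
    return {
        "2 of 3 up": lst.evaluate({1: "UP", 2: "UP", 3: "DOWN"}),      # 66% -> UP
        "1 of 3 up": lst.evaluate({1: "UP", 2: "DOWN", 3: "DOWN"}),    # 33%: between thresholds, stays UP
        "0 of 3 up": lst.evaluate({1: "DOWN", 2: "DOWN", 3: "DOWN"}),  # 0% -> DOWN
    }


if __name__ == "__main__":
    print(weight_list_example())
    print(percentage_list_example())
```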
Step 5  standby [group-number] ip [ip-address [secondary]]
        Create (or enable) the HSRP group by using its number and virtual IP address.
        • (Optional) group-number—The group number on the interface for which HSRP is being enabled. The range is 0 to 255; the default is 0.
Step 6  standby [group-number] track object-number [decrement [priority-decrement]]
CHAPTER 41 Configuring Web Cache Services By Using WCCP

This chapter describes how to configure your Catalyst 3750-E or 3560-E switch to redirect traffic to wide-area application engines (such as the Cisco Cache Engine 550) by using the Web Cache Communication Protocol (WCCP). This software release supports only WCCP version 2 (WCCPv2).
Understanding WCCP

WCCP enables supported Cisco routers and switches to transparently redirect content requests. With transparent redirection, users do not have to configure their browsers to use a web proxy. Instead, they can use the target URL to request content, and their requests are automatically redirected to an application engine.
WCCP Negotiation

In the exchange of WCCP protocol messages, the designated application engine and the WCCP-enabled switch negotiate these items:
• Forwarding method (the method by which the switch forwards packets to the application engine). The switch rewrites the Layer 2 header by replacing the packet destination MAC address with the target application engine MAC address. It then forwards the packet to the application engine.
You can configure up to 8 service groups on a switch or switch stack and up to 32 clients per service group. WCCP maintains the priority of the service group in the group definition. WCCP uses the priority to configure the service groups in the switch hardware.
Configuring WCCP

Unsupported WCCP Features

These WCCP features are not supported in this software release:
• Packet redirection on an outbound interface that is configured by using the ip wccp redirect out interface configuration command. This command is not supported.
• The GRE forwarding method for packet redirection is not supported.
• The hash assignment method for load balancing is not supported.
• There is no SNMP support for WCCP.
• The number of available policy-based routing (PBR) labels is reduced as more interfaces are enabled for WCCP ingress redirection. For every interface that supports service groups, one label is consumed. The WCCP labels are taken from the PBR labels. You need to monitor and manage the labels that are available between PBR and WCCP. When labels are not available, the switch cannot add service groups.
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip wccp {web-cache | service-number} [group-address group-address] [group-list access-list] [redirect-list access-list] [password encryption-number password]
        Enable the web cache service, and specify the service number, which corresponds to a dynamic service that is defined by the application engine. By default, this feature is disabled.
Step 16  show ip wccp web-cache
         and
         show running-config
         Verify your entries.
Step 17  copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To disable the web cache service, use the no ip wccp web-cache global configuration command. To disable inbound packet redirection, use the no ip wccp web-cache redirect in interface configuration command.
Monitoring and Maintaining WCCP

This example shows how to configure SVIs and how to enable the web cache service with a multicast group list. VLAN 299 is created and configured with an IP address of 175.20.20.10. Gigabit Ethernet port 1 is connected through the Internet to the web server and is configured as an access port in VLAN 299. VLAN 300 is created and configured with an IP address of 172.20.10.30.
Table 41-2 Commands for Monitoring and Maintaining WCCP (continued)
Command                      Purpose
show ip interface            Displays status about any IP WCCP redirection commands that are configured on an interface; for example, Web Cache Redirect is enabled / disabled.
show ip wccp web-cache view  Displays which other members have or have not been detected.
CHAPTER 42 Configuring IP Multicast Routing

This chapter describes how to configure IP multicast routing on the Catalyst 3750-E or 3560-E switch. IP multicasting is a more efficient way to use network resources, especially for bandwidth-intensive services such as audio and video. IP multicast routing enables a host (source) to send packets to a group of hosts (receivers) anywhere within the IP network by using a special form of IP address called the IP multicast group address.
Understanding Cisco’s Implementation of IP Multicast Routing

The Cisco IOS software supports these protocols to implement IP multicast routing:
• Internet Group Management Protocol (IGMP) is used among hosts on a LAN and the routers (and multilayer switches) on that LAN to track the multicast groups of which hosts are members.
Understanding IGMP

To participate in IP multicasting, multicast hosts, routers, and multilayer switches must have IGMP operating. This protocol defines the querier and host roles:
• A querier is a network device that sends query messages to discover which network devices are members of a given multicast group.
Understanding PIM

PIM is called protocol-independent: regardless of the unicast routing protocols used to populate the unicast routing table, PIM uses this information to perform multicast forwarding instead of maintaining a separate multicast routing table. PIM is defined in RFC 2362, Protocol-Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification.
When a new receiver on a previously pruned branch of the tree joins a multicast group, the PIM DM device detects the new receiver and immediately sends a graft message up the distribution tree toward the source.
passive interfaces. Only the nonredundant access router topology is supported by the PIM stub feature. By using a nonredundant topology, the PIM passive interface assumes that it is the only interface and designated router on that access domain. The PIM stub feature is enforced in the IP base image.
Bootstrap Router

PIMv2 BSR is another method to distribute group-to-RP mapping information to all PIM routers and multilayer switches in the network. It eliminates the need to manually configure RP information in every router and switch in the network.
Figure 42-3 RPF Check (figure: a Layer 3 switch with ports Gigabit Ethernet 0/1 through 0/4; a multicast packet from source 151.10.3.21 is forwarded when it arrives on one port and discarded when it arrives on another)

Table 42-1 Routing Table Example for an RPF Check
Network           Port
151.10.0.0/16     Gigabit Ethernet 1/0/1
198.14.32.0/32    Gigabit Ethernet 1/0/3
204.
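The RPF check behind Figure 42-3 and Table 42-1, as an added Python example that is not code from the guide or from Cisco IOS: the routing table is constructed from the two complete rows of Table 42-1 (the third row is truncated on the page and omitted), port names follow the table rather than the figure's 0/x labels, and the longest-prefix lookup and the forward-or-discard decision are my own implementation of the check the figure illustrates.

```python
import ipaddress
from typing import Dict, Optional

# Constructed from Table 42-1 above: destination network -> port on which the
# unicast routing table reaches that network. The table's third entry is
# truncated on the page, so it is left out here.
ROUTING_TABLE: Dict[str, str] = {
    "151.10.0.0/16": "GigabitEthernet1/0/1",
    "198.14.32.0/32": "GigabitEthernet1/0/3",
}


def rpf_interface(source: str, table: Dict[str, str]) -> Optional[str]:
    """Return the RPF interface for a multicast source: the port the unicast
    routing table would use to send traffic back toward the source, chosen by
    longest-prefix match. None means the source is not reachable at all."""
    src = ipaddress.ip_address(source)
    best_net = None
    best_port = None
    for prefix, port in table.items():
        net = ipaddress.ip_network(prefix)
        if src in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_port = net, port
    return best_port


def rpf_check(source: str, ingress_port: str, table: Dict[str, str]) -> bool:
    """The RPF check: a multicast packet is forwarded only when it arrived on
    the interface that leads back to its source. The same packet arriving on
    any other port fails the check and is discarded, which is what keeps
    looped or spoofed-source multicast from being replicated."""
    return rpf_interface(source, table) == ingress_port


def figure_42_3_cases() -> Dict[str, bool]:
    """The two outcomes shown in Figure 42-3 for source 151.10.3.21:
    True means the packet is forwarded, False means it is discarded."""
    return {
        "arrives on GigabitEthernet1/0/1": rpf_check("151.10.3.21", "GigabitEthernet1/0/1", ROUTING_TABLE),
        "arrives on GigabitEthernet1/0/2": rpf_check("151.10.3.21", "GigabitEthernet1/0/2", ROUTING_TABLE),
    }


if __name__ == "__main__":
    for case, forwarded in figure_42_3_cases().items():
        print(case, "->", "forwarded" if forwarded else "discarded")
```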
Multicast Routing and Switch Stacks

DVMRP neighbors build a route table by periodically exchanging source network routing information in route-report messages. The routing information stored in the DVMRP routing table is separate from the unicast routing table and is used to build a source distribution tree and to perform multicast forwarding using RPF.
Configuring IP Multicast Routing

• They do not build multicast routing tables. Instead, they use the multicast routing table that is distributed by the stack master.
Note: The PIM implementation on Catalyst 3750-E and 3560-E switches is the same as that on Catalyst 3750 and 3560 switches except for the differences summarized in the Cisco Software Activation and Compatibility Document on Cisco.com.

PIMv1 and PIMv2 Interoperability

The Cisco PIMv2 implementation provides interoperability and transition between Version 1 and Version 2, although there might be some minor problems.
• Because bootstrap messages are sent hop-by-hop, a PIMv1 device prevents these messages from reaching all routers and multilayer switches in your network. Therefore, if your network has a PIMv1 device in it and only Cisco routers and multilayer switches, it is best to use Auto-RP.
Step 4  ip pim version [1 | 2]
        Configure the PIM version on the interface. By default, Version 2 is enabled and is the recommended setting. An interface in PIMv2 mode automatically downgrades to PIMv1 mode if that interface has a PIMv1 neighbor. The interface returns to Version 2 mode after all Version 1 neighbors are shut down or upgraded.
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface on which you want to enable PIM stub routing, and enter interface configuration mode. For switches running the IP Base image, the specified interface must be an SVI that is a VLAN interface created by using the interface vlan vlan-id global configuration command.
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip pim rp-address ip-address [access-list-number] [override]
        Configure the address of a PIM RP. By default, no PIM RP address is configured. You must configure the IP address of RPs on all routers and multilayer switches (including the RP).
Configuring Auto-RP

Auto-RP uses IP multicast to automate the distribution of group-to-RP mappings to all Cisco routers and multilayer switches in a PIM network. It has these benefits:
• It is easy to use multiple RPs within a network to serve different group ranges.
• It provides load splitting among different RPs and arrangement of RPs according to the location of group participants.
Step 1  show running-config
        Verify that a default RP is already configured on all PIM devices and the RP in the sparse-mode network. It was previously configured with the ip pim rp-address global configuration command. This step is not required for sparse-dense-mode environments. The selected RP should have good connectivity and be available across the network. Use this RP for the global groups (for example 224.
Step 5  ip pim send-rp-discovery scope ttl
        Find a switch whose connectivity is not likely to be interrupted, and assign it the role of RP-mapping agent. For scope ttl, specify the time-to-live value in hops to limit the RP discovery packets. All devices within the hop count from the source device receive the Auto-RP discovery messages.
Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip pim rp-announce-filter rp-list access-list-number group-list access-list-number
        Filter incoming RP announcement messages. Enter this command on each mapping agent in the network. Without this command, all incoming RP-announce messages are accepted by default.
In this example, the mapping agent accepts candidate RP announcements from only two devices, 172.16.5.1 and 172.16.2.1. The mapping agent accepts candidate RP announcements from these two devices only for multicast groups that fall in the group range of 224.0.0.0 to 239.255.255.255. The mapping agent does not accept candidate RP announcements from any other devices in the network.
Figure 42-4 Constraining PIMv2 BSR Messages (figure: a PIMv2 sparse-mode network containing the BSR and two Layer 3 switches, each bordering a neighboring PIMv2 domain; the ip pim bsr-border command is configured on the interface of each Layer 3 switch that faces the neighboring domain, so BSR messages stay inside the local domain)
This example shows a portion of an IP multicast boundary configuration that denies Auto-RP information:

Switch(config)# access-list 1 deny 224.0.1.39
Switch(config)# access-list 1 deny 224.0.1.40
Switch(config)# access-list 1 permit all
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip multicast boundary 1

Configuring Candidate BSRs

You can configure one or more candidate BSRs.
Configuring Candidate RPs

You can configure one or more candidate RPs. Similar to BSRs, the RPs should also have good connectivity to other devices and be in the backbone portion of the network. An RP can serve the entire IP multicast address space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR.
This example shows how to configure the switch to advertise itself as a candidate RP to the BSR in its PIM domain. Standard access list number 4 specifies the group prefix associated with the RP whose address is that of the identified port. That RP is responsible for the groups with the prefix 239.

Switch(config)# ip pim rp-candidate gigabitethernet1/0/2 group-list 4
Switch(config)# access-list 4 permit 239.0.0.0 0.255.255.
Configuring Advanced PIM Features

Monitoring the RP Mapping Information

To monitor the RP mapping information, use these commands in privileged EXEC mode:
• show ip pim bsr displays information about the elected BSR.
• show ip pim rp-hash group displays the RP that was selected for the specified group.
• show ip pim rp [group-name | group-address | mapping] displays how the switch learns of the RP (through the BSR or the Auto-RP mechanism).
Figure 42-5 Shared Tree and Source Tree (Shortest-Path Tree) (figure: a source, Router A, Router B, the RP, Router C and a receiver; the shared tree runs from the RP, the source tree (shortest path tree) runs directly from the source)

If the data rate warrants, leaf routers (routers without any downstream connections) on the shared tree can use the data distribution tree rooted at the source. This type of distribution tree is called a shortest-path tree or source tree.
Delaying the Use of PIM Shortest-Path Tree

The change from shared to source tree happens when the first data packet arrives at the last-hop router (Router C in Figure 42-5). The timing of this change is controlled by the ip pim spt-threshold global configuration command. The shortest-path tree requires more memory than the shared tree but reduces delay. You might want to postpone its use.
Configuring Optional IGMP Features

Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default setting, use the no ip pim spt-threshold {kbps | infinity} global configuration command.
• Modifying the IGMP Host-Query Message Interval, page 42-31 (optional)
• Changing the IGMP Query Timeout for IGMPv2, page 42-32 (optional)
• Changing the Maximum Query Response Time for IGMPv2, page 42-33 (optional)
• Configuring the Switch as a Statically Connected Member, page 42-33 (optional)

Default IGMP Configuration

Table 42-3 shows the default IGMP configuration.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show ip igmp interface [interface-id]
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To cancel membership in a group, use the no ip igmp join-group group-address interface configuration command.

This example shows how to enable the switch to join multicast group 255.2.2.
Step 7  show ip igmp interface [interface-id]
        Verify your entries.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable groups on an interface, use the no ip igmp access-group interface configuration command.

This example shows how to configure hosts attached to a port as able to join only group 255.2.2.2:

Switch(config)# access-list 1 255.2.2.2 0.0.
The switch elects a PIM designated router (DR) for the LAN (subnet). The DR is the router or multilayer switch with the highest IP address for IGMPv2. For IGMPv1, the DR is elected according to the multicast routing protocol that runs on the LAN. The designated router is responsible for sending IGMP host-query messages to all hosts on the LAN.
Step 5  show ip igmp interface [interface-id]
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default setting, use the no ip igmp querier-timeout interface configuration command.
Configuring Optional Multicast Routing Features

Beginning in privileged EXEC mode, follow these steps to configure the switch itself to be a statically connected member of a group (and enable fast switching). This procedure is optional.

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface to be configured, and enter interface configuration mode.
Step 3  ip cgmp [proxy]
        Enable CGMP on the interface. By default, CGMP is disabled on all interfaces. Enabling CGMP triggers a CGMP join message. Enable CGMP only on Layer 3 interfaces connected to Layer 2 Catalyst switches.
        (Optional) When you enter the proxy keyword, the CGMP proxy function is enabled.
Enabling sdr Listener Support

By default, the switch does not listen to session directory advertisements. Beginning in privileged EXEC mode, follow these steps to enable the switch to join the default session directory group (224.2.127.254) on the interface and listen to session directory advertisements. This procedure is optional.

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Configuring an IP Multicast Boundary

Administratively-scoped boundaries can be used to limit the forwarding of multicast traffic outside of a domain or subdomain. This approach uses a special range of multicast addresses, called administratively-scoped addresses, as the boundary mechanism.
Configuring Basic DVMRP Interoperability Features

Beginning in privileged EXEC mode, follow these steps to set up an administratively-scoped boundary. This procedure is optional.

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  access-list access-list-number {deny | permit} source [source-wildcard]
        Create a standard access list, repeating the command as many times as necessary.
Configuring DVMRP Interoperability

Cisco multicast routers and multilayer switches using PIM can interoperate with non-Cisco multicast routers that use the DVMRP. PIM devices dynamically discover DVMRP multicast routers on attached networks by listening to DVMRP probe messages.
Step 4  ip dvmrp metric metric [list access-list-number] [[protocol process-id] | [dvmrp]]
        Configure the metric associated with a set of destinations for DVMRP reports.
        • For metric, the range is 0 to 32. A value of 0 means that the route is not advertised. A value of 32 is equivalent to infinity (unreachable).
Configuring a DVMRP Tunnel

The software supports DVMRP tunnels to the MBONE. You can configure a DVMRP tunnel on a router or multilayer switch if the other end is running DVMRP. The software then sends and receives multicast packets through the tunnel. This strategy enables a PIM domain to connect to the DVMRP router when not all routers on the path support multicast routing.
Step 9  ip dvmrp accept-filter access-list-number [distance] neighbor-list access-list-number
        Configure an acceptance filter for incoming DVMRP reports. By default, all destination reports are accepted with a distance of 0. Reports from all neighbors are accepted.
        • For access-list-number, specify the access list number created in Step 2.
Configuring Advanced DVMRP Interoperability Features

Beginning in privileged EXEC mode, follow these steps to advertise network 0.0.0.0 to DVMRP neighbors on an interface. This procedure is optional.

Command / Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface that is connected to the DVMRP router, and enter interface configuration mode.
These sections contain this configuration information:
• Enabling DVMRP Unicast Routing, page 42-44 (optional)
• Rejecting a DVMRP Nonpruning Neighbor, page 42-45 (optional)
• Controlling Route Exchanges, page 42-47 (optional)

For information on basic DVMRP features, see the “Configuring Basic DVMRP Interoperability Features” section on page 42-38.
Rejecting a DVMRP Nonpruning Neighbor

By default, Cisco devices accept all DVMRP neighbors as peers, regardless of their DVMRP capability. However, some non-Cisco devices run old versions of DVMRP that cannot prune, so they continuously receive forwarded packets, wasting bandwidth. Figure 42-7 shows this scenario.
Figure 42-8 Router Rejects Nonpruning DVMRP Neighbor (figure: a source router or RP, Router A, Router B, a Layer 3 switch, a receiver and a leaf nonpruning DVMRP device; multicast traffic gets to the receiver but not to the leaf DVMRP device; the ip dvmrp reject-non-pruners command is configured on the Layer 3 switch interface facing the leaf device)

Note that the ip dvmrp reject-non-pruners interface configuration command prevents peering with neighbors only.
Chapter 42 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Controlling Route Exchanges These sections describe how to tune the Cisco device advertisements of DVMRP routes: • Limiting the Number of DVMRP Routes Advertised, page 42-47 (optional) • Changing the DVMRP Route Threshold, page 42-47 (optional) • Configuring a DVMRP Summary Address, page 42-48 (optional) • Disabling DVMRP Autosummarization, page 42-50 (optional) • Adding a Metric Offset to the DVMRP R
Beginning in privileged EXEC mode, follow these steps to change the threshold number of routes that trigger the warning. This procedure is optional.
Step 1  configure terminal
  Purpose: Enter global configuration mode.
Step 2  ip dvmrp routehog-notification route-count
  Purpose: Configure the number of routes that trigger a syslog message.
Step 3  end
  Purpose: Return to privileged EXEC mode.
[Figure 42-9 Only Connected Unicast Routes Are Advertised by Default (Catalyst 3750-E Switches). Elements shown: a DVMRP router; the switch with interface tunnel 0 (ip unnumbered gigabitethernet1/0/1), interface gigabitethernet1/0/1 (ip addr 176.32.10.1 255.255.255.0, ip pim dense-mode), and interface gigabitethernet1/0/2 (ip addr 176.32.15. …); a DVMRP Report listing 151.16.0.0/16 m = 39, 172.34.15.0/24 m = 42, 202.13.3.0/24 m = 40, 176.32.10.0/24 m = 1, and 176.32.15.0/24 m = 1.]
Beginning in privileged EXEC mode, follow these steps to customize the summarization of DVMRP routes if the default classful autosummarization does not suit your needs. This procedure is optional.
Note  At least one more-specific route must be present in the unicast routing table before a configured summary address is advertised.
Step 1  configure terminal
  Purpose: Enter global configuration mode.
Step 5  show running-config
  Purpose: Verify your entries.
Step 6  copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.
To re-enable autosummarization, use the ip dvmrp auto-summary interface configuration command.
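Pulling the DVMRP controls of this section together, here is an added configuration example (not from the guide): an interface facing a non-Cisco DVMRP router with an acceptance filter on incoming reports, nonpruning neighbors rejected, a route-hog warning threshold, and a configured summary with autosummarization disabled. The interface, addresses, access-list numbers, threshold, distance and metric values are assumptions; the summary covers the 176.32.0.0 range shown in Figure 42-9.

```ios
! Added example; values are assumed, not taken from the guide.
!
! Global: log a syslog message when a DVMRP neighbor advertises more than
! 1000 routes (the route threshold procedure above; 1000 is an assumed value).
ip dvmrp routehog-notification 1000
!
! ACL 1: the only prefixes we are willing to learn from DVMRP reports.
! ACL 2: the only neighbor whose reports are accepted at all.
access-list 1 permit 172.34.15.0 0.0.0.255
access-list 1 permit 202.13.3.0 0.0.0.255
access-list 2 permit 10.200.1.2
!
interface GigabitEthernet1/0/1
 ip address 10.200.1.1 255.255.255.0
 ip pim dense-mode
 ! Accept DVMRP reports only for ACL 1 prefixes, only from the ACL 2 neighbor,
 ! and install them with administrative distance 100 (assumed value).
 ip dvmrp accept-filter 1 100 neighbor-list 2
 ! Refuse to peer with a DVMRP neighbor that cannot prune (Figure 42-8);
 ! this affects peering only, not forwarding of already-joined traffic.
 ip dvmrp reject-non-pruners
 ! Replace the default classful autosummary with one explicit summary.
 ! It is advertised only once a more-specific route exists in the unicast table.
 no ip dvmrp auto-summary
 ip dvmrp summary-address 176.32.0.0 255.255.0.0 metric 2
!
```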
Monitoring and Maintaining IP Multicast Routing
These sections describe how to monitor and maintain IP multicast routing:
• Clearing Caches, Tables, and Databases, page 42-52
• Displaying System and Network Statistics, page 42-52
• Monitoring IP Multicast Routing, page 42-53
Clearing Caches, Tables, and Databases
You can remove all contents of a particular cache, table, or database.
Table 42-5 Commands for Displaying System and Network Statistics (continued)
show ip igmp groups [group-name | group-address | type number]
  Purpose: Display the multicast groups that are directly connected to the switch and that were learned through IGMP.
show ip igmp interface [type number]
  Purpose: Display multicast-related information about an interface.
CHAPTER 43 Configuring MSDP
This chapter describes how to configure the Multicast Source Discovery Protocol (MSDP) on the Catalyst 3750-E or 3560-E switch. The MSDP connects multiple Protocol-Independent Multicast sparse-mode (PIM-SM) domains. MSDP is not fully supported in this software release because of a lack of support for Multicast Border Gateway Protocol (MBGP), which works closely with MSDP. However, it is possible to create default peers that MSDP can operate with if MBGP is not running.
Understanding MSDP
The purpose of this topology is to have domains discover multicast sources in other domains. If the multicast sources are of interest to a domain that has receivers, multicast data is delivered over the normal, source-tree building mechanism in PIM-SM. MSDP is also used to announce sources sending to a group. These announcements must originate at the domain’s RP. MSDP depends heavily on the Border Gateway Protocol (BGP) or MBGP for interdomain operation.
[Figure 43-1 MSDP Running Between RP Peers. Elements shown: PIM sparse-mode domains; an RP that is also an MSDP peer; MSDP peers joined by TCP connections carrying BGP and MSDP SA messages; peer-RPF flooding of MSDP SA messages; a source registering with the PIM DR; a receiver; and a multicast (S,G) join.]
MSDP Benefits
MSDP has these benefits:
• It breaks up the shared multicast distribution tree. You can make the shared tree local to your domain.
Configuring MSDP
These sections contain this configuration information:
• Default MSDP Configuration, page 43-4
• Configuring a Default MSDP Peer, page 43-4 (required)
• Caching Source-Active State, page 43-6 (optional)
• Requesting Source Information from an MSDP Peer, page 43-8 (optional)
• Controlling Source Information that Your Switch Originates, page 43-9 (optional)
• Controlling Source Information that Your Switch Forwards, page 43-12 (option
[Figure 43-2 Default MSDP Peer Network. Elements shown: Router C (default MSDP peer, ISP C PIM domain); Router A (default MSDP peer, ISP A PIM domain); Switch B (customer PIM domain); the address 10.1.1.1; and SA messages exchanged between the default MSDP peers.]
Beginning in privileged EXEC mode, follow these steps to specify a default MSDP peer. This procedure is required.
Step 1  configure terminal
  Purpose: Enter global configuration mode.
Step 3  ip prefix-list name [description string] | seq number {permit | deny} network length
  Purpose: (Optional) Create a prefix list using the name specified in Step 2.
  • (Optional) For description string, enter a description of up to 80 characters to describe this prefix list.
  • For seq number, enter the sequence number of the entry. The range is 1 to 4294967294.
Step 4  ip msdp description {peer-name | peer-address} text
Beginning in privileged EXEC mode, follow these steps to enable the caching of source/group pairs. This procedure is optional.
Step 1  configure terminal
  Purpose: Enter global configuration mode.
Step 2  ip msdp cache-sa-state [list access-list-number]
  Purpose: Enable the caching of source/group pairs (create an SA state). Those pairs that pass the access list are cached. For list access-list-number, the range is 100 to 199.
Requesting Source Information from an MSDP Peer
Local RPs can send SA requests and get immediate responses for all active sources for a given group. By default, the switch does not send any SA request messages to its MSDP peers when a new member joins a group and wants to receive multicast traffic. The new member waits to receive the next periodic SA message.
Controlling Source Information that Your Switch Originates
You can control the multicast source information that originates with your switch:
• Sources you advertise (based on your sources)
• Receivers of source information (based on knowing the requestor)
For more information, see the “Redistributing Sources” section on page 43-9 and the “Filtering Source-Active Request Messages” section on page 43-11.
Step 3  access-list access-list-number {deny | permit} source [source-wildcard]
  Purpose: Create an IP standard access list, repeating the command as many times as necessary.
or
  access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
  Purpose: Create an IP extended access list, repeating the command as many times as necessary.
Filtering Source-Active Request Messages
By default, only switches that are caching SA information can respond to SA requests. By default, such a switch honors all SA request messages from its MSDP peers and supplies the IP addresses of the active sources. However, you can configure the switch to ignore all SA requests from an MSDP peer. You can also honor only those SA request messages from a peer for groups described by a standard access list.
Controlling Source Information that Your Switch Forwards
By default, the switch forwards all SA messages it receives to all its MSDP peers. However, you can prevent outgoing messages from being forwarded to a peer by using a filter or by setting a time-to-live (TTL) value. These methods are described in the next sections.
Step 3  access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
  Purpose: (Optional) Create an IP extended access list, repeating the command as many times as necessary.
  • For access-list-number, enter the number specified in Step 2.
  • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
Using TTL to Limit the Multicast Data Sent in SA Messages
You can use a TTL value to control what data is encapsulated in the first SA message for every source. Only multicast packets with an IP-header TTL greater than or equal to the ttl argument are sent to the specified MSDP peer. For example, you can limit internal traffic to a TTL of 8. If you want other groups to go to external locations, you must send those packets with a TTL greater than 8.
Beginning in privileged EXEC mode, follow these steps to apply a filter. This procedure is optional.
Step 1  configure terminal
  Purpose: Enter global configuration mode.
Step 2  ip msdp sa-filter in ip-address | name
  Purpose: Filter all SA messages from the specified MSDP peer.
or
  ip msdp sa-filter in {ip-address | name} list access-list-number
  Purpose: From the specified peer, pass only those SA messages that pass the IP extended access list.
Configuring an MSDP Mesh Group
An MSDP mesh group is a group of MSDP speakers that have fully meshed MSDP connectivity among one another. Any SA messages received from a peer in a mesh group are not forwarded to other peers in the same mesh group. Thus, you reduce SA message flooding and simplify peer-RPF flooding. Use the ip msdp mesh-group global configuration command when there are multiple RPs within a domain.
Beginning in privileged EXEC mode, follow these steps to shut down a peer. This procedure is optional.
Step 1  configure terminal
  Purpose: Enter global configuration mode.
Step 2  ip msdp shutdown {peer-name | peer address}
  Purpose: Administratively shut down the specified MSDP peer without losing configuration information. For peer-name | peer address, enter the IP address or name of the MSDP peer to shut down.
Step 3  end
  Purpose: Return to privileged EXEC mode.
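As an added example that is not from the guide, this global configuration ties together the MSDP controls of the preceding procedures for a switch whose RP peers with two external domains and one local RP while MBGP is not running: a default peer restricted by a prefix list, SA caching and SA-request filtering by access list, filtering of originated and inbound SA messages, a TTL threshold toward one peer, a mesh group for the local RPs, and an administrative shutdown of one peer. Peer addresses, the prefix-list and mesh-group names, access-list numbers, and the Loopback0 interface are assumptions.

```ios
! Added example; peer addresses, names and ACL numbers are assumed.
!
! Peer with an MSDP speaker in each of two external PIM-SM domains (Figure 43-2).
ip msdp peer 10.1.1.1 connect-source Loopback0
ip msdp peer 10.2.2.2 connect-source Loopback0
!
! No MBGP in this release, so make 10.1.1.1 a default peer. The prefix list
! limits which originating-RP prefixes this default peer is trusted for.
ip prefix-list ISP-A-RPS seq 5 permit 192.0.2.0/24
ip prefix-list ISP-A-RPS seq 10 permit 198.51.100.0/24
ip msdp default-peer 10.1.1.1 prefix-list ISP-A-RPS
!
! Cache only the (source, group) pairs that pass extended ACL 101 (range 100-199)
! so the switch can answer SA requests for them.
access-list 101 permit ip 192.0.2.0 0.0.0.255 232.0.0.0 0.255.255.255
ip msdp cache-sa-state list 101
!
! Honor SA requests from 10.2.2.2 only for groups permitted by standard ACL 10;
! requests for any other group from that peer are ignored.
access-list 10 permit 232.1.0.0 0.0.255.255
ip msdp filter-sa-request 10.2.2.2 list 10
!
! Originate SA messages only for our own sources in 203.0.113.0/24
! (the "Redistributing Sources" procedure).
access-list 20 permit 203.0.113.0 0.0.0.255
ip msdp redistribute list 20
!
! Inbound from 10.2.2.2: pass only SA messages whose (source, group) matches
! extended ACL 102; everything else from that peer is dropped.
access-list 102 permit ip 203.0.113.0 0.0.0.255 232.0.0.0 0.255.255.255
ip msdp sa-filter in 10.2.2.2 list 102
!
! Toward 10.1.1.1, encapsulate data in the first SA message only when the
! packet's IP TTL is 8 or more, so TTL-limited internal traffic is not leaked.
ip msdp ttl-threshold 10.1.1.1 8
!
! RPs inside our own domain are fully meshed; an SA message received from one
! member of the mesh group is not re-flooded to the other members.
ip msdp peer 10.10.0.2 connect-source Loopback0
ip msdp mesh-group LOCAL-RPS 10.10.0.2
!
! Carry Loopback0 as the RP address in SA messages this switch originates.
ip msdp originator-id Loopback0
!
! Take a misbehaving peer down without losing its configuration.
ip msdp shutdown 10.2.2.2
```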
Step 5  show running-config
  Purpose: Verify your entries.
Step 6  copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.
Note that the ip msdp originator-id global configuration command also identifies an interface to be used as the RP address.
Monitoring and Maintaining MSDP
To monitor MSDP SA messages, peers, state, or peer status, use one or more of the privileged EXEC commands in Table 43-1:
Table 43-1 Commands for Monitoring and Maintaining MSDP
debug ip msdp [peer-address | name] [detail] [routes]
  Purpose: Debugs an MSDP activity.
debug ip msdp resets
  Purpose: Debugs MSDP peer reset reasons.
CHAPTER 44 Configuring Fallback Bridging
This chapter describes how to configure fallback bridging (VLAN bridging) on the Catalyst 3750-E or 3560-E switch. With fallback bridging, you can forward non-IP packets that the switch does not route between VLAN bridge domains and routed ports. To use this feature, the switch or stack master must be running the IP services feature set.
Understanding Fallback Bridging
A VLAN bridge domain is represented with switch virtual interfaces (SVIs). A set of SVIs and routed ports (which do not have any VLANs associated with them) can be configured (grouped together) to form a bridge group. Recall that an SVI represents a VLAN of switch ports as one interface to the routing or bridging function in the system.
[Figure 44-1 Fallback Bridging Network Example. Elements shown: a Layer 3 switch with SVI 1, SVI 2, and a routed port (172.20.130.1); Host A, Host B, and Host C; VLAN 20 and VLAN 30; the addresses 172.20.129.1 and 172.20.128.1.]
Fallback Bridging and Switch Stacks
When the stack master fails, a stack member becomes the new stack master by using the election process described in Chapter 5, “Managing Switch Stacks.”
Default Fallback Bridging Configuration
Table 44-1 shows the default fallback bridging configuration.
Table 44-1 Default Fallback Bridging Configuration
Feature: Bridge groups. Default Setting: None are defined or assigned to a port. No VLAN-bridge STP is defined.
Feature: Switch forwards frames for stations that it has dynamically learned. Default Setting: Enabled.
Feature: Spanning tree parameters. Default Setting:
• Switch priority: 32768.
• Port priority: 128.
Beginning in privileged EXEC mode, follow these steps to create a bridge group and to assign an interface to it. This procedure is required.
Step 1  configure terminal
  Purpose: Enter global configuration mode.
Step 2  bridge bridge-group protocol vlan-bridge
  Purpose: Assign a bridge group number, and specify the VLAN-bridge spanning-tree protocol to run in the bridge group. The ibm and dec keywords are not supported.
This example shows how to create bridge group 10 and to specify that the VLAN-bridge STP runs in the bridge group.
Changing the VLAN-Bridge Spanning-Tree Priority
You can globally configure the VLAN-bridge spanning-tree priority of a switch when it ties with another switch for the position as the root switch. You also can configure the likelihood that the switch will be selected as the root switch. Beginning in privileged EXEC mode, follow these steps to change the switch priority. This procedure is optional.
Step 5  show running-config
  Purpose: Verify your entry.
Step 6  copy running-config startup-config
  Purpose: (Optional) Save your entry in the configuration file.
To return to the default setting, use the no bridge-group bridge-group priority interface configuration command.
Adjusting BPDU Intervals
You can adjust BPDU intervals as described in these sections:
• Adjusting the Interval between Hello BPDUs, page 44-9 (optional)
• Changing the Forward-Delay Interval, page 44-10 (optional)
• Changing the Maximum-Idle Interval, page 44-10 (optional)
Note  Each switch in a spanning tree adopts the interval between hello BPDUs, the forward delay interval, and the maximum idle interval parameters of the roo
Changing the Forward-Delay Interval
The forward-delay interval is the amount of time spent listening for topology change information after a port has been activated for switching and before forwarding actually begins. Beginning in privileged EXEC mode, follow these steps to change the forward-delay interval. This procedure is optional.
Step 1  configure terminal
  Purpose: Enter global configuration mode.
Disabling the Spanning Tree on an Interface
When a loop-free path exists between any two switched subnetworks, you can prevent BPDUs generated in one switching subnetwork from impacting devices in the other switching subnetwork, yet still permit switching throughout the network as a whole. For example, when switched LAN subnetworks are separated by a WAN, BPDUs can be prevented from traveling across the WAN link.
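As an added example that is not from the guide, this configuration carries out the fallback bridging procedures of this chapter end to end: bridge group 10 running the VLAN-bridge STP, two SVIs and a routed port assigned to it, the switch and port priorities changed from their defaults, and spanning tree disabled on a WAN-facing routed port. Interface names, the priority values, and the WAN address are assumptions; the LAN addresses follow Figure 44-1.

```ios
! Added example; interface names, priorities and the WAN address are assumed.
!
! Bridge group 10 runs the VLAN-bridge spanning tree (ibm and dec are not supported).
bridge 10 protocol vlan-bridge
! Switch priority below the 32768 default makes this switch the likelier root.
bridge 10 priority 16384
!
! Two SVIs and one routed port form the bridge domain (Figure 44-1 layout).
interface Vlan20
 ip address 172.20.128.1 255.255.255.0
 bridge-group 10
!
interface Vlan30
 ip address 172.20.129.1 255.255.255.0
 bridge-group 10
!
interface GigabitEthernet1/0/24
 no switchport
 ip address 172.20.130.1 255.255.255.0
 bridge-group 10
 ! Port priority for the VLAN-bridge STP (default 128); lower is preferred.
 bridge-group 10 priority 64
!
! WAN-facing routed port with a loop-free path to the remote switched subnetwork:
! keep bridging on it, but do not let VLAN-bridge BPDUs cross the WAN link.
interface GigabitEthernet1/0/1
 no switchport
 ip address 192.0.2.1 255.255.255.252
 bridge-group 10
 bridge-group 10 spanning-disabled
!
```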
CHAPTER 45 Troubleshooting
This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Catalyst 3750-E or 3560-E switch. Depending on the nature of the problem, you can use the command-line interface (CLI), the device manager, or Network Assistant to identify and solve problems. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
• Using the show platform forward Command, page 45-23
• Using the crashinfo Files, page 45-25
• Using On-Board Failure Logging, page 45-26
Recovering from a Software Failure
Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity.
load_helper
boot
Step 7  Initialize the flash file system:
switch: flash_init
Step 8  If you had set the console port speed to anything other than 9600, it has been reset to that particular speed. Change the emulation software line speed to match that of the switch console port.
Step 9  Load any helper files:
switch: load_helper
Step 10  Start the file transfer by using the Xmodem Protocol.
Recovering from a Lost or Forgotten Password
Follow the steps in this procedure if you have forgotten or lost the switch password.
Step 1  Use one of these methods to connect a terminal or PC to the switch:
• Connect a terminal or a PC with terminal-emulation software to the switch console port. If you are recovering the password for a switch stack, connect to the console port of the stack master.
• Connect a PC to the Ethernet management port.
Procedure with Password Recovery Enabled
If the password-recovery mechanism is enabled, this message appears:
The system has been interrupted prior to initializing the flash file system.
Step 9  Copy the configuration file into memory:
Switch# copy flash:config.text system:running-config
Source filename [config.text]?
Destination filename [running-config]?
Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password.
Procedure with Password Recovery Disabled
If the password-recovery mechanism is disabled, this message appears:
The password-recovery mechanism has been triggered, but is currently disabled. Access to the boot loader prompt through the password-recovery mechanism is disallowed at this point. However, if you agree to let the system be reset back to the default system configuration, access to the boot loader prompt can still be allowed.
Step 7  Change the password:
Switch (config)# enable secret password
The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, and allows spaces but ignores leading spaces.
Step 8  Return to privileged EXEC mode:
Switch (config)# exit
Switch#
Note  Before continuing to Step 9, power on any connected stack members and wait until they have completely initialized.
Step 9
the switch current-stack-member-number renumber new-stack-member-number global configuration command to manually assign a stack member number. For more information about stack member numbers, see the “Stack Member Numbers” section on page 5-6. If you replace a stack member with an identical model, the new switch functions with the exact same configuration as the replaced switch.
Recovering from a Command Switch Failure
Replacing a Failed Command Switch with a Cluster Member
To replace a failed command switch with a command-capable member in the same cluster, follow these steps:
Step 1  Disconnect the command switch from the member switches, and physically remove it from the cluster.
Step 2  Insert the member switch in place of the failed command switch, and duplicate its connections to the cluster members.
If this prompt does not appear, enter enable, and press Return. Enter setup, and press Return to start the setup program.
Step 11  Respond to the questions in the setup program. When prompted for the hostname, recall that on a command switch, the hostname is limited to 28 characters; on a member switch to 31 characters. Do not use -n, where n is a number, as the last characters in a hostname for any switch.
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Basic management setup configures only enough connectivity for management of the system, extended setup will ask you to configure each interface on the system
Would you like to enter basic management setup? [yes/no]:
Step 6  Enter Y at the first prompt.
Recovering from Lost Cluster Member Connectivity
Some configurations can prevent the command switch from maintaining contact with member switches.
Disabled Port Caused by Power Loss
If a powered device (such as a Cisco IP Phone 7910) that is connected to a PoE switch port and is powered by an AC power source loses power from the AC power source, the device might enter an error-disabled state. To recover from an error-disabled state, enter the shutdown interface configuration command, and then enter the no shutdown interface command.
If the module is identified as a Cisco SFP module, but the system is unable to read vendor-data information to verify its accuracy, an SFP module error message is generated. In this case, you should remove and re-insert the SFP module. If it continues to fail, the SFP module might be defective.
Using Ping
Executing Ping
If you attempt to ping a host in a different IP subnetwork, you must define a static route to the network or have IP routing configured to route between those subnets. For more information, see Chapter 38, “Configuring IP Unicast Routing.” IP routing is disabled by default on all switches. If you need to enable or configure IP routing, see Chapter 38, “Configuring IP Unicast Routing.”
Using Layer 2 Traceroute
These sections contain this information:
• Understanding Layer 2 Traceroute, page 45-17
• Usage Guidelines, page 45-17
• Displaying the Physical Path, page 45-18
Understanding Layer 2 Traceroute
The Layer 2 traceroute feature allows the switch to identify the physical path that a packet takes from a source device to a destination device. Layer 2 traceroute supports only unicast source and destination MAC addresses.
• The traceroute mac ip command output shows the Layer 2 path when the specified source and destination IP addresses belong to the same subnet. When you specify the IP addresses, the switch uses the Address Resolution Protocol (ARP) to associate the IP addresses with the corresponding MAC addresses and the VLAN IDs.
  – If an ARP entry exists for the specified IP address, the switch uses the associated MAC address and identifies the physical path.
Using IP Traceroute
of 1 or 0, it drops the datagram and sends an Internet Control Message Protocol (ICMP) time-to-live-exceeded message to the sender. Traceroute finds the address of the first hop by examining the source address field of the ICMP time-to-live-exceeded message. To identify the next hop, traceroute sends a UDP packet with a TTL value of 2. The first router decrements the TTL field by 1 and sends the datagram to the next router.
Table 45-2 Traceroute Output Display Characters
Character  Description
*  The probe timed out.
?  Unknown packet type.
A  Administratively unreachable. Usually, this output means that an access list is blocking traffic.
H  Host unreachable.
N  Network unreachable.
P  Protocol unreachable.
Q  Source quench.
U  Port unreachable.
To end a trace in progress, enter the escape sequence (Ctrl-^ X by default).
When you run TDR, the switch reports accurate information if
• The cable for the Gigabit link is a solid-core cable.
• The open-ended cable is not terminated.
When you run TDR, the switch does not report accurate information if
• The cable for the Gigabit link is a twisted-pair cable or is in series with a solid-core cable.
• The link is a 10-Megabit or a 100-Megabit link.
• The cable is a stranded cable.
• The link partner is a Cisco IP Phone.
Using Debug Commands
All debug commands are entered in privileged EXEC mode, and most debug commands take no arguments. For example, beginning in privileged EXEC mode, enter this command to enable the debugging for Switched Port Analyzer (SPAN):
Switch# debug span-session
The switch continues to generate output until you enter the no form of the command.
Note  Be aware that the debugging destination you use affects system overhead. Logging messages to the console produces very high overhead, whereas logging messages to a virtual terminal produces less overhead. Logging messages to a syslog server produces even less, and logging to an internal buffer produces the least overhead of any method.
Using the show platform forward Command
Gi1/0/1  0005  0001.0001.0001  0002.0002.0002
-----------------------------------------
Packet 2
 Lookup     Key-Used
 OutptACL   50_0D020202_0D010101-00_40000014_000A0000
Port     Vlan  SrcMac          DstMac          Cos
Gi1/0/2  0005  0001.0001.0001  0002.0002.
This is an example of the output when the packet coming in on port 1 in VLAN 5 has a destination MAC address set to the router MAC address in VLAN 5 and the destination IP address set to an IP address that is in the IP routing table. It should be forwarded as specified in the routing table.
Switch# show platform forward gigabitethernet1/0/1 vlan 5 1.1.1 03.e319.ee44 ip 110.1.5.5 16.1.10.
file is created, you can use the rename privileged EXEC command to rename it, but the contents of the renamed file will not be displayed by the show stacks or the show tech-support privileged EXEC command. You can delete crashinfo files by using the delete privileged EXEC command.
Using On-Board Failure Logging
• Power over Ethernet (PoE)—Record of the power consumption of PoE ports on a standalone switch or a stack member
• Temperature—Temperature of a standalone switch or a switch stack member
• Uptime data—Time when a standalone switch or stack member starts, the reason the switch restarts, and the length of time the switch has been running since it last restarted
• Voltage—System voltages of a standalone switch or a stack member
You should man
Displaying OBFL Information
To display the OBFL information, use one or more of the privileged EXEC commands in Table 45-3:
Table 45-3 Commands for Displaying OBFL Information
show logging onboard [module [switch-number]] clilog
  Purpose: Displays the OBFL CLI commands that were entered on a standalone switch or the specified stack members.
CHAPTER 46 Configuring Online Diagnostics
This chapter describes how to configure the online diagnostics on the Catalyst 3750-E or 3560-E switch.
Note  For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Configuring Online Diagnostics
You must configure the failure threshold and the interval between tests before enabling diagnostic monitoring. This section has this information:
• Scheduling Online Diagnostics, page 46-2
• Configuring Health-Monitoring Diagnostics, page 46-3
Scheduling Online Diagnostics
You can schedule online diagnostics to run at a designated time of day or on a daily, weekly, or monthly basis for a switch.
This example shows how to schedule diagnostic testing to occur weekly at a specific time on member switch 6 when this command is entered on a Catalyst 3750-E stack master:
Switch(config)# diagnostic schedule switch 6 test 1-4,7 weekly saturday 10:30
For more examples, see the “Examples” section of the diagnostic schedule command in the command reference for this release.
Step 4  diagnostic monitor threshold switch number test {name | test-id | test-id-range | all} failure count count
  Purpose: (Optional) Set the failure threshold for the health-monitoring tests. The switch number keyword is supported only on Catalyst 3750-E switches. The range is from 1 to 9.
• To configure the switch to not generate a syslog message when the health-monitoring test fails, use the no diagnostic monitor syslog global configuration command.
• To return to the default failure threshold, use the no diagnostic monitor threshold switch number test {name | test-id | test-id-range | all} failure count count global configuration command.
Running Online Diagnostic Tests
This example shows how to start a diagnostic test by using the test name:
Switch# diagnostic start switch 2 test TestInlinePwrCtlr
This example shows how to start all of the basic diagnostic tests:
Switch# diagnostic start switch 1 test all
Displaying Online Diagnostic Tests and Test Results
You can display the online diagnostic tests that are configured for the switch or switch stack and check the test results by using the privi
A P P E N D I X A Supported MIBs This appendix lists the supported management information base (MIBs) for this release on the Catalyst 3750-E or 3560-E switch. It contains these sections: • MIB List, page A-1 • Using FTP to Access the MIB Files, page A-4 • BRIDGE-MIB MIB List Note The BRIDGE-MIB supports the context of a single VLAN. By default, SNMP messages using the configured community string always provide information for VLAN 1.
• CISCO-IETF-IP-FORWARDING-MIB (Only with the advanced IP services feature set)
• CISCO-IGMP-FILTER-MIB
• CISCO-IMAGE-MIB (Only Catalyst 3750-E stack master feature set details are shown.)
• CISCO-IP-STAT-MIB
• CISCO-L2L3-INTERFACE-CONFIG-MIB
• CISCO-LAG-MIB
• CISCO-MAC-NOTIFICATION-MIB
• CISCO-MEMORY-POOL-MIB (Only Catalyst 3750-E stack master feature set details are shown.)
• OLD-CISCO-CHASSIS-MIB (Partial support on Catalyst 3750-E switches; some objects reflect only the stack master.)
• OLD-CISCO-FLASH-MIB (Supports only the stack master in a Catalyst 3750-E switch stack. Use CISCO-FLASH-MIB.)
• OLD-CISCO-INTERFACES-MIB
• OLD-CISCO-IP-MIB
• OLD-CISCO-SYS-MIB
• OLD-CISCO-TCP-MIB
• OLD-CISCO-TS-MIB
• PIM-MIB
• RFC1213-MIB (Functionality is as per the agent capabilities specified in CISCO-RFC1213-CAPABILITY.my.)
Using FTP to Access the MIB Files

You can get each MIB file by using this procedure:
Step 1 Make sure that your FTP client is in passive mode.
Note Some FTP clients do not support passive mode.
Step 2 Use FTP to access the server ftp.cisco.com.
Step 3 Log in with the username anonymous.
Step 4 Enter your e-mail username when prompted for the password.
Step 5 At the ftp> prompt, change directories to /pub/mibs/v1 and /pub/mibs/v2.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images

This appendix describes how to manipulate the Catalyst 3750-E or 3560-E switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a Catalyst 3750-E or 3560-E switch or to a Catalyst 3750-E switch stack. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.
Working with the Flash File System

viewed from the stack master, refers to the same file system as does flash: on stack member 3. Use the show file systems privileged EXEC command to list all file systems, including the flash file systems in the switch stack. No more than one user at a time can manage the software images and configuration files for a switch stack.
Table B-1 show file systems Field Descriptions
Size(b): Amount of memory in the file system in bytes.
Free(b): Amount of free memory in the file system in bytes.
Type: Type of file system. flash—The file system is for a flash memory device. nvram—The file system is for a NVRAM device.
Displaying Information about Files on a File System

You can view a list of the contents of a file system before manipulating its contents. For example, before copying a new configuration file to flash memory, you might want to verify that the file system does not already contain a configuration file with the same name.
Creating and Removing Directories

Beginning in privileged EXEC mode, follow these steps to create and remove a directory:
Step 1 Command: dir filesystem:
Purpose: Display the directories on the specified file system. For filesystem:, use flash: for the system board flash device.
Step 2 Command: mkdir old_configs
Purpose: Create a new directory.
Some invalid combinations of source and destination exist.
Beginning in privileged EXEC mode, follow these steps to create a file, display the contents, and extract it.
Step 1 Command: archive /create destination-url flash:/file-url
Purpose: Create a file and add files to it. For destination-url, specify the destination URL alias for the local or network file system and the name of the file to create. The -filename.
Step 3 Command: archive /xtract source-url flash:/file-url [dir/file...]
Purpose: Extract a file into a directory on the flash file system. For source-url, specify the source URL alias for the local file system. The -filename. is the file from which to extract files.
Working with Configuration Files
Guidelines for Creating and Using Configuration Files

Creating configuration files can aid in your switch configuration. Configuration files can contain some or all of the commands needed to configure one or more switches. For example, you might want to download the same configuration file to several switches that have the same hardware configuration.
Creating a Configuration File By Using a Text Editor

When creating a configuration file, you must list commands logically so that the system can respond appropriately. This is one method of creating a configuration file:
Step 1 Copy an existing configuration from a switch to a server.
• Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).
• For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.
Step 3 Upload the switch configuration to the TFTP server. Specify the IP address or hostname of the TFTP server and the destination filename.
These sections contain this configuration information:
• Preparing to Download or Upload a Configuration File By Using FTP, page B-14
• Downloading a Configuration File By Using FTP, page B-14
• Uploading a Configuration File By Using FTP, page B-15

Preparing to Download or Upload a Configuration File By Using FTP

Before you begin downloading or uploading a configuration file
Step 6 Command: end
Purpose: Return to privileged EXEC mode.
Step 7 Command: copy ftp:[[[//[username[:password]@]location]/directory]
Purpose: Using FTP, copy the configuration file from a network server to the running configuration or to the startup configuration file.
Step 3 Command: configure terminal
Purpose: Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6).
Step 4 Command: ip ftp username username
Purpose: (Optional) Change the default remote username.
Step 5 Command: ip ftp password password
Purpose: (Optional) Change the default password.
The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list:
• The username specified in the copy command if a username is specified.
Downloading a Configuration File By Using RCP

Beginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP:
Step 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using RCP” section on page B-17.
Uploading a Configuration File By Using RCP

Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP:
Step 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using RCP” section on page B-17.
Clearing the Startup Configuration File

To clear the contents of your startup configuration, use the erase nvram: or the erase startup-config privileged EXEC command.
Caution You cannot restore the startup configuration file after it has been deleted.

Working with Software Images
You upload a switch image file to a TFTP, FTP, or RCP server for backup purposes. You can use this uploaded image for future downloads to the same switch or to another of the same type. The protocol that you use depends on which type of server you are using. The FTP and RCP transport mechanisms provide faster performance and more reliable delivery of data than TFTP.
version_suffix:universal-mz.122-35.SE2
version_directory:c3750e-universal-mz.122-35.SE2
image_system_type_id:0x00000000
image_name:c3750e-universal-mz.122-35.SE2.bin
ios_image_file_size:6398464
total_image_file_size:8133632
image_feature:IP|LAYER_3|PLUS|MIN_DRAM_MEG=128
image_family:C3750E
stacking_number:1.
These sections contain this configuration information:
• Preparing to Download or Upload an Image File By Using TFTP, page B-23
• Downloading an Image File By Using TFTP, page B-23
• Uploading an Image File By Using TFTP, page B-25

Preparing to Download or Upload an Image File By Using TFTP

Before you begin downloading or uploading an image file by using TFTP, do these tasks:
• E
Beginning in privileged EXEC mode, follow Steps 1 through 3 to download a new image from a TFTP server and to overwrite the existing image. To keep the current image, follow Steps 1, 2, and 4.
Step 1 Copy the image to the appropriate TFTP directory on the workstation.
Note If the flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option. If you specify the /leave-old-sw, the existing files are not removed.
Copying Image Files By Using FTP

You can download a switch image from an FTP server or upload the image from the switch to an FTP server. You download a switch image file from a server to upgrade the switch software. You can overwrite the current image with the new one or keep the current image after a download. You upload a switch image file to a server for backup purposes.
Use the ip ftp username and ip ftp password commands to specify a username and password for all copies. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username only for that operation.
Step 7 Step 8 Command: archive download-sw /allow-feature-upgrade [/directory] /overwrite /reload tftp:[[//location]/directory]/image-name1.tar [image-name2.tar image-name3.tar image-name4.tar]
Purpose: (Optional) Download the image files from the FTP server to the switch, and overwrite the current image.
Note If the flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option. If you specify the /leave-old-sw, the existing files are not removed. If there is not enough space to install the new image and keep the running image, the download process stops, and an error message is displayed.
Step 6 Command: end
Purpose: Return to privileged EXEC mode.
Step 7 Command: archive upload-sw ftp:[[//[username[:password]@]location]/directory]/image-name.tar
Purpose: Upload the currently running switch image to the FTP server.
• For //username:password, specify the username and password. These must be associated with an account on the FTP server.
Preparing to Download or Upload an Image File By Using RCP

RCP provides another method of downloading and uploading image files between remote hosts and the switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented. To use RCP to copy files, the server from or to which you will be copying files must support RCP.
If the switch IP address translates to Switch1.company.com, the .rhosts file for User0 on the RCP server should contain this line:

Switch1.company.com Switch1

For more information, see the documentation for your RCP server.

Downloading an Image File By Using RCP

You can download a new image file and replace or keep the current image.
Step 6 Step 7 Command: archive download-sw /allow-feature-upgrade [/directory] /overwrite /reload tftp:[[//location]/directory]/image-name1.tar [image-name2.tar image-name3.tar image-name4.tar]
Purpose: Download the image files from the RCP server to the switch and overwrite the current image.
The download algorithm verifies that the image is appropriate for the switch model and that enough DRAM is present, or it aborts the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the flash device whether or not it is the same as the new one, downloads the new image, and then reloads the software.
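The pre-flight checks the download algorithm performs (image family matches the switch model, enough DRAM, and, with /leave-old-sw, enough free flash to keep the running image) can be rehearsed offline against an image info file. This is an added example, not Cisco's own code or the switch's implementation: it parses the key:value fields shown in this appendix and applies those three checks; the switch-side numbers (family, DRAM, free flash) are constructed sample values.

```python
"""Offline pre-flight check for an IOS image download (added example)."""
from dataclasses import dataclass

# Constructed sample info file; the field names and values mirror the
# excerpt shown earlier in this appendix.
SAMPLE_INFO = """\
version_suffix:universal-mz.122-35.SE2
version_directory:c3750e-universal-mz.122-35.SE2
image_system_type_id:0x00000000
image_name:c3750e-universal-mz.122-35.SE2.bin
ios_image_file_size:6398464
total_image_file_size:8133632
image_feature:IP|LAYER_3|PLUS|MIN_DRAM_MEG=128
image_family:C3750E
stacking_number:1
"""


def parse_info(text: str) -> dict:
    """Parse 'key:value' lines into a dict; only the first colon splits."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def min_dram_meg(fields: dict) -> int:
    """Pull MIN_DRAM_MEG=<n> out of the '|'-separated image_feature field."""
    for item in fields.get("image_feature", "").split("|"):
        name, _, val = item.partition("=")
        if name == "MIN_DRAM_MEG":
            return int(val)
    raise ValueError("image_feature has no MIN_DRAM_MEG entry")


@dataclass
class SwitchFacts:
    """Constructed view of the target switch (hypothetical helper type)."""
    family: str            # e.g. "C3750E" or "C3560E"
    dram_meg: int          # installed DRAM in MB
    flash_free_bytes: int  # Free(b) from show file systems


def check_download(fields: dict, sw: SwitchFacts, leave_old_sw: bool) -> list:
    """Return the reasons the download would abort; an empty list means OK.

    Wrong image family or too little DRAM always aborts. With /leave-old-sw
    the new image must also fit beside the running one; with /overwrite the
    existing image is removed first, so that check does not apply.
    """
    problems = []
    if fields.get("image_family", "").upper() != sw.family.upper():
        problems.append(
            f"image family {fields.get('image_family')} does not match {sw.family}")
    need = min_dram_meg(fields)
    if sw.dram_meg < need:
        problems.append(f"needs {need} MB DRAM, switch has {sw.dram_meg} MB")
    if leave_old_sw:
        size = int(fields["total_image_file_size"])
        if sw.flash_free_bytes < size:
            problems.append(
                f"/leave-old-sw: {size} bytes needed, {sw.flash_free_bytes} free")
    return problems


if __name__ == "__main__":
    info = parse_info(SAMPLE_INFO)
    target = SwitchFacts(family="C3750E", dram_meg=256, flash_free_bytes=27306496)
    for keep_old in (True, False):
        print("leave-old-sw" if keep_old else "overwrite",
              check_download(info, target, keep_old) or "OK")
```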
Step 5 Command: end
Purpose: Return to privileged EXEC mode.
Step 6 Command: archive upload-sw rcp:[[[//[username@]location]/directory]/image-name.tar]
Purpose: Upload the currently running switch image to the RCP server.
• For //username, specify the username; for the RCP copy request to execute, define an account on the network server for the remote username.
Beginning in privileged EXEC mode from the stack member that you want to upgrade, follow these steps to copy the running image file from the flash memory of a different stack member:
Step 1 Command: archive copy-sw /destination-system destination-stack-member-number /force-reload source-stack-member-number
Purpose: Copy the running image file from a stack member, and then unconditio
Appendix C Unsupported Commands in Cisco IOS Release 12.2(37)SE

This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Catalyst 3750-E or 3560-E switch prompt but are not supported in this release, either because they are not tested or because of Catalyst 3750-E or 3560-E switch hardware limitations. This is not a complete list. The unsupported commands are listed by software feature and command mode.
IP Multicast Routing

The debug ip mpacket [detail] [access-list-number [group-name-or-address] command affects only packets received by the switch CPU. Because most multicast packets are hardware-switched, use this command only when you know that the route will forward the packet to the CPU.
Network Address Translation (NAT) Commands

Unsupported Privileged EXEC Commands
show ip nat statistics
show ip nat translations

QoS

Unsupported Global Configuration Command
priority-list

Unsupported Interface Configuration Commands
priority-group
rate-limit

Unsupported Policy-Map Configuration Command
class class-default where class-default is the class-map-name.
Index pruning-eligible list changing QoS (continued) MAC ACLs, described 13-22 for VTP pruning VLANs options for IP traffic 14-5 36-5, 36-7 36-5 options for non-IP traffic 14-14 PVST+ policy maps, described described 18-10 IEEE 802.
Index QoS (continued) QoS (continued) egress queues limiting bandwidth on egress interface allocating buffer space mapping tables 36-74 buffer allocation scheme, described CoS-to-DSCP 36-19 configuring shaped weights for SRR 36-78 displaying configuring shared weights for SRR 36-79 DSCP-to-CoS described flowchart scheduling, described WTD, described types of 36-76 overview 36-21 flowcharts 36-4, 36-8 36-2 36-21 policers classification configuring 36-6 egress queueing and schedu
Index QoS (continued) rewrites range macro 36-21 support for 11-19 of interfaces 1-10 trust states 11-17 rapid convergence bordering another domain described 36-43 rapid per-VLAN spanning-tree plus See rapid PVST+ 36-5 trusted device 19-10 rapid PVST+ 36-41 within the domain described 36-38 quality of service 18-10 IEEE 802.
Index reliable transport protocol, EIGRP reloading software 38-36 RFC 1058, RIP 3-17 Remote Authentication Dial-In User Service 38-20 1112, IP multicast and IGMP 1157, SNMPv1 See RADIUS 1163, BGP Remote Copy Protocol 33-2 38-43 1166, IP addresses See RCP 1253, OSPF Remote Network Monitoring See RMON Remote SPAN See RSPAN remote SPAN 30-3 report suppression, IGMP 38-7 38-25 1267, BGP 38-43 1305, NTP 7-2 1587, NSSAs 38-25 1757, RMON 31-2 1771, BGP 38-43 described 24-6 1901, SN
Index root guard RPS described See Cisco Redundant Power System 2300 20-10 enabling RPS 2300 20-18 support for See Cisco Redundant Power System 2300 1-7 root switch RSPAN MSTP STP and stack changes 19-17 characteristics 18-16 route calculation timers, OSPF route dampening, BGP 34-39 38-5 30-16 30-11 destination ports 30-8 displaying status 30-23 in a switch stack 30-2 interaction with other features 11-4 in switch clusters IP addresses on monitored ports 6-9 overview 38-8
Index RSTP (continued) secure HTTP server interoperability with IEEE 802.
Index show and more command output, filtering show cdp traffic command authentication level 27-5 show cluster members command show configuration command show forward command SNMP (continued) 2-10 33-11 community strings 6-18 configuring 11-30 33-8 for cluster switches 45-23 show interfaces command 11-23, 11-30 show l2protocol command 17-13, 17-15, 17-16 configuration examples show lldp traffic command 28-7 default configuration show platform forward command overview engine ID 45-23
Index SNMP (continued) SPAN traps and stack changes described 30-10 configuration guidelines 33-3, 33-5 differences from informs default configuration 33-5 30-11 disabling 33-15 destination ports 30-8 enabling 33-12 displaying status 30-23 enabling MAC address notification overview types of users SNMPv1 SNMPv2C SNMPv3 interaction with other features 7-22 monitored ports 33-1, 33-5 overview 33-7, 33-10 1-13, 30-1 received traffic 33-2 session limits 33-2 26-11 30-5 30-11 se
Index SSH stack master configuring bridge ID (MAC address) 9-39 cryptographic software image described 9-37 1-6, 9-38 encryption methods defined 5-2 election 5-5 IPv6 9-38 switch stack considerations user authentication methods, supported 39-8 re-election 5-17, 9-38 9-39 SSL 5-6 5-5 See also stacks, switch stack member configuration guidelines accessing CLI of specific member 9-45 configuring a secure HTTP client 9-47 configuring a secure HTTP server 9-46 cryptographic softwa
Index stacks, switch (continued) stacks, switch (continued) copying an image file from one member to another B-35 default configuration description of effects of replacing a provisioned switch provisioned configuration, defined 5-20 5-1 displaying information of 5-24 enabling persistent MAC address timer in clusters 40-4 5-15, B-35 MAC address considerations MAC address of replacing 5-10 replacing a failed member bridge ID 5-15 5-10 5-10 5-11 18-3 instances supported See Catalyst 3750-
Index standby command switch statistics configuring 802.
Index STP (continued) STP (continued) BPDU message exchange instances supported 18-3 configuration guidelines interface state, blocking to forwarding 18-13, 20-12 configuring 20-2 interface states forward-delay time hello time 18-23 18-22 maximum aging time path cost 18-18 root switch 18-16 secondary root switch spanning-tree mode switch priority counters, clearing 18-15 enabling 20-16 learning 18-7 listening 18-7 overview 18-5 18-2 13-24 using path costs 13-26 using port pr
Index STP (continued) switched ports switchport block multicast command root switch configuring switchport block unicast command 18-16 effects of extended system ID election 18-4, 18-16 stack changes, effects of status, displaying 20-2 18-12 20-3 enabling 20-15 VLAN-bridge 18-21 synchronization, BGP 1-1 See system message logging 18-11 system clock configuring 38-31 stub routing, EIGRP daylight saving time 38-42 subdomains, private VLAN 16-1 manually time zones 38-7 success res
Index system message logging (continued) syslog facility tagged packets IEEE 802.1Q 1-13 time stamps, enabling and disabling 32-8 UNIX syslog servers Layer 2 protocol 17-8 tar files configuring the daemon creating 32-12 configuring the logging facility facilities supported 32-13 17-5 system name displaying the contents of B-7 B-8 image file format TDR default configuration B-7 extracting 32-14 system MTU and IEEE 802.
Index time stamps in log messages time zones traffic 32-8 blocking flooded 7-12 TLVs fragmented defined LLDP 34-5 fragmented IPv6 28-2 unfragmented 28-2 LLDP-MED traffic policing 28-2 1-11 traffic suppression support for transmit hold-count 13-6 VTP support 35-3 34-5 Token Ring VLANs ToS 26-7 26-1 see STP 14-4 transparent mode, VTP 1-10 traceroute, Layer 2 and ARP 45-18 and CDP 45-17 trap-door mechanism configuring MAC address notification configuring managers 45-17 d
Index trunks U allowed-VLAN list configuring ISL 13-21 UDLD 13-20, 13-25, 13-27 configuration guidelines 13-16 default configuration load sharing setting STP path costs parallel globally 13-24, 13-25 native VLAN for untagged traffic per interface to non-DTP device globally 36-41 neighbor database 36-41 overview support for 7-26 and broadcast MAC addresses 11-4, 17-2 and CPU packets 17-7 incompatibilities with other features twisted-pair Ethernet, detecting unidirectional links
Index universal software image cryptographic V 1-1 version-dependent transparent mode feature set advanced IP services IP base 14-4 version-mismatch (VM) mode 1-2 automatic upgrades with auto-upgrade 1-1 IP services described 1-2 noncryptographic 5-11 displaying 1-1 5-11 manual upgrades with auto-advise UNIX syslog servers daemon configuration facilities supported upgrades with auto-extract 32-12 5-12 5-12 virtual IP address 32-14 message logging configuration cluster standby gro
Index VLAN Management Policy Server VLANs (continued) See VMPS default configuration VLAN map entries, order of deleting 34-30 VLAN maps 13-10 described applying common uses for 13-16 extended-range 34-34 configuration guidelines configuring 11-2, 13-1 displaying 34-34 features 34-30 13-1, 13-12 1-8 illustrated 34-29 13-2 creating 34-31 internal defined 34-2 in the switch stack denying access to a server example denying and permitting packets displaying removing modifying m
Index VMPS (continued) VTP entering server address adding a client to a domain 13-30 mapping MAC addresses to VLANs monitoring reconfirming membership retry count, changing and normal-range VLANs 13-32 client mode, configuring 13-31 guidelines Cisco 7960 phone, port connections configuration guidelines saving 15-6 configuring ports for voice traffic in 802.
Index VTP (continued) monitoring WCCP (continued) Layer-2 header rewrite 14-16 passwords MD5 security 14-8 pruning 41-3 41-3 message exchange 41-2 disabling 14-14 monitoring and maintaining enabling 14-14 negotiation examples 14-5 packet redirection overview 14-4 packet-return method support for server mode, configuring 41-6 41-7 unsupported WCCPv2 features 14-9 configuring 1-8 described 14-4 transparent mode, configuring 41-5 10-41 to 10-43 1-8, 10-20 fallback for IEEE
Index Catalyst 3750-E and 3560-E Switch Software Configuration Guide IN-58 OL-9775-02