Catalyst 3550 Multilayer Switch Software Configuration Guide
Cisco IOS Release 12.1(8)EA1
February 2002

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Preface

Audience

This guide is for the networking professional managing the Catalyst 3550 switch, hereafter referred to as the switch or the multilayer switch. Before using this guide, you should have experience working with the Cisco IOS and be familiar with the concepts and terminology of Ethernet and local area networking.

Purpose

This guide provides the information you need to configure Layer 2 and Layer 3 software features on your switch.
Organization

This guide is organized into these chapters:

Chapter 1, “Overview,” lists the software features of this release and provides examples of how the switch can be deployed in a network.

Chapter 2, “Using the Command-Line Interface,” describes how to access the command modes and use the command-line interface (CLI), and describes the CLI messages that you might receive.
Chapter 14, “Configuring UDLD,” describes how to configure the UniDirectional Link Detection (UDLD) feature. UDLD enables devices connected through fiber-optic or twisted-pair Ethernet cables to monitor the physical configuration of the cables and detect when a unidirectional link exists.
Appendix A, “Supported MIBs,” lists the supported MIBs for this release and how to use FTP to access the MIB files.

Appendix B, “Working with the IOS File System, Configuration Files, and Software Images,” describes how to manipulate the Flash file system, how to copy configuration files, and how to archive (upload and download) software images.
Related Publications

These documents provide complete information about the switch and are available from this Cisco.com site: http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/index.htm

You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Ordering Documentation” section on page xxxii.

• Release Notes for the Catalyst 3550 Multilayer Switch (not orderable but available on Cisco.
Ordering Documentation

Cisco documentation is available in the following ways:

• Registered Cisco Direct Customers can order Cisco product documentation from the Networking Products MarketPlace: http://www.cisco.com/cgi-bin/order/order_root.pl
• Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store: http://www.cisco.com/go/subscription
• Nonregistered Cisco.
Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world. Cisco.
If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com registered user, you can open a case online by using the TAC Case Open tool at the following URL: http://www.cisco.com/tac/caseopen

If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC Web Site.
CHAPTER 1 Overview

This chapter provides these topics about the Catalyst 3550 multilayer switch software:

• Features, page 1-1
• Management Options, page 1-5
• Network Configuration Examples, page 1-7

Features

The Catalyst 3550 software supports the hardware listed in the release notes. These sections describe the features supported in this release.

Note Layer 3 (routing) features require that you have the enhanced multilayer software image installed on your switch.

Table 1-1 Features
Performance
• Autosensing of port speed and autonegotiation of duplex mode on all switch ports for optimizing bandwidth
• IEEE 802.
Redundancy
• Hot Standby Router Protocol (HSRP) for command switch and Layer 3 router redundancy
• UniDirectional Link Detection (UDLD) on all Ethernet ports for detecting and disabling unidirectional links on fiber-optic interfaces caused by incorrect fiber-optic wiring or port faults
• IEEE 802.1D Spanning Tree Protocol (STP) for redundant backbone connections and loop-free networks.
• Terminal Access Controller Access Control System Plus (TACACS+), a proprietary feature for managing network security through a TACACS server
• Remote Authentication Dial-In User Service (RADIUS), which provides detailed accounting information and flexible administrative control over authentication and authorization processes

Quality of Service and Class of Service Classification
• IP type-of-service/Differentiated Services Code Point (IP
• Internet Control Message Protocol (ICMP) and ICMP Router Discovery Protocol (IRDP) for using router advertisement and router solicitation messages to discover the addresses of routers on directly attached subnets
• Protocol-Independent Multicast (PIM) for multicast routing within the network, allowing for devices in the network to receive the multicast feed requested and for switches not participating in the multicast to be pruned
• SNMP—SNMP provides a means to monitor and control the switch and switch cluster members. You can manage switch configuration settings, performance, and security, and collect statistics, by using SNMP management applications such as CiscoWorks2000 LAN Management Suite (LMS) and HP OpenView. You can manage the switch from an SNMP-compatible management station that is running platforms such as HP OpenView or SunNet Manager.
Network Configuration Examples

This section provides network configuration concepts and includes examples of using the switch in different network topologies.

Design Concepts

As your network users compete for network bandwidth, it takes longer to send and receive data. When you configure your network, consider the bandwidth required by your network users and the relative priority of the network applications they use.
Bandwidth alone is not the only consideration when designing your network. As your network traffic profiles evolve, consider providing network services that can support applications for voice and data integration, multimedia integration, application prioritization, and security. Table 1-3 describes some network demands and how you can meet those demands.
Figure 1-1 shows three configuration examples of using Catalyst switches to create the following:

• Cost-effective wiring closet—A cost-effective way to connect many users to the wiring closet is to connect a Catalyst switch cluster of up to nine Catalyst 3550 XL switches (or with a mix of Catalyst 3550, Catalyst 2950, Catalyst 3500 XL, and Catalyst 2900 XL switches) through GigaStack GBIC connections.
Figure 1-1 Example Configurations (panels: Cost-Effective Wiring Closet, High-Performance Workgroup, and Redundant Gigabit Backbone; devices shown include Catalyst 3550-12T or Catalyst 3550-12G switches, a Catalyst 3550 GigaStack cluster, Catalyst 3550 clusters and switches, a Gigabit server, and 1-Gbps HSRP links)

Catalyst 3550 Multilayer Switch Software Configuration Guide 1-10 78-11194-03
Small to Medium-Sized Network Using Mixed Switches

Figure 1-2 shows a configuration for a network of up to 500 employees. This network uses Catalyst 3550 multilayer switches to aggregate up to ten wiring closets through high-speed uplinks. For network reliability and load balancing, this network includes two routers and two Catalyst 3550 multilayer switches, all with HSRP enabled.
Figure 1-2 Catalyst 3550 Switches in a Collapsed Backbone Configuration (shows the Internet reached through Cisco 2600 or 3600 routers, Catalyst 3550 multilayer switches, Catalyst GigaStack clusters, Gigabit servers, Cisco IP Phones on an AC power source, and workstations running Cisco SoftPhone software)
Large Network Using Only Catalyst 3550 Switches

Switches in the wiring closet have traditionally been Layer 2-only devices, but as network traffic profiles evolve, switches in the wiring closet are increasingly employing multilayer services such as multicast management and traffic classification.
Figure 1-3 Catalyst 3550 Switches in Wiring Closets in a Backbone Configuration (shows a WAN reached through Cisco 7500 routers, Catalyst 6000 multilayer switches, Catalyst 3550 clusters, Gigabit servers, and Cisco IP Phones on an AC power source)

Multidwelling Network Using Catalyst 3550 Switches

A growing segment of residential and commercial customers is requiring high-speed access to Ethernet metrop
unauthorized devices from becoming the STP root switch. All ports have IGMP snooping or CGMP enabled for multicast traffic management. ACLs on the uplink ports to the aggregating Catalyst 3550 multilayer switches provide security and bandwidth management.
CHAPTER 2 Using the Command-Line Interface

This chapter describes the IOS command-line interface (CLI) that you can use to configure your switches.
IOS Command Modes

Table 2-1 Command Mode Summary

User EXEC
• Access method: Begin a session with your switch.
• Prompt: Switch>
• Exit method: Enter logout or quit.
• About this mode: Use this mode to change terminal settings, perform basic tests, and display system information.

Privileged EXEC
• Access method: While in user EXEC mode, enter the enable command.
• Prompt: Switch#
• Exit method: Enter disable to exit.
• About this mode: Use this mode to verify commands that you have entered.
Getting Help

You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 2-2.

Table 2-2 Help Summary
• help: Obtain a brief description of the help system in any command mode.
• abbreviated-command-entry?: Obtain a list of commands that begin with a particular character string.
Using no and default Forms of Commands

Almost every configuration command also has a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface. Use the command without the keyword no to re-enable a disabled feature or to enable a feature that is disabled by default.
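As an added example that is not part of the guide, this session walks through the command modes summarized in Table 2-1 and applies the no and default forms to one port; the host name Switch, the interface FastEthernet0/1, and a configured enable secret are assumptions.

```cisco
! Added example, not from the guide: walking the command modes of Table 2-1
! and using the no and default forms of commands on one port.
! Assumptions: host name Switch, interface FastEthernet0/1, enable secret set.

! User EXEC mode (prompt ends in >): enable moves to privileged EXEC.
Switch> enable
Password:
! Privileged EXEC mode (prompt ends in #): configure terminal enters global configuration.
Switch# configure terminal
! Global configuration mode: select the port to enter interface configuration mode.
Switch(config)# interface FastEthernet0/1
! Interface configuration mode: shutdown disables the port; no shutdown reverses it.
Switch(config-if)# description Wiring-closet uplink
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
! The no form also removes a setting that was added, here the description.
Switch(config-if)# no description
! end returns directly to privileged EXEC from any configuration mode.
Switch(config-if)# end
! Check what is actually in the running configuration for the port before trusting it.
Switch# show running-config interface FastEthernet0/1
! The default form returns a command (here the whole interface) to its default settings.
Switch# configure terminal
Switch(config)# default interface FastEthernet0/1
Switch(config)# end
! disable drops back to user EXEC; logout or quit ends the session.
Switch# disable
Switch> logout
```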
Using Command History

The IOS provides a history or record of commands that you have entered. This feature is particularly useful for recalling long or complex commands or entries, including access lists.
To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command.

Using Editing Features

This section describes the editing features that can help you manipulate the command line.
Table 2-5 Editing Commands through Keystrokes (continued)

Capability: Recall commands from the buffer and paste them in the command line. The switch provides a buffer with the last ten items that you deleted.
• Ctrl-Y: Recall the most recent entry in the buffer.
• Esc Y: Recall the next buffer entry. The buffer contains only the last 10 items that you have deleted or cut.
Editing Command Lines that Wrap

You can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command.
Accessing the CLI

Before you can access the CLI, you need to connect a terminal or PC to the switch console port and power on the switch as described in the hardware installation guide that shipped with your switch. Then, to understand the boot process and the options available for assigning IP information, see Chapter 4, “Assigning the Switch IP Address and Default Gateway.”
CHAPTER 3 Getting Started with CMS

This chapter provides these topics about the Cluster Management Suite (CMS) software:

• Features, page 3-2
• Front Panel View, page 3-4
• Topology View, page 3-10
• Menus and Toolbar, page 3-15
• Interaction Modes, page 3-26
• Wizards, page 3-26
• Online Help, page 3-27
• CMS Window Components, page 3-28
• Accessing CMS, page 3-30
• Verifying Your Changes, page 3-32
• Saving Your Changes, page 3-32
• Using Different Versions of C
Features

CMS provides these features (Figure 3-1) for managing switch clusters and individual switches from Web browsers such as Netscape Communicator or Microsoft Internet Explorer:

• Two views of your network that can be displayed at the same time:
– The Front Panel view displays the front-panel image of a specific switch or the front-panel images of all switches in a cluster.
• Two levels of access to the configuration options: read-write access for users allowed to change switch settings; read-only access for users allowed to only view switch settings
• Consistent set of GUI components (such as tabs, buttons, drop-down lists, tables, and so on) for a consistent approach to setting configuration parameters

Figure 3-1 CMS Features (toolbar callout: Move the cursor over the icon to display the tool tip.)
Front Panel View

When CMS is launched from a command switch, the Front Panel view displays the front-panel images of all switches in the cluster (Figure 3-2). When CMS is launched from a standalone or non-command member switch, the Front Panel view displays only the front panel of the specific switch (Figure 3-3).
Cluster Tree

The cluster tree (Figure 3-3) appears in the left frame of the Front Panel view and shows the name of the cluster and a list of its members. The sequence of the cluster-tree icons (Figure 3-4) mirrors the sequence of the front-panel images. You can change the sequence by selecting View > Arrange Front Panel. The colors of the devices in the cluster tree reflect the status of the devices (Table 3-1).
Front-Panel Images

You can manage the switch from a remote station by using the front-panel images. The front-panel images are updated based on the network polling interval that you set from CMS > Preferences.

Note The Preferences window is not available if your switch access level is read-only. For more information about the read-only access mode, see the “Access Modes in CMS” section on page 3-31.
Redundant Power System LED

The Redundant Power System (RPS) LED shows the RPS status (Table 3-2).
Port Modes and LEDs

The port modes (Table 3-3) determine the type of information displayed through the port LEDs. When you change port modes, the meanings of the port LED colors (Table 3-4) also change.

Note The bandwidth utilization mode (UTL LED) does not appear on the front-panel images. Select Reports > Bandwidth Graphs to display the total bandwidth in use by the switch.
VLAN Membership Modes

Ports in the Front Panel view are outlined by colors (Table 3-5) when you click Highlight VLAN Port Membership Modes on the Configure VLANs tab on the VLAN window (VLAN > VLAN > Configure VLANs). The colors show the VLAN membership mode of each port. The VLAN membership mode determines the kind of traffic the port carries and the number of VLANs it can belong to.
Topology View

The Topology view displays how the devices within a switch cluster are connected and how the switch cluster is connected to other clusters and devices. From this view, you can add and remove cluster members. This view provides two levels of detail of the network topology:

• When you right-click a cluster icon and select Expand Cluster, the Topology view displays the switch cluster in detail.
Figure 3-6 Expand Cluster View (shows the cluster members of cluster1 and other devices connected to cluster1; right-click a device icon to display a device popup menu, or a link icon to display a link popup menu)

Figure 3-7 Collapse Cluster View (shows cluster1, a neighboring cluster connected to cluster1, and devices connected to cluster1 that are not eligible to join the cluster)
Topology Icons

The Topology view and the cluster tree use the same set of device icons to represent clusters, command and standby command switches, and member switches (Figure 3-8).
Figure 3-9 Topology-View Link Icons

Device and Link Labels

The Topology view displays device and link information by using these labels:

• Cluster and switch names
• Switch MAC and IP addresses
• Link type between the devices
• Link speed and IDs of the interfaces on both ends of the link

When using these labels, keep these considerations in mind:

• The IP address displays only in the labels for the command switch and member switches.
Colors in the Topology View

The colors of the Topology view icons reflect the status of the devices and links (Table 3-6, Table 3-7, and Table 3-8).

Table 3-6 Device Icon Colors
• Green: The device is operating.
• Yellow (available only on the cluster members): The internal fan of the switch is not operating, or the switch is receiving power from an RPS.
• Red (available only on the cluster members): The device is not operating.
Menus and Toolbar

The configuration and monitoring options for configuring switches and switch clusters are available from the menu bar, toolbar, and the Front-Panel and Topology view popup menus.

Menu Bar

The menu bar provides the complete list of options for managing a single switch and switch cluster. The menu bar is the same whether or not the Front-Panel or Topology views are displayed.
• If your cluster has these member switches running earlier software releases and if you have read-only access to these member switches, some configuration windows for those switches display incomplete information:
– Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 or earlier
– Catalyst 2950 member switches running Cisco IOS Release 12.
Table 3-10 Menu Bar (continued)

Cluster menu:
• Cluster Manager: Launch a CMS session from the command switch.
• Create Cluster: Designate a command switch, and name a cluster.
• Delete Cluster: Delete a cluster.
• Add to Cluster: Add a candidate to a cluster.
• Remove from Cluster: Remove a member from the cluster.
• Standby Command Switches
• Router Redundancy (guide mode available): Add a switch to or remove a switch from an HSRP group.
• Fallback Bridging: Create a fallback bridging group, modify a group, delete a group, or view its details.
• 802.1X: Configure 802.1X authentication of devices as they are attached to LAN ports in a point-to-point infrastructure.
Table 3-10 Menu Bar (continued)
Reports menu:
• Inventory: Display the device type, software version, IP address, and other information about a switch.
• Port Statistics: Display port statistics.
• Bandwidth Graphs: Display graphs that plot the total bandwidth in use by the switch.
• Link Graphs: Display a graph showing the bandwidth being used for the selected link.
• Link Reports: Display the link report for two connected devices.
Table 3-10 Menu Bar (continued)
Help menu:
• Overview: Obtain an overview of the CMS interface.
• What's New: Obtain a description of the new CMS features.
• Help For Active Window: Display the help for the active open window. This is the same as clicking Help from the active window.
• Contents: List all of the available online help topics.
• Legend: Display the legend that describes the icons, labels, and links.
Toolbar
The toolbar buttons display commonly used switch and cluster configuration options and information windows such as legends and online help. Hover the cursor over an icon to display the feature. Table 3-11 describes the toolbar options, from left to right on the toolbar.
Table 3-11 Toolbar Buttons
• Print (keyboard shortcut Ctrl-P): Print a CMS window or help file.
Front Panel View Popup Menus
These popup menus are available in the Front Panel view.
Device Popup Menu
You can display all switch and cluster configuration windows from the menu bar, or you can display commonly used configuration windows from the device popup menu (Table 3-12). To display the device popup menu, click the switch icon from the cluster tree or the front-panel image itself, and right-click.
Topology View Popup Menus
These popup menus are available in the Topology view.
Link Popup Menu
You can display reports and graphs for a specific link displayed in the Topology view (Table 3-14). To display the link popup menu, click the link icon, and right-click.
Table 3-14 Link Popup Menu
• Link Report: Display the link report for two connected devices.
Device Popup Menus
Specific devices in the Topology view display a specific popup menu:
• Cluster (Table 3-15)
• Command switch (Table 3-16)
• Member or standby command switch (Table 3-17)
• Candidate switch with an IP address (Table 3-18)
• Candidate switch without an IP address (Table 3-19)
• Neighboring devices (Table 3-20)
Note The Device Manager option in these popup menus is available in read-only mode on Catalyst 2900 XL and Cataly
Table 3-18 Device Popup Menu of a Candidate-Switch Icon (When the Candidate Switch Has an IP Address)
• Add to Cluster (1): Add a candidate to a cluster.
• Device Manager (2): Launch Device Manager for a switch.
• Properties: Display information about the device and port on either end of the link and the state of the link.
1. Not available in read-only mode.
Interaction Modes
You can change the interaction mode of CMS to either guide or expert mode. Guide mode steps you through each feature option and provides information about the parameter. Expert mode displays a configuration window in which you configure the feature options.
Guide Mode
Note Guide mode is not available if your switch access level is read-only.
Tool Tips
CMS displays a popup message when you move your mouse over these devices:
• A yellow device icon in the cluster tree or in Topology view: a popup displays a fault message, such as that the RPS is faulty or that the switch is unavailable because you are in read-only mode.
• A red device icon in the cluster tree or in Topology view: a popup displays a message that the switch is down.
• A table column heading: a popup displays the full heading.
CMS Window Components
CMS windows consistently present configuration information. Figure 3-12 shows the components of a typical CMS window.
Figure 3-12 CMS Window Components
OK saves your changes and closes the window. Modify displays a secondary window from which you can change settings. Click a row to select it. Press Shift, and left-click another row to select contiguous multiple rows.
Tabs, Lists, and Tables
Some CMS windows have tabs that present different sets of information. Tabs are arranged like folder headings across the top of the window. Click the tab to display its information. Listed information can often be changed by selecting an item from a list. To change the information, select one or more items, and click Modify. Changing multiple items is limited to those items that apply to at least one of the selections.
Accessing CMS
This section assumes the following:
• You know the IP address and password of the command switch or a specific switch. This information is either:
– Assigned to the switch by following the setup program, as described in the release notes.
– Changed on the switch by following the information in the "Assigning Switch Information" section on page 4-2 and the "Preventing Unauthorized Access to Your Switch" section on page 6-1.
Access Modes in CMS
CMS provides two levels of access to the configuration options: read-write access and read-only access. Privilege levels 0 to 15 are supported.
• Privilege level 15 provides you with read-write access to CMS.
• Privilege levels 1 to 14 provide you with read-only access to CMS.
Any options in the CMS windows, menu bar, toolbar, and popup menus that change the switch or cluster configuration are not shown in read-only mode.
Verifying Your Changes
CMS provides notification cues to help you track and confirm the changes you make.
Change Notification
A green border around a field or table cell means that you made an unsaved change to the field or table cell. Previous information in that field or table cell is displayed in the window status bar. When you save the changes or if you cancel the change, the green border disappears.
Using Different Versions of CMS
When managing switch clusters through CMS, remember that clusters can have a mix of switch models using different IOS releases and that CMS in earlier IOS releases and on different switch platforms might look and function differently from CMS in this IOS release. When you select Device > Device Manager for a cluster member, a new browser session is launched, and the CMS version for that switch is displayed.
Where to Go Next
Chapter 4 Assigning the Switch IP Address and Default Gateway
This chapter describes how to create the initial switch configuration (for example, assign the switch IP address and default gateway information) by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.
The boot loader provides access to the Flash file system before the operating system is loaded. Normally, the boot loader is used only to load, uncompress, and launch the operating system. After the boot loader gives the operating system control of the CPU, the boot loader is not active until the next system reset or power-on.
Default Switch Information
Table 4-1 shows the default switch information.
Table 4-1 Default Switch Information
• IP address and subnet mask: No IP address or subnet mask is defined.
• Default gateway: No default gateway is defined.
• Enable secret password: No password is defined.
• Host name: The factory-assigned default host name is Switch.
• Telnet password: No password is defined.
DHCP Client Request Process
When you boot your switch, the DHCP client is invoked and automatically requests configuration information from a DHCP server when the configuration file is not present on the switch. Figure 4-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server.
Configuring the DHCP Server
You should configure the DHCP server with reserved leases that are bound to each switch by the switch hardware address.
For the switch to successfully download a configuration file, the TFTP server must contain one or more configuration files in its base directory. The files can include these files:
• The configuration file named in the DHCP reply (the actual switch configuration file).
• The network-confg or the cisconet.cfg file (known as the default configuration files).
• The router-confg or the ciscortr.
Figure 4-2 Relay Device Used in Autoconfiguration (the switch acts as DHCP client with a Cisco router as relay between the 10.0.0.0 and 20.0.0.0 networks; the DHCP server is at 20.0.0.3 and the TFTP server at 20.0.0.4, with a DNS server on the same network; the figure also labels the addresses 10.0.0.1, 10.0.0.2, and 20.0.0.2)
Note The switch broadcasts TFTP server requests if the TFTP server is not obtained from the DHCP replies, if all attempts to read the configuration file through unicast transmissions fail, or if the TFTP server name cannot be resolved to an IP address. Any TFTP server on the local segment can answer such a broadcast, so make sure the DHCP reply names a reachable TFTP server and that the name resolves; that keeps the configuration download unicast to the server you intend.
Example Configuration
Figure 4-3 shows a sample network for retrieving IP information by using DHCP-based autoconfiguration.
DNS Server Configuration
The DNS server maps the TFTP server name maritsu to IP address 10.0.0.3.
TFTP Server Configuration (on UNIX)
The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method. This file contains the host name to be assigned to the switch based on its IP address.
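The lookup the DHCP client performs with the reply, the DNS mapping, and the network-confg file can be followed end to end in the added example below. It is not code from this guide or from Cisco: it models the text's rules (the TFTP server named in the reply is used when it is an address or resolves in DNS, otherwise the switch falls back to broadcasts; a configuration file named in the reply is fetched directly, otherwise the default files are read and the switch's host name is taken from their ip host entries). The hostname-confg name used for the second read follows the IOS AutoInstall convention and is an assumption here; DNS_TABLE and NETWORK_CONFG are constructed sample data that mirror the example network above.

```python
"""Model of the file lookup a switch performs during DHCP-based autoconfiguration.

Added example for this guide, not Cisco code. The '<hostname>-confg' file name
for the second read is the IOS AutoInstall convention and is an assumption here;
DNS_TABLE and NETWORK_CONFG are constructed sample data.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_CONFIG_FILES = ("network-confg", "cisconet.cfg")

# Constructed: mirrors the guide's example, where maritsu is the TFTP server.
DNS_TABLE = {"maritsu": "10.0.0.3"}

# Constructed network-confg, as served from the TFTP base directory.
NETWORK_CONFG = """\
ip host switch1 10.0.0.21
ip host switch2 10.0.0.22
"""


@dataclass
class DhcpReply:
    """The fields of the DHCP reply that autoconfiguration consumes."""
    ip: str                              # address leased to the switch
    tftp_server: Optional[str] = None    # IP address or host name, if supplied
    config_file: Optional[str] = None    # bootfile name, if supplied


def parse_ip_host(text: str) -> Dict[str, str]:
    """Map IP address -> host name from 'ip host NAME ADDRESS' lines."""
    hosts: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"ip host (\S+) (\S+)$", line.strip())
        if m:
            hosts[m.group(2)] = m.group(1)
    return hosts


def resolve_tftp_server(reply: DhcpReply, dns: Dict[str, str]) -> Optional[str]:
    """Address to unicast TFTP requests to; None means the switch broadcasts."""
    if reply.tftp_server is None:
        return None
    try:
        return str(ipaddress.ip_address(reply.tftp_server))
    except ValueError:                 # a name: it must resolve, or we fall back
        return dns.get(reply.tftp_server)


def config_files_to_request(reply: DhcpReply, network_confg: str) -> List[str]:
    """Files requested, in order. A bootfile named in the reply wins outright."""
    if reply.config_file:
        return [reply.config_file]
    files = list(DEFAULT_CONFIG_FILES)
    host = parse_ip_host(network_confg).get(reply.ip)
    if host:                           # two-file read: then the host-specific file
        files.append(f"{host}-confg")  # assumed AutoInstall naming
    return files


def autoconfigure(reply: DhcpReply, dns=DNS_TABLE, network_confg=NETWORK_CONFG) -> dict:
    """Summarise what the switch would do with this reply."""
    server = resolve_tftp_server(reply, dns)
    return {
        "tftp_server": server,
        "unicast": server is not None,
        "files": config_files_to_request(reply, network_confg),
    }


if __name__ == "__main__":
    for r in (DhcpReply("10.0.0.21", "maritsu"),
              DhcpReply("10.0.0.22", "10.0.0.3", "switch2-confg"),
              DhcpReply("10.0.0.99", "nosuchhost")):
        print(r, "->", autoconfigure(r))
```

The third case is the one worth noticing: a TFTP server name that does not resolve leaves the switch broadcasting for its configuration, which is exactly the situation the note above warns about.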
Manually Assigning IP Information
Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs) or ports:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface vlan vlan-id: Enter interface configuration mode, and enter the VLAN to which the IP information is assigned.
!
interface GigabitEthernet0/1
 no switchport
 ip address 172.20.137.50 255.255.255.
Modifying the Startup Configuration
This section describes how to modify the switch startup configuration.
Specifying the Filename to Read and Write the System Configuration
By default, the IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which is loaded during the next boot cycle.
Step 4 show boot: Verify your entries.
The boot manual global command changes the setting of the MANUAL_BOOT environment variable. The next time you reboot the system, the switch is in boot loader mode, shown by the switch: prompt. To boot the system, use the boot filesystem:/file-url boot loader command.
• For filesystem:, use flash: for the system board Flash device.
Controlling Environment Variables
With a normally operating switch, you enter the boot loader mode only through a switch console connection configured for 9600 bps. Unplug the switch power cord and press the switch Mode button while reconnecting the power cord. You can release the Mode button a second or two after the LED above port 1X goes off. Then the boot loader switch: prompt is displayed. Because this needs nothing more than physical access to the console and the Mode button, it is also the path that password recovery takes; the no service password-recovery command described in Chapter 6 is the control for that path.
Table 4-5 describes the function of the most common environment variables.
Table 4-5 Environment Variables
• MANUAL_BOOT (boot loader command: set MANUAL_BOOT yes; IOS global configuration command: boot manual): Determines whether the switch automatically or manually boots.
Scheduling a Reload of the Software Image
You can schedule a reload of the software image to occur on the switch at a later time (for example, late at night or during the weekend when the switch is used less), or you can synchronize a reload network-wide (for example, to perform a software upgrade on all switches in the network).
Note A scheduled reload must take place within approximately 24 days.
This example shows how to reload the software on the switch at a future time:
Switch# reload at 02:00 jun 20
Reload scheduled for 02:00:00 UTC Thu Jun 20 1996 (in 344 hours and 53 minutes)
Proceed with reload? [confirm]
To cancel a previously scheduled reload, use the reload cancel privileged EXEC command.
Chapter 5 Clustering Switches
This chapter provides these topics to help you get started with switch clustering:
• Understanding Switch Clusters, page 5-2
• Planning a Switch Cluster, page 5-4
• Creating a Switch Cluster, page 5-18
• Using the CLI to Manage Switch Clusters, page 5-25
• Using SNMP to Manage Switch Clusters, page 5-26
Configuring switch clusters is more easily done from the Cluster Management Suite (CMS) web-based interface than through the command-line interface (CLI).
Understanding Switch Clusters
A switch cluster is a group of connected Catalyst switches that are managed as a single entity. In a switch cluster, one switch must be the command switch and up to 15 switches can be member switches. The total number of switches in a cluster cannot exceed 16 switches. The command switch is the single point of access used to configure, manage, and monitor the member switches.
Standby Command Switch Characteristics
A Catalyst 3550 standby command switch must meet these requirements:
• It is running 12.1(4)EA1 or later.
• It has an IP address.
• It has CDP version 2 enabled.
• It is connected to the command switch and all other standby command switches through at least one common VLAN.
• It is redundantly connected to the cluster so that connectivity to member switches is maintained.
Planning a Switch Cluster
Anticipating conflicts and compatibility issues is a high priority when you manage several switches through a cluster.
Discovery through CDP Hops
By using CDP, a command switch can discover switches up to seven CDP hops away (the default is three hops) from the edge of the cluster. The edge of the cluster is where the last member switches are connected to the cluster (for example, the command switch and member switches 8, 9, and 10 in Figure 5-1 are at the edge of the cluster).
Discovery through Non-CDP-Capable and Noncluster-Capable Devices
If a command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
Discovery through Different VLANs
A cluster can have Catalyst 3550 member switches configured with different VLANs. However, each member switch must be connected through at least one VLAN in common with the command switch. The command switch in Figure 5-3 has ports assigned to VLANs 9, 16, and 62 and therefore discovers the switches in those VLANs. It does not discover the switch in VLAN 50.
Discovery through the Same Management VLAN
When the cluster has a Catalyst 2900 XL, Catalyst 2950, or Catalyst 3500 XL command switch, all cluster members must connect to it through the command-switch management VLAN, which is VLAN 1 by default. If the cluster members include Catalyst 3550 switches, these member switches must also be connected to the command-switch management VLAN.
Discovery through Different Management VLANs
We strongly recommend that a Catalyst 3550 switch be the command switch when the cluster has Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL member switches. These member switches must connect to each other and to a Catalyst 3550 command switch through their management VLAN, which is VLAN 1 by default.
Discovery through Routed Ports
If the command switch has a routed port (RP) configured, it discovers only candidate and member switches in the same VLAN as the routed port. For more information about routed ports, see the "Routed Ports" section on page 8-4. The command switch in Figure 5-6 can discover the switches in VLANs 9 and 62 but not the switch in VLAN 4.
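The discovery rules from the CDP-hop, non-CDP/noncluster-device, and different-VLAN sections above combine in a way that is easier to check on a concrete topology. The added example below is not Cisco code and is not from this guide: it is a breadth-first model in which candidates are found up to max_hops CDP hops from the cluster edge (default 3, at most 7), a non-CDP third-party hub is looked through without consuming a hop, a noncluster-capable Cisco device is seen as a neighbor but nothing behind it is discovered, and a candidate must share at least one VLAN with the command switch. It does not model the management-VLAN or routed-port rules. The assumption that a switch sharing no VLAN with the command switch is not traversed either, and the whole topology in build_topology, are constructed for the example.

```python
"""Model of how a command switch discovers cluster candidates through CDP.

Added example for this guide, not Cisco code. Device kinds, links and VLAN
membership below are constructed; the rule that a switch with no common VLAN
is not traversed is an assumption, not stated in the guide.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(eq=False)
class Device:
    name: str
    kind: str                                  # "cluster", "cisco-noncluster", "hub"
    vlans: FrozenSet[int] = frozenset()
    links: List["Device"] = field(default_factory=list)


def connect(a: Device, b: Device) -> None:
    a.links.append(b)
    b.links.append(a)


def cdp_neighbors(dev: Device) -> List[Device]:
    """Neighbours as CDP sees them: a hub forwards CDP frames, so it is transparent."""
    out, stack, seen_hubs = [], list(dev.links), set()
    while stack:
        nb = stack.pop()
        if nb.kind == "hub":
            if nb.name not in seen_hubs:
                seen_hubs.add(nb.name)
                stack.extend(n for n in nb.links if n is not dev)
        else:
            out.append(nb)
    return out


def discover(members: List[Device], max_hops: int = 3) -> Dict[str, int]:
    """Return {candidate name: CDP hops from the cluster edge}.

    members[0] is the command switch; every member is at the edge (hop 0).
    """
    if not 1 <= max_hops <= 7:
        raise ValueError("CDP hop count must be 1 to 7")
    command = members[0]
    hops = {m.name: 0 for m in members}
    queue = deque(members)
    candidates: Dict[str, int] = {}
    while queue:                                   # BFS: first visit is the shortest
        dev = queue.popleft()
        next_hop = hops[dev.name] + 1
        if next_hop > max_hops:
            continue
        for nb in cdp_neighbors(dev):
            if nb.name in hops:
                continue
            hops[nb.name] = next_hop
            if nb.kind != "cluster":               # noncluster-capable Cisco device: stop
                continue
            if not nb.vlans & command.vlans:       # no VLAN in common: not discovered
                continue
            candidates[nb.name] = next_hop
            queue.append(nb)
    return candidates


def build_topology():
    """Constructed example network; returns (members, devices by name)."""
    cs = Device("command", "cluster", frozenset({9, 16, 62}))
    m1 = Device("member1", "cluster", frozenset({9}))
    hub = Device("hub", "hub")
    c1 = Device("cand1", "cluster", frozenset({9}))            # behind the hub
    c2 = Device("cand2", "cluster", frozenset({50}))           # no common VLAN
    rtr = Device("router", "cisco-noncluster", frozenset({16}))
    c3 = Device("cand3", "cluster", frozenset({16}))           # behind the router
    chain = [Device(f"chain{i}", "cluster", frozenset({62})) for i in range(1, 5)]
    connect(cs, m1); connect(m1, hub); connect(hub, c1)
    connect(cs, c2); connect(cs, rtr); connect(rtr, c3)
    prev = m1
    for d in chain:                                # chain1..chain4 hang off member1
        connect(prev, d)
        prev = d
    devices = {d.name: d for d in [cs, m1, hub, c1, c2, rtr, c3, *chain]}
    return [cs, m1], devices


if __name__ == "__main__":
    members, _ = build_topology()
    print("default 3 hops:", discover(members))
    print("7 hops:", discover(members, max_hops=7))
```

With the default of three hops chain4 is never seen although it is cabled to the cluster, cand3 is invisible because the only path to it crosses a noncluster-capable Cisco device, and cand2 is excluded by VLAN 50, which matches the Figure 5-3 description above.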
Discovery of Newly Installed Switches
A new, out-of-the-box switch is set with the default VLAN, VLAN 1. By default, all access ports on the new switch are assigned to VLAN 1. To add a new switch to a cluster, it must be connected to the cluster through an access port. When the new switch joins a cluster, its default VLAN changes to the VLAN of the immediately upstream neighbor.
HSRP and Standby Command Switches
The switch supports Hot Standby Router Protocol (HSRP) so that you can configure a group of standby command switches. Because a command switch manages the forwarding of all communication and configuration information to all the member switches, we strongly recommend that you configure a cluster standby command switch to take over if the primary command switch fails.
Virtual IP Addresses
You need to assign a unique virtual IP address and group number and name to the cluster standby group. This information must be configured on a specific VLAN or routed port on the active command switch. The active command switch receives traffic destined for the virtual IP address. To manage the cluster, you must access the active command switch through the virtual IP address, not through the command-switch IP address.
Considerations for Cluster Standby Groups
In addition to providing a virtual IP address to the cluster standby group, these requirements apply:
• When the command switch is a Catalyst 3550 switch, all standby command switches must be Catalyst 3550 switches or Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later. When the command switch is a Catalyst 2950 switch running Cisco IOS Release 12.
Figure 5-8 VLAN Connectivity between Standby-Group Members and Cluster Members (the figure shows a Catalyst 3550 primary command switch, a Catalyst 3550 standby command switch, and a Catalyst 2950 passive command switch joined through VLANs 9 and 16 to the member switches: Catalyst 3550 multilayer switches, a Catalyst 2900 XL or Catalyst 3500 XL switch with management VLAN 16, and a Catalyst 2950 switch, with management VLANs 9 and 16 marked on the links)
Host Names
You do not need to assign a host name to either a command switch or an eligible cluster member. However, a host name assigned to the command switch can help to more easily identify the switch cluster. The default host name for the switch is Switch.
TACACS+
If Terminal Access Controller Access Control System Plus (TACACS+) is configured on the command switch, TACACS+ must also be configured on all member switches to access the switch cluster from CMS. For more information about TACACS+, see the "Controlling Switch Access with TACACS+" section on page 6-10.
Access Modes in CMS
CMS provides two levels of access to the configuration options: read-write access and read-only access.
Availability of Switch-Specific Features in Switch Clusters
The menu bar on the command switch displays all options available from the switch cluster. Therefore, features specific to a member switch are available from the command-switch menu bar. For example, Device > LRE Profile appears in the command-switch menu bar when at least one Catalyst 2900 LRE XL switch is in the cluster.
Enabling a Command Switch
The switch you designate to be the command switch must meet the requirements described in the "Command Switch Characteristics" section on page 5-2, the "Planning a Switch Cluster" section on page 5-4, and the release notes.
Adding Member Switches
As explained in the "Automatic Discovery of Cluster Candidates and Members" section on page 5-4, the command switch automatically discovers candidate switches. When you add new cluster-capable switches to the network, the command switch discovers and adds them to a list of candidate switches.
Figure 5-10 Add to Cluster Window (callouts: Select a switch, and click Add. Press Ctrl and left-click to select more than one switch. Enter the password of the candidate switch; if no password exists for the switch, leave this field blank. A thin line means a connection to a candidate switch. Right-click a candidate switch to display the pop-up menu, and select Add to Cluster to add the switch to the cluster.)
Creating a Cluster Standby Group
The cluster standby group members must meet the requirements described in the "Standby Command Switch Characteristics" section on page 5-3 and the "HSRP and Standby Command Switches" section on page 5-12. To create a cluster standby group, select Cluster > Standby Command Switches (Figure 5-12).
Figure 5-12 Standby Command Configuration Window (callouts: Active command switch. Standby command switch. The virtual IP address must be a valid IP address in the same subnet as the active command switch. Once entered, this information cannot be changed.)
Verifying a Switch Cluster
When you finish adding cluster members, follow these steps to verify the cluster:
Step 1 Enter the command switch IP address in the browser Location field (Netscape Communicator) or Address field (Microsoft Internet Explorer) to access all switches in the cluster.
Step 2 Enter the command-switch password.
Using the CLI to Manage Switch Clusters
You can configure member switches from the CLI by first logging into the command switch. Enter the rcommand user EXEC command and the member switch number to start a Telnet session (through a console or Telnet connection) and to access the member switch CLI. After this, the command mode changes, and the IOS commands operate as usual. Because rcommand rides on Telnet, the session to the member travels in the clear over the cluster's VLANs, so treat those VLANs as management-plane traffic that must not be exposed to untrusted ports.
Using SNMP to Manage Switch Clusters
When you first power on the switch, SNMP is enabled if you enter the IP information by using the setup program and accept its proposed configuration. If you did not use the setup program to enter the IP information and SNMP was not enabled, you can enable it as described in the "Configuring SNMP" section on page 18-4. On Catalyst 1900 and Catalyst 2820 switches, SNMP is enabled by default.
Chapter 6 Administering the Switch
This chapter describes how to perform one-time operations to administer your switch.
Protecting Access to Privileged EXEC Commands
To prevent unauthorized access into your switch, you should configure one or more of these security features:
• At a minimum, you should configure passwords and privilege levels on each access line (console and vty). These passwords are locally stored on the switch. When users attempt to access the switch through a line, they must enter the password specified for that line before they can access the switch.
Default Password and Privilege Level Configuration
Table 6-1 shows the default password and privilege level configuration.
Table 6-1 Default Password and Privilege Levels
• Enable password and privilege level: No password is defined. The default is level 15 (privileged EXEC level). The password is not encrypted in the configuration file.
This example shows how to change the enable password to l1u2c3k4y5.
Step 3 service password-encryption: (Optional) Encrypt the password when the password is defined or when the current configuration is written. Encryption prevents the password from being readable in the configuration file. This is the reversible type 7 encoding: it hides the password from casual viewing of the configuration, but anyone who obtains the configuration file can recover it. Protect privileged EXEC with enable secret, which stores a hash of the password instead.
Step 4 end: Return to privileged EXEC mode.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Beginning in privileged EXEC mode, follow these steps to disable password recovery:
Step 1 configure terminal: Enter global configuration mode.
Step 2 no service password-recovery: Disable password recovery. This setting is saved in an area of the Flash memory that is accessible by the boot loader and the IOS image, but it is not part of the file system and is not accessible by any user.
Step 7 show running-config: Verify your entries. The password is listed under the command line vty 0 15.
Step 8 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To remove the password, use the no password line configuration command.
To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command.
Configuring Multiple Privilege Levels
By default, the IOS software has two modes of password security: user EXEC and privileged EXEC.
Step 5 show running-config or show privilege: Verify your entries. The first command displays the password and access level configuration. The second command displays the privilege level configuration.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
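The settings covered in the preceding steps (enable password versus enable secret, service password-encryption, line passwords, login and no login) can be checked mechanically on a saved configuration. The added example below is not Cisco code and is not from this guide: it audits a running-config excerpt and, to make the point about service password-encryption concrete, decodes the type 7 strings it produces with the fixed XOR key that IOS uses for that encoding (a public, well-known key). SAMPLE_CONFIG is a constructed excerpt whose type 7 strings encode the guide's example password l1u2c3k4y5 and the string cisco; everything in it is sample data.

```python
"""Audit an IOS configuration for the weak local-password settings discussed above.

Added example for this guide, not Cisco code. SAMPLE_CONFIG is a constructed
running-config excerpt; the type 7 key is the fixed, public key IOS uses.
"""
import re
from typing import List, Optional, Tuple

# Fixed key that IOS type 7 obfuscation XORs against (public, well known).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: two-digit key offset followed by hex bytes."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plain: str, offset: int = 0) -> str:
    """What 'service password-encryption' writes; XOR is its own inverse."""
    data = bytes(c ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(plain.encode("ascii")))
    return f"{offset:02d}" + data.hex().upper()


# Constructed excerpt: the type 7 strings encode l1u2c3k4y5 and cisco.
SAMPLE_CONFIG = """\
hostname Switch
enable password 7 020A554E59055C2A18575C
username admin password 0 Secret123
username ops password 7 094F471A1A0A
line con 0
 password console1
 login
line vty 0 4
 password 7 094F471A1A0A
 no login
line vty 5 15
 login
"""

_PW_RE = re.compile(
    r"^(?:enable password|username \S+ password|password)\s+(?:([07])\s+)?(\S+)$")


def _password_finding(where: str, ptype: Optional[str], value: str) -> str:
    if ptype == "7":
        return f"{where}: type 7 password decodes to {type7_decode(value)!r} (reversible)"
    return f"{where}: cleartext password {value!r}"


def audit_config(text: str) -> List[str]:
    """Return findings, one per weak setting, in configuration order."""
    findings: List[str] = []
    lines = text.splitlines()
    if not any(l.startswith("enable secret") for l in lines):
        findings.append("no 'enable secret': privileged EXEC relies on 'enable password'")
    if not any(l.startswith("service password-encryption") for l in lines):
        findings.append("'service password-encryption' absent: line and username passwords are cleartext")
    # Split into the global section plus one section per 'line ...' stanza.
    sections: List[Tuple[str, List[str]]] = [("global", [])]
    for l in lines:
        if l.startswith("line "):
            sections.append((l.strip(), []))
        else:
            sections[-1][1].append(l.strip())
    for name, body in sections:
        for l in body:
            m = _PW_RE.match(l)
            if m:
                where = name if name != "global" else l.split(" password")[0]
                findings.append(_password_finding(where, m.group(1), m.group(2)))
        if name != "global":
            if "no login" in body:
                findings.append(f"{name}: 'no login' accepts connections without a password")
            elif "login" in body and not any(l.startswith("password") for l in body):
                findings.append(f"{name}: 'login' but no password set; IOS refuses these connections")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against SAMPLE_CONFIG the audit recovers both type 7 passwords outright, which is why enable secret (a hash) rather than enable password is the right control for privileged EXEC, and it flags line vty 0 4 for no login, the setting the previous section describes for allowing connections without a password.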
Logging into and Exiting a Privilege Level
Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:
Step 1 enable level: Log in to a specified privilege level. For level, the range is 0 to 15.
Step 2 disable level: Exit to a specified privilege level. For level, the range is 0 to 15.
The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers. A network access server provides connections to a single user, to a network or subnetwork, and to interconnected networks as shown in Figure 6-1.
You need a system running the TACACS+ daemon software to use TACACS+ on your switch.
TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the user.
Configuring TACACS+
This section describes how to configure your switch to support TACACS+. At a minimum, you must identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+ authentication. You can optionally define method lists for TACACS+ authorization and accounting. A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user.
Beginning in privileged EXEC mode, follow these steps to identify the IP host or hosts maintaining the TACACS+ server and optionally set the encryption key:
Step 1 configure terminal: Enter global configuration mode.
Step 2 tacacs-server host hostname [port integer] [timeout integer] [key string]: Identify the IP host or hosts maintaining a TACACS+ server.
A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Chapter 6 Administering the Switch Controlling Switch Access with RADIUS

Starting TACACS+ Accounting

The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

Understanding RADIUS

RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco routers and switches (including Catalyst 3550 multilayer switches and Catalyst 2950 series switches) and send authentication requests to a central RADIUS server, which contains all user authentication and network service access information.

Figure 6-2 Typical AAA Network Configuration (figure: RADIUS servers R1 and R2, TACACS+ servers T1 and T2, a workstation and a remote PC, all reached through a Catalyst 3550 switch)

RADIUS Operation

When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:
1. The user is prompted to enter a username and password.
2.

software uses the first method listed to authenticate, to authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted. You should have access to and should configure a RADIUS server before configuring RADIUS features on your switch.
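The method-list rule stated for both TACACS+ and RADIUS (a method that answers decides the login; only a method that does not respond hands off to the next one) is easy to get wrong when designing a local fallback. The following is an added example, not code from the guide or from Cisco IOS; the method names, user databases and reply codes are constructed for the illustration.

```python
"""Added example (not from the guide or Cisco IOS): a model of the AAA
method-list rule the guide states for both TACACS+ and RADIUS lists.

Rule: methods are tried in order; a method that RESPONDS decides the
login, whether it accepts or rejects, and only a method that does not
respond (server unreachable, timeout) hands off to the next one.
The method names and user databases below are constructed for the demo.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Reply(Enum):
    PASS = "pass"                # server answered: credentials accepted
    FAIL = "fail"                # server answered: credentials rejected
    NO_RESPONSE = "no-response"  # server unreachable or timed out


# A method takes (username, password) and returns a Reply.
Method = Callable[[str, str], Reply]


def make_server_method(reachable: bool, users: Dict[str, str]) -> Method:
    """Stand-in for a 'tacacs+' or 'radius' method backed by a server."""
    def method(username: str, password: str) -> Reply:
        if not reachable:
            return Reply.NO_RESPONSE
        return Reply.PASS if users.get(username) == password else Reply.FAIL
    return method


def make_local_method(users: Dict[str, str]) -> Method:
    """Stand-in for the 'local' method: the switch's own user database.
    It always responds, so nothing listed after it is ever reached."""
    def method(username: str, password: str) -> Reply:
        return Reply.PASS if users.get(username) == password else Reply.FAIL
    return method


def evaluate_method_list(method_list: List[str], registry: Dict[str, Method],
                         username: str, password: str) -> Tuple[str, Optional[str]]:
    """Walk the list in order and return (decision, deciding_method).

    decision is 'pass' or 'fail'. deciding_method is None when every
    method failed to respond: the list is exhausted and the login is denied.
    """
    for name in method_list:
        reply = registry[name](username, password)
        if reply is Reply.NO_RESPONSE:
            continue  # only a non-responding method falls through
        return reply.value, name
    return "fail", None


def build_registry(tacacs_reachable: bool) -> Dict[str, Method]:
    """Constructed environment: a TACACS+ server that knows alice only,
    and a local database holding an emergency admin account."""
    return {
        "tacacs+": make_server_method(tacacs_reachable, {"alice": "s3cret"}),
        "local": make_local_method({"admin": "fallb4ck"}),
    }


if __name__ == "__main__":
    # With the server reachable, the local admin account is never consulted:
    # a TACACS+ reject is a final answer, not a fall-through.
    for reachable in (True, False):
        registry = build_registry(reachable)
        for user, pw in (("alice", "s3cret"), ("admin", "fallb4ck"), ("alice", "bad")):
            print(f"server reachable={reachable} {user}: "
                  f"{evaluate_method_list(['tacacs+', 'local'], registry, user, pw)}")
```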
Chapter 6 Administering the Switch Controlling Switch Access with RADIUS

If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as a fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the switch tries the second host entry configured on the same device for accounting services.

Command / Purpose
Step 1: configure terminal. Enter global configuration mode.
Step 2: radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]. Specify the IP address or host name of the remote RADIUS server host.
• (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.

This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting:
Switch(config)# radius-server host host1
Note: You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, refer to the RADIUS server documentation.

Step 3: aaa authentication login {default | list-name} method1 [method2...]. Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.

Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.

Step 4: aaa group server radius group-name. Define the AAA server-group with a group name. This command puts the switch in a server group configuration mode.
Step 5: server ip-address. Associate a particular RADIUS server with the defined server group. Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2.

Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:
Command / Purpose
Step 1: configure terminal. Enter global configuration mode.
Step 2: aaa authorization network radius. Configure the switch for user RADIUS authorization for all network-related service requests.

Configuring Settings for All RADIUS Servers

Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers:
Command / Purpose
Step 1: configure terminal. Enter global configuration mode.
Step 2: radius-server key string. Specify the shared secret text string used between the switch and all RADIUS servers.

For example, the following AV pair activates Cisco's multiple named ip address pools feature during IP authorization (during PPP's IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"
The following example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
Other vendors have their own unique vendor-IDs, options, and associated VSAs.

Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server host and a shared secret text string:
Command / Purpose
Step 1: configure terminal. Enter global configuration mode.
Step 2: radius-server host {hostname | ip-address} non-standard. Specify the IP address or host name of the remote RADIUS server host and identify that it is using a vendor-proprietary implementation of RADIUS.
Chapter 6 Administering the Switch Configuring the Switch for Local Authentication and Authorization

Configuring the Switch for Local Authentication and Authorization

You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration.
Chapter 6 Administering the Switch Managing the System Time and Date

Managing the System Time and Date

You can manage the system time and date on your switch using automatic methods, such as the Network Time Protocol (NTP), or manual configuration.
Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.

running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP. This strategy effectively builds a self-organizing tree of NTP speakers. NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device that is not synchronized.

Figure 6-3 Typical NTP Network Configuration (figure: a Catalyst 6500 series switch as NTP master, local workgroup servers, and several Catalyst 3550 switches)
These switches are configured in NTP server mode (server association) with the Catalyst 6500 series switch.
This switch is configured as an NTP peer to the upstream and downstream Catalyst 3550 switches.

Default NTP Configuration

Table 6-2 shows the default NTP configuration.
Table 6-2 Default NTP Configuration
Feature / Default Setting
NTP authentication: Disabled. No authentication key is specified.
NTP peer or server associations: None configured.
NTP broadcast service: Disabled; no interface sends or receives NTP broadcast packets.
NTP access restrictions: No access control is specified.

Command / Purpose
Step 5: end. Return to privileged EXEC mode.
Step 6: show running-config. Verify your entries.
Step 7: copy running-config startup-config. (Optional) Save your entries in the configuration file.
To disable NTP authentication, use the no ntp authenticate global configuration command. To remove an authentication key, use the no ntp authentication-key number global configuration command.

Command / Purpose
Step 3: end. Return to privileged EXEC mode.
Step 4: show running-config. Verify your entries.
Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
You need to configure only one end of an association; the other device can automatically establish the association.

Command / Purpose
Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
Step 7: Configure the connected peers to receive NTP broadcast packets as described in the next procedure.
To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command.

Creating an Access Group and Assigning a Basic IP Access List

Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:
Command / Purpose
Step 1: configure terminal. Enter global configuration mode.
Step 2: ntp access-group {query-only | serve-only | serve | peer} access-list-number. Create an access group, and apply a basic IP access list.

If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted. To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command.
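The selection rule above (first matching access type wins; no groups means everything is granted; once any group exists, everything not explicitly permitted is refused) can be checked against a planned policy before it goes onto the switch. This is an added example, not code from the guide or from Cisco IOS; the scan order of the four types is an assumption taken from the command reference rather than from this page, and the policy and addresses are constructed.

```python
"""Added example (not from the guide or Cisco IOS): a model of how the
switch resolves a peer's NTP access rights once ntp access-group commands
are configured. The scan order of the four access types is an assumption
taken from the command reference (peer, serve, serve-only, query-only,
least to most restrictive); the guide page shows only the selection rule.
ACLs are modelled as ordered (action, prefix) entries with standard IP ACL
semantics: first match wins, implicit deny at the end.
"""
import ipaddress
from typing import Dict, FrozenSet, List, Tuple

# Assumed scan order (least restrictive first).
ACCESS_TYPES: Tuple[str, ...] = ("peer", "serve", "serve-only", "query-only")

AclEntry = Tuple[str, str]      # ("permit" | "deny", "10.1.0.0/16")
Acl = List[AclEntry]


def acl_permits(acl: Acl, source_ip: str) -> bool:
    """Standard IP ACL evaluation: first matching entry decides; implicit deny."""
    ip = ipaddress.ip_address(source_ip)
    for action, prefix in acl:
        if ip in ipaddress.ip_network(prefix, strict=False):
            return action == "permit"
    return False


def granted_ntp_access(access_groups: Dict[str, Acl], source_ip: str) -> FrozenSet[str]:
    """Return the NTP access types granted to source_ip.

    No access groups configured: every access type is granted.
    Otherwise only the configured types can be granted, and when the
    source matches more than one of them, the first in scan order wins.
    An empty result means the source gets no NTP service from the switch.
    """
    if not access_groups:
        return frozenset(ACCESS_TYPES)
    for access_type in ACCESS_TYPES:
        acl = access_groups.get(access_type)
        if acl is not None and acl_permits(acl, source_ip):
            return frozenset({access_type})
    return frozenset()


def render_config(access_groups: Dict[str, Acl], first_acl_number: int = 10) -> List[str]:
    """Emit the global configuration lines the model corresponds to: one
    numbered standard ACL (address plus wildcard mask) per access type,
    each applied with ntp access-group <type> <access-list-number>."""
    lines: List[str] = []
    number = first_acl_number
    for access_type in ACCESS_TYPES:
        if access_type not in access_groups:
            continue
        for action, prefix in access_groups[access_type]:
            net = ipaddress.ip_network(prefix, strict=False)
            lines.append(f"access-list {number} {action} {net.network_address} {net.hostmask}")
        lines.append(f"ntp access-group {access_type} {number}")
        number += 1
    return lines


# Constructed policy: one trusted peer, a management subnet that may only
# query (with one of its /24s excluded), and everything else gets nothing.
EXAMPLE_GROUPS: Dict[str, Acl] = {
    "peer": [("permit", "10.0.0.1/32")],
    "query-only": [("deny", "10.1.9.0/24"), ("permit", "10.1.0.0/16")],
}

if __name__ == "__main__":
    for src in ("10.0.0.1", "10.1.2.3", "10.1.9.4", "192.0.2.7"):
        print(src, sorted(granted_ntp_access(EXAMPLE_GROUPS, src)))
    print("\n".join(render_config(EXAMPLE_GROUPS)))
```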
Chapter 6 Administering the Switch Managing the System Time and Date

Command / Purpose
Step 3: end. Return to privileged EXEC mode.
Step 4: show running-config. Verify your entries.
Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
The specified interface is used for the source address for all packets sent to all destinations.

Setting the System Clock

If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock.
Beginning in privileged EXEC mode, follow these steps to set the system clock:
Command / Purpose
Step 1: clock set hh:mm:ss day month year. Manually set the system clock using one of these formats.

Configuring the Time Zone

Beginning in privileged EXEC mode, follow these steps to manually configure the time zone:
Command / Purpose
Step 1: configure terminal. Enter global configuration mode.
Step 2: clock timezone zone hours-offset [minutes-offset]. Set the time zone. The switch keeps internal time in universal time coordinated (UTC), so this command is used only for display purposes and when the time is manually set.

Configuring Summer Time (Daylight Saving Time)

Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:
Command / Purpose
Step 1: configure terminal. Enter global configuration mode.
Step 2: clock summer-time zone recurring. Configure summer time to start and end on the specified days every year.

Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):
Command / Purpose
Step 1: configure terminal. Enter global configuration mode.
Step 2: clock summer-time zone date [month date year hh:mm month date year hh:mm. Configure summer time to start on the first date and end on the second date.
Chapter 6 Administering the Switch Configuring a System Name and Prompt

Configuring a System Name and Prompt

You configure the system name on the switch to identify it. By default, the system name and prompt are Switch. If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. A greater-than symbol [>] is appended.

Configuring a System Prompt

Beginning in privileged EXEC mode, follow these steps to manually configure a system prompt:
Command / Purpose
Step 1: configure terminal. Enter global configuration mode.
Step 2: prompt string. Configure the command-line prompt to override the setting from the hostname command.

Default DNS Configuration

Table 6-3 shows the default DNS configuration.
Table 6-3 Default DNS Configuration
Feature / Default Setting
DNS enable state: Enabled.
DNS default domain name: None configured.
DNS servers: No name server addresses are configured.
Chapter 6 Administering the Switch Creating a Banner

domain name is the value set by the ip domain-name global configuration command. If there is a period (.) in the hostname, the IOS software looks up the IP address without appending any default domain name to the hostname. To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command.

Configuring a Message-of-the-Day Login Banner

You can create a single or multiline message banner that appears on the screen when someone logs in to the switch.
Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:
Command / Purpose
Step 1: configure terminal. Enter global configuration mode.
Step 2: banner motd c message c. Specify the message of the day.
Chapter 6 Administering the Switch Managing the MAC Address Table

Configuring a Login Banner

You can configure a login banner to be displayed on all connected terminals. This banner is displayed after the MOTD banner and before the login prompt.
Beginning in privileged EXEC mode, follow these steps to configure a login banner:
Command / Purpose
Step 1: configure terminal. Enter global configuration mode.
Step 2: banner login c message c. Specify the login message.

This section contains this configuration information:
• Building the Address Table, page 6-52
• MAC Addresses and VLANs, page 6-52
• Default MAC Address Table Configuration, page 6-53
• Changing the Address Aging Time, page 6-53
• Removing Dynamic Address Entries, page 6-54
• Configuring MAC Address Notification Traps, page 6-54
• Adding and Removing Static Address Entries, page 6-56
• Displaying Address Table Entries, page

Default MAC Address Table Configuration

Table 6-4 shows the default MAC address table configuration.
Table 6-4 Default MAC Address Table Configuration
Feature / Default Setting
Aging time: 300 seconds
Dynamic addresses: Automatically learned
Static addresses: None configured

Changing the Address Aging Time

Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use.

Removing Dynamic Address Entries

To remove all dynamic entries, use the clear mac-address-table dynamic command in privileged EXEC mode.

Command / Purpose
Step 3: snmp-server enable traps mac-notification. Enable the switch to send MAC address traps to the NMS.
Step 4: mac-address-table notification. Enable the MAC address notification feature.
Step 5: mac-address-table notification [interval value] | [history-size value]. Enter the trap interval time and the history table size.

Adding and Removing Static Address Entries

A static address has these characteristics:
• It is manually entered in the address table and must be manually removed.
• It can be a unicast or multicast address.
• It does not age and is retained when the switch restarts.
You can add and remove static addresses and define the forwarding behavior for them.
Chapter 6 Administering the Switch Optimizing System Resources for User-Selected Features

Displaying Address Table Entries

You can display the MAC address table by using one or more of the privileged EXEC commands described in Table 6-5:
Table 6-5 Commands for Displaying the MAC Address Table
Command / Description
show mac-address-table address: Displays MAC address table information for the specified MAC address.

The number of subnet VLANs (routed ports and SVIs) is not limited by software and can be set to a number higher than indicated in the tables. If the number of subnet VLANs configured is lower than or equal to the number in the tables, the number of entries in each category (unicast addresses, IGMP groups, and so on) for each template will be as shown.

Using the Templates

Follow these guidelines when using the SDM templates:
• The maximum number of resources allowed in each template is an approximation and depends upon the actual number of other features configured.

This example shows how to configure a switch with the routing template and verify the configuration:
Switch(config)# sdm prefer routing
Switch(config)# end
Switch# copy running-config startup-config
Switch# reload
Proceed with reload? [confirm]
Switch# show sdm prefer
The current template is routing template.
Chapter 7 Configuring 802.1X Port-Based Authentication

This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. As LANs extend to hotels, airports, and corporate lobbies, insecure environments could be created.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.

Understanding 802.1X Port-Based Authentication

Device Roles

With 802.1X port-based authentication, the devices in the network have specific roles as shown in Figure 7-1.
Figure 7-1 802.1X Device Roles (figure: workstations as clients, a Catalyst 3550 switch, and a RADIUS authentication server)
• Client—the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running 802.

Authentication Initiation and Message Exchange

The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the port link state transitions from down to up.

Ports in Authorized and Unauthorized States

The switch port state determines whether or not the client is granted access to the network. The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets.

Configuring 802.1X Authentication

In a point-to-point configuration (see Figure 7-1 on page 7-2), only one client can be connected to the 802.1X-enabled switch port. The switch detects the client when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state. Figure 7-3 shows 802.

Default 802.1X Configuration

Table 7-1 shows the default 802.1X configuration.
Table 7-1 Default 802.1X Configuration
Feature / Default Setting
Authentication, authorization, and accounting (AAA): Disabled.
RADIUS server
• IP address: None specified.
• UDP authentication port: 1812.
• Key: None specified.
Per-interface 802.1X protocol enable state: Disabled (force-authorized).

802.1X Configuration Guidelines

These are the 802.1X authentication configuration guidelines:
• When 802.1X is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are enabled.
• The 802.1X protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports, but it is not supported on these port types:
– Trunk port—If you try to enable 802.

Enabling 802.1X Authentication

To enable 802.1X port-based authentication, you must enable AAA and specify the authentication method list. A method list describes the sequence and authentication methods to be queried to authenticate a user. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list.

This example shows how to enable AAA and 802.

This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use port 1612 as the authorization port, and to set the encryption key to rad123, matching the key on the RADIUS server:
Switch(config)# radius-server host 172.20.39.

Manually Re-Authenticating a Client Connected to a Port

You can manually re-authenticate the client connected to a specific port at any time by entering the dot1x re-authenticate interface interface-id privileged EXEC command. If you want to enable or disable periodic re-authentication, see the "Enabling Periodic Re-Authentication" section on page 7-10.

Changing the Switch-to-Client Retransmission Time

The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time) and then retransmits the frame.

Setting the Switch-to-Client Frame-Retransmission Number

In addition to changing the switch-to-client retransmission time, you can change the number of times that the switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting the authentication process.
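The port-state behaviour described in this chapter (unauthorized until the exchange completes, EAP-request/identity retransmitted after each retransmission time, authentication restarted once the retransmission number is exhausted, and force-authorized ports passing traffic with no exchange at all) is shown below as an added discrete-time simulation. It is not code from the guide or from Cisco IOS; the timer and count values are constructed inputs rather than switch defaults, and counting the retransmission number as frames after the first one is this model's own convention.

```python
"""Added example (not from the guide or Cisco IOS): a discrete-time
simulation of the switch side of the 802.1X exchange as the guide
describes it. The port starts unauthorized; with port-control auto the
switch sends EAP-Request/Identity when the link comes up, retransmits
after each retransmission period with no reply, and restarts
authentication once the retransmission limit is reached. In
force-authorized mode (the default, 802.1X disabled) the port is
authorized without any exchange. Timer and count values are constructed
inputs, not switch defaults; max_req counts retransmissions after the
first frame (this model's convention).
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Dot1xResult:
    final_state: str             # "authorized" or "unauthorized"
    frames_sent: int             # EAP-Request/Identity frames sent by the switch
    restarted: bool              # authentication restarted after timeouts
    timeline: List[str] = field(default_factory=list)


def simulate_port(port_control: str, tx_period: int, max_req: int,
                  client_reply_at: Optional[int], server_accepts: bool) -> Dot1xResult:
    """Run one authentication attempt after the link transitions to up.

    client_reply_at: second at which the client answers with
    EAP-Response/Identity, or None if it never answers (a non-802.1X host).
    server_accepts: the RADIUS server's verdict once the exchange reaches it.
    """
    result = Dot1xResult("unauthorized", 0, False)
    if port_control == "force-authorized":
        # 802.1X disabled on the port: any attached device gets access.
        result.final_state = "authorized"
        result.timeline.append("t=0 port forced authorized, no EAP exchange")
        return result
    if port_control != "auto":
        raise ValueError(f"unsupported port-control {port_control!r}")

    now = 0
    result.timeline.append("t=0 link up, port unauthorized: only 802.1X frames pass")
    while True:
        result.frames_sent += 1
        result.timeline.append(
            f"t={now} switch sends EAP-Request/Identity #{result.frames_sent}")
        deadline = now + tx_period
        if client_reply_at is not None and now <= client_reply_at < deadline:
            result.timeline.append(
                f"t={client_reply_at} client sends EAP-Response/Identity")
            verdict = "authorized" if server_accepts else "unauthorized"
            result.final_state = verdict
            result.timeline.append(f"t={client_reply_at} RADIUS verdict: port {verdict}")
            return result
        now = deadline
        if result.frames_sent > max_req:
            # Retransmission limit reached: restart authentication from scratch.
            result.restarted = True
            result.timeline.append(
                f"t={now} no reply after {result.frames_sent} frames, "
                "restarting authentication")
            return result


if __name__ == "__main__":
    # A silent device on an auto port never gets the port authorized; the
    # same device on a force-authorized port has full access at t=0.
    for args in (("auto", 30, 2, 10, True), ("auto", 30, 2, None, True),
                 ("force-authorized", 30, 2, None, False)):
        print("\n".join(simulate_port(*args).timeline), "\n")
```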
Chapter 7 Configuring 802.1X Port-Based Authentication Displaying 802.1X Statistics and Status

Command / Purpose
Step 4: end. Return to privileged EXEC mode.
Step 5: show dot1x interface interface-id. Verify your entries.
Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.
To disable multiple hosts on the port, use the no dot1x multiple-hosts interface configuration command.
This example shows how to enable 802.
Chapter 8 Configuring Interface Characteristics

This chapter defines the types of interfaces on the switch and describes how to configure them.
Chapter 8 Configuring Interface Characteristics Understanding Interface Types

Port-Based VLANs

A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 9, "Creating and Maintaining VLANs." Packets received on a port are forwarded only to ports that belong to the same VLAN as the receiving port.

Trunk Ports

A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN database. Two types of trunk ports are supported:
• In an ISL trunk port, all received packets are expected to be encapsulated with an ISL header, and all transmitted packets are sent with an ISL header. Native (non-tagged) frames received from an ISL trunk port are dropped.
• An IEEE 802.

Switch Virtual Interfaces

A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing or bridging function in the system. Only one SVI can be associated with a VLAN, but you need to configure an SVI for a VLAN only when you wish to route between VLANs, fallback-bridge nonroutable protocols between VLANs, or to provide IP host connectivity to the switch.

For more information about IP unicast and multicast routing and routing protocols, see Chapter 22, "Configuring IP Unicast Routing" and Chapter 24, "Configuring IP Multicast Routing."

Connecting Interfaces

Devices within a single VLAN can communicate directly through any switch. Ports in different VLANs cannot exchange data without going through a routing device or interface.
Chapter 8 Configuring Interface Characteristics Using the Interface Command

Figure 8-2 Connecting VLANs with the Catalyst 3550 Multilayer Switch (figure: a Catalyst 3550 switch with the enhanced multilayer software image connecting Host A and Host B in VLAN 20 and VLAN 30 through SVI 1 and SVI 2; addresses 172.20.129.1 and 172.20.128.1)
The Catalyst 3550 switch with the enhanced multilayer software image supports two methods of forwarding traffic between interfaces: routing and fallback bridging.

To configure a physical interface (port), enter interface configuration mode, and specify the interface type, slot, and number.
• Type—Fast Ethernet (fastethernet or fa) for 10/100 Ethernet or Gigabit Ethernet (gigabitethernet or gi)
• Slot—The slot number on the switch. On the Catalyst 3550 switch, the slot number is 0.
• Port number—The interface number on the switch.

Enter the show interfaces privileged EXEC command to see a list of all interfaces on or configured for the switch. A report is provided for each interface that the device supports or for the specified interface:
Switch# show interfaces
Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is 0000.0000.0000 (bia 0000.0000.00
Internet address is 10.1.1.

5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output b

• You must add a space between the interface numbers and the hyphen when using the interface range command. For example, the command interface range gigabitethernet 0/1 - 5 is a valid range; the command interface range gigabitethernet 0/1-5 is not a valid range.

Configuring and Using Interface Range Macros

You can create an interface range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro global configuration command string, you must use the define interface-range global configuration command to define the macro.
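A configuration generator or audit script that builds interface range commands needs to apply the same rules the CLI does: the known type names and their abbreviations, slot 0 on this switch, spaces on both sides of the hyphen, and macros defined before they are used. The parser below is an added example, not code from the guide or from Cisco IOS; accepting several ranges separated by commas is this parser's own convention.

```python
"""Added example (not from the guide or Cisco IOS): a parser that expands
interface range specifications the way the guide describes them and
rejects the malformed form it warns about (no spaces around the hyphen).
Macro handling mirrors define interface-range / interface range macro.
Assumptions: only the Fast Ethernet and Gigabit Ethernet types and the
single slot 0 of the Catalyst 3550 are known; comma-separated ranges are
accepted as this parser's own convention.
"""
import re
from typing import Dict, List

TYPE_NAMES = {
    "fastethernet": "FastEthernet", "fa": "FastEthernet",
    "gigabitethernet": "GigabitEthernet", "gi": "GigabitEthernet",
}
VALID_SLOTS = (0,)

# type, optional whitespace, slot/first, and optionally " - last" with the
# spaces required on both sides of the hyphen (so "0/1-5" does not match).
_RANGE = re.compile(
    r"^(?P<type>[A-Za-z]+)\s*(?P<slot>\d+)/(?P<first>\d+)"
    r"(?:\s+-\s+(?P<last>\d+))?$"
)


def expand_range(spec: str) -> List[str]:
    """Expand one range such as 'gigabitethernet0/1 - 4' into interface names."""
    m = _RANGE.match(spec.strip())
    if m is None:
        raise ValueError(f"invalid interface range {spec!r} "
                         "(expected 'type slot/first - last' with spaces around '-')")
    type_name = TYPE_NAMES.get(m.group("type").lower())
    if type_name is None:
        raise ValueError(f"unknown interface type in {spec!r}")
    slot = int(m.group("slot"))
    if slot not in VALID_SLOTS:
        raise ValueError(f"slot {slot} does not exist on this switch")
    first = int(m.group("first"))
    last = int(m.group("last")) if m.group("last") else first
    if last < first:
        raise ValueError(f"range end {last} precedes start {first}")
    return [f"{type_name}{slot}/{n}" for n in range(first, last + 1)]


class RangeMacros:
    """Holds macros created with define interface-range <name> <range>."""

    def __init__(self) -> None:
        self._macros: Dict[str, str] = {}

    def define(self, name: str, spec: str) -> None:
        expand_range(spec)          # validate before storing, as the CLI would
        self._macros[name] = spec

    def expand_command(self, argument: str) -> List[str]:
        """Expand the argument of 'interface range ...': either 'macro <name>'
        or one or more ranges separated by commas."""
        arg = argument.strip()
        if arg.lower().startswith("macro "):
            name = arg[6:].strip()
            if name not in self._macros:
                raise KeyError(f"macro {name!r} is not defined")
            return expand_range(self._macros[name])
        names: List[str] = []
        for part in arg.split(","):
            names.extend(expand_range(part))
        return names


if __name__ == "__main__":
    macros = RangeMacros()
    macros.define("enet_list", "gigabitethernet0/1 - 4")   # the guide's example macro
    print(macros.expand_command("macro enet_list"))
    print(expand_range("gigabitethernet 0/1 - 5"))
    try:
        expand_range("gigabitethernet 0/1-5")             # rejected: no spaces around '-'
    except ValueError as err:
        print("rejected:", err)
```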
Chapter 8 Configuring Interface Characteristics Configuring Layer 2 Interfaces

This example shows how to define an interface-range macro named enet_list to select Gigabit Ethernet ports 1 to 4 and to verify the macro configuration:
Switch# configure terminal
Switch(config)# define interface-range enet_list gigabitethernet0/1 - 4
Switch(config)# end
Switch# show running-config | include define
define interface-range enet_list GigabitEthernet0/1 - 4
Switch#
This example shows how to create a multiple-inte

Default Layer 2 Ethernet Interface Configuration

Table 8-1 shows the Layer 2 Ethernet interface default configuration. For more details on the VLAN parameters listed in the table, see Chapter 9, "Creating and Maintaining VLANs." For details on controlling traffic to the port, see Chapter 12, "Configuring Port-Based Traffic Control."

Configuring Interface Speed and Duplex Mode

These sections describe how to configure the interface speed and duplex mode:
• Configuration Guidelines, page 8-14
• Setting the Interface Speed and Duplex Parameters, page 8-14

Configuration Guidelines

When configuring an interface speed and duplex mode, note these guidelines:
• If both ends of the line support autonegotiation, we highly recommend the default a

Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface:
Command / Purpose
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Enter interface configuration mode and the physical interface identification.

Configuring IEEE 802.3X Flow Control

Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. If one port experiences congestion and cannot receive any more traffic, it notifies the other port to stop sending until the condition clears.

Beginning in privileged EXEC mode, follow these steps to configure flow control on an interface:
Command / Purpose
Step 1: configure terminal. Enter global configuration mode.
Step 2: no mls qos. Disable QoS on the switch.
Step 3: interface interface-id. Enter interface configuration mode and the physical interface to be configured.
Monitoring and Maintaining the Layer 2 Interface

Step 5. show interfaces interface-id description, or show running-config - Verify your entry.
Step 6. copy running-config startup-config - (Optional) Save your entries in the configuration file.
Use the no description interface configuration command to delete the description.
Table 8-2 Show Commands for Interfaces (continued)
Command - Purpose
show running-config - Display the running configuration in RAM.
show version - Display the hardware configuration, software version, the names and sources of configuration files, and the boot images.
This example shows how to display the status of switching ports:
Switch# show interfaces switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabl
Note The clear counters privileged EXEC command does not clear counters retrieved by using Simple Network Management Protocol (SNMP), but only those seen with the show interface privileged EXEC command.
To verify that an interface is disabled, enter the show interfaces privileged EXEC command. A disabled interface is shown as administratively down in the show interfaces command display, as with Gigabit Ethernet interface 0/1 in this example.
Switch# show interfaces
Configuring Layer 3 Interfaces

Beginning in privileged EXEC mode, follow these steps to configure a Layer 3 interface:
Step 1. configure terminal - Enter global configuration mode.
Step 2. interface {{fastethernet | gigabitethernet} interface-id} | {vlan vlan-id} | {port-channel port-channel-number} - Enter interface configuration mode, and enter the interface to be configured as a Layer 3 interface.
This is an example of output from the show ip interface privileged EXEC command for an interface:
Switch# show ip interface gigabitethernet0/2
GigabitEthernet0/2 is up, line protocol is up
  Internet address is 192.20.135.21/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.
Chapter 9 Creating and Maintaining VLANs

This chapter describes how to create and maintain VLANs. It includes information about VLAN modes, the VLAN Trunking Protocol (VTP) database, and the VLAN Membership Policy Server (VMPS).
Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.
Understanding VLANs

Figure 9-1 VLANs as Logically Defined Networks [figure: Engineering VLAN, Marketing VLAN, and Accounting VLAN spanning Floor 1 to Floor 3, connected through a Cisco router over Fast Ethernet]

VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN. Interface VLAN membership on the switch is assigned manually on an interface-by-interface basis.
VLAN Port Membership Modes

You configure a port to belong to a VLAN by assigning a membership mode that determines the kind of traffic the port carries and the number of VLANs to which it can belong. Table 9-1 lists the membership modes and characteristics.
Using the VLAN Trunking Protocol

The VTP Domain and VTP Modes

A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain.
VTP Advertisements

Each switch in the VTP domain sends periodic global configuration advertisements from each trunk port to a reserved multicast address. Neighboring switches receive these advertisements and update their VTP and VLAN configurations as necessary.
VTP Version 2

If you use VTP in your network, you must decide whether to use version 1 or version 2. VTP version 2 supports these features not supported in version 1:
• Token Ring support—VTP version 2 supports Token Ring Bridge Relay Function (TrBRF) and Token Ring Concentrator Relay Function (TrCRF) VLANs. For more information about Token Ring VLANs, see the “VLANs in the VTP Database” section on page 9-15.
Figure 9-2 Flooding Traffic without VTP Pruning [figure: Switch 1 through Switch 6 carrying the Red VLAN; Port 1 on Switch 1 and Port 2 on Switch 4 are labeled]

Figure 9-3 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch 2 and Port 4 on Switch 4).
To configure VTP pruning on an interface, use the switchport trunk pruning vlan interface configuration command (see the “Changing the Pruning-Eligible List” section on page 9-28). VTP pruning operates when an interface is trunking. You can set VLAN pruning-eligibility, whether or not VTP pruning is enabled for the VTP domain, whether or not any given VLAN exists, and whether or not the interface is currently trunking.
Passwords

You can configure a password for the VTP domain, but it is not required. If you do configure a domain password, all domain switches must share the same password and you must configure the password on each switch in the management domain. Switches without a password or with the wrong password reject VTP advertisements.
Configuring a VTP Server

When a switch is in VTP server mode, you can change the VLAN configuration and have it propagated throughout the network. Beginning in privileged EXEC mode, follow these steps to configure the switch as a VTP server:
Step 1. vlan database - Enter VLAN configuration mode.
Step 2. vtp server - Configure the switch for VTP server mode (the default).
Configuring a VTP Client

When a switch is in VTP client mode, you cannot change its VLAN configuration. The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly. Beginning in privileged EXEC mode, follow these steps to configure the switch for VTP client mode:
Step 1. vlan database - Enter VLAN configuration mode.
Step 3. exit - Update the VLAN database, propagate it throughout the administrative domain, and return to privileged EXEC mode.
Step 4. show vtp status - Verify your entries in the VTP Operating Mode field of the display.
To return the switch to VTP server mode, use the no vtp transparent VLAN configuration command.

Enabling VTP Version 2

VTP version 2 is disabled by default on VTP version 2-capable switches.
Enabling VTP Pruning

Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You enable VTP pruning on a switch in VTP server mode. Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the management domain:
Step 1. vlan database - Enter VLAN configuration mode.
This is an example of output from the show vtp status privileged EXEC command:
Switch# show vtp status
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 69
VTP Operating Mode              : Server
VTP Domain Name                 : test
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x59 0xBA 0x92 0xA4 0x74 0xD5 0x42 0x29
Configuration last modified by 0.
VLANs in the VTP Database

You can set these parameters when you create a new VLAN or modify an existing VLAN in the VTP database:
• VLAN ID
• VLAN name
• VLAN type (Ethernet, Fiber Distributed Data Interface [FDDI], FDDI network entity title [NET], TrBRF, TrCRF, Token Ring, or Token Ring-Net)
• VLAN state (active or suspended)
• Maximum transmission unit (MTU) for the VLAN
• Security Association Identifier (SAID)
• Bridge iden
Table 9-5 Ethernet VLAN Defaults and Ranges
Parameter - Default - Range
VLAN ID - 1 - 1–1005
VLAN name - default - No range
802.
Configuring VLANs in the VTP Database

You can add, modify, or remove VLAN configurations in the VTP database by using the CLI VLAN configuration mode. VTP globally propagates these VLAN changes throughout the VTP domain. In VTP server or transparent mode, commands to add, change, and delete VLANs are written to the file vlan.dat, and you can display them by entering the show vlan privileged EXEC command. The vlan.
This example shows how to add Ethernet VLAN 20 to the VLAN database and name it test20:
Switch# vlan database
Switch(vlan)# vlan 20 name test20
Switch(vlan)# exit
APPLY completed.
Exiting....
Caution When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN.
Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch:
Step 1. vlan database - Enter VLAN configuration mode.
Step 2. no vlan vlan-id - Remove the VLAN by entering the VLAN ID.
Step 6. show running-config interface interface-id - Verify the VLAN membership mode of the interface.
Step 7. show interfaces interface-id switchport - Verify your entries in the Administrative Mode and the Access Mode VLAN fields of the display.
Step 8. copy running-config startup-config - (Optional) Save your entries in the configuration file.
Displaying VLANs in the VTP Database

Use the show vlan privileged EXEC command to display a list of VLANs in the database, including status, ports, and configuration:
Switch# show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/7, Gi0/8, Gi0/9, Gi0/11
                                                Gi0/12
20   VLAN0020                         active
21   VLAN0021                         active
22   VLAN0022                         active
27   VLAN0027                         active
31
Understanding VLAN Trunks

These sections describe how VLAN trunks function on the switch:
• Trunking Overview, page 9-22
• Encapsulation Types, page 9-23
• Default Layer 2 Ethernet Interface VLAN Configuration, page 9-24

Trunking Overview

A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch.
Note DTP is a point-to-point protocol. However, some internetworking devices might forward DTP frames improperly. To avoid this, ensure that interfaces connected to devices that do not support DTP are configured with the access keyword if you do not intend to trunk across those links.
Table 9-6
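The check a practitioner would run after reading the note above, as an added example that is not part of the Cisco guide: it parses show interfaces switchport output in the field layout shown earlier in this chapter and lists access ports whose administrative mode still negotiates trunking, so they can be set with the access keyword. The sample output is constructed for the example.

```python
"""Audit 'show interfaces switchport' output for access ports that still negotiate trunking.

Added example, not from the Cisco guide: it parses per-port blocks in the field
layout the guide shows (Name, Administrative Mode, Operational Mode,
Negotiation of Trunking, Access Mode VLAN) and reports access ports whose
administrative mode leaves DTP negotiation on. SAMPLE_OUTPUT is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout of 'show interfaces switchport' (three ports).
SAMPLE_OUTPUT = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Gi0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 20 (VLAN0020)
Trunking Native Mode VLAN: 1 (default)

Name: Gi0/4
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
"""


@dataclass
class SwitchPort:
    name: str
    admin_mode: str
    oper_mode: str
    negotiation: bool        # True when "Negotiation of Trunking: On"
    access_vlan: int


FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")


def parse_switchports(text: str) -> list:
    """Split the output into per-port blocks (blank-line separated) and parse each one."""
    ports = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Name" not in fields:
            continue
        ports.append(SwitchPort(
            name=fields["Name"],
            admin_mode=fields.get("Administrative Mode", "").lower(),
            oper_mode=fields.get("Operational Mode", "").lower(),
            negotiation=fields.get("Negotiation of Trunking", "").lower() == "on",
            # "1 (default)" -> 1
            access_vlan=int(fields.get("Access Mode VLAN", "0").split()[0]),
        ))
    return ports


def audit_trunk_negotiation(ports) -> list:
    """Return (port name, admin mode) for ports that are operationally access ports
    but still take part in DTP negotiation: candidates for 'switchport mode access'."""
    return [(p.name, p.admin_mode)
            for p in ports
            if p.oper_mode == "static access" and p.negotiation]


if __name__ == "__main__":
    for name, mode in audit_trunk_negotiation(parse_switchports(SAMPLE_OUTPUT)):
        print(f"{name}: administrative mode '{mode}' still negotiates trunking; "
              "set 'switchport mode access' if this link should never trunk")
```

Against the constructed sample only Gi0/1 is reported: it is operationally an access port but its dynamic desirable mode keeps negotiation on, while Gi0/4 is an intended trunk.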
802.1Q Configuration Considerations

802.1Q trunks impose these limitations on the trunking strategy for a network:
• In a network of Cisco switches connected through 802.1Q trunks, the switches maintain one instance of spanning tree for each VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an 802.
Configuring an Ethernet Interface as a Trunk Port

Because trunk ports send and receive VTP advertisements, you must ensure that at least one trunk port is configured on the switch and that this trunk port is connected to the trunk port of a second switch. Otherwise, the switch cannot receive any VTP advertisements.
Step 8. show interfaces interface-id switchport - Display the switchport configuration of the interface in the Administrative Mode and the Administrative Trunking Encapsulation fields of the display.
Step 9. show interfaces interface-id trunk - Display the trunk configuration of the interface.
Step 10. copy running-config startup-config - (Optional) Save your entries in the configuration file.
In this example, the encapsulation method is ISL:
Switch# show interfaces gigabitethernet0/4 trunk
Port      Mode         Encapsulation  Status        Native vlan
Gi0/4     desirable    n-isl          trunking      1

Port      Vlans allowed on trunk
Gi0/4     1-1005

Port      Vlans allowed and active in management domain
Gi0/4     1,10-1000

Port      Vlans in spanning tree forwarding state and not pruned
Gi0/4     1,10-1000

Defining the Allowed VLANs on a Trunk

By default, a trunk port sends traf
To return to the default allowed VLAN list of all VLANs, use the no switchport trunk allowed vlan interface configuration command. This example shows how to remove VLAN 2 from the allowed VLAN list and verify the configuration.
Step 5. show interfaces interface-id switchport - Verify your entries in the Pruning VLANs Enabled field of the display.
Step 6. copy running-config startup-config - (Optional) Save your entries in the configuration file.
To return to the default pruning-eligible list of all VLANs, use the no switchport trunk pruning vlan interface configuration command.
Load Sharing Using STP Port Priorities

When two ports on the same switch form a loop, the STP port priority setting determines which port is enabled and which port is in a blocking state. You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN. The trunk port with the higher priority (lower value) for a VLAN forwards the traffic for that VLAN.
Step 6. show vlan - Verify that the VLANs exist in the database on Switch 1.
Step 7. configure terminal - Enter global configuration mode.
Step 8. interface gigabitethernet 0/1 - Enter interface configuration mode, and define Gigabit Ethernet port 0/1 as the interface to be configured as a trunk.
Step 9. switchport trunk encapsulation {isl | dot1q | negotiate} - Configure the port to support ISL or 802.
Load Sharing Using STP Path Cost

You can configure parallel trunks to share VLAN traffic by setting different path costs on a trunk and associating the path costs with different sets of VLANs. The VLANs keep the traffic separate. Because no loops exist, STP does not disable the ports, and redundancy is maintained in the event of a lost link. In Figure 9-6, Trunk ports 1 and 2 are 100BASE-T ports.
Step 8. show running-config - Verify your entries. In the display, make sure that interfaces Fast Ethernet 0/1 and Fast Ethernet 0/2 are configured as trunk ports.
Step 9. show vlan - When the trunk links come up, Switch 1 receives the VTP information from the other switches. Verify that Switch 1 has learned the VLAN configuration.
Step 10. configure terminal - Enter global configuration mode.
Understanding VMPS

If the switch receives an access-denied response from the VMPS, it continues to block traffic from the MAC address to or from the port. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new address. If the switch receives a port-shutdown response from the VMPS, it disables the port. The port must be manually re-enabled by using the CLI, CMS, or SNMP.
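The dynamic-access port behaviour described above, together with the reconfirmation described later in this section, as an added example that is not part of the Cisco guide: a small model of how a port reacts to allow, access-denied, and port-shutdown responses. The VMPS is a constructed lookup table; the MAC addresses and VLAN name are constructed, and no VQP packets are exchanged.

```python
"""Dynamic-access port behaviour on VMPS (VQP) responses.

Added example, not from the Cisco guide. It models what the guide describes for
a dynamic-access port: an allow response assigns the VLAN, an access-denied
response keeps that MAC address blocked while new addresses still trigger a
query, a port-shutdown response disables the port until it is manually
re-enabled, and reconfirmation re-queries every known address. The VMPS is a
constructed lookup table; no VQP packets are sent.
"""
from enum import Enum


class Response(Enum):
    ALLOW = "allow"
    DENIED = "access-denied"
    SHUTDOWN = "port-shutdown"


# Constructed VMPS answer table: MAC address -> (response, VLAN name or None)
FAKE_VMPS = {
    "0012.3456.789a": (Response.ALLOW, "hardware"),
    "0012.3456.789b": (Response.DENIED, None),
    "0012.3456.789c": (Response.SHUTDOWN, None),
}


class DynamicAccessPort:
    def __init__(self, name, vmps):
        self.name = name
        self.vmps = vmps          # dict standing in for the VMPS (assumption)
        self.vlan = None          # VLAN assigned by the VMPS; None = no assignment yet
        self.enabled = True
        self.allowed = set()      # MAC addresses the VMPS approved
        self.blocked = set()      # MAC addresses the VMPS denied
        self.queries = 0          # VQP queries sent, for inspection

    def _query(self, mac):
        self.queries += 1
        # Assumption: an address the server does not know is treated as denied.
        return self.vmps.get(mac, (Response.DENIED, None))

    def _apply(self, mac, response, vlan):
        if response is Response.ALLOW:
            self.allowed.add(mac)
            self.blocked.discard(mac)
            self.vlan = vlan
        elif response is Response.DENIED:
            self.allowed.discard(mac)
            self.blocked.add(mac)
        else:  # Response.SHUTDOWN: the port is disabled until manually re-enabled
            self.enabled = False
            self.vlan = None
            self.allowed.clear()

    def frame_from(self, mac):
        """Handle a frame from `mac`; return True if the port forwards it."""
        if not self.enabled:
            return False
        if mac in self.blocked:
            return False              # denied address stays blocked, no new query
        if mac not in self.allowed:   # new address: ask the VMPS
            self._apply(mac, *self._query(mac))
        return self.enabled and mac in self.allowed

    def reconfirm(self):
        """What 'vmps reconfirm' or the reconfirm interval does: re-query every
        allowed address so that a changed server policy takes effect."""
        for mac in list(self.allowed):
            if not self.enabled:
                break
            self._apply(mac, *self._query(mac))

    def reenable(self):
        """Manual re-enable via the CLI, CMS, or SNMP, as the guide requires."""
        self.enabled = True
```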
This example shows a VMPS database configuration file as it appears on a Catalyst 6000 series switch. The file has these characteristics:
• The security mode is open.
• The default is used for the fallback VLAN.
• MAC address-to-VLAN name mappings—The MAC address of each host and the VLAN to which each host belongs is defined.
• Port groups are defined.
• VLAN groups are defined.
!
vmps-vlan-group Engineering
vlan-name hardware
vlan-name software
!
!
!VLAN port Policies
!
!vmps-port-policies {vlan-name | vlan-group }
! { port-group | device port }
!
vmps-port-policies vlan-group Engineering port-group WiringCloset1
vmps-port-policies vlan-name Green device 198.92.30.32 port 0/8
vmps-port-policies vlan-name Purple device 198.4.254.
Default VMPS Configuration

Table 9-9 shows the default VMPS and dynamic port configuration on client switches.
Table 9-9 Default VMPS Client and Dynamic Port Configuration
Feature - Default Setting
VMPS domain server - None
VMPS reconfirm interval - 60 minutes
VMPS server retry count - 3
Dynamic ports - None configured

Configuring an Interface as a Layer 2 Dynamic Access Port

You configure dynamic VLANs by using the VMPS (server).
This is an example of output for the show vmps privileged EXEC command, used to verify the VMPS server IP address.
Switch# show vmps
VQP Client Status:
--------------------
VMPS VQP Version:   1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 172.20.128.86 (primary, current)
                    172.20.128.
Reconfirming VLAN Memberships

Beginning in privileged EXEC mode, follow these steps to confirm the dynamic port VLAN membership assignments that the switch has received from the VMPS:
Step 1. vmps reconfirm - Reconfirm dynamic port VLAN membership.
Step 2. show vmps - Verify the dynamic VLAN reconfirmation status.
Administering and Monitoring the VMPS

You can display information about the VMPS by using the show vmps privileged EXEC command. The switch displays this information about the VMPS:
VMPS VQP Version - The version of VQP used to communicate with the VMPS. The switch queries the VMPS that is using VQP version 1.
Reconfirm Interval - The number of minutes the switch waits before reconfirming the VLAN-to-MAC-address assignments.
Figure 9-7 Dynamic Port VLAN Membership Configuration [figure: a TFTP server, a Catalyst 6000 series primary VMPS (Server 1) and secondary VMPS (Server 2), a router, Catalyst 3550 switch clients Switch 1, Switch 2, Switch 3, Switch 5, Switch 6, Switch 7, and Switch 8, End station 1 on a dynamic-access port, and trunk or static-access ports between switches]
Chapter 10 Configuring STP

This chapter describes how to configure the Spanning Tree Protocol (STP) on your switch.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.
Understanding Basic STP Features

For information about advanced STP features, see the “Understanding Advanced STP Features” section on page 10-10 and the “Configuring Advanced STP Features” section on page 10-32.

Supported STP Instances

This software release supports the per-VLAN spanning tree (PVST) and a maximum of 128 spanning-tree instances. If more VLANs are defined in the VLAN Trunking Protocol (VTP) than spanning-tree instances, you can enable STP on only 128 VLANs.
Multiple active paths among end stations cause loops in the network. If a loop exists in the network, end stations might receive duplicate messages. Switches might also learn end-station MAC addresses on multiple Layer 2 interfaces. These conditions result in an unstable network. STP defines a tree with a root switch and a loop-free path from the root to all switches in the Layer 2 network.
• The removal of loops in the switched network by blocking Layer 2 interfaces connected to redundant links

For each VLAN, the switch with the highest switch priority (the lowest numerical priority value) is elected as the root switch. If all switches are configured with the default priority (32768), the switch with the lowest MAC address in the VLAN becomes the root switch.
STP Timers

Table 10-2 describes the STP timers that affect the entire spanning-tree performance.
Table 10-2 Spanning Tree Protocol Timers
Variable - Description
Hello timer - Determines how often the switch broadcasts hello messages to other switches.
Forward-delay timer - Determines how long each of the listening and learning states last before the interface begins forwarding.
STP Interface States

Propagation delays can occur when protocol information passes through a switched LAN. As a result, topology changes can take place at different times and at different places in a switched network. When a Layer 2 interface transitions directly from nonparticipation in the spanning-tree topology to the forwarding state, it can create temporary data loops.
When the spanning-tree algorithm places a Layer 2 interface in the forwarding state, this process occurs:
1. The Layer 2 interface is in the listening state while spanning tree waits for protocol information to transition the interface to the blocking state.
2. While spanning tree waits for the forward-delay timer to expire, it moves the Layer 2 interface to the learning state and resets the forward-delay timer.
3.
• Learns addresses
• Receives BPDUs

Forwarding State

A Layer 2 interface in the forwarding state forwards frames. The Layer 2 interface enters the forwarding state from the learning state.
However, all PVST+ information is maintained by Cisco switches separated by a cloud of non-Cisco 802.1Q switches. The non-Cisco 802.1Q cloud separating the Cisco switches is treated as a single trunk link between the switches. PVST+ is automatically enabled on 802.1Q trunks, and no user configuration is required. The external spanning-tree behavior on access ports and Inter-Switch Link (ISL) trunks is not affected by PVST+.
Understanding Advanced STP Features

Accelerated Aging to Retain Connectivity

The default for aging dynamic addresses is 5 minutes, the default setting of the mac-address-table aging-time global configuration command. However, an STP reconfiguration can cause many station locations to change.
Figure 10-4 Port Fast-Enabled Ports [figure: a Catalyst 6000 series switch and Catalyst 3550 switches with Port Fast-enabled ports connected to workstations and a server]

Understanding BPDU Guard

When the BPDU guard feature is enabled on the switch, STP shuts down Port Fast-enabled interfaces that receive BPDUs rather than putting them into the blocking state.
Understanding UplinkFast

Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 10-5 shows a complex network where distribution switches and access switches each have at least one redundant link that STP blocks to prevent loops.
Figure 10-6 UplinkFast Example Before Direct Link Failure [figure: Switch A (Root), Switch B, and Switch C connected by links L1, L2, and L3, with the blocked port on Switch C]

If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked port on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure 10-7.
How CSUF Works

CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 10-8, Switches A, B, and C are cascaded through the GigaStack GBIC to form a multidrop backbone, which communicates control and data traffic across the switches at the access layer.
The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port that it has chosen as the root port, and it must obtain an acknowledgement from each stack switch before performing the fast transition. Each switch in the stack determines if the sending switch is a better choice than itself to be the stack root of this spanning-tree instance by comparing STP root, cost, and bridge ID.
Limitations

These limitations apply to CSUF:
• CSUF uses the GigaStack GBIC and runs on all Catalyst 3550 switches, all Catalyst 3500 XL switches, but only on modular Catalyst 2900 XL switches that have the 1000BASE-X module installed.
• Up to nine stack switches can be connected through their stack ports to the multidrop backbone. Only one stack port per switch is supported.
Figure 10-9 GigaStack GBIC Connections and STP Convergence [figure: GigaStack GBIC connection for fast convergence among Catalyst 3550-12T, Catalyst 3508G XL, Catalyst 3500 XL, Catalyst 2924M XL, and Catalyst 2900 XL switches]
Understanding BackboneFast

BackboneFast is started when a root port or blocked port on a switch receives inferior BPDUs from its designated bridge. An inferior BPDU identifies one switch as both the root bridge and the designated bridge.
switchover takes approximately 30 seconds, twice the Forward Delay time if the default Forward Delay time of 15 seconds is set. Figure 10-11 shows how BackboneFast reconfigures the topology to account for the failure of link L1.

Figure 10-11 BackboneFast Example After Indirect Link Failure [figure: Switch A (Root) and Switch B with link L1 failed and link L3 remaining; BackboneFast transitions the port through the listening and learning states to the forwarding state]
Understanding Root Guard

The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, STP can reconfigure itself and select a customer switch as the STP root switch, as shown in Figure 10-13. You can avoid this situation by configuring the root-guard feature on interfaces that connect to switches outside of your customer’s network.
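The root election rule from the basic STP section (lowest numerical priority wins, ties broken by lowest MAC address) and the root-guard behaviour described above, as one added example that is not part of the Cisco guide. Switch names, MAC addresses, and priorities are constructed; the root-inconsistent state that root guard places the port in, and its recovery once superior BPDUs stop, are modelled as noted in the comments.

```python
"""Per-VLAN STP root election with root guard.

Added example, not from the Cisco guide. It implements the election rule the
guide states (per VLAN, the lowest numerical switch priority wins; with equal
priorities the lowest MAC address wins) and models root guard on an interface
facing a switch outside your network: a superior BPDU on that interface is not
allowed to re-root the tree; the port is held in the root-inconsistent (blocking)
state instead. Switch names, MAC addresses, and priorities are constructed.
"""
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768  # default switch priority from the guide


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID as compared by STP: priority first, then MAC address. The MAC is
    stored in canonical 'xxxx.xxxx.xxxx' form so string order equals numeric order."""
    priority: int
    mac: str


def bridge_id(priority: int, mac: str) -> BridgeId:
    """Build a BridgeId, accepting 'xxxx.xxxx.xxxx', 'xx:xx:...' or 'xx-xx-...' MACs."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return BridgeId(priority, ".".join(digits[i:i + 4] for i in (0, 4, 8)))


def elect_root(bridges: dict) -> str:
    """bridges maps switch name -> BridgeId for one VLAN; returns the root switch's name."""
    return min(bridges, key=bridges.__getitem__)


@dataclass
class Port:
    name: str
    root_guard: bool = False
    root_inconsistent: bool = False   # set while root guard is blocking the port


def receive_bpdu(current_root: BridgeId, port: Port, advertised_root: BridgeId) -> BridgeId:
    """Process the root ID carried in a BPDU received on `port` and return the root
    the switch accepts afterwards."""
    if advertised_root < current_root:          # superior BPDU: would re-root the tree
        if port.root_guard:
            port.root_inconsistent = True       # block the port, keep the current root
            return current_root
        return advertised_root
    if port.root_inconsistent:
        # Assumption for this model: the port recovers as soon as it receives a BPDU
        # that is not superior; a real switch waits out its timers first.
        port.root_inconsistent = False
    return current_root


if __name__ == "__main__":
    vlan10 = {"SP-A": bridge_id(DEFAULT_PRIORITY, "0000.0c00.0001"),
              "SP-B": bridge_id(DEFAULT_PRIORITY, "0000.0c00.0002"),
              "CUST": bridge_id(DEFAULT_PRIORITY, "0000.0c00.0003")}
    print("root with default priorities:", elect_root(vlan10))        # SP-A (lowest MAC)
    guarded = Port("Gi0/1", root_guard=True)
    claim = bridge_id(0, "0000.0c00.0003")                             # customer claims root
    print(receive_bpdu(vlan10["SP-A"], guarded, claim) == vlan10["SP-A"], guarded.root_inconsistent)
```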
Configuring Basic STP Features

These sections include basic STP configuration information:
• Default STP Configuration, page 10-21
• Disabling STP, page 10-22
• Configuring the Root Switch, page 10-22
• Configuring a Secondary Root Switch, page 10-24
• Configuring STP Port Priority, page 10-26
• Configuring STP Path Cost, page 10-27
• Configuring the Switch Priority of a VLAN, page 10-28
• Configuring the Hello Time, page 10-29
• C
Table 10-3 Default STP Configuration (continued)
Feature - Default Setting
Forward-delay time - 15 seconds.
Maximum-aging time - 20 seconds.
Port Fast - Disabled on all interfaces.
BPDU guard - Disabled on the switch.
UplinkFast - Disabled on the switch.
BackboneFast - Disabled on the switch.
Root guard - Disabled on all interfaces.
EtherChannel guard - Enabled on the switch.
To configure a switch to become the root, use the spanning-tree vlan vlan-id root global configuration command to modify the switch priority from the default value (32768) to a significantly lower value so that the switch becomes the root switch for the specified VLAN. When you enter this command, the switch checks the switch priority of the current root switches for each VLAN.
Beginning in privileged EXEC mode, follow these steps to configure a switch as the root switch:
Step 1. configure terminal - Enter global configuration mode.
Step 2. spanning-tree vlan vlan-id root primary [diameter net-diameter [hello-time seconds]] - Configure a switch as the root switch.
  • For vlan-id, the range is 1 to 1005. Do not enter leading zeros.
Beginning in privileged EXEC mode, follow these steps to configure a switch as the secondary root switch:
Step 1. configure terminal - Enter global configuration mode.
Step 2. spanning-tree vlan vlan-id root secondary [diameter net-diameter [hello-time seconds]] - Configure a switch as the secondary root switch.
  • For vlan-id, the range is 1 to 1005. Do not enter leading zeros.
Configuring STP Port Priority

If a loop occurs, STP uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) to interfaces that you want selected last.
Configuring STP Path Cost

The STP path cost default value is derived from the media speed of an interface. If a loop occurs, STP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
Chapter 10 Configuring STP Configuring Basic STP Features Configuring the Switch Priority of a VLAN You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the switch priority.
Chapter 10 Configuring STP Configuring Basic STP Features Configuring the Hello Time You can configure the interval between the generation of configuration messages by the root switch by changing the STP hello time. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the hello time.
Chapter 10 Configuring STP Configuring Basic STP Features To return the switch to its default setting, use the no spanning-tree vlan vlan-id forward-time global configuration command. Configuring the Maximum-Aging Time for a VLAN Beginning in privileged EXEC mode, follow these steps to configure the STP maximum-aging time for a VLAN: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 10 Configuring STP Configuring Basic STP Features Figure 10-14 Gigabit Ethernet Stack Catalyst 5000 series switch Catalyst 3550 switches Cisco 7000 router Catalyst 5000 series or 6000 series backbone Layer 3 backbone Catalyst 6000 switch Cisco 7000 router 43579 Catalyst 3550 switches Catalyst 3550 switches Option 1: standalone cascaded stack Option 2: cascaded stack connected to a Layer 2 backbone Option 3: cascaded stack connected to a Layer 3 backbone Displaying STP Status To displa
Configuring Advanced STP Features

These sections include advanced STP configuration information:
• Configuring Port Fast, page 10-32
• Configuring BPDU Guard, page 10-33
• Configuring UplinkFast for Use with Redundant Links, page 10-34
• Configuring Cross-Stack UplinkFast, page 10-35
• Configuring BackboneFast, page 10-36
• Configuring Root Guard, page 10-36
• Enabling EtherChannel Guard, page 10-37

Configuring Port Fast

A port wi

Configuring BPDU Guard

When the BPDU guard feature is enabled on the switch, STP shuts down Port Fast-enabled interfaces that receive BPDUs rather than putting them into the blocking state.

Caution  The BPDU guard feature works on Port Fast-enabled interfaces. Configure Port Fast only on interfaces that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation.

Configuring UplinkFast for Use with Redundant Links

UplinkFast increases the switch priority to 49152 and adds 3000 to the STP path cost only if the port used the default path cost before you enabled UplinkFast, making it unlikely that the switch will become the root switch. The max-update-rate represents the number of multicast packets sent per second (the default is 150 packets per second).

Configuring Cross-Stack UplinkFast

Before enabling CSUF, make sure your stack switches are properly connected. For more information, see the “Connecting the Stack Ports” section on page 10-16.

Beginning in privileged EXEC mode, follow these steps to enable CSUF:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  spanning-tree uplinkfast [max-update-rate
        Enable UplinkFast on the switch.

Configuring BackboneFast

You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration sooner.

Note  If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs. This feature is supported for use with third-party switches.

Enabling EtherChannel Guard

Use the EtherChannel guard feature to detect a misconfigured EtherChannel when Catalyst 3550 switch interfaces are configured as an EtherChannel while interfaces on the remote device are not, or not all the interfaces on the remote device are in the same EtherChannel.
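The root election and port selection rules this chapter configures (switch priority, port priority, path cost) and the root guard feature it lists can be followed more easily in a small model. The block below is an added example written for this edition; it is not code from the Catalyst 3550 guide or from Cisco IOS. It encodes the 802.1D comparison order (lowest bridge ID wins the root election; root port chosen by lowest path cost, then sender bridge ID, then sender port priority and number) and the root guard behaviour of holding a designated port in the root-inconsistent state when a superior BPDU arrives. The switch names, MAC addresses and costs are constructed sample values.

```python
"""STP election rules from Chapter 10, modelled in Python.

Added example, not code from the Catalyst 3550 guide. It encodes the
802.1D comparison order the chapter relies on: the switch with the
numerically lowest bridge ID (priority, then MAC address) becomes root;
a switch chooses its root port by lowest path cost, then lowest sender
bridge ID, then lowest sender port priority and number; and root guard
(listed in the chapter) keeps a designated port from accepting a
superior BPDU. Switch names, MACs and costs are constructed.
"""
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768        # default switch priority named in the chapter
DEFAULT_PORT_PRIORITY = 128


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int               # lower numerical value wins
    mac: str                    # tie-breaker, "aaaa.bbbb.cccc" form


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId           # root the sender believes in
    root_path_cost: int         # sender's cost to that root
    sender_id: BridgeId
    port_priority: int = DEFAULT_PORT_PRIORITY
    port_number: int = 1


def elect_root(bridge_ids):
    """Root election: the lowest (priority, MAC) bridge ID wins. A switch
    whose priority was lowered from 32768 with root primary therefore
    beats every switch still at the default, whatever their MACs."""
    return min(bridge_ids)


def choose_root_port(received):
    """received: list of (port_name, bpdu, local_port_cost) for BPDUs that
    all advertise the same root. Returns the root port name using the
    tie-break order: total cost, sender bridge ID, sender port priority,
    sender port number (lowest wins at every step)."""
    def rank(item):
        name, bpdu, cost = item
        return (bpdu.root_path_cost + cost, bpdu.sender_id,
                bpdu.port_priority, bpdu.port_number, name)
    return min(received, key=rank)[0]


def root_guard_decision(current_root, bpdu, root_guard):
    """What a designated port does with a received BPDU. Without root
    guard a superior BPDU (lower root ID) makes its sender the new root.
    With root guard the port goes root-inconsistent (blocked) until the
    superior BPDUs stop, so the root stays where it was configured."""
    if bpdu.root_id < current_root:
        return "root-inconsistent" if root_guard else "new-root"
    return "forwarding"


if __name__ == "__main__":
    core = BridgeId(8192, "0001.0000.0001")          # priority lowered on purpose
    access = BridgeId(DEFAULT_PRIORITY, "0000.0000.0001")
    print("root:", elect_root([access, core]))
    unexpected = Bpdu(BridgeId(0, "0009.0000.0001"), 0, BridgeId(0, "0009.0000.0001"))
    print("without root guard:", root_guard_decision(core, unexpected, False))
    print("with root guard:   ", root_guard_decision(core, unexpected, True))
```

The last two lines of the stand-alone run show why the chapter pairs a deliberately low root priority with root guard on ports that should never face a root candidate: the priority alone only wins the election against switches that keep the default.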
Catalyst 3550 Multilayer Switch Software Configuration Guide 10-38 78-11194-03
Chapter 11 Configuring IGMP Snooping and MVR

This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on your switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering.

Understanding IGMP Snooping

the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.

Note  For more information on IP multicast and IGMP, refer to RFC 1112 and RFC 2236.

Figure 11-1 Initial IGMP Join Message (figure not reproduced; labels: Router A, IGMP report for 224.1.2.3, VLAN, switching engine, CPU port 0, forwarding table, ports 2 through 5, Host 1 through Host 4)

Router A sends a general query to the switch, which forwards the query to ports 2 through 5, all members of the same VLAN. Host 1 wants to join multicast group 224.1.2.

Figure 11-2 Second Host Joining a Multicast Group (figure not reproduced; labels: Router A, VLAN, switching engine, CPU port 0, forwarding table, ports 2 through 5, Host 1 through Host 4)

Table 11-2 Updated IGMP Snooping Forwarding Table
Destination Address   Type of Packet   Ports
0100.5exx.xxxx        IGMP             0
0100.5e01.

Configuring IGMP Snooping

Note  You should only use the Immediate-Leave processing feature on VLANs where a single host is connected to each port. If Immediate Leave is enabled in VLANs where more than one host is connected to a port, some hosts might be inadvertently dropped. Immediate Leave is supported with only IGMP version 2 hosts.

Beginning in privileged EXEC mode, follow these steps to globally enable IGMP snooping on the switch:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip igmp snooping
        Globally enable IGMP snooping in all existing VLAN interfaces.
Step 3  end
        Return to privileged EXEC mode.
Step 4  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Beginning in privileged EXEC mode, follow these steps to alter the method in which a VLAN interface dynamically accesses a multicast router:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip igmp snooping vlan vlan-id mrouter learn {cgmp | pim-dvmrp}
        Enable IGMP snooping on a VLAN. The VLAN ID range is 1 to 1001. Specify the multicast router learning method:
        • cgmp—Listen for CGMP packets.

Step 4  show ip igmp snooping mrouter [vlan vlan-id]
        Verify that IGMP snooping is enabled on the VLAN interface.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove a multicast router port from the VLAN, use the no ip igmp snooping vlan vlan-id mrouter interface interface-id global configuration command.

Enabling IGMP Immediate-Leave Processing

When you enable IGMP Immediate-Leave processing, the switch immediately removes a port when it detects an IGMP version 2 leave message on that port. You should use the Immediate-Leave feature only when there is a single receiver present on every port in the VLAN. Immediate Leave is supported with only IGMP version 2 hosts.

Displaying IGMP Snooping Information

Table 11-4 Commands for Displaying IGMP Snooping Information
show ip igmp snooping [vlan vlan-id]
        Display the snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.

This is an example of output from the show ip igmp snooping privileged EXEC command for a specific VLAN interface:

Switch# show ip igmp snooping vlan 1
vlan 1
----------
IGMP snooping is globally enabled
IGMP snooping is disabled on this Vlan
IGMP snooping immediate-leave is disabled on this Vlan
IGMP snooping mrouter learn mode is pim-dvmrp on this Vlan

This is an example of output from the show ip igmp snooping mrouter pr
Understanding Multicast VLAN Registration

Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service provider network (for example, the broadcast of multiple television channels over a service-provider network).

When a subscriber changes channels or turns off the television, the set-top box sends an IGMP leave message for the multicast stream. The switch CPU sends an IGMP group-specific query through the receiver port VLAN. If there is another set-top box in the VLAN still subscribing to this group, that set-top box must respond within the maximum response time.

MVR eliminates the need to duplicate television-channel multicast traffic for subscribers in each VLAN. Multicast traffic for all channels is only sent around the VLAN trunk once—only on the multicast VLAN. The IGMP leave and join messages are in the VLAN to which the subscriber port is assigned. These messages dynamically register for streams of multicast traffic in the multicast VLAN on the Layer 3 device.

Configuring MVR

Default MVR Configuration

Table 11-5 shows the default MVR configuration.

Table 11-5 Default MVR Configuration
Feature               Default Setting
MVR                   Disabled globally and per interface
Multicast addresses   None configured
Query response time   0.

Step 6  mvr mode {dynamic | compatible}
        (Optional) Specify the MVR mode of operation:
        • dynamic—Allows dynamic MVR membership on source ports.
        • compatible—Is compatible with Catalyst 3500 XL and Catalyst 2900 XL switches and does not support IGMP dynamic joins on source ports.
        The default is compatible mode.
Step 7  end
        Return to privileged EXEC mode.
Step 8  show mvr
        Verify the configuration.

Step 4  mvr type {source | receiver}
        Configure an MVR port as one of these:
        • source—Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN.
        • receiver—Configure a port as a receiver port if it is a subscriber port and should only receive multicast data.

Displaying MVR Information

This is an example of output from the show mvr interface privileged EXEC command when the member keyword is included:

Switch# show mvr interface gigabitethernet0/6 member
239.255.0.0    DYNAMIC ACTIVE
239.255.0.1    DYNAMIC ACTIVE
239.255.0.2    DYNAMIC ACTIVE
239.255.0.3    DYNAMIC ACTIVE
239.255.0.4    DYNAMIC ACTIVE
239.255.0.5    DYNAMIC ACTIVE
239.255.0.6    DYNAMIC ACTIVE
239.255.0.7    DYNAMIC ACTIVE
239.255.0.8    DYNAMIC ACTIVE
239.255.0.

This is an example of output from the show mvr interface privileged EXEC command:

Switch# show mvr interface
Port    Type      Status       Immediate Leave
----    ----      ------       ---------------
Gi0/1   SOURCE    ACTIVE/UP    DISABLED
Gi0/2   SOURCE    ACTIVE/UP    DISABLED
Gi0/3   RECEIVER  ACTIVE/UP    DISABLED
Gi0/4   RECEIVER  ACTIVE/UP    DISABLED
Gi0/5   RECEIVER  ACTIVE/UP    ENABLED
Gi0/6   RECEIVER  ACTIVE/UP    DISABLED
Gi0/7   RECEIVER  ACTIVE/UP    ENABLED
Gi0/8   RECEIVER  ACTIVE/UP    DISABLED
Configuring IGMP Filtering

In some environments, for example metropolitan or multiple-dwelling unit (MDU) installations, an administrator might want to control the set of multicast groups to which a user on a switch port can belong. This allows the administrator to control the distribution of multicast services, such as IP/TV, based on some type of subscription or service plan.

Beginning in privileged EXEC mode, follow these steps to create an IGMP profile:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip igmp profile profile number
        Enter IGMP profile configuration mode, and assign a number to the profile you are configuring. The range is from 1 to 4294967295.
Step 3  permit | deny
        (Optional) Set the action to permit or deny access to the IP multicast address.

Applying IGMP Profiles

To control access as defined in an IGMP profile, use the ip igmp filter interface configuration command to apply the profile to the appropriate interfaces. You can apply IGMP profiles to Layer 2 ports only; you cannot apply IGMP profiles to routed ports or SVIs. You can apply a profile to multiple interfaces, but each interface can only have one profile applied to it.

Setting the Maximum Number of IGMP Groups

You can set the maximum number of IGMP groups that a Layer 2 interface can join. Use the no form of this command to set the maximum back to the default, which is no limit. This restriction can be applied to Layer 2 ports only; you cannot set a maximum number of IGMP groups on routed ports or SVIs.
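The snooping forwarding table described under "Understanding IGMP Snooping" and the per-port controls described here (an IGMP profile applied with ip igmp filter, and a group limit) interact on every membership report. The block below is an added example written for this edition, not code from the guide or from Cisco IOS. It models a snooping switch that adds the host port on a report, removes it on a Leave Group message, and consults the port's profile and maximum before honouring a join. The permit/deny and address-range semantics of a profile are assumed from the standard IOS IGMP profile; the port names, groups and multicast router port are constructed sample data.

```python
"""IGMP snooping forwarding table with IGMP filtering, modelled in Python.

Added example, not switch code. It follows the behaviour Chapter 11
describes: a membership report adds the host port to the group's
forwarding entry, a Leave Group message removes it, and an IGMP profile
(permit or deny, with address ranges) plus a max-groups limit applied to
a Layer 2 port decide whether a report is honoured at all. The range
subcommand and the permit/deny semantics are assumed from the standard
IOS IGMP profile; ports, groups and the mrouter port are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IgmpProfile:
    number: int
    action: str                 # "permit" or "deny"
    ranges: list                # [(low, high)] IPv4 multicast addresses

    def allows(self, group):
        g = ipaddress.IPv4Address(group)
        if not g.is_multicast:
            return False
        listed = any(ipaddress.IPv4Address(lo) <= g <= ipaddress.IPv4Address(hi)
                     for lo, hi in self.ranges)
        # permit: only listed groups may be joined; deny: listed groups are blocked
        return listed if self.action == "permit" else not listed


@dataclass
class L2Port:
    name: str
    profile: IgmpProfile = None   # ip igmp filter: at most one profile per port
    max_groups: int = None        # ip igmp max-groups: None = no limit (default)
    groups: set = field(default_factory=set)


class SnoopingSwitch:
    def __init__(self, ports, mrouter_ports=()):
        self.ports = {p.name: p for p in ports}
        self.mrouter_ports = set(mrouter_ports)   # ports toward the querier
        self.table = {}                           # group -> {port names}

    def report(self, port_name, group):
        """IGMP membership report (join) received on port_name."""
        port = self.ports[port_name]
        if port.profile is not None and not port.profile.allows(group):
            return "denied by profile %d" % port.profile.number
        if (port.max_groups is not None and group not in port.groups
                and len(port.groups) >= port.max_groups):
            return "denied: max-groups %d reached" % port.max_groups
        port.groups.add(group)
        self.table.setdefault(group, set()).add(port_name)
        return "joined"

    def leave(self, port_name, group):
        """IGMP Leave Group: remove the host port from the table entry."""
        self.ports[port_name].groups.discard(group)
        members = self.table.get(group, set())
        members.discard(port_name)
        if not members:
            self.table.pop(group, None)

    def egress_ports(self, group):
        """Ports that receive data for group: current members plus the
        multicast router ports, never every port in the VLAN."""
        return sorted(self.table.get(group, set()) | self.mrouter_ports)
```

A permit profile is the restrictive shape: a subscriber port with one may join only the listed ranges, and a deny profile blocks only what it lists. The max-groups check applies only to new groups, so a host re-reporting an existing membership is never counted twice.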
Displaying IGMP Filtering Configuration

You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface.
Chapter 12 Configuring Port-Based Traffic Control

This chapter describes how to configure the port-based traffic control features on your switch.

Note  For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.

Configuring Storm Control

Note  When the rate of multicast traffic exceeds a set threshold, all incoming traffic (broadcast, multicast, and unicast) is dropped until the level drops below the threshold level. Only spanning-tree packets are forwarded. When broadcast and unicast thresholds are exceeded, traffic is blocked for only the type of traffic that exceeded the threshold.

Note  Before IOS Release 12.1(8)EA1, you set up storm control threshold values by using the switchport broadcast, switchport multicast, and switchport unicast interface configuration commands. These commands are now obsolete, replaced by the storm-control interface configuration commands.

Step 7  show storm-control [interface-id] [broadcast | multicast | unicast]
        Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
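The two notes above state the whole decision rule, and the consequence that an active multicast filter silences the port for everything but spanning tree is easy to miss. The block below is an added example written for this edition, not the switch's implementation. It applies the rule to per-interval rate samples: each traffic type has a rising level in percent of bandwidth, an optional falling level (assumed here to default to the rising level, matching "until the level drops below the threshold"), and a filter state that mirrors the Filter State column of show storm-control. Interface names, levels and rate samples are constructed.

```python
"""Storm-control threshold logic from Chapter 12, modelled in Python.

Added example, not the switch's implementation. It encodes the rule in
the chapter's notes: each traffic type (broadcast, multicast, unicast)
has a rising threshold in percent of interface bandwidth and an optional
falling threshold (assumed to default to the rising level). Once a type
exceeds its rising level its filter is active until the rate drops below
the falling level. An active multicast filter drops all three types
(only spanning-tree packets are still forwarded); active broadcast or
unicast filters drop only their own type. Names and rates are constructed.
"""
TRAFFIC_TYPES = ("broadcast", "multicast", "unicast")
NO_SUPPRESSION = 100.0           # level 100.00% = no traffic is ever suppressed


class StormControl:
    def __init__(self, interface, levels=None):
        """levels: {type: rising} or {type: (rising, falling)} in percent."""
        self.interface = interface
        self.rising = {t: NO_SUPPRESSION for t in TRAFFIC_TYPES}
        self.falling = {t: NO_SUPPRESSION for t in TRAFFIC_TYPES}
        for t, level in (levels or {}).items():
            rising, falling = level if isinstance(level, tuple) else (level, level)
            if not 0.0 <= falling <= rising <= 100.0:
                raise ValueError("levels must satisfy 0 <= falling <= rising <= 100")
            self.rising[t], self.falling[t] = rising, falling
        self.filter_state = {t: "inactive" for t in TRAFFIC_TYPES}

    def evaluate(self, rates):
        """rates: {type: percent of bandwidth seen in this interval}.
        Updates the per-type filter state and returns the set of traffic
        types that will be dropped until the next evaluation."""
        for t in TRAFFIC_TYPES:
            rate = rates.get(t, 0.0)
            if self.filter_state[t] == "inactive" and rate > self.rising[t]:
                self.filter_state[t] = "active"
            elif self.filter_state[t] == "active" and rate < self.falling[t]:
                self.filter_state[t] = "inactive"
        active = {t for t in TRAFFIC_TYPES if self.filter_state[t] == "active"}
        if "multicast" in active:
            return set(TRAFFIC_TYPES)     # everything except spanning tree is dropped
        return active

    def show_row(self, traffic="broadcast"):
        """One row in the layout of the show storm-control output."""
        return "%-9s %-13s %6.2f%%" % (self.interface, self.filter_state[traffic],
                                       self.rising[traffic])
```

Setting a falling level well below the rising one stops the filter from flapping on a port whose traffic hovers around the threshold; with the defaults the filter toggles on every interval the rate crosses the single level.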
Configuring Protected Ports

Some applications require that no traffic be forwarded between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.

This example shows how to configure Gigabit Ethernet interface 0/3 as a protected port and verify the configuration:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# switchport protected
Switch(config-if)# end
Switch# show interfaces gigabitethernet0/3 switchport
Name: Gi0/3
Switchport: Enabled

Configuring Port Blocking

To return the interface to the default condition where no traffic is blocked, use the no switchport block {multicast | unicast} interface configuration commands.

Configuring Port Security

You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.

Default Port Security Configuration

Table 12-1 shows the default port security configuration for an interface.

Table 12-1 Default IGMP Snooping Configuration
Feature                                  Default Setting
Port security                            Disabled on a port
Maximum number of secure MAC addresses   128
Violation mode                           Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent.

Step 6  switchport port-security violation {protect | restrict | shutdown}
        (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:
        • shutdown—The interface shuts down immediately, and an SNMP trap notification is sent. When shut down, the interface must be manually re-enabled by using the no shutdown interface configuration command.

This example shows how to configure a secure MAC address on Fast Ethernet port 12 and verify the configuration.

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface fastethernet0/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 1000.2000.
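What the port does once the secure address limit is reached depends entirely on the violation mode chosen in Step 6, and the difference matters operationally: shutdown takes the port out of service until someone enters no shutdown, while the other two modes keep legitimate stations working. The block below is an added example written for this edition, not switch code. It models a secure port with statically assigned and dynamically learned secure addresses up to the maximum (128 by default, from Table 12-1) and the three violation modes. The protect and restrict details are assumed from the standard IOS behaviour, which this chapter lists but does not expand on; MAC addresses and port names are constructed.

```python
"""Port-security enforcement from Chapter 12, modelled in Python.

Added example, not switch code. A secure port keeps a bounded set of
secure source MAC addresses (statically configured or learned, up to the
maximum; the default of 128 is from Table 12-1). A frame from any other
address once the maximum is reached is a violation, handled per mode:
shutdown (the default) error-disables the port and sends an SNMP trap,
and only no shutdown re-enables it; restrict drops the frame and sends a
trap; protect drops it silently. The protect and restrict details are
assumed from standard IOS behaviour. MACs and port names are constructed.
"""
DEFAULT_MAX_SECURE = 128
VIOLATION_MODES = ("protect", "restrict", "shutdown")


class SecurePort:
    def __init__(self, name, maximum=DEFAULT_MAX_SECURE, violation="shutdown",
                 static_macs=()):
        if violation not in VIOLATION_MODES:
            raise ValueError("unknown violation mode %r" % violation)
        if len(static_macs) > maximum:
            raise ValueError("more static secure MACs than the configured maximum")
        self.name = name
        self.maximum = maximum
        self.violation = violation
        self.secure = {m.lower() for m in static_macs}
        self.err_disabled = False
        self.violation_count = 0
        self.traps = []          # SNMP trap notifications the port would send

    def ingress(self, src_mac):
        """Return what happens to a frame with this source address."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.secure:
            return "forwarded"
        if len(self.secure) < self.maximum:
            self.secure.add(src_mac)          # dynamically learned secure address
            return "forwarded (learned)"
        return self._violation(src_mac)

    def _violation(self, src_mac):
        self.violation_count += 1
        if self.violation == "shutdown":
            self.err_disabled = True
            self.traps.append(("port-security violation", self.name, src_mac))
            return "dropped: port shut down"
        if self.violation == "restrict":
            self.traps.append(("port-security violation", self.name, src_mac))
            return "dropped: restricted"
        return "dropped: protected"

    def no_shutdown(self):
        """Manual re-enable, the only way back after a shutdown-mode violation."""
        self.err_disabled = False
```

With maximum left at 128, dynamic learning admits the first 128 addresses seen on the port, so a limit sized to the expected number of stations (1 for a single end station) is what makes the violation action meaningful.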
Displaying Port-Based Traffic Control Settings

This is an example of output from the show interfaces switchport privileged EXEC command:

Switch# show interfaces gigabitethernet0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Nati

This is an example of output from the show storm-control command when no keywords are entered. Because no traffic type keyword was entered, the broadcast storm control settings are displayed.

Switch# show storm-control
Interface  Filter State   Level
---------  -------------  -------
Fa0/1      inactive       100.00%
Fa0/2      inactive       100.00%
Fa0/3      inactive       100.00%
Fa0/4      inactive       100.00%
Fa0/5      inactive       100.00%
Fa0/6      inactive       100.
Chapter 13 Configuring CDP

This chapter describes how to configure Cisco Discovery Protocol (CDP) on your switch.

Note  For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.

Configuring CDP

These sections include CDP configuration information and procedures:
• Default CDP Configuration, page 13-2
• Configuring the CDP Characteristics, page 13-2
• Disabling and Enabling CDP, page 13-3
• Disabling and Enabling CDP on an Interface, page 13-4

Default CDP Configuration

Table 13-1 shows the default CDP configuration.

Step 6  show cdp
        Verify configuration by displaying global information about CDP on the device.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use the no form of the CDP commands to return to the default settings.

This example shows how to configure and verify CDP characteristics.

This example shows how to enable CDP if it has been disabled.

Switch# configure terminal
Switch(config)# cdp run
Switch(config)# end

Disabling and Enabling CDP on an Interface

CDP is enabled by default on all supported interfaces to send and receive CDP information.

Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface:

Step 1  configure terminal
        Enter global configuration mode.

Monitoring and Maintaining CDP

To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.

clear cdp counters   Reset the traffic counters to zero.
clear cdp table      Delete the CDP table of information about neighbors.
show cdp             Display global information, such as frequency of transmissions and the holdtime for packets being sent.

Switch# show cdp entry *
-------------------------
Device ID: Switch
Entry address(es):
  IP address: 10.1.1.66
Platform: cisco WS-C3550-12T,  Capabilities: Switch IGMP
Interface: GigabitEthernet0/2,  Port ID (outgoing port): GigabitEthernet0/2
Holdtime : 129 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Experimental Version 12.

Switch# show cdp interface
GigabitEthernet0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/2 is up, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/3 is administratively down, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/4 is up
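The show cdp entry * output above shows what a CDP advertisement hands to whoever is listening on a link: device name, management IP address, platform and IOS version. Since CDP is on by default on every supported interface, a defender usually wants it sending only toward other managed devices, and show cdp interface is the place to check. The block below is an added example written for this edition, not part of the guide. It parses output in the show cdp interface layout printed above and reports which of a given set of user-facing interfaces are still sending CDP. The output sample is constructed after the page's example, and the user-facing interface list is an assumption made for the demonstration.

```python
"""Audit of CDP exposure from show cdp interface output (Chapter 13).

Added example, not part of the guide. The parser reads the show cdp
interface layout shown on the page and reports interfaces that are
listed as sending CDP packets but belong to an operator-supplied set of
user-facing interfaces. The sample output is constructed after the
page's example; the user-facing set is an assumption for this demo.
"""
import re

# Constructed in the layout of the show cdp interface output on the page.
SAMPLE_SHOW_CDP_INTERFACE = """\
GigabitEthernet0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/2 is up, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/3 is administratively down, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/4 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
"""

HEADER = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)$")
TIMER = re.compile(r"^\s+Sending CDP packets every (\d+) seconds$")
HOLD = re.compile(r"^\s+Holdtime is (\d+) seconds$")


def parse_cdp_interfaces(text):
    """Return {interface: {"status", "protocol", "timer", "holdtime"}} for
    every interface block in show cdp interface output."""
    result, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            result[current] = {"status": m.group(2), "protocol": m.group(3),
                               "timer": None, "holdtime": None}
            continue
        if current is None:
            continue                      # ignore anything before the first block
        m = TIMER.match(line)
        if m:
            result[current]["timer"] = int(m.group(1))
            continue
        m = HOLD.match(line)
        if m:
            result[current]["holdtime"] = int(m.group(1))
    return result


def cdp_on_user_facing(text, user_facing):
    """Split the user-facing interfaces that CDP is enabled on into those
    sending now and those administratively down (they send nothing until
    brought up, but the configuration still needs fixing first)."""
    parsed = parse_cdp_interfaces(text)
    down = "administratively down"
    live = sorted(i for i in parsed if i in user_facing and parsed[i]["status"] != down)
    dormant = sorted(i for i in parsed if i in user_facing and parsed[i]["status"] == down)
    return {"sending_now": live, "will_send_when_up": dormant}
```

Run against the sample with GigabitEthernet0/3 and 0/4 declared user-facing, the audit flags 0/4 as sending CDP now and 0/3 as sending it as soon as the port is brought up, which is where the per-interface disable procedure in this chapter applies.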
Chapter 14 Configuring UDLD

This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on your switch.

Note  For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.

Understanding UDLD

UDLD operates by using two mechanisms:
• Neighbor database maintenance
  UDLD learns about other UDLD-capable neighbors by periodically sending a hello packet (also called an advertisement or probe) on every active interface to keep each device informed about its neighbors. When the switch receives a hello message, it caches the information until the age time (hold time or time-to-live) expires.

Configuring UDLD

This section describes how to configure UDLD on your switch. It contains this configuration information:
• Default UDLD Configuration, page 14-3
• Enabling UDLD Globally, page 14-3
• Enabling UDLD on an Interface, page 14-4
• Resetting an Interface Shut Down by UDLD, page 14-4

Default UDLD Configuration

Table 14-1 shows the default UDLD configuration.

To disable UDLD globally on fiber-optic interfaces, use the no udld enable global configuration command.

Enabling UDLD on an Interface

Beginning in privileged EXEC mode, follow these steps to enable UDLD on an interface:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode, and specify the interface to be enabled for UDLD.

Displaying UDLD Status

To display the UDLD status for the specified interface or for all interfaces, use the show udld [interface-id] privileged EXEC command.
Chapter 15 Configuring SPAN

This chapter describes how to configure Switch Port Analyzer (SPAN) on your switch.

Note  For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.

Understanding SPAN

Figure 15-1 Example SPAN Configuration (figure not reproduced; it shows a 12-port switch with port 5 traffic mirrored on port 10, which connects to a network analyzer)

Only traffic that enters or leaves source ports or traffic that enters source VLANs can be monitored by using SPAN; traffic that gets routed to ingress source ports or source VLANs cannot be monitored.

You can configure SPAN sessions on disabled ports; however, a SPAN session does not become active unless you enable the destination port and at least one source port or VLAN for that session. The show monitor session session_number privileged EXEC command displays the operational status of a SPAN session. A SPAN session remains inactive after system power-on until the destination port is operational.

Source Port

A source port (also called a monitored port) is a switched or routed port that you monitor for network traffic analysis. In a single SPAN session, you can monitor source port traffic such as received (Rx), transmitted (Tx), or bidirectional (both); however, on a VLAN, you can monitor only received traffic.

VLAN-Based SPAN

VLAN-based SPAN (VSPAN) is the analysis of the network traffic in one or more VLANs. You can configure VSPAN to monitor only received (Rx) traffic, which applies to all the ports for that VLAN. Use these guidelines for VSPAN sessions:
• Trunk ports are included as source ports for VSPAN sessions.
• Only traffic with the monitored VLAN number is sent to the destination port.

Configuring SPAN

• VLAN and trunking—You can modify VLAN membership or trunk settings for source and destination ports at any time. However, changes in VLAN membership or trunk settings for a destination port do not take effect until you disable the SPAN session. Changes in VLAN membership or trunk settings for a source port immediately take effect, and the respective SPAN sessions automatically adjust accordingly.

Default SPAN Configuration

Table 15-1 shows the default SPAN configuration. This release supports only local SPAN; remote SPAN (RSPAN) is not supported.

• The no monitor session session_number global configuration command removes a source or destination port from the SPAN session or removes a source VLAN from the SPAN session. If you do not specify any options following the no monitor session session_number command, the entire SPAN session is removed. The no monitor global configuration command also clears all SPAN sessions.
• A SPAN destination port never participates in any VLAN spanning tree.

Step 4  monitor session session_number destination interface interface-id [encapsulation {dot1q | isl}]
        Specify the SPAN session and the destination port (monitoring port). For session_number, specify 1 or 2. For interface-id, specify the destination port. Valid interfaces include physical interfaces. (Optional) Specify the encapsulation header for outgoing packets. If not specified, packets are sent in native form.

Removing Ports from a SPAN Session

Beginning in privileged EXEC mode, follow these steps to remove a port as a SPAN source for a session:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  no monitor session session_number source interface interface-id [, | -] [both | rx | tx]
        Specify the characteristics of the source port (monitored port) and SPAN session to remove. For session_number, specify 1 or 2.

This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional monitoring:

Switch(config)# no monitor session 1 source interface gigabitethernet0/1 rx

The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored.

Specifying VLANs to Monitor

VLAN monitoring is similar to port monitoring.

This example shows how to clear any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination port 7. The configuration is then modified to also monitor received traffic on all ports belonging to VLAN 10.

Step 7  show monitor [session session_number]
        Verify your entries.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To monitor all VLANs on the trunk port, use the no monitor session session_number filter global configuration command.
Chapter 16 Configuring RMON

This chapter describes how to configure Remote Network Monitoring (RMON) on your switch.

Note  For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.

Configuring RMON

Figure 16-1 Remote Monitoring Example (figure not reproduced; it shows a network management station running a generic RMON console application and a Catalyst 3550 switch with RMON alarms and events configured, SNMP configured, and RMON history and statistic collection enabled)

Default RMON Configuration

RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch.

Configuring RMON Alarms and Events

You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station. We recommend that you use a generic RMON console application on the network management station (NMS) to take advantage of RMON’s network management capabilities.

Step 3  rmon event number [log] [trap community] [description string] [owner string]
        Add an event in the RMON event table that is associated with an RMON event number.
        • For number, assign an event number. The range is 1 to 65535.
        • (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.
        • (Optional) For community, enter the SNMP community string used for this trap.

Configuring RMON Collection on an Interface

You must first configure RMON alarms and events to display collection information.

Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode, and specify the interface on which to collect history.

Displaying RMON Status

Step 6  show rmon statistics
        Display the contents of the switch statistics table.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable the collection of group Ethernet statistics, use the no rmon collection stats index interface configuration command.
Chapter 17 Configuring System Message Logging

This chapter describes how to configure system message logging on your switch.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.

Configuring System Message Logging

This section describes how to configure system message logging.

Table 17-1 System Log Message Elements (continued)
Element      Description
MNEMONIC     Text string that uniquely describes the message.
description  Text string containing detailed information about the event being reported.

Disabling and Enabling Message Logging

Message logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.

Step 3  logging host
        Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server. To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 17-10.

Synchronizing Log Messages

You can configure the system to synchronize unsolicited messages and debug privileged EXEC command output with solicited device output and prompts for a specific console port line or virtual terminal line. You can identify the types of messages to be output asynchronously based on the level of severity.

Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.

Enabling and Disabling Sequence Numbers in Log Messages

Because there is a chance that more than one log message can have the same timestamp, you can display messages with sequence numbers so that you can unambiguously refer to a single message. By default, sequence numbers in log messages are not displayed.

Step 6  show running-config
        or
        show logging
        Verify your entries.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Note: Specifying a level causes messages at that level and numerically lower levels to be displayed at the destination.

To disable logging to the console, use the no logging console global configuration command.

Limiting Syslog Messages Sent to the History Table and to SNMP

If you have enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table. You can also change the number of messages that are stored in the history table.

Logging Messages to a UNIX Syslog Daemon

Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. Log in as root, and perform these steps:

Note: Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network.

Step 4  logging facility facility-type
        Configure the syslog facility. See Table 17-4 on page 17-12 for facility-type keywords. The default is local7.
Step 5  end
        Return to privileged EXEC mode.
Step 6  show running-config
        Verify your entries.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Chapter 18 Configuring SNMP

This chapter describes how to configure the Simple Network Management Protocol (SNMP) on your switch.

Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.

Understanding SNMP

SNMP Versions

This software release supports these SNMP versions:
• SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.
• SNMPv2C, which has these features:
  – SNMPv2—Version 2 of the Simple Network Management Protocol, a Draft Internet Standard, defined in RFCs 1902 through 1907.
  – SNMPv2C—The Community-based Administrative Framework for SNMPv2, an Experimental Internet Protocol defined in RFC 1901.

SNMP Agent Functions

The SNMP agent responds to SNMP manager requests as follows:
• Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.
• Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.

Figure 18-1 SNMP Network (figure: the SNMP manager on the NMS sends Get-request, Get-next-request, Get-bulk, and Set-request messages to the SNMP agent on the network device, which holds the MIB and returns Get-response messages and traps)

For information on supported MIBs and how to access them, see Appendix A, “Supported MIBs.”

Configuring SNMP

This section describes how to configure SNMP on your switch.

Disabling the SNMP Agent

Beginning in privileged EXEC mode, follow these steps to disable the SNMP agent:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  no snmp-server
        Disable the SNMP agent operation.
Step 3  end
        Return to privileged EXEC mode.
Step 4  show running-config
        Verify your entries.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Step 3  access-list access-list-number {deny | permit} source [source-wildcard]
        (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary.
        • For access-list-number, enter the access list number specified in Step 2.
        • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.

Configuring Trap Managers and Enabling Traps

A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are issued. Switches running this IOS release can have an unlimited number of trap managers. Community strings can be any length. Table 18-3 describes the supported switch traps (notification types).

Beginning in privileged EXEC mode, follow these steps to configure the switch to send traps to a host:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  snmp-server host host-addr {traps | informs} {version {1 | 2c}} community-string notification-type
        Specify the recipient of the trap message.
        • For host-addr, specify the name or address of the host (the targeted recipient).

Setting the Agent Contact and Location Information

Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  snmp-server contact text
        Set the system contact string. For example: snmp-server contact Dial System Operator at beeper 21555.

Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

SNMP Examples

This example shows how to enable SNMPv1 and SNMPv2C. The configuration permits any SNMP manager to access all objects with read-only permissions using the community string public.
Chapter 19 Configuring Network Security with ACLs

This chapter describes how to configure network security on your switch by using access control lists (ACLs), which are also referred to in commands and tables as access lists. To take advantage of some of the features described in this chapter, you must have the enhanced multilayer software image installed on your switch.

Understanding ACLs

Switches traditionally operate at Layer 2 only, switching traffic within a VLAN, whereas routers route traffic between VLANs. The Catalyst 3550 switch with the enhanced multilayer software image installed can accelerate packet routing between VLANs by using Layer 3 switching.

One ACL can be used with multiple features for a given interface, and one feature can use multiple ACLs. When a single router ACL is used by multiple features, it is examined multiple times.
• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses and optional protocol type information for matching operations.

With VLAN maps, forwarding of packets is permitted or denied, based on the action specified in the map. Figure 19-2 illustrates how a VLAN map is applied to deny a specific type of traffic from Host A in VLAN 10 from being forwarded.

Configuring Router ACLs

• Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet is fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4 information is present. The remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information. Instead, they match the third ACE (a permit). Because the first fragment was denied, host 10.1.1.

These factors can cause packets to be sent to the CPU:
• Using the log keyword
• Enabling ICMP unreachables
• Hardware reaching its capacity to store ACL configurations
If ACLs cause large numbers of packets to be sent to the CPU, the switch performance can be negatively affected.

These are the steps to use ACLs:
Step 1  Create an ACL by specifying an access list number or name and access conditions.
Step 2  Apply the ACL to interfaces or terminal lines. You can also apply standard and extended IP ACLs to VLAN maps.

The software supports these styles of ACLs or access lists for IP:
• Standard IP access lists use source addresses for matching operations.

Table 19-1 Access List Numbers (continued)
Access List Number  Type                                      Supported
1300–1999           IP standard access list (expanded range)  Yes
2000–2699           IP extended access list (expanded range)  Yes

Note: In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs using the supported numbers.

Note: When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny statement for all packets that it did not find a match for before reaching the end.

With standard access lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the mask. This example shows how to create a standard ACL to deny access to IP host 171.69.198.
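To make the fragment rule described for Packet B, the implicit deny, and the omitted-mask default concrete, here is an added Python model of router-ACL evaluation; it is example code, not from this guide or from Cisco IOS. The two access lists, the host addresses and the packets it evaluates are constructed (the extended list follows the Packet B description, with a deny for Telnet as its second ACE and a TCP permit as its third), it accepts only numeric ports, and it uses the standard and extended number ranges of Table 19-1 to decide how to parse each line.

```python
"""Constructed model of Catalyst 3550 router-ACL evaluation (not Cisco code): wildcard
masks, standard vs. extended list numbers, the implicit deny at the end of every list,
and the rule that a non-initial fragment carries no Layer 4 information, so it never
matches an ACE that specifies a port."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are 'don't care'; 0 bits must match exactly."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip", "tcp", "udp", "icmp"; standard ACLs use "ip"
    src: str
    src_wild: str
    dst: str = "0.0.0.0"             # standard ACLs match on source only
    dst_wild: str = "255.255.255.255"
    dst_port: Optional[int] = None   # Layer 4 information, if the ACE carries any

@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    non_initial_fragment: bool = False   # True: no Layer 4 header in this fragment

def _addr_spec(toks: list[str], i: int) -> tuple[str, str, int]:
    """Consume 'any' | 'host A' | 'A W' | 'A' (bare address: the mask defaults to 0.0.0.0)."""
    if toks[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if toks[i] == "host":
        return toks[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(toks) and toks[i + 1].count(".") == 3:
        return toks[i], toks[i + 1], i + 2
    return toks[i], "0.0.0.0", i + 1

def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N ...' line in numbered-ACL syntax (numeric ports only)."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line}")
    number, action = int(toks[1]), toks[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard ranges (Table 19-1)
        src, wild, _ = _addr_spec(toks, 3)
        return Ace(action, "ip", src, wild)
    if 100 <= number <= 199 or 2000 <= number <= 2699:     # extended ranges (Table 19-1)
        src, src_wild, i = _addr_spec(toks, 4)
        dst, dst_wild, i = _addr_spec(toks, i)
        port = int(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
        return Ace(action, toks[3], src, src_wild, dst, dst_wild, port)
    raise ValueError(f"unsupported access-list number {number}")

def evaluate(acl: list[Ace], pkt: Packet) -> str:
    """First-match evaluation; a packet matching nothing falls through to the implicit deny."""
    for ace in acl:
        if ace.protocol != "ip" and ace.protocol != pkt.protocol:
            continue
        if not (wildcard_match(pkt.src, ace.src, ace.src_wild)
                and wildcard_match(pkt.dst, ace.dst, ace.dst_wild)):
            continue
        if ace.dst_port is not None:
            # Layer 4 ACE: a non-initial fragment has no port to compare, so it skips this ACE
            if pkt.non_initial_fragment or pkt.dst_port != ace.dst_port:
                continue
        return ace.action
    return "deny"

# Constructed extended ACL consistent with the Packet B description: the second ACE
# denies Telnet to 10.1.1.2, the third permits the remaining TCP traffic.
ACL_102 = [parse_ace(l) for l in (
    "access-list 102 permit tcp any host 10.1.1.1 eq 25",
    "access-list 102 deny tcp any host 10.1.1.2 eq 23",
    "access-list 102 permit tcp any any",
)]

# Constructed standard ACL: one host on subnet 36.48.0.0/16 is accepted, the rest of that
# subnet is rejected, other 36.0.0.0/8 addresses are accepted (bare address = mask 0.0.0.0).
ACL_2 = [parse_ace(l) for l in (
    "access-list 2 permit 36.48.0.3",
    "access-list 2 deny 36.48.0.0 0.0.255.255",
    "access-list 2 permit 36.0.0.0 0.255.255.255",
)]

def packet_b_verdicts() -> tuple[str, str]:
    """(first fragment, non-initial fragments) of Packet B: 10.2.2.2:65001 -> 10.1.1.2 Telnet."""
    first = Packet("tcp", "10.2.2.2", "10.1.1.2", dst_port=23)
    rest = Packet("tcp", "10.2.2.2", "10.1.1.2", non_initial_fragment=True)
    return evaluate(ACL_102, first), evaluate(ACL_102, rest)    # ("deny", "permit")

def standard_verdicts() -> tuple[str, ...]:
    """ACL_2 verdicts for four constructed sources; the last one hits the implicit deny."""
    sources = ("36.48.0.3", "36.48.7.9", "36.9.1.1", "37.1.1.1")
    return tuple(evaluate(ACL_2, Packet("ip", s, "10.0.0.1")) for s in sources)
```

The non-initial fragments of Packet B are permitted by the third ACE even though the first fragment was denied, which is the behaviour the text above warns about.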
Protocol (igrp), any Interior Protocol (ip), IP in IP tunneling (ipinip), KA9Q NOS-compatible IP over IP tunneling (nos), Open Shortest Path First routing (ospf), Payload Compression Protocol (pcp), Protocol Independent Multicast (pim), Transmission Control Protocol (tcp), or User Datagram Protocol (udp). Supported parameters can be grouped into these categories: TCP, UDP, ICMP, IGMP, or other IP.

Beginning in privileged EXEC mode, follow these steps to create an extended ACL:

Step 1  configure terminal
        Enter global configuration mode.

or
Step 2b  access-list access-list-number {deny | permit} protocol any any [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]
        In access-list configuration mode, define an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.

Step 2d  access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]
        (Optional) Define an extended ICMP access list and the access conditions.

Creating Named Standard and Extended ACLs

You can identify IP ACLs with an alphanumeric string (a name) rather than a number. You can use named ACLs to configure more IP access lists in a router than if you were to use numbered access lists. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different.

Beginning in privileged EXEC mode, follow these steps to create an extended ACL using names:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip access-list extended name
        Define an extended IP access list using a name and enter access-list configuration mode.

and argument are referenced in the named and numbered extended ACL task tables in the previous sections, the “Creating Standard and Extended IP ACLs” section on page 19-6, and the “Creating Named Standard and Extended ACLs” section on page 19-14.

Switch(config-time-range)# exit
Switch(config)# time-range thanksgiving_2000
Switch(config-time-range)# absolute start 00:00 22 Nov 2000 end 23:59 23 Nov 2000
Switch(config-time-range)# exit
Switch(config)# time-range christmas_2000
Switch(config-time-range)# absolute start 00:00 24 Dec 2000 end 23:50 25 Dec 2000
Switch(config-time-range)# end
Switch# show time-range
time-range entry: christmas_2000 (inactive)
   absolute start 00:00 2

Including Comments About Entries in ACLs

You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters. The remark can go before or after a permit or deny statement.

Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  line [console | vty] line-number
        Identify a specific line for configuration, and enter in-line configuration mode.
        • console—Enter to specify the console terminal line.

Note: The ip access-group interface configuration command is only valid when applied to a Layer 3 interface: an SVI, a Layer 3 EtherChannel, or a routed port. The interface must have been configured with an IP address. Layer 3 access groups filter packets that are routed or are received by Layer 3 processes on the CPU. They do not affect packets bridged within a VLAN.

This is an example of output from the show access-lists privileged EXEC command, displaying all standard and extended ACLs:

Switch# show access-lists
Standard IP access list 1
    permit 172.20.10.10
Standard IP access list 10
    permit 12.12.12.12
Standard IP access list 12
    deny   1.3.3.2
Standard IP access list 32
    permit 172.20.20.20
Standard IP access list 34
    permit 10.24.35.56
    permit 23.45.56.

This example shows how to use the show running-config interface privileged EXEC command to display the ACL configuration of Gigabit Ethernet interface 0/2:

Switch# show running-config interface gigabitethernet0/2
Building configuration...

Current configuration : 85 bytes
!
interface GigabitEthernet0/2
 ip address 10.20.30.1 255.255.0.

Figure 19-3 Using Router ACLs to Control Traffic (figure: Server A, Benefits; Server B, Payroll; port 0/2 and port 0/3 on a Catalyst 3550 switch with the enhanced multilayer software image; Accounting, 172.20.128.64-95; Human Resources, 172.20.128.0-31)

This example uses a standard ACL to filter traffic coming into Server B from port 0/3, permitting traffic only from Accounting’s source addresses 172.20.128.64 to 172.20.128.95.

Numbered ACLs

In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the switch accepts one address on subnet 48 and rejects all others on that subnet. The last line of the list shows that the switch accepts addresses on all other network 36.0.0.

The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits any ICMP traffic, denies UDP traffic from any source to the destination address range 171.69.0.0 through 179.69.255.255 with a destination port less than 1024, denies any other IP traffic, and provides a log of the result.

In this example of a named ACL, the Jones subnet is not allowed access:

Switch(config)# ip access-list standard prevention
Switch(config-std-nacl)# remark Do not allow Jones subnet through
Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.

This is an example of a log for an extended ACL:

01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet
01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets
01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.
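Messages in this format are only useful to a defender once they are parsed, so here is an added Python parser for the %SEC-6-IPACCESSLOGDP (ICMP, with type/code) and %SEC-6-IPACCESSLOGP (TCP/UDP, with ports) forms shown above, plus a per-source tally of denied packets of the kind a threshold alert would consume; it is example code, not from this guide or from Cisco IOS. The log lines embedded in it are constructed in the format shown above (the page's own excerpt is truncated), and the tally function is a hypothetical detection aid.

```python
"""Parser and summariser for Catalyst 3550 ACL log messages (constructed example, not Cisco
code). Handles the %SEC-6-IPACCESSLOGDP (ICMP, type/code) and %SEC-6-IPACCESSLOGP (TCP/UDP,
ports) forms; any other syslog line is ignored rather than mis-parsed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# <time>:%SEC-6-IPACCESSLOGDP:list <acl> <action> icmp A -> B (type/code), N packet(s)
# <time>:%SEC-6-IPACCESSLOGP:list <acl> <action> <proto> A(port) -> B(port), N packet(s)
_LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d):%SEC-6-(?P<mnemonic>IPACCESSLOG[A-Z]+):"
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?$"
)

@dataclass(frozen=True)
class AclLogEntry:
    time: str
    mnemonic: str
    acl: str
    action: str       # "permitted" or "denied"
    proto: str
    src: str
    dst: str
    detail: str       # "sport->dport" for TCP/UDP, "type/code" for ICMP, "" otherwise
    count: int        # number of packets summarised by this one message

def parse_line(line: str) -> Optional[AclLogEntry]:
    m = _LINE.match(line.strip())
    if not m:
        return None        # not an ACL log message
    g = m.groupdict()
    if g["mnemonic"] == "IPACCESSLOGDP":
        detail = f'{g["itype"]}/{g["icode"]}'
    elif g["sport"] is not None:
        detail = f'{g["sport"]}->{g["dport"]}'
    else:
        detail = ""
    return AclLogEntry(g["time"], g["mnemonic"], g["acl"], g["action"], g["proto"],
                       g["src"], g["dst"], detail, int(g["count"]))

def parse_log(text: str) -> List[AclLogEntry]:
    entries = (parse_line(l) for l in text.splitlines() if l.strip())
    return [e for e in entries if e is not None]

def denied_packets_by_source(entries: List[AclLogEntry]) -> Dict[Tuple[str, str, str], int]:
    """Sum denied packet counts per (source, protocol, acl); the count field already
    aggregates packets, so the totals are real packet numbers, not message numbers."""
    totals: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for e in entries:
        if e.action == "denied":
            totals[(e.src, e.proto, e.acl)] += e.count
    return dict(totals)

# Constructed sample lines in the format the chapter shows; the last line is an unrelated
# system message included to show that it is skipped.
SAMPLE_LOG = """\
01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet
01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets
01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 8 packets
01:32:05:%SEC-6-IPACCESSLOGP:list ext1 denied tcp 10.1.1.15(1025) -> 10.1.1.61(23), 3 packets
01:32:09:%SYS-5-CONFIG_I:Configured from console by console
"""

def sample_summary() -> Dict[Tuple[str, str, str], int]:
    return denied_packets_by_source(parse_log(SAMPLE_LOG))
```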
Configuring VLAN Maps

Step 4  Use the vlan filter global configuration command to apply a VLAN map to one or more VLANs.

Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mac access-list extended name
        Define an extended MAC access list using a name.

Creating a VLAN Map

Each VLAN map consists of an ordered series of entries. Beginning in privileged EXEC mode, follow these steps to create, add to, or delete a VLAN map entry:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  vlan access-map name [number]
        Create a VLAN map, and give it a name and (optionally) a number. The number is the sequence number of the entry within the map.

This example shows how to create a VLAN map to permit a packet. ACL ip2 permits UDP packets, and any packets that match the ip2 ACL are forwarded.

Switch(config)# mac access-list extended good-hosts
Switch(config-ext-macl)# permit host 000.0c00.0111 any
Switch(config-ext-macl)# permit host 000.0c00.

Displaying VLAN Map Information

You can display information about VLAN access maps or VLAN filters. Use the privileged EXEC commands in Table 19-4 to display VLAN map information.

Table 19-4 Commands for Displaying VLAN Map Information
Command                         Purpose
show vlan access-map [mapname]  Show information about all VLAN access-maps or the specified access map.

Wiring Closet Configuration

In a wiring closet configuration, the Catalyst 3550 switch might not be running the enhanced multilayer software image. In this configuration, the switch can still support a VLAN map and a QoS classification ACL. In Figure 19-4, assume that Host X and Host Y are in different VLANs and are connected to wiring closet switches A and C.

Then, apply VLAN access map map2 to VLAN 1.

Switch(config)# vlan filter map2 vlan 1

Denying Access to a Server on Another VLAN

You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs to have access restricted as follows (see Figure 19-5):
• Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.
• Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.

Using VLAN Maps with Router ACLs

To access control both bridged and routed traffic, you can use VLAN maps only or a combination of router ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces, and you can define a VLAN map to access control the bridged traffic.

• Avoid including Layer 4 information in an ACL; adding this information complicates the merging process. The best merge results are obtained if the ACLs are filtered based on IP addresses (source and destination) and not on the full flow (source IP address, destination IP address, protocol, and protocol ports). It is also helpful to use don’t care bits in the IP address, whenever possible.

This output from the show fm label privileged EXEC command shows a merge failure on an input access group:

Switch# show fm label 1
Unloaded due to merge failure or lack of space:
   InputAccessGroup
Merge Fail:input
Input Features:
   Interfaces or VLANs:  Vl1
   Priority:normal
   Vlan Map:(none)
   Access Group:131, 6788 VMRs
   Multicast Boundary:(none), 0 VMRs
Output Features:
   Interfaces or VLANs:
   Priority:low
   Bridge Group Member:no
   Vlan

Note: When configuring ACLs on the switch, to allocate maximum hardware resources for ACLs, you can use the sdm prefer access global configuration command to set the Switch Database Management feature to the access template. For more information on the SDM templates, see the “Optimizing System Resources for User-Selected Features” section on page 6-57.

ACLs and Bridged Packets

Figure 19-7 shows how an ACL is applied on fallback-bridged packets. For bridged packets, only Layer 2 ACLs are applied to the input VLAN. Only non-IP, non-ARP packets can be fallback-bridged.

ACLs and Routed Packets

Figure 19-8 shows how ACLs are applied on routed packets. For routed packets, the ACLs are applied in this order:
1. VLAN map for input VLAN
2. Input router ACL
3. Output router ACL
4.

ACLs and Multicast Packets

Figure 19-9 shows how ACLs are applied on packets that are replicated for IP multicasting. A multicast packet being routed has two different kinds of filters applied: one for destinations that are other ports in the input VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed.
Chapter 20 Configuring QoS

This chapter describes how to configure quality of service (QoS) on your switch. With this feature, you can provide preferential treatment to certain traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.

Understanding QoS

type of service (TOS) field to carry the classification (class) information. Classification can also be carried in the Layer 2 frame. These special bits in the Layer 2 frame or a Layer 3 packet are described here and shown in Figure 20-1:
• Prioritization values in Layer 2 frames: Layer 2 Inter-Switch Link (ISL) frame headers have a 1-byte User field that carries an IEEE 802.1p class of service (CoS) value in the three least-significant bits.

All switches and routers that access the Internet rely on the class information to provide the same forwarding treatment to packets with the same class information and different treatment to packets with different class information. The class information in the packet can be assigned by end hosts or by switches or routers along the way, based on a configured policy, detailed examination of the packet, or both.

Figure 20-2 Basic QoS Model (figure: Classification: inspect packet and determine the DSCP based on ACLs or the configuration; map the Layer 2 CoS value to a DSCP value; generate DSCP. Policing: compare DSCP to the configured policer and determine if the packet is in profile or out of profile.)

For IP traffic, you have these classification options as shown in Figure 20-3:
• Trust the IP DSCP in the incoming packet (configure the port to trust DSCP), and assign the same DSCP to the packet for internal use. The IETF defines the 6 most-significant bits of the 1-byte Type of Service (ToS) field as the DSCP. The priority represented by a particular DSCP value is configurable. DSCP values range from 0 to 63.

Figure 20-3 Classification Flowchart (flowchart: Start; read ingress interface configuration for classification; trust CoS (IP and non-IP traffic), trust DSCP (IP traffic), trust IP precedence (IP traffic), or use port default (non-IP traffic); for trusted DSCP, assign DSCP identical to DSCP in packet and (optional) modify the DSCP by using the DSCP-to-DSCP-mutation map; for trusted CoS, check if packet came with CoS label (tag): yes, use CoS from frame; no, assign default port CoS)

Classification Based on QoS ACLs

You can use IP standard, IP extended, and Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs:
• If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.

The policy map can also contain commands that define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded. For more information, see the “Policing and Marking” section on page 20-8. A policy map also has these characteristics:
• A policy map can contain multiple class statements.
• A separate policy-map class can exist for each type of traffic received through an interface.

You configure the bucket depth (the maximum burst that is tolerated before the bucket overflows) by using the burst-byte option of the police policy-map class configuration command or the mls qos aggregate-policer global configuration command.

Figure 20-4 Policing and Marking Flowchart (flowchart: Start; read the DSCP of the packet; is a policer configured for this DSCP? No: pass through. Yes: check if the packet is in profile by querying the policer; in profile: pass through; out of profile: check the out-of-profile action configured for this policer; Drop: drop packet; Mark: modify DSCP according to the policed-DSCP map; Done)
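As an added illustration of the bucket-depth paragraph and the Figure 20-4 flow (example code, not from this guide or from Cisco IOS), here is a simplified single-rate token-bucket policer in Python in which the bucket depth plays the role of the burst-byte option: a packet that fits in the bucket is in profile; one that does not is out of profile and gets the configured action, drop or mark through a policed-DSCP map. The rate, burst, packet trace and policed-DSCP map values are constructed, and the model ignores details of the switch's hardware policer.

```python
"""Constructed token-bucket model of the Catalyst 3550 policing and marking step (not
Cisco code): the bucket depth is the burst tolerated before packets go out of profile;
out-of-profile packets are dropped or re-marked through a policed-DSCP map."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Policer:
    rate_bps: float          # average rate the policer enforces, in bytes per second
    burst_bytes: int         # bucket depth, the role of the burst-byte option
    exceed_action: str       # "drop" or "mark" (the out-of-profile action)
    tokens: float = field(init=False)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # the bucket starts full

    def in_profile(self, now: float, size: int) -> bool:
        """Refill tokens for the elapsed time (capped at the depth), then try to pay for the packet."""
        self.tokens = min(float(self.burst_bytes),
                          self.tokens + (now - self.last_time) * self.rate_bps)
        self.last_time = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False          # out of profile; no tokens are consumed

# Constructed policed-DSCP map: out-of-profile DSCP 46 is marked down to 0, DSCP 26 to 8.
POLICED_DSCP_MAP: Dict[int, int] = {46: 0, 26: 8}

def police_packet(policers: Dict[int, Policer], dscp: int, now: float, size: int) -> Optional[int]:
    """Return the DSCP the packet leaves with, or None if it is dropped (the Figure 20-4 flow)."""
    policer = policers.get(dscp)
    if policer is None or policer.in_profile(now, size):
        return dscp                                  # no policer for this DSCP, or in profile
    if policer.exceed_action == "drop":
        return None
    return POLICED_DSCP_MAP.get(dscp, dscp)          # mark: modify DSCP by the policed-DSCP map

def run_trace(policers: Dict[int, Policer],
              packets: List[Tuple[float, int, int]]) -> List[Optional[int]]:
    """Feed (time_seconds, dscp, size_bytes) packets through the policers in order."""
    return [police_packet(policers, dscp, t, size) for t, dscp, size in packets]

def demo() -> List[Optional[int]]:
    """Constructed trace: 1000 bytes/s with a 1500-byte bucket for two DSCP values."""
    policers = {
        46: Policer(rate_bps=1000, burst_bytes=1500, exceed_action="drop"),
        26: Policer(rate_bps=1000, burst_bytes=1500, exceed_action="mark"),
    }
    trace = [
        (0.0, 46, 1000),   # fits in the full bucket: in profile
        (0.0, 46, 1000),   # only 500 tokens left: out of profile, dropped
        (1.0, 46, 1000),   # 1 s later 1000 tokens refilled (capped at 1500): in profile
        (0.0, 26, 1000),   # separate policer, in profile
        (0.0, 26, 1000),   # out of profile, marked 26 -> 8 by the policed-DSCP map
        (0.0, 0, 9000),    # no policer configured for DSCP 0: pass through
    ]
    return run_trace(policers, trace)   # [46, None, 46, 26, 8, 0]
```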
Chapter 20 Configuring QoS Understanding QoS Mapping Tables During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with an internal DSCP value: • During classification, QoS uses configurable mapping tables to derive the internal DSCP (a 6-bit value) from received CoS or IP precedence (3-bit) values. These maps include the CoS-to-DSCP map and the IP-precedence-to-DSCP map.
Queueing and Scheduling

After a packet is policed and marked, the queueing and scheduling process begins as described in these sections:

• Queueing and Scheduling on Gigabit-Capable Ports, page 20-12
• Queueing and Scheduling on 10/100 Ethernet Ports, page 20-15

Queueing and Scheduling on Gigabit-Capable Ports

Figure 20-5 shows the queueing and scheduling flowchart for Gigabit-capable Ethernet ports.
During the queueing and scheduling process, the switch uses egress queues and WRR for congestion management, and tail drop or WRED algorithms for congestion avoidance on Gigabit-capable Ethernet ports. Each Gigabit-capable Ethernet port has four egress queues, one of which can be the egress expedite queue.
WRED

Cisco’s implementation of Random Early Detection (RED), called Weighted Random Early Detection (WRED), differs from other congestion-avoidance techniques because it attempts to anticipate and avoid congestion, rather than controlling congestion once it occurs. WRED takes advantage of TCP congestion control to try to control the average queue size by indicating to end hosts when they should temporarily stop sending packets.
Queueing and Scheduling on 10/100 Ethernet Ports

Figure 20-6 shows the queueing and scheduling flowchart for 10/100 Ethernet ports.

Figure 20-6 Queueing and Scheduling Flowchart for 10/100 Ethernet Ports

[Flowchart: Start → Read the CoS value of the CoS-to-queue map to get the queue number → Get minimum-reserve level and queue size → Is space available? No: drop packets until space is available. Yes: put packet into specified queue and service queue according to WRR → Done]
Each minimum-reserve level is configured with a buffer size. As shown in the figure, queue 4 of Fast Ethernet port 0/1 has a buffer size of 70 packets, queue 4 of Fast Ethernet port 0/2 has a buffer size of 80 packets, queue 4 of Fast Ethernet port 0/3 has a buffer size of 40 packets, and Fast Ethernet port 0/4 has a buffer size of 80 packets. You configure the buffer size by using the mls qos min-reserve global configuration command.
Packet Modification

A packet is classified, policed, and queued to provide QoS. Packet modifications can occur during this process:

• For IP packets, classification involves assigning a DSCP to the packet. However, the packet is not modified at this stage; only an indication of the assigned DSCP is carried along.
Chapter 20 Configuring QoS Configuring QoS

Configuring QoS

Before configuring QoS, you must have a thorough understanding of these items:

• The types of applications used and the traffic patterns on your network.
• Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve bandwidth for voice and video streams?
• Bandwidth requirements and speed of the network.
• Location of congestion points in the network.
Table 20-2 Default QoS Parameters when QoS is Enabled

Port Type: Gigabit-capable Ethernet ports; 10/100 Ethernet ports
QoS State: Enabled
Egress traffic (DSCP and CoS value): DSCP=0 (no policing); CoS=0 (0 means best-effort delivery.
Queue: Four queues are available (no expedite queue).
Queue Weights: Each queue has the same weight.
Tail-drop Thresholds: 100%, 100%; WRED is disabled.
CoS Mapping to Queue: 0, 1: queue 1; 2, 3: queue 2
Configuration Guidelines

Before beginning the QoS configuration, you should be aware of this information:

• If you have EtherChannel ports configured on your switch, you must configure QoS classification, policing, mapping, and queueing on the individual physical ports that comprise the EtherChannel. You must decide whether the QoS configuration should match on all ports in the EtherChannel.
Enabling QoS Globally

By default, QoS is disabled on the switch, which means that the switch offers best-effort service to each packet regardless of the packet contents or size. All CoS values map to egress queue 1 with both tail-drop thresholds set to 100 percent of the total queue size for Gigabit-capable Ethernet ports. On 10/100 Ethernet ports, all CoS values map to egress queue 1, which uses minimum-reserve level 1 and can hold up to 100 packets.
Configuring the Trust State on Ports within the QoS Domain

Packets entering a QoS domain are classified at the edge of the QoS domain. When the packets are classified at the edge, the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain. Figure 20-8 shows a sample network topology.
Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos
        Enable QoS globally.
Step 3  interface interface-id
        Enter interface configuration mode, and specify the interface to be trusted. Valid interfaces include physical interfaces.
Configuring the CoS Value for an Interface

QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports.

Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port:

Step 1  configure terminal
        Enter global configuration mode.
Configuring the DSCP Trust State on a Port Bordering Another QoS Domain

If you are administering two separate QoS domains between which you want to implement QoS features for IP traffic, you can configure the switch ports bordering the domains to a DSCP-trusted state as shown in Figure 20-9. Then the receiving port accepts the DSCP-trusted value and avoids the classification stage of QoS.
Step 6  mls qos dscp-mutation dscp-mutation-name
        Apply the map to the specified ingress DSCP-trusted port. You can apply the map to different Gigabit-capable Ethernet ports.
Step 7  end
        Return to privileged EXEC mode.
Step 8  show mls qos maps dscp-mutation
        Verify your entries.
Step 9  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Classifying Traffic by Using ACLs

You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs.

Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos
        Enable QoS on the switch.
Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos
        Enable QoS on the switch.
Step 3  access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
        Create an IP extended ACL, repeating the command as many times as necessary.
This example shows how to create an ACL that permits PIM traffic from any source to a destination group address of 224.0.0.2 with a DSCP set to 32:

Switch(config)# access-list 102 permit pim any 224.0.0.2 dscp 32

Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos
        Enable QoS on the switch.
This example shows how to create a Layer 2 MAC ACL with two permit statements. The first statement allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001. The second statement allows only Ethertype XNS-IDP traffic from the host with MAC address 0001.0000.0002 to the host with MAC address 0002.0000.0002.

Switch(config)# mac access-list extended maclist1
Switch(config-ext-macl)# permit 0001.0000.0001 0.0.0 0002.
Step 4  class-map class-map-name [match-all | match-any]
        Create a class map, and enter class-map configuration mode. By default, no class maps are defined.
        • For class-map-name, specify the name of the class map.
        • (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map. All match criteria in the class map must be matched.
This example shows how to create a class map called class2, which matches incoming traffic with DSCP values of 10, 11, and 12.
Step 4  policy-map policy-map-name
        Create a policy map by entering the policy map name, and enter policy-map configuration mode. By default, no policy maps are defined. The default behavior of a policy map is to set the DSCP to 0 if the packet is an IP packet and to set the CoS to 0 if the packet is tagged. No policing is performed.
Step 6  trust [cos | dscp | ip-precedence]
        Configure the trust state, which selects the value that QoS uses as the source of the internal DSCP value.
        Note This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, then skip Step 7.
        By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
Step 8  police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]
        Define a policer for the classified traffic. You can configure up to 128 policers on ingress Gigabit-capable Ethernet ports, up to 8 policers on ingress 10/100 Ethernet ports, and up to 8 policers on egress ports.
        • For rate-bps, specify average traffic rate in bits per second (bps). The range is 8000 to 2000000000.
This example shows how to create a policy map and attach it to an ingress interface. In the configuration, the IP standard ACL permits traffic from network 10.1.0.0. For traffic matching this classification, the DSCP value in the incoming packet is trusted.
Classifying, Policing, and Marking Traffic by Using Aggregate Policers

By using an aggregate policer, you can create a policer that is shared by multiple traffic classes within the same policy map. However, you cannot use the aggregate policer across different policy maps or interfaces.

Beginning in privileged EXEC mode, follow these steps to create an aggregate policer:

Step 1  configure terminal
        Enter global configuration mode.
Step 9   interface interface-id
         Enter interface configuration mode, and specify the interface to attach to the policy map. Valid interfaces include physical interfaces.
Step 10  service-policy {input policy-map-name | output policy-map-name}
         Apply a policy map to the input or output of a particular interface. Only one policy map per interface per direction is supported.
Configuring DSCP Maps

This section describes how to configure the DSCP maps.
This example shows how to modify and display the CoS-to-DSCP map:

Switch# configure terminal
Switch(config)# mls qos map cos-dscp 10 15 20 25 30 35 40 45
Switch(config)# end
Switch# show mls qos maps cos-dscp
   Cos-dscp map:
        cos:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:  10 15 20 25 30 35 40 45

Configuring the IP-Precedence-to-DSCP Map

You use the IP-precedence-to-DSCP map to map IP precedence values in incoming packets to a DSCP value that QoS uses in
Configuring the Policed-DSCP Map

You use the policed-DSCP map to mark down a DSCP value to a new value as the result of a policing and marking action. The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value.

Beginning in privileged EXEC mode, follow these steps to modify the policed-DSCP map:

Step 1  configure terminal
        Enter global configuration mode.
Configuring the DSCP-to-CoS Map

You use the DSCP-to-CoS map to generate a CoS value, which is used to select one of the four egress queues. Table 20-5 shows the default DSCP-to-CoS map.

Table 20-5 Default DSCP-to-CoS Map

DSCP value  0–7  8–15  16–23  24–31  32–39  40–47  48–55  56–63
CoS value   0    1     2      3      4      5      6      7

If these values are not appropriate for your network, you need to modify them.
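The following simulation, added here as an example rather than Cisco code, chains the pieces described above (the policing-and-marking flowchart in Figure 20-4, the police rate-bps burst-byte command, the policed-DSCP map, and the default DSCP-to-CoS map in Table 20-5) so the behaviour of an in-profile and an out-of-profile packet can be traced. Keying policers by DSCP, the token-bucket refill model, and the constructed packet trace are assumptions of this example; the CoS-to-DSCP values are the ones from the show mls qos maps cos-dscp output earlier in this section.

```python
"""Simulation of the Catalyst 3550 policing-and-marking flow (Figure 20-4).

Added example, not Cisco code. Pipeline per packet:
  trusted CoS -> CoS-to-DSCP map -> internal DSCP -> policer (token bucket
  whose depth is burst-byte and whose fill rate is rate-bps) -> if out of
  profile: drop, or mark down through the policed-DSCP map -> DSCP-to-CoS
  map -> CoS (which selects the egress queue).
Assumption: policers are looked up by DSCP, as the flowchart phrases it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DROP = "drop"
POLICED_DSCP_TRANSMIT = "policed-dscp-transmit"

# CoS-to-DSCP map as configured on the page: mls qos map cos-dscp 10 15 ... 45
PAGE_COS_DSCP_MAP = [10, 15, 20, 25, 30, 35, 40, 45]


def cos_to_dscp(cos: int, cos_dscp_map: List[int] = PAGE_COS_DSCP_MAP) -> int:
    """Derive the internal DSCP from a trusted CoS (3-bit) value."""
    if not 0 <= cos <= 7:
        raise ValueError("CoS must be 0..7")
    return cos_dscp_map[cos]


def dscp_to_cos(dscp: int) -> int:
    """Default DSCP-to-CoS map (Table 20-5): 0-7 -> 0, 8-15 -> 1, ..., 56-63 -> 7."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return dscp >> 3


@dataclass
class Policer:
    """Single-rate token bucket for `police rate-bps burst-byte [exceed-action ...]`."""
    rate_bps: int
    burst_bytes: int
    exceed_action: str = DROP
    tokens: float = field(init=False)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        if not 8000 <= self.rate_bps <= 2_000_000_000:   # range given on the page
            raise ValueError("rate-bps must be 8000..2000000000")
        if self.exceed_action not in (DROP, POLICED_DSCP_TRANSMIT):
            raise ValueError("exceed-action must be drop or policed-dscp-transmit")
        self.tokens = float(self.burst_bytes)            # bucket starts full

    def in_profile(self, now: float, size_bytes: int) -> bool:
        """Refill the bucket up to burst-byte, then try to pay for the packet."""
        elapsed = max(0.0, now - self.last_time)
        self.tokens = min(float(self.burst_bytes),
                          self.tokens + elapsed * self.rate_bps / 8.0)
        self.last_time = max(self.last_time, now)
        if self.tokens >= size_bytes:
            self.tokens -= size_bytes
            return True
        return False


def police_and_mark(dscp: int, size_bytes: int, now: float,
                    policers: Dict[int, Policer],
                    policed_dscp_map: Optional[Dict[int, int]] = None
                    ) -> Optional[Tuple[int, int]]:
    """Walk Figure 20-4 for one packet.

    Returns (final_dscp, cos) for a transmitted packet, or None when dropped.
    A missing policed_dscp_map is the default null map (DSCP maps to itself).
    """
    if policed_dscp_map is None:
        policed_dscp_map = {}
    policer = policers.get(dscp)
    if policer is None or policer.in_profile(now, size_bytes):
        return dscp, dscp_to_cos(dscp)               # pass through unchanged
    if policer.exceed_action == DROP:
        return None                                  # out of profile: drop
    marked = policed_dscp_map.get(dscp, dscp)        # out of profile: mark down
    return marked, dscp_to_cos(marked)


def run_trace(packets: List[Tuple[float, int, int]], policers: Dict[int, Policer],
              policed_dscp_map: Optional[Dict[int, int]] = None
              ) -> List[Optional[Tuple[int, int]]]:
    """Process constructed (time_s, trusted_cos, size_bytes) packets in order."""
    results = []
    for now, cos, size in packets:
        dscp = cos_to_dscp(cos)
        results.append(police_and_mark(dscp, size, now, policers, policed_dscp_map))
    return results


if __name__ == "__main__":
    # Constructed trace: CoS 5 maps to DSCP 35; police it at 8000 bps (1000 B/s)
    # with a 1500-byte bucket and mark excess down to DSCP 8 (CoS 1).
    policers = {35: Policer(8000, 1500, POLICED_DSCP_TRANSMIT)}
    trace = [(0.0, 5, 1000), (0.0, 5, 1000), (0.5, 5, 1000), (2.0, 3, 1000)]
    for pkt, out in zip(trace, run_trace(trace, policers, {35: 8})):
        print(pkt, "->", "dropped" if out is None else f"dscp={out[0]} cos={out[1]}")
```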
Configuring the DSCP-to-DSCP-Mutation Map

You apply the DSCP-to-DSCP-mutation map to a port at the boundary of a QoS administrative domain. If the two domains have different DSCP definitions between them, you use the DSCP-to-DSCP-mutation map to translate a set of DSCP values to match the definition of the other domain. The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value.
This example shows how to define the DSCP-to-DSCP-mutation map.
Mapping CoS Values to Select Egress Queues

Beginning in privileged EXEC mode, follow these steps to map CoS ingress values to select one of the egress queues:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos
        Enable QoS on the switch.
Step 3  interface interface-id
        Enter interface configuration mode, and specify the egress Gigabit-capable Ethernet interface.
Step 4  wrr-queue cos-map queue-id cos1 ...
Configuring the Egress Queue Size Ratios

Beginning in privileged EXEC mode, follow these steps to configure the egress queue size ratios:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos
        Enable QoS on the switch.
Step 3  interface interface-id
        Enter interface configuration mode, and specify the egress Gigabit-capable Ethernet interface.
Configuring Tail-Drop Threshold Percentages

Tail drop is the default congestion-avoidance technique on Gigabit-capable Ethernet ports. With tail drop, packets are queued until the thresholds are exceeded. For example, all packets with DSCPs assigned to the first threshold are dropped until the threshold is no longer exceeded. However, packets assigned to a second threshold continue to be queued and sent as long as the second threshold is not exceeded.
To return to the default thresholds, use the no wrr-queue threshold queue-id interface configuration command. To return to the default DSCP-to-threshold map, use the no wrr-queue dscp-map [threshold-id] interface configuration command.
Step 4  wrr-queue random-detect max-threshold queue-id threshold-percentage1 threshold-percentage2
        Configure WRED drop threshold percentages on each egress queue. By default, WRED is disabled, and no thresholds are configured.
        • For queue-id, specify the ID of the egress queue. The range is 1 to 4, where queue 4 can be configured as the expedite queue.
Configuring the Egress Expedite Queue

You can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. This queue is serviced until it is empty and before the other queues are serviced.

Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos
        Enable QoS on the switch.
Step 4  wrr-queue bandwidth weight1 weight2 weight3 weight4
        Assign WRR weights to the egress queues. By default, all the weights are set to 25 (1/4 of the bandwidth is allocated to each queue). For weight1 weight2 weight3 weight4, enter the ratio, which determines the ratio of the frequency in which the WRR scheduler drops packets. Separate each value with a space. The range is 0 to 65536.
This section contains this configuration information:

• Mapping CoS Values to Select Egress Queues, page 20-52
• Configuring the Minimum-Reserve Levels, page 20-53
• Configuring the Egress Expedite Queue, page 20-54
• Allocating Bandwidth among Egress Queues, page 20-54

Mapping CoS Values to Select Egress Queues

Beginning in privileged EXEC mode, follow these steps to map CoS ingress values to select one of the egress queues:

Step 1  co
Configuring the Minimum-Reserve Levels

You can configure the buffer size of the minimum-reserve levels on all 10/100 ports and assign the minimum-reserve level to an egress queue on a 10/100 Ethernet port.

Beginning in privileged EXEC mode, follow these steps to configure the egress queue sizes:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  mls qos
        Enable QoS on the switch.
Chapter 20 Configuring QoS Displaying QoS Information

Displaying QoS Information

To display the current QoS information, use one or more of the privileged EXEC commands in Table 20-6:

Table 20-6 Commands for Displaying QoS Information

show class-map [class-map-name]
        Display QoS class maps, which define the match criteria to classify traffic.
Chapter 20 Configuring QoS QoS Configuration Examples

Figure 20-10 QoS Configuration Example Network

[Figure labels: Cisco router (to Internet); Gigabit Ethernet 0/5; Catalyst 3550-12G switch; Gigabit Ethernet 0/2 and Gigabit Ethernet 0/1; trunk links to an existing wiring closet (Catalyst 2900 and 3500 XL switches) and an intelligent wiring closet (Catalyst 3550 switches); Gigabit Ethernet 0/2 and Gigabit Ethernet 0/1; end stations; video server 172.20.10.]
For the Catalyst 3500 XL and 2900 XL switches, CoS configures each egress port with a normal-priority transmit queue and a high-priority transmit queue, depending on the frame tag or the port information. Frames in the normal-priority queue are forwarded only after frames in the high-priority queue are forwarded. Frames that have 802.
Step 17  wrr-queue cos-map 4 6 7
         Configure the CoS-to-egress-queue map so that CoS values 6 and 7 select queue 4 (this is the default setting). Because the default DSCP-to-CoS map has DSCP values 56 to 63 mapped to CoS value 7, the matched traffic that is set to DSCP 56 goes to queue 4, the priority queue.
Step 18  end
         Return to privileged EXEC mode.
Step 19  show class-map videoclass
         Verify your entries.
Step 5  switchport mode trunk
        Configure this port as a trunk port.
Step 6  exit
        Return to global configuration mode.
Step 7  interface gigabitethernet0/2
        Enter interface configuration mode, and specify the ingress interface connected to the intelligent wiring closet.
Step 8  mls qos trust dscp
        Classify incoming packets on this port by using the packet DSCP value.
Step 9  wrr-queue dscp-map threshold-id dscp1 ...
Step 17  end
         Return to privileged EXEC mode.
Step 18  show mls qos interface and show interfaces
         Verify your entries.
Step 19  copy running-config startup-config
         (Optional) Save your entries in the configuration file.
Chapter 21 Configuring EtherChannel

This chapter describes how to configure EtherChannel on Layer 2 and Layer 3 interfaces. To configure Layer 3 interfaces, you must have the enhanced multilayer software image (EMI) installed on your switch. All Catalyst 3550 Gigabit Ethernet switches ship with the EMI installed. Catalyst 3550 Fast Ethernet switches can be shipped with either the standard multilayer software image (SMI) or EMI pre-installed.
Chapter 21 Configuring EtherChannel Understanding EtherChannel

Figure 21-1 Typical EtherChannel Configuration

[Figure: a Catalyst 8500, 6000, 5500, or 4000 series switch connected by Gigabit EtherChannel (1000BASE-X) to Catalyst 3550-12T switches, which connect workstations over 10/100 switched links.]

Understanding Port-Channel Interfaces

You create an EtherChannel for Layer 2 interfaces differently from Layer 3 interfaces.
Figure 21-2 Relationship of Physical Ports, Logical Port Channels, and Channel Groups

[Figure: the physical 10/100/1000 ports and GBIC module slots of a Catalyst 3550 are bound through channel groups to logical port-channel interfaces.]

After you configure an EtherChannel, configuration changes applied to the port-channel interface apply to all the physical interfaces assigned to t
PAgP Modes

Table 21-1 shows the user-configurable EtherChannel modes for the channel-group interface configuration command: on, auto, and desirable. Switch interfaces exchange PAgP packets only with partner interfaces configured in the auto or desirable modes; interfaces configured in the on mode do not exchange PAgP packets.
Physical Learners and Aggregate-Port Learners

Network devices are classified as PAgP physical learners or aggregate-port learners. A device is a physical learner if it learns addresses by physical ports and directs transmissions based on that knowledge. A device is an aggregate-port learner if it learns addresses by aggregate (logical) ports.
In Figure 21-3, an EtherChannel of four workstations communicates with a router. Because the router is a single-MAC-address device, source-based forwarding on the switch EtherChannel ensures that the switch uses all available bandwidth to the router. The router is configured for destination-based forwarding because the large number of workstations ensures that the traffic is evenly distributed from the router EtherChannel.
Chapter 21 Configuring EtherChannel Configuring EtherChannel

Configuring EtherChannel

This section describes these configurations for EtherChannel on Layer 2 and Layer 3 interfaces:

• Default EtherChannel Configuration, page 21-7
• EtherChannel Configuration Guidelines, page 21-8
• Configuring Layer 2 EtherChannels, page 21-9
• Configuring Layer 3 EtherChannels, page 21-11
• Configuring EtherChannel Load Balancing, page 21-13
• Configuring the PAgP Learn Method and Priority, page 21-14

Note M
EtherChannel Configuration Guidelines

If improperly configured, some EtherChannel interfaces are automatically disabled to avoid network loops and other problems. Follow these guidelines to avoid configuration problems:

• Each EtherChannel can have up to eight compatibly configured Ethernet interfaces.

Note Do not configure a GigaStack GBIC port as part of an EtherChannel.
Configuring Layer 2 EtherChannels

You configure Layer 2 EtherChannels by configuring the Ethernet interfaces with the channel-group interface configuration command, which creates the port-channel logical interface.

Note Layer 2 interfaces must be connected and functioning for IOS to create port-channel interfaces for Layer 2 EtherChannels.
Step 4  channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on}
        Assign the interface to a channel group, and specify the PAgP mode. The default mode is auto silent. For channel-group-number, the range is 1 to 64. Each EtherChannel can have up to eight compatibly configured Ethernet interfaces. For mode, select one of these keywords:
        • auto—Enables PAgP only if a PAgP device is detected.
Configuring Layer 3 EtherChannels

To configure Layer 3 EtherChannels, you create the port-channel logical interface and then put the Ethernet interfaces into the port-channel as described in the next two sections.

Creating Port-Channel Logical Interfaces

Note To move an IP address from a physical interface to an EtherChannel, you must delete the IP address from the physical interface before configuring it on the port-channel interface.
Configuring the Physical Interfaces

Beginning in privileged EXEC mode, follow these steps to assign an Ethernet interface to a Layer 3 EtherChannel:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode, and specify a physical interface to configure. Valid interfaces include physical interfaces.
Step 5  end
        Return to privileged EXEC mode.
Step 6  show running-config
        Verify your entries.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove an interface from the EtherChannel group, use the no channel-group interface configuration command.
Beginning in privileged EXEC mode, follow these steps to configure EtherChannel load balancing:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  port-channel load-balance {dst-mac | src-mac}
        Configure an EtherChannel load-balancing method. The default is src-mac.
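The following model, added as an example and not Cisco code, reproduces the reasoning given for Figure 21-3 earlier in this chapter: frames from several workstations to a single-MAC-address router spread across all channel links only under src-mac balancing, while the router's replies spread only under dst-mac balancing. The link-selection hash (low-order bits of the chosen MAC address modulo the number of links), the MAC addresses and the frame counts are assumptions of this example; the page does not describe the hardware hash.

```python
"""Model of `port-channel load-balance {dst-mac | src-mac}` on a 4-link EtherChannel.

Added example, not Cisco code. The hash below (selected MAC address modulo
the number of links) is an assumption; only the src-mac / dst-mac choice and
the reasoning about a single-MAC-address router come from the page.
"""
from collections import Counter
from typing import Dict, List, NamedTuple

SRC_MAC = "src-mac"   # default on the Catalyst 3550
DST_MAC = "dst-mac"


class Frame(NamedTuple):
    src: str   # Cisco dotted MAC, e.g. "0000.0c00.0001"
    dst: str


def mac_to_int(mac: str) -> int:
    """Parse a MAC in dotted (Cisco), colon or dash notation."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def select_link(frame: Frame, method: str, n_links: int) -> int:
    """Pick the physical link (0..n_links-1) that carries this frame."""
    if not 1 <= n_links <= 8:   # an EtherChannel has up to eight interfaces
        raise ValueError("an EtherChannel has 1 to 8 links")
    if method == SRC_MAC:
        key = mac_to_int(frame.src)
    elif method == DST_MAC:
        key = mac_to_int(frame.dst)
    else:
        raise ValueError("method must be src-mac or dst-mac")
    return key % n_links   # assumed hash: low-order bits of the chosen address


def distribute(frames: List[Frame], method: str, n_links: int) -> Dict[int, int]:
    """Count how many frames land on each link."""
    counts = Counter(select_link(f, method, n_links) for f in frames)
    return dict(sorted(counts.items()))


def links_used(frames: List[Frame], method: str, n_links: int) -> int:
    """Number of distinct links that carry any traffic."""
    return len(distribute(frames, method, n_links))


# Constructed topology: four workstations and one router behind a 4-link channel.
ROUTER = "0000.0c00.00ff"
WORKSTATIONS = ["0000.0c00.0001", "0000.0c00.0002",
                "0000.0c00.0003", "0000.0c00.0004"]
UPSTREAM = [Frame(src=w, dst=ROUTER) for w in WORKSTATIONS for _ in range(10)]
DOWNSTREAM = [Frame(src=ROUTER, dst=w) for w in WORKSTATIONS for _ in range(10)]

if __name__ == "__main__":
    # Switch side: many sources, one destination -> balance on the source MAC.
    print("switch, src-mac:", distribute(UPSTREAM, SRC_MAC, 4))
    print("switch, dst-mac:", distribute(UPSTREAM, DST_MAC, 4))
    # Router side: one source, many destinations -> balance on the destination MAC.
    print("router, dst-mac:", distribute(DOWNSTREAM, DST_MAC, 4))
    print("router, src-mac:", distribute(DOWNSTREAM, SRC_MAC, 4))
```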
Note The Catalyst 3550 supports address learning only on aggregate ports even though the physical-port keyword is provided in the CLI. The pagp learn-method command and the pagp port-priority command have no effect on the switch hardware, but they are required for PAgP interoperability with devices that only support address learning by physical ports, such as the Catalyst 1900 switch.
Chapter 21 Configuring EtherChannel Displaying EtherChannel and PAgP Status

Displaying EtherChannel and PAgP Status

You can use the privileged EXEC commands described in Table 21-3 to display EtherChannel and PAgP status information:

Table 21-3 Commands for Displaying EtherChannel and PAgP Status

show etherchannel [channel-group-number] {brief | detail | load-balance | port | port-channel | summary}
        Displays EtherChannel information in a brief, detailed, and one-line summary form.
Chapter 22 Configuring IP Unicast Routing

This chapter describes how to configure IP unicast routing on your multilayer switch. To use this feature, you must have the enhanced multilayer software image installed on your switch. All Catalyst 3550 Gigabit Ethernet switches ship with the enhanced multilayer software image (EMI) installed. Catalyst 3550 Fast Ethernet switches can be shipped with either the standard multilayer software image (SMI) or EMI pre-installed.
Chapter 22 Configuring IP Unicast Routing Understanding Routing

Understanding Routing

Network devices in different VLANs cannot communicate with one another without a Layer 3 device (router) to route traffic between the VLANs.
Chapter 22 Configuring IP Unicast Routing Steps for Configuring Routing

When Host A in VLAN 10 needs to communicate with Host B in VLAN 10, it sends a packet addressed to that host. Switch A forwards the packet directly to Host B, without sending it to the router. When Host A sends a packet to Host C in VLAN 20, Switch A forwards the packet to the router, which receives the traffic on the VLAN 10 interface.
Chapter 22 Configuring IP Unicast Routing Configuring IP Addressing

Configuring IP Addressing

A required task for configuring IP routing is to assign IP addresses to Layer 3 network interfaces to enable the interfaces and allow communication with the hosts on those interfaces that use IP. These sections describe how to configure various IP addressing features. Assigning IP addresses to the interface is required; the other procedures are optional.
Table 22-1 Default Addressing Configuration (continued)

IRDP: Disabled. Defaults when enabled:
• Broadcast IRDP advertisements.
• Maximum interval between advertisements: 600 seconds.
• Minimum interval between advertisements: 0.75 times max interval
• Preference: 0.
IP proxy ARP: Enabled.
IP routing: Disabled.
IP subnet-zero: Disabled.
Beginning in privileged EXEC mode, follow these steps to assign an IP address and a network mask to a Layer 3 interface:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode, and specify the Layer 3 interface to configure.
Step 3  no switchport
        Remove the interface from Layer 2 configuration mode (if it is a physical interface).
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

This is an example of output from the show ip interface privileged EXEC command for Gigabit Ethernet interface 0/10, displaying the detailed IP configuration and status:

Switch# s
Use of Subnet Zero

Subnetting with a subnet address of zero is strongly discouraged because of the problems that can arise if a network and a subnet have the same addresses. For example, if network 131.108.0.0 is subnetted as 255.255.255.0, subnet zero would be written as 131.108.0.0, which is the same as the network address. You can use the all ones subnet (131.108.255.
In Figure 22-2, classless routing is enabled. When the host sends a packet to 120.20.4.1, instead of discarding the packet, the router forwards it to the best supernet route. If you disable classless routing and a router receives packets destined for a subnet of a network with no network default route, the router discards the packet.

Figure 22-2 IP Classless Routing

[Figure labels: 128.0.0.0/8; 128.20.4.1; IP classless; 128.20.0.0; 128.20.1.0; 128.20.3.]
Beginning in privileged EXEC mode, follow these steps to disable classless routing:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 no ip classless Disable classless routing behavior.
Step 3 end Return to privileged EXEC mode.
Step 4 show running-config Verify your entry.
Step 5 copy running-config startup-config (Optional) Save your entry in the configuration file.

You can perform these tasks to configure address resolution:
• Define a Static ARP Cache, page 22-11
• Set ARP Encapsulation, page 22-12
• Enable Proxy ARP, page 22-13
Define a Static ARP Cache
ARP and other address resolution protocols provide dynamic mapping between IP addresses and MAC addresses. Because most hosts support dynamic address resolution, you usually do not need to specify static ARP cache entries.
This is an example of output from the show arp privileged EXEC command.
Switch# show arp
Protocol Address Internet 10.1.2.3 Internet 172.20.136.9 Internet 172.20.250.42 Internet 120.20.30.1 Internet 172.20.139.152 Internet 172.20.139.130 Internet 172.20.141.225 Internet 172.20.135.204 Internet 172.20.135.202 Internet 172.20.135.197 Internet 172.20.135.196 Note Age (min) 120 149 101 205 186 169 172 156 Hardware Addr 0002.4b29.

This is an example of output from the show interfaces interface-id privileged EXEC command displaying ARP encapsulation.
Switch# show interfaces gigabitethernet0/10
GigabitEthernet0/10 is up, line protocol is up
Hardware is Gigabit Ethernet, address is 0002.4b29.2e00 (bia 0002
Internet address is 40.5.121.
This is an example of output from the show ip interface privileged EXEC command for Gigabit Ethernet interface 0/3, where proxy ARP is enabled.
Switch# show ip interface gigabitethernet0/3
GigabitEthernet0/3 is up, line protocol is down
Internet address is 10.1.3.59/24
Broadcast address is 255.255.255.
Ethernet MAC address, and the host that sent the request sends the packet to the switch, which forwards it to the intended host. Proxy ARP treats all networks as if they are local and performs ARP requests for every IP address. Proxy ARP is enabled by default. To enable it after it has been disabled, see the “Enable Proxy ARP” section on page 22-13. Proxy ARP works as long as other routers support it.
The only required task for IRDP routing on an interface is to enable IRDP processing on that interface. When enabled, the default parameters apply. You can optionally change any of these parameters. Beginning in privileged EXEC mode, follow these steps to enable and configure IRDP on an interface:
Command Purpose
Step 1 configure terminal Enter global configuration mode.

GigabitEthernet0/3 has router discovery enabled
Advertisements will occur between every 450 and 600 seconds.
Advertisements are sent with broadcasts.
Advertisements are valid for 1800 seconds.
Default preference will be 0.

Beginning in privileged EXEC mode, follow these steps to enable forwarding of IP-directed broadcasts on an interface:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Enter interface configuration mode, and specify the interface to configure.
Step 3 ip directed-broadcast [access-list-number] Enable directed broadcast-to-physical broadcast translation on the interface.

If you do not specify any UDP ports when you configure the forwarding of UDP broadcasts, you are configuring the router to act as a BOOTP forwarding agent. BOOTP packets carry Dynamic Host Configuration Protocol (DHCP) information.

Establishing an IP Broadcast Address
The most popular IP broadcast address (and the default) is an address consisting of all ones (255.255.255.255). However, the switch can be configured to generate any form of IP broadcast address. Beginning in privileged EXEC mode, follow these steps to set the IP broadcast address on an interface:
Command Purpose
Step 1 configure terminal Enter global configuration mode.

Beginning in privileged EXEC mode, follow these steps to use the bridging spanning-tree database to flood UDP datagrams:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 ip forward-protocol spanning-tree Use the bridging spanning-tree database to flood UDP datagrams.
Step 3 end Return to privileged EXEC mode.
Step 4 show running-config Verify your entry.

You can display specific statistics, such as the contents of IP routing tables, caches, and databases; the reachability of nodes; and the routing path that packets are taking through the network. Table 22-4 lists the privileged EXEC commands for displaying IP statistics.
Table 22-4 Commands to Display Caches, Tables, and Databases
Command Purpose
show arp Display the entries in the ARP table.

Switch# show ip redirects
Default gateway is 172.20.135.

GigabitEthernet0/1 is up, line protocol is up
Internet protocol processing disabled
GigabitEthernet0/2 is up, line protocol is down
Internet protocol processing disabled
Enabling IP Routing
By default, the switch is in Layer 2 switching mode and IP routing is disabled. To use the Layer 3 capabilities of the switch, you must enable IP routing.
Configuring RIP
The Routing Information Protocol (RIP) is an interior gateway protocol (IGP) created for use in small, homogeneous networks. It is a distance-vector routing protocol that uses broadcast User Datagram Protocol (UDP) data packets to exchange routing information. The protocol is documented in RFC 1058. You can find detailed information about RIP in IP Routing Fundamentals, published by Cisco Press.

Table 22-5 Default RIP Configuration (continued)
Feature Default Setting
Validate-update-source: Enabled.
Version: Receives RIP version 1 and version 2 packets; sends version 1 packets.
For protocol-independent features that also apply to RIP, see the “Configuring Protocol-Independent Features” section on page 22-53. To configure RIP, you enable RIP routing for a network and optionally configure other parameters.

Command Purpose
Step 10 no validate-update-source (Optional) Disable validation of the source IP address of incoming RIP routing updates. By default, the switch validates the source IP address of incoming RIP routing updates and discards the update if the source address is not valid. Under normal circumstances, disabling this feature is not recommended.

RIP Authentication
RIP version 1 does not support authentication. If you are sending and receiving RIP Version 2 packets, you can enable RIP authentication on an interface. The key chain determines the set of keys that can be used on the interface. If a key chain is not configured, no authentication is performed, not even the default. Therefore, you must also perform the tasks in the “Managing Authentication Keys” section on page 22-63.

Note In general, disabling split horizon is not recommended unless you are certain that your application requires it to properly advertise routes. If you want to configure an interface running RIP to advertise a summarized local IP address pool on a network access server for dial-up clients, use the ip summary-address rip interface configuration command.

Configuring IGRP
Interior Gateway Routing Protocol (IGRP) is a dynamic, distance-vector routing, proprietary Cisco protocol for routing in an autonomous system that contains large, arbitrarily complex networks with diverse bandwidth and delay characteristics. IGRP uses a combination of user-configurable metrics, including internetwork delay, bandwidth, reliability, and load.

Table 22-6 Default IGRP Configuration (continued)
Feature Default Setting
Network: None specified.
Offset-list: Disabled.
Set metric: None set in route map.
Timers basic: Update: 90 seconds. Invalid: 270 seconds. Hold-down: 280 seconds. Flush: 630 seconds. Sleeptime: 0 milliseconds.
Traffic-share: Distributed proportionately to the ratios of the metrics.

If variance is configured as described in the preceding section, IGRP or Enhanced IGRP distributes traffic among multiple routes of unequal cost to the same destination. If you want faster convergence to alternate routes, but you do not want to send traffic across inferior routes in the normal case, you might prefer to have no traffic flow along routes with higher metrics.

Command Purpose
Step 8 no metric holddown (Optional) Disable the IGRP hold-down period. The route to a network is placed in holddown if the router learns that the network is farther away than previously known or is down. Holddown keeps new routing information from being used for a certain period of time. This can prevent routing loops caused by slow convergence.

This is an example of output from the show ip protocols privileged EXEC command that verifies the IGRP configuration.

Configuring OSPF
This section briefly describes how to configure Open Shortest Path First (OSPF). For a complete description of the OSPF commands, refer to the “OSPF Commands” chapter of the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
Note OSPF classifies different media into broadcast, nonbroadcast, and point-to-point networks.

Table 22-7 Default OSPF Configuration
Feature Default Setting
Interface parameters: Cost: No default cost predefined. Retransmit interval: 5 seconds. Transmit delay: 1 second. Priority: 1. Hello interval: 10 seconds. Dead interval: 4 times the hello interval. No authentication. No password specified. MD5 authentication disabled.
Area: Authentication type: 0 (no authentication). Default cost: 1. Range: Disabled. Stub: No stub area defined.

Table 22-7 Default OSPF Configuration (continued)
Feature Default Setting
Timers shortest path first (spf): spf delay: 5 seconds. spf-holdtime: 10 seconds.
Virtual link: No area ID or router ID defined. Hello interval: 10 seconds. Retransmit interval: 5 seconds. Transmit delay: 1 second. Dead interval: 40 seconds. Authentication key: no key predefined. Message-digest key (MD5): no key predefined.

This is an example of output from the show ip protocols privileged EXEC command that verifies the OSPF process ID.
Switch# show ip protocols
Command Purpose
Step 9 ip ospf authentication-key key (Optional) Assign a password to be used by neighboring OSPF routers. The password can be any string of keyboard-entered characters up to 8 bytes in length. All neighboring routers on the same network must have the same password to exchange OSPF information.
Step 10 ip ospf message-digest-key keyid md5 key (Optional) Enable MD5 authentication.
• keyid—An identifier from 1 to 255.
Note The OSPF area router configuration commands are all optional.
Beginning in privileged EXEC mode, follow these steps to configure area parameters:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 router ospf process-id Enable OSPF routing, and enter router configuration mode.

Switch# show ip ospf
Routing Process "ospf 1" with ID 172.20.135.202 and Domain ID 0.0.0.1
Supports only single TOS(TOS0) routes
Supports opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of opaque AS LSA 0.

• Passive interfaces: Because interfaces between two devices on an Ethernet represent only one network segment, to prevent OSPF from sending hello packets for the sending interface, you must configure the sending device to be a passive interface. Both devices can identify each other through the hello packet for the receiving interface.

Change LSA Group Pacing
The OSPF LSA group pacing feature allows the router to group OSPF LSAs and pace the refreshing, check-summing, and aging functions for more efficient router use. This feature is enabled by default with a 4-minute default pacing interval, and you will not usually need to modify this parameter. The optimum group pacing interval is inversely proportional to the number of LSAs the router is refreshing, check-summing, and aging.

Monitoring OSPF
You can display specific statistics such as the contents of IP routing tables, caches, and databases. Table 22-8 lists some of the privileged EXEC commands for displaying statistics. For more show ip ospf database privileged EXEC command options and for explanations of fields in the resulting display, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1.

This is an example of output from the show ip ospf database privileged EXEC command when no arguments or keywords are used:
Switch# show ip ospf database
OSPF Router with ID (172.20.135.202) (Process ID 1)
Router Link States (Area 1)
Link ID         ADV Router
172.20.135.202  172.20.135.

Configuring EIGRP
Enhanced IGRP (EIGRP) is a Cisco proprietary enhanced version of the IGRP. Enhanced IGRP uses the same distance vector algorithm and distance information as IGRP; however, the convergence properties and the operating efficiency of Enhanced IGRP are significantly improved.

feasible successors, but there are neighbors advertising the destination, a recomputation must occur. This is the process whereby a new successor is determined. The amount of time it takes to recompute the route affects the convergence time. Recomputation is processor-intensive; it is advantageous to avoid recomputation if it is not necessary. When a topology change occurs, DUAL tests for feasible successors.

Table 22-9 Default EIGRP Configuration (continued)
Feature Default Setting
Network: None specified.
Offset-list: Disabled.
Router EIGRP: Disabled.
Set metric: No metric set in the route map.
Traffic-share: Distributed proportionately to the ratios of the metrics.
Variance: 1 (equal-cost load balancing).
To create an EIGRP routing process, you must enable EIGRP and associate networks.
Command Purpose
Step 6 offset-list [access-list-number | name] {in | out} offset [type number] (Optional) Apply an offset list to routing metrics to increase incoming and outgoing metrics to routes learned through EIGRP. You can limit the offset list with an access list or an interface.
Step 7 no auto-summary (Optional) Disable automatic summarization of subnet routes into network-level routes.
Command Purpose
Step 5 ip hello-interval eigrp autonomous-system-number seconds (Optional) Change the hello time interval for an EIGRP routing process. The range is 1 to 65535 seconds. The default is 60 seconds for low-speed NBMA networks and 5 seconds for all other networks.
Step 6 ip hold-time eigrp autonomous-system-number seconds (Optional) Change the hold time interval for an EIGRP routing process. The range is 1 to 65535 seconds.

Command Purpose
Step 7 key number In key-chain configuration mode, identify the key number.
Step 8 key-string text In key-chain key configuration mode, identify the key string.
Step 9 accept-lifetime start-time {infinite | end-time | duration seconds} (Optional) Specify the time period during which the key can be received. The start-time and end-time syntax can be either hh:mm:ss Month date year or hh:mm:ss date Month year.

This is an example of output from the show ip eigrp interface privileged EXEC command:
Switch# show ip eigrp interface
IP EIGRP interfaces for process 109
                   Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface   Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi0/1         0       0/0         0       11/434          0           0
Gi0/3         1       0/0       337        0/10           0           0
Gi0/4         1       0/0        10        1/63         103           0
Gi0/5         1       0/0       330        0/16           0           0
This is an example of output from the show ip eigrp neighbors privileged EXEC comm
Configuring Protocol-Independent Features
This section describes how to configure IP routing protocol-independent features. For a complete description of the IP routing protocol-independent commands in this chapter, refer to the “IP Routing Protocol-Independent Commands” chapter of the Cisco IOS IP and IP Routing Command Reference for Release 12.1.

Beginning in privileged EXEC mode, follow these steps to enable CEF on an interface after it has been disabled:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Enter interface configuration mode, and specify the Layer 3 interface to configure.
Step 3 ip route-cache cef Enable CEF on the interface.
Step 4 end Return to privileged EXEC mode.

Beginning in privileged EXEC mode, follow these steps to change the maximum number of parallel paths installed in a routing table from the default:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 router {rip | ospf | igrp | eigrp} Enter router configuration mode.
Step 3 maximum-paths maximum Set the maximum number of parallel paths for the protocol routing table.

The switch retains static routes until you remove them (by using the no ip route global configuration command). However, you can override static routes with dynamic routing information by assigning administrative distance values. Each dynamic routing protocol has a default administrative distance, as listed in Table 22-11.

Beginning in privileged EXEC mode, follow these steps to define a static route to a network as the static default route:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 ip default-network network number Specify a default network.
Step 3 end Return to privileged EXEC mode.
Step 4 show ip route Display the selected default route in the gateway of last resort display.

Beginning in privileged EXEC mode, follow these steps to configure a route map for redistribution:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 route-map map-tag [permit | deny] [sequence number] Define any route maps used to control redistribution and enter route-map configuration mode. map-tag—A meaningful name for the route map.

Command Purpose
Step 12 set metric metric value Set the metric value to give the redistributed routes (for any protocol except IGRP or EIGRP). The metric value is an integer from -294967295 to 294967295.

You can distribute routes from one routing domain into another and control route distribution. Beginning in privileged EXEC mode, follow these steps to control route redistribution. Note that the keywords are the same as defined in the previous procedure.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 router {rip | ospf | igrp | eigrp} Enter router configuration mode.

Filtering Routing Information
You can filter routing protocol information by performing the tasks described in this section.
Note When routes are redistributed between OSPF processes, no OSPF metrics are preserved.

Controlling Advertising and Processing in Routing Updates
You can use the distribute-list router configuration command with access control lists to suppress routes from being advertised in routing updates and to prevent other routers from learning one or more routes. When used in OSPF, this feature applies to only external routes, and you cannot specify an interface name.

Command Purpose
Step 3 distance weight {ip-address {ip-address mask}} [ip access list] Define an administrative distance. weight—The administrative distance as an integer from 10 to 255. Used alone, weight specifies a default administrative distance that is used when no other specification exists for a routing information source. Routes with a distance of 255 are not installed in the routing table.

Command Purpose
Step 5 accept-lifetime start-time {infinite | end-time | duration seconds} (Optional) Specify the time period during which the key can be received. The start-time and end-time syntax can be either hh:mm:ss Month date year or hh:mm:ss date Month year. The default is forever with the default start-time and the earliest acceptable date as January 1, 1993. The default end-time and duration is infinite.
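The accept-lifetime forms in this step (the same syntax appears in the EIGRP key-chain procedure earlier) decide which keys a switch will accept when validating RIP or EIGRP updates, and a gap between a retiring key and its replacement means authenticated updates are silently discarded. The following Python is an added example, not code from the Cisco guide; the sample key chain, its key strings and dates, and the hourly scan step are constructed assumptions.

```python
"""Model IOS key-chain accept-lifetime windows (added example, not Cisco code).

Each key in a key chain is accepted only inside its accept-lifetime window:
start-time followed by 'infinite', an end-time, or 'duration seconds'. With no
accept-lifetime at all a key is accepted forever (default start January 1,
1993, default end infinite). The functions below let a reviewer check which
keys a switch would accept at a given moment and whether rotated keys overlap.
"""
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Three-letter month prefixes; IOS accepts the full month name or a prefix.
MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}

# Default start-time: the earliest acceptable date, January 1, 1993.
EARLIEST_START = datetime(1993, 1, 1)

Lifetime = Tuple[datetime, Optional[datetime]]   # (start, end); end None = infinite


def _month(token: str) -> Optional[int]:
    """Return the month number for a month-name token, else None."""
    if not token.isalpha() or len(token) < 3:
        return None
    return MONTHS.get(token.lower()[:3])


def parse_ios_time(text: str) -> datetime:
    """Parse 'hh:mm:ss Month date year' or 'hh:mm:ss date Month year'."""
    parts = text.split()
    if len(parts) != 4:
        raise ValueError(f"bad IOS time: {text!r}")
    hh, mm, ss = (int(x) for x in parts[0].split(":"))
    year = int(parts[3])
    if _month(parts[1]) is not None:          # Month date year
        month, day = _month(parts[1]), int(parts[2])
    elif _month(parts[2]) is not None:        # date Month year
        day, month = int(parts[1]), _month(parts[2])
    else:
        raise ValueError(f"no month name in {text!r}")
    return datetime(year, month, day, hh, mm, ss)


def parse_accept_lifetime(spec: Optional[str]) -> Lifetime:
    """Turn the argument string of accept-lifetime into (start, end)."""
    if spec is None:                           # command absent: accept forever
        return EARLIEST_START, None
    tokens = spec.split()
    start = parse_ios_time(" ".join(tokens[:4]))   # start-time is always first
    rest = tokens[4:]
    if rest == ["infinite"]:
        return start, None
    if len(rest) == 2 and rest[0] == "duration":
        return start, start + timedelta(seconds=int(rest[1]))
    if len(rest) == 4:
        end = parse_ios_time(" ".join(rest))
        if end < start:
            raise ValueError(f"end-time precedes start-time: {spec!r}")
        return start, end
    raise ValueError(f"bad accept-lifetime: {spec!r}")


# Constructed sample key chain: (key number, key-string, accept-lifetime args).
# Key 1 is being rotated out, key 2 rotated in with a two-week overlap, and
# key 3 is a one-hour key. Key strings are placeholders, not real secrets.
SAMPLE_CHAIN = [
    (1, "old-rip-key", "00:00:00 Jan 1 2002 23:59:59 Mar 31 2002"),
    (2, "new-rip-key", "00:00:00 15 March 2002 infinite"),
    (3, "one-hour-key", "12:00:00 Mar 1 2002 duration 3600"),
]


def accepted_keys(chain, at: datetime) -> List[int]:
    """Key numbers whose accept-lifetime window contains the instant `at`."""
    result = []
    for number, _key_string, spec in chain:
        start, end = parse_accept_lifetime(spec)
        if start <= at and (end is None or at <= end):
            result.append(number)
    return result


def first_uncovered_instant(chain, start: datetime, end: datetime,
                            step: timedelta = timedelta(hours=1)) -> Optional[datetime]:
    """Scan [start, end] in `step` increments and return the first sampled
    instant at which no key is accepted, or None if every sample is covered.
    A gap means authenticated updates received during it would be discarded.
    """
    t = start
    while t <= end:
        if not accepted_keys(chain, t):
            return t
        t += step
    return None


if __name__ == "__main__":
    for when in (datetime(2002, 2, 1), datetime(2002, 3, 1, 12, 30), datetime(2002, 4, 1)):
        print(when, "->", accepted_keys(SAMPLE_CHAIN, when))
    print("first gap:", first_uncovered_instant(SAMPLE_CHAIN, datetime(2002, 1, 1),
                                                datetime(2002, 12, 31)))
```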
This is an example of output from the show ip route privileged EXEC command when entered without an address:
Switch# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2

This is an example of output from the show ip route supernets-only privileged EXEC command. This display shows supernets only; it does not show subnets.
Chapter 23 Configuring HSRP
This chapter describes how to use Hot Standby Router Protocol (HSRP) to provide routing redundancy for routing IP traffic without being dependent on the availability of any single router. To use this feature, you must have the enhanced multilayer software image installed on your switch. All Catalyst 3550 Gigabit Ethernet switches ship with the enhanced multilayer software image (EMI) installed.

Note Routers in an HSRP group can be any router interface that supports HSRP, including Catalyst 3550 routed ports and switch virtual interfaces (SVIs).
HSRP provides high network availability by providing redundancy for IP traffic from hosts on networks.

Figure 23-1 Typical HSRP Configuration (figure; labels recovered from the extraction: Host B, virtual router, standby router, Router A, Router B, stacked Catalyst 3550 or 2900XL/3500XL switches, and the addresses 172.20.130.5, 172.20.128.1, 172.20.128.2, 172.20.128.3, 172.20.128.55)

• Etherchannel port channel in Layer 3 mode: a port-channel logical interface created by using the interface port-channel port-channel-number global configuration command and binding the Ethernet interface into the channel group. For more information, see the “Configuring Layer 3 EtherChannels” section on page 21-11.
All Layer 3 interfaces must have IP addresses assigned to them. See the “Configuring Layer 3 Interfaces” section on page 8-22.

Beginning in privileged EXEC mode, follow these steps to create or enable HSRP on a Layer 3 interface:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Enter interface configuration mode, and enter the Layer 3 interface on which you want to enable HSRP.
Step 3 standby [group-number] ip [ip-address [secondary]] Create (or enable) the HSRP group using its number and virtual IP address.

Configuring HSRP Group Attributes
Although HSRP can run with no other configuration required, you can configure attributes for the HSRP group, including authentication, priority, preemption and preemption delay, timers, or MAC address.

Beginning in privileged EXEC mode, use one or more of these steps to configure HSRP priority characteristics on an interface:
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Enter interface configuration mode, and enter the HSRP interface on which you want to set priority.

Use the no standby [group-number] priority priority [preempt [delay delay]] and no standby [group-number] [priority priority] preempt [delay delay] interface configuration commands to restore default priority, preempt, and delay values. Use the no standby [group-number] track type number [interface-priority] interface configuration command to remove the tracking.

Command Purpose
Step 4 standby [group-number] timers hellotime holdtime (Optional) Configure the time between hello packets and the time before other routers declare the active router to be down.
• group-number—The group number to which the command applies.
• hellotime—The hello interval in seconds. The range is from 1 to 255; the default is 3 seconds.
• holdtime—The time in seconds before the active or standby router is declared to be down.

Displaying HSRP Configurations
From privileged EXEC mode, use this command to display HSRP settings:
show standby [interface-id [group]] [brief] [detail]
You can display HSRP information for the whole switch, for a specific interface, for an HSRP group, or for an HSRP group on an interface. You can also specify whether to display a concise overview of HSRP information or detailed HSRP information. The default display is detail.

Chapter 24 Configuring IP Multicast Routing
IP multicasting is a more efficient way to use network resources, especially for bandwidth-intensive services such as audio and video. IP multicast allows a host (source) to send packets to a group of hosts (receivers) anywhere within the IP network by using a special form of IP address called the IP multicast group address.

• Configuring Basic DVMRP Interoperability Features, page 24-43
• Configuring Advanced DVMRP Interoperability Features, page 24-50
• Monitoring and Maintaining IP Multicast Routing, page 24-57
For information on configuring the Multicast Source Discovery Protocol (MSDP), see Chapter 25, “Configuring MSDP.

Understanding IGMP
To participate in IP multicasting, multicast hosts, routers, and multilayer switches must have IGMP operating. This protocol is the group membership protocol used by hosts to inform routers and multilayer switches of the existence of members on their directly connected networks and to allow them to send and receive multicast datagrams.
IGMP Version 2
IGMPv2 provides enhancements over IGMPv1. The query and membership report messages are identical to IGMPv1 messages with two exceptions. The first difference is that the IGMPv2 query message is broken into two categories: general queries, which perform the same function as the IGMPv1 queries, and group-specific queries, which are queries directed to a single group.
Chapter 24 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing group-specific query. It responds with an IGMPv2 membership report to inform Router 1 that a member is still present. When Router 1 receives the report, it keeps the group active on the subnet. If no response is received, the query router stops forwarding its traffic to the subnet.
Chapter 24 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing The simplest form of a multicast distribution tree is a source tree whose root is the source of the multicast traffic and whose branches form a spanning tree through the network to the receivers. Because this tree uses the shortest path through the network, it is also referred to as a shortest-path tree (SPT). A separate SPT exists for every individual source sending to each group.
Chapter 24 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing PIM SM PIM SM uses shared trees and SPTs to distribute multicast traffic to multicast receivers in the network. In PIM SM, a router or multilayer switch assumes that other routers or switches do not forward multicast packets for a group, unless there is an explicit request for the traffic (join message).
Chapter 24 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing Prune messages are sent up the distribution tree to prune multicast group traffic. This action permits branches of the shared tree or SPT that were created with explicit join messages to be torn down when they are no longer needed.
Chapter 24 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing travel hop-by-hop throughout the PIM domain. Because BSR messages contain the IP address of the current BSR, the flooding mechanism allows candidate RPs to automatically learn which device is the elected BSR. Candidate RPs send candidate RP advertisements showing the group range for which they are responsible directly to the BSR, which stores this information in its local candidate-RP cache.
Chapter 24 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing Figure 24-6 RPF Check Multicast packet from source 151.10.3.21 is forwarded. Multicast packet from source 151.10.3.21 packet is discarded. Gigabit Ethernet 0/2 Gigabit Ethernet 0/1 Si Gigabit Ethernet 0/3 Gigabit Ethernet 0/4 Routing Table 151.10.0.0/16 198.14.32.0/32 204.1.16.
Understanding DVMRP
Distance Vector Multicast Routing Protocol (DVMRP) is implemented in the equipment of many vendors and is based on the public-domain mrouted program. This protocol has been deployed in the multicast backbone (MBONE) and in other intradomain multicast networks. Cisco routers and multilayer switches run PIM and can forward multicast packets to and receive from a DVMRP neighbor.

CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. CGMP permits Layer 2 group membership information to be communicated from the CGMP server to the switch, which can learn on which ports multicast members reside instead of flooding multicast traffic to all switch ports.

Leaving a Group with CGMP
When an IGMPv2 host leaves a group, it can send an IGMP leave group message to the all-multicast-routers group (224.0.0.2). The CGMP server translates this leave group message into a CGMP leave message and sends it to the switch.
Table 24-1 Default Multicast Routing Configuration (continued)

Feature                             Default Setting
Candidate RPs                       Disabled.
Shortest-path tree threshold rate   0 kbps.
PIM router query message interval   30 seconds.
Auto-RP and BSR Configuration Guidelines
There are two approaches to using PIMv2. You can use Version 2 exclusively in your network or migrate to Version 2 by employing a mixed PIM version environment.
• If your network is all Cisco routers and multilayer switches, you can use either Auto-RP or BSR.
• If you have non-Cisco routers in your network, you must use BSR.
Step 3: interface interface-id
  Enter interface configuration mode, and specify the Layer 3 interface on which you want to enable multicast routing. The specified interface must be one of the following:
  • A routed port: a physical port that has been configured as a Layer 3 port by entering the no switchport interface configuration command.
Configuring a Rendezvous Point
If you have configured PIM SM or PIM SM-DM, you must configure an RP for the multicast group.
Step 3: access-list access-list-number {deny | permit} source [source-wildcard]
  Create a standard access list, repeating the command as many times as necessary.
  • For access-list-number, enter the access list number specified in Step 2.
  • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
This section contains this configuration information:
• Setting up Auto-RP in a New Internetwork, page 24-19
• Adding Auto-RP to an Existing Sparse-Mode Cloud, page 24-19
• Preventing Join Messages to False RPs, page 24-20
• Preventing Candidate RP Spoofing, page 24-21
For overview information, see the “Auto-RP” section on page 24-8.
Step 4: access-list access-list-number {deny | permit} source [source-wildcard]
  Create a standard access list, repeating the command as many times as necessary.
  • For access-list-number, enter the access list number specified in Step 3.
  • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
If all interfaces are in sparse mode, use a default-configured RP to support the two well-known groups 224.0.1.39 and 224.0.1.40. Auto-RP uses these two well-known groups to collect and distribute RP-mapping information. When this is the case and the ip pim accept-rp auto-rp command is configured, another ip pim accept-rp command accepting the RP must be configured as follows:
Switch(config)# ip pim accept-rp 172.10.20.
Step 5: show running-config
  Verify your entries.
Step 6: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To remove a filter on incoming RP announcement messages, use the no ip pim rp-announce-filter rp-list access-list-number group-list access-list-number global configuration command.
Beginning in privileged EXEC mode, follow these steps to define the PIM domain border:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: interface interface-id
  Enter interface configuration mode, and specify the interface to be configured.
Step 3: ip pim bsr-border
  Define a PIM bootstrap message boundary for the PIM domain.
Defining the IP Multicast Boundary
You define a multicast boundary to prevent Auto-RP messages from entering the PIM domain. You create an access list to deny packets destined for 224.0.1.39 and 224.0.1.40, which carry Auto-RP information.
Beginning in privileged EXEC mode, follow these steps to define a multicast boundary:
Step 1: configure terminal
  Enter global configuration mode.
Configuring Candidate BSRs
You can configure one or more candidate BSRs. The devices serving as candidate BSRs should have good connectivity to other devices and be in the backbone portion of the network.
Beginning in privileged EXEC mode, follow these steps to configure your multilayer switch as a candidate BSR:
Step 1: configure terminal
  Enter global configuration mode.
Configuring Candidate RPs
You can configure one or more candidate RPs. Similar to BSRs, the RPs should also have good connectivity to other devices and be in the backbone portion of the network. An RP can serve the entire IP multicast address space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR.

This example shows how to configure the multilayer switch to advertise itself as a candidate RP to the BSR in its PIM domain. Standard access list number 4 specifies the group prefix associated with the RP that has the address identified by Gigabit Ethernet interface 0/2. That RP is responsible for the groups with the prefix 239.
Troubleshooting PIMv1 and PIMv2 Interoperability Problems
When debugging interoperability problems between PIMv1 and PIMv2, check these in the order shown:
1. Verify RP mapping with the show ip pim rp-hash privileged EXEC command, making sure that all systems agree on the same RP for the same group.
2. Verify interoperability between different versions of DRs and RPs.

This process describes the move from a shared tree to a source tree:
1. A receiver joins a group; leaf Router C sends a join message toward the RP.
2. The RP puts a link to Router C in its outgoing interface list.
3. A source sends data; Router A encapsulates the data in a register message and sends it to the RP.
4. The RP forwards the data down the shared tree to Router C and sends a join message toward the source.
Beginning in privileged EXEC mode, follow these steps to configure a traffic rate threshold that must be reached before multicast routing is switched from the source tree to the shortest-path tree:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: access-list access-list-number {deny | permit} source [source-wildcard]
  Create a standard access list.

By default, multicast routers and multilayer switches send PIM router-query messages every 30 seconds. Beginning in privileged EXEC mode, follow these steps to modify the router-query message interval:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: interface interface-id
  Enter interface configuration mode, and specify the interface to be configured.
Table 24-2 Default IGMP Configuration (continued)

Feature                                           Default Setting
Access to multicast groups                        All groups are allowed on an interface.
IGMP host-query message interval                  60 seconds on all interfaces.
Multilayer switch as a statically connected member  Disabled.
You can determine the query interval by entering the show ip igmp interface interface-id privileged EXEC command.
Beginning in privileged EXEC mode, follow these steps to change the IGMP query timeout:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: interface interface-id
  Enter interface configuration mode, and specify the interface to be configured.
Configuring the Multilayer Switch as a Member of a Group
Multilayer switches can be configured as members of a multicast group. This is useful to determine multicast reachability in a network. If all the multicast-capable routers and multilayer switches that you administer are members of a multicast group, pinging that group causes all these devices to respond.

Controlling Access to IP Multicast Groups
The multilayer switch sends IGMP host-query messages to determine which multicast groups have members on attached local networks. The switch then forwards to these group members all packets addressed to the multicast group. You can place a filter on each interface to restrict the multicast groups that hosts on the subnet serviced by the interface can join.

Modifying the IGMP Host-Query Message Interval
The multilayer switch periodically sends IGMP host-query messages to discover which multicast groups are present on attached networks. These messages are sent to the all-hosts multicast group (224.0.0.1) with a time-to-live (TTL) of 1. The switch sends host-query messages to refresh its knowledge of memberships present on the network.
Beginning in privileged EXEC mode, follow these steps to configure the switch itself to be a statically connected member of a group (and allow fast switching):
Step 1: configure terminal
  Enter global configuration mode.
Step 2: interface interface-id
  Enter interface configuration mode, and specify the interface to be configured.
Enabling CGMP Server Support
The multilayer switch serves as a CGMP server for devices that do not support IGMP snooping but have CGMP client functionality. CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP.

Configuring sdr Listener Support
The MBONE is the small subset of Internet routers and hosts that are interconnected and capable of forwarding IP multicast traffic. Other interesting multimedia content is often broadcast over the MBONE.
Step 3: end
  Return to privileged EXEC mode.
Step 4: show running-config
  Verify your entries.
Step 5: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To return to the default setting, use the no ip sdr cache-timeout global configuration command. To delete the entire cache, use the clear ip sdr privileged EXEC command.
multicast packets with an initial TTL value set to 99. The engineering and marketing departments have set a TTL threshold of 40 at the perimeter of their networks; therefore, multicast applications running on these networks can prevent their multicast transmissions from leaving their respective networks.

Configuring an IP Multicast Boundary
Like TTL thresholds, administratively-scoped boundaries can also be used to limit the forwarding of multicast traffic outside of a domain or subdomain. This approach uses a special range of multicast addresses, called administratively-scoped addresses, as the boundary mechanism.
Beginning in privileged EXEC mode, follow these steps to set up an administratively-scoped boundary:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: access-list access-list-number {deny | permit} source [source-wildcard]
  Create a standard access list, repeating the command as many times as necessary.
  • For access-list-number, the range is 1 to 99.
Configuring DVMRP Interoperability
Cisco multicast routers and multilayer switches using PIM can interoperate with non-Cisco multicast routers that use the DVMRP. PIM devices dynamically discover DVMRP multicast routers on attached networks by listening to DVMRP probe messages.
Beginning in privileged EXEC mode, follow these steps to configure the sources that are advertised and the metrics that are used when DVMRP route-report messages are sent:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: access-list access-list-number {deny | permit} source [source-wildcard]
  Create a standard access list, repeating the command as many times as necessary.

This example shows how to configure DVMRP interoperability when the PIM device and the DVMRP router are on the same network segment. In this example, access list 1 advertises the networks (198.92.35.0, 198.92.36.0, 198.92.37.0, 131.108.0.0, and 150.136.0.0) to the DVMRP router, and access list 2 prevents all other networks from being advertised (ip dvmrp metric 0 interface configuration command).
Beginning in privileged EXEC mode, follow these steps to configure a DVMRP tunnel:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: access-list access-list-number {deny | permit} source [source-wildcard]
  Create a standard access list, repeating the command as many times as necessary.
  • For access-list-number, the range is 1 to 99.

Step 11: show running-config
  Verify your entries.
Step 12: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
To disable the filter, use the no ip dvmrp accept-filter access-list-number [distance] neighbor-list access-list-number interface configuration command.
This example shows how to configure a DVMRP tunnel.
Step 3: ip dvmrp default-information {originate | only}
  Advertise network 0.0.0.0 to DVMRP neighbors. Use this command only when the multilayer switch is a neighbor of mrouted version 3.6 machines. The keywords have these meanings:
  • originate: Specifies that other routes more specific than 0.0.0.0 can also be advertised.
  • only: Specifies that no DVMRP routes other than 0.0.0.
Configuring Advanced DVMRP Interoperability Features
Cisco routers and multilayer switches run PIM to forward multicast packets to receivers and receive multicast packets from senders. It is also possible to propagate DVMRP routes into and through a PIM cloud. PIM uses this information; however, Cisco routers and multilayer switches do not implement DVMRP to forward multicast packets.

Rejecting a DVMRP Nonpruning Neighbor
By default, Cisco devices accept all DVMRP neighbors as peers, regardless of their DVMRP capability. However, some non-Cisco devices run old versions of DVMRP that cannot prune, so they continuously receive forwarded packets, wasting bandwidth. Figure 24-13 shows this scenario.
Figure 24-14 Router Rejects Nonpruning DVMRP Neighbor
[Figure: a source router or RP, Router A, Router B, a multilayer switch and a receiver; multicast traffic gets to the receiver but not to the leaf nonpruning DVMRP device. Callout: configure the ip dvmrp reject-non-pruners command on this interface.]
Note that the ip dvmrp reject-non-pruners interface configuration command prevents peering with neighbors only.
Controlling Route Exchanges
This section describes how to tune the Cisco device advertisements of DVMRP routes.

Changing the DVMRP Route Threshold
By default, 10,000 DVMRP routes can be received per interface within a 1-minute interval. When that rate is exceeded, a syslog message is issued, warning that there might be a route surge occurring. The warning is typically used to quickly detect when devices have been misconfigured to inject a large number of routes into the MBONE.
Figure 24-15 Only Connected Unicast Routes Are Advertised by Default
[Figure: a DVMRP router exchanges a DVMRP Report with a Cisco device configured with interface tunnel 0 (ip unnumbered fa0/1), interface fastethernet 0/1 (ip addr 176.32.10.1 255.255.255.0, ip pim dense-mode) and interface fastethernet 0/2 (ip addr 176.32.15.1 255.255.255.). The report carries 151.16.0.0/16 m = 39, 172.34.15.0/24 m = 42, 202.13.3.0/24 m = 40, 176.32.10.0/24 m = 1 and 176.32.15.0/24 m = 1.]
Disabling DVMRP Autosummarization
By default, the Cisco IOS software automatically performs some level of DVMRP summarization. Disable this function if you want to advertise all routes, not just a summary. In some special cases, you can use the neighboring DVMRP router with all subnet information to better control the flow of multicast traffic in the DVMRP network.
Beginning in privileged EXEC mode, follow these steps to change the default metric:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: interface interface-id
  Enter interface configuration mode, and specify the interface to be configured.
Step 3: ip dvmrp metric-offset [in | out] increment
  Change the metric added to DVMRP routes advertised in incoming reports.
Clearing Caches, Tables, and Databases
You can remove all contents of a particular cache, table, or database. Clearing a cache, table, or database might be necessary when the contents of the particular structure are, or are suspected to be, invalid.
Table 24-4 Commands for Displaying System and Network Statistics (continued)

Command                                          Purpose
show ip pim interface [type number] [count]      Display information about interfaces configured for PIM.
show ip pim neighbor [type number]               List the PIM neighbors discovered by the multilayer switch.
show ip pim rp [group-name | group-address]      Display the RP routers associated with a sparse-mode multicast group.
Catalyst 3550 Multilayer Switch Software Configuration Guide 24-60 78-11194-03
CHAPTER 25 Configuring MSDP
This chapter describes how to configure the Multicast Source Discovery Protocol (MSDP) on your multilayer switch. The MSDP connects multiple Protocol-Independent Multicast sparse-mode (PIM-SM) domains. MSDP is not fully supported in this IOS release because of a lack of support for Multicast Border Gateway Protocol (MBGP), which works closely with MSDP. However, it is possible to create default peers that MSDP can operate with if MBGP is not running.

Understanding MSDP
The purpose of this topology is to have domains discover multicast sources in other domains. If the multicast sources are of interest to a domain that has receivers, multicast data is delivered over the normal, source-tree building mechanism in PIM-SM. MSDP is also used to announce sources sending to a group. These announcements must originate at the domain RP. MSDP depends heavily on the Border Gateway Protocol (BGP) or MBGP for interdomain operation.
Figure 25-1 MSDP Running Between RP Peers
[Figure: an RP that is also an MSDP peer exchanges MSDP SA messages with MSDP peers over TCP connections, with BGP between the peers and peer RPF flooding of SAs; within a PIM sparse-mode domain, a source registers with the RP through the PIM DR, and a receiver's multicast (S,G) join is shown.]

MSDP Benefits
MSDP has these benefits:
• It breaks up the shared multicast distribution tree. You can make the shared tree local to your domain.
Configuring MSDP
This section describes how to configure MSDP.
Figure 25-2 Default MSDP Peer Network
[Figure: Router C (10.1.1.1) in the ISP C PIM domain and Router A in the ISP A PIM domain are both configured as default MSDP peers of Multilayer Switch B in the customer PIM domain; SA messages flow from the ISP domains to the switch.]
Beginning in privileged EXEC mode, follow these steps to specify a default MSDP peer:
Step 1: configure terminal
  Enter global configuration mode.
Step 3: ip prefix-list name [description string] | seq number {permit | deny} network length
  (Optional) Create a prefix list using the name specified in Step 2.
  • (Optional) For description string, enter a description of up to 80 characters to describe this prefix list.
  • For seq number, enter the sequence number of the entry. The range is 1 to 4294967294.
Step 4: ip msdp description {peer-name | peer-address} text
Beginning in privileged EXEC mode, follow these steps to enable the caching of source/group pairs:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: ip msdp cache-sa-state [list access-list-number]
  Enable the caching of source/group pairs (create an SA state). Those pairs that pass the access list are cached. For list access-list-number, the range is 100 to 199.
Requesting Source Information from an MSDP Peer
Local RPs can send SA requests and get immediate responses for all active sources for a given group. By default, the multilayer switch does not send any SA request messages to its MSDP peers when a new member joins a group and wants to receive multicast traffic. The new member waits to receive the next periodic SA message.

Redistributing Sources
SA messages are originated on RPs to which sources have registered. By default, any source that registers with an RP is advertised. The A flag is set in the RP when a source is registered, which means the source is advertised in an SA unless it is filtered.
Step 3: access-list access-list-number {deny | permit} source [source-wildcard]
  Create an IP standard access list, repeating the command as many times as necessary.
  or
  access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
  Create an IP extended access list, repeating the command as many times as necessary.
Filtering Source-Active Request Messages
By default, only multilayer switches that are caching SA information can respond to SA requests. By default, such a switch honors all SA request messages from its MSDP peers and supplies the IP addresses of the active sources. However, you can configure the switch to ignore all SA requests from an MSDP peer. You can also honor only those SA request messages from a peer for groups described by a standard access list.

Controlling Source Information that Your Switch Forwards
By default, the multilayer switch forwards all SA messages it receives to all its MSDP peers. However, you can prevent outgoing messages from being forwarded to a peer by using a filter or by setting a time-to-live (TTL) value. These methods are described in the next sections.
Step 3: access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
  (Optional) Create an IP extended access list, repeating the command as many times as necessary.
  • For access-list-number, enter the number specified in Step 2.
  • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
Using TTL to Limit the Multicast Data Sent in SA Messages
You can use a TTL value to control what data is encapsulated in the first SA message for every source. Only multicast packets with an IP-header TTL greater than or equal to the ttl argument are sent to the specified MSDP peer. For example, you can limit internal traffic to a TTL of 8. If you want other groups to go to external locations, you must send those packets with a TTL greater than 8.
Beginning in privileged EXEC mode, follow these steps to apply a filter:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: ip msdp sa-filter in {ip-address | name}
  Filter all SA messages from the specified MSDP peer.
  or
  ip msdp sa-filter in {ip-address | name} list access-list-number
  From the specified peer, pass only those SA messages that pass the IP extended access list.
Configuring an MSDP Mesh Group
An MSDP mesh group is a group of MSDP speakers that have fully meshed MSDP connectivity among one another. Any SA messages received from a peer in a mesh group are not forwarded to other peers in the same mesh group. Thus, you reduce SA message flooding and simplify peer-RPF flooding. Use the ip msdp mesh-group global configuration command when there are multiple RPs within a domain.
Beginning in privileged EXEC mode, follow these steps to shut down a peer:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: ip msdp shutdown {peer-name | peer address}
  Administratively shut down the specified MSDP peer without losing configuration information. For peer-name | peer address, enter the IP address or name of the MSDP peer to shut down.
Step 3: end
  Return to privileged EXEC mode.

Step 5: show running-config
  Verify your entries.
Step 6: copy running-config startup-config
  (Optional) Save your entries in the configuration file.
Note that the ip msdp originator-id global configuration command also identifies an interface type and number to be used as the RP address.
Monitoring and Maintaining MSDP
To monitor MSDP SA messages, peers, state, or peer status, use one or more of the privileged EXEC commands in Table 25-1:

Table 25-1 Commands for Monitoring and Maintaining MSDP

Command                                                   Purpose
debug ip msdp [peer-address | name] [detail] [routes]     Debugs an MSDP activity.
debug ip msdp resets                                      Debugs MSDP peer reset reasons.
CHAPTER 26 Configuring Fallback Bridging
This chapter describes how to configure fallback bridging on your switch. With fallback bridging, you can forward non-IP protocols that the multilayer switch does not route between VLAN bridge domains and routed ports. To use this feature, you must have the enhanced multilayer software (EMI) image installed on your switch. All Catalyst 3550 Gigabit Ethernet switches ship with the EMI installed.

acts like a port on a router, but it is not connected to a router. A routed port is not associated with a particular VLAN, does not support VLAN subinterfaces, but behaves like a normal routed interface. For more information about SVIs and routed ports, see Chapter 8, “Configuring Interface Characteristics.” A bridge group is an internal organization of network interfaces on a switch.
Configuring Fallback Bridging
This section describes how to configure fallback bridging on your switch.

Creating a Bridge Group
To configure fallback bridging for a set of SVIs or routed ports, these interfaces must be assigned to bridge groups. All interfaces in the same group belong to the same bridge domain. Each SVI or routed port can be assigned to only one bridge group. A maximum of 31 bridge groups can be configured on the switch.
Note: The protected port feature is not compatible with fallback bridging.
This example shows how to create bridge group 10, specify the VLAN-bridge STP to run in the bridge group, and assign an interface to the bridge group:
Switch(config)# bridge 10 protocol vlan-bridge
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# no switchport
Switch(config-if)# bridge-group 10

Preventing the Forwarding of Dynamically Learned Stations
By default, the switch forwards any frames for stations that it has d
Configuring the Bridge Table Aging Time
A switch forwards, floods, or drops packets based on the bridge table. The bridge table maintains both static and dynamic entries. Static entries are entered by you or learned by the switch. Dynamic entries are entered by the bridge learning process.
Beginning in privileged EXEC mode, follow these steps to filter by the MAC-layer address:
Step 1: configure terminal
  Enter global configuration mode.
Step 2: bridge bridge-group address mac-address {forward | discard} [interface-id]
  Specify the MAC address to discard or forward.
  • For bridge-group, specify the bridge group number. The range is 1 to 255.
Changing the Switch Priority
You can globally configure the priority of an individual switch when two switches tie for position as the root switch, or you can configure the likelihood that a switch will be selected as the root switch. This priority is determined by default; however, you can change it.
Command Purpose
Step 5 show running-config  Verify your entry.
Step 6 copy running-config startup-config  (Optional) Save your entry in the configuration file.
No no form of this command exists. To return to the default setting, use the bridge-group bridge-group priority number interface configuration command.
Adjusting BPDU Intervals
You can adjust BPDU intervals as described in these sections:
• Adjusting the Interval between Hello BPDUs
• Defining the Forward Delay Interval
• Defining the Maximum Idle Interval
Note Each switch in a spanning tree adopts the interval between hello BPDUs, the forward delay interval, and the maximum idle interval parameters of the root switch, regardless of what its individual configuration might be.
Command Purpose
Step 3 end  Return to privileged EXEC mode.
Step 4 show running-config  Verify your entry.
Step 5 copy running-config startup-config  (Optional) Save your entry in the configuration file.
To return to the default setting, use the no bridge bridge-group forward-time seconds global configuration command.
Disabling the Spanning Tree on an Interface
When a loop-free path exists between any two switched subnetworks, you can prevent BPDUs generated in one switching subnetwork from impacting devices in the other switching subnetwork, yet still permit switching throughout the network as a whole. For example, when switched LAN subnetworks are separated by a WAN, BPDUs can be prevented from traveling across the WAN link.
Chapter 27 Troubleshooting
This chapter describes how to identify and resolve software problems related to the IOS software. Depending on the nature of the problem, you can use the command-line interface (CLI) or the Cluster Management Suite (CMS) to identify and solve problems.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release and the Cisco IOS Command Summary for Release 12.1.
Using Recovery Procedures
Recovering from Corrupted Software
Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. This procedure uses the XMODEM Protocol to recover from a corrupt or wrong image file.
Recovering from a Lost or Forgotten Password
The default configuration for Catalyst 3550 switches allows an end user with physical access to the switch to recover from a lost password by interrupting the boot process during power-on and by entering a new password.
Step 2 If you had set the console port speed to anything other than 9600, it has been reset to that particular speed. Change the emulation software line speed to match that of the switch console port.
Step 12 Return to privileged EXEC mode:
Switch(config)# exit
Switch#
Step 13 Write the running configuration to the startup configuration file:
Switch# copy running-config startup-config
The new password is now in the startup configuration.
Note This procedure is likely to leave your switch virtual interface in a shutdown state. You can see which interface is in this state by entering the show running-config privileged EXEC command.
Step 3 Display the contents of Flash memory:
switch: dir flash:
The switch file system is displayed:
Directory of flash:
13  drwx  192  Mar 01 1993 22:30:48  c3550-i5q3l2-mz-121-0.0.53
17  -rwx   27  Mar 01 1993 22:30:57  env_vars
 5  -rwx   90  Mar 01 1993 22:30:57  system_env_vars
16128000 bytes total (10003456 bytes free)
Step 4 Boot the system:
switch: boot
You are prompted to start the setup program.
Recovering from a Command Switch Failure
This section describes how to recover from a failed command switch. You can configure a redundant command switch group by using the Hot Standby Router Protocol (HSRP). For more information, see Chapter 5, “Clustering Switches” and Chapter 23, “Configuring HSRP.”
Note HSRP is the preferred method for supplying redundancy to a cluster.
Step 9 Use the setup program to configure the switch IP information. This program prompts you for IP address information and passwords. From privileged EXEC mode, enter setup, and press Return.
Switch# setup
--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: y
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Replacing a Failed Command Switch with Another Switch
To replace a failed command switch with a switch that is command-capable but not part of the cluster, follow these steps:
Step 1 Insert the new switch in place of the failed command switch, and duplicate its connections to the cluster members.
Step 2 Start a CLI session on the new command switch.
Step 10 When prompted, assign a name to the cluster, and press Return. The cluster name can be 1 to 31 alphanumeric characters, dashes, or underscores.
Step 11 When the initial configuration displays, verify that the addresses are correct.
Step 12 If the displayed information is correct, enter Y, and press Return. If this information is not correct, enter N, press Return, and begin again at Step 9.
Diagnosing Connectivity Problems
This section describes how to troubleshoot connectivity problems:
• Understanding Ping, page 27-11
• Executing Ping, page 27-11
• Understanding IP Traceroute, page 27-12
• Executing IP Traceroute, page 27-13
Understanding Ping
The switch supports IP ping, which you can use to test connectivity to remote hosts. Ping sends an echo request packet to an address and waits for a reply.
This example shows how to ping an IP host:
Switch# ping 172.20.52.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Switch#
Table 27-1 describes the possible ping character output.
Table 27-1 Ping Output Display Characters
Character Description
! Each exclamation point means receipt of a reply.
.
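As an added example that is not code from the Cisco guide, the following Python parses a ping transcript in the format shown above into a structured result and cross-checks the per-probe characters against the switch's own summary line, which matters when the output is collected by a monitoring or automation script rather than read by hand. The transcripts are constructed; only "!" and "." come from Table 27-1, and the remaining display characters are the standard IOS ping characters and are assumed here.

```python
"""Parse Cisco IOS ``ping`` output into a structured, cross-checked result.

Added example, not code from the Cisco guide. The transcripts below are
constructed to match the format shown in Chapter 27.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Ping display characters. '!' and '.' are documented in Table 27-1 on this
# page; the others are the standard IOS ping characters (assumed here).
PING_CHARS: Dict[str, str] = {
    "!": "reply received",
    ".": "timed out waiting for a reply",
    "U": "destination unreachable",
    "Q": "source quench (destination too busy)",
    "M": "could not fragment",
    "?": "unknown packet type",
    "&": "packet lifetime exceeded",
}

# "Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds:"
SENDING_RE = re.compile(
    r"Sending (?P<count>\d+), (?P<size>\d+)-byte ICMP Echo(?:es|s) to (?P<target>\S+), "
    r"timeout is (?P<timeout>\d+) seconds:"
)
# "Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms"
# The round-trip part is absent when no reply was received.
SUMMARY_RE = re.compile(
    r"Success rate is (?P<pct>\d+) percent \((?P<ok>\d+)/(?P<sent>\d+)\)"
    r"(?:, round-trip min/avg/max = (?P<min>\d+)/(?P<avg>\d+)/(?P<max>\d+) ms)?"
)


@dataclass
class PingResult:
    target: str
    sent: int
    tally: Dict[str, int]                   # per-character counts, e.g. {"!": 5}
    success_pct: int
    rtt_ms: Optional[Tuple[int, int, int]]  # (min, avg, max) or None
    consistent: bool                        # probe characters agree with summary


def parse_ping(transcript: str) -> PingResult:
    """Extract the probe characters and the summary line and cross-check them."""
    sending = summary = None
    probe_chars = ""
    for raw in transcript.splitlines():
        line = raw.strip()
        if sending is None:
            sending = SENDING_RE.search(line)   # skips the echoed command line
            continue
        if summary is None:
            m = SUMMARY_RE.search(line)
            if m:
                summary = m
            elif line and set(line) <= set(PING_CHARS):
                probe_chars += line              # one character per echo request
    if sending is None or summary is None:
        raise ValueError("not a complete IOS ping transcript")

    tally = {c: probe_chars.count(c) for c in PING_CHARS if c in probe_chars}
    sent, ok = int(summary["sent"]), int(summary["ok"])
    rtt = None
    if summary["min"] is not None:
        rtt = (int(summary["min"]), int(summary["avg"]), int(summary["max"]))
    # A truncated or tampered transcript shows up as a mismatch between the
    # per-probe characters and the switch's own summary line.
    consistent = (
        len(probe_chars) == sent == int(sending["count"])
        and tally.get("!", 0) == ok
        and (rtt is not None) == (ok > 0)
    )
    return PingResult(sending["target"], sent, tally, int(summary["pct"]), rtt, consistent)


def describe(result: PingResult) -> str:
    """One-line summary using the Table 27-1 meanings."""
    parts = [f"{n} x {PING_CHARS[c]}" for c, n in result.tally.items()]
    return f"{result.target}: {result.success_pct}% ({', '.join(parts)})"


# Constructed transcripts. The first mirrors the example on this page.
SAMPLE_OK = """Switch# ping 172.20.52.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Switch#"""

SAMPLE_PARTIAL = """Switch# ping 192.0.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.10, timeout is 2 seconds:
..!U!
Success rate is 40 percent (2/5), round-trip min/avg/max = 1/1/2 ms
Switch#"""

# Summary claims 5/5 but one probe timed out: flagged as inconsistent.
SAMPLE_MISMATCH = """Sending 5, 100-byte ICMP Echos to 192.0.2.10, timeout is 2 seconds:
!!!.!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms"""

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_PARTIAL, SAMPLE_MISMATCH):
        r = parse_ping(sample)
        print(describe(r), "consistent" if r.consistent else "INCONSISTENT")
```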
To determine when a datagram reaches its destination, traceroute sets the UDP destination port number in the datagram to a very large value that the destination host is unlikely to be using. When a host receives a datagram destined to itself containing a destination port number that is unused locally, it sends an ICMP port unreachable error to the source.
To terminate a trace in progress, enter the escape sequence (Ctrl-^ X by default). You enter the default by simultaneously pressing and releasing the Ctrl, Shift, and 6 keys, and then pressing the X key.
Using Debug Commands
This section explains how you use debug commands to diagnose and resolve internetworking problems.
Enabling All-System Diagnostics
Beginning in privileged EXEC mode, enter this command to enable all-system diagnostics:
Switch# debug all
Caution Because debugging output takes priority over other network traffic, and because the debug all privileged EXEC command generates more output than any other debug command, it can severely diminish switch performance or even render it unusable.
Using the show forward Command
This is an example of the output from the show forward privileged EXEC command for Fast Ethernet port 8, where VLAN ID, source and destination MAC addresses, and source and destination IP addresses were provided.
Switch# show forward fa0/8 vlan 8 0000.1111.2222 0022.3355.9800 ip 8.8.8.10 4.4.4.
Using the crashinfo File
The crashinfo file saves information that helps Cisco technical support representatives to debug problems that caused the IOS image to fail (crash). The switch writes the crash information to the console at the time of the failure, and the file is created the next time you boot the IOS image after the failure (instead of while the system is failing).
Catalyst 3550 Multilayer Switch Software Configuration Guide 27-18 78-11194-03
Appendix A Supported MIBs
This appendix lists the supported management information bases (MIBs) for this release.
• CISCO-MEMORY-POOL-MIB
• CISCO-RTTMON-MIB (subsystems supported: sub_rtt_rmon and sub_rtt_rmonlib)
• CISCO-PROCESS-MIB
• OLD-CISCO-SYS-MIB
• CISCO-CONFIG-MAN-MIB
• CISCO-MAC-NOTIFICATION-MIB
• CISCO-IGMP-FILTER-MIB
Using FTP to Access the MIB Files
You can obtain each MIB file by using this procedure:
Step 1 Use FTP to access the server ftp.cisco.com.
Step 2 Log in with the username anonymous.
Appendix B Working with the IOS File System, Configuration Files, and Software Images
This appendix describes how to manipulate the Flash file system, how to copy configuration files, and how to archive (upload and download) software images.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
Working with the Flash File System
Displaying Available File Systems
To display the available file systems on your switch, use the show file systems privileged EXEC command as shown in this example:
Switch# show file systems
File Systems:
* Table B-1 Size(b) 16128000 16128000 32768 - Free(b) 11118592 11118592 26363 - Type flash unknown nvram network opaque opaque opaque opaque network network Flags rw rw rw rw rw
Setting the Default File System
You can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command. You can set the default file system to omit the filesystem: argument from related commands.
Creating and Removing Directories
Beginning in privileged EXEC mode, follow these steps to create and remove a directory:
Command Purpose
Step 1 dir filesystem:  Display the directories on the specified file system. For filesystem:, use flash: for the system board Flash device.
Step 2 mkdir old_configs  Create a new directory.
Some invalid combinations of source and destination exist.
Creating, Displaying, and Extracting tar Files
You can create a tar file and write files into it, list the files in a tar file, and extract the files from a tar file as described in the next sections.
You can also limit the display of the files by specifying an optional list of files or directories after the tar file; then only these files are displayed. If none are specified, all files and directories are displayed. This example shows how to display the contents of the c3550-i5q3l2-mz.121-6.EA1.tar file that is in Flash memory:
Switch# archive tar /table flash:c3550-i5q3l2-mz.121-6.
Displaying the Contents of a File
To display the contents of any readable file, including a file on a remote file system, use the more [/ascii | /binary | /ebcdic] file-url privileged EXEC command:
This example shows how to display the contents of a configuration file on a TFTP server:
Switch# more tftp://serverA/hampton/savedconfig
!
! Saved
!
version
service
service
service
service
!
Working with Configuration Files
• Copying Configuration Files By Using FTP, page B-12
• Copying Configuration Files By Using RCP, page B-16
• Clearing Configuration Information, page B-19
Guidelines for Creating and Using Configuration Files
Creating configuration files can aid in your switch configuration. Configuration files can contain some or all of the commands needed to configure one or more switches.
Creating a Configuration File By Using a Text Editor
When creating a configuration file, you must list commands logically so that the system can respond appropriately. This is one method of creating a configuration file:
Step 1 Copy an existing configuration from a switch to a server.
• Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).
• For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.
• Before uploading the configuration file, you might need to create an empty file on the TFTP server.
Uploading the Configuration File By Using TFTP
To upload a configuration file from a switch to a TFTP server for storage, follow these steps:
Step 1 Verify that the TFTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using TFTP” section on page B-10.
Step 2 Log into the switch through the console port or a Telnet session.
If the server has a directory structure, the configuration file is written to or copied from the directory associated with the username on the server. For example, if the configuration file resides in the home directory of a user on the server, specify that user's name as the remote username. For more information, refer to the documentation for your FTP server.
Command Purpose
Step 6 end  Return to privileged EXEC mode.
Step 7 copy ftp:[[[//[username[:password]@]location]/directory]  Using FTP, copy the configuration file from a network server to the running configuration or to the startup configuration file.
Uploading a Configuration File By Using FTP
Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using FTP:
Command Purpose
Step 1 Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using FTP” section on page B-13.
Copying Configuration Files By Using RCP
The Remote Copy Protocol (RCP) provides another method of downloading, uploading, and copying configuration files between remote hosts and the switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented.
• When you upload a file to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server.
This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.
This example shows how to store a startup configuration file on a server:
Switch# configure terminal
Switch(config)# ip rcmd remote-username netadmin2
Switch(config)# end
Switch# copy nvram:startup-config rcp:
Remote host[]? 172.16.101.101
Name of configuration file to write [switch2-confg]?
Write file switch2-confg on host 172.16.101.
Working with Software Images
This section includes this information:
• Image Location on the Switch, page B-20
• tar File Format of Images on a Server or Cisco.
Table B-3 info and info.
Preparing to Download or Upload an Image File By Using TFTP
Before you begin downloading or uploading an image file by using TFTP, do these tasks:
• Ensure that the workstation acting as the TFTP server is properly configured. On a Sun workstation, make sure that the /etc/inetd.conf file contains this line:
tftp dgram udp wait root /usr/etc/in.tftpd in.
Command Purpose
Step 3 archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar  Download the image file from the TFTP server to the switch, and overwrite the current image.
Step 4 archive download-sw /leave-old-sw /reload tftp:[[//location]/directory]/image-name.tar
• The /overwrite option overwrites the software image in Flash with the downloaded image.
Uploading an Image File By Using TFTP
You can upload an image from the switch to a TFTP server. You can later download this image to the switch or to another switch of the same type. The upload feature is available only if the HTML pages associated with the Cluster Management Suite (CMS) have been installed with the existing image.
Copying Image Files By Using FTP
You can download a switch image from an FTP server or upload the image from the switch to an FTP server. You download a switch image file from a server to upgrade the switch software. You can overwrite the current image with the new one or keep the current image after a download. You upload a switch image file to a server for backup purposes.
Before you begin downloading or uploading an image file by using FTP, do these tasks:
• Ensure that the switch has a route to the FTP server. The switch and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the FTP server by using the ping command.
Command Purpose
Step 7 archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]/image-name.tar  Download the image file from the FTP server to the switch, and overwrite the current image.
Step 8
• The /overwrite option overwrites the software image in Flash with the downloaded image.
The algorithm installs the downloaded image onto the system board Flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
The archive upload-sw command builds an image file on the server by uploading these files in order: info, the IOS image, the HTML files, and info.ver. After these files are uploaded, the upload algorithm creates the tar file format.
Caution For the download and upload algorithms to operate properly, do not rename image names.
For the RCP copy request to execute successfully, an account must be defined on the network server for the remote username. If the server has a directory structure, the image file is written to or copied from the directory associated with the remote username on the server.
Command Purpose
Step 5 end  Return to privileged EXEC mode.
Step 6 archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-name.tar]  Download the image file from the RCP server to the switch, and overwrite the current image.
Step 7 archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.
If you specify /leave-old-sw, the existing files are not removed. If there is not enough room to install the new image and keep the running image, the download process stops, and an error message is displayed. The algorithm installs the downloaded image onto the system board Flash device (flash:).
Command Purpose
Step 5 end  Return to privileged EXEC mode.
Step 6 archive upload-sw rcp:[[[//[username@]location]/directory]/image-name.tar]  Upload the currently running switch image to the RCP server.
• For //username, specify the username; for the RCP copy request to execute, an account must be defined on the network server for the remote username.
Appendix C Unsupported CLI Commands
This appendix lists the unsupported command-line interface (CLI) commands that are displayed when you enter the question mark (?) at the switch prompt. The unsupported commands are listed by software feature and command mode.
FallBack Bridging
Unsupported Privileged EXEC Commands
clear bridge [bridge-group] multicast [router-ports | groups | counts] [group-address] [interface-unit] [counts]
clear vlan statistics
show bridge [bridge-group] circuit-group [circuit-group] [src-mac-address] [dst-mac-address]
show bridge [bridge-group] multicast [router-ports | groups] [group-address]
show bridge vlan
show interfaces crb
show interfaces {ethernet | fastethernet} [interface | slo
bridge-group bridge-group input-pattern-list access-list-number
bridge-group bridge-group input-type-list access-list-number
bridge-group bridge-group lat-compression
bridge-group bridge-group output-address-list access-list-number
bridge-group bridge-group output-lat-service-deny group-list
bridge-group bridge-group output-lat-service-permit group-list
bridge-group bridge-group output-lsap-list access-list-number
bridge-group bridge-group output-pattern-list acces
Interface Configuration Commands
switchport broadcast level
switchport multicast level
switchport unicast level
Note These commands were replaced in IOS release 12.1(8)EA1 by the storm-control {broadcast | multicast | unicast} level level [.level] interface configuration command.
Unsupported Interface Configuration Commands
frame-relay ip rtp header-compression [active | passive]
frame-relay map ip ip-address dlci [broadcast] compress
frame-relay map ip ip-address dlci rtp header-compression [active | passive]
ip igmp helper-address ip-address
ip multicast helper-map {group-address | broadcast} {broadcast-address | multicast-address} extended-access-list-number
ip multicast rate-limit {in | out} [video | whiteboard] [group-lis
IP Unicast Routing
ip reflexive-list
ip vrf
router bgp
router egp
router-isis
router iso-igrp
router mobile
router odr
router static
Unsupported Interface Configuration Commands
ip accounting
ip load-sharing [per-packet]
ip mtu bytes
ip route-cache
ip verify
ip vrf
ip unnumbered type number
All ip security commands
Unsupported VPN Configuration Commands
All
Unsupported VRF Configuration Commands
All
Unsupported Route Map Commands
set automatic-tag
set ip destinatio
MSDP
Unsupported Privileged EXEC Commands
show access-expression
show exception
show location
show pm LINE
show smf [interface-id]
show subscriber-policy [policy-number]
show template [template-name]
Unsupported Global Configuration Commands
ip msdp default-peer ip-address | name [prefix-list list] (Because BGP/MBGP is not supported, use the ip msdp peer command instead of this command.
I N D EX accounting with RADIUS Numerics 6-27 accounting with TACACS+ 802.1Q ACEs and trunk ports 8-3 and QoS configuration limitations encapsulation 9-24 defined 9-22, 9-24 802.1Q trunk mode 3-9 802.1X See port-based authentication 802.
Index ACLs (continued) host keyword ACLs (continued) VLAN maps 19-12 IP configuration guidelines applying to interface creating configuring 19-18 defined 19-6 fragments and QoS guidelines implicit deny named displaying the MAC address table 19-9 matching criteria accelerated aging options and QoS guidelines default aging defined 19-15 virtual terminal lines, setting on limiting actions log keyword named 26-6 24-1 STP address management 19-20 10-8 static adding and removing 20-20
Index aggregate policing 1-4 authorization with RADIUS aging, accelerating 10-10 authorization with TACACS+ aging time authorized ports with 802.
Index banners candidate switch configuring login adding automatic discovery 6-51 message-of-the-day login default configuration when displayed defined 6-50 HC 6-49 blocking packets 23-9 booting boot loader, function of boot process 4-2 requirements 5-3 5-22 caution, described xxx CC (command switch) 4-13 5-22 CDP 4-14 automatic discovery in switch clusters boot loader accessing 4-15 described 4-2 configuring described 4-15 trap-door mechanism 13-1 BPDU guard, STP enabling
Index Cisco Discovery Protocol clusters, switch (continued) See CDP planning considerations Cisco Express Forwarding See CEF Cisco Technical Assistance Center CiscoWorks 2000 xxxiii 1-6, 18-3 classless routing 22-8 class maps for QoS configuring host names 5-16 IP addresses 5-15 LRE profiles 5-17 5-16 5-16, 5-26 TACACS+ 20-56 redundancy 8-20 client mode, VTP 5-18 5-17 5-22 See also candidate switch, command switch, cluster standby group, member switch, and standby command switch C
Index CMS (continued) commands displaying system messages error checking features active (AC) 3-4 interaction modes requirements configuration conflicts defined 3-31 priority 3-27 Topology view 5-25 5-12 recovery 3-10 verifying configuration changes window components 3-32 from failure 27-7 from lost member connectivity 3-28 27-10 recovery from command-switch failure 3-26 CMS online help redundant 3-27 Collapse Cluster view command modes requirements 2-1 enabling and disablin
Index configuration files conventions clearing the startup configuration creating using a text editor default name publication 4-12 text B-19 CoS B-8 downloading xxx xxx xxx 1-4, 20-2 CoS-to-DSCP map for QoS automatically preparing xxx for examples B-10 deleting a stored configuration described command B-19 CoS-to-egress-queue map 4-12 20-39 20-45 counters, clearing interface B-10, B-13, B-16 reasons for B-8 using FTP B-13 crashinfo file using RCP B-17 cross-stack UplinkFast
Index default configuration (continued) EtherChannel 23-3 IGMP 24-31 destination addresses, in ACLs 21-7 fallback bridging HSRP device discovery protocol 26-3 Front Panel view 11-20 IGMP snooping 11-5 device labels 4-3 IP addressing, IP routing 22-4 IP multicast routing Layer 2 interfaces 11-15 NTP Front Panel view autoconfiguration example 4-8 client request message exchange 4-4 configuring client side DNS 6-3 RADIUS 4-3 4-6 relay device 20-18 server-side 6-20 4-6 4-5 TFTP
Index Disqualification Code option DSCP 3-25 Distance Vector Multicast Routing Protocol 1-4, 20-2 DSCP-to-CoS map for QoS 20-42 DSCP-to-DSCP-mutation map for QoS See DVMRP distance-vector protocols distribute-list command DSCP-to-threshold map for QoS 22-2 DTP 22-62 DNS 20-47 1-3, 9-22 DUAL finite state machine, EIGRP and DHCP-based autoconfiguration default configuration overview 6-47 setting up 6-48 support for all-DVMRP-routers multicast group address disabling 1-2 24-11 24-54
Index DVMRP (continued) support for EIGRP (continued) definition 1-5 tunnels interface parameters, configuring configuring 24-46 displaying neighbor information dynamic access mode 24-49 characteristics configuring monitoring 22-51 support for 1-4 enable password 3-9 dynamic access ports defined 22-46 6-4 enable secret password encryption for passwords 9-38 9-24 6-4 Enhanced IGRP 8-2 limit on number of hosts See EIGRP 9-40 environment variables dynamic addresses function of
Index EtherChannel (continued) Layer 3 interface load balancing expedite queue for QoS (continued) Gigabit-capable Ethernet ports 22-3 allocating bandwidth 21-5, 21-13 logical interfaces, described number of interfaces per overview configuring 21-2 described 21-1 PAgP 3-26 extended system ID for STP aggregate-port learners displaying status 21-5 learn method and priority configuration 21-4 21-4 support for 1-2 creating 21-2 8-3 1-2 26-12 function of 26-2 21-5 removing 26-4 26-4
fallback bridging (continued) filtering STP in a VLAN disabling on an interface forward-delay interval hello BPDU interval interface priority non-IP traffic 26-12 with fallback bridging 26-10 support for 26-6 See ACLs, IP 26-11 Flash device, number of flash updates, IGRP 26-8 VLAN-bridge STP B-1 22-31 flooded traffic, blocking 26-1, 26-2 12-6 flow-based packet classification 1-4 SVIs and routed ports 10-9 QoS classification fallback VLAN name 9-34 QoS policing and marking
FTP (continued) hello time, STP help, for the command line image files deleting old image downloading uploading Help button, CMS B-28 Help Contents B-26 preparing the server described 2-5 disabling 2-5 2-5 2-5 history table, level and number of syslog messages 1000BASE-SX module 1000BASE-T module host name list, CMS 1-9 3-28 abbreviations appended to 1-9 in clusters 1-9 5-22 5-16 hosts, limit on dynamic ports 1-9 18-2 get-next-request operation 18-2, 18-3 See HSRP HP Ope
IGMP (continued) I leave processing, enabling ICMP leaving multicast group redirect messages support for 22-15 multicast reachability 1-5 overview time exceeded messages traceroute and 27-12 queries 27-12 19-5 unreachables and ACLs 11-4 24-34 24-3 11-3 support for unreachable messages 11-9 1-2 Version 1 19-6 changing to Version 2 ICMP ping hosts joining a group 24-3 24-3 executing 27-11 hosts leaving a group overview 27-11 membership queries ICMP Router Discovery Proto
IGMP snooping (continued) Immediate Leave method interfaces (continued) 11-4 11-6 flow control 8-16 management 1-5 monitoring 11-9 monitoring support for 1-2 naming VLAN configuration IGP 8-18 8-17 physical, identifying 11-6 range of 22-35 IGRP 8-9 restarting 8-21 advertisements 22-30 shutting down alternate routes 22-31 supported configuring default configuration described flash updates See IGP 22-30 Interior Gateway Routing Protocol interior routes 22-30 load
IP addresses IP multicast routing (continued) candidate or member classes of Auto-RP 5-3, 5-15 adding to an existing sparse-mode cloud 22-5 cluster access benefits of 5-2 command switch default configuration for IP routing IOS release 22-4 overview 22-10 using with BSR configuring candidate RPs 11-20 24-25 24-26 defining the IP multicast boundary assigned defining the PIM domain border IOS release 4-10 through DHCP-based autoconfiguration default configuration 24-19 24-15 c
IP multicast routing (continued) IP routes, monitoring IP routing MBONE deleting sdr cache entries described connecting interfaces with 24-58 enabling 24-39 displaying sdr cache 24-39 limiting DVMRP routes advertised limiting sdr cache entry lifetime 24-53 executing 27-13 overview 27-12 address resolution 24-39 monitoring ARP 22-56, 22-62 22-10 assigning IP addresses to Layer 3 interfaces packet rate loss 24-59 peering devices 24-59 tracing a path authentication keys PIMv1
IP unicast routing (continued) L protocols distance-vector dynamic Layer 2 frames, classification with CoS 22-2 Layer 2 interfaces, default configuration 22-2 link-state proxy ARP 22-2 Layer 2 trunks 22-10 Layer 3 features redistribution reverse address resolution subnet mask UDP 22-6 22-8 22-3 Layer 3 parameters of ACEs 19-10 Layer 4 parameters of ACEs 19-10 leave processing, IGMP port 22-3 11-9 3-8 See also EIGRP port modes See also IGRP RPS 3-8 3-7 See also OSPF l
marking M action in policy map MAC addresses aging time action with aggregate policers 6-53 described and VLAN association 6-52 building the address table default configuration displaying 6-52 6-53 6-57 maximum aging time, STP 10-30 maximum-paths command 22-54 membership mode, VLAN port 6-52 removing in ACLs adding 6-54 3-9, 9-3 19-28 defined 22-10 static adding 6-56 6-56 5-2 managing 5-25 passwords 5-15 requirements 6-56 MAC address multicast entries, monitoring MAC
mirroring traffic for analysis 15-1 mismatches, autonegotiation 27-10 Mode button monitoring (continued) speed and duplex mode traffic flowing among switches 3-8 modes traffic suppression access to CMS port filters VLAN port membership VMPS modules, GBIC VTP 1000BASE-SX GigaStack 9-13 9-21 and dense-mode regions sending SA messages to 1-9 benefits of access groups 25-3 14-1 forwarded by switch 25-12 25-8 CDP 13-5 originated by switch CEF 22-54 received by switch incom
MSDP (continued) N source-active messages caching named IP ACLs 25-6 clearing cache entries defined native VLANs 25-19 filtering from a peer filtering incoming filtering to a peer neighboring devices, types of 25-14 large network static joins performance 11-4 1-7 1-8 network management configuring CDP 11-8 ACLs on 19-42 blocking 12-6 configuring SNMP 16-1 18-1 Network Time Protocol multicast router interfaces, monitoring multicast router ports, adding 11-10 See NTP no comm
NTP (continued) out-of-profile markdown output interface, getting information about restricting access creating an access group overheating indication, switch 6-39 disabling NTP services per interface source IP address, configuring stratum 6-40 1-2 3-5 P packet modification, with QoS synchronizing devices 27-16 6-40 6-32 support for 1-4 6-36 20-17 PAgP time See EtherChannel services 6-33 synchronizing parallel links 6-32 9-29 parallel paths, in routing tables 22-54 passiv
PIM policers default configuration configuring 24-13 dense mode for each matched traffic class (S,G) notation 24-6 graft messages 24-6 overview for more than one traffic class described 24-5 pruning and SPT 24-5 rendezvous point (RP), described RPF lookups enabling a mode number of 1-4, 20-9 characteristics of 24-30 configuring shared tree and source tree, overview 24-28 described shortest path tree, delaying the use of 24-29 displaying sparse mode POP (*,G) notation 20-
port-based authentication (continued) EAP-response/identity frame dynamic VLAN membership, reconfirming 7-3 enabling forwarding, resuming 802.
protected ports QoS (continued) 1-3, 12-5 protocol-dependent modules, EIGRP 22-47 Protocol-Independent Multicast Protocol configuring displaying See PIM 20-30 20-56 configuration examples proxy ARP configuring common wiring closet 22-13 definition distribution layer 22-10 with IP routing disabled 20-59 aggregate policers 9-28 20-37 9-7 default port CoS value overview 9-6 DSCP maps pruning-eligible list PVST xxxi Q IP extended ACLs 20-28 IP standard ACLs 20-27 MAC ACL
QoS (continued) QoS (continued) mapping tables queues CoS-to-DSCP 20-39 CoS-to-egress-queue displaying 20-45 DSCP-to-DSCP-mutation DSCP-to-threshold size of 20-47 20-13, 20-16 20-46 20-13, 20-47 WRED drop-percentage thresholds marking, described WRR scheduling 20-35 packet modification 20-13, 20-48 20-50 scheduling 20-3, 20-8 20-1 20-17 policers allocating bandwidth on 10/100 Ethernet ports 20-54 allocating bandwidth on Gigabit-capable ports 20-50 defined described 20-53
RADIUS (continued) redundancy configuring EtherChannel accounting features 6-27 authentication HSRP 6-23 authorization 21-1 1-3 23-1 STP 6-26 communication, global backbone 6-21, 6-28 communication, per-server 10-9 multidrop backbone 6-20, 6-21 multiple UDP ports 6-20 path cost default configuration 6-20 port priority defining AAA server groups 6-24 displaying the configuration 6-30 identifying the server method list, defined operation of overview See cluster standby
RFC (continued) 1253, OSPF 1305, NTP route summarization, OSPF 22-41 routing 22-35 default 6-32 22-2 1587, NSSAs 22-35 dynamic 1757, RMON 16-2 redistribution of information 1901, SNMPv2C static 18-2 1902 to 1907, SNMPv2 22-2 22-57 22-2 Routing Information Protocol 18-2 2236, IP multicast and IGMP See RIP 11-2 RIP routing protocol administrative distances advertisements authentication configuring 22-25 S 22-25 22-25 split horizon saving changes in CMS 22-29 support fo
show interfaces command snooping, IGMP 8-15, 8-17 show running-config command displaying ACLs software images location in Flash 19-19, 19-30, 19-32 interface description in B-20 recovery procedures 8-17 shutdown command on interfaces 27-2 scheduling reloads 8-21 Simple Network Management Protocol 4-17 tar file format, described source addresses, in ACLs 13-1 SNMP configuration guidelines 18-3 agent default configuration 18-3 destination ports 15-4 disabling 18-5 displaying
standby command switch configuring statistics (continued) 5-22 considerations 5-14 QoS ingress and egress 20-56 RMON group Ethernet 16-5 defined 5-2 RMON group history priority 5-12 SNMP input and output requirements VTP 5-3 virtual IP address See also cluster standby group and HSRP 9-13 configuring 12-3 definition standby group, cluster See cluster standby group and HSRP standby router 23-4 12-1 displaying 12-11 thresholds 12-1 STP 23-1 standby timers, HSRP accelera
STP (continued) STP (continued) EtherChannel guard described root switch affects of extended system ID 10-20 enabling configuring 10-37 extended system ID election affects on root switch affects on the secondary root switch overview 10-24 10-3 settings in a cascaded stack timers, described interface state, blocking to forwarding interface states 10-10 VLAN-bridge stratum, NTP disabled 10-8 stub areas, OSPF 10-7 subnet zero listening 10-7 summer time overview 10-6 SunNet M
switch priority, STP system name 10-28 switch software features default configuration 1-1 switch virtual interface default setting system prompt See system message logging default setting system clock daylight saving time manually time zones system routes, IGRP 6-43 22-30 T 6-42 6-32 tables, CMS See also NTP tabs, CMS System Database Management 3-29 3-29 TAC See SDM inquiries system message logging default configuration 17-3 website 17-8 xxxiii accounting, defined displ
tail drop timestamps in log messages described time zones 20-13 support for support for extracting toolbar B-6 Collapse Cluster view colors xxxiii xxxiii toll-free telephone numbers xxxiv Telnet setting a password 6-57 device labels 3-13 3-14 terminal lines, setting a password link icons 3-13 link labels 3-13 3-23 neighboring devices 6-6 TFTP pop-up menus configuration files downloading TOS 1-4 traffic configuration files in base directory configuring for autoconfigura
troubleshooting U connectivity problems 27-11 UDLD detecting EtherChannel misconfigurations unidirectional links displaying crash information globally 27-17 with ping neighbor database overview 27-14 support for 27-12 trunking encapsulation 14-4 14-5 1-3 UDP, configuring 1-3 22-19 unauthorized ports with 802.
uploading VLAN maps configuration files preparing applying 19-32 common uses for B-10, B-13, B-16 19-33 reasons for B-8 using FTP B-15 configuration guidelines using RCP B-18 configuring using TFTP configuration example B-12 image files preparing creating 19-30 defined 19-2 using FTP B-28 displaying using RCP B-32 examples URLs, Cisco 19-27 19-35 denying and permitting packets B-19 using TFTP 19-28 denying access example B-22, B-25, B-29 reasons for 19-34 19-3
VLANs (continued) VTP (continued) native, configuring 9-29 configuration requirements number supported 1-3, 9-2 port membership modes static-access ports supported configuring 9-3 client mode 9-11 9-18, 9-19 server mode 9-10 STP and 802.
VTP (continued) window components, CMS version 2 configuration guidelines disabling 9-12 enabling 9-12 overview 9-6 VLAN parameters VTP monitoring VTP pruning VVIDs 9-9 wizards 1-6, 3-26 WRED 1-4, 20-14 WRR 3-28 1-4, 20-3 X 9-15 9-13 XMODEM protocol 27-2 1-3 1-8 W web-based management software See CMS Weighted Random Early Detection See WRED Weighted Round Robin See WRR weighted round robin, described 20-3
Catalyst 3550 Multilayer Switch Software Configuration Guide IN-38 78-11194-03