Cisco Catalyst 3560-X Software Configuration Manual
Catalyst 3750-X and 3560-X Switch
Software Configuration Guide
Cisco IOS Release 15.0(2)SE and Later
November 2013
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-25303-03

Advertisement

Table of Contents
loading

Summary of Contents for Cisco Catalyst 3560-X

  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
  • Page 3 Using Configuration Logging Using Command History Using Editing Features Searching and Filtering Output of show and more Commands Accessing the CLI Understanding Cisco Configuration Engine Software Understanding Cisco IOS Agents Configuring Cisco IOS Agents Displaying CNS Configuration 1-14 Understanding the Boot Process...
  • Page 4: Table Of Contents

    Configuring 802.1x Authentication 1-37 Displaying 802.1x Statistics and Status 1-76 Understanding Media Access Control Security and MACsec Key Agreement Configuring MKA and MACsec Understanding Cisco TrustSec MACsec Configuring Cisco TrustSec MACsec 1-10 Understanding Web-Based Authentication Configuring Web-Based Authentication Displaying Web-Based Authentication Status...
  • Page 5 Configuring Layer 3 Interfaces 1-40 Configuring the System MTU 1-43 Configuring the Power Supplies 1-46 Configuring the Cisco RPS 2300 in a Mixed Stack 1-46 Configuring the Cisco eXpandable Power System (XPS) 2200 1-48 Monitoring and Maintaining the Interfaces 1-51...
  • Page 6 Contents Understanding Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features 1-11 Displaying the Spanning-Tree Status 1-19 Understanding REP Configuring REP Monitoring REP 1-14 Understanding Flex Links and the MAC Address-Table Move Update Configuring Flex Links and MAC Address-Table Move Update Monitoring Flex Links and the MAC Address-Table Move Update 1-14 Understanding DHCP Features Configuring DHCP Features...
  • Page 7 Contents Configuring Storm Control Configuring Protected Ports Configuring Port Blocking Configuring Port Security Configuring Protocol Storm Protection 1-19 Displaying Port-Based Traffic Control Settings 1-21 Understanding LLDP, LLDP-MED, and Wired Location Service Configuring LLDP, LLDP-MED, and Wired Location Service Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service 1-11 Understanding UDLD Configuring UDLD...
  • Page 8 Contents Displaying IPv4 ACL Configuration 1-44 Understanding QoS Configuring Auto-QoS 1-23 Displaying Auto-QoS Information 1-36 Configuring Standard QoS 1-36 Displaying Standard QoS Information 1-91 Understanding IPv6 ACLs Configuring IPv6 ACLs Displaying IPv6 ACLs Understanding EtherChannels Configuring EtherChannels 1-11 Displaying EtherChannel, PAgP, and LACP Status 1-22 Understanding Link-State Tracking 1-23...
  • Page 9 Configuring Enhanced Object Tracking Features Monitoring Enhanced Object Tracking 1-12 Understanding WCCP Configuring WCCP Monitoring and Maintaining WCCP 1-10 Understanding Cisco’s Implementation of IP Multicast Routing Multicast Routing and Switch Stacks 1-10 Configuring IP Multicast Routing 1-10 Configuring Advanced PIM Features 1-35...
  • Page 10 Contents Troubleshooting Power over Ethernet Switch Ports 1-13 SFP Module Security and Identification 1-14 Monitoring SFP Module Status 1-14 Monitoring Temperature 1-15 Using Ping 1-15 Using Layer 2 Traceroute 1-16 Using IP Traceroute 1-18 Using TDR 1-19 Using Debug Commands 1-20 Using the show platform forward Command 1-22...
  • Page 11 Contents Multicast 1-13 NetFlow Commands 1-13 Network Address Translation (NAT) Commands 1-13 1-14 RADIUS 1-14 SNMP 1-14 Spanning Tree 1-15 VLAN 1-15 1-15 Catalyst 3750-X and 3560-X Switch Software Configuration Guide OL-25303-03...
  • Page 39 Catalyst 3750-X switch stack, referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
  • Page 40: Related Publications

    Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data. Related Publications Documents with complete information about the switch are available from these Cisco.com sites: Catalyst 3750-X http://www.cisco.com/en/US/products/ps10745/tsd_products_support_series_home.html Catalyst 3560-X http://www.cisco.com/en/US/products/ps10744/tsd_products_support_series_home.html...
  • Page 41: Obtaining Documentation And Submitting A Service Request

    Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed...
  • Page 43: Software Features

    SSH management session, can be encrypted. You must have a Cisco IOS software license for a specific feature set to enable it. For more information about the software license, see the Cisco IOS Software Installation document on Cisco.com.
  • Page 44 • Cisco AutoSmartport enhancements, which add support for global macros, last-resort macros, event ... LLDP-based triggers, MAC address and OUI-based triggers, remote macros as well as for automatic configuration based on these two new device types: Cisco Digital Media Player (Cisco...
  • Page 45 – Using a single IP address and configuration file to manage the entire switch stack.
    – Automatic Cisco IOS version-check of new stack members with the option to automatically load images from the stack master or from a TFTP server.
  • Page 46: Performance Features

    • Call Home to provide e-mail-based and web-based notification of critical system events. Users with a service contract directly with Cisco Systems can register Call Home devices for the Cisco Smart Call Home service that generates automatic service requests with the Cisco TAC.
  • Page 47 • Cisco Group Management Protocol (CGMP) server support and Internet Group Management Protocol (IGMP) snooping for IGMP Versions 1, 2, and 3:
    – (For CGMP devices) CGMP for limiting multicast traffic to specified end stations and reducing...
  • Page 48: Management Options

    • Network Assistant—Network Assistant is a network management application that can be downloaded from Cisco.com. You use it to manage a single switch, a cluster of switches, or a community of devices. For more information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com.
  • Page 49: Manageability Features

    • Network Time Protocol version 4 (NTPv4) to support both IPv4 and IPv6 and compatibility with NTPv3.
    • Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses.
    • Configuration logging to log and to view changes to the switch configuration.
  • Page 50 IGMPv2 clients to utilize SSM, allowing listeners to connect to multicast sources dynamically and reducing dependencies on the application.
    • The HTTP client in Cisco IOS can send requests to both IPv4 and IPv6 HTTP servers, and...
  • Page 51: Availability And Redundancy Features

    • Link-state tracking to mirror the state of the ports that carry upstream traffic from connected hosts and servers and to allow the failover of the server traffic to an operational link on another Cisco Ethernet switch
    • StackPower redundancy option. You can configure power supplies in a stack in redundant mode so...
  • Page 52: Vlan Features

    Security Features
    • Cisco IOS Release 15.0(1)SE2 on the Catalyst 3750-X and 3560-X switches is now certified under the Federal Information Processing Standard Publication 140-2 (FIPS 140-2) and the Common Criteria for Information Technology Security Evaluation standard (Common Criteria or CC) EAL Cisco IOS Release 15.0(2)SE1 on the Catalyst 3750-X and 3560-X switches has been submitted for...
  • Page 53 Chapter 1 Overview Software Features Note The images for the Cisco IOS Release 15.0(2)SE1 on the Catalyst 3750-X and 3560-X switches are FIPS certified. For information about using FIPS certified images, see the “Boot Loader Upgrade and Image Verification for the FIPS Mode of Operation” section on page 1-25 of the software configuration guide.
  • Page 54 – Port security for controlling access to IEEE 802.1x ports
    – Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port
    – IP phone detection enhancement to detect and recognize a Cisco IP phone...
  • Page 55 • TACACS+, a proprietary feature for managing network security through a TACACS server. Beginning with Cisco IOS Release 12.2(58)SE, the switch supports TACACS+ for IPv6. For information about configuring this feature, see the “Implementing ADSL for IPv6” chapter in the...
  • Page 56 When there is a change in policy for a user or user group in AAA, administrators can send the RADIUS CoA packets from the AAA server, such as Cisco Secure ACS, to reinitialize authentication and apply the new policies.
    • IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to...
  • Page 57: Qos And Cos Features

    – Trusted port states (CoS, DSCP, and IP precedence–both IPv4 and IPv6) within a QoS domain and with a port bordering another QoS domain
    – Trusted boundary for detecting the presence of a Cisco IP Phone, trusting the CoS value received, and ensuring port security
    • Policing...
  • Page 58: Layer 3 Features

    • Static IP routing for manually building a routing table of network path information. Starting with Cisco IOS Release 12.2(58)SE, the LAN Base feature set also supports static IP routing on SVIs for 16 user-configured routes.
    • Equal-cost routing for load-balancing and redundancy...
  • Page 59 IP Base or IP Services feature set). Power over Ethernet Features
    • Ability to provide power to connected Cisco pre-standard and IEEE 802.3af-compliant powered devices from Power over Ethernet (PoE)-capable ports if the switch detects that there is no power on the circuit.
  • Page 60: Monitoring Features

    • Support for Cisco intelligent power management. The powered device and the switch negotiate through power-negotiation CDP messages for an agreed power-consumption level. The negotiation allows a high-power Cisco powered device to operate at its highest power mode.
  • Page 61 The traffic simulator includes a sophisticated scheduler that allows the user to run several tests simultaneously or periodically and over extended time periods (supported only on switches running the IP Base or IP Services feature set). For information, see the Configuring Cisco IOS IP SLAs Video Operations document at: http://www.cisco.com/en/US/docs/ios-xml/ios/ipsla/configuration/12-2se/Configuring_IP_SLAs_...
  • Page 62: Default Settings After Initial Switch Configuration

    • Switch cluster is disabled. For more information about switch clusters, see Chapter 1, “Clustering Switches,” and the Getting Started with Cisco Network Assistant, available on Cisco.com.
    • No passwords are defined. For more information, see Chapter 1, “Administering the Switch.”...
  • Page 63 Chapter 1 Overview Default Settings After Initial Switch Configuration
    • DNS is enabled. For more information, see Chapter 1, “Administering the Switch.”
    • TACACS+ is disabled. For more information, see Chapter 1, “Configuring Switch-Based Authentication.”
    • RADIUS is disabled. For more information, see Chapter 1, “Configuring Switch-Based...
  • Page 64 Chapter 1 Overview Default Settings After Initial Switch Configuration
    • Dynamic ARP inspection is disabled on all VLANs. For more information, see Chapter 1, “Configuring Dynamic ARP Inspection.”
    • IGMP snooping is enabled. No IGMP filters are applied. For more information, see Chapter 1, “Configuring IGMP Snooping and MVR.”...
  • Page 65: Network Configuration Examples

    Chapter 1 Overview Network Configuration Examples This section provides network configuration concepts and includes examples of using the switch to create dedicated network segments and interconnecting the segments through Gigabit Ethernet and 10-Gigabit Ethernet connections.
    • Design Concepts for Using the Switch, page 1-23
    •...
  • Page 66 Chapter 1 Overview Network Configuration Examples Table 1-2 Providing Network Services
    Network Demands: Efficient bandwidth usage for multimedia applications and guaranteed bandwidth for critical applications
    Suggested Design Methods:
    • Use IGMP snooping to efficiently forward multimedia and multicast traffic.
    • Use other QoS mechanisms such as packet classification, marking, scheduling, and congestion avoidance to classify traffic with the appropriate priority level, ...
  • Page 67 Chapter 1 Overview Network Configuration Examples Figure 1-1 Cost-Effective Wiring Closet (figure; labels: Catalyst multilayer switch, Gigabit Ethernet server, Layer 2 StackWise Plus switch stack)
  • Page 68 The first illustration is of an isolated high-performance workgroup, where the Catalyst 3560-X switches are connected to Catalyst 3750-X switches in the distribution layer. The second illustration is of a high-performance workgroup in the branch office, where the Catalyst 3560-X switches are connected to a router in the distribution layer.
  • Page 69 Chapter 1 Overview Network Configuration Examples Figure 1-3 High-Performance Workgroup (Gigabit-to-the-Desktop) with Catalyst 3560-X Standalone Switches (figure; labels: stacking-capable switches, access-layer standalone switches, Cisco 2600 router)
  • Page 70 Chapter 1 Overview Network Configuration Examples
    • Redundant Gigabit backbone (Figure 1-4)—Using HSRP, you can create backup paths between two Catalyst 3750-X Gigabit switches to enhance network reliability and load-balancing for different VLANs and subnets. Using HSRP also provides faster network convergence if any network failure occurs.
  • Page 71 Chapter 1 Overview Network Configuration Examples Figure 1-5 Server Aggregation (figure; labels: campus core, Catalyst 6500 switches, Catalyst 4500 multilayer switches, StackWise Plus switch stacks, StackWise switch stacks, access-layer standalone switches, server racks)
  • Page 72 500 employees. This network uses a Catalyst 3750-X-only Layer 3 switch stack or Catalyst 3560-X Layer 3 switches with high-speed connections to two routers. For network reliability and load-balancing, this network has HSRP enabled on the routers and on the switches.
  • Page 73 Each PoE switch port provides 15.4 W of power per port. The powered device, such as a Cisco IP Phone, can receive redundant power when it is also connected to an AC power source. Powered devices not connected to Catalyst PoE switches must be connected to AC power sources to receive power.
  • Page 74 Figure 1-10 shows a configuration for a network that uses only Catalyst 3560-X switches in the wiring closets and two backbone switches, such as the Catalyst 6500 switches, to aggregate up to ten wiring closets. In the wiring closet, each switch stack or switch has IGMP snooping enabled to efficiently forward multimedia and multicast traffic.
  • Page 75 Chapter 1 Overview Network Configuration Examples Figure 1-9 Catalyst 3750-X Switch Stacks in Wiring Closets in a Backbone Configuration (figure; labels: Cisco 7x00 routers, Catalyst 6500 multilayer switches, mixed hardware stack including the Catalyst 3750G Integrated...)
  • Page 76 Chapter 1 Overview Network Configuration Examples Figure 1-10 Catalyst 3560-X Switches in Wiring Closets in a Backbone Configuration (figure; labels: Cisco 7x00 routers, Catalyst 6500 multilayer switches, standalone switches, IEEE 802.3af-compliant powered device (such as a web cam))
  • Page 77 Chapter 1 Overview Network Configuration Examples Multidwelling Network Using Catalyst 3750-X Switches A growing segment of residential and commercial customers are requiring high-speed access to Ethernet metropolitan-area networks (MANs). Figure 1-11 shows a configuration for a Gigabit Ethernet MAN ring using multilayer switch stacks as aggregation switches in the mini-point-of-presence (POP) location.
  • Page 78 The CWDM OADM modules on the receiving end separate (or demultiplex) the different wavelengths. For more information about the CWDM SFP modules and CWDM OADM modules, see the Cisco CWDM GBIC and CWDM SFP Installation Note. Catalyst 3750-X and 3560-X Switch Software Configuration Guide...
  • Page 79: Where To Go Next

    • Chapter 1, “Using the Command-Line Interface”
    • Chapter 1, “Assigning the Switch IP Address and Default Gateway”
    To locate and download MIBs for a specific Cisco product and release, use the Cisco MIB Locator: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
  • Page 81: Understanding Command Modes

    CHAPTER Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your standalone Catalyst 3750-X or 3560-X switch or a Catalyst 3750-X switch stack, referred to as the switch.
  • Page 82 Chapter 1 Using the Command-Line Interface Understanding Command Modes Table 1-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the hostname Switch. Table 1-1 Command Mode Summary Mode...
  • Page 83: Understanding The Help System

    Chapter 1 Using the Command-Line Interface Understanding the Help System For more detailed information on the command modes, see the command reference guide for this release. Understanding the Help System You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode.
  • Page 84: Understanding No And Default Forms Of Commands

    Chapter 1 Using the Command-Line Interface Understanding no and default Forms of Commands Understanding no and default Forms of Commands Almost every configuration command also has a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface.
  • Page 85: Using Command History

    You can choose to have the notifications sent to the syslog. For more information, see the “Configuration Change Notification and Logging” section of the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4: http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_config-logger_ps6350_TS...
  • Page 86: Recalling Commands

    Chapter 1 Using the Command-Line Interface Using Editing Features Recalling Commands To recall commands from the history buffer, perform one of the actions listed in Table 1-4. These actions are optional. Table 1-4 Recalling Commands Action Result Press Ctrl-P or the up arrow key. Recall commands in the history buffer, beginning with the most recent command.
  • Page 87: Editing Commands Through Keystrokes

    Chapter 1 Using the Command-Line Interface Using Editing Features To re-enable the enhanced editing mode for the current terminal session, enter this command in privileged EXEC mode: Switch# terminal editing To reconfigure a specific line to have enhanced editing mode, enter this command in line configuration mode: Switch(config-line)# editing Editing Commands through Keystrokes...
  • Page 88: Editing Command Lines That Wrap

    Chapter 1 Using the Command-Line Interface Using Editing Features Table 1-5 Editing Commands through Keystrokes (continued)
    Capability / Keystroke / Purpose
    Keystroke: Press Esc L. Purpose: Change the word at the cursor to lowercase.
    Keystroke: Press Esc U. Purpose: Capitalize letters from the cursor to the end of the word.
    Capability: Designate a particular keystroke as ... Keystroke: Press Ctrl-V or Esc Q.
  • Page 89: Searching And Filtering Output Of Show And More Commands

    Chapter 1 Using the Command-Line Interface Searching and Filtering Output of show and more Commands After you complete the entry, press Ctrl-A to check the complete syntax before pressing the Return key to execute the command. The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right: Switch(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1$ The software assumes you have a terminal screen that is 80 columns wide.
  • Page 90: Accessing The Cli Through A Console Connection Or Through Telnet

    Chapter 1 Using the Command-Line Interface Accessing the CLI To debug a specific stack member, you can access it from the stack master by using the session stack-member-number privileged EXEC command. The stack member number is appended to the system prompt.
  • Page 91: Understanding Cisco Configuration Engine Software

    Note For complete configuration information for the Cisco Configuration Engine: http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.html For complete syntax and usage information for the commands used in this chapter, go to the Cisco IOS Network Management Command Reference, Release 12.4 http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_book.html This chapter consists of these sections:
    • Understanding Cisco Configuration Engine Software, page 1-1
    •...
  • Page 92: Configuration Service

    (LDAP) URLs that reference the device-specific configuration information stored in a directory. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
  • Page 93: Event Service

    ID, and event. Cisco IOS devices recognize only event subject-names that match those configured in Cisco IOS software; for example, cisco.cns.config.load. You can use the namespace mapping service to designate events by using any desired naming convention.
  • Page 94 Therefore, the DeviceID, as originated on the switch, must match the DeviceID of the corresponding switch definition in the Configuration Engine. The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID variable and its usage reside within the event gateway adjacent to the switch.
  • Page 95: Understanding Cisco Ios Agents

    Understanding Cisco IOS Agents The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. The Cisco IOS agent feature supports the switch by providing these features: •...
  • Page 96: Synchronized Configuration

    NVRAM for use at the next reboot. Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 1-6.
  • Page 97 Note For more information about running the setup program and creating templates on the Configuration Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1.5 for Linux http://www.cisco.com/en/US/docs/net_mgmt/configuration_engine/1.5/installation_linux/guide/setup_1.html
  • Page 98: Enabling The Cns Event Agent

    Chapter 1 Configuring Cisco IOS Configuration Engine Configuring Cisco IOS Agents Enabling the CNS Event Agent Note You must enable the CNS event agent on the switch before you enable the CNS configuration agent. Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:...
  • Page 99: Enabling The Cisco Ios Cns Agent

    Configuring Cisco IOS Configuration Engine Configuring Cisco IOS Agents Enabling the Cisco IOS CNS Agent After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands: •...
  • Page 100 Chapter 1 Configuring Cisco IOS Configuration Engine Configuring Cisco IOS Agents Command Purpose Step 7 discover {controller controller-type | dlci [subinterface subinterface-number] | interface [interface-type] | line line-type}: Specify the interface parameters in the CNS connect profile.
    • For controller controller-type, enter the controller type.
  • Page 101 Chapter 1 Configuring Cisco IOS Configuration Engine Configuring Cisco IOS Agents Command Purpose Step 13 cns id interface num {dns-reverse | ipaddress | mac-address} [event] [image]: (Optional) Set the unique EventID or ConfigID used by the Configuration Engine.
    • For interface num, enter the type of interface–for...
  • Page 102 Verify your entries. To disable the CNS Cisco IOS agent, use the no cns config initial {ip-address | hostname} global configuration command. This example shows how to configure an initial configuration on a remote switch when the switch configuration is unknown (the CNS Zero Touch feature).
  • Page 103: Enabling A Partial Configuration

    RemoteSwitch(config)# cns id ethernet 0 ipaddress
    RemoteSwitch(config)# cns config initial 172.28.129.22 no-persist
    Enabling a Partial Configuration Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch: Command...
  • Page 104: Displaying Cns Configuration

    Displaying CNS Configuration Command Purpose show cns config connections Displays the status of the CNS Cisco IOS agent connections. show cns config outstanding Displays information about incremental (partial) CNS configurations that have started but are not yet completed. show cns config stats Displays statistics about the Cisco IOS agent.
  • Page 105: Understanding The Boot Process

    Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.4. This chapter consists of these sections:
    • Understanding the Boot Process, page 1-1
    •...
  • Page 106: Assigning Switch Information

    Chapter 1 Assigning the Switch IP Address and Default Gateway Assigning Switch Information The normal boot process involves the operation of the boot loader software and includes these activities:
    • Performs low-level CPU initialization. It initializes the CPU registers, which control where physical...
  • Page 107: Default Switch Information

    Chapter 1 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Note Stack members retain their IP address when you remove them from a switch stack. To avoid a conflict by having two devices with the same IP address in your network, change the IP address of the switch that you removed from the switch stack.
  • Page 108: Dhcp Client Request Process

    Chapter 1 Assigning the Switch IP Address and Default Gateway Assigning Switch Information With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your switch. However, you need to configure the DHCP server for various lease options associated with IP addresses. If you are using DHCP to relay the configuration file location on the network, you might also need to configure a Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server.
  • Page 109 Chapter 1 Assigning the Switch IP Address and Default Gateway Assigning Switch Information The DHCP server sends the client a DHCPNAK denial broadcast message, which means that the offered configuration parameters have not been assigned, that an error has occurred during the negotiation of the parameters, or that the client has been slow in responding to the DHCPOFFER message (the DHCP server assigned the parameters to another client).
  • Page 110 • Example Configuration, page 1-10. Note: If your DHCP server is a Cisco device, for additional information about configuring DHCP, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.4.
  • Page 111 TFTP requests. Unavailability of other lease options does not affect autoconfiguration. • The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent...
  • Page 112: Configuring The Dns

    If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 113 Figure 1-2 Relay Device Used in Autoconfiguration (figure: the switch as DHCP client, a Cisco router as relay, and the DHCP server, TFTP server, and DNS server; addresses shown are 10.0.0.2, 10.0.0.1, 20.0.0.1, 20.0.0.2, 20.0.0.3, and 20.0.0.4). Obtaining Configuration Files...
  • Page 114 Figure 1-3 DHCP-Based Autoconfiguration Network Example (figure: Switch 1 through Switch 4 with MAC addresses 00e0.9f1e.2001 through 00e0.9f1e.2004, a Cisco router, and the DHCP server, DNS server, and TFTP server (tftpserver); addresses shown are 10.0.0.10, 10.0.0.1, 10.0.0.2, and 10.0.0.3). Table 1-2 shows the configuration of the reserved leases on the DHCP server.
  • Page 115: Configuring The Dhcp Auto Configuration And Image Update Features

    TFTP Server Configuration (on UNIX) The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method. This file contains the hostname to be assigned to the switch based on its IP address.
  • Page 116 Command / Purpose. Step 4 network network-number mask prefix-length: Specify the subnet network number and mask of the DHCP address pool. Note: The prefix length specifies the number of bits that comprise the address prefix.
  • Page 117 Return to global configuration mode. Step 11 tftp-server flash:config.text: Specify the Cisco IOS configuration file on the TFTP server. Step 12 tftp-server flash:imagename.tar: Specify the image name on the TFTP server. Step 13 tftp-server flash:filename.txt: Specify the text file that contains the name of the image file to download...
  • Page 118: Configuring The Client

    Configuring the Client Beginning in privileged EXEC mode, follow these steps to configure a switch to download a configuration file and new image from a DHCP server: Command Purpose Step 1...
  • Page 119: Manually Assigning Ip Information

    Manually Assigning IP Information Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs). Note: If the switch is running the IP services feature set, you can also manually assign IP information to a port if you first put the port into Layer 3 mode by using the no switchport interface configuration command.
  • Page 120: Checking And Saving The Running Configuration

    EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix 1, “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Catalyst 3750-X and 3560-X Switch Software Configuration Guide...
  • Page 121: Configuring The Nvram Buffer Size

    Configuring the NVRAM Buffer Size The default NVRAM buffer size is 512 KB. In some cases, the configuration file might be too large to save to NVRAM.
  • Page 122: Modifying The Startup Configuration

    The Cisco IOS image is stored in a directory that has the same name as the image file (excluding the .bin extension).
  • Page 123: Specifying The Filename To Read And Write The System Configuration

    Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot cycle.
  • Page 124: Booting A Specific Software Image

    Command / Purpose. Step 4 show boot: Verify your entries. The boot manual global command changes the setting of the MANUAL_BOOT environment variable. The next time you reboot the system, the switch is in boot loader mode, shown by the switch: prompt.
  • Page 125: Controlling Environment Variables

    Environment variables store two kinds of data: • Data that controls code, which does not read the Cisco IOS configuration file. For example, the name of a boot loader helper file, which extends or patches the functionality of the boot loader, can be stored as an environment variable.
  • Page 126 You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
  • Page 127: Scheduling A Reload Of The Software Image

    Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image Table 1-4 Environment Variables (continued) Variable Boot Loader Command Cisco IOS Global Configuration Command SWITCH_NUMBER set SWITCH_NUMBER switch current-stack-member-number renumber stack-member-number new-stack-member-number Changes the member number of a stack Changes the member number of a stack member.
  • Page 128: Configuring A Scheduled Reload

    Configuring a Scheduled Reload To configure your switch to reload the software image at a later time, use one of these commands in privileged EXEC mode: •...
  • Page 129: Displaying Scheduled Reload Information

    • Use signed and validated images. • Cisco IOS Release 15.0(2)SE1 supports an updated boot loader that can validate the Cisco IOS image signature only in the FIPS mode of operation. Ensure that the power is not turned off while updating the boot loader. If the power is turned...
  • Page 130 Scenario: Upgrade from an image that is in the FIPS mode to a Cisco IOS Release 15.0(2)SE1 image in the ... Action: Boot with the Cisco IOS Release 15.0(2)SE1 image. Status or Result: • The boot loader is upgraded. • The image signature is verified. •...
  • Page 131 “WARNING: Unable to determine image authentication. Image is either unsigned or is signed but corrupted.” Scenario: Downgrade from a Cisco IOS ... Action: • Configure the no fips authoriza- ... Status or Result: • The boot loader is not downgraded.
  • Page 132 Boot Loader Upgrade and Image Verification for the FIPS Mode of Operation
  • Page 133: Managing Switch Stacks

    This chapter describes how to manage Catalyst 3750-X-only switch stacks. Note: For information about managing hardware and software stacks and about using universal software images with software licenses, see the Cisco IOS Software Installation document on Cisco.com.
  • Page 134: Understanding Switch Stacks

    The Catalyst 3750-E stack members use the Cisco StackWise Plus technology to work together as a unified system. Layer 2 and Layer 3 protocols present the entire switch stack as a single entity to the network.
  • Page 135 Encryption features are unavailable if the stack master is running the IP base or IP services feature set and the noncryptographic software image. Note: In a mixed stack, Catalyst 3750 or Catalyst 3750-E switches running Cisco IOS Release 12.2(53)SE and earlier could be running a noncryptographic image.
  • Page 136: Switch Stack Membership

    Note their LAN ports, such as the 10/100/1000 ports. For more information about how switch stacks differ from switch clusters, see the “Planning and Creating Clusters” chapter in the Getting Started with Cisco Network Assistant on Cisco.com. Switch Stack Membership A switch stack has up to nine stack members connected through their StackWise Plus ports.
  • Page 137 port LEDs on all switches in the stack should be green. Depending on the switch model, the last two right ports are 10-Gigabit Ethernet ports or small form-factor pluggable (SFP) module ports (10/100/1000 ports).
  • Page 138 Note: The noncryptographic images apply only to mixed stacks that include Catalyst 3750-E or 3750 switches running Cisco IOS Release 12.2(53)SE or earlier. Catalyst 3750-X switches and Catalyst 3750-E or 3750 switches running later releases support only the cryptographic image.
  • Page 139: Switch Stack Bridge Id And Router Mac Address

    When you power on or reset an entire switch stack, some stack members might not participate in the stack master election. Stack members that are powered on within the same 120-second time frame participate in the stack master election and have a chance to become the stack master.
  • Page 140: Stack Member Priority Values

    If you manually change the number of a stack member and no interface-level configuration is associated with that new member number, that stack member resets to its default configuration. For more information about stack member numbers and configurations, see the “Switch Stack Configuration Files”...
  • Page 141 administratively shut down, and the no shutdown interface configuration command does not return it to active service. The interface associated with the provisioned switch does not appear in the display of the specific feature;...
  • Page 142 Table 1-1 Results of Comparing the Provisioned Configuration with the Provisioned Switch (continued). Scenario: The stack member number of the provisioned switch is in ... Result: The stack master assigns a new stack member number to the provisioned switch. The switch stack applies the provisioned ...
  • Page 143: Hardware Compatibility And Sdm Mismatch Mode In Switch Stacks

    “Hardware Compatibility and SDM Mismatch Mode in Switch Stacks” section on page 1-11. All stack members must run the same Cisco IOS software image and feature set to ensure compatibility between stack members. For example, all stack members should run the universal software image and have the IP services feature set enabled for the Cisco IOS Release 12.2(53)SE2 or later.
  • Page 144: Stack Protocol Version Compatibility

    You can display the stack protocol version by using the show platform stack-manager all privileged EXEC command. Switches with the same Cisco IOS software version have the same stack protocol version. Such switches are fully compatible, and all features function properly across the switch stack. Switches with the same Cisco IOS software version as the stack master immediately join the switch stack.
  • Page 145 Auto-copy automatically copies the software image running on any stack member to the switch in VM mode to upgrade (auto-upgrade) it. Auto-copy occurs if auto-upgrade is enabled, if there is enough flash memory in the switch in VM mode, and if the software image running on the switch stack is suitable for the switch in VM mode.
  • Page 146
    *Mar 11 20:31:19.247:%STACKMGR-6-STACK_LINK_CHANGE:Stack Port 2 Switch 2 has changed to state UP
    *Mar 11 20:31:23.232:%STACKMGR-6-SWITCH_ADDED_VM:Switch 1 has been ADDED to the stack (VERSION_MISMATCH)
    *Mar 11 20:31:23.291:%STACKMGR-6-SWITCH_ADDED_VM:Switch 1 has been ADDED to the stack (VERSION_MISMATCH) (Stack_1-3)
    *Mar 11 20:33:23.248:%IMAGEMGR-6-AUTO_COPY_SW_INITIATED:Auto-copy-software process initiated for switch number(s) 1...
  • Page 147: Incompatible Software And Stack Member Image Upgrades

    EXEC command, the proper directory structure is not created. For more information about the info file, see the “File Format of Images on a Server or Cisco.com” section on page 1-26. Incompatible Software and Stack Member Image Upgrades You can upgrade a switch that has an incompatible universal software image by using the archive copy-sw privileged EXEC command.
  • Page 148: Switch Stack Configuration Files

    Additional Considerations for System-Wide Configuration on Switch Stacks These sections provide additional considerations for configuring system-wide features on switch stacks: • “Planning and Creating Clusters” chapter in the Getting Started with Cisco Network Assistant, available on Cisco.com • “MAC Addresses and Switch Stacks” section on page 1-14 •...
  • Page 149: Switch Stack Management Connectivity

    • “Private VLANs and Switch Stacks” section on page 1-5 • “Spanning Tree and Switch Stacks” section on page 1-12 • “MSTP and Switch Stacks” section on page 1-8 • “DHCP Snooping and Switch Stacks” section on page 1-7 •...
  • Page 150: Connectivity To Specific Stack Members

    Note: The noncryptographic software image was available only on Catalyst 3750 or Catalyst 3750-E switches running Cisco IOS Release 12.2(53)SE and earlier. The Catalyst 3750-X switches run only the cryptographic software image. Connectivity to the Switch Stack Through Console Ports or Ethernet Management Ports...
  • Page 151: Switch Stack Configuration Scenarios

    ... software image and the IP services feature set; the cryptographic image installed and the IP services feature set enabled; and that the other stack member has the IP services feature set. Note: Only Catalyst 3650-E or 3750 switches running Cisco IOS Release 12.2(53)SE or earlier could be running the noncryptographic image.
  • Page 152 ... software image and the IP base feature set; the cryptographic image installed and the IP base feature set enabled; and that the other stack member has the IP base feature set. Note: Only Catalyst 3650-E or 3750 switches running Cisco IOS Release 12.2(53)SE or earlier could be running the noncryptographic image.
  • Page 153: Stack Configuration

    Rolling Stack Upgrade After you upgrade or downgrade a stack, it reloads, and the connected hosts lose network connectivity. Use the rolling stack upgrade feature to minimize the network disruption only when your stack has redundant links.
  • Page 154 Enter the archive download-sw /rolling-stack-upgrade privileged EXEC command to start the stack upgrade. During the upgrade, you can display the member upgrade sequence or the upgrade status on a member that is not being upgraded. This process occurs in the software: The stack is split into the unupgraded and the upgraded stacks.
  • Page 155 Figure 1-5 Stack Port 1 on Member 1 is Connected to Member 2 (figure: Members 1 through 6, Stack Port 1 and Stack Port 2 on Member 1, a dual-attached host, and a standby switch)...
  • Page 156: Configuring The Switch Stack

    Configuring the Switch Stack These sections contain this configuration information: • Default Switch Stack Configuration, page 1-24 • Enabling Persistent MAC Address, page 1-24 • Assigning Stack Member Information, page 1-26 • Running a Rolling Stack Update, page 1-28 •...
  • Page 157 • If you enter a time delay of 1 to 60 minutes, the stack MAC address of the previous stack master is used until the configured time period expires or until you enter the no stack-mac persistent timer command.
  • Page 158: Assigning Stack Member Information

    WARNING: ... not appear elsewhere in this network domain. If it does,
    WARNING: user traffic may be blackholed.
    Switch(config)# end
    Switch# show switch
    Switch/Stack Mac Address : 0016.4727.a900
    Mac persistency wait time: 7 mins
    Current Switch# Role...
  • Page 159 Beginning in privileged EXEC mode, follow these steps to assign a priority value to a stack member. This procedure is optional. Command / Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 switch stack-member-number priority: Specify the stack member number and the new priority for the stack...
  • Page 160 To remove provisioned information and to avoid receiving an error message, remove the specified switch from the stack before you use the no form of this command. For example, if you are removing a provisioned switch in a stack with this configuration: • The stack has four members...
  • Page 161 Command / Purpose. Step 6 rsu {active | standby}: On another member, configures the other half of the redundant uplink, and assigns the other role to the member interface. • active—Sets the interface to active. •...
  • Page 162: Accessing The Cli Of A Specific Stack Member

    Switch# show switch stack-upgrade status
    Upgrade Time Remaining: 21 minutes
    Unupgraded Stack:
    Switch# Status
    Reload In Progress
    RSU in Progress
    RSU in Progress
    Upgraded Stack:
    Switch# Status
    Switch#
    Accessing the CLI of a Specific Stack Member Note...
  • Page 163: Troubleshooting Stacks

    Table 1-4 Commands for Displaying Stack Information (continued). Command: show switch stack-ports [summary]. Description: Display port information for the stack. Use the summary keyword to display the stack cable length, the stack link status, and the loopback status.
  • Page 164 Re-Enabling a Stack Port While Another Member Starts Stack Port 1 on Switch 1 is connected to Port 2 on Switch 4. If Port 1 is flapping, disable Port 1 with the switch 1 stack port 1 disable privileged EXEC command. While Port 1 on Switch 1 is disabled and Switch 1 is still powered on: Disconnect the stack cable between Port 1 on Switch 1 and Port 2 on Switch 4.
  • Page 165: Identifying Loopback Problems

    Table 1-5 show switch stack-ports summary Command Output (continued). Field: Link OK. Description: This shows if the link is stable. The link partner is a stack port on a neighbor switch. • No—The link partner receives invalid protocol messages from the...
  • Page 166: Software Loopback

    Software Loopback In a stack with three members, stack cables connect all the members.
    Switch# show switch stack-ports summary
    Switch#/ Stack Neighbor Cable Link Link Sync
    Port# Port Length Active Changes Loopback Status To LinkOK
    -------- ------...
  • Page 167 Software Loopback Example: No Connected Stack Cable Catalyst 3750 switch port status:
    Switch# show switch stack-ports summary
    Switch#/ Stack Neighbor Cable Link Link Sync
    Port# Port Length Active Changes Loopback Status To LinkOK
    -------- ------ --------...
  • Page 168: Hardware Loopback

    Hardware Loopback The show platform stack ports buffer privileged EXEC command output shows the hardware loopback values.
    Switch# show platform stack ports buffer
    Stack Debug Event Data Trace
    ==============================================================
    Event type LINK: Link status change
    Event type RAC: RAC changes to Not OK
    Event type SYNC: Sync changes to Not OK
    ==============================================================...
  • Page 169 On a Catalyst 3750-E or 3750-X switch:
    Switch# show platform stack ports buffer
    Stack Debug Event Data Trace
    ==============================================================
    Event type LINK: Link status change
    Event type RAC: RAC changes to Not OK
    Event type SYNC: Sync changes to Not OK
    ==============================================================
    Event...
  • Page 170: Finding A Disconnected Stack Cable

    Event type LINK: Link status change
    Event type RAC: RAC changes to Not OK
    Event type SYNC: Sync changes to Not OK
    ==============================================================
    Event Stack Stack PCS Info Ctrl-Status Loopback Cable
    Count Port IOS / HW length
    =========...
  • Page 171: Fixing A Bad Connection Between Stack Ports

    This is now the port status:
    Switch# show switch stack-ports summary
    Switch#/ Stack Neighbor Cable Link Link Sync
    Port# Port Length Active Changes Loopback Status To LinkOK
    -------- ------ -------- -------- ---- ------ ---- --------- --------...
  • Page 173: Clustering Switches

    Network Assistant has a Cluster Conversion Wizard to help you convert a cluster to a community. For more information about Network Assistant, including introductory information on managing switch clusters and converting a switch cluster to a community, see Getting Started with Cisco Network Assistant, available on Cisco.com.
  • Page 174: Understanding Switch Clusters

    The switches can be in the same location, or they can be distributed across a Layer 2 or Layer 3 (if your cluster is using a Catalyst 3560, Catalyst 3750, Catalyst 3560-E, Catalyst 3750-E, Catalyst 3560-X, or Catalyst 3750-X switch as a Layer 3 router between the Layer 2 switches in the cluster) network.
  • Page 175: Cluster Command Switch Characteristics

    • It has an IP address. • It has Cisco Discovery Protocol (CDP) Version 2 enabled (the default). • It is not a command or cluster member switch of another cluster. • It is connected to the standby cluster command switches through the management VLAN and to the cluster member switches through a common VLAN.
  • Page 176: Candidate Switch And Cluster Member Switch Characteristics

    Note: Standby cluster command switches must be the same type of switches as the cluster command switch. For example, if the cluster command switch is a Catalyst 3750-E switch, the standby cluster command switches must also be Catalyst 3750-E switches. See the switch configuration guide of other cluster-capable switches for their requirements on standby cluster command switches.
  • Page 177: Automatic Discovery Of Cluster Candidates And Members

    Java plug-in configurations. Automatic Discovery of Cluster Candidates and Members The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
  • Page 178 Discovery Through Non-CDP-Capable and Noncluster-Capable Devices If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 179 Discovery Through Different VLANs If the cluster command switch is a Catalyst 3560-E, Catalyst 3750-E, Catalyst 3560-X, or Catalyst 3750-X switch, the cluster can have cluster member switches in different VLANs. As cluster member switches, they must be connected through at least one VLAN in common with the cluster command switch.
  • Page 180: Discovery Through Routed Ports

    Catalyst 2960, Catalyst 2970, Catalyst 3550, Catalyst 3560, Catalyst 3560-E, Catalyst 3750, Catalyst 3750-E, Catalyst 3560-X, or Catalyst 3750-X cluster command switches) have ports assigned to VLANs 9, 16, and 62. The management VLAN on the cluster command switch is VLAN 9. Each...
  • Page 181: Discovery Of Newly Installed Switches

    Figure 1-5 Discovery Through Routed Ports (figure: command device with ports in VLAN 9 and VLAN 62, member device 7 with management VLAN 62, and VLAN 4). Discovery of Newly Installed Switches To join a cluster, the new, out-of-the-box switch must be connected to the cluster through one of its access ports.
  • Page 182: Hsrp And Standby Cluster Command Switches

    HSRP and Standby Cluster Command Switches The switch supports Hot Standby Router Protocol (HSRP) so that you can configure a group of standby cluster command switches. Because a cluster command switch manages the forwarding of all communication and configuration information to all the cluster member switches, we strongly recommend the following: For a cluster command switch stack, a standby cluster command switch is necessary if the entire...
  • Page 183 Virtual IP Addresses You need to assign a unique virtual IP address and group number and name to the cluster standby group. This information must be configured on a specific VLAN or routed port on the active cluster command switch.
  • Page 184 • the same VLAN. In this example, the cluster command switch and standby cluster command switches are Catalyst 3560-E, Catalyst 3750-E, Catalyst 3560-X, or Catalyst 3750-X cluster command switches. Each standby-group member must also be redundantly connected to each other through at least one VLAN in common with the switch cluster.
  • Page 185 This limitation applies to all clusters: • If the active cluster command switch fails and there are more than two switches in the cluster standby group, the new cluster command switch does not discover any Catalyst 1900, Catalyst 2820, and Catalyst 2916M XL cluster member switches.
  • Page 186 Passwords You do not need to assign passwords to an individual switch if it will be a cluster member. When a switch joins a cluster, it inherits the command-switch password and retains it when it leaves the cluster. If no command-switch password is configured, the cluster member switch inherits a null password.
  • Page 187 Table 1-2 Basic Comparison of Switch Stacks and Switch Clusters (continued). Switch Stack: Can be a cluster command switch or a cluster member switch. Switch Cluster: Cannot be a stack master or stack member. Switch Stack: Stack master is the single point of complete management for all stack members in a particular switch stack. Switch Cluster: Cluster command switch is the single point of some manage-...
  • Page 188: Lre Profiles

    Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
  • Page 189: Catalyst 1900 And Catalyst 2820 Cli Considerations

    Catalyst 1900 and Catalyst 2820 CLI Considerations If your switch cluster has Catalyst 1900 and Catalyst 2820 switches running standard edition software, the Telnet session accesses the management console (a menu-driven interface) if the cluster command switch is at privilege level 15.
  • Page 190 Figure 1-8 SNMP Management for a Cluster (figure: an SNMP manager receiving Trap 1, Trap 2, and Trap 3 through the command switch from Member 1, Member 2, and Member 3)
  • Page 191: Managing The System Time And Date

    You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.4. These sections contain this configuration information: •...
  • Page 192: Understanding The System Clock

    Understanding the System Clock The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time. The system clock can then be set from these sources: •...
  • Page 193 Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 194: Ntp Version 4

    “Disabling NTPv4 Services on a Specific Interface” section of the “Implementing NTPv4 in IPv6” chapter of the Cisco IOS IPv6 Configuration Guide, Release 12.4T. For details about configuring NTPv4, see the “Implementing NTPv4 in IPv6” chapter of the Cisco IOS IPv6 Configuration Guide, Release 12.4T.
  • Page 195 Beginning in privileged EXEC mode, follow these steps to set the system clock: Command / Purpose. Step 1 clock set hh:mm:ss day month year: Manually set the system clock using one of these formats. •...
  • Page 196 Command / Purpose. Step 4 show running-config: Verify your entries. Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file. The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC.
  • Page 197: Configuring A System Name And Prompt

    Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events): Command Purpose Step 1...
  • Page 198: Default System Name And Prompt Configuration

    For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.4 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.4.
  • Page 199 To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the hostnames, specify the name server that is present on your network, and enable the DNS.
  • Page 200: Creating A Banner

    If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
  • Page 201 Chapter 1 Administering the Switch Creating a Banner Configuring a Message-of-the-Day Login Banner You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: Command Purpose Step 1...
  • Page 202: Configuring A Login Banner

    Chapter 1 Administering the Switch Managing the MAC Address Table Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner: Command Purpose Step 1...
  • Page 203: Building The Address Table

    Chapter 1 Administering the Switch Managing the MAC Address Table These sections contain this configuration information:
    • Building the Address Table, page 1-13
    • MAC Addresses and VLANs, page 1-13
    • MAC Addresses and Switch Stacks, page 1-14
    • Default MAC Address Table Configuration, page 1-14
    • ...
  • Page 204: Mac Addresses And Switch Stacks

    Chapter 1 Administering the Switch Managing the MAC Address Table When private VLANs are configured, address learning depends on the type of MAC address: Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated •...
  • Page 205: Removing Dynamic Address Entries

    Chapter 1 Administering the Switch Managing the MAC Address Table Beginning in privileged EXEC mode, follow these steps to configure the dynamic address table aging time: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac address-table aging-time [0 | Set the length of time that a dynamic entry remains in the MAC 10-1000000] [vlan vlan-id] address table after the entry is used or updated.
  • Page 206 Chapter 1 Administering the Switch Managing the MAC Address Table Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address change notification traps to an NMS host: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server host host-addr {traps | informs} {version {1 Specify the recipient of the trap message.
  • Page 207: Configuring Mac Address Move Notification Traps

    Chapter 1 Administering the Switch Managing the MAC Address Table Command Purpose Step 9 show mac address-table notification change interface Verify your entries. show running-config Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable MAC address-change notification traps, use the no snmp-server enable traps mac-notification change global configuration command.
  • Page 208: Configuring Mac Threshold Notification Traps

    Chapter 1 Administering the Switch Managing the MAC Address Table Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address-move notification traps to an NMS host: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server host host-addr {traps | informs} Specify the recipient of the trap message.
  • Page 209 Chapter 1 Administering the Switch Managing the MAC Address Table Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address table threshold notification traps to an NMS host: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 210: Adding And Removing Static Address Entries

    Chapter 1 Administering the Switch Managing the MAC Address Table You can verify your settings by entering the show mac address-table notification threshold privileged EXEC commands. Adding and Removing Static Address Entries A static address has these characteristics: • It is manually entered in the address table and must be manually removed. It can be a unicast or multicast address.
  • Page 211: Configuring Unicast Mac Address Filtering

    Chapter 1 Administering the Switch Managing the MAC Address Table This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded to the specified port: Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 interface gigabitethernet0/1...
  • Page 212: Disabling Mac Address Learning On A Vlan

    Chapter 1 Administering the Switch Managing the MAC Address Table Command Purpose Step 4 show mac address-table static Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable unicast MAC address filtering, use the no mac address-table static mac-addr vlan vlan-id global configuration command.
  • Page 213: Displaying Address Table Entries

    Chapter 1 Administering the Switch Managing the MAC Address Table Beginning in privileged EXEC mode, follow these steps to disable MAC address learning on a VLAN: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no mac address-table learning vlan Disable MAC address learning on the specified VLAN or VLANs.
  • Page 214: Managing The Arp Table

    (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. For CLI procedures, see the Cisco IOS Release 12.4 documentation on Cisco.com. Catalyst 3750-X and 3560-X Switch Software Configuration Guide...
  • Page 215: Understanding The Sdm Templates

    C H A P T E R Configuring SDM Templates This chapter describes how to configure the Switch Database Management (SDM) templates on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 216 Chapter 1 Configuring SDM Templates Understanding the SDM Templates Use this template when configuring IPv4 static routing on SVIs on switches running the LAN Note Base feature set. You can configure up to 16 static routes. • Access—The access template maximizes system resources for access control lists (ACLs) to accommodate a large number of ACLs.
  • Page 217: Dual Ipv4 And Ipv6 Sdm Templates

    Layer 2, ACLs, and QoS for IPv6 on the switch. With the indirect IPv4 and IPv6 routing template (introduced in Cisco IOS Release 12.2(58)SE), the switch supports more IPv6 indirect routes for deployments that do not need much direct IPv6 host route connectivity.
  • Page 218: Sdm Templates And Switch Stacks

    Chapter 1 Configuring SDM Templates Understanding the SDM Templates Table 1-2 Approximate Feature Resources Allowed by Dual IPv4-IPv6 Templates (continued) Dual IPv4-and IPv6 Templates Indirect IPv4 and Resource Default VLAN Routing IPv6 Routing Total IPv4 unicast routes: 2.7 K Directly connected IPv4 hosts 1.5 K •...
  • Page 219: Configuring The Switch Sdm Template

    On switches running the LAN Base feature set, none of the routing values shown for the templates are valid. Beginning with Cisco IOS Release 12.2(58)SE, the LAN Base feature set supports configuration of 16 static IPv4 routes on SVIs. Use the default template when configuring static routing on switches running the LAN Base feature set.
  • Page 220: Setting The Sdm Template

    Chapter 1 Configuring SDM Templates Configuring the Switch SDM Template Setting the SDM Template To configure an SDM template, follow these steps beginning in privileged EXEC mode: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 sdm prefer {access | default | Specify the SDM template to be used on the switch.
  • Page 221: Displaying The Sdm Templates

    Chapter 1 Configuring SDM Templates Displaying the SDM Templates number of directly connected hosts: number of indirect routes: number of qos aces: 0.5K number of security aces: On next reload, template will be “desktop vlan” template. To return to the default template, use the no sdm prefer global configuration command. This example shows how to configure a switch running the IP Base or IP Services feature set with the routing template: Switch(config)# sdm prefer routing...
  • Page 222 Chapter 1 Configuring SDM Templates Displaying the SDM Templates (show sdm prefer output, continued; values other than those shown did not survive extraction)
      number of unicast mac addresses:
      number of igmp groups + multicast routes:
      number of unicast routes:
        number of directly connected hosts:
        number of indirect routes:
      number of policy based routing aces:   0.5K
      number of qos aces:                    0.5K...
  • Page 223 Switches in a power stack must be members of the same switch (data) stack. The Cisco eXpandable Power System (XPS) 2200 is a standalone power system that you can connect to Catalyst 3560-X and Catalyst 3750-X switches that are running Cisco IOS Release 12.2(55)SE1 and later.
  • Page 224: Understanding Cisco Stackpower

    Chapter 1 Configuring Catalyst 3750-X StackPower Understanding Cisco StackPower Configuring Cisco StackPower, page 1-6 • Understanding Cisco StackPower Some reasons for connecting individual switches in a power stack are: In case of power supply failure, if there is enough spare power budget in the rest of the power stack, •...
  • Page 225 This command is visible only on PoE ports. Note Although the power inline port priority {high | low} command is visible on the Catalyst 3560-X switch PoE ports, it has no effect because Catalyst 3560-X switches do not participate in StackPower.
  • Page 226 For example, in a power stack with four 1100 W power supplies, the power stack can lose two 1100 W power supplies and continue to operate. In addition, Cisco StackPower can support a loss of more than one-half of the total input power when the power supply failures are more than five minutes apart.
  • Page 227 Chapter 1 Configuring Catalyst 3750-X StackPower Understanding Cisco StackPower (sample power-status output, truncated)
      Temperature State: GREEN
      Yellow Threshold : 49 Degree Celsius
      Red Threshold    : 59 Degree Celsius
      Serial#           Status       Sys Pwr    PoE Pwr    Watts
      ----------------- ------------ ---------- ---------- -----
      NG3K-PWR-715WAC   LIT133705FH  Good...
  • Page 228: Configuring Cisco Stackpower

    Switch: 2 Switch: 1 Configuring Cisco StackPower Configuring Cisco StackPower includes these tasks: • Identifying a stack ID and setting the power stack mode for the power stack to power sharing or redundant with a strict or non-strict (loose) adherence to the power budget. See the “Configuring...
  • Page 229 Chapter 1 Configuring Catalyst 3750-X StackPower Configuring Cisco StackPower For information about configuring the XPS 2200, see the configuration notes on Cisco.com: http://www.cisco.com/en/US/docs/switches/power_supplies/xps2200/software/configuration/note/ol24241.html Note A stack power member switch that does not have a PSU connected in Slot A or Slot B might fail during a Cisco IOS upgrade.
  • Page 230 Chapter 1 Configuring Catalyst 3750-X StackPower Configuring Cisco StackPower Configuring Power Stack Switch Power Parameters Beginning in privileged EXEC mode, follow these steps to configure a switch in a power stack: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 231 Chapter 1 Configuring Catalyst 3750-X StackPower Configuring Cisco StackPower Configuring PoE Port Priority Beginning in privileged EXEC mode, follow these steps to configure the priority of a PoE port on a switch: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 233: Preventing Unauthorized Access To Your Switch

    C H A P T E R Configuring Switch-Based Authentication This chapter describes how to configure switch-based authentication on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 234: Protecting Access To Privileged Exec Commands

    Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device. For complete syntax and usage information for the commands used in this section, see the Cisco IOS Note Security Command Reference, Release 12.4.
  • Page 235: Setting Or Changing A Static Enable Password

    Chapter 1 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Setting or Changing a Static Enable Password The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password: Command Purpose Step 1...
  • Page 236 By default, no password is defined. • (Optional) For encryption-type, types 9, 8, and 5 are available. These are one-way hash formats, not reversible encryption: type 5 is a salted MD5-based hash, type 8 is PBKDF2 with SHA-256, and type 9 is scrypt. If you specify an encryption type, you must provide an already-hashed password string, that is, one copied from another switch configuration; the switch does not hash the value again.
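    The distinction the guide draws between enable password and enable secret is the security point of this section: an enable password line, even after service password-encryption turns it into a Type 7 string, is reversible by anyone who can read the configuration, while the Type 5, 8 and 9 formats are one-way hashes. The following Python is an added example, not code from the guide or from Cisco. It reverses a Type 7 string using the long-published fixed Type 7 key stream and then classifies enable and username lines from a running-config as cleartext, reversible or one-way. The sample lines, the Type 7 string 0822455D0A16 and the helper names (classify_password_line, audit_config) are constructed for this example.

```python
import re

# Cisco's fixed Type 7 key stream, public for decades; the "encryption" is a
# positional XOR against it, so any Type 7 string can be reversed offline.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Hash types the guide lists for enable secret; all three are one-way.
ONE_WAY_TYPES = {"5": "salted MD5-based hash", "8": "PBKDF2-SHA-256", "9": "scrypt"}


def type7_decode(encoded):
    """Reverse a Type 7 string: two decimal seed digits, then hex bytes XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9][0-9][0-9A-Fa-f]+", encoded):
        raise ValueError("not a Type 7 string")
    seed = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode()


def type7_encode(plain, seed=8):
    """Produce what 'service password-encryption' would store; seed is the key offset (0-15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    data = plain.encode()
    out = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}" + out.hex().upper()


# Matches 'enable ...' and 'username <name> [privilege N] ...' credential lines (hypothetical helper).
_CRED_RE = re.compile(
    r"^(?:enable|username\s+\S+(?:\s+privilege\s+\d+)?)\s+(password|secret)\s+(?:(\d+)\s+)?(\S+)$"
)


def classify_password_line(line):
    """Return (strength, detail) for a credential line, or None if the line is not one.

    strength is 'cleartext', 'reversible' (Type 7; detail is the recovered password),
    'one-way' (detail names the hash) or 'unknown'.
    """
    m = _CRED_RE.match(line.strip())
    if not m:
        return None
    kind, ptype, value = m.groups()
    if kind == "password":
        if ptype == "7":
            return ("reversible", type7_decode(value))
        if ptype in (None, "0"):
            return ("cleartext", value)
        return ("unknown", f"password type {ptype}")
    if ptype in ONE_WAY_TYPES:
        return ("one-way", ONE_WAY_TYPES[ptype])
    if ptype is None:
        return ("one-way", "hashed by the switch when the line is entered")
    return ("unknown", f"secret type {ptype}")


def audit_config(text):
    """Flag every credential line in a running-config that is not a one-way hash."""
    return [
        (line.strip(), result)
        for line in text.splitlines()
        if (result := classify_password_line(line)) and result[0] != "one-way"
    ]


if __name__ == "__main__":
    # Constructed sample config lines; the Type 7 string decodes to the well-known value "cisco".
    sample = """\
enable password 7 0822455D0A16
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username ops privilege 15 secret 9 $9$nZ7e4pWq
username legacy password 0 Summer2013
"""
    for line, (strength, detail) in audit_config(sample):
        print(f"{strength:10} {line}  ->  {detail}")
```

    Run against a saved running-config, audit_config lists only the lines that still hold a recoverable password; everything it returns should be replaced with an enable secret or username ... secret line. The decoder deliberately rejects anything that does not look like a Type 7 string rather than guessing, so a Type 5/8/9 value copied into the wrong field shows up as an error instead of garbage.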
  • Page 237: Disabling Password Recovery

    Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 238: Setting A Telnet Password For A Terminal Line

    Chapter 1 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Setting a Telnet Password for a Terminal Line When you power-up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password. Telnet carries this password and the whole session in cleartext; treat it as a bootstrap setting, configure SSH (see “Configuring the Switch for Secure Shell”), and then restrict the vty lines with the transport input ssh line configuration command.
  • Page 239: Configuring Multiple Privilege Levels

    Configuring Multiple Privilege Levels By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
  • Page 240 Chapter 1 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Setting the Privilege Level for a Command Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 241 Chapter 1 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Changing the Default Privilege Level for Lines Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 242: Controlling Switch Access With Tacacs

    “Implementing ADSL for IPv6” chapter in the Cisco IOS XE IPv6 Configuration Guide, Release For complete syntax and usage information for the commands used in this section, see the Cisco IOS Note Security Command Reference, Release 12.4 and the Cisco IOS IPv6 Command Reference.
  • Page 243 Chapter 1 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ [Figure 1-1 Typical TACACS+ Network Configuration: a Catalyst 6500 series switch connected to two UNIX workstations running TACACS+ server 1 (171.20.10.7) and TACACS+ server 2 (171.20.10.8)] Configure the switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers).
  • Page 244: Configuring Tacacs

    Chapter 1 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ TACACS+ Operation When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs: When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user.
  • Page 245 Chapter 1 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ • Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 1-16 • Starting TACACS+ Accounting, page 1-17 Default TACACS+ Configuration: TACACS+ and AAA are disabled by default. To prevent a lapse in security, you cannot configure TACACS+ through a network management application.
  • Page 246 Chapter 1 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Command Purpose Step 6 end Return to privileged EXEC mode. Step 7 show tacacs Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove the specified TACACS+ server name or address, use the no tacacs-server host hostname global configuration command.
  • Page 247 Chapter 1 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Command Purpose Step 3 aaa authentication login {default | Create a login authentication method list. list-name} method1 [method2...] • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations.
  • Page 248 Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.4.
  • Page 249: Controlling Switch Access With Radius

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services:...
  • Page 250: Understanding Radius

    Chapter 1 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS For complete syntax and usage information for the commands used in this section, see the Cisco IOS Note Security Command Reference, Release 12.4 and the Cisco IOS IPv6 Command Reference.
  • Page 251: Radius Operation

    • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.
    • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 252: Radius Change Of Authorization

    RADIUS Change of Authorization (CoA) extensions defined in RFC 5176 that are typically used in a pushed model and allow for the dynamic reconfiguring of sessions from external authentication, authorization, and accounting (AAA) or policy servers. Beginning with Cisco IOS Release 12.2(52)SE, the switch supports these per-session CoA requests: Session reauthentication •...
  • Page 253 Chapter 1 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS The request is initiated from a CoA client (typically a RADIUS or policy server) and directed to the switch that acts as a listener. This section includes these topics: CoA Request Response Code •...
  • Page 254 RADIUS packet layout used by CoA messages (header followed by attributes):
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Code      |  Identifier   |            Length             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    |                         Authenticator                         |
    |                                                               |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Attributes ...
    +-+-+-+-+-+-+-+-+-+-+-+-+-
    The attributes field is used to carry Cisco VSAs.
  • Page 255 • CoA Disconnect-Request • CoA Request: Disable Host Port • CoA Request: Bounce-Port. Beginning with Cisco IOS Release 12.2(52)SE, the switch supports the commands shown in Table 1-4. Table 1-4 CoA Commands Supported on the Switch (Command / Cisco VSA): Reauthenticate host / Cisco:Avpair=“subscriber:command=reauthenticate”...
  • Page 256 To restrict a host’s access to the network, use a CoA Request with the Cisco:Avpair="subscriber:command=disable-host-port" VSA. This command is useful when a host is known to be causing problems on the network, and you need to immediately block network access for the host.
  • Page 257 CoA Request: Disable Host Port This command is carried in a standard CoA-Request message that has this new VSA: Cisco:Avpair="subscriber:command=disable-host-port" Because this command is session-oriented, it must be accompanied by one or more of the session identification attributes described in the “Session Identification”...
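    The CoA exchange described above (a CoA-Request carrying the Cisco:Avpair subscriber:command VSA together with a session identification attribute, answered by the switch with CoA-ACK or CoA-NAK) can be built and checked byte for byte. The following Python is an added example, not code from the guide or from Cisco, and it models both sides: the policy server building a CoA-Request with the RFC 5176 Request Authenticator, and the switch as listener verifying that authenticator, requiring a session identifier, acting on the command, and answering with an ACK or a NAK that carries an Error-Cause. Using Calling-Station-Id (attribute 31) as the session identifier, the shared secret rad1, the in-memory session table and the helper names are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 5176 and the standard attribute types used here (RFC 2865 / RFC 5176).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
VENDOR_SPECIFIC = 26
CALLING_STATION_ID = 31      # assumed here as the session identification attribute
ERROR_CAUSE = 101            # carried in a CoA-NAK to say why the request was refused
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1             # vendor type 1 is cisco-avpair


def attr(attr_type, value):
    """Encode one standard RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Wrap a cisco-avpair string in a Vendor-Specific attribute (vendor id 9, vendor type 1)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(identifier, attributes, secret):
    """CoA-Request: Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def build_coa_response(code, request, attributes, secret):
    """CoA-ACK/NAK: Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_request(packet, secret):
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def verify_response(response, request, secret):
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def parse_packet(packet):
    """Walk the header and attribute list; Cisco VSAs come back as ('vsa', vendor_type, value)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("Length field does not match packet size")
    attributes, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            attributes.append(("vsa", vtype, value[6:4 + vlen]))
        else:
            attributes.append(("attr", atype, value))
        pos += alen
    return code, identifier, attributes


def switch_handle_coa(packet, secret, known_sessions):
    """Listener side: authenticate the request, require a session id, act on subscriber:command."""
    if not verify_request(packet, secret):
        return None                      # RFC 5176: a bad authenticator is silently discarded
    code, identifier, attributes = parse_packet(packet)
    if code != COA_REQUEST:
        return None
    session = next((v.decode() for k, t, v in attributes if k == "attr" and t == CALLING_STATION_ID), None)
    commands = [v.decode() for k, t, v in attributes
                if k == "vsa" and t == CISCO_AVPAIR and v.startswith(b"subscriber:command=")]
    if session not in known_sessions or not commands:
        # Error-Cause 503 = Session Context Not Found, 402 = Missing Attribute (RFC 5176 section 3.5)
        cause = 503 if session not in known_sessions else 402
        return build_coa_response(COA_NAK, packet, [attr(ERROR_CAUSE, struct.pack("!I", cause))], secret)
    known_sessions[session] = commands[0].split("=", 1)[1]   # e.g. record "disable-host-port" as applied
    return build_coa_response(COA_ACK, packet, [], secret)
```

    A real listener would bind the UDP port given in the aaa server radius dynamic-author configuration (1700 by default on the switch) and feed each datagram to switch_handle_coa; the constant-time compare on the authenticator and the silent discard of unauthenticated requests are the two behaviours worth keeping, since the shared secret is the only thing that stops an on-path host from bouncing or disabling ports.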
  • Page 258: Configuring Radius

    Chapter 1 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS If the stack master fails before the port-bounce completes, a port-bounce is initiated after stack master change-over based on the original command (which is subsequently removed). If the stack master fails before sending a CoA-ACK message, the new stack master treats the re-sent command as a new command.
  • Page 259 Chapter 1 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS • Configuring the Switch for Vendor-Proprietary RADIUS Server Communication, page 1-36 (optional) • Configuring CoA on the Switch, page 1-37 • Monitoring and Troubleshooting CoA Functionality, page 1-38 • Configuring RADIUS Server Load Balancing, page 1-39 (optional) •...
  • Page 260 Chapter 1 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS You can configure the switch to use AAA server groups to group existing server hosts for authentication. For more information, see the “Defining AAA Server Groups” section on page 1-31. Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication.
  • Page 261: Configuring Radius Login Authentication

    Chapter 1 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting: Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1 Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2...
  • Page 262 Chapter 1 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Command Purpose Step 3 aaa authentication login {default | Create a login authentication method list. list-name} method1 [method2...] • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations.
  • Page 263 Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.4.
  • Page 264 Chapter 1 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | Specify the IP address or hostname of the remote RADIUS server host.
  • Page 265: Configuring Radius Authorization For User Privileged Access And Network Services

    Chapter 1 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Command Purpose Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. Step 9 Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 1-29.
  • Page 266 (AV) pairs and is stored on the security server. You can then analyze the data for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 267 1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
  • Page 268 Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
  • Page 269 Chapter 1 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with the switch.
  • Page 270 Monitoring and Troubleshooting CoA Functionality The following Cisco IOS commands can be used to monitor and troubleshoot CoA functionality on the switch: debug radius •...
  • Page 271: Displaying The Radius Configuration

    Configuring RADIUS Server Load Balancing This feature allows access and authentication requests to be distributed evenly across all RADIUS servers in a server group. For more information, see the “RADIUS Server Load Balancing” chapter of the Cisco IOS Security Configuration Guide, Release 12.4.
  • Page 272 Chapter 1 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos The Kerberos credential scheme uses a process called single logon. This process authenticates a user once and then allows secure authentication (without encrypting another password) wherever that user credential is accepted. This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs).
  • Page 273: Kerberos Operation

    Chapter 1 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos Table 1-5 Kerberos Terms (continued) Term Definition Kerberos server A daemon that is running on a network host. Users and network services register their identity with the Kerberos server. Network services query the Kerberos server to authenticate to other network services.
  • Page 274: Configuring Kerberos

    KDC and obtain a TGT from the KDC to access network services. For instructions about how to authenticate to a KDC, see the “Obtaining a TGT from a KDC” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.4. Authenticating to Network Services This section describes the third layer of security through which a remote user must pass.
  • Page 275: Configuring The Switch For Local Authentication And Authorization

    Configure the switch to use the Kerberos protocol. • For instructions, see the “Kerberos Configuration Task List” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.4. Configuring the Switch for Local Authentication and Authorization You can configure AAA to operate without a server by setting the switch to implement AAA in local mode.
  • Page 276: Configuring The Switch For Secure Shell

    You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 277: Configuring Ssh

    Chapter 1 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell The switch supports an SSHv1 client. SSH supports the Data Encryption Standard (DES) encryption algorithm, the Triple DES (3DES) encryption algorithm, and password-based user authentication. SSHv1 and 56-bit DES are obsolete; on a production switch, enforce SSHv2 with the ip ssh version 2 global configuration command and limit the vty lines to SSH with the transport input ssh line configuration command. SSH also supports these user authentication methods: TACACS+ (for more information, see the “Controlling Switch Access with TACACS+”...
  • Page 278 Chapter 1 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell When generating the RSA key pair, the message might appear. If it does, • No host name specified you must configure a hostname by using the hostname global configuration command. •...
  • Page 279 Chapter 1 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell Configuring the SSH Server Beginning in privileged EXEC mode, follow these steps to configure the SSH server: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip ssh version [1 | 2] (Optional) Configure the switch to run SSH Version 1 or SSH Version 2.
  • Page 280: Displaying The Ssh Configuration And Status

    (pages) back to the HTTP secure server, which, in turn, responds to the original request. The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
  • Page 281: Certificate Authority Trustpoints

    Chapter 1 Configuring Switch-Based Authentication Configuring the Switch for Secure Socket Layer HTTP Certificate Authority Trustpoints Certificate authorities (CAs) manage certificate requests and issue certificates to participating network devices. These services provide centralized security key and certificate management for the participating devices.
  • Page 282: Configuring Secure Http Servers And Clients

    For additional information on Certificate Authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.4. CipherSuites A CipherSuite specifies the encryption algorithm and the digest algorithm to use on a SSL connection.
  • Page 283 Chapter 1 Configuring Switch-Based Authentication Configuring the Switch for Secure Socket Layer HTTP Configuring the Secure HTTP Server, page 1-52 • Configuring the Secure HTTP Client, page 1-54 • Default SSL Configuration The standard HTTP server is enabled. SSL is enabled. No CA trustpoints are configured.
  • Page 284 Chapter 1 Configuring Switch-Based Authentication Configuring the Switch for Secure Socket Layer HTTP Command Purpose Step 9 primary (Optional) Specify that the trustpoint should be used as the primary (default) trustpoint for CA requests. Step 10 exit Exit CA trustpoint configuration mode and return to global configuration mode.
  • Page 285 Chapter 1 Configuring Switch-Based Authentication Configuring the Switch for Secure Socket Layer HTTP Command Purpose Step 6 ip http secure-client-auth (Optional) Configure the HTTP server to request an X.509v3 certificate from the client for authentication during the connection process. The default is for the client to request a certificate from the server, but the server does not attempt to authenticate the client.
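    The Telnet password, AAA login method list, SSH server and secure HTTP server procedures above each leave a weaker setting in place when the optional step is skipped: a line password instead of an AAA method list, an SSH server that still negotiates version 1, and cleartext HTTP alongside HTTPS. The following Python is an added example, not code from the guide or from Cisco. It runs a small management-plane audit over two constructed running-config fragments, one weak and one hardened, neither taken from the guide, and reports the lines a reviewer would flag. The helper names parse_config and audit_management_plane are chosen for this example.

```python
# Constructed sample configurations (not from the guide); the hardened one follows the
# guide's procedures with the optional steps applied.
WEAK_CONFIG = """\
hostname sw-weak
enable password cisco123
ip http server
ip ssh version 1
line vty 0 4
 password telnetpw
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname sw-hard
aaa new-model
aaa authentication login default group tacacs+ local
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
no ip http server
ip http secure-server
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 transport input ssh
"""


def parse_config(text):
    """Split a running-config into top-level lines and the indented body of each 'line ...' block."""
    top_level, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                line_blocks[current].append(raw.strip())
            continue
        stripped = raw.strip()
        top_level.append(stripped)
        current = stripped if stripped.startswith("line ") else None
        if current is not None:
            line_blocks.setdefault(current, [])
    return top_level, line_blocks


def audit_management_plane(text):
    """Return a list of findings; an empty list means no weak management-plane setting was seen."""
    top_level, line_blocks = parse_config(text)
    present = set(top_level)
    findings = []
    if any(l.startswith("enable password ") for l in present):
        findings.append("enable password: cleartext or reversible Type 7; use enable secret")
    if "aaa new-model" not in present:
        findings.append("aaa new-model missing: logins use line passwords, not an AAA method list")
    elif not any(l.startswith("aaa authentication login ") for l in present):
        findings.append("aaa new-model set but no aaa authentication login method list")
    if "ip http server" in present:
        findings.append("ip http server: cleartext HTTP management is enabled")
    if "ip ssh version 2" not in present:
        findings.append("ip ssh version 2 not set: the server will also serve SSHv1 clients")
    for name, body in line_blocks.items():
        if not name.startswith("line vty"):
            continue
        transports = [l.split()[2:] for l in body if l.startswith("transport input")]
        if not transports:
            findings.append(f"{name}: transport input not set explicitly; confirm Telnet is not accepted")
        elif any("telnet" in t or "all" in t for t in transports):
            findings.append(f"{name}: Telnet is accepted; set 'transport input ssh'")
        if any(l.startswith("password ") for l in body):
            findings.append(f"{name}: a line password is configured (sent in cleartext over Telnet)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_management_plane(cfg)
        print(f"== {label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

    The checks are string matches on the normalized configuration, so the script is only as good as the lines it knows about; the point is the shape of the review (every remote-access path, every credential, every cleartext listener) rather than completeness. Feed it the output of show running-config saved to a file and extend the list as the deployment adds features such as SNMP or the web authentication described later in this guide.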
  • Page 286: Displaying Secure Http Server And Client Status

    Chapter 1 Configuring Switch-Based Authentication Configuring the Switch for Secure Copy Protocol Configuring the Secure HTTP Client The standard HTTP client and secure HTTP client are always enabled. A certificate authority is required for secure HTTP client certification. This procedure assumes that you have previously configured a CA trustpoint on the switch.
  • Page 287: Information About Secure Copy

    A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
  • Page 289: Understanding Ieee 802.1X Port-Based Authentication

    Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Switches running the IP base or IP services feature set also support Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SxP). This feature supports security group access control lists (SGACLs), which define ACL policies for a group of devices instead of an IP address.
  • Page 290 Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
  • Page 291 Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 292 Chapter 1 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication The devices that can act as intermediaries include the Catalyst 3750-X, Catalyst 3750-E, Catalyst 3750, Catalyst 3560-X, Catalyst 3560-E, Catalyst 3560, Catalyst 3550, Catalyst 2970, Catalyst 2960, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point. These devices must be running software that supports the RADIUS client and IEEE 802.1x authentication.
  • Page 293 Figure 1-2 Authentication Flowchart (flowchart content not reproduced on this page)
  • Page 294: Authentication Initiation And Message Exchange

    Authentication Initiation and Message Exchange During 802.1x authentication, the switch or the client can initiate authentication. If you enable authentication on a port by using the authentication port-control auto or dot1x port-control auto interface configuration command, the switch initiates authentication when the link state changes from down to up or periodically as long as the port remains up and unauthenticated.
  • Page 295: Authentication Manager

    Authentication Manager In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including CLI commands and messages, on this switch and also on other network devices, such as a Catalyst 6000. You had to use separate authentication configurations. Cisco IOS Release 12.2(50)SE and later supports the same authorization methods on all Catalyst switches in a network.
  • Page 296 4. For clients that do not support 802.1x authentication. Per-User ACLs and Filter-Ids ACLs configured on the switch are compatible with other devices running Cisco IOS releases. You can only set any as the source in the ACL. Note: For any ACL configured for multiple-host mode, the source portion of the statement must be any. (For example, permit icmp any host 10.10.1.1.)
  • Page 297 The authentication manager commands provide the same functionality as earlier 802.1x commands. Table 1-2 Authentication Manager Commands and Earlier 802.1x Commands (columns: the authentication manager commands in Cisco IOS Release 12.2(50)SE or later; the equivalent 802.1x commands in Cisco IOS Release 12.2(46)SE and earlier; description) authentication control-direction | dot1x control-direction {both | ... | Enable 802.1x authentication with the...
  • Page 298: Ports In Authorized And Unauthorized States

    802.1x CLI commands Beginning with Cisco IOS Release 12.2(55)SE, you can filter out verbose system messages generated by the authentication manager. The filtered content typically relates to authentication success. You can also filter verbose messages for 802.1x authentication and MAB authentication. There is a separate command for each authentication method: •...
  • Page 299: X Authentication And Switch Stacks

    You control the port authorization state by using the dot1x port-control interface configuration command and these keywords: • force-authorized—disables 802.1x authentication and causes the port to change to the authorized state without any authentication exchange required.
  • Page 300: X Host Mode

    To avoid loss of connectivity to the RADIUS server, you should ensure that there is a redundant connection to it. For example, you can have a redundant connection to the stack master and another to a stack member, and if the stack master fails, the switch stack still has connectivity to the RADIUS server.
  • Page 301: Mac Move

    Note: When a port is in multiple-authentication mode, the guest VLAN and authentication-failed VLAN features do not activate. Beginning with Cisco IOS Release 12.2(55)SE, you can assign a RADIUS-server-supplied VLAN in multi-auth mode, under these conditions: • The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
  • Page 302: Mac Replace

    “Enabling MAC Move” section on page 1-52. MAC Replace Beginning with Cisco IOS Release 12.2(55)SE, the MAC replace feature can be configured to address the violation that occurs when a host attempts to connect to a port where another host was previously authenticated.
  • Page 303: X Readiness Check

    DHCP snooping bindings table. You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.4.
  • Page 304: X Authentication With Vlan Assignment

    This feature only works if the supplicant on the client supports a query with the NOTIFY EAP notification packet. The client must respond within the 802.1x timeout value. For information on configuring the switch for the 802.1x readiness check, see the “Configuring 802.1x Readiness Check”...
  • Page 305 • If a voice device is authorized and is using a downloaded voice VLAN, the removal of the voice VLAN configuration, or modifying the configuration value to dot1p or untagged results in voice device un-authorization and the disablement of multi-domain host mode.
  • Page 306: X Authentication With Downloadable Acls And Redirect Urls

    If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
  • Page 307 ACL by using the ip access-list extended auth-default-acl global configuration command. Note: The auth-default-ACL does not support Cisco Discovery Protocol (CDP) bypass in the single host mode. You must configure a static ACL on the interface to support CDP bypass.
  • Page 308 ACL, this ACL takes precedence over the default ACL that is configured on the switch port. However, if the switch receives a host access policy from the Cisco Secure ACS but the default ACL is not configured, the authorization failure is declared.
  • Page 309: X Authentication With Guest Vlan

    Note: This feature is not supported on Cisco ACS Server. (The ACS server ignores the sent VLAN-IDs for new hosts and only authenticates based on the MAC address.) For configuration information, see the “Configuring VLAN ID-based MAC Authentication”...
  • Page 310: X Authentication With Restricted Vlan

    The switch supports MAC authentication bypass. When MAC authentication bypass is enabled on an 802.1x port, the switch can authorize clients based on the client MAC address when IEEE 802.1x authentication times out while waiting for an EAPOL message exchange.
  • Page 311: X Authentication With Inaccessible Authentication Bypass

    For more information, see the “Configuring a Restricted VLAN” section on page 1-62. 802.1x Authentication with Inaccessible Authentication Bypass Use the inaccessible authentication bypass feature, also referred to as critical authentication or the AAA fail policy, when the switch cannot reach the configured RADIUS servers and new hosts cannot be authenticated.
  • Page 312 Feature Interactions • Guest VLAN—Inaccessible authentication bypass is compatible with guest VLAN. When a guest VLAN is enabled on an 802.1x port, the features interact as follows: – If at least one RADIUS server is available, the switch assigns a client to a guest VLAN when...
  • Page 313 VLAN, the connected device (the phone) is put in the configured voice VLAN for the port. The IP phones learn the voice VLAN identification through CDP (Cisco devices) or through LLDP or DHCP. You can configure the voice VLAN for a port by entering the switchport voice vlan vlan-id interface configuration command.
  • Page 314 Command Purpose Step 4 radius-server host ip-address [acct-port udp-port] [auth-port udp-port] [test Configures the RADIUS server parameters: • acct-port udp-port—Specifies the UDP port for the RADIUS accounting server. The range for the UDP port number is from 0 to 65536.
  • Page 315: X User Distribution

    Switch(config)# radius-server host 1.1.1.2 acct-port 1550 auth-port 1560 test username user1 idle-time 30 key abc1234 Switch(config)# radius-server deadtime 60 Switch(config)# interface gigabitethernet 1/0/1 Switch(config-if)# authentication event server dead action reinitialize vlan 20 Switch(config-if)# switchport voice vlan Switch(config-if)# authentication event server dead action authorize voice Switch(config-if)# end...
  • Page 316 Note: If you enable IEEE 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
  • Page 317 When a host that uses WoL is attached through an IEEE 802.1x port and the host powers off, the IEEE 802.1x port becomes unauthorized. The port can only receive and send EAPOL packets, and WoL magic packets cannot reach the host.
  • Page 318 For more configuration information, see the “Authentication Manager” section on page 1-7. Cisco IOS Release 12.2(55)SE and later supports filtering of verbose MAB system messages. See the “Authentication Manager CLI Commands” section on page 1-9. Network Admission Control Layer 2 IEEE 802.1x Validation The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which...
  • Page 319: Flexible Authentication Ordering

    The switch supports multidomain authentication (MDA), which allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
  • Page 320 • When a port host mode is changed from single- or multihost to multidomain mode, an authorized data device remains authorized on the port. However, a Cisco IP phone that has been allowed on the port voice VLAN is automatically removed and must be reauthenticated on that port.
  • Page 321 Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) packets before the supplicant switch has authenticated. Beginning with Cisco IOS Release 15.0(1)SE, you can control traffic exiting the supplicant port during the authentication period.
  • Page 322 Figure 1-6 Authenticator and Supplicant Switch using CISP (figure labels: Workstations (clients), Supplicant switch (outside wiring closet), Authenticator switch, Access control server (ACS), Trunk port) Guidelines • You can configure NEAT ports with the same configurations as the other authentication ports. When the supplicant switch authenticates, the port mode is changed from access to trunk based on the switch vendor-specific attributes (VSAs).
  • Page 323: Common Session Id

    The ID appears automatically. No configuration is required. Device Sensor Device Sensor uses protocols such as Cisco Discovery Protocol (CDP), Link Layer Discovery Protocol (LLDP), and DHCP to obtain endpoint information from network devices and make this information available to its clients.
  • Page 324 Figure 1-7 Device Sensor and Clients Client notifications and accounting messages that contain profiling data and other session-related data are generated and sent to the internal clients and the ISE. By default, client notifications and accounting events are generated only when an incoming packet includes a Type-Length-Value (TLV) that has not previously been received within a given access session.
  • Page 325: Configuring 802.1X Authentication

    Chapter 1 Configuring IEEE 802.1x Port-Based Authentication Configuring 802.1x Authentication Configuring 802.1x Authentication These sections contain this configuration information: • Default 802.1x Authentication Configuration, page 1-38 • 802.1x Authentication Configuration Guidelines, page 1-39 • Configuring 802.1x Readiness Check, page 1-41 (optional)...
  • Page 326 • Resetting the 802.1x Authentication Configuration to the Default Values, page 1-76 (optional) Default 802.1x Authentication Configuration Table 1-4 Default 802.1x Authentication Configuration Feature Default Setting Switch 802.1x enable state Disabled.
  • Page 327: X Authentication Configuration Guidelines

    EtherChannel configuration from the interfaces on which 802.1x authentication and EtherChannel are configured. • If you are using a device running the Cisco Access Control Server (ACS) application for IEEE 802.1x authentication with EAP-Transparent LAN Services (TLS) and EAP-MD5, make sure that the device is running ACS Version 3.2.1 or later.
  • Page 328 Note: Only Catalyst 3750, 3560, and 2960 switches support CDP bypass. The Catalyst 3750-X, 3560-X, 3750-E, and 3560-E switches do not support CDP bypass. • Cisco IOS Release 12.2(55)SE and later supports filtering of system messages related to 802.1x authentication. See the “Authentication Manager CLI Commands”...
  • Page 329 • In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN. • In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one...
  • Page 330 • When you configure the dot1x test eapol-capable command on an 802.1x-enabled port, and the link comes up, the port queries the connected client about its 802.1x capability. When the client responds with a notification packet, it is 802.1x-capable.
  • Page 331 • If you use the errdisable recovery cause security-violation global configuration command to configure error-disabled recovery, the port is automatically re-enabled. If error-disabled recovery is not configured for the port, you re-enable it by using the shutdown and no-shutdown interface configuration commands.
  • Page 332 Beginning in privileged EXEC mode, follow these steps to configure the security violation actions on the switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA.
  • Page 333 Re-authentication is performed, as necessary. Step 5 The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication. Step 6 The user disconnects from the port. Step 7 The switch sends a stop message to the accounting server.
  • Page 334 Configuring the Switch-to-RADIUS-Server Communication RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.
  • Page 335: Configuring The Host Mode

    IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. Use the multi-domain keyword to configure and enable multidomain authentication (MDA), which allows both a host and a voice device, such as an IP phone (Cisco or non-Cisco), on the same switch port. This procedure is optional.
  • Page 336 This example shows how to enable MDA and to allow both a host and a voice device on the port: Switch(config)# interface gigabitethernet3/0/1 Switch(config-if)# authentication port-control auto Switch(config-if)# authentication host-mode multi-domain Switch(config-if)# switchport voice vlan 101 Switch(config-if)# end Configuring Periodic Re-Authentication...
  • Page 337: Changing The Quiet Period

    This example shows how to enable periodic re-authentication and set the number of seconds between re-authentication attempts to 4000: Switch(config-if)# authentication periodic Switch(config-if)# authentication timer reauthenticate 4000 Manually Re-Authenticating a Client Connected to a Port You can manually re-authenticate the client connected to a specific port at any time by entering the dot1x re-authenticate interface interface-id privileged EXEC command.
  • Page 338 Changing the Switch-to-Client Retransmission Time The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time) and then resends the frame.
  • Page 339 Beginning in privileged EXEC mode, follow these steps to set the switch-to-client frame-retransmission number. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode.
  • Page 340: Enabling Mac Move

    To return to the default re-authentication number, use the no dot1x max-reauth-req interface configuration command. This example shows how to set 4 as the number of times that the switch restarts the authentication process before the port changes to the unauthorized state: Switch(config-if)# dot1x max-reauth-req 4 Enabling MAC Move...
  • Page 341 Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file. This example shows how to enable MAC replace on an interface: Switch(config)# interface gigabitethernet2/0/2 Switch(config-if)# authentication violation replace Configuring 802.1x Accounting...
  • Page 342 • LLDP filter--organizationally-specific (type 127) • DHCP filter--message-type (type 53) • Enabling Accounting Augmentation, page 1-54 • Creating a Cisco Discovery Protocol Filter, page 1-55 • Creating an LLDP Filter, page 1-56 • Creating a DHCP Filter, page 1-56 • Applying a Protocol Filter to the Device Sensor Output, page 1-57...
  • Page 343 Returns to privileged EXEC mode. Example: Switch(config)# end Creating a Cisco Discovery Protocol Filter Beginning in privileged EXEC mode, follow these steps to create a CDP filter containing a list of TLVs that can be included or excluded in the Device Sensor output:...
  • Page 344 Creating an LLDP Filter Beginning in privileged EXEC mode, follow these steps to create an LLDP filter containing a list of TLVs that can be included or excluded in the Device Sensor output: Command Purpose Step 1...
  • Page 345 Command Purpose Step 3 option {name option-name | number option-number} Adds individual DHCP options to the option list. You can delete the entire option list without removing options individually from the list by using the no device-sensor filter-list dhcp list option-list-name command.
  • Page 346 Tracking TLV Changes By default, client notifications and accounting events are generated only when an incoming packet includes a TLV that has not previously been received within a given session. To enable client notifications and accounting events for TLV changes, begin in privileged EXEC mode and follow these steps.
  • Page 347 11:duplex-type 5 00 0B 00 05 01 9:vtp-mgmt-domain-type 4 00 09 00 04 4:capabilities-type 8 00 04 00 08 00 00 00 28 1:device-name 14 00 01 00 0E 73 75 70 70 6C 69 63 61 6E 74 lldp 0:end-of-lldpdu 2 00 00...
  • Page 348: Configuring A Guest Vlan

    The following example shows how to create a DHCP filter containing a list of options: Switch> enable Switch# configure terminal Switch(config)# device-sensor filter-list dhcp list dhcp-list Switch(config-sensor-dhcplist)# option name domain-name Switch(config-sensor-dhcplist)# option name host-name Switch(config-sensor-dhcplist)# option number 50...
  • Page 349 Command Purpose Step 7 show authentication interface interface-id Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable and remove the guest VLAN, use the no authentication event no-response action authorize vlan vlan-id interface configuration command.
  • Page 350: Configuring A Restricted Vlan

    This example shows how to set 3 as the quiet time on the switch, to set 15 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before re-sending the request, and to enable VLAN 2 as an 802.1x guest VLAN when an 802.1x port is connected to a DHCP client: Switch(config-if)# authentication timer inactivity 3...
  • Page 351 Beginning in privileged EXEC mode, follow these steps to configure the maximum number of allowed authentication attempts. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode.
  • Page 352 Beginning in privileged EXEC mode, follow these steps to configure the port as a critical port and enable the inaccessible authentication bypass and critical voice VLAN features. Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 353 Command Purpose Step 5 dot1x critical {eapol | recovery delay milliseconds} (Optional) Configure the parameters for inaccessible authentication bypass: eapol—Specify that the switch sends an EAPOL-Success message when the switch successfully authenticates the critical port. recovery delay milliseconds—Set the recovery delay period during which the switch waits to re-initialize a critical port when a RADIUS server that was unavailable becomes available.
  • Page 354: Configuring Mac Authentication Bypass

    Configuring 802.1x Authentication with WoL Beginning in privileged EXEC mode, follow these steps to enable 802.1x authentication with WoL. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode.
  • Page 355 Command Purpose Step 6 show authentication interface interface-id Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable MAC authentication bypass, use the no authentication order interface configuration command.
  • Page 356 For more information about these commands, see the Cisco IOS Security Command Reference. Configuring NAC Layer 2 802.1x Validation You can configure NAC Layer 2 802.1x validation, which is also referred to as 802.1x authentication with a RADIUS server.
  • Page 357: Configuring An Authenticator And A Supplicant Switch With Neat

    1-33. Note: The cisco-av-pairs must be configured as device-traffic-class=switch on the ACS, which sets the interface as a trunk after the supplicant is successfully authenticated. Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator:...
  • Page 358 Command Purpose Step 5 password password Create a password for the new username. Step 6 dot1x supplicant force-multicast Force the switch to send only multicast EAPOL packets when it receives either unicast or multicast packets.
  • Page 359 Configuring 802.1x Authentication Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs In addition to configuring 802.1x authentication on the switch, you need to configure the ACS. For more information, see the Configuration Guide for Cisco Secure ACS 4.2: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/acs_config.pdf You must configure a downloadable ACL on the ACS before downloading it to the switch.
  • Page 360: Configuring A Downloadable Policy

    Configuring a Downloadable Policy Beginning in privileged EXEC mode: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number deny source source-wildcard log Defines the default port ACL by using a source address and wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
  • Page 361 EXEC command to confirm the RADIUS attribute 32. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.4. This example shows how to globally enable VLAN ID-based MAC authentication on a switch: Switch# config terminal Enter configuration commands, one per line.
  • Page 362: Configuring Flexible Authentication Ordering

    Configuring Flexible Authentication Ordering Beginning in privileged EXEC mode, follow these steps: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode.
  • Page 363 Switch(config)# end For more information about the ip auth-proxy auth-proxy-banner command, see the “Authentication Proxy Commands” section of the Cisco IOS Security Command Reference on Cisco.com. Disabling 802.1x Authentication on the Port You can disable 802.1x authentication on the port by using the no dot1x pae interface configuration command.
  • Page 364: Displaying 802.1X Statistics And Status

    EXEC command. Beginning with Cisco IOS Release 12.2(55)SE, you can use the no dot1x logging verbose global configuration command to filter verbose 802.1x authentication messages. See the “Authentication...
  • Page 365 Cisco TrustSec NDAC MACsec switches Cisco TrustSec and Cisco SAP are meant only for switch-to-switch links and are not supported on switch ports connected to end hosts, such as PCs or IP phones. MKA is meant for switch-to-host facing links and is not supported on switch-to-switch links.
  • Page 366: Understanding Media Access Control Security And Macsec Key Agreement

    Chapter 1 Configuring MACsec Encryption Understanding Media Access Control Security and MACsec Key Agreement Understanding Media Access Control Security and MACsec Key Agreement MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys.
  • Page 367: Virtual Ports

    Chapter 1 Configuring MACsec Encryption Understanding Media Access Control Security and MACsec Key Agreement Replay protection. You can configure MACsec window size, as defined by the number of • out-of-order frames that are accepted. This value is used while installing the security associations in the MACsec.
  • Page 368 Chapter 1 Configuring MACsec Encryption Understanding Media Access Control Security and MACsec Key Agreement MACsec, MKA and 802.1x Host Modes You can use MACsec and the MKA Protocol with 802.1x single-host mode, multiple-host mode, or Multi Domain Authentication (MDA) mode. Multiple authentication mode is not supported. Single-Host Mode Figure 1-1 shows how a single EAP authenticated session is secured by MACsec by using MKA.
  • Page 369 Chapter 1 Configuring MACsec Encryption Understanding Media Access Control Security and MACsec Key Agreement MKA Statistics Some MKA counters are aggregated globally, while others are updated both globally and per session. You can also obtain information about the status of MKA sessions. This is an example of the show mka statistics command output: Switch# show mka statistics MKA Global Statistics...
  • Page 370: Configuring Mka And Macsec

    Chapter 1 Configuring MACsec Encryption Configuring MKA and MACsec MKPDU Failures MKPDU Tx......0 MKPDU Rx Validation....0 MKPDU Rx Bad Peer MN..... 0 MKPDU Rx Non-recent Peerlist MN.. 0 For description of the output fields, see the command reference for this release. Configuring MKA and MACsec Default MACsec MKA Configuration, page 1-6 •...
  • Page 371 Chapter 1 Configuring MACsec Encryption Configuring MKA and MACsec Configuring MACsec on an Interface Beginning in privileged EXEC mode, follow these steps to configure MACsec on an interface with one MACsec session for voice and one for data: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 372: Understanding Cisco Trustsec Macsec

    Authc Success Understanding Cisco TrustSec MACsec Note: Cisco TrustSec MACsec for switch-to-switch security is supported only on switches running the IP base or IP services feature set. It is not supported on switches running the NPE or LAN base feature set.
  • Page 373 NPE or the LAN base image. Cisco TrustSec NDAC SAP is supported on trunk ports because it is intended only for network device to network device links, that is, switch-to-switch links. It is not supported on: Host facing access ports (these ports support MKA MACsec) •...
  • Page 374: Configuring Cisco Trustsec Macsec

    RADIUS and AAA before configuring switch-to-switch security. Configuring Cisco TrustSec Credentials on the Switch To enable Cisco TrustSec features, you must create Cisco TrustSec credentials on the switch to use in other TrustSec configurations. Beginning in privileged EXEC mode, follow these steps to configure Cisco TrustSec credentials.
  • Page 375 If you select GCM as the SAP operating mode, you must have a MACsec encryption software license from Cisco. MACsec is supported on Catalyst 3750-X and 3560-X universal IP base and IP services licenses. It is not supported with the NPE license or with a LAN base service image.
  • Page 376 • If you select GCM as the SAP operating mode, you must have a MACsec Encryption software license from Cisco. If you select GCM without the required license, the interface is forced to a link-down state. These protection levels are supported when you configure SAP pairwise master key (sap pmk): •...
  • Page 377 TrustSec-related interface characteristics. Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file. This example shows how to configure Cisco TrustSec authentication in manual mode on an interface: Switch# configure terminal Switch(config)# interface tengigabitethernet 1/1/2 Switch(config-if)# cts manual...
  • Page 378 Configuring Cisco TrustSec MACsec Cisco TrustSec Switch-to-Switch Link Security Configuration Example This example shows the configuration necessary for a seed and non-seed device for Cisco TrustSec switch-to-switch security. You must configure the AAA and RADIUS for link security. In this example, ACS-1 through ACS-3 can be any server names and cts-radius is the Cisco TrustSec server.
  • Page 379 Chapter 1 Configuring MACsec Encryption Configuring Cisco TrustSec MACsec Switch(config)# interface gi1/1/4 Switch(config-if)# switchport trunk encapsulation dot1q Switch(config-if)# switchport mode trunk Switch(config-if)# shutdown Switch(config-if)# cts manual Switch(config-if-cts-dot1x)# sap pmk 033445AABBCCDDEEFF mode-list gcm-encrypt gmac Switch(config-if-cts-dot1x)# no propagate sgt Switch(config-if-cts-dot1x)# exit Switch(config-if)# exit...
  • Page 381 C H A P T E R Configuring Web-Based Authentication This chapter describes how to configure web-based authentication on the Catalyst 3750-X or 3560-X switch. It contains these sections: Understanding Web-Based Authentication, page 1-1 • Configuring Web-Based Authentication, page 1-9 •...
  • Page 382: Understanding Web-Based Authentication

    Chapter 1 Configuring Web-Based Authentication Understanding Web-Based Authentication Authentication Process, page 1-3 • Web Authentication Customizable Web Pages, page 1-6 • Web-based Authentication Interactions with Other Features, page 1-7 • Device Roles With web-based authentication, the devices in the network have these specific roles: Client—The device (workstation) that requests access to the LAN and the services and responds to •...
  • Page 383: Session Creation

    Chapter 1 Configuring Web-Based Authentication Understanding Web-Based Authentication Session Creation When web-based authentication detects a new host, it creates a session as follows: Reviews the exception list. • If the host IP is included in the exception list, the policy from the exception list entry is applied, and the session is established.
  • Page 384: Local Web Authentication Banner

    You create a banner by using the ip admission auth-proxy-banner http global configuration command. The default banner Cisco Systems and Switch host-name Authentication appear on the Login Page. Cisco Systems appears on the authentication result pop-up page, as shown in Figure 1-2.
  • Page 385 Figure 1-4. Figure 1-4 Login Screen With No Banner For more information, see the Cisco IOS Security Command Reference and the “Configuring a Web Authentication Local Banner” section on page 1-16.
  • Page 386: Web Authentication Customizable Web Pages

    • You must include an HTML redirect command in the success page to access a specific URL. • The URL string must be a valid URL (for example, http://www.cisco.com). An incomplete URL might cause page not found or similar errors on a web browser.
  • Page 387 Chapter 1 Configuring Web-Based Authentication Understanding Web-Based Authentication Figure 1-5 Customizable Authentication Page For more information, see the “Customizing the Authentication Proxy Web Pages” section on page 1-13. Web-based Authentication Interactions with Other Features • Port Security, page 1-7 LAN Port IP, page 1-8 •...
  • Page 388 ACLs If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic only after the web-based authentication host policy is applied. For Layer 2 web-based authentication, you must configure a port ACL (PACL) as the default access policy for ingress traffic from hosts connected to the port.
  • Page 389 You must configure the default ACL on the interface before configuring web-based authentication. • Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface. You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts •...
  • Page 390: Configuring The Authentication Rule And Interfaces

    Chapter 1 Configuring Web-Based Authentication Configuring Web-Based Authentication • Hosts that are more than one hop away might experience traffic disruption if an STP topology change results in the host traffic arriving on a different port. This occurs because the ARP and DHCP updates might not be sent after a Layer 2 (STP) topology change.
  • Page 391: Configuring Aaa Authentication

    Chapter 1 Configuring Web-Based Authentication Configuring Web-Based Authentication This example shows how to verify the configuration: Switch# show ip admission configuration Authentication Proxy Banner not configured Authentication global cache time is 60 minutes Authentication global absolute time is 0 minutes Authentication global init state time is 2 minutes Authentication Proxy Watch-list is disabled Authentication Proxy Rule Configuration...
  • Page 392 For more information, see the Cisco IOS Security Configuration Guide, Release 12.4 and the Cisco IOS Security Command Reference, Release 12.4.
  • Page 393: Configuring The Http Server

    Chapter 1 Configuring Web-Based Authentication Configuring Web-Based Authentication Note: You need to configure some settings on the RADIUS server, including the switch IP address, the key string to be shared by both the server and the switch, and the downloadable ACL (DACL). For more information, see the RADIUS server documentation.
  • Page 394 Chapter 1 Configuring Web-Based Authentication Configuring Web-Based Authentication Command Purpose Step 3 ip admission proxy http failure page file device:fail-filename Specify the location of the custom HTML file to use in place of the default login failure page. Step 4 ip admission proxy http login expired page file device:expired-filename Specify the location of the custom HTML file to use in place of the...
  • Page 395 To remove the specification of a redirection URL, use the no form of the command. • This example shows how to configure a redirection URL for successful login: Switch(config)# ip admission proxy http success redirect www.cisco.com This example shows how to verify the redirection URL for successful login: Switch# show ip admission configuration...
  • Page 396 Switch(config)# aaa ip auth-proxy auth-proxy-banner C My Switch C Switch(config)# end For more information about the ip auth-proxy auth-proxy-banner command, see the “Authentication Proxy Commands” section of the Cisco IOS Security Command Reference on Cisco.com. Removing Web-Based Authentication Cache Entries Command...
  • Page 397: Displaying Web-Based Authentication Status

    Chapter 1 Configuring Web-Based Authentication Displaying Web-Based Authentication Status Displaying Web-Based Authentication Status Perform this task to display the web-based authentication settings for all interfaces or for specific ports: Command Purpose Step 1 show authentication sessions Displays the web-based authentication settings. [interface type slot/port] type = fastethernet, gigabitethernet, or tengigabitethernet (Optional) Use the interface keyword to display the web-based authentication...
  • Page 399 (ISE). Cisco ISE can provision switches with TrustSec Identities and Security Group ACLs (SGACLs), though these may be configured manually on the switch. To configure Cisco Trustsec on the switch, see the Cisco TrustSec Switch Configuration Guide at the following URL: http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html Release notes for Cisco TrustSec General Availability releases are at the following URL: http://www.cisco.com/en/US/docs/switches/lan/trustsec/release/notes/rn_cts_crossplat.html...
  • Page 400 Security Group Tag Exchange Protocol (SXP). With SXP, devices that are not TrustSec-hardware-capable can receive SGT attributes for authenticated users or devices from the Cisco Secure Access Control System (ACS). The devices can forward the source IP-to-SGT binding to a TrustSec-hardware-capable device for tagging and SGACL enforcement.
  • Page 401: Configuration Guidelines And Limitations

    SGT of a previously authenticated host, the VLAN port (VP) to which these hosts belong is error-disabled. • Cisco TrustSec enforcement is supported only on up to eight VLANs on a VLAN-trunk link. If there are more than eight VLANs configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be error-disabled.
  • Page 403: Interface Types

    Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the online Cisco IOS Interface Command Reference, Release 12.4. Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface types.
  • Page 404 Chapter 1 Configuring Interface Characteristics Interface Types These sections describe the interface types: Port-Based VLANs, page 1-2 • Switch Ports, page 1-3 • Routed Ports, page 1-4 • Switch Virtual Interfaces, page 1-5 • EtherChannel Port Groups, page 1-6 • 10-Gigabit Ethernet Interfaces, page 1-7 •...
  • Page 405: Switch Ports

    Catalyst 6500 series switch; the Catalyst 3750-X or 3560-X switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 1, “Configuring Voice VLAN.”...
  • Page 406: Routed Ports

    Chapter 1 Configuring Interface Characteristics Interface Types Trunk Ports A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN database. These trunk port types are supported: In an ISL trunk port, all received packets are expected to be encapsulated with an ISL header, and •...
  • Page 407: Switch Virtual Interfaces

    Note: The IP Base feature set supports static routing and the Routing Information Protocol (RIP). Starting with Cisco IOS Release 12.2(58)E, the LAN Base feature set supports 16 user-configured static routes on SVIs. For full Layer 3 routing or for fallback bridging, you must enable the IP Services feature set on the standalone switch, or the active switch.
  • Page 408: Etherchannel Port Groups

    RIP. For more advanced routing or for fallback bridging, enable the IP Services feature set on the standalone switch or the active switch. For information about using the software activation feature to install a software license for a specific feature set, see the Cisco IOS Software Activation document. SVI Autostate Exclude The line state of an SVI with multiple ports on a VLAN is in the up state when it meets these conditions: •...
  • Page 409: Gigabit Ethernet Interfaces

    Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP), which operate only on physical ports.
  • Page 410 CDP messages for an agreed-upon power-consumption level. The negotiation allows a high-power Cisco powered device, which consumes more than 7 W, to operate at its highest power mode. The powered device first boots up in low-power mode, consumes less than 7 W, and negotiates to obtain enough power to operate in high-power mode.
  • Page 411 (TLVs), and Power-via-MDA TLVs, for negotiating power up to 30 W. Cisco prestandard devices and Cisco IEEE powered devices can use CDP or the IEEE 802.3at power-via-MDI power negotiation mechanism to request power levels up to 30 W.
  • Page 412: Power Management Modes

    Chapter 1 Configuring Interface Characteristics Interface Types Power Management Modes The switch supports these PoE modes: • auto—The switch automatically detects if the connected device requires power. If the switch discovers a powered device connected to the port and if the switch has enough power, it grants power, updates the power budget, turns on power to the port on a first-come, first-served basis, and updates the LEDs.
  • Page 413 The switch also polices the power usage with the power policing feature. Power monitoring is backward-compatible with Cisco intelligent power management and CDP-based power consumption. It works with these features to ensure that the PoE port can supply power to the powered device.
  • Page 414 Chapter 1 Configuring Interface Characteristics Interface Types without CDP or LLDP, the switch does not allow devices to consume more than 15.4 W of power because values from 15400 to 30000 mW are only allocated based on CDP or LLDP requests. If a powered device consumes more than 15.4 W without CDP or LLDP negotiation, the device might be in violation of the maximum current (Imax) limitation and might experience an Icut fault for drawing more current than the maximum.
  • Page 415 Note: This feature is available on switches running Cisco IOS Release 15.0(2)SE2 and higher. Universal Power over Ethernet (UPoE) is a Cisco proprietary technology that extends the IEEE 802.3at PoE standard to provide the capability to source up to 60 W of power over standard Ethernet cabling infrastructure (Class D or better).
  • Page 416 Te1/Gi2 and Te2/Gi4. These ports can operate at either 1 Gigabit per second or 10 Gigabits per second. They are identified in software as gigabitethernet x/1/2 and x/1/4 and tengigabitethernet x/1/1 and x/1/2, with x being the switch number on Catalyst 3750-X stacks. The Catalyst 3560-X switch port numbers are the same, with no switch number.
  • Page 417: Connecting Interfaces

    Chapter 1 Configuring Interface Characteristics Interface Types 10-Gigabit Ethernet Network Module The C3KX-NM-10GT 10-Gigabit Ethernet Network Module has two 10-Gigabit Ethernet copper ports that can operate at either 1 Gigabit per second or 10 Gigabits per second. To configure the port speed to 1 Gigabit per second, use the hw-module switch global configuration command.
  • Page 418: Using The Switch Usb Ports

    Chapter 1 Configuring Interface Characteristics Using the Switch USB Ports SVIs or routed ports to bridge groups with each SVI or routed port assigned to only one bridge group. All interfaces in the same group belong to the same bridge domain. For more information, see Chapter 1, “Configuring Fallback Bridging.”...
  • Page 419 Chapter 1 Configuring Interface Characteristics Using the Switch USB Ports switch-stack-1 1 00:20:48.635: %USB_CONSOLE-6-MEDIA_RJ45: Console media-type is RJ45. You can configure the console type to always be RJ-45, and you can configure an inactivity timeout for the USB connector. Configuring the Console Media Type If you configure the RJ-45 console, USB console operation is disabled, and input always remains with the RJ-45 console. This configuration is global and applies to all switches in a stack.
  • Page 420 The USB Type A port provides access to external Cisco USB flash devices, also known as thumb drives or USB keys. The switch supports Cisco 64 MB, 256 MB, 512 MB, and 1 GB flash drives. You can use standard Cisco IOS command-line interface (CLI) commands to read, write, erase, and copy to or from the flash device.
  • Page 421 Chapter 1 Configuring Interface Characteristics Using the Switch USB Ports Booting from the USB Flash Device To allow booting from the USB flash device, follow these steps beginning in privileged EXEC mode: Command Purpose Step 1 configure terminal Enters global configuration mode. Step 2 boot system flash usbflash0: image Configures the switch to boot from the USB flash device.
  • Page 422: Using Interface Configuration Mode

    Chapter 1 Configuring Interface Characteristics Using Interface Configuration Mode Number of Endpoints: 2 Endpoint: Number: 1 Transfer Type: BULK Transfer Direction: Device to Host Max Packet: 512 Interval: 0 Endpoint: Number: 2 Transfer Type: BULK Transfer Direction: Host to Device Max Packet: 512 Interval: 0 This is sample output from the show usb port command:...
  • Page 423: Procedures For Configuring Interfaces

    Ethernet module slots, the port numbers restart with the 10-Gigabit Ethernet ports: tengigabitethernet1/0/1. On a switch with 10/100/1000 ports and Cisco dual SFP X2 converter modules in the 10-Gigabit Ethernet module slots, the SFP module ports are numbered consecutively following the 10/100/1000 interfaces.
  • Page 424: Configuring A Range Of Interfaces

    Chapter 1 Configuring Interface Characteristics Using Interface Configuration Mode You can also configure a range of interfaces by using the interface range or interface range macro global configuration commands. Interfaces configured in a range must be the same type and must be configured with the same feature options.
  • Page 425 Chapter 1 Configuring Interface Characteristics Using Interface Configuration Mode – gigabitethernet stack member/module/{first port} - {last port} (for 3750-X switches), where the module is always 0. – tengigabitethernet module/{first port} - {last port} (for 3560-X switches), where the module is always 0. –...
  • Page 426: Configuring And Using Interface Range Macros

    Chapter 1 Configuring Interface Characteristics Using Interface Configuration Mode Configuring and Using Interface Range Macros You can create an interface range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro global configuration command string, you must use the define interface-range global configuration command to define the macro.
  • Page 427 Chapter 1 Configuring Interface Characteristics Using Interface Configuration Mode • You must add a space between the first interface number and the hyphen when entering an interface-range. For example, gigabitethernet1/0/1 - 4 is a valid range; gigabitethernet1/0/1-4 is not a valid range. The VLAN interfaces must have been configured with the interface vlan command.
  • Page 428: Using The Ethernet Management Port

    Chapter 1 Configuring Interface Characteristics Using the Ethernet Management Port This example shows how to create a multiple-interface macro named macro1: Switch# configure terminal Switch(config)# define interface-range macro1 gigabitethernet1/0/1 - 2, gigabitethernet1/0/5 - 7, tengigabitethernet1/0/1 -2 Switch(config)# end This example shows how to enter interface-range configuration mode for the interface-range macro enet_list: Switch# configure terminal Switch(config)# interface range macro enet_list...
  • Page 429 Chapter 1 Configuring Interface Characteristics Using the Ethernet Management Port For a Catalyst 3560-X switch or a standalone Catalyst 3750-X switch, connect the Ethernet management port to the PC as shown in Figure 1-2. Figure 1-2 Connecting a Switch to a PC...
  • Page 430: Supported Features On The Ethernet Management Port

    – Speed—10 Mb/s, 100 Mb/s, and autonegotiation – Duplex mode—Full, half, and autonegotiation – Loopback detection • Cisco Discovery Protocol (CDP) DHCP relay agent • IPv4 and IPv6 access control lists (ACLs) • Routing protocols • Catalyst 3750-X and 3560-X Switch Software Configuration Guide...
  • Page 431: Configuring The Ethernet Management Port

    Loads and boots an executable image from the TFTP server and enters the command-line interface. For more details, see the command reference for this release. copy tftp:/source-file-url filesystem:/destination-file-location Copies a Cisco IOS image from the TFTP server to the specified location. For more details, see the command reference for this release.
  • Page 432: Configuring Ethernet Interfaces

    Chapter 1 Configuring Interface Characteristics Configuring Ethernet Interfaces Configuring Ethernet Interfaces These sections contain this configuration information: Default Ethernet Interface Configuration, page 1-30 • Configuring Interface Speed and Duplex Mode, page 1-31 • Configuring IEEE 802.3x Flow Control, page 1-33 •...
  • Page 433: Configuring Interface Speed And Duplex Mode

    Note: The switch might not support a pre-standard powered device—such as Cisco IP phones and access points that do not fully support IEEE 802.3af—if that powered device is connected to the switch through a crossover cable. This is regardless of whether auto-MDIX is enabled on the switch port.
  • Page 434: Setting The Interface Speed And Duplex Parameters

    Chapter 1 Configuring Interface Characteristics Configuring Ethernet Interfaces – The 1000BASE-T SFP module ports support the same speed and duplex options as the 10/100/1000-Mb/s ports. For information about which SFP modules are supported on your switch, see the product release notes.
  • Page 435 Chapter 1 Configuring Interface Characteristics Configuring Ethernet Interfaces Command Purpose Step 4 duplex {auto | full | half} This command is not available on a 10-Gigabit Ethernet interface. Enters the duplex parameter for the interface. Enables half-duplex mode (for interfaces operating only at 10 or 100 Mb/s).
  • Page 436 Chapter 1 Configuring Interface Characteristics Configuring Ethernet Interfaces When set to desired, an interface can operate with an attached device that is required to send flow-control packets or with an attached device that is not required to but can send flow-control packets. These rules apply to flow control settings on the device: receive on (or desired): The port cannot send pause frames but can operate with an attached device •...
  • Page 437 Chapter 1 Configuring Interface Characteristics Configuring Ethernet Interfaces Table 1-4 shows the link states that result from auto-MDIX settings and correct and incorrect cabling. Table 1-4 Link Conditions and Auto-MDIX Settings Local Side Auto-MDIX Remote Side Auto-MDIX With Correct Cabling With Incorrect Cabling Link up Link up...
  • Page 438 Note: If a port has a Cisco powered device connected to it, do not use the power inline never command to configure the port. A false linkup can occur, placing the port into the error-disabled state.
  • Page 439 Configuring Ethernet Interfaces Budgeting Power for Devices Connected to a PoE Port When Cisco powered devices are connected to PoE ports, the switch uses Cisco Discovery Protocol (CDP) to determine the CDP-specific power consumption of the devices, and the switch adjusts the power budget accordingly.
  • Page 440 Chapter 1 Configuring Interface Characteristics Configuring Ethernet Interfaces Command Purpose Step 5 show power inline consumption Displays the power consumption status. default Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file. To return to the default setting, use the no power inline consumption default global configuration command.
  • Page 441: Adding A Description For An Interface

    Chapter 1 Configuring Interface Characteristics Configuring Ethernet Interfaces Command Purpose Step 3 power inline police [action log] If the real-time power consumption exceeds the maximum power allocation on the port, configure the switch to take one of these actions: • Shut down the PoE port, turn off power to it, and put it in the error-disabled state—Enter the power inline police command.
  • Page 442: Configuring Layer 3 Interfaces

    Chapter 1 Configuring Interface Characteristics Configuring Layer 3 Interfaces To add a description for an interface, follow these steps beginning in privileged EXEC mode: Command Purpose Step 1 configure terminal Enters global configuration mode. Step 2 interface interface-id Specifies the interface for which you are adding a description, and enters interface configuration mode.
  • Page 443 Chapter 1 Configuring Interface Characteristics Configuring Layer 3 Interfaces Layer 3 EtherChannel ports—EtherChannel interfaces made up of routed ports. • EtherChannel port interfaces are described in Chapter 1, “Configuring EtherChannels and Link-State Tracking.” A Layer 3 switch can have an IP address assigned to each routed port and SVI. There is no defined limit to the number of SVIs and routed ports that can be configured in a switch or in a switch stack.
  • Page 444: Configuring Svi Autostate Exclude

    Chapter 1 Configuring Interface Characteristics Configuring Layer 3 Interfaces To remove an IP address from an interface, use the no ip address interface configuration command. This example shows how to configure a port as a routed port and to assign it an IP address: Switch# configure terminal Enter configuration commands, one per line.
  • Page 445: Configuring The System Mtu

    Unlike the system MTU routing configuration, the MTU settings you enter with the system mtu and system mtu jumbo commands are not saved in the switch Cisco IOS configuration file, even if you enter the copy running-config startup-config privileged EXEC command.
  • Page 446 Chapter 1 Configuring Interface Characteristics Configuring the System MTU Table 1-5 System MTU Values Configuration system mtu command system jumbo mtu command system routing mtu command Standalone Catalyst You can enter the command on Use the system mtu jumbo Use the system mtu routing 3750-X, 3750-E, 3560-X on a Catalyst 3750-X, bytes command.
  • Page 447 The range is 1500 to 1998 bytes; the default is 1500 bytes. Note: This command does not apply to Catalyst 3560-X switches. Step 5 Returns to privileged EXEC mode. Step 6 copy running-config startup-config Saves your entries in the configuration file.
  • Page 448: Configuring The Power Supplies

    In a mixed stack with Catalyst 3750-X and 3750-E switches, one or more Catalyst 3750-E switches can be connected to a Cisco Redundant Power System 2300, also known as the RPS 2300. You can configure and manage an RPS 2300 connected to a Catalyst 3750-E switch in the stack.
  • Page 449 Chapter 1 Configuring Interface Characteristics Configuring the Cisco RPS 2300 in a Mixed Stack Follow these guidelines when configuring the RPS 2300: • The RPS name is a 16-character-maximum string. • In a switch stack, the RPS name applies to the RPS ports connected to the specified switch.
  • Page 450: Configuring The Cisco Expandable Power System (Xps) 2200

    Configuring the Cisco eXpandable Power System (XPS) 2200 The Cisco XPS 2200 is a standalone power system that you can connect to Catalyst 3560-X and Catalyst 3750-X switches to provide backup power to connected devices or, in a Catalyst 3750-X power stack, to supply additional power to the power stack budget.
  • Page 451 Chapter 1 Configuring Interface Characteristics Configuring the Cisco eXpandable Power System (XPS) 2200 You use the switch CLI to configure the XPS: Configuring the System Names, page 1-49 • Configuring XPS Ports, page 1-50 • Configuring XPS Power Supplies, page 1-51 •...
  • Page 452 the port. This is the default. When a Catalyst 3560-X switch or Catalyst 3750-X switch running the LAN base image is connected, the mode is RPS. When a Catalyst 3750-X switch is connected, the mode is stack power (SP).
  • Page 453: Monitoring And Maintaining The Interfaces

    Chapter 1 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces For auto-SP ports participating in stack power, configure stack power characteristics by using the stack power commands described in Chapter 1, “Configuring Catalyst 3750-X StackPower.” Configuring XPS Power Supplies You can configure the mode of an XPS power supply and you can configure it to be on or off. To configure XPS 2200 power supplies.
  • Page 454: Monitoring Interface Status

    (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.4. Table 1-6...
  • Page 455: Clearing And Resetting Interfaces And Counters

    Chapter 1 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces Table 1-6 Show Commands for Interfaces (continued) Command Purpose show interfaces transceiver properties (Optional) Displays temperature, voltage, or amount of current on the interface. show interfaces [interface-id] [{transceiver properties | detail}] [module number] Displays physical and operational status about an SFP module. show running-config interface [interface-id] Displays the running configuration in RAM for the interface.
  • Page 456 Chapter 1 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces To shut down an interface, follow these steps beginning in privileged EXEC mode: Command Purpose Step 1 configure terminal Enters global configuration mode. Step 2 interface {vlan vlan-id} | {gigabitethernet interface-id} | Selects the interface to be configured.
  • Page 457: Configuring Vlans

    C H A P T E R Configuring VLANs This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Catalyst 3750-X or 3560-X switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS).
  • Page 458: Supported Vlans

    Note On switches running the LAN base feature set, static routing between VLANs is supported only on switches running Cisco IOS Release 12.2(58)SE or later. An SVI must be explicitly configured and assigned an IP address to route traffic between VLANs. For more information, see the “Switch Virtual Interfaces”...
  • Page 459: Vlan Port Membership Modes

    Chapter 1 Configuring VLANs Understanding VLANs The switch or switch stack supports a total of 1005 (normal range and extended range) VLANs when running the IP base or IP services feature set, and 255 VLANs when running the LAN base feature set. However, the number of routed ports, SVIs, and other configured features affects the use of the switch hardware.
  • Page 460: Configuring Normal-Range Vlans

    Table columns: VLAN Membership Characteristics / VTP Characteristics. Voice VLAN: A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic and a... VTP is not required; it has no effect on a voice VLAN.
  • Page 461: Token Ring Vlans

    Chapter 1 Configuring VLANs Configuring Normal-Range VLANs • Security Association Identifier (SAID) • Bridge identification number for TrBRF VLANs • Ring number for FDDI and TrCRF VLANs • Parent VLAN number for TrCRF VLANs • Spanning Tree Protocol (STP) type for TrCRF VLANs ...
  • Page 462 Chapter 1 Configuring VLANs Configuring Normal-Range VLANs • With VTP versions 1 and 2, the switch supports VLAN IDs 1006 through 4094 only in VTP transparent mode (VTP disabled). These are extended-range VLANs and configuration options are limited. Extended-range VLANs created in VTP transparent mode are not saved in the VLAN database and are not propagated.
  • Page 463: Saving Vlan Configuration

    Chapter 1 Configuring VLANs Configuring Normal-Range VLANs Saving VLAN Configuration The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database (vlan.dat file). If the VTP mode is transparent, they are also saved in the switch running configuration file. You can enter the copy running-config startup-config privileged EXEC command to save the configuration in the startup configuration file.
  • Page 464: Creating Or Modifying An Ethernet Vlan

    Chapter 1 Configuring VLANs Configuring Normal-Range VLANs Table 1-2 Ethernet VLAN Defaults and Ranges (continued) Parameter Default Range Remote SPAN disabled enabled, disabled Private VLANs none configured 2 to 1001, 1006 to 4094. Creating or Modifying an Ethernet VLAN Each Ethernet VLAN in the VLAN database has a unique, 4-digit ID that can be a number from 1 to 1001.
  • Page 465: Deleting A Vlan

    Chapter 1 Configuring VLANs Configuring Normal-Range VLANs To return the VLAN name to the default settings, use the no name, no mtu, or no remote-span commands. This example shows how to create Ethernet VLAN 20, name it test20, and add it to the VLAN database: Switch# configure terminal Switch(config)# vlan 20 Switch(config-vlan)# name test20...
  • Page 466: Configuring Extended-Range Vlans

    Chapter 1 Configuring VLANs Configuring Extended-Range VLANs Beginning in privileged EXEC mode, follow these steps to assign a port to a VLAN in the VLAN database: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter the interface to be added to the VLAN.
  • Page 467: Default Vlan Configuration

    Chapter 1 Configuring VLANs Configuring Extended-Range VLANs • Creating an Extended-Range VLAN with an Internal VLAN ID, page 1-13 Default VLAN Configuration See Table 1-2 on page 1-7 for the default configuration for Ethernet VLANs. You can change only the MTU size, private VLAN, and the remote SPAN configuration state on extended-range VLANs; all other characteristics must remain at the default state.
  • Page 468 Chapter 1 Configuring VLANs Configuring Extended-Range VLANs • Although the switch or switch stack supports a total of 1005 (normal-range and extended-range) VLANs with the IP base or IP services feature set and 255 VLANs with the LAN base feature set, the number of routed ports, SVIs, and other configured features affects the use of the switch hardware.
  • Page 469 Chapter 1 Configuring VLANs Configuring Extended-Range VLANs Command Purpose Step 7 show vlan id vlan-id Verify that the VLAN has been created. Step 8 copy running-config startup-config Save your entries in the switch startup configuration file. To save extended-range VLAN configurations, you need to save the VTP transparent mode configuration and the extended-range VLAN configuration in the switch startup configuration file.
  • Page 470: Displaying Vlans

    Chapter 1 Configuring VLANs Displaying VLANs Command Purpose Step 7 vlan vlan-id Enter the new extended-range VLAN ID, and enter VLAN configuration mode. Step 8 exit Exit from VLAN configuration mode, and return to global configuration mode. Step 9 interface interface-id Specify the interface ID for the routed port that you shut down in Step 4, and enter interface configuration mode.
  • Page 471: Trunking Overview

    Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network. Two trunking encapsulations are available on all Ethernet interfaces: • Inter-Switch Link (ISL)—Cisco-proprietary trunking encapsulation. • IEEE 802.1Q—industry-standard trunking encapsulation.
  • Page 472 Chapter 1 Configuring VLANs Configuring VLAN Trunks You can also specify on DTP interfaces whether the trunk uses ISL or IEEE 802.1Q encapsulation or if the encapsulation type is autonegotiated. The DTP supports autonegotiation of both ISL and IEEE 802.1Q trunks. Note DTP is not supported on private-VLAN ports or tunnel ports.
  • Page 473: Default Layer 2 Ethernet Interface Vlan Configuration

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
  • Page 474: Interaction With Other Features

    Chapter 1 Configuring VLANs Configuring VLAN Trunks These sections contain this configuration information: • Interaction with Other Features, page 1-18 • Defining the Allowed VLANs on a Trunk, page 1-19 • Changing the Pruning-Eligible List, page 1-21 • Configuring the Native VLAN for Untagged Traffic, page 1-21 ...
  • Page 475 Chapter 1 Configuring VLANs Configuring VLAN Trunks Command Purpose Step 3 switchport trunk encapsulation {isl | dot1q | negotiate} Configure the port to support ISL or IEEE 802.1Q encapsulation or to negotiate (the default) with the neighboring interface for encapsulation type.
  • Page 476 Configuring VLANs Configuring VLAN Trunks Note VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
  • Page 477 Chapter 1 Configuring VLANs Configuring VLAN Trunks Changing the Pruning-Eligible List The pruning-eligible list applies only to trunk ports. Each trunk port has its own eligibility list. VTP pruning must be enabled for this procedure to take effect. The “Enabling VTP Pruning” section on page 1-16 describes how to enable VTP pruning.
  • Page 478: Configuring Trunk Ports For Load Sharing

    Chapter 1 Configuring VLANs Configuring VLAN Trunks Beginning in privileged EXEC mode, follow these steps to configure the native VLAN on an IEEE 802.1Q trunk: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Define the interface that is configured as the IEEE 802.1Q trunk, and enter interface configuration mode.
  • Page 479 Chapter 1 Configuring VLANs Configuring VLAN Trunks In this way, Trunk 1 carries traffic for VLANs 8 through 10, and Trunk 2 carries traffic for VLANs 3 through 6. If the active trunk fails, the trunk with the lower priority takes over and carries the traffic for all of the VLANs.
  • Page 480 Chapter 1 Configuring VLANs Configuring VLAN Trunks Command Purpose Step 13 Repeat Steps 7 through 11 on Switch A for a second port in the switch or switch stack. Step 14 Repeat Steps 7 through 11 on Switch B to configure the trunk ports that connect to the trunk ports configured on Switch A.
  • Page 481 Return to global configuration mode. Step 6 Repeat Steps 2 through 5 on a second interface in Switch A (for a Catalyst 3560-X switch) or in the Switch A stack (for a Catalyst 3750-X switch). Step 7 Return to privileged EXEC mode.
  • Page 482: Configuring Vmps

    Chapter 1 Configuring VLANs Configuring VMPS Configuring VMPS The VLAN Query Protocol (VQP) is used to support dynamic-access ports, which are not permanently assigned to a VLAN, but give VLAN assignments based on the MAC source addresses seen on the port. Each time an unknown MAC address is seen, the switch sends a VQP query to a remote VMPS;...
  • Page 483: Default Vmps Client Configuration

    Chapter 1 Configuring VLANs Configuring VMPS Dynamic-Access Port VLAN Membership A dynamic-access port can belong to only one VLAN with an ID from 1 to 4094. When the link comes up, the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment.
  • Page 484: Configuring The Vmps Client

    Chapter 1 Configuring VLANs Configuring VMPS • Trunk ports cannot be dynamic-access ports, but you can enter the switchport access vlan dynamic interface configuration command for a trunk port. In this case, the switch retains the setting and applies it if the port is later configured as an access port. You must turn off trunking on the port before the dynamic-access setting takes effect.
  • Page 485 Chapter 1 Configuring VLANs Configuring VMPS Configuring Dynamic-Access Ports on VMPS Clients If you are configuring a port on a cluster member switch as a dynamic-access port, first use the rcommand privileged EXEC command to log in to the cluster member switch. Dynamic-access port VLAN membership is for end stations or hubs connected to end stations.
  • Page 486: Monitoring The Vmps

    Chapter 1 Configuring VLANs Configuring VMPS Beginning in privileged EXEC mode, follow these steps to change the reconfirmation interval: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vmps reconfirm minutes Enter the number of minutes between reconfirmations of the dynamic VLAN membership.
  • Page 487: Vmps Configuration Example

    Chapter 1 Configuring VLANs Configuring VMPS This is an example of output for the show vmps privileged EXEC command: Switch# show vmps VQP Client Status: -------------------- VMPS VQP Version: Reconfirm Interval: 60 min Server Retry Count: 3 VMPS domain server: 172.20.128.86 (primary, current) 172.20.128.87 Reconfirmation status ---------------------...
  • Page 488 Chapter 1 Configuring VLANs Configuring VMPS Figure 1-5 Dynamic Port VLAN Membership Configuration (network diagram: a TFTP server; Catalyst 6500 series switch A, 172.20.26.150, as primary VMPS server 1; a router, 172.20.22.7; client switch B, 172.20.26.151, with a dynamic-access port to end station 1 and a trunk port; Catalyst 6500 series switch C, 172.20.26.152, as secondary VMPS server 2)...
  • Page 489: Understanding Vtp

    C H A P T E R Configuring VTP This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 490: The Vtp Domain

    EXEC command shows the VLAN in a suspended state. VTP version 1 and version 2 support only normal-range VLANs (VLAN IDs 1 to 1005). Cisco IOS Release 12.2(52)SE and later support VTP version 3. VTP version 3 supports the entire VLAN range (VLANs 1 to 4094).
  • Page 491: Vtp Modes

    Chapter 1 Configuring VTP Understanding VTP When you make a change to the VLAN configuration on a VTP server, the change is propagated to all switches in the VTP domain. VTP advertisements are sent over all IEEE trunk connections, including Inter-Switch Link (ISL) and IEEE 802.1Q.
  • Page 492: Vtp Advertisements

    Chapter 1 Configuring VTP Understanding VTP Table 1-1 VTP Modes (continued) VTP Mode Description VTP transparent VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, in VTP version 2 or version 3, transparent switches do forward VTP advertisements that they receive from other switches through their trunk interfaces.
  • Page 493: Vtp Version 2

    Chapter 1 Configuring VTP Understanding VTP • VLAN type • VLAN state • Additional VLAN configuration information specific to the VLAN type In VTP version 3, VTP advertisements also include the primary server ID, an instance number, and a start index. VTP Version 2 If you use VTP in your network, you must decide which version of VTP to use.
  • Page 494: Vtp Pruning

    Chapter 1 Configuring VTP Understanding VTP • Support for any database in a domain. In addition to propagating VTP information, version 3 can propagate Multiple Spanning Tree (MST) protocol database information. A separate instance of the VTP protocol runs for each application that uses VTP. • VTP primary server and VTP secondary servers.
  • Page 495 Chapter 1 Configuring VTP Understanding VTP Figure 1-1 Flooding Traffic without VTP Pruning (network diagram: Switches A through F, with Port 1, Port 2, and the VLAN labeled on the links) Figure 1-2 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch A is not forwarded to Switches C, E, and F because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch B and Port 4 on Switch D).
  • Page 496: Vtp And Switch Stacks

    Chapter 1 Configuring VTP Configuring VTP VTP pruning is not designed to function in VTP transparent mode. If one or more switches in the network are in VTP transparent mode, you should do one of these: • Turn off VTP pruning in the entire network. • Turn off VTP pruning by making all VLANs on the trunk of the switch upstream to the VTP ...
  • Page 497: Default Vtp Configuration

    Chapter 1 Configuring VTP Configuring VTP Default VTP Configuration Table 1-2 shows the default VTP configuration. Table 1-2 Default VTP Configuration Feature / Default Setting: VTP domain name: Null. VTP mode (VTP version 1 and version 2): Server. VTP mode (VTP version 3): The mode is the same as the mode in VTP version 1 or 2 before conversion to version 3.
  • Page 498 2. If there is a version 1-only switch, it does not exchange VTP information with switches that have version 2 enabled. • Cisco recommends placing VTP version 1 and 2 switches at the edge of the network because they...
  • Page 499: Configuring Vtp Mode

    Chapter 1 Configuring VTP Configuring VTP • If there are TrBRF and TrCRF Token Ring networks in your environment, you must enable VTP version 2 or version 3 for Token Ring VLAN switching to function properly. To run Token Ring and Token Ring-Net, disable VTP version 2.
  • Page 500 Chapter 1 Configuring VTP Configuring VTP • When you configure the switch for VTP transparent mode, VTP is disabled on the switch. The switch does not send VTP updates and does not act on VTP updates received from other switches. However, a VTP transparent switch running VTP version 2 does forward received VTP advertisements on its trunk links.
  • Page 501 Chapter 1 Configuring VTP Configuring VTP Command Purpose Step 3 vtp mode {client | server | transparent | off} {vlan | mst | unknown} Configure the switch for VTP mode (client, server, transparent, or off). (Optional) Configure the database: • vlan—the VLAN database is the default if none are configured.
  • Page 502 Chapter 1 Configuring VTP Configuring VTP Configuring a VTP Version 3 Password Beginning in privileged EXEC mode, follow these steps to configure the password when using VTP version 3: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vtp password password [hidden | (Optional) Set the password for the VTP domain.
  • Page 503: Enabling The Vtp Version

    Chapter 1 Configuring VTP Configuring VTP This example shows how to configure a switch as the primary server for the VLAN database (the default) when a hidden or secret password was configured: Switch# vtp primary vlan Enter VTP password: mypassword This switch is becoming Primary server for vlan feature in the VTP domain VTP Database Conf Switch ID...
  • Page 504: Enabling Vtp Pruning

    Chapter 1 Configuring VTP Configuring VTP Enabling VTP Pruning Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode.
  • Page 505: Adding A Vtp Client Switch To A Vtp Domain

    Chapter 1 Configuring VTP Configuring VTP Adding a VTP Client Switch to a VTP Domain Before adding a VTP client to a VTP domain, always verify that its VTP configuration revision number is lower than the configuration revision number of the other switches in the VTP domain. Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number.
  • Page 506: Monitoring Vtp

    Chapter 1 Configuring VTP Monitoring VTP Monitoring VTP You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 1-3 shows the privileged EXEC commands for monitoring VTP activity.
  • Page 507: Understanding Voice Vlan

    The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When the switch is connected to a Cisco 7960 IP Phone, the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS.
  • Page 508: Cisco Ip Phone Voice Traffic

    Cisco IP Phone Voice Traffic You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on...
  • Page 509: Default Voice Vlan Configuration

    For more information, see Chapter 1, “Configuring QoS.” • You must enable CDP on the switch port connected to the Cisco IP Phone to send the configuration to the phone. (CDP is globally enabled by default on all switch interfaces.)
  • Page 510: Configuring A Port Connected To A Cisco 7960 Ip Phone

    VLAN, the Port Fast feature is not automatically disabled. • If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN: –...
  • Page 511 Configuring Cisco IP Phone Voice Traffic You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value.
  • Page 512: Configuring The Priority Of Incoming Data Frames

    Configuring the Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
  • Page 513: Displaying Voice Vlan

    startup-config (Optional) Save your entries in the configuration file. This example shows how to configure a port connected to a Cisco IP Phone to not change the priority of frames received from the PC or the attached device: Switch# configure terminal Enter configuration commands, one per line.
  • Page 515: Understanding Private Vlans

    C H A P T E R Configuring Private VLANs This chapter describes how to configure private VLANs on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 516 Chapter 1 Configuring Private VLANs Understanding Private VLANs Figure 1-1 Private-VLAN Domain (diagram: a private-VLAN domain with one primary VLAN divided into subdomains, each a secondary community VLAN or a secondary isolated VLAN) There are two types of secondary VLANs: • Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the ...
  • Page 517: Ip Addressing Scheme With Private Vlans

    Chapter 1 Configuring Private VLANs Understanding Private VLANs Primary and secondary VLANs have these characteristics: • Primary VLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.
  • Page 518: Private Vlans Across Multiple Switches

    Chapter 1 Configuring Private VLANs Understanding Private VLANs Private VLANs across Multiple Switches As with regular VLANs, private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch. The trunk port treats the private VLAN as any other VLAN.
  • Page 519 Chapter 1 Configuring Private VLANs Understanding Private VLANs You should also see the “Secondary and Primary VLAN Configuration” section on page 1-7 under the “Private-VLAN Configuration Guidelines” section. Private VLANs and Unicast, Broadcast, and Multicast Traffic In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but devices connected to interfaces in different VLANs must communicate at the Layer 3 level.
  • Page 520: Tasks For Configuring Private Vlans

    Chapter 1 Configuring Private VLANs Configuring Private VLANs • If two stacks merge, private VLANs on the winning stack are not affected, but private-VLAN configuration on the losing switch is lost when that switch reboots. For more information about switch stacks, see Chapter 1, “Managing Switch Stacks.”...
  • Page 521 Chapter 1 Configuring Private VLANs Configuring Private VLANs Private-VLAN Configuration Guidelines Guidelines for configuring private VLANs fall into these categories: • Secondary and Primary VLAN Configuration, page 1-7 • Private-VLAN Port Configuration, page 1-8 • Limitations with Other Features, page 1-9 ...
  • Page 522 Chapter 1 Configuring Private VLANs Configuring Private VLANs SVIs belonging to normal VLANs SVIs belonging to private VLANs For more information about using the ip sticky-arp global configuration and the ip sticky-arp interface configuration commands, see the command reference for this release. • You can configure VLAN maps on primary and secondary VLANs (see the “Configuring VLAN ...
  • Page 523 Chapter 1 Configuring Private VLANs Configuring Private VLANs Limitations with Other Features When configuring private VLANs, remember these limitations with other features: In some cases, the configuration is accepted with no error messages, but the commands have no effect. Note Do not configure fallback bridging on switches with private VLANs.
  • Page 524: Configuring And Associating Vlans In A Private Vlan

    Chapter 1 Configuring Private VLANs Configuring Private VLANs Configuring and Associating VLANs in a Private VLAN Beginning in privileged EXEC mode, follow these steps to configure a private VLAN: Note The private-vlan commands do not take effect until you exit VLAN configuration mode. Command Purpose...
  • Page 525 Chapter 1 Configuring Private VLANs Configuring Private VLANs When you associate secondary VLANs with a primary VLAN, note this syntax information: • The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single private-VLAN ID or a hyphenated range of private-VLAN IDs. • The secondary_vlan_list parameter can contain multiple community VLAN IDs but only one ...
  • Page 526: Configuration File

    Chapter 1 Configuring Private VLANs Configuring Private VLANs Command Purpose Step 3 switchport mode private-vlan host Configure the Layer 2 port as a private-VLAN host port. Step 4 switchport private-vlan host-association primary_vlan_id secondary_vlan_id Associate the Layer 2 port with a private VLAN. Step 5 Return to privileged EXEC mode.
  • Page 527: Mapping Secondary Vlans To A Primary Vlan Layer 3 Vlan Interface

    Chapter 1 Configuring Private VLANs Configuring Private VLANs Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN promiscuous port and map it to primary and secondary VLANs: Note Isolated and community VLANs are both secondary VLANs.
  • Page 528 Chapter 1 Configuring Private VLANs Configuring Private VLANs Note Isolated and community VLANs are both secondary VLANs. Beginning in privileged EXEC mode, follow these steps to map secondary VLANs to the SVI of a primary VLAN to allow Layer 3 switching of private-VLAN traffic: Command Purpose Step 1...
  • Page 529: Monitoring Private Vlans

    Chapter 1 Configuring Private VLANs Monitoring Private VLANs Monitoring Private VLANs Table 1-1 shows the privileged EXEC commands for monitoring private-VLAN activity. Table 1-1 Private VLAN Monitoring Commands Command Purpose show interfaces status Displays the status of interfaces, including the VLANs to which they belong.
  • Page 531: Understanding Ieee 802.1Q Tunneling

    C H A P T E R Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure, often Ethernet-based, with the same security, prioritization, reliability, and manageability requirements of private networks. Tunneling is a feature designed for service providers who carry traffic of multiple customers across their networks and are required to maintain the VLAN and Layer 2 protocol configurations of each customer without impacting the traffic of other customers.
  • Page 532 Chapter 1 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Understanding IEEE 802.1Q Tunneling tagged packets. A port configured to support IEEE 802.1Q tunneling is called a tunnel port. When you configure tunneling, you assign a tunnel port to a VLAN ID that is dedicated to tunneling. Each customer requires a separate service-provider VLAN ID, but that VLAN ID supports all of the customer’s VLANs.
  • Page 533 Chapter 1 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Understanding IEEE 802.1Q Tunneling Figure 1-2 Original (Normal), IEEE 802.1Q, and Double-Tagged Ethernet Packet Formats (diagram: the original Ethernet frame with destination address, source address, length/EtherType, data, and frame check sequence fields; the IEEE 802.1Q frame with an inserted EtherType tag before the length/EtherType field; ...)
  • Page 534: Configuring Ieee 802.1Q Tunneling

    Chapter 1 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring IEEE 802.1Q Tunneling Configuring IEEE 802.1Q Tunneling These sections contain this configuration information: • Default IEEE 802.1Q Tunneling Configuration, page 1-4 • IEEE 802.1Q Tunneling Configuration Guidelines, page 1-4 • IEEE 802.1Q Tunneling and Other Features, page 1-6 ...
  • Page 535: System Mtu

    Chapter 1 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring IEEE 802.1Q Tunneling These are some ways to solve this problem: • Use ISL trunks between core switches in the service-provider network. Although customer interfaces connected to edge switches must be IEEE 802.1Q trunks, we recommend using ISL trunks for connecting switches in the core layer.
  • Page 536 • When a port is configured as an IEEE 802.1Q tunnel port, spanning-tree bridge protocol data unit (BPDU) filtering is automatically enabled on the interface. Cisco Discovery Protocol (CDP) and the Link Layer Discovery Protocol (LLDP) are automatically disabled on the interface.
  • Page 537 Chapter 1 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring IEEE 802.1Q Tunneling Configuring an IEEE 802.1Q Tunneling Port Beginning in privileged EXEC mode, follow these steps to configure a port as an IEEE 802.1Q tunnel port: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 538: Understanding Layer 2 Protocol Tunneling

    VLAN should build a proper spanning tree that includes the local site and all remote sites across the service-provider network. Cisco Discovery Protocol (CDP) must discover neighboring Cisco devices from local and remote sites. VLAN Trunking Protocol (VTP) must provide consistent VLAN configuration throughout all sites in the customer network.
  • Page 539 Chapter 1 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Understanding Layer 2 Protocol Tunneling Figure 1-4 Layer 2 Protocol Tunneling (network diagram: Customer X Site 1 and Customer X Site 2, each with VLANs 1 to 100, connected across the service provider in VLAN 30) ...
  • Page 540 Chapter 1 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Understanding Layer 2 Protocol Tunneling Figure 1-5 Layer 2 Network Topology without Proper Convergence (diagram: Customer X virtual network, VLANs 1 to 100) In an SP network, you can use Layer 2 protocol tunneling to enhance the creation of EtherChannels by emulating a point-to-point network topology.
  • Page 541: Configuring Layer 2 Protocol Tunneling

    When the Layer 2 PDUs that entered the service-provider inbound edge switch through a Layer 2 protocol-enabled port exit through the trunk port into the service-provider network, the switch overwrites the customer PDU-destination MAC address with a well-known Cisco proprietary multicast address (01-00-0c-cd-cd-d0). If IEEE 802.1Q tunneling is enabled, packets are also double-tagged; the outer tag is the customer metro tag, and the inner tag is the customer’s VLAN tag.
  • Page 542: Default Layer 2 Protocol Tunneling Configuration

    Chapter 1 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling Figure 1-4, with Customer X and Customer Y in access VLANs 30 and 40, respectively. Asymmetric links connect the customers in Site 1 to edge switches in the service-provider network. The Layer 2 PDUs (for example, BPDUs) coming into Switch B from Customer Y in Site 1 are forwarded to the infrastructure as double-tagged packets with the well-known MAC address as the destination MAC address.
  • Page 543: Layer 2 Protocol Tunneling Configuration Guidelines

    Layer 2 Protocol Tunneling Configuration Guidelines. These are some configuration guidelines and operating characteristics of Layer 2 protocol tunneling: • The switch supports tunneling of CDP, STP, including multiple STP (MSTP), and VTP. • Protocol...
  • Page 544 Configuring Layer 2 Protocol Tunneling. Beginning in privileged EXEC mode, follow these steps to configure a port for Layer 2 protocol tunneling: Step 1, configure terminal: Enter global configuration mode.
  • Page 545: Configuring Layer 2 Tunneling For Etherchannels

    Use the no l2protocol-tunnel [cdp | stp | vtp] interface configuration command to disable protocol tunneling for one of the Layer 2 protocols or for all three. Use the no l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] and the no l2protocol-tunnel drop-threshold [cdp | stp | vtp] commands to return the shutdown and drop thresholds to the default settings.
  • Page 546 Step 5, l2protocol-tunnel shutdown-threshold [point-to-point [pagp | lacp | udld]] value: (Optional) Configure the threshold for packets-per-second accepted for encapsulation. The interface is disabled if the configured threshold is exceeded.
  • Page 547: Configuring The Customer Switch

    Configuring the Customer Switch. After configuring the SP edge switch, begin in privileged EXEC mode and follow these steps to configure a customer switch for Layer 2 protocol tunneling for EtherChannels: Step 1...
  • Page 548
      Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000
      Switch(config-if)# exit
      Switch(config)# interface gigabitethernet1/0/3
      Switch(config-if)# switchport trunk encapsulation isl
      Switch(config-if)# switchport mode trunk
    SP edge switch 2 configuration:
      Switch(config)# interface gigabitethernet1/0/1
      Switch(config-if)# switchport access vlan 19
      Switch(config-if)# switchport mode dot1q-tunnel...
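    The destination-MAC rewrite and double tagging described for the SP inbound edge in the Configuring Layer 2 Protocol Tunneling section, and the per-protocol drop and shutdown thresholds of the shutdown-threshold step, modelled in Python as an added example; this is not code from the Cisco guide or from IOS. The 01-00-0c-cd-cd-d0 address is the one the guide gives; the IEEE bridge group address for BPDUs, the CDP/VTP destination and the LLC/SNAP prefixes (DSAP/SSAP 0x42 for BPDUs, SNAP with OUI 00:00:0c and PID 0x2000 for CDP, 0x2003 for VTP) are the standard values. The sample frames are constructed inline. The threshold check is a simplified one-second model and assumes, as IOS does when both thresholds are set, that a drop threshold never exceeds the shutdown threshold.

```python
import struct
from dataclasses import dataclass, field

# L2PT rewrites the PDU destination to this Cisco multicast (value from the guide).
L2PT_DST = bytes.fromhex("01000ccdcdd0")    # 01-00-0c-cd-cd-d0
STP_DST = bytes.fromhex("0180c2000000")     # IEEE bridge group address: STP/RSTP/MSTP BPDUs
CISCO_DST = bytes.fromhex("01000ccccccc")   # CDP and VTP
TPID_8021Q = 0x8100

# Standard LLC/SNAP prefixes that identify the three tunneled protocols.
LLC_STP = bytes.fromhex("424203")                    # DSAP 0x42, SSAP 0x42, UI
SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")   # SNAP, OUI 00:00:0c, PID 0x2000
SNAP_VTP = bytes.fromhex("aaaa03" "00000c" "2003")   # SNAP, OUI 00:00:0c, PID 0x2003


def classify_pdu(llc):
    """Return 'stp', 'cdp' or 'vtp' from the LLC/SNAP header, else None."""
    for name, prefix in (("stp", LLC_STP), ("cdp", SNAP_CDP), ("vtp", SNAP_VTP)):
        if llc.startswith(prefix):
            return name
    return None


def dot1q_tag(vid, pcp=0):
    """4-byte 802.1Q tag: TPID 0x8100, then PCP (3 bits), DEI (0) and VID (12 bits)."""
    return struct.pack("!HH", TPID_8021Q, ((pcp & 7) << 13) | (vid & 0xFFF))


def vlan_tags(frame):
    """VIDs of the consecutive 802.1Q tags that follow the source MAC."""
    vids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0xFFF)
        off += 4
    return vids


def build_pdu_frame(dst, src, vid, llc):
    """Customer-side 802.3 frame: MACs, optional customer tag, length field, LLC payload."""
    return dst + src + (dot1q_tag(vid) if vid else b"") + struct.pack("!H", len(llc)) + llc


def l2pt_encapsulate(frame, metro_vid, dot1q_tunnel=True, cos=5):
    """SP inbound edge: overwrite the destination MAC with the L2PT multicast and, when
    802.1Q tunneling is on, push the metro tag in front of the customer's own tag."""
    outer = dot1q_tag(metro_vid, cos) if dot1q_tunnel else b""
    return L2PT_DST + frame[6:12] + outer + frame[12:]


def l2pt_decapsulate(frame, metro_vid):
    """SP outbound edge: pop the metro tag and restore the protocol's real destination MAC.
    Returns (protocol, customer_frame)."""
    if frame[:6] != L2PT_DST:
        raise ValueError("not an L2PT frame")
    tags = vlan_tags(frame)
    if not tags or tags[0] != metro_vid:
        raise ValueError("metro tag missing or wrong VLAN")
    rest = frame[16:]                              # everything after the outer tag
    llc = rest[6:] if len(tags) > 1 else rest[2:]  # skip inner tag (4) and/or length (2)
    proto = classify_pdu(llc)
    if proto is None:
        raise ValueError("unrecognised tunneled PDU")
    return proto, (STP_DST if proto == "stp" else CISCO_DST) + frame[6:12] + rest


@dataclass
class L2ptThresholds:
    """Per-protocol packets-per-second limits, as set by l2protocol-tunnel drop-threshold
    and shutdown-threshold. A protocol with no entry is unlimited."""
    drop: dict = field(default_factory=dict)
    shutdown: dict = field(default_factory=dict)

    def __post_init__(self):
        for proto, d in self.drop.items():
            s = self.shutdown.get(proto)
            if s is not None and d > s:
                raise ValueError(f"{proto}: drop threshold {d} exceeds shutdown threshold {s}")


def apply_thresholds(pps_by_proto, thresholds):
    """One-second verdict per protocol: 'forward', 'drop' (excess PDUs dropped) or
    'shutdown' (port error-disabled). Shutdown wins when both limits are crossed."""
    verdict = {}
    for proto, pps in pps_by_proto.items():
        s, d = thresholds.shutdown.get(proto), thresholds.drop.get(proto)
        if s is not None and pps > s:
            verdict[proto] = "shutdown"
        elif d is not None and pps > d:
            verdict[proto] = "drop"
        else:
            verdict[proto] = "forward"
    return verdict


if __name__ == "__main__":
    # Constructed sample: a customer STP BPDU on VLAN 10 entering a metro-VLAN-30 tunnel port.
    bpdu = build_pdu_frame(STP_DST, bytes.fromhex("001122334455"), 10, LLC_STP + bytes(35))
    tunneled = l2pt_encapsulate(bpdu, metro_vid=30)
    print(tunneled[:6].hex(":"), vlan_tags(tunneled))
    print(l2pt_decapsulate(tunneled, 30)[1] == bpdu)
    print(apply_thresholds({"stp": 120, "cdp": 8},
                           L2ptThresholds(drop={"stp": 100}, shutdown={"stp": 1000, "cdp": 5})))
```

    The frame comes back from l2pt_decapsulate byte-identical to what the customer sent, which is why the remote site sees its own STP, CDP and VTP traffic as if the provider network were a wire. The two thresholds exist for different reasons: drop-threshold bounds the PDU rate a customer can push into the core, shutdown-threshold takes the port out of service when the rate looks like a flood rather than normal protocol traffic.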
  • Page 549: Monitoring And Maintaining Tunneling Status

    Monitoring and Maintaining Tunneling Status. Table 1-2 shows the privileged EXEC commands for monitoring and maintaining IEEE 802.1Q and Layer 2 protocol tunneling. Table 1-2 Commands for Monitoring and Maintaining Tunneling (Command / Purpose)...
  • Page 551: Understanding Spanning-Tree Features

    Catalyst 3750-X or 3560-X switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard. A switch stack appears as a single spanning-tree node to the rest of the network, and all stack members use the same bridge ID.
  • Page 552: Stp Overview

    Chapter 1 Configuring STP, Understanding Spanning-Tree Features: • Spanning-Tree Modes and Protocols, page 1-10 • Supported Spanning-Tree Instances, page 1-10 • Spanning-Tree Interoperability and Backward Compatibility, page 1-11 • STP and IEEE 802.1Q Trunks, page 1-12 • VLAN-Bridge Spanning Tree, page 1-12 •...
  • Page 553 Spanning-Tree Topology and BPDUs. The stable, active spanning-tree topology of a switched network is controlled by these elements: • The unique bridge ID (switch priority and MAC address) associated with each VLAN on each...
  • Page 554 Only one outgoing port on the stack root switch is selected as the root port. The remaining switches in the stack become its designated switches (Switch 2 and Switch 3) as shown in Figure 1-1 on page 1-4.
  • Page 555 Bridge ID, Switch Priority, and Extended System ID. The IEEE 802.1D standard requires that each switch has a unique bridge identifier (bridge ID), which controls the selection of the root switch. Because each VLAN is considered as a different logical bridge with PVST+ and rapid PVST+, the same switch must have a different bridge ID for each configured VLAN.
  • Page 556 An interface moves through these states: • From initialization to blocking • From blocking to listening or to disabled • From listening to learning or to disabled • From learning to forwarding or to disabled •...
  • Page 557: Listening State

    there is only one switch in the network, no exchange occurs, the forward-delay timer expires, and the interface moves to the listening state. An interface always enters the blocking state after switch initialization. An interface in the blocking state performs these functions: •...
  • Page 558: How A Switch Or Port Becomes The Root Switch Or Root Port

    Disabled State. A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational. A disabled interface performs these functions: • Discards frames received on the interface...
  • Page 559: Spanning Tree And Redundant Connectivity

    Spanning Tree and Redundant Connectivity. You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure 1-4. Spanning tree automatically disables one interface but enables it if the other one fails.
  • Page 560 Spanning-Tree Modes and Protocols. The switch supports these spanning-tree modes and protocols: • PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
  • Page 561 Spanning-Tree Interoperability and Backward Compatibility. Table 1-2 lists the interoperability and compatibility among the supported spanning-tree modes in a network. Table 1-2 PVST+, MSTP, and Rapid-PVST+ Interoperability (columns: PVST+, MSTP, Rapid PVST+). PVST+ row: Yes (with restrictions), Yes (reverts to PVST+). MSTP row...
  • Page 562: Spanning Tree And Switch Stacks

    VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
  • Page 563: Configuring Spanning-Tree Features

    • If a neighboring switch external to the switch stack fails or is powered down, normal spanning-tree processing occurs. Spanning-tree reconvergence might occur as a result of losing a switch in the active topology. • If a new switch external to the switch stack is added to the network, normal spanning-tree processing...
  • Page 564 Table 1-3 Default Spanning-Tree Configuration (continued). Feature / Default Setting: Spanning-tree VLAN port cost (configurable on a per-VLAN basis): 1000 Mb/s: 4; 100 Mb/s: 19; 10 Mb/s: 100. Spanning-tree timers: Hello time: 2 seconds; Forward-delay time: 15 seconds.
  • Page 565 Spanning-tree commands control the configuration of VLAN spanning-tree instances. You create a spanning-tree instance when you assign an interface to a VLAN. The spanning-tree instance is removed when the last interface is moved to another VLAN. You can configure switch and port parameters before a spanning-tree instance is created;...
  • Page 566: Disabling Spanning Tree

    Step 6, clear spanning-tree detected-protocols: (Recommended for rapid-PVST+ mode only) If any port on the switch is connected to a port on a legacy IEEE 802.1D switch, restart the protocol migration process on the entire switch. This step is optional if the designated switch detects that this switch is running rapid PVST+.
  • Page 567 Configuring the Root Switch. The switch maintains a separate spanning-tree instance for each active VLAN configured on it. A bridge ID, consisting of the switch priority and the switch MAC address, is associated with each instance. For each VLAN, the switch with the lowest bridge ID becomes the root switch for that VLAN.
  • Page 568 Beginning in privileged EXEC mode, follow these steps to configure a switch to become the root for the specified VLAN. This procedure is optional. Step 1, configure terminal: Enter global configuration mode. Step 2, spanning-tree vlan vlan-id root primary: Configure a switch to become the root for the specified VLAN.
  • Page 569 Beginning in privileged EXEC mode, follow these steps to configure a switch to become the secondary root for the specified VLAN. This procedure is optional. Step 1, configure terminal: Enter global configuration mode. Step 2, spanning-tree vlan vlan-id root secondary: Configure a switch to become the secondary root for the specified...
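    A worked model of the bridge ID with the extended system ID and of per-VLAN root election, added here as an example; it is not code from the Cisco guide. The 24576 and 28672 values and the rule "otherwise 4096 below the lowest priority in use" are what IOS documents for the root primary and root secondary macros; the switch names, MAC addresses and VLANs are constructed, and the Switch class is the example's own.

```python
DEFAULT_PRIORITY = 32768          # IEEE/IOS default switch priority
PRIMARY_ROOT_PRIORITY = 24576     # first choice of 'spanning-tree vlan X root primary'
SECONDARY_ROOT_PRIORITY = 28672   # set by 'spanning-tree vlan X root secondary'


def mac_to_int(mac):
    """'0011.2233.4455', '00:11:22:33:44:55' or '00-11-22-33-44-55' -> int."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


def check_priority(priority):
    """With the extended system ID only 16 values are possible: 0, 4096, ..., 61440."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError(f"priority {priority} is not a multiple of 4096 in 0..61440")
    return priority


def bridge_id(priority, mac, vlan):
    """Bridge ID as (16-bit priority field, 48-bit MAC). The priority field is the
    configured priority plus the VLAN ID (extended system ID), so the tuples compare
    in root-election order: lower wins, the MAC address breaking ties."""
    check_priority(priority)
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} out of range")
    return (priority + vlan, mac_to_int(mac))


class Switch:
    def __init__(self, name, mac, priorities=None):
        self.name = name
        self.mac = mac
        self.priorities = dict(priorities or {})   # VLAN -> configured priority

    def priority(self, vlan):
        return self.priorities.get(vlan, DEFAULT_PRIORITY)

    def bridge_id(self, vlan):
        return bridge_id(self.priority(vlan), self.mac, vlan)


def elect_root(switches, vlan):
    """The switch with the numerically lowest bridge ID becomes root for that VLAN."""
    return min(switches, key=lambda s: s.bridge_id(vlan)).name


def root_primary(switch, others, vlan):
    """Model of 'spanning-tree vlan <vlan> root primary': IOS sets 24576 when that beats
    the lowest priority currently in use on the VLAN, otherwise 4096 below that lowest
    value. Returns the priority chosen."""
    lowest = min(o.priority(vlan) for o in others) if others else DEFAULT_PRIORITY
    chosen = PRIMARY_ROOT_PRIORITY if PRIMARY_ROOT_PRIORITY < lowest else lowest - 4096
    if chosen < 0:
        raise ValueError("another switch already uses priority 0 on this VLAN")
    switch.priorities[vlan] = chosen
    return chosen


def root_secondary(switch, vlan):
    """Model of 'spanning-tree vlan <vlan> root secondary' (priority 28672)."""
    switch.priorities[vlan] = SECONDARY_ROOT_PRIORITY
    return SECONDARY_ROOT_PRIORITY


if __name__ == "__main__":
    # Constructed switches: B has 'spanning-tree vlan 10 priority 4096'; A and C are at defaults.
    a = Switch("A", "0011.0000.0001")
    b = Switch("B", "0011.0000.0002", {10: 4096})
    c = Switch("C", "0011.0000.0003")
    print(elect_root([a, b, c], 10), elect_root([a, b, c], 20))
    print(root_primary(a, [b, c], 10), elect_root([a, b, c], 10))
```

    Two points the numbers make visible: with every switch at the default priority the root is decided by the lowest MAC address, which is usually the oldest switch in the network, and because the VLAN ID occupies the low 12 bits of the priority field, root primary has to step down by whole multiples of 4096 and can be outbid by anything on the segment that sends priority 0, which is the case root guard (later in this guide) exists to block.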
  • Page 570 Beginning in privileged EXEC mode, follow these steps to configure the port priority of an interface. This procedure is optional. Step 1, configure terminal: Enter global configuration mode. Step 2, interface interface-id: Specify an interface to configure, and enter interface configuration mode.
  • Page 571 Configuring Path Cost. The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
  • Page 572: Configuring The Switch Priority Of A Vlan

    To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree path costs, see the “Configuring Trunk Ports for Load Sharing”...
  • Page 573 Configuring Spanning-Tree Timers. Table 1-4 describes the timers that affect the entire spanning-tree performance. Table 1-4 Spanning-Tree Timers (Variable / Description): Hello timer: Controls how often the switch broadcasts hello messages to other switches. Forward-delay timer: Controls how long each of the listening and learning states last before the interface begins forwarding.
  • Page 574 Configuring the Forwarding-Delay Time for a VLAN. Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional. Step 1, configure terminal: Enter global configuration mode.
  • Page 575: Displaying The Spanning-Tree Status

    Configuring the Transmit Hold-Count. You can configure the BPDU burst size by changing the transmit hold count value. Note: Changing this parameter to a higher value can have a significant impact on CPU utilization, especially in Rapid-PVST mode.
  • Page 577 CHAPTER Configuring MSTP. This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 3750-X or 3560-X switch. The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard.
  • Page 578: Understanding Mstp

    Understanding MSTP. MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load-balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.
  • Page 579 The IST is the only spanning-tree instance that sends and receives BPDUs. All of the other spanning-tree instance information is contained in M-records, which are encapsulated within MSTP BPDUs. Because the MSTP BPDU carries information for all instances, the number of BPDUs that need to be processed to support multiple spanning-tree instances is significantly reduced.
  • Page 580 The IST connects all the MSTP switches in the region and appears as a subtree in the CIST that encompasses the entire switched domain. The root of the subtree is the CIST regional root. The MST region appears as a virtual switch to adjacent STP switches and MST regions.
  • Page 581: Hop Count

    IEEE 802.1s Terminology. Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network. Because the CIST is the only spanning-tree instance that spans the whole network, only the CIST parameters require the external rather than the internal or regional qualifiers.
  • Page 582: Boundary Ports

    The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary, unless it is running in an STP-compatible mode.
  • Page 583 Detecting Unidirectional Link Failure This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
  • Page 584: Mstp And Switch Stacks

    Figure 1-3 illustrates a unidirectional link failure that typically creates a bridging loop. Switch A is the root switch, and its BPDUs are lost on the link leading to switch B. RSTP and MST BPDUs include the role and state of the sending port.
  • Page 585: Understanding Rstp

    to a port when the switch to which this switch is connected has joined the region. To restart the protocol migration process (force the renegotiation with neighboring switches), use the clear spanning-tree detected-protocols privileged EXEC command. If all the legacy switches on the link are RSTP switches, they can process MSTP BPDUs as if they are RSTP BPDUs.
  • Page 586: Rapid Convergence

    (Table row: Disabled, Disabled, Discarding.) To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state. Rapid Convergence. The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
  • Page 587: Synchronization Of Port Roles

    When Switch C is connected to Switch B, a similar set of handshaking messages is exchanged. Switch C selects the port connected to Switch B as its root port, and both ends immediately transition to the forwarding state. With each iteration of this handshaking process, one more switch joins the active topology.
  • Page 588: Bridge Protocol Data Unit Format And Processing

    After ensuring that all of the ports are synchronized, the switch sends an agreement message to the designated switch corresponding to its root port. When the switches connected by a point-to-point link are in agreement about their port roles, the RSTP immediately transitions the port states to forwarding. The sequence of events is shown in Figure 1-5.
  • Page 589: Topology Changes

    The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN. The port role in the proposal message is always set to the designated port. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal.
  • Page 590: Configuring Mstp Features

    • Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.
  • Page 591: Mstp Configuration Guidelines

    • For two or more Catalyst 3560-X switches to be in the same MST region, they must have the same VLAN-to-instance map, the same configuration revision number, and the same name. • For two or more stacked Catalyst 3750-X switches to be in the same MST region, they must have...
  • Page 592: Specifying The Mst Region Configuration And Enabling Mstp

    • All MST boundary ports must be forwarding for load-balancing between a PVST+ and an MST cloud or between a rapid-PVST+ and an MST cloud. For this to occur, the IST master of the MST cloud should also be the root of the CST.
  • Page 593 Step 3, instance instance-id vlan vlan-range: Map VLANs to an MST instance. • For instance-id, the range is 0 to 4094. • For vlan vlan-range, the range is 1 to 4094. When you map VLANs to an MST instance, the mapping is incremental, and the VLANs specified in the command are added to or removed from the VLANs that were previously mapped.
  • Page 594 Instance / Vlans Mapped table: 1-9,21-4094; 10-20.
      Switch(config-mst)# exit
      Switch(config)#
    Configuring the Root Switch. The switch maintains a spanning-tree instance for the group of VLANs mapped to it. A switch ID, consisting of the switch priority and the switch MAC address, is associated with each instance. For a group of VLANs, the switch with the lowest switch ID becomes the root switch.
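    The region identity that the MSTP configuration guidelines require to match (name, revision and VLAN-to-instance map), worked through as an added Python example; it is not code from the Cisco guide. IEEE 802.1s does not carry the 4096-entry map in the BPDU: it carries an HMAC-MD5 digest of it, computed with the fixed key 0x13AC06A62E47FD51F95D2BA243CD0346 over 4096 big-endian 16-bit instance numbers, and that is the Digest value show spanning-tree mst configuration digest prints. The MstRegion class, the instance and no_instance method names, and the region name and revision used are the example's own; the map it reproduces (instance 1 holding VLANs 10 to 20, everything else in instance 0) is the one shown above.

```python
import hmac
import struct

# Fixed HMAC-MD5 key from IEEE 802.1s for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
IST = 0   # instance 0: every VLAN not mapped elsewhere stays here


def parse_vlan_range(spec):
    """'1-9,21-4094' -> set of VLAN IDs (the syntax of 'instance N vlan ...')."""
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), (int(hi) if hi else int(lo))
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part}")
        vids.update(range(lo, hi + 1))
    return vids


def vlan_ranges(vids):
    """Inverse of parse_vlan_range: {1, 2, 3, 7} -> '1-3,7'."""
    runs, run = [], []
    for v in sorted(vids):
        if run and v == run[-1] + 1:
            run.append(v)
        else:
            if run:
                runs.append(run)
            run = [v]
    if run:
        runs.append(run)
    return ",".join(f"{r[0]}-{r[-1]}" if len(r) > 1 else str(r[0]) for r in runs)


class MstRegion:
    """Region identifier: name, revision and the VLAN-to-instance table."""

    def __init__(self, name="", revision=0):
        self.name = name
        self.revision = revision
        self.table = [IST] * 4096   # index = VLAN ID; entries 0 and 4095 are always 0

    def instance(self, inst, vlan_spec):
        """'instance <inst> vlan <range>': incremental, adds these VLANs to the instance."""
        if not 0 <= inst <= 4094:
            raise ValueError(f"instance {inst} out of range 0..4094")
        for v in parse_vlan_range(vlan_spec):
            self.table[v] = inst
        return self

    def no_instance(self, inst, vlan_spec):
        """'no instance <inst> vlan <range>': returns those VLANs to the IST."""
        for v in parse_vlan_range(vlan_spec):
            if self.table[v] == inst:
                self.table[v] = IST
        return self

    def mapping(self):
        """Instance -> VLAN ranges, in the layout of the Instance / Vlans Mapped table."""
        by_inst = {}
        for v in range(1, 4095):
            by_inst.setdefault(self.table[v], set()).add(v)
        return {i: vlan_ranges(s) for i, s in sorted(by_inst.items())}

    def digest(self):
        """HMAC-MD5 over 4096 big-endian 16-bit entries: the value advertised in MST BPDUs."""
        data = b"".join(struct.pack("!H", i) for i in self.table)
        return hmac.new(MST_DIGEST_KEY, data, "md5").hexdigest().upper()

    def same_region(self, other):
        """All three fields must match, or the link between the switches is a region boundary."""
        return (self.name, self.revision, self.digest()) == (
            other.name, other.revision, other.digest())


if __name__ == "__main__":
    region = MstRegion("region1", 1).instance(1, "10-20")
    print(region.mapping())          # {0: '1-9,21-4094', 1: '10-20'}
    print(region.digest())
    print(MstRegion().digest())      # default map, all VLANs in instance 0
```

    A single VLAN mapped differently, or a revision number bumped on one switch only, changes the identity and turns the link into a region boundary; the switch then sits in a region of its own and the per-instance load balancing this chapter describes silently stops working. Comparing the digest from show spanning-tree mst configuration digest across switches is the quickest way to find which one differs.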
  • Page 595 Beginning in privileged EXEC mode, follow these steps to configure a switch as the root switch. This procedure is optional. Step 1, configure terminal: Enter global configuration mode. Step 2, spanning-tree mst instance-id root primary: Configure a switch as the root switch.
  • Page 596 Beginning in privileged EXEC mode, follow these steps to configure a switch as the secondary root switch. This procedure is optional. Step 1, configure terminal: Enter global configuration mode. Step 2, spanning-tree mst instance-id root: Configure a switch as the secondary root switch.
  • Page 597 Beginning in privileged EXEC mode, follow these steps to configure the MSTP port priority of an interface. This procedure is optional. Step 1, configure terminal: Enter global configuration mode. Step 2, interface interface-id: Specify an interface to configure, and enter interface configuration mode.
  • Page 598: Configuring The Switch Priority

    Beginning in privileged EXEC mode, follow these steps to configure the MSTP cost of an interface. This procedure is optional. Step 1, configure terminal: Enter global configuration mode. Step 2, interface interface-id: Specify an interface to configure, and enter interface configuration mode.
  • Page 599: Configuring The Hello Time

    Beginning in privileged EXEC mode, follow these steps to configure the switch priority. This procedure is optional. Step 1, configure terminal: Enter global configuration mode. Step 2, spanning-tree mst instance-id priority priority: Configure the switch priority.
  • Page 600 Configuring the Forwarding-Delay Time. Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for all MST instances. This procedure is optional. Step 1, configure terminal: Enter global configuration mode. Step 2, spanning-tree mst forward-time seconds: Configure the forward time for all MST instances.
  • Page 601: Specifying The Link Type To Ensure Rapid Transitions

    Configuring the Maximum-Hop Count. Beginning in privileged EXEC mode, follow these steps to configure the maximum-hop count for all MST instances. This procedure is optional. Step 1, configure terminal: Enter global configuration mode. Step 2, spanning-tree mst max-hops hop-count: Specify the number of hops in a region before the BPDU is...
  • Page 602: Designating The Neighbor Type

    Designating the Neighbor Type. A topology could contain both prestandard and IEEE 802.1s standard compliant devices. By default, ports can automatically detect prestandard devices, but they can still receive both standard and prestandard BPDUs. When there is a mismatch between a device and its neighbor, only the CIST runs on the interface.
  • Page 603: Displaying The Mst Configuration And Status

    Displaying the MST Configuration and Status. To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 1-5: Table 1-5 Commands for Displaying MST Status (Command / Purpose): show spanning-tree mst configuration...
  • Page 605: Understanding Optional Spanning-Tree Features

    CHAPTER Configuring Optional Spanning-Tree Features. This chapter describes how to configure optional spanning-tree features on the Catalyst 3750-X or 3560-X switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+).
  • Page 606: Understanding Port Fast

    Understanding Port Fast. Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. You can use Port Fast on interfaces connected to a single workstation or server, as shown in Figure 1-1, to allow those devices to...
  • Page 607: Understanding Bpdu Filtering

    At the interface level, you enable BPDU guard on any port by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. When the port receives a BPDU, it is put in the error-disabled state.
  • Page 608 Figure 1-2 Switches in a Hierarchical Network (backbone switches with the root bridge, distribution switches, access switches; active and blocked links). If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port.
  • Page 609 Figure 1-3 UplinkFast Example Before Direct Link Failure (Switch A (Root), Switch B, Switch C with a blocked port). If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure...
  • Page 610: How Csuf Works

    How CSUF Works. CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 1-5, the stack-root port on Switch 1 provides the path to the root of the spanning tree. The alternate stack-root ports on Switches 2 and 3 can provide an alternate path to the spanning-tree root if the current stack-root switch fails or if its link to the spanning-tree root fails.
  • Page 611: Understanding Backbonefast

    Each switch in the stack decides if the sending switch is a better choice than itself to be the stack root of this spanning-tree instance by comparing the root, cost, and bridge ID. If the sending switch is the best choice as the stack root, each switch in the stack returns an acknowledgement;...
  • Page 612 BackboneFast, which is enabled by using the spanning-tree backbonefast global configuration command, starts when a root port or blocked interface on a switch receives inferior BPDUs from its designated switch. An inferior BPDU identifies a switch that declares itself as both the root bridge and the designated switch.
  • Page 613 If link L1 fails as shown in Figure 1-7, Switch C cannot detect this failure because it is not connected directly to link L1. However, because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root, and begins sending BPDUs to Switch C, identifying itself as the root.
  • Page 614: Understanding Etherchannel Guard

    Understanding EtherChannel Guard. You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel, but the interfaces on the other device are not.
  • Page 615: Understanding Loop Guard

    Figure 1-9 Root Guard in a Service-Provider Network (figure labels: customer network; service-provider network; potential spanning-tree root without root guard enabled; desired root switch; enable the root-guard feature on these interfaces to prevent switches in the customer network from becoming the root switch or being...)
  • Page 616: Enabling Port Fast

    • Enabling BackboneFast, page 1-16 (optional) • Enabling EtherChannel Guard, page 1-17 (optional) • Enabling Root Guard, page 1-18 (optional) • Enabling Loop Guard, page 1-18 (optional). Default Optional Spanning-Tree Configuration. Table 1-1 shows the default optional spanning-tree configuration.
  • Page 617: Enabling Bpdu Guard

    You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP. Beginning in privileged EXEC mode, follow these steps to enable Port Fast. This procedure is optional. Step 1...
  • Page 618: Enabling Bpdu Filtering

    The BPDU guard feature provides a secure response to invalid configurations because you must manually put the port back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree.
  • Page 619: Enabling Uplinkfast For Use With Redundant Links

    You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs. Caution: Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.
  • Page 620: Enabling Backbonefast

    Beginning in privileged EXEC mode, follow these steps to enable UplinkFast and CSUF. This procedure is optional. Step 1, configure terminal: Enter global configuration mode. Step 2, spanning-tree uplinkfast [max-update-rate: Enable UplinkFast.
  • Page 621: Enabling Etherchannel Guard

    Note: If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs. This feature is supported for use with third-party switches. You can configure the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
  • Page 622: Enabling Root Guard

    Enabling Root Guard. Root guard enabled on an interface applies to all the VLANs to which the interface belongs. Do not enable the root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure.
  • Page 623: Displaying The Spanning-Tree Status

    Step 3, spanning-tree loopguard default: Enable loop guard. By default, loop guard is disabled. Step 4: Return to privileged EXEC mode. Step 5, show running-config: Verify your entries. Step 6, copy running-config startup-config: (Optional) Save your entries in the configuration file.
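    The four per-port protections this chapter configures (BPDU guard, BPDU filtering, root guard and loop guard), as one added Python example that is not code from the Cisco guide or from IOS. It encodes the responses the text describes so the differences an operator relies on are explicit: BPDU guard error-disables the whole port on any BPDU and it stays down until put back in service; root guard moves a designated port to root-inconsistent only on the VLAN where a superior BPDU arrived and releases it by itself once such BPDUs stop; loop guard holds a root or alternate port in loop-inconsistent when its BPDUs stop arriving instead of letting it move toward forwarding. The BpduInfo ordering is the 802.1D priority vector; the MAC addresses, priorities and port names are constructed; the state names beyond those the guide uses, and the assumption that an interface-level BPDU filter is applied before BPDU guard (the guide says such an interface neither sends nor receives BPDUs), are the example's own.

```python
from dataclasses import dataclass, field


@dataclass(order=True, frozen=True)
class BpduInfo:
    """The comparable part of a configuration BPDU (the 802.1D priority vector): lower wins."""
    root_id: tuple          # (priority + VLAN, MAC as int), the same shape as a bridge ID
    root_path_cost: int
    sender_id: tuple        # bridge ID of the switch that sent the BPDU
    sender_port_id: int


@dataclass
class Port:
    name: str
    role: str = "designated"    # 'designated', 'root' or 'alternate'
    bpduguard: bool = False     # spanning-tree bpduguard enable
    bpdufilter: bool = False    # spanning-tree bpdufilter enable
    guard: str = "none"         # spanning-tree guard {root | loop | none}: one keyword, so exclusive
    err_disabled: bool = False
    vlan_state: dict = field(default_factory=dict)   # VLAN -> state that differs from the default

    def state_for(self, vlan):
        if self.err_disabled:
            return "err-disabled"
        default = "blocking" if self.role == "alternate" else "forwarding"
        return self.vlan_state.get(vlan, default)


def receive_bpdu(port, vlan, bpdu, own_info):
    """Apply the guards to one BPDU received on port for vlan. own_info is the BpduInfo
    this port would transmit on that VLAN. Returns the port's state for that VLAN."""
    if port.err_disabled:
        return "err-disabled"
    if port.bpdufilter:
        return port.state_for(vlan)      # the BPDU is never seen: spanning tree is off here
    if port.bpduguard:
        port.err_disabled = True         # the whole port, every VLAN, until put back in service
        port.vlan_state.clear()
        return "err-disabled"
    superior = bpdu < own_info           # would this BPDU take the designated role from us?
    if port.guard == "root" and port.role == "designated" and superior:
        port.vlan_state[vlan] = "root-inconsistent"   # this VLAN only
    else:
        port.vlan_state.pop(vlan, None)  # inferior BPDU, or BPDUs have resumed: release
    return port.state_for(vlan)


def bpdus_expired(port, vlan):
    """Max-age expiry on this VLAN with no BPDU received."""
    if port.err_disabled:
        return "err-disabled"
    if port.vlan_state.get(vlan) == "root-inconsistent":
        port.vlan_state.pop(vlan)        # superior BPDUs stopped: root guard recovers by itself
    elif port.role in ("root", "alternate"):
        # Loop guard keeps the port blocked; without it the port would start toward
        # forwarding, which on a unidirectional link is how a bridging loop is created.
        port.vlan_state[vlan] = "loop-inconsistent" if port.guard == "loop" else "listening"
    return port.state_for(vlan)


def errdisable_recover(port):
    """shutdown / no shutdown by an administrator, or errdisable recovery: the port returns."""
    port.err_disabled = False
    port.vlan_state.clear()
    return port.state_for(1)


def config_warnings(port, uplinkfast_enabled=False):
    """Guideline checks taken from this chapter."""
    warnings = []
    if port.guard == "root" and uplinkfast_enabled:
        warnings.append(f"{port.name}: do not enable root guard on interfaces used by UplinkFast")
    if port.bpdufilter:
        warnings.append(f"{port.name}: BPDU filtering equals disabling spanning tree on the port")
    return warnings


if __name__ == "__main__":
    # Constructed values: we are root of VLAN 10 at priority 4096; a customer switch claims priority 0.
    own = BpduInfo((4106, 0x001100000001), 0, (4106, 0x001100000001), 0x8001)
    rogue = BpduInfo((10, 0x001100000009), 0, (10, 0x001100000009), 0x8001)
    uplink = Port("Gi1/0/1", guard="root")
    print(receive_bpdu(uplink, 10, rogue, own), uplink.state_for(20))
    print(bpdus_expired(uplink, 10))
```

    The distinction worth keeping in mind when choosing between them: BPDU guard is for ports where no switch should ever be attached, so any BPDU is treated as an incident and the port needs an operator (or errdisable recovery) to come back; root guard is for ports where a switch is expected but must never become root, so it is self-healing; loop guard addresses the opposite failure, the absence of BPDUs, and is the one to pair with point-to-point links where a unidirectional failure is plausible.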
  • Page 624 Chapter 1 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status Catalyst 3750-X and 3560-X Switch Software Configuration Guide 1-20 OL-25303-03...
  • Page 625: Understanding Rep

    C H A P T E R Configuring Resilient Ethernet Protocol Resilient Ethernet Protocol (REP) is a Cisco proprietary protocol that provides an alternative to Spanning Tree Protocol (STP) to control network loops, handle link failures, and improve convergence time. REP controls a group of ports connected in a segment, ensures that the segment does not create any bridging loops, and responds to link failures within the segment.
  • Page 626 Chapter 1 Configuring Resilient Ethernet Protocol Understanding REP Figure 1-1 REP Open Segments (figure labels: edge port, blocked port, link failure) The segment shown in Figure 1-1 is an open segment; there is no connectivity between the two edge ports. The REP segment cannot cause a bridging loop and it is safe to connect the segment edges to any network.
  • Page 627: Link Integrity

    Chapter 1 Configuring Resilient Ethernet Protocol Understanding REP You can construct almost any type of network based on REP segments. REP also supports VLAN load-balancing, controlled by the primary edge port but occurring at any port in the segment. In access ring topologies, the neighboring switch might not support REP, as shown in Figure 1-3.
  • Page 628: Fast Convergence

    By default, REP packets are sent to a BPDU class MAC address. The packets can also be sent to the Cisco multicast address, which is used only to send blocked port advertisement (BPA) messages when there is a failure in the segment. The packets are dropped by devices not running REP.
  • Page 629 Chapter 1 Configuring Resilient Ethernet Protocol Understanding REP number (downstream position from the primary edge port) or a negative offset number (downstream position from the secondary edge port). If E2 became the primary edge port, its offset number would then be 1 and E1 would be -1. • By entering the preferred keyword to select the port that you previously configured as the preferred...
  • Page 630: Spanning Tree Interaction

    Chapter 1 Configuring Resilient Ethernet Protocol Configuring REP Spanning Tree Interaction REP does not interact with STP or with the Flex Link feature, but can coexist with both. A port that belongs to a segment is removed from spanning tree control and STP BPDUs are not accepted or sent from segment ports.
  • Page 631: Default Rep Configuration

    Chapter 1 Configuring Resilient Ethernet Protocol Configuring REP Default REP Configuration REP is disabled on all interfaces. When enabled, the interface is a regular segment port unless it is configured as an edge port. When REP is enabled, the sending of segment topology change notices (STCNs) is disabled, all VLANs are blocked, and the administrative VLAN is VLAN 1.
  • Page 632: Configuring The Rep Administrative Vlan

    • REP sends all LSL PDUs in untagged frames on the native VLAN. The BPA message sent to the Cisco multicast address is sent on the administration VLAN, which is VLAN 1 by default. • You can configure how long a REP interface remains up without receiving a hello from a neighbor.
  • Page 633: Configuring Rep Interfaces

    Chapter 1 Configuring Resilient Ethernet Protocol Configuring REP This example shows how to configure the administrative VLAN as VLAN 100 and verify the configuration by entering the show interface rep detail command on one of the REP interfaces:
      Switch# configure terminal
      Switch (conf)# rep admin vlan 100
      Switch (conf)# end
      Switch# show interface gigabitethernet1/1 rep detail...
  • Page 634 Chapter 1 Configuring Resilient Ethernet Protocol Configuring REP Command Purpose Step 4 rep segment segment-id [edge [no-neighbor] [primary]] [preferred] Enables REP on the interface, and identifies a segment number. The segment ID range is from 1 to 1024. These optional keywords are available: Note: You must configure two edge ports, including one primary...
  • Page 635 Chapter 1 Configuring Resilient Ethernet Protocol Configuring REP Command Purpose Step 6 rep block port {id port-id | neighbor_offset | preferred} vlan {vlan-list | all} (Optional) Configures VLAN load balancing on the primary edge port, identifies the REP alternate port in one of three ways, and configures the VLANs to be blocked on the alternate port.
  • Page 636: Setting Manual Preemption For Vlan Load Balancing

    Chapter 1 Configuring Resilient Ethernet Protocol Configuring REP
      Switch (conf-if)# rep segment 1 edge primary
      Switch (conf-if)# rep stcn segment 2-5
      Switch (conf-if)# rep block port 0009001818D68700 vlan all
      Switch (conf-if)# rep preempt delay 60
      Switch (conf-if)# rep lsl-age-timer 6000
      Switch (conf-if)# end
    This example shows how to configure the same configuration when the interface has no external REP neighbor:...
  • Page 637: Configuring Snmp Traps For Rep

    Chapter 1 Configuring Resilient Ethernet Protocol Monitoring REP Command Purpose Step 1 rep preempt segment segment-id Manually triggers VLAN load balancing on the segment. You will need to confirm the command before it is executed. Step 2 show rep topology Displays REP topology information.
  • Page 638 Chapter 1 Configuring Resilient Ethernet Protocol Monitoring REP
  • Page 639: Understanding Flex Links And The Mac Address-Table Move Update

    C H A P T E R Configuring Flex Links and the MAC Address-Table Move Update Feature This chapter describes how to configure Flex Links, a pair of interfaces on the Catalyst 3750-X or 3560-X switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature.
  • Page 640: Vlan Flex Link Load Balancing And Support

    Chapter 1 Configuring Flex Links and the MAC Address-Table Move Update Feature Understanding Flex Links and the MAC Address-Table Move Update typically configured in service provider or enterprise networks where customers do not want to run STP on the switch. If the switch is running STP, Flex Links is not necessary because STP already provides link-level redundancy or backup.
  • Page 641: Flex Link Multicast Fast Convergence

    Chapter 1 Configuring Flex Links and the MAC Address-Table Move Update Feature Understanding Flex Links and the MAC Address-Table Move Update Figure 1-2 VLAN Flex Links Load Balancing Configuration Example Uplink Uplink switch B switch C Forwarding Forwarding (1-50) (51-100) gi2/0/6 gi2/0/8 Switch A...
  • Page 642: Leaking Igmp Reports

    Chapter 1 Configuring Flex Links and the MAC Address-Table Move Update Feature Understanding Flex Links and the MAC Address-Table Move Update Leaking IGMP Reports To achieve multicast traffic convergence with minimal loss, a redundant data path must be set up before the Flex Link active link goes down.
  • Page 643 Chapter 1 Configuring Flex Links and the MAC Address-Table Move Update Feature Understanding Flex Links and the MAC Address-Table Move Update Similarly, both Flex Link ports are part of learned groups. In this example, GigabitEthernet2/0/11 is a receiver/host in VLAN 1, which is interested in two multicast groups: Switch# show ip igmp snooping groups Vlan Group...
  • Page 644 Chapter 1 Configuring Flex Links and the MAC Address-Table Move Update Feature Understanding Flex Links and the MAC Address-Table Move Update Whenever a host responds to the general query, the switch forwards this report on all the mrouter ports. When you turn on this feature through the command-line interface, and when a report is forwarded by the switch on GigabitEthernet1/0/11, it is also leaked to the backup port GigabitEthernet1/0/12.
  • Page 645: Configuring Flex Links And Mac Address-Table Move Update

    Chapter 1 Configuring Flex Links and the MAC Address-Table Move Update Feature Configuring Flex Links and MAC Address-Table Move Update Figure 1-3 MAC Address-Table Move Update Example Server Switch C Port 3 Port 4 Switch B Switch D Port 1 Port 2 Switch A Configuring Flex Links and MAC Address-Table Move Update...
  • Page 646 Chapter 1 Configuring Flex Links and the MAC Address-Table Move Update Feature Configuring Flex Links and MAC Address-Table Move Update • An interface can belong to only one Flex Link pair. • An interface can be a backup link for only one...
  • Page 647 Chapter 1 Configuring Flex Links and the MAC Address-Table Move Update Feature Configuring Flex Links and MAC Address-Table Move Update Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 show interface [interface-id] switchport backup Verify the configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the switch startup configuration file.
  • Page 648: Configuring Vlan Load Balancing On Flex Links

    Chapter 1 Configuring Flex Links and the MAC Address-Table Move Update Feature Configuring Flex Links and MAC Address-Table Move Update Command Purpose Step 7 show interface [interface-id] switchport backup Verify the configuration. Step 8 copy running-config startup-config (Optional) Save your entries in the switch startup configuration file.
  • Page 649 Chapter 1 Configuring Flex Links and the MAC Address-Table Move Update Feature Configuring Flex Links and MAC Address-Table Move Update In the following example, VLANs 1 to 50, 60, and 100 to 120 are configured on the switch:
      Switch(config)# interface gigabitethernet 2/0/6
      Switch(config-if)# switchport backup interface gigabitethernet 2/0/8 prefer vlan 60,100-120
    When both interfaces are up, Gi2/0/8 forwards traffic for VLANs 60 and 100 to 120 and Gi2/0/6 forwards traffic for VLANs 1 to 50.
  • Page 650 Chapter 1 Configuring Flex Links and the MAC Address-Table Move Update Feature Configuring Flex Links and MAC Address-Table Move Update Configuring the MAC Address-Table Move Update Feature This section contains this information: Configuring a switch to send MAC address-table move updates •...
  • Page 651 Chapter 1 Configuring Flex Links and the MAC Address-Table Move Update Feature Configuring Flex Links and MAC Address-Table Move Update This example shows how to verify the configuration:
      Switch# show mac-address-table move update
      Switch-ID : 010b.4630.1780
      Dst mac-address : 0180.c200.0010
      Vlans/Macs supported : 1023/8320
      Default/Current settings: Rcv Off/On, Xmt Off/On
      Max packets per min : Rcv 40, Xmt 60...
  • Page 652: Monitoring Flex Links And The Mac Address-Table Move Update

    Chapter 1 Configuring Flex Links and the MAC Address-Table Move Update Feature Monitoring Flex Links and the MAC Address-Table Move Update Monitoring Flex Links and the MAC Address-Table Move Update Table 1-1 shows the privileged EXEC commands for monitoring the Flex Links configuration and the MAC address-table move update information.
  • Page 653: Understanding Dhcp Features

    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release, and see the “DHCP Commands” section in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.4.
  • Page 654: Dhcp Server

    • For information about the DHCP client, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.4. DHCP Server The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them.
  • Page 655 Chapter 1 Configuring DHCP Features and IP Source Guard Understanding DHCP Features When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware address.
  • Page 656 Chapter 1 Configuring DHCP Features and IP Source Guard Understanding DHCP Features Figure 1-1 DHCP Relay Agent in a Metropolitan Ethernet Network (figure labels: DHCP server; Catalyst switch at the access layer acting as DHCP relay agent; VLAN 10 subscribers Host A and Host B, both DHCP clients) When you enable the DHCP snooping information option 82 on the switch, this sequence of events occurs:...
  • Page 657 Chapter 1 Configuring DHCP Features and IP Source Guard Understanding DHCP Features In the port field of the circuit ID suboption, the port numbers start at 3. For example, on a Catalyst 3750-E switch with 24 10/100/1000 ports and four small form-factor pluggable (SFP) module slots, port 3 is the Gigabit Ethernet 1/0/1 port, port 4 is the Gigabit Ethernet 1/0/2 port, and so forth.
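The following Python model is an added example for this page, not code from Cisco or from the configuration guide. It walks a constructed DHCP exchange through the decisions described above for snooped VLANs: the source-MAC versus client-hardware-address comparison on untrusted ports, binding creation from the server's ACK, and the default Option 82 circuit-ID suboption with its port field starting at 3. The suboption byte layout and the use of the stack member number as the module byte are assumptions of this model; dropping server messages received on untrusted ports and refusing a RELEASE or DECLINE from a port other than the one holding the binding are standard snooping rules that the excerpt above does not quote. Every address, interface name and frame is constructed.

```python
"""DHCP snooping decision model: an added illustration for this page, not Cisco's code.

It reproduces the checks described above: the source-MAC versus client-hardware-address
comparison on untrusted ports, binding learning from server ACKs, and the default
Option 82 circuit-ID suboption whose port field starts at 3 (Gi1/0/1 -> port 3). The
suboption layout and the use of the stack member number as the module byte are
assumptions of this model; dropping server messages on untrusted ports and checking
RELEASE/DECLINE against the binding's port are standard snooping rules that the
excerpt does not quote. All addresses and frames below are constructed.
"""
import re
import struct
from dataclasses import dataclass, field
from typing import Dict, Tuple

# DHCP message types (RFC 2132 option 53 values)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}   # legitimate only from trusted (server-facing) ports


@dataclass
class DhcpMessage:
    msg_type: int
    chaddr: str               # client hardware address field of the DHCP header
    yiaddr: str = "0.0.0.0"   # address assigned by the server (ACK)


@dataclass
class Frame:
    port: str                 # ingress interface, e.g. "Gi1/0/1"
    vlan: int
    src_mac: str              # Ethernet source address of the frame
    dhcp: DhcpMessage


@dataclass
class SnoopingSwitch:
    snooped_vlans: set
    trusted_ports: set
    # binding table: (client MAC, VLAN) -> (leased IP, client port)
    bindings: Dict[Tuple[str, int], Tuple[str, str]] = field(default_factory=dict)
    # client requests seen on untrusted ports, awaiting the server's ACK
    pending: Dict[Tuple[str, int], str] = field(default_factory=dict)

    def inspect(self, f: Frame) -> str:
        """Return "forward" or "drop:<reason>" for one DHCP frame."""
        if f.vlan not in self.snooped_vlans:
            return "forward"                                   # snooping is enabled per VLAN
        d = f.dhcp
        key = (d.chaddr.lower(), f.vlan)
        if f.port in self.trusted_ports:
            # Trusted side: an ACK that assigns an address creates the binding.
            if d.msg_type == ACK and d.yiaddr != "0.0.0.0" and key in self.pending:
                self.bindings[key] = (d.yiaddr, self.pending.pop(key))
            return "forward"
        if d.msg_type in SERVER_MESSAGES:
            return "drop:server-message-on-untrusted-port"      # rogue DHCP server
        if f.src_mac.lower() != d.chaddr.lower():
            return "drop:chaddr-mismatch"                       # the check quoted above
        if d.msg_type in (RELEASE, DECLINE) and key in self.bindings:
            if self.bindings[key][1] != f.port:
                return "drop:release-from-wrong-port"           # forged release for another host
            del self.bindings[key]
        if d.msg_type in (DISCOVER, REQUEST):
            self.pending[key] = f.port
        return "forward"


def circuit_id_suboption(vlan: int, ifname: str) -> bytes:
    """Default circuit-ID suboption as modelled here: suboption type 1, length 8, then
    circuit-ID type 0, length 4, VLAN (2 bytes), module (1 byte), port (1 byte).
    Port numbering starts at 3, so Gi1/0/1 is port 3; module = stack member (assumption)."""
    m = re.search(r"(\d+)/(\d+)/(\d+)$", ifname)
    if not m:
        raise ValueError("expected a member/slot/port interface name: " + ifname)
    member, _slot, port = (int(x) for x in m.groups())
    return bytes([1, 8, 0, 4]) + struct.pack("!HBB", vlan, member, port + 2)


def demo() -> dict:
    """Constructed exchange on VLAN 10: client on Gi1/0/1, DHCP server behind trusted Gi1/0/24."""
    sw = SnoopingSwitch(snooped_vlans={10}, trusted_ports={"Gi1/0/24"})
    client, rogue = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    r = {}
    r["discover"] = sw.inspect(Frame("Gi1/0/1", 10, client, DhcpMessage(DISCOVER, client)))
    # A rogue server on an access port answers first; its OFFER never leaves the port.
    r["rogue_offer"] = sw.inspect(Frame("Gi1/0/2", 10, rogue, DhcpMessage(OFFER, client, "10.0.10.200")))
    # Address starvation: random chaddr values that do not match the frame source MAC.
    r["starvation"] = sw.inspect(Frame("Gi1/0/2", 10, rogue, DhcpMessage(DISCOVER, "00:00:00:00:99:99")))
    r["ack"] = sw.inspect(Frame("Gi1/0/24", 10, "00:aa:bb:cc:dd:ee", DhcpMessage(ACK, client, "10.0.10.5")))
    r["binding"] = sw.bindings[(client, 10)]
    # A forged RELEASE for the client's lease from a different port is rejected.
    r["forged_release"] = sw.inspect(Frame("Gi1/0/3", 10, client, DhcpMessage(RELEASE, client)))
    r["circuit_id"] = circuit_id_suboption(10, "Gi1/0/1").hex()
    return r
```

Running demo() shows the rogue OFFER and the spoofed DISCOVER being dropped at the access port before any client sees them, while the forged RELEASE is refused because the binding records Gi1/0/1 as the client's port; circuit_id_suboption() encodes Gi1/0/1 in VLAN 10 as 01080004000a0103, the VLAN in the first two value bytes and the port field carrying 3 for the first port.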
  • Page 658: Cisco Ios Dhcp Server Database

    An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool.
  • Page 659: Dhcp Snooping And Switch Stacks

    Chapter 1 Configuring DHCP Features and IP Source Guard Understanding DHCP Features When reloading, the switch reads the binding file to build the DHCP snooping binding database. The switch updates the file when the database changes. When a switch learns of new bindings or when it loses bindings, the switch immediately updates the entries in the database.
  • Page 660: Configuring Dhcp Features

    • Enabling DHCP Snooping and Option 82, page 1-12 • Enabling DHCP Snooping on Private VLANs, page 1-14 • Enabling the Cisco IOS DHCP Server Database, page 1-14 • Enabling the DHCP Snooping Binding Database Agent, page 1-15 Default DHCP Configuration...
  • Page 661: Dhcp Snooping Configuration Guidelines

    Configuring DHCP Features and IP Source Guard Configuring DHCP Features Table 1-1 Default DHCP Configuration (continued) Feature: Cisco IOS DHCP server binding database. Default Setting: Enabled in Cisco IOS software, requires configuration. Note: The switch gets network addresses and configuration parameters only from a device configured as a DHCP server.
  • Page 662: Configuring The Dhcp Server

    RSPAN VLANs, DHCP packets might not reach the RSPAN destination port. Configuring the DHCP Server The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational.
  • Page 663: Configuring The Dhcp Relay Agent

    To disable the DHCP server and relay agent, use the no service dhcp global configuration command. See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.4 for these procedures: • Checking (validating) the relay agent information...
  • Page 664: Enabling Dhcp Snooping And Option 82

    Chapter 1 Configuring DHCP Features and IP Source Guard Configuring DHCP Features Command Purpose Step 6 interface range port-range Configure multiple physical ports that are connected to the DHCP clients, and enter interface range configuration mode. or interface interface-id Configure a single physical port that is connected to the DHCP client, and enter interface configuration mode.
  • Page 665 Chapter 1 Configuring DHCP Features and IP Source Guard Configuring DHCP Features Command Purpose Step 5 ip dhcp snooping information option format remote-id [string ASCII-string | hostname] (Optional) Configure the remote-ID suboption. You can configure the remote ID as: • String of up to 63 ASCII characters (no spaces) • Configured hostname for the switch...
  • Page 666: Enabling Dhcp Snooping On Private Vlans

    VLANs, on which DHCP snooping is enabled. Enabling the Cisco IOS DHCP Server Database For procedures to enable and configure the Cisco IOS DHCP server database, see the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.4.
  • Page 667: Enabling The Dhcp Snooping Binding Database Agent

    Chapter 1 Configuring DHCP Features and IP Source Guard Configuring DHCP Features Enabling the DHCP Snooping Binding Database Agent Beginning in privileged EXEC mode, follow these steps to enable and configure the DHCP snooping binding database agent on the switch: Command Purpose Step 1...
  • Page 668: Displaying Dhcp Snooping Information

    Chapter 1 Configuring DHCP Features and IP Source Guard Displaying DHCP Snooping Information Displaying DHCP Snooping Information Table 1-2 Commands for Displaying DHCP Information Command Purpose show ip dhcp snooping Displays the DHCP snooping configuration for a switch show ip dhcp snooping binding Displays only the dynamically configured bindings in the DHCP snooping binding database, also referred to as a binding table.
  • Page 669: Source Ip Address Filtering

    Chapter 1 Configuring DHCP Features and IP Source Guard Understanding IP Source Guard Source IP Address Filtering When IPSG is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.
  • Page 670: Configuring Ip Source Guard

    Chapter 1 Configuring DHCP Features and IP Source Guard Configuring IP Source Guard Note: Some IP hosts with multiple network interfaces can inject some invalid packets into a network interface. The invalid packets contain the IP or MAC address for another network interface of the host as the source address.
  • Page 671: Enabling Ip Source Guard

    Chapter 1 Configuring DHCP Features and IP Source Guard Configuring IP Source Guard • If you enable IP source guard with source IP and MAC address filtering, DHCP snooping and port security must be enabled on the interface. You must also enter the ip dhcp snooping information option global configuration command and ensure that the DHCP server supports option 82.
  • Page 672: Configuring Ip Source Guard For Static Hosts

    Chapter 1 Configuring DHCP Features and IP Source Guard Configuring IP Source Guard Command Purpose or ip verify source port-security Enable IP source guard with source IP and MAC address filtering. When you enable both IP source guard and port security by using the ip verify source port-security interface configuration command, there are two caveats: The DHCP server must support option 82, or the client is not...
  • Page 673 Chapter 1 Configuring DHCP Features and IP Source Guard Configuring IP Source Guard Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port Note: IPSG for static hosts requires IP device tracking to be enabled globally in addition to the ip device tracking maximum limit-number interface configuration command. If you configure only this command on a port, without enabling IP device tracking globally or setting an IP device tracking maximum on that interface, IPSG with static hosts rejects all the IP traffic from that interface.
  • Page 674 Chapter 1 Configuring DHCP Features and IP Source Guard Configuring IP Source Guard Command Purpose Step 11 show ip verify source interface interface-id Verify the configuration and display IPSG permit ACLs for static hosts. Step 12 show ip device track all [active | inactive] count Verify the configuration by displaying the IP-to-MAC binding for a given host on the switch interface.
  • Page 675 Chapter 1 Configuring DHCP Features and IP Source Guard Configuring IP Source Guard
      Switch# show ip verify source
      Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
      ---------  -----------  -----------  ---------------  -----------------  ----
      Gi1/0/3    ip-mac trk   active       40.1.1.24        00:00:00:00:03:04
      Gi1/0/3    ip-mac trk   active       40.1.1.20        00:00:00:00:03:05
      Gi1/0/3...
  • Page 676: Configuring Ip Source Guard For Static Hosts On A Private Vlan Host Port

    Chapter 1 Configuring DHCP Features and IP Source Guard Configuring IP Source Guard This example displays all inactive IP or MAC binding entries for all interfaces. The host was first learned on GigabitEthernet 1/0/1 and then moved to GigabitEthernet 1/0/2. The IP or MAC binding entries learned on GigabitEthernet 1/0/1 are marked as inactive.
  • Page 677 Chapter 1 Configuring DHCP Features and IP Source Guard Configuring IP Source Guard Command Purpose Step 10 exit Exit VLAN configuration mode. Step 11 interface fastEthernet interface-id Enter interface configuration mode. Step 12 switchport mode private-vlan host (Optional) Establish a port as a private VLAN host. Step 13 switchport private-vlan host-association vlan-id1 (Optional) Associate this port with the corresponding...
  • Page 678: Displaying Ip Source Guard Information

    In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device. The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server.
  • Page 679: Configuring Dhcp Server Port-Based Address Allocation

    Chapter 1 Configuring DHCP Features and IP Source Guard Configuring DHCP Server Port-Based Address Allocation Configuring DHCP Server Port-Based Address Allocation • Default Port-Based Address Allocation Configuration, page 1-27 • Port-Based Address Allocation Configuration Guidelines, page 1-27 • Enabling DHCP Server Port-Based Address Allocation, page 1-27 •...
  • Page 680 Chapter 1 Configuring DHCP Features and IP Source Guard Configuring DHCP Server Port-Based Address Allocation Command Purpose Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. After enabling DHCP port-based address allocation on the switch, use the ip dhcp pool global configuration command to preassign IP addresses and to associate them to clients.
  • Page 681: Displaying Dhcp Server Port-Based Address Allocation

    10.1.1.7 Et1/0 For more information about configuring the DHCP server port-based address allocation feature, go to Cisco.com, and enter Cisco IOS IP Addressing Services in the Search field to access the Cisco IOS software documentation. You can also access the documentation: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html...
  • Page 682 Chapter 1 Configuring DHCP Features and IP Source Guard Displaying DHCP Server Port-Based Address Allocation
  • Page 683: Understanding Dynamic Arp Inspection

    C H A P T E R Configuring Dynamic ARP Inspection This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 3750-X or 3560-X switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 684 Chapter 1 Configuring Dynamic ARP Inspection Understanding Dynamic ARP Inspection Figure 1-1 ARP Cache Poisoning (figure labels: Host A (IA, MA), Host B (IB, MB), Host C (IC, MC) as the man-in-the-middle) Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet.
  • Page 685: Interface Trust States And Network Security

    Chapter 1 Configuring Dynamic ARP Inspection Understanding Dynamic ARP Inspection You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header.
  • Page 686: Rate Limiting Of Arp Packets

    Chapter 1 Configuring Dynamic ARP Inspection Understanding Dynamic ARP Inspection Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running dynamic ARP inspection.
  • Page 687: Logging Of Dropped Packets

    Chapter 1 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Logging of Dropped Packets When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
  • Page 688: Dynamic Arp Inspection Configuration Guidelines

    Chapter 1 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Table 1-1 Default Dynamic ARP Inspection Configuration (continued) Feature Default Setting Log buffer When dynamic ARP inspection is enabled, all denied or dropped ARP packets are logged. The number of entries in the log is 32. The number of system messages is limited to 5 per second.
  • Page 689: Configuring Dynamic Arp Inspection In Dhcp Environments

    Chapter 1 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on the channel-port members.
  • Page 690 Chapter 1 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Command Purpose Step 3 ip arp inspection vlan vlan-range Enable dynamic ARP inspection on a per-VLAN basis. By default, dynamic ARP inspection is disabled on all VLANs. For vlan-range, specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma.
  • Page 691 Chapter 1 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Configuring ARP ACLs for Non-DHCP Environments This procedure shows how to configure dynamic ARP inspection when Switch B shown in Figure 1-2 on page 1-3 does not support dynamic ARP inspection or DHCP snooping. If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and Host 1 could be attacked by either Switch B or Host 2.
  • Page 692: Limiting The Rate Of Incoming Arp Packets

    Chapter 1 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Command Purpose Step 6 ip arp inspection smartlog Specify that whatever packets are currently being logged are also smart-logged. By default, all dropped packets are logged. Step 7 interface interface-id Specify the Switch A interface that is connected to Switch B, and enter interface configuration mode.
  • Page 693 Chapter 1 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Note: Unless you configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed.
  • Page 694: Performing Validation Checks

    Chapter 1 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Performing Validation Checks Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.
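The Python model below is an added example, not Cisco code, and applies the inspection described in this chapter to constructed ARP packets: the lookup of the sender's (IP, MAC) against bindings learned by DHCP snooping in the packet's VLAN, an ARP ACL modelled as permitted (IP, MAC) pairs for the non-DHCP hosts of the previous section (with the static keyword suppressing the fallback to bindings), the three optional validations, the default 15 pps rate limit on untrusted ports that err-disables the port when exceeded, and the 32-entry log buffer of dropped packets. The scenario reproduces Figure 1-1: Host C tries to poison Host B's cache with Host A's IP address. Interface names, addresses and the sliding-window reading of the one-second burst interval are assumptions of the model.

```python
"""Dynamic ARP inspection model: an added illustration for this page, not Cisco's code.

Applies the checks described above to ARP packets from untrusted ports: the IP-to-MAC
binding lookup, an optional ARP ACL for hosts without DHCP bindings, the optional
src-mac / dst-mac / ip validations, the per-port rate limit (15 pps per 1-second burst
interval is the documented default; exceeding it err-disables the port) and a 32-entry
log buffer of drops. Hosts, bindings and packets are constructed; the ARP ACL is
modelled as a set of permitted (IP, MAC) pairs.
"""
import ipaddress
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Set, Tuple

REQUEST, REPLY = 1, 2


@dataclass
class Arp:
    op: int
    sha: str   # sender hardware address (ARP body)
    spa: str   # sender IP address
    tha: str   # target hardware address
    tpa: str   # target IP address


def _invalid_ip(addr: str) -> bool:
    """Addresses the 'ip' validation rejects: 0.0.0.0, 255.255.255.255 and multicast."""
    return addr in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(addr).is_multicast


@dataclass
class DaiSwitch:
    bindings: Set[Tuple[str, str, int]]                # (ip, mac, vlan) learned by DHCP snooping
    trusted_ports: Set[str] = field(default_factory=set)
    validate: Set[str] = field(default_factory=set)    # any of "src-mac", "dst-mac", "ip"
    acl_permit: Optional[Set[Tuple[str, str]]] = None  # ARP ACL permit entries (ip, mac), if applied
    acl_static: bool = False                           # 'static' keyword: no fallback to bindings
    rate_limit: int = 15                               # packets per burst interval, untrusted ports
    burst_interval: float = 1.0
    log: Deque[tuple] = field(default_factory=lambda: deque(maxlen=32))
    errdisabled: Set[str] = field(default_factory=set)
    _recent: Dict[str, Deque[float]] = field(default_factory=dict)

    def _drop(self, reason: str, port: str, vlan: int, src: str, dst: str, a: Arp) -> str:
        self.log.append((vlan, port, a.spa, a.tpa, src, dst, reason))   # flow info, as in the text
        return "drop:" + reason

    def inspect(self, port: str, vlan: int, eth_src: str, eth_dst: str, a: Arp, now: float) -> str:
        if port in self.errdisabled:
            return "drop:err-disabled"
        if port in self.trusted_ports:
            return "forward"                           # trusted ports bypass every check
        # Rate limit over a sliding burst interval; exceeding it err-disables the port.
        recent = self._recent.setdefault(port, deque())
        recent.append(now)
        while now - recent[0] >= self.burst_interval:
            recent.popleft()
        if len(recent) > self.rate_limit:
            self.errdisabled.add(port)
            return self._drop("rate-limit", port, vlan, eth_src, eth_dst, a)
        # Optional Ethernet-header-versus-ARP-body validations.
        if "src-mac" in self.validate and eth_src.lower() != a.sha.lower():
            return self._drop("src-mac", port, vlan, eth_src, eth_dst, a)
        if "dst-mac" in self.validate and a.op == REPLY and eth_dst.lower() != a.tha.lower():
            return self._drop("dst-mac", port, vlan, eth_src, eth_dst, a)
        if "ip" in self.validate and (_invalid_ip(a.spa) or (a.op == REPLY and _invalid_ip(a.tpa))):
            return self._drop("ip", port, vlan, eth_src, eth_dst, a)
        # ARP ACL first (statically addressed hosts), then the DHCP snooping bindings.
        if self.acl_permit is not None:
            if (a.spa, a.sha.lower()) in self.acl_permit:
                return "forward"
            if self.acl_static:
                return self._drop("acl-deny", port, vlan, eth_src, eth_dst, a)
        if (a.spa, a.sha.lower(), vlan) in self.bindings:
            return "forward"
        return self._drop("no-binding", port, vlan, eth_src, eth_dst, a)


def demo() -> dict:
    """Figure 1-1 layout: Hosts A, B, C on Gi1/0/1-3 in VLAN 1; C tries to poison B's cache."""
    ia, ma, ib, mb = "10.0.1.1", "00:00:00:00:00:0a", "10.0.1.2", "00:00:00:00:00:0b"
    ic, mc, ms = "10.0.1.3", "00:00:00:00:00:0c", "00:00:00:00:00:09"   # ms: static host on Gi1/0/4
    sw = DaiSwitch(bindings={(ia, ma, 1), (ib, mb, 1), (ic, mc, 1)}, trusted_ports={"Gi1/0/24"},
                   validate={"src-mac", "dst-mac", "ip"}, acl_permit={("10.0.1.9", ms)})
    r = {}
    r["poison"] = sw.inspect("Gi1/0/3", 1, mc, mb, Arp(REPLY, mc, ia, mb, ib), 0.0)   # C claims IA
    r["legit"] = sw.inspect("Gi1/0/3", 1, mc, mb, Arp(REPLY, mc, ic, mb, ib), 0.1)
    r["src_mac"] = sw.inspect("Gi1/0/3", 1, mc, mb, Arp(REPLY, ma, ia, mb, ib), 0.2)  # header/body mismatch
    r["trusted"] = sw.inspect("Gi1/0/24", 1, mc, mb, Arp(REPLY, mc, ia, mb, ib), 0.3)  # uplink: not inspected
    r["acl_host"] = sw.inspect("Gi1/0/4", 1, ms, "ff:ff:ff:ff:ff:ff",
                               Arp(REQUEST, ms, "10.0.1.9", "00:00:00:00:00:00", ia), 0.4)
    # 16 requests from C within one second: the 16th exceeds the 15 pps default and err-disables the port.
    flood = [sw.inspect("Gi1/0/3", 1, mc, "ff:ff:ff:ff:ff:ff",
                        Arp(REQUEST, mc, ic, "00:00:00:00:00:00", ib), 5.0 + i * 0.01) for i in range(16)]
    r["flood_15th"], r["flood_16th"] = flood[14], flood[15]
    r["errdisabled"] = "Gi1/0/3" in sw.errdisabled
    r["logged"] = len(sw.log)
    return r
```

In demo() the poisoning reply is dropped because (IA, MC) has no binding, Host C's honest reply passes, the src-mac validation catches a body/header mismatch before the binding lookup, the same forged reply is not inspected at all on the trusted uplink (which is why the text warns about marking ports trusted), the static host passes through the ARP ACL, and the 16th request in one second err-disables Gi1/0/3, leaving three entries in the log buffer.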
  • Page 695: Configuring The Log Buffer

    Chapter 1 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Configuring the Log Buffer When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
  • Page 696: Displaying Dynamic Arp Inspection Information

    Chapter 1 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information Command Purpose Step 3 ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}} Control the type of packets that are logged per VLAN. By default, all denied or all dropped packets are logged. The term logged means the entry is placed in the log buffer and a system message is generated.
  • Page 697 Chapter 1 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information Table 1-3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics Command Description clear ip arp inspection statistics Clears dynamic ARP inspection statistics. show ip arp inspection statistics [vlan vlan-range] Displays statistics for forwarded, dropped, MAC validation failure, IP validation failure, ACL...
  • Page 698 Chapter 1 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information
  • Page 699 Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the “IP Multicast Routing Commands” section in the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.4.
  • Page 700: Understanding Igmp Snooping

    Chapter 1 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Understanding IGMP Snooping Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast devices.
  • Page 701: Igmp Versions

    Chapter 1 Configuring IGMP Snooping and MVR Understanding IGMP Snooping IGMP Versions The switch supports IGMP Version 1, IGMP Version 2, and IGMP Version 3. These versions are interoperable on the switch. For example, if IGMP snooping is enabled on an IGMPv2 switch and the switch receives an IGMPv3 report from a host, the switch can forward the IGMPv3 report to the multicast router.
  • Page 702 Chapter 1 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Figure 1-1 Initial IGMP Join Message (figure labels: Router A; IGMP report for 224.1.2.3; VLAN forwarding table; Host 1, Host 2, Host 3, Host 4) Router A sends a general query to the switch, which forwards the query to ports 2 through 5, which are all members of the same VLAN.
  • Page 703: Leaving A Multicast Group

    Chapter 1 Configuring IGMP Snooping and MVR Understanding IGMP Snooping If another host (for example, Host 4) sends an unsolicited IGMP join message for the same group (Figure 1-2), the CPU receives that message and adds the port number of Host 4 to the forwarding table as shown in Table 1-2.
  • Page 704: Immediate Leave

    Chapter 1 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Immediate Leave Immediate Leave is only supported on IGMP Version 2 hosts. The switch uses IGMP snooping Immediate Leave to remove from the forwarding table an interface that sends a leave message without the switch sending group-specific queries to the interface. The VLAN interface is pruned from the multicast tree for the multicast group specified in the original leave message.
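To make the join and leave sequence concrete, the Python model below is an added example (not Cisco code) that keeps one VLAN's IGMP snooping forwarding table and replays the layout of Figure 1-1: Router A on port 1, Hosts 1 to 4 on ports 2 to 5, group 224.1.2.3. It contrasts a normal IGMPv2 leave, which triggers a group-specific query and removes the port only when no report answers within the last-member-query interval, with Immediate Leave, which removes the port at once and does not apply to IGMPv3. The 1000 ms default for that interval, flooding of groups with no table entry, and statically joined ports ignoring leave messages are assumptions of the model; all ports and hosts are constructed.

```python
"""IGMP snooping forwarding-table model: an added illustration for this page, not Cisco's code.

One VLAN's table is replayed through the join and leave sequence described above:
a report adds the receiving port to the group entry; a leave either removes the port
at once (Immediate Leave, IGMPv2 only) or triggers a group-specific query and removes
the port only if no report answers within the last-member-query interval. The 1000 ms
default for that interval, flooding of groups with no table entry, and static members
ignoring leaves are assumptions of this model. Ports, hosts and groups are constructed.
"""
from typing import Dict, List, Set, Tuple


class IgmpSnoopingVlan:
    def __init__(self, ports, mrouter_ports, immediate_leave: bool = False,
                 last_member_query_ms: int = 1000) -> None:
        self.ports: Set[str] = set(ports)
        self.mrouter_ports: Set[str] = set(mrouter_ports)   # learned from queries/PIM or configured
        self.immediate_leave = immediate_leave
        self.lmqi = last_member_query_ms
        self.table: Dict[str, Set[str]] = {}                 # group -> member ports
        self.static: Set[Tuple[str, str]] = set()            # (group, port) configured statically
        self.pending: Dict[Tuple[str, str], int] = {}        # (group, port) -> query deadline (ms)
        self.queries: List[Tuple[str, str]] = []             # group-specific queries sent

    def static_join(self, group: str, port: str) -> None:
        """Model of 'ip igmp snooping vlan <id> static <group> interface <port>'."""
        self.static.add((group, port))
        self.table.setdefault(group, set()).add(port)

    def report(self, group: str, port: str, now_ms: int = 0) -> None:
        """Membership report seen on `port`: add it and cancel any query waiting on it."""
        self.table.setdefault(group, set()).add(port)
        self.pending.pop((group, port), None)

    def leave(self, group: str, port: str, version: int = 2, now_ms: int = 0) -> None:
        if port not in self.table.get(group, set()) or (group, port) in self.static:
            return
        if self.immediate_leave and version == 2:
            self._remove(group, port)     # no query: correct only when one receiver sits on the port
        else:
            self.queries.append((group, port))
            self.pending[(group, port)] = now_ms + self.lmqi

    def tick(self, now_ms: int) -> None:
        """Expire group-specific queries that received no report in time."""
        for key, deadline in list(self.pending.items()):
            if now_ms >= deadline:
                del self.pending[key]
                self._remove(*key)

    def _remove(self, group: str, port: str) -> None:
        members = self.table.get(group)
        if members is not None:
            members.discard(port)
            if not members:
                del self.table[group]     # last receiver gone: stop forwarding the group

    def egress(self, group: str, ingress: str) -> Set[str]:
        """Ports that receive data for `group`: members plus mrouter ports, or the VLAN if unknown."""
        out = (self.table[group] | self.mrouter_ports) if group in self.table else set(self.ports)
        return out - {ingress}


def demo() -> dict:
    """Figure 1-1 layout: Router A on port 1, Hosts 1-4 on ports 2-5, group 224.1.2.3."""
    ports = [f"Gi1/0/{i}" for i in range(1, 6)]
    router, h1, h4 = ports[0], ports[1], ports[4]
    r = {}
    v = IgmpSnoopingVlan(ports, mrouter_ports=[router])
    r["unknown_group_floods"] = v.egress("224.1.2.3", router) == set(ports[1:])
    v.report("224.1.2.3", h1)
    v.report("224.1.2.3", h4)
    r["after_joins"] = sorted(v.egress("224.1.2.3", router))
    v.leave("224.1.2.3", h4, now_ms=0)          # normal leave: query first
    r["query_sent"] = v.queries == [("224.1.2.3", h4)]
    v.tick(500)
    r["still_member_at_500ms"] = h4 in v.table["224.1.2.3"]
    v.tick(1000)
    r["removed_at_1000ms"] = h4 not in v.table["224.1.2.3"]
    fast = IgmpSnoopingVlan(ports, mrouter_ports=[router], immediate_leave=True)
    fast.report("224.1.2.3", h1)
    fast.report("224.1.2.3", h4)
    fast.leave("224.1.2.3", h4)                  # IGMPv2 leave: removed without a query
    r["immediate_removed"] = h4 not in fast.table["224.1.2.3"] and fast.queries == []
    fast.leave("224.1.2.3", h1, version=3)       # IGMPv3 is not covered by Immediate Leave
    r["v3_queried"] = h1 in fast.table["224.1.2.3"] and fast.queries == [("224.1.2.3", h1)]
    fast.static_join("224.2.4.12", h1)
    fast.leave("224.2.4.12", h1)
    r["static_stays"] = h1 in fast.table["224.2.4.12"]
    return r
```

The two timelines in demo() show the trade-off: without Immediate Leave, Host 4's port keeps receiving the group for a full last-member-query interval after the leave, which is the window the configurable timer on the following page shortens or lengthens; with Immediate Leave the port is pruned instantly, which is safe only when a single receiver sits behind the port.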
  • Page 705: Igmp Snooping And Switch Stacks

    Chapter 1 Configuring IGMP Snooping and MVR Configuring IGMP Snooping IGMP Snooping and Switch Stacks IGMP snooping functions across the switch stack; that is, IGMP control information from one switch is distributed to all switches in the stack. (See Chapter 1, “Managing Switch Stacks,” for more information about switch stacks.) Regardless of the stack member through which IGMP multicast data enters the stack, the data reaches the hosts that have registered for that group.
  • Page 706: Enabling Or Disabling Igmp Snooping

    • Snooping on IGMP queries, Protocol-Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets
    • Listening to Cisco Group Management Protocol (CGMP) packets from other routers
    • Statically connecting to a multicast router port with the ip igmp snooping mrouter global configuration command
    • ...
  • Page 707
    You can configure the switch either to snoop on IGMP queries and PIM/DVMRP packets or to listen to CGMP self-join or proxy-join packets. By default, the switch snoops on PIM/DVMRP packets on all VLANs.
  • Page 708: Configuring A Host Statically To Join A Group

    Beginning in privileged EXEC mode, follow these steps to enable a static connection to a multicast router:
    Step 1: configure terminal. Enter global configuration mode.
    Step 2: ip igmp snooping vlan vlan-id mrouter interface interface-id. Specify the multicast router VLAN ID and the interface to the multicast router.
  • Page 709: Enabling Igmp Immediate Leave

    This example shows how to statically configure a host on a port:
        Switch# configure terminal
        Switch(config)# ip igmp snooping vlan 105 static 224.2.4.12 interface gigabitethernet1/0/1
        Switch(config)# end
    Enabling IGMP Immediate Leave
    When you enable IGMP Immediate Leave, the switch immediately removes a port when it detects an IGMP Version 2 leave message on that port.
  • Page 710
    Beginning in privileged EXEC mode, follow these steps to enable the IGMP configurable-leave timer:
    Step 1: configure terminal. Enter global configuration mode.
    Step 2: ip igmp snooping last-member-query-interval time. Configure the IGMP leave timer globally. The range is 100 to 32768 milliseconds.
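    The join and leave handling described in the preceding pages (general query forwarded to every other port in the VLAN, report adds the port, leave either prunes the port at once under Immediate Leave or starts a group-specific query that times out after last-member-query-interval) can be modelled in a few dozen lines. The following Python is an added example written for this page, not code from the Cisco guide or from IOS; port names, host names and the 1000 ms default interval are constructed for the illustration. The scenario function shows the practical reason Immediate Leave is restricted to single-receiver ports: two hosts share Gi1/0/2, one leaves, and only the query-based mode keeps the stream flowing to the other.

```python
"""Model of the IGMP snooping forwarding table and its two leave modes."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class SnoopingVlan:
    """IGMP snooping state for one VLAN: group -> member ports, plus router ports."""
    ports: Set[str]
    mrouter_ports: Set[str] = field(default_factory=set)
    immediate_leave: bool = False
    # ip igmp snooping last-member-query-interval, 100..32768 ms (assumed default 1000 ms)
    last_member_query_interval_ms: int = 1000
    table: Dict[str, Set[str]] = field(default_factory=dict)
    # (group, port) -> time at which the outstanding group-specific query expires
    pending: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def general_query(self, from_port: str) -> List[str]:
        """A router's general query marks from_port as a router port and is
        forwarded to every other port in the VLAN (the 'ports 2 through 5' case)."""
        self.mrouter_ports.add(from_port)
        return sorted(self.ports - {from_port})

    def report(self, group: str, port: str) -> List[str]:
        """IGMPv2 membership report (join): add the port to the group entry. The
        report also answers any outstanding group-specific query on that port and
        is forwarded toward the router ports, never to the other hosts."""
        self.table.setdefault(group, set()).add(port)
        self.pending.pop((group, port), None)
        return sorted(self.mrouter_ports)

    def leave(self, group: str, port: str, now_ms: int) -> str:
        """IGMPv2 leave. With Immediate Leave the port is pruned at once; otherwise a
        group-specific query goes out on that port and the entry survives until
        last-member-query-interval passes without a report."""
        if port not in self.table.get(group, set()):
            return "ignored"
        if self.immediate_leave:
            self._prune(group, port)
            return "pruned"
        self.pending[(group, port)] = now_ms + self.last_member_query_interval_ms
        return "group-specific-query"

    def tick(self, now_ms: int) -> List[Tuple[str, str]]:
        """Expire group-specific queries that got no report and prune those ports."""
        expired = [k for k, deadline in self.pending.items() if now_ms >= deadline]
        for group, port in expired:
            del self.pending[(group, port)]
            self._prune(group, port)
        return expired

    def forward_ports(self, group: str) -> List[str]:
        """Ports that receive data for `group`: its members plus all router ports."""
        return sorted(self.table.get(group, set()) | self.mrouter_ports)

    def _prune(self, group: str, port: str) -> None:
        members = self.table.get(group)
        if members is not None:
            members.discard(port)
            if not members:
                del self.table[group]


def leave_scenarios(group: str = "224.1.2.3") -> Dict[str, List[str]]:
    """Constructed scenario: Host 3 and Host 4 share Gi1/0/2, Router A is on Gi1/0/1.
    Host 4 leaves while Host 3 still wants the stream; compare both leave modes."""
    results: Dict[str, List[str]] = {}
    for immediate in (True, False):
        vlan = SnoopingVlan(ports={"Gi1/0/1", "Gi1/0/2", "Gi1/0/3"},
                            immediate_leave=immediate)
        vlan.general_query("Gi1/0/1")           # Router A's general query
        vlan.report(group, "Gi1/0/2")           # Host 3 joins
        vlan.report(group, "Gi1/0/2")           # Host 4 joins on the same port
        vlan.leave(group, "Gi1/0/2", now_ms=0)  # Host 4 leaves
        if not immediate:
            vlan.report(group, "Gi1/0/2")       # Host 3 answers the group-specific query
        vlan.tick(now_ms=1000)                  # leave timer expires
        results["immediate" if immediate else "query"] = vlan.forward_ports(group)
    return results
```

    With Immediate Leave the group is forwarded only to the router port afterwards (Host 3 is cut off); with the default query-based leave, Gi1/0/2 stays in the entry because Host 3's report arrived before the 1000 ms timer expired.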
  • Page 711
    Step 3: Return to privileged EXEC mode.
    Step 4: show ip igmp snooping. Verify the TCN settings.
    Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
    To return to the default flooding query count, use the no ip igmp snooping tcn flood query count global configuration command.
  • Page 712: Configuring The Igmp Snooping Querier

    Step 3: no ip igmp snooping tcn flood. Disable the flooding of multicast traffic during a spanning-tree TCN event. By default, multicast flooding is enabled on an interface.
    Step 4: exit. Return to privileged EXEC mode.
  • Page 713: Disabling Igmp Report Suppression

    Step 4: ip igmp snooping querier query-interval interval-count. (Optional) Set the interval between IGMP queries. The range is 1 to 18000 seconds.
    Step 5: ip igmp snooping querier tcn query [count count | interval interval]. (Optional) Set the time between Topology Change Notification (TCN) queries.
  • Page 714: Displaying Igmp Snooping Information

    Beginning in privileged EXEC mode, follow these steps to disable IGMP report suppression:
    Step 1: configure terminal. Enter global configuration mode.
    Step 2: no ip igmp snooping report-suppression. Disable IGMP report suppression.
  • Page 715: Understanding Multicast Vlan Registration

    Table 1-4 Commands for Displaying IGMP Snooping Information (continued)
    show ip igmp snooping mrouter [vlan vlan-id]: Display information on dynamically learned and manually configured multicast router interfaces.
    Note: When you enable IGMP snooping, the switch automatically learns the interface to which a multicast router is connected.
  • Page 716: Using Mvr In A Multicast Television Application

    You can set the switch for compatible or dynamic mode of MVR operation:
    • In compatible mode, multicast data received by MVR hosts is forwarded to all MVR data ports, ...
  • Page 717
    [Figure 1-3 Multicast VLAN Registration Example: a multicast server and a Cisco router on the multicast VLAN, Switch B passing multicast data to access Switch A, and receiver ports RP1 through RP7 at the customer premises]
  • Page 718: Configuring Mvr

    Layer 3 device. The access layer switch, Switch A, modifies the forwarding behavior to allow the traffic to be forwarded from the multicast VLAN to the subscriber port in a different VLAN, selectively allowing traffic to cross between two VLANs.
  • Page 719: Configuring Mvr Global Parameters

    • MVR can coexist with IGMP snooping on a switch.
    • MVR data received on an MVR receiver port is not forwarded to MVR source ports.
    • MVR does not support IGMPv3 messages.
    • ...
  • Page 720: Configuring Mvr Interfaces

    This example shows how to enable MVR, configure the group address, set the query time to 1 second (10 tenths), specify the MVR multicast VLAN as VLAN 22, and set the MVR mode as dynamic:
        Switch(config)# mvr
        Switch(config)# mvr group 228.1.23.4
        Switch(config)# mvr querytime 10
        ...
  • Page 721: Displaying Mvr Information

    Step 8: show mvr, show mvr interface, show mvr members. Verify the configuration.
    Step 9: copy running-config startup-config. (Optional) Save your entries in the configuration file.
    To return the interface to its default settings, use the no mvr [type | immediate | vlan vlan-id | group] interface configuration commands.
  • Page 722: Configuring Igmp Filtering And Throttling

    Configuring IGMP Filtering and Throttling
    In some environments, for example, metropolitan or multiple-dwelling unit (MDU) installations, you might want to control the set of multicast groups to which a user on a switch port can belong. You can control the distribution of multicast services, such as IP/TV, based on some type of subscription or service plan.
  • Page 723: Configuring Igmp Profiles

    When the maximum number of groups is already in the forwarding table, the default IGMP throttling action is to deny the IGMP report. For configuration guidelines, see the “Configuring the IGMP Throttling Action” section on page 1-27.
  • Page 724: Applying Igmp Profiles

    This example shows how to create IGMP profile 4 allowing access to the single IP multicast address and how to verify the configuration. If the action was to deny (the default), it would not appear in the show ip igmp profile output display.
  • Page 725: Setting The Maximum Number Of Igmp Groups

    Setting the Maximum Number of IGMP Groups
    You can set the maximum number of IGMP groups that a Layer 2 interface can join by using the ip igmp max-groups interface configuration command.
  • Page 726
    • If you configure the throttling action and set the maximum group limitation after an interface has added multicast entries to the forwarding table, the forwarding-table entries are either aged out or removed, depending on the throttling action.
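    The filtering and throttling rules on the pages above (a profile whose action is permit admits only its listed ranges while a deny profile, the default, blocks only its listed ranges; a full group table either denies the new report or replaces a randomly chosen existing group) are easy to get backwards when writing a subscription policy. The following Python is an added example written for this page, not code from the Cisco guide or from IOS; the profile, the 239.10.0.0/24 channel range, the two-group limit and the port scenario are constructed for the illustration, and the seeded random generator stands in for the switch's own choice of which group to replace.

```python
"""IGMP profile filtering and max-groups throttling on one Layer 2 port."""
import ipaddress
import random
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class IgmpProfile:
    """`ip igmp profile N` with `permit` or `deny` (the IOS default) and `range` entries."""
    permit: bool = False
    ranges: List[Tuple[str, str]] = field(default_factory=list)

    def _listed(self, group: str) -> bool:
        g = ipaddress.IPv4Address(group)
        return any(ipaddress.IPv4Address(lo) <= g <= ipaddress.IPv4Address(hi)
                   for lo, hi in self.ranges)

    def allows(self, group: str) -> bool:
        # permit profile: only the listed ranges may be joined;
        # deny profile: the listed ranges are blocked, everything else is allowed.
        return self._listed(group) if self.permit else not self._listed(group)


@dataclass
class FilteredPort:
    """A Layer 2 port with `ip igmp filter`, `ip igmp max-groups N` and
    `ip igmp max-groups action {deny | replace}` applied."""
    profile: Optional[IgmpProfile] = None
    max_groups: Optional[int] = None
    throttle_action: str = "deny"            # IOS default when the table is full
    groups: List[str] = field(default_factory=list)
    rng: random.Random = field(default_factory=lambda: random.Random(0))

    def report(self, group: str) -> str:
        """Process one IGMP membership report and say what happened to it."""
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"                # dropped by the profile, table unchanged
        if group in self.groups:
            return "refreshed"               # existing membership, nothing new to count
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.throttle_action == "deny":
                return "throttled"           # report dropped, table unchanged
            victim = self.rng.choice(self.groups)   # replace: evict a random existing group
            self.groups.remove(victim)
            self.groups.append(group)
            return f"replaced {victim}"
        self.groups.append(group)
        return "joined"


def subscriber_port_demo() -> List[str]:
    """Constructed MDU-style port: the subscriber may join only 239.10.0.0/24
    channels, at most two at a time, with the default deny throttling action."""
    plan = IgmpProfile(permit=True, ranges=[("239.10.0.0", "239.10.0.255")])
    port = FilteredPort(profile=plan, max_groups=2)
    return [port.report(g) for g in
            ("239.10.0.1", "224.0.1.40", "239.10.0.2", "239.10.0.3", "239.10.0.1")]
```

    The demo returns joined, filtered (224.0.1.40 is outside the permitted range), joined, throttled (third group against a limit of two), refreshed. Switching the port to `throttle_action="replace"` would instead evict one of the two existing groups for the third join, which is why the guide's note about existing entries being aged out or removed matters when the limit is applied to a port that already has members.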
  • Page 727: Displaying Igmp Filtering And Throttling Configuration

    Displaying IGMP Filtering and Throttling Configuration
    You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface. You can also display the IGMP throttling configuration for all interfaces on the switch or for a specified interface.
  • Page 729: Understanding Mld Snooping

    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release or the Cisco IOS documentation referenced in the procedures.
    This chapter includes these sections:
    • “Understanding MLD Snooping” section on page 1-1
    • ...
  • Page 730
    MLD is a protocol used by IPv6 multicast routers to discover the presence of multicast listeners (nodes wishing to receive IPv6 multicast packets) on the links that are directly attached to the routers and to discover which multicast packets are of interest to neighboring nodes.
  • Page 731: Mld Messages

    MLD Messages
    MLDv1 supports three types of messages:
    • Listener Queries are the equivalent of IGMPv2 queries and are either General Queries or Multicast-Address-Specific Queries (MASQs).
    • Multicast Listener Reports are the equivalent of IGMPv2 reports.
    • ...
  • Page 732: Multicast Router Discovery

    Multicast Router Discovery
    Like IGMP snooping, MLD snooping performs multicast router discovery, with these characteristics:
    • Ports configured by a user never age out.
    • Dynamic port learning results from MLDv1 snooping queries and IPv6 PIMv2 packets.
    • ...
  • Page 733: Topology Change Notification Processing

    The number of MASQs generated is configured by using the ipv6 mld snooping last-listener-query count global configuration command. The default number is 2. The MASQ is sent to the IPv6 multicast address for which the Done message was sent. If there are no reports sent to the IPv6 multicast address specified in the MASQ during the switch maximum response time, the port on which the MASQ was sent is deleted from the IPv6 multicast address database.
  • Page 734: Default Mld Snooping Configuration

    Default MLD Snooping Configuration
    Table 1-1 Default MLD Snooping Configuration
    MLD snooping (Global): Disabled.
    MLD snooping (per VLAN): Enabled. MLD snooping must be globally enabled for VLAN MLD snooping to take place.
  • Page 735: Enabling Or Disabling Mld Snooping

    Enabling or Disabling MLD Snooping
    By default, IPv6 MLD snooping is globally disabled on the switch and enabled on all VLANs. When MLD snooping is globally disabled, it is also disabled on all VLANs. When you globally enable MLD snooping, the VLAN configuration overrides the global configuration.
  • Page 736: Configuring A Static Multicast Group

    Configuring a Static Multicast Group
    Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure an IPv6 multicast address and member ports for a VLAN. Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group:
  • Page 737: Enabling Mld Immediate Leave

    Beginning in privileged EXEC mode, follow these steps to add a multicast router port to a VLAN:
    Step 1: configure terminal. Enter global configuration mode.
    Step 2: ipv6 mld snooping vlan vlan-id mrouter interface interface-id. Specify the multicast router VLAN ID, and specify the interface to the multicast router.
  • Page 738: Configuring Mld Snooping Queries

    Configuring MLD Snooping Queries
    When Immediate Leave is not enabled and a port receives an MLD Done message, the switch generates MASQs on the port and sends them to the IPv6 multicast address for which the Done message was sent. You can optionally configure the number of MASQs that are sent and the length of time the switch waits for a response before deleting the port from the multicast group.
  • Page 739: Disabling Mld Listener Message Suppression

    This example shows how to set the MLD snooping global robustness variable to 3:
        Switch# configure terminal
        Switch(config)# ipv6 mld snooping robustness-variable 3
        Switch(config)# exit
    This example shows how to set the MLD snooping last-listener query count for a VLAN to 3:
        Switch# configure terminal
        Switch(config)# ipv6 mld snooping vlan 200 last-listener-query-count 3
        Switch(config)# exit
        ...
  • Page 740: Displaying Mld Snooping Information

    Displaying MLD Snooping Information
    You can display MLD snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for MLD snooping.
  • Page 741: Understanding Cdp

    Understanding CDP
    CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols. Because these details are advertised to whatever is directly connected, CDP is normally kept on infrastructure links and turned off on ports that face untrusted hosts (see “Disabling and Enabling CDP on an Interface”).
  • Page 742: Cdp And Switch Stacks

    For a switch and connected endpoint devices running Cisco Medianet:
    • CDP identifies connected endpoints that communicate directly with the switch.
    • To prevent duplicate reports of neighboring devices, only one wired switch reports the location ...
  • Page 743: Disabling And Enabling Cdp

    Disabling and Enabling CDP
    CDP is enabled by default. Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages.
    Note: Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 1, “Clustering Switches” ...
  • Page 744: Disabling And Enabling Cdp On An Interface

    Beginning in privileged EXEC mode, follow these steps to disable the CDP device discovery capability:
    Step 1: configure terminal. Enter global configuration mode.
    Step 2: no cdp run. Disable CDP.
    Step 3: Return to privileged EXEC mode.
  • Page 745: Monitoring And Maintaining Cdp

    Beginning in privileged EXEC mode, follow these steps to enable CDP on a port when it has been disabled:
    Step 1: configure terminal. Enter global configuration mode.
    Step 2: interface interface-id. Specify the interface on which you are enabling CDP, and enter interface configuration mode.
  • Page 747: Configuring Storm Control

    Chapter: Configuring Port-Based Traffic Control
    This chapter describes how to configure the port-based traffic control features on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
  • Page 748
    Note: When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. However, the switch does not differentiate between routing updates, such as OSPF, and regular multicast data traffic, so both types of traffic are blocked.
  • Page 749: Default Storm Control Configuration

    You use the storm-control interface configuration commands to set the threshold value for each traffic type.
    Default Storm Control Configuration
    By default, unicast, broadcast, and multicast storm control are disabled on the switch interfaces; that is, the suppression level is 100 percent.
  • Page 750
    Step 3: storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}. Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled. The keywords have these meanings:
    • ...
  • Page 751 Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by the switch, but they do not cause the switch storm-control counters to increment. In Cisco IOS Release 12.2(44)SE and later, you can configure a port to be error disabled if small frames arrive at a specified rate (threshold).
  • Page 752: Configuring Protected Ports

    Step 5: interface interface-id. Enter interface configuration mode, and specify the interface to be configured.
    Step 6: small violation-rate pps. Configure the threshold rate for the interface to drop incoming packets and error disable the port.
  • Page 753: Protected Port Configuration Guidelines

    Protected Port Configuration Guidelines
    You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.
  • Page 754: Default Port Blocking Configuration

    Default Port Blocking Configuration
    The default is to not block flooding of unknown multicast and unicast traffic out of a port, but to flood these packets to all ports.
    Blocking Flooded Traffic on an Interface
    Note: The interface can be a physical interface or an EtherChannel group.
  • Page 755: Understanding Port Security

    If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.
  • Page 756: Security Violations

    If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration. The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system.
  • Page 757: Default Port Security Configuration

    • When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
  • Page 759: Enabling And Configuring Port Security

    Enabling and Configuring Port Security
    Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port:
    Step 1: ...
  • Page 760
    Step 7: switchport port-security violation {protect | restrict | shutdown | shutdown vlan}. (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:
    • ...
  • Page 761
    Step 8: switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]]. (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
  • Page 762
    To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table.
  • Page 763: Enabling And Configuring Port Security Aging

        Switch(config-if)# switchport port-security mac-address 0000.0000.0003
        Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
        Switch(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice
        Switch(config-if)# switchport port-security maximum 10 vlan access
        Switch(config-if)# switchport port-security maximum 10 vlan voice
    Enabling and Configuring Port Security Aging
    You can use port security aging to set the aging time for all secure addresses on a port.
  • Page 764: Port Security And Switch Stacks

    To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command. To disable aging for only statically configured secure addresses, use the no switchport port-security aging static interface configuration command.
    This example shows how to set the aging time as 2 hours for the secure addresses on a port:
        Switch(config)# interface gigabitethernet1/0/1
        Switch(config-if)# switchport port-security aging time 120
        ...
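    The storm control and port security procedures above all rely on per-interface settings whose defaults are the weak ones (storm control off, port-security maximum of one, violation mode whatever was typed), so a practitioner usually wants to check a saved running-config rather than trust the procedure was followed on every edge port. The following Python is an added example written for this page, not code from the Cisco guide or from IOS. It parses interface stanzas from a constructed `show running-config` excerpt and flags access ports that lack port security, that carry a voice VLAN with a secure-address maximum below two (the phone-plus-PC rule from the configuration guidelines), that use the protect violation mode, which drops offending frames without any notification, or that have no broadcast storm control. The sample config and interface names are made up; the IOS defaults assumed are maximum 1 and violation mode shutdown.

```python
"""Audit edge-port hardening in a Catalyst running-config."""
import re
from typing import Dict, List

# Constructed sample `show running-config` excerpt; not from a real switch.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 storm-control broadcast level 20.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/48
 description uplink
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into {interface name: [its indented sub-commands]}."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None            # '!' or any other top-level line ends the stanza
    return stanzas


def audit_access_port(name: str, lines: List[str]) -> List[str]:
    """Findings for one access port; trunks/uplinks are left to a separate review."""
    findings: List[str] = []
    if "switchport mode access" not in lines:
        return findings
    if "switchport port-security" not in lines:
        findings.append(f"{name}: port security not enabled")
    else:
        maximum, violation = 1, "shutdown"          # assumed IOS defaults
        for line in lines:
            m = re.fullmatch(r"switchport port-security maximum (\d+)", line)
            if m:
                maximum = int(m.group(1))
            m = re.match(r"switchport port-security violation (\S+)", line)
            if m:
                violation = m.group(1)
        has_voice = any(l.startswith("switchport voice vlan ") for l in lines)
        if has_voice and maximum < 2:
            findings.append(f"{name}: voice VLAN configured but port-security maximum is "
                            f"{maximum}; an IP phone plus one PC needs 2")
        if violation == "protect":
            findings.append(f"{name}: violation mode protect drops offending frames "
                            "without any notification; use restrict or shutdown")
    if not any(l.startswith("storm-control broadcast ") for l in lines):
        findings.append(f"{name}: broadcast storm control not configured (disabled by default)")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Findings per interface, listing only interfaces that have at least one."""
    report: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_access_port(name, lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for issues in audit_config(SAMPLE_CONFIG).values():
        print("\n".join(issues))
```

    On the sample, GigabitEthernet1/0/1 passes, 1/0/2 gets three findings (maximum of one with a voice VLAN, protect mode, no storm control), 1/0/3 gets two (no port security, no storm control), and the trunk is skipped. Feed it the output of `show running-config` saved to a file to run the same checks against a real switch.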
  • Page 765: Configuring Protocol Storm Protection

    This example shows how to configure port security on a PVLAN host and promiscuous ports:
        Switch(config)# interface gigabitethernet 0/8
        Switch(config-if)# switchport private-vlan mapping 2061 2201-2206,3101
        Switch(config-if)# switchport mode private-vlan promiscuous
        Switch(config-if)# switchport port-security maximum 288
        Switch(config-if)# switchport port-security
        Switch(config-if)# switchport port-security violation restrict
        ...
  • Page 766: Default Protocol Storm Protection Configuration

    Excess packets are dropped on no more than two virtual ports.
    Note: Virtual port error disabling is not supported for EtherChannel and Flexlink interfaces.
    Default Protocol Storm Protection Configuration
    Protocol storm protection is disabled by default. When it is enabled, auto-recovery of the virtual port is disabled by default.
  • Page 767: Displaying Port-Based Traffic Control Settings

    When protocol storm protection is configured, a counter records the number of dropped packets. To see this counter, use the show psp statistics [arp | igmp | dhcp] privileged EXEC command. To clear the counter for a protocol, use the clear psp counter [arp | igmp | dhcp] command.
  • Page 769: Understanding Lldp, Lldp-Med, And Wired Location Service

    • Wired Location Service, page 1-3
    LLDP
    The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches). CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network.
  • Page 770
    Note: ... not the individual stack members.
    When you configure LLDP or CDP location information on a per-port basis, remote devices can send Cisco Medianet location information to the switch. For information, go to http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cdp_discover.html.
    LLDP-MED
    LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between endpoint devices such as IP phones and network devices such as switches.
  • Page 771: Wired Location Service

    The switch uses the location service feature to send location and attachment tracking information for its connected devices to a Cisco Mobility Services Engine (MSE). The tracked device can be a wireless endpoint, a wired endpoint, or a wired switch or controller. The switch notifies the MSE of device link up and link down events through the Network Mobility Services Protocol (NMSP) location and attachment notifications.
  • Page 772
    When the switch determines the presence or absence of a device on a link-up or link-down event, it obtains the client-specific information such as the MAC address, IP address, and username. If the client is LLDP-MED- or CDP-capable, the switch obtains the serial number and UDI through the LLDP-MED location TLV or CDP.
  • Page 773: Default Lldp Configuration

    Configuring LLDP, LLDP-MED, and Wired Location Service
    • Default LLDP Configuration, page 1-5
    • Configuration Guidelines, page 1-5
    • Enabling LLDP, page 1-6
    • Configuring LLDP Characteristics, page 1-6
    • ...
  • Page 774: Enabling Lldp

    Enabling LLDP
    Beginning in privileged EXEC mode, follow these steps to enable LLDP:
    Step 1: configure terminal. Enter global configuration mode.
    Step 2: lldp run. Enable LLDP globally on the switch.
  • Page 775
    Step 3: lldp reinit delay. (Optional) Specify the delay time in seconds for LLDP to initialize on an interface. The range is 2 to 5 seconds; the default is 2 seconds.
    Step 4: lldp timer rate. (Optional) Set the sending frequency of LLDP updates in seconds.
  • Page 776
    Beginning in privileged EXEC mode, follow these steps to enable a TLV on an interface:
    Step 1: configure terminal. Enter global configuration mode.
    Step 2: interface interface-id. Specify the interface on which you are configuring an LLDP-MED ...
  • Page 777
    Step 3: {voice | voice-signaling} vlan [vlan-id {cos cvalue | dscp dvalue}] | [[dot1p {cos cvalue | dscp dvalue}] | none | ... Configure the policy attributes: voice specifies the voice application type; voice-signaling specifies the voice-signaling application type.
  • Page 778: Configuring Location Tlv And Wired Location Service

    Use the no form of each command to return to the default setting. This example shows how to configure civic location information on the switch:
        Switch(config)# location civic-location identifier 1
        Switch(config-civic)# number 3550
        Switch(config-civic)# primary-road-name "Cisco Way"
        Switch(config-civic)# city "San Jose"
        Switch(config-civic)# state CA
        Switch(config-civic)# building 19
        ...
  • Page 779: Monitoring And Maintaining Lldp, Lldp-Med, And Wired Location Service

        Switch(config-civic)# county "Santa Clara"
        Switch(config-civic)# country US
        Switch(config-civic)# end
    Beginning in privileged EXEC mode, follow these steps to enable wired location service on the switch.
    Step 1: ...
  • Page 780
    show lldp neighbors [interface-id] [detail]: Display information about neighbors, including device type, interface type and number, holdtime settings, capabilities, and port ID. You can limit the display to neighbors of a specific interface or expand the display for more detailed information.
  • Page 781: Understanding Udld

    Chapter: Configuring UDLD
    This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 782: Methods To Detect Unidirectional Links

    A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device. In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection.
  • Page 783 Chapter 1 Configuring UDLD Understanding UDLD Event-driven detection and echoing • UDLD relies on echoing as its detection mechanism. Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out-of-sync neighbor, it restarts the detection window on its side of the connection and sends echo messages in reply.
  • Page 784: Default Udld Configuration

    Configuring UDLD
    • Default UDLD Configuration, page 1-4
    • Configuration Guidelines, page 1-4
    • Enabling UDLD Globally, page 1-5
    • Enabling UDLD on an Interface, page 1-6
    • Resetting an Interface Disabled by UDLD, page 1-6
    • ...
  • Page 785: Enabling Udld Globally

    Enabling UDLD Globally
    Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch and all members in the switch stack:
  • Page 786: Enabling Udld On An Interface

    Enabling UDLD on an Interface: Beginning in privileged EXEC mode, follow these steps either to enable UDLD in the aggressive or normal mode or to disable UDLD on a port: Command / Purpose: Step 1 configure terminal Enter global configuration mode.
  • Page 787: Displaying Udld Status

    Displaying UDLD Status: To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
  • Page 788 Chapter 1 Configuring UDLD Displaying UDLD Status Catalyst 3750-X and 3560-X Switch Software Configuration Guide OL-25303-03...
  • Page 789: Understanding Span And Rspan

    You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.
  • Page 790: Local Span

    Chapter 1 Configuring SPAN and RSPAN Understanding SPAN and RSPAN. These sections contain this conceptual information: • Local SPAN, page 1-2 • Remote SPAN, page 1-3 • SPAN and RSPAN Concepts and Terminology, page 1-4 • SPAN and RSPAN Interaction with Other Features, page 1-9 ...
  • Page 791: Remote Span

    Figure 1-2 is an example of a local SPAN in a switch stack, where the source and destination ports reside on different stack members. [Figure 1-2 Example of Local SPAN Configuration on a Switch Stack: Switch 1 of the stack, port 1/0/4 ...]
  • Page 792: Span And Rspan Concepts And Terminology

    [Figure 1-3 Example of RSPAN Configuration: RSPAN source session A on Switch A and RSPAN source session B on Switch B, an RSPAN VLAN that the intermediate switches must support, and an RSPAN destination session with RSPAN destination ports on Switch C] ...
  • Page 793 RSPAN consists of at least one RSPAN source session, an RSPAN VLAN, and at least one RSPAN destination session. You separately configure RSPAN source sessions and RSPAN destination sessions on different network devices. To configure an RSPAN source session on a device, you associate a set of source ports or source VLANs with an RSPAN VLAN.
  • Page 794: Monitored Traffic

    The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
  • Page 795 Source Ports: A source port (also called a monitored port) is a switched or routed port that you monitor for network traffic analysis. In a local SPAN session or RSPAN source session, you can monitor source ports or VLANs for traffic in one or both directions.
  • Page 796: Destination Port

    • When a VLAN filter list is specified, only those VLANs in the list are monitored on trunk ports or on voice VLAN access ports. • SPAN traffic coming from other port types is not affected by VLAN filtering; that is, all VLANs are allowed on other ports.
  • Page 797: Span And Rspan Interaction With Other Features

    Local SPAN and RSPAN destination ports behave differently regarding VLAN tagging and encapsulation: • For local SPAN, if the encapsulation replicate keywords are specified for the destination port, these packets appear with the original encapsulation (untagged, ISL, or IEEE 802.1Q). If these keywords are not specified, packets appear in the untagged format.
  • Page 798: Span And Rspan And Switch Stacks

    • VLAN and trunking—You can modify VLAN membership or trunk settings for source or destination ports at any time. However, changes in VLAN membership or trunk settings for a destination port do not take effect until you remove the SPAN destination configuration. Changes in VLAN membership or trunk settings for a source port immediately take effect, and the respective SPAN sessions automatically adjust accordingly.
  • Page 799: Understanding Flow-Based Span

    Understanding Flow-Based SPAN: You can control the type of network traffic to be monitored in SPAN or RSPAN sessions by using flow-based SPAN (FSPAN) or flow-based RSPAN (FRSPAN), which apply access control lists (ACLs) to the monitored traffic on the source ports.
  • Page 800: Configuring Span And Rspan

    Configuring SPAN and RSPAN: • Default SPAN and RSPAN Configuration, page 1-12 • Configuring Local SPAN, page 1-12 • Configuring RSPAN, page 1-17. Default SPAN and RSPAN Configuration: Table 1-1 Default SPAN and RSPAN Configuration (Feature / Default Setting)...
  • Page 801 • For local SPAN, outgoing packets through the SPAN destination port carry the original encapsulation headers—untagged, ISL, or IEEE 802.1Q—if the encapsulation replicate keywords are specified. If the keywords are not specified, the packets are sent in native form. • You can configure a disabled port to be a source or destination port, but the SPAN function does not ...
  • Page 802 Command / Purpose: Step 4 monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]} Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in step 3. Note: For local SPAN, you must use the same session number for the...
  • Page 803 VLANs and the destination ports, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating a Local SPAN Session”...
  • Page 804 Command / Purpose: Step 5 Return to privileged EXEC mode. Step 6 show monitor [session session_number] and show running-config Verify the configuration. Step 7 copy running-config startup-config (Optional) Save the configuration in the configuration file. To delete a SPAN session, use the no monitor session session_number global configuration command.
  • Page 805: Configuring Rspan

    Command / Purpose: Step 5 monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]} Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3. For interface-id, specify the destination port.
  • Page 806 • For RSPAN configuration, you can distribute the source ports and the destination ports across multiple switches in your network. • RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols. The RSPAN VLAN is configured only on trunk ports and not on access ports.
  • Page 807: Creating An Rspan Source Session

    This example shows how to create RSPAN VLAN 901. Switch(config)# vlan 901 Switch(config-vlan)# remote span Switch(config-vlan)# end Creating an RSPAN Source Session: Beginning in privileged EXEC mode, follow these steps to start an RSPAN source session and to specify the monitored source and the destination RSPAN VLAN: Command / Purpose...
  • Page 808 Command / Purpose: Step 6 show monitor [session session_number] and show running-config Verify the configuration. Step 7 copy running-config startup-config (Optional) Save the configuration in the configuration file. To delete a SPAN session, use the no monitor session session_number global configuration command. To remove a source port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command.
  • Page 809: Creating An Rspan Destination Session

    Command / Purpose: Step 5 monitor session session_number destination remote vlan vlan-id Specify the RSPAN session and the destination remote VLAN (RSPAN VLAN). For session_number, enter the session number specified in Step 3. For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port. ...rt group {a | b | c} to specify the ports that carry RSPAN traffic.
  • Page 810: Creating An Rspan Destination Session And Configuring Incoming Traffic

    RSPAN VLAN and the destination port, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating an RSPAN Destination...
  • Page 811 Command / Purpose: Step 3 monitor session session_number source remote vlan vlan-id Specify the RSPAN session and the source RSPAN VLAN. For session_number, the range is 1 to 66. For vlan-id, specify the source RSPAN VLAN to monitor. Step 4 monitor session session_number Specify the SPAN session, the destination port, the packet...
  • Page 812: Configuring Fspan And Frspan

    Configuring FSPAN and FRSPAN: • FSPAN and FRSPAN Configuration Guidelines, page 1-24 • Configuring an FSPAN Session, page 1-25 • Configuring an FRSPAN Session, page 1-26. FSPAN and FRSPAN Configuration Guidelines: You can attach ACLs to only one SPAN or RSPAN session at a time.
  • Page 813: Configuring An Fspan Session

    Configuring an FSPAN Session: Beginning in privileged EXEC mode, follow these steps to create a SPAN session, specify the source (monitored) ports or VLANs and the destination (monitoring) ports, and configure FSPAN for the session: Command / Purpose...
  • Page 814: Configuring An Frspan Session

    Command / Purpose: Step 4 monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]} Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3. Note: For local SPAN, you must use the same session number for...
  • Page 815 Command / Purpose: Step 3 monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx] Specify the RSPAN session and the source port (monitored port). For session_number, the range is 1 to 66. Enter a source port or source VLAN for the RSPAN session: For source interface-id, specify the source port to monitor.
  • Page 816: Displaying Span, Rspan, Fspan, And Frspan Status

    Displaying SPAN, RSPAN, FSPAN, and FRSPAN Status: To display the current SPAN, RSPAN, FSPAN, or FRSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured sessions.
  • Page 817: Understanding Rmon

    Note: For complete syntax and usage information for the commands used in this chapter, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.4. • Understanding RMON, page 1-1 ...
  • Page 818 Chapter 1 Configuring RMON Configuring RMON [Figure 1-1 Remote Monitoring Example: a network management station with a generic RMON console application; the switch has RMON alarms and events configured, SNMP configured, and RMON history and statistic collection enabled; workstations are attached] The switch supports these RMON groups (defined in RFC 1757): ...
  • Page 819: Default Rmon Configuration

    • Collecting Group History Statistics on an Interface, page 1-5 (optional) • Collecting Group Ethernet Statistics on an Interface, page 1-5 (optional). Default RMON Configuration: RMON is disabled by default; no alarms or events are configured. Configuring RMON Alarms and Events: You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station.
  • Page 820 Command / Purpose: Step 3 rmon event number [description string] [log] [owner string] [trap community] Add an event in the RMON event table that is associated with an RMON event number. • For number, assign an event number. The range is 1 to 65535.
  • Page 821: Collecting Group History Statistics On An Interface

    Collecting Group History Statistics on an Interface: You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional.
  • Page 822: Displaying Rmon Status

    Displays the RMON statistics table. For information about the fields in these displays, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.4.
  • Page 823: Understanding System Message Logging

    This chapter describes how to configure system message logging on the Catalyst 3750-X or 3560-X switch. The switch also supports Smart Logging to capture packet flows based on configured triggers. Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.4 and the command reference for this...
  • Page 824: Configuring System Message Logging

    On Catalyst 3750-X switches, messages appear on the active consoles after the process that generated them has finished. On Catalyst 3560-X switches, messages appear on the console after the process that generated them has finished.
  • Page 825 Chapter 1 Configuring System Message Logging and Smart Logging Configuring System Message Logging Table 1-1 System Log Message Elements (Element / Description): seq no: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages”...
  • Page 826: Default System Message Logging Configuration

    This example shows a partial switch system message on a Catalyst 3560-X switch: 00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up 00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up...
  • Page 827: Setting The Message Display Destination Device

    Command / Purpose: Step 4 show running-config and show logging Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Disabling the logging process can slow down the switch because a process must wait until the messages are written to the console before continuing.
  • Page 828: Synchronizing Log Messages

    Command / Purpose: Step 4 logging file flash:filename [max-file-size [min-file-size]] [severity-level-number | type] Store log messages in a file in flash memory on a standalone switch or, in the case of a switch stack, on the stack master. •...
  • Page 829 Beginning in privileged EXEC mode, follow these steps to configure synchronous logging. This procedure is optional. Command / Purpose: Step 1 configure terminal Enter global configuration mode. Step 2 line [console | vty] line-number [ending-line-number] Specify the line to be configured for synchronous logging of...
  • Page 830: Enabling And Disabling Time Stamps On Log Messages

    Enabling and Disabling Time Stamps on Log Messages: By default, log messages are not time-stamped. Beginning in privileged EXEC mode, follow these steps to enable time-stamping of log messages. This procedure is optional.
  • Page 831: Defining The Message Severity Level

    Command / Purpose: Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable sequence numbers, use the no service sequence-numbers global configuration command. This example shows part of a logging display with sequence numbers enabled: 000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) (Switch-2) Defining the Message Severity Level...
  • Page 832: Limiting Syslog Messages Sent To The History Table And To Snmp

    Table 1-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level. Table 1-3 Message Logging Level Keywords (Level Keyword / Level / Description)...
  • Page 833 The default is that configuration logging is disabled. For information about the commands, see the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3 T.
  • Page 834: Configuring Unix Syslog Servers

    Beginning in privileged EXEC mode, follow these steps to enable configuration logging: Command / Purpose: Step 1 configure terminal Enter global configuration mode. Step 2 archive Enter archive configuration mode. Step 3 log config Enter configuration-change logger configuration mode.
  • Page 835: Configuring The Unix System Logging Facility

    Step 1 Add a line such as the following to the file /etc/syslog.conf: local7.debug /usr/adm/logs/cisco.log The local7 keyword specifies the logging facility to be used; see Table 1-4 on page 1-14 for information on the facilities.
  • Page 836: Configuring Smart Logging

    • ACL permitted or denied traffic. To use smart logging, you must first configure a NetFlow exporter that you identify when you enable smart logging. For information on configuring Cisco Flexible NetFlow, see the Cisco IOS Flexible NetFlow Configuration Guide, Release 12.4T: http://www.cisco.com.do/en/US/docs/ios/fnetflow/configuration/guide/12_4t/fnf_12_4t_book.html...
  • Page 837 Smart logging processing creates a NetFlow packet for the configured event and sends the packet to the external NetFlow collector. Smart logging counters reflect the number of packets that are logged. This number is the same as the number of packets sent to the collector if no packets are dropped between the switch and the NetFlow collector.
  • Page 838 Enabling Smart Logging for Dynamic ARP Inspection Violations: Dynamic ARP inspection intercepts ARP packets on untrusted ports and validates them before forwarding. The functionality is similar to DHCP snooping but for ARP packets. You can configure dynamic ARP inspection logging by using the ip arp inspection log-buffer global configuration command.
  • Page 839: Displaying The Logging Configuration

    Displaying the Logging Configuration To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.4 on Cisco.com.
  • Page 841: Understanding Snmp

    3560-X standalone switch and to a Catalyst 3750-X switch stack. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Network Management Command Reference, Release 12.4. • Understanding SNMP, page 1-1 ...
  • Page 842: Snmp Versions

    Chapter 1 Configuring SNMP Understanding SNMP. These sections contain this conceptual information: • SNMP Versions, page 1-2 • SNMP Manager Functions, page 1-3 • SNMP Agent Functions, page 1-4 • SNMP Community Strings, page 1-4 • Using SNMP to Access MIB Variables, page 1-4 ...
  • Page 843: Snmp Manager Functions

    Table 1-1 identifies the characteristics of the different combinations of security models and levels. Table 1-1 SNMP Security Models and Levels (Model / Level / Authentication / Encryption / Result): SNMPv1, noAuthNoPriv, Community string, No encryption: Uses a community string match for authentication. SNMPv2C, noAuthNoPriv, Community string, No encryption...
  • Page 844: Snmp Agent Functions

    (@esN, where N is the switch number) to the first configured RW and RO community strings on the command switch and propagates them to the member switches. For more information, see Chapter 1, “Clustering Switches” and see Getting Started with Cisco Network Assistant, available on Cisco.com. Using SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management software.
  • Page 845: Snmp Notifications

    [Figure: SNMP Agent and SNMP Manager exchanging get-response and trap messages] To locate and download MIBs for a specific Cisco product and release, use the Cisco MIB Locator: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. SNMP Notifications: SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests.
  • Page 846: Default Snmp Configuration

    Table 1-3 ifIndex Values (continued) (Interface Type / ifIndex Range): Physical (such as Gigabit Ethernet or SFP-module interfaces), based on type and port numbers: 10000–14500. Null: 10501 (nonstackable switches), 14501 (stackable switches). Loopback and Tunnel: 24567 + 1.
  • Page 847: Snmp Configuration Guidelines

    The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
  • Page 848: Configuring Community Strings

    Configuring Community Strings: You use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the switch. Optionally, you can specify one or more of these characteristics associated with the string: • An access list of IP addresses of the SNMP managers that are permitted to use the community string ...
  • Page 849: Configuring Snmp Groups And Users

    Command / Purpose: Step 3 access-list access-list-number {deny | permit} source [source-wildcard] (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary.
  • Page 850 Beginning in privileged EXEC mode, follow these steps to configure SNMP on the switch: Command / Purpose: Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server engineID {local engineid-string | remote ip-address [udp-port port-number] ... Configure a name for either the local or remote copy of SNMP. • The engineid-string is a 24-character ID string with the name ...
  • Page 851 Command / Purpose: Step 4 snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 ... Add a new user for an SNMP group. • The username is the name of the user on the host that connects to the agent.
  • Page 852: Configuring Snmp Notifications

    A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers. Note Many commands use the word traps in the command syntax.
  • Page 853 Though visible in the command-line help strings, the fru-ctrl, insertion, and removal keywords are not supported on the Catalyst 3560-X switch. To enable the sending of SNMP inform notifications, use the snmp-server enable traps global configuration command combined with the snmp-server host host-addr informs global configuration command.
  • Page 854 Beginning in privileged EXEC mode, follow these steps to configure the switch to send traps or informs to a host: Command / Purpose: Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server engineID remote Specify the engine ID for the remote host.
  • Page 855 Command / Purpose: Step 7 snmp-server trap-source interface-id (Optional) Specify the source interface, which provides the IP address for the trap message. This command also sets the source IP address for informs. Step 8 snmp-server queue-length length (Optional) Establish the message queue length for each trap host.
  • Page 856: Setting The Cpu Threshold Notification Types And Values

    Setting the CPU Threshold Notification Types and Values: Beginning in privileged EXEC mode, follow these steps to set the CPU threshold notification types and values: Command / Purpose: Step 1 configure terminal Enter global configuration mode. Step 2 process cpu threshold type {total | ... Set the CPU threshold notification types and values:...
  • Page 857: Limiting Tftp Servers Used Through Snmp

    Command / Purpose: Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Limiting TFTP Servers Used Through SNMP: Beginning in privileged EXEC mode, follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list: Command / Purpose...
  • Page 858 Switch(config)# snmp-server enable traps entity Switch(config)# snmp-server host cisco.com restricted entity This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public: Switch(config)# snmp-server enable traps Switch(config)# snmp-server host myhost.cisco.com public...
  • Page 859: Displaying Snmp Status

    EXEC command. You also can use the other privileged EXEC commands in Table 1-6 to display SNMP information. For information about the fields in the displays, see the Cisco IOS Configuration Fundamentals Command Reference. Table 1-6 Commands for Displaying SNMP Information Feature...
  • Page 861: Understanding Embedded Event Manager

    This chapter tells how to use EEM and how to configure it on a Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a standalone switch or a Catalyst 3750-X switch stack. Note: Beginning with Cisco IOS Release 12.2(55)SE, the EEM feature is supported on the IP base and IP services feature set.
  • Page 862 [Figure: EEM applets and EEM scripts subscribe to receive events and implement policy actions] See the EEM Configuration for Cisco Integrated Services Router Platforms Guide for examples of EEM deployment. • Event Detectors, page 1-3 • Embedded Event Manager Actions, page 1-4 ...
  • Page 863: Event Detectors

    • Counter event detector—Publishes an event when a named counter crosses a specified threshold. • Interface counter event detector—Publishes an event when a generic Cisco IOS interface counter for a specified interface crosses a defined threshold. A threshold can be specified as an absolute value or an incremental value. For example, if the incremental value is set to 50 an event would be...
  • Page 864: Embedded Event Manager Actions

    • Watchdog event detector (IOSWDSysMon)—Publishes an event only on the master switch when one of these events occurs: – CPU utilization for a Cisco IOS process crosses a threshold. – Memory utilization for a Cisco IOS process crosses a threshold.
  • Page 865: Embedded Event Manager Environment Variables

    • Cisco built-in variables (available in EEM applets): Defined by Cisco and can be read-only or read-write. The read-only variables are set by the system before an applet starts to execute. The single read-write variable, _exit_status, allows you to set the exit status for policies triggered from synchronous events.
  • Page 866: Registering And Defining An Embedded Event Manager Applet

    • Registering and Defining an Embedded Event Manager TCL Script, page 1-7. For complete information about configuring embedded event manager, see the Cisco IOS Network Management Configuration Guide, Release 12.4T. To configure EEM, you must have the IP services feature set installed on the switch.
  • Page 867: Registering And Defining An Embedded Event Manager Tcl Script

    Chapter 1 Configuring Embedded Event Manager Configuring Embedded Event Manager Command / Purpose: Step 4 action label syslog [priority priority-level] msg msg-text Specify the action when an EEM applet is triggered. Repeat this action to add other CLI commands to the applet. •...
  • Page 868: Displaying Embedded Event Manager Information

    Switch(config)# event manager environment _cron_entry 0-59/2 0-23/1 * * 0-6 This example shows the sample EEM policy named tm_cli_cmd.tcl registered as a system policy. The system policies are part of the Cisco IOS image. User-defined TCL scripts must first be copied to flash memory.
  • Page 869 Reference, Volume 1 of 3: Addressing and Services, Release 12.4. Catalyst 3750-X and 3560-X switches running the IP base or IP services feature set also support Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP). This feature supports security group access control lists (SGACLs), which define ACL policies for a group of devices instead of an IP address.
  • Page 870: Understanding Acls

    Chapter 1 Configuring Network Security with ACLs Understanding ACLs • Using VLAN Maps with Router ACLs, page 1-40 • Displaying IPv4 ACL Configuration, page 1-44. Understanding ACLs: Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs filter traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or VLANs.
  • Page 871 Chapter 1 Configuring Network Security with ACLs Understanding ACLs • Port ACLs access-control traffic entering a Layer 2 interface. The switch does not support port ACLs in the outbound direction. You can apply only one IP access list and one MAC access list to a Layer 2 interface.
  • Page 872 Chapter 1 Configuring Network Security with ACLs Understanding ACLs Port ACLs Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on physical interfaces and not on EtherChannel interfaces and can be applied only on interfaces in the inbound direction.
  • Page 873 Chapter 1 Configuring Network Security with ACLs Understanding ACLs You cannot apply more than one IP access list and one MAC access list to a Layer 2 interface. Note: If an IP access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access list or MAC access list to the interface, the new ACL replaces the previously configured one.
  • Page 874: Handling Fragmented And Unfragmented Traffic

    Chapter 1 Configuring Network Security with ACLs Understanding ACLs With VLAN maps, forwarding of packets is permitted or denied, based on the action specified in the map. Figure 1-2 shows how a VLAN map is applied to prevent a specific type of traffic from Host A in VLAN 10 from being forwarded.
  • Page 875: Acls And Switch Stacks

    ACL information to all switches in the stack. Configuring IPv4 ACLs Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, see the “Configuring IP Services”...
  • Page 876: Creating Standard And Extended Ipv4 Acls

    Chapter 1 Configuring Network Security with ACLs Configuring IPv4 ACLs • Inbound and outbound rate limiting (except with QoS ACLs) • Reflexive ACLs or dynamic ACLs (except for some specialized dynamic ACLs used by the switch clustering feature) • ACL logging for port ACLs and VLAN maps •...
  • Page 877: Access List Numbers

    Chapter 1 Configuring Network Security with ACLs Configuring IPv4 ACLs Access List Numbers The number you use to denote your ACL shows the type of access list that you are creating. Table 1-1 lists the access-list number and corresponding access list type and shows whether or not they are supported in the switch.
  • Page 878 Chapter 1 Configuring Network Security with ACLs Configuring IPv4 ACLs The first packet that triggers the ACL causes a logging message right away, and subsequent packets are collected over 5-minute intervals before they appear or are logged. The logging message includes the access list number, whether the packet was permitted or denied, the source IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.
  • Page 879 Control Protocol (tcp), or User Datagram Protocol (udp). For more details on the specific keywords for each protocol, see these command references: • Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.4 • Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.4 •...
  • Page 880 Chapter 1 Configuring Network Security with ACLs Configuring IPv4 ACLs Note: The switch does not support dynamic or reflexive access lists. It also does not support filtering based on the type of service (ToS) minimize-monetary-cost bit. Supported parameters can be grouped into these categories: TCP, UDP, ICMP, IGMP, or other IP. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 1-12 OL-25303-03...
  • Page 881 Chapter 1 Configuring Network Security with ACLs Configuring IPv4 ACLs Beginning in privileged EXEC mode, follow these steps to create an extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2a access-list access-list-number {deny | permit} protocol Define an extended IPv4 access list and the access conditions. The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
  • Page 882 TCP port. To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.4. Use only TCP port numbers or names when filtering TCP.
  • Page 883 ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.4. Step 2e access-list access-list-number (Optional) Define an extended IGMP access list and the access conditions.
  • Page 884 Chapter 1 Configuring Network Security with ACLs Configuring IPv4 ACLs After creating a numbered extended ACL, you can apply it to terminal lines (see the “Applying an IPv4 ACL to a Terminal Line” section on page 1-20), to interfaces (see the “Applying an IPv4 ACL to an Interface”...
  • Page 885 Chapter 1 Configuring Network Security with ACLs Configuring IPv4 ACLs Beginning in privileged EXEC mode, follow these steps to create a standard ACL using names: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip access-list standard name Define a standard IPv4 access list using a name, and enter access-list configuration mode.
  • Page 886 Chapter 1 Configuring Network Security with ACLs Configuring IPv4 ACLs When you are creating standard or extended ACLs, remember that, by default, the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end. For standard ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask.
  • Page 887 Chapter 1 Configuring Network Security with ACLs Configuring IPv4 ACLs Beginning in privileged EXEC mode, follow these steps to configure a time-range parameter for an ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 time-range time-range-name Assign a meaningful name (for example, workhours) to the time range to be created, and enter time-range configuration mode.
  • Page 888: Including Comments In Acls

    Chapter 1 Configuring Network Security with ACLs Configuring IPv4 ACLs This example uses named ACLs to permit and deny the same traffic. Switch(config)# ip access-list extended deny_access Switch(config-ext-nacl)# deny tcp any any time-range new_year_day_2006 Switch(config-ext-nacl)# exit Switch(config)# ip access-list extended may_access Switch(config-ext-nacl)# permit tcp any any time-range workhours Switch(config-ext-nacl)# end Switch# show ip access-lists...
  • Page 889: Applying An Ipv4 Acl To An Interface

    Chapter 1 Configuring Network Security with ACLs Configuring IPv4 ACLs Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 890 Chapter 1 Configuring Network Security with ACLs Configuring IPv4 ACLs Note: By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when a packet is denied by an access group. These access-group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable message.
  • Page 891: Hardware And Software Treatment Of Ip Acls

    Chapter 1 Configuring Network Security with ACLs Configuring IPv4 ACLs When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you use undefined ACLs for network security.
  • Page 892: Ipv4 Acl Configuration Examples

    This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.4 and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.4.
  • Page 893 Chapter 1 Configuring Network Security with ACLs Configuring IPv4 ACLs • Time Range Applied to an IP ACL, page 1-27 • Commented IP ACL Entries, page 1-28 • ACL Logging, page 1-28. ACLs in a Small Networked Office: Figure 1-3 shows a small networked office environment with routed Port 2 connected to Server A, containing benefits and other information that all employees can access, and routed Port 1 connected to Server B, containing confidential payroll data.
  • Page 894: Numbered Acls

    Chapter 1 Configuring Network Security with ACLs Configuring IPv4 ACLs This example uses an extended ACL to filter traffic coming from Server B into a port, permitting traffic from any source address (in this case Server B) to only the Accounting destination addresses 172.20.128.64 to 172.20.128.95.
  • Page 895: Named Acls

    Chapter 1 Configuring Network Security with ACLs Configuring IPv4 ACLs In this example, the network is a Class B network with the address 128.88.0.0, and the mail host address is 128.88.1.2. The established keyword is used only for TCP, to show an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which show that the packet belongs to an existing connection.
  • Page 896: Commented Ip Acl Entries

    Chapter 1 Configuring Network Security with ACLs Configuring IPv4 ACLs Switch(config-ext-nacl)# exit Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# ip access-group strict in Commented IP ACL Entries In this example of a numbered ACL, the workstation that belongs to Jones is allowed access, and the workstation that belongs to Smith is not allowed access: Switch(config)# access-list 1 remark Permit only Jones workstation through Switch(config)# access-list 1 permit 171.69.2.88...
  • Page 897: Creating Named Mac Extended Acls

    Chapter 1 Configuring Network Security with ACLs Creating Named MAC Extended ACLs <output truncated> 00:09:34:%SEC-6-IPACCESSLOGS:list stan1 permitted 0.0.0.0 1 packet 00:09:59:%SEC-6-IPACCESSLOGS:list stan1 denied 10.1.1.15 1 packet 00:10:11:%SEC-6-IPACCESSLOGS:list stan1 permitted 0.0.0.0 1 packet This example is a named extended access list ext1 that permits ICMP packets from any source to 10.1.1.0 0.0.0.255 and denies all UDP packets.
  • Page 898 Chapter 1 Configuring Network Security with ACLs Creating Named MAC Extended ACLs Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac access-list extended name Define an extended MAC access list using a name.
  • Page 899: Applying A Mac Acl To A Layer 2 Interface

    Chapter 1 Configuring Network Security with ACLs Creating Named MAC Extended ACLs Applying a MAC ACL to a Layer 2 Interface After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface.
  • Page 900: Configuring Vlan Maps

    Chapter 1 Configuring Network Security with ACLs Configuring VLAN Maps Configuring VLAN Maps Note: VLAN maps are not supported on switches running the LAN base feature set. This section describes how to configure VLAN maps, which is the only way to control filtering within a VLAN.
  • Page 901: Vlan Map Configuration Guidelines

    Chapter 1 Configuring Network Security with ACLs Configuring VLAN Maps VLAN Map Configuration Guidelines • If there is no ACL configured to deny traffic on an interface and no VLAN map is configured, all traffic is permitted. • Each VLAN map consists of a series of entries. The order of entries in a VLAN map is important. A packet that comes into the switch is tested against the first entry in the VLAN map.
  • Page 902: Creating A Vlan Map

    Chapter 1 Configuring Network Security with ACLs Configuring VLAN Maps Creating a VLAN Map Each VLAN map consists of an ordered series of entries. Beginning in privileged EXEC mode, follow these steps to create, add to, or delete a VLAN map entry: Command Purpose Step 1...
  • Page 903 Chapter 1 Configuring Network Security with ACLs Configuring VLAN Maps This example shows how to create a VLAN map to permit a packet. ACL ip2 permits UDP packets and any packets that match the ip2 ACL are forwarded. In this map, any IP packets that did not match any of the previous ACLs (that is, packets that are not TCP packets or UDP packets) would get dropped.
  • Page 904: Applying A Vlan Map To A Vlan

    Chapter 1 Configuring Network Security with ACLs Configuring VLAN Maps Switch(config-ext-macl)# permit any any vines-ip Switch(config-ext-nacl)# exit Switch(config)# vlan access-map drop-mac-default 10 Switch(config-access-map)# match mac address good-hosts Switch(config-access-map)# action forward Switch(config-access-map)# exit Switch(config)# vlan access-map drop-mac-default 20 Switch(config-access-map)# match mac address good-protocols Switch(config-access-map)# action forward Example 4 In this example, the VLAN map has a default action of drop for all packets (IP and non-IP).
  • Page 905: Wiring Closet Configuration

    Chapter 1 Configuring Network Security with ACLs Configuring VLAN Maps Wiring Closet Configuration In a wiring closet configuration, routing might not be enabled on the switch. In this configuration, the switch can still support a VLAN map and a QoS classification ACL. In Figure 1-4, assume that Host X and Host Y are in different VLANs and are connected to wiring closet switches A and C.
  • Page 906 Chapter 1 Configuring Network Security with ACLs Configuring VLAN Maps Denying Access to a Server on Another VLAN You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs to have access denied to these hosts (see Figure 1-5): Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.
  • Page 907: Configuring Vacl Logging

    Chapter 1 Configuring Network Security with ACLs Configuring VLAN Maps Configuring VACL Logging When you configure VACL logging, syslog messages are generated for denied IP packets under these circumstances: • When the first matching packet is received. • For any matching packets received within the last 5 minutes. •...
  • Page 908: Using Vlan Maps With Router Acls

    This example shows how to configure global VACL logging parameters: DomainMember(config)# vlan access-log maxflow 800 DomainMember(config)# vlan access-log threshold 4000 Note: For complete syntax and usage information of the commands used in this section, see the Cisco IOS LAN Switching Command Reference: http://www.cisco.com/en/US/docs/ios/lanswitch/command/reference/lsw_book.html...
  • Page 909: Examples Of Router Acls And Vlan Maps Applied To Vlans

    Chapter 1 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs If you must configure a router ACL and a VLAN map on the same VLAN, use these guidelines for both router ACL and VLAN map configuration: • You can configure only one VLAN map and one router ACL in each direction (input/output) on a VLAN interface.
  • Page 910 Chapter 1 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs Figure 1-6 Applying ACLs on Switched Packets [figure: Host A and Host C in VLAN 10, input router ACL, routing function or fallback bridge, output router ACL, VLAN 20]...
  • Page 911: Acls And Multicast Packets

    Chapter 1 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs ACLs and Routed Packets Figure 1-8 shows how ACLs are applied on routed packets. The ACLs are applied in this order: VLAN map for input VLAN Input router ACL Output router ACL VLAN map for output VLAN Figure 1-8...
  • Page 912: Displaying Ipv4 Acl Configuration

    Chapter 1 Configuring Network Security with ACLs Displaying IPv4 ACL Configuration Figure 1-9 Applying ACLs on Multicast Packets [figure: Host A and Host C in VLAN 10, Host B in VLAN 20, input router ACL, routing function, output router ACL]...
  • Page 913 Chapter 1 Configuring Network Security with ACLs Displaying IPv4 ACL Configuration You can also display information about VLAN access maps or VLAN filters. Use the privileged EXEC commands in Table 1-3 to display VLAN map information. Table 1-3 Commands for Displaying VLAN Map Information Command Purpose show vlan access-map [mapname]...
  • Page 915: Configuring Qos

    Nonhierarchical policy maps are referred to as nonhierarchical single-level policy maps, and hierarchical policy maps are referred to as hierarchical dual-level policy maps in switch documentation for the Catalyst 3750 Metro switch, Cisco ME 3400E Series Ethernet Access Switch, and Cisco ME 3400 Series Ethernet Access Switch...
  • Page 916: Understanding Qos

    Chapter 1 Configuring QoS Understanding QoS Understanding QoS Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
  • Page 917 Chapter 1 Configuring QoS Understanding QoS Figure 1-1 QoS Classification Layers in Frames and Packets [figure: encapsulated packet with Layer 2 header, IP header, and data; Layer 2 ISL frame with ISL header (26 bytes, 3 bits used for CoS), encapsulated frame, and CRC (4 bytes); Layer 2 802.1Q and 802.1p frame with preamble and start frame delimiter]...
  • Page 918: Basic Qos Model

    Chapter 1 Configuring QoS Understanding QoS Basic QoS Model To implement QoS, the switch must distinguish packets or flows from one another (classify), assign a label to indicate the given quality of service as the packets move through the switch, make the packets comply with the configured resource usage limits (police and mark), and provide different treatment (queue and schedule) in all situations where resource contention exists.
  • Page 919 Chapter 1 Configuring QoS Understanding QoS Figure 1-2 Basic QoS Model Classification Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally disabled, so no classification occurs.
  • Page 920 Chapter 1 Configuring QoS Understanding QoS For IP traffic, you have these classification options as shown in Figure 1-3: • Trust the DSCP value in the incoming packet (configure the port to trust DSCP), and assign the same DSCP value to the packet. The IETF defines the 6 most-significant bits of the 1-byte ToS field as the DSCP.
  • Page 921 Chapter 1 Configuring QoS Understanding QoS Figure 1-3 Classification Flowchart [flowchart: start; read ingress interface configuration for classification; trust CoS (IP and non-IP traffic); trust DSCP (IP traffic); trust IP precedence (IP traffic); trust DSCP or IP precedence (non-IP traffic)]...
  • Page 922 Chapter 1 Configuring QoS Understanding QoS In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs: • If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.
  • Page 923: Policing And Marking

    Chapter 1 Configuring QoS Understanding QoS The policy map can contain the police and police aggregate policy-map class configuration commands, which define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded. To enable the policy map, you attach it to a port by using the service-policy interface configuration command.
  • Page 924 Chapter 1 Configuring QoS Understanding QoS Policing on Physical Ports In policy maps on physical ports, you can create these types of policers: • Individual—QoS applies the bandwidth limits specified in the policer separately to each matched traffic class. You configure this type of policer within a policy map by using the police policy-map class configuration command.
  • Page 925: Policing On Svis

    Chapter 1 Configuring QoS Understanding QoS Figure 1-4 Policing and Marking Flowchart on Physical Ports [flowchart: start; get the classification result for the packet; is a policer configured for this packet?; check if the packet is in profile by querying the policer; pass through; drop]...
  • Page 926 Chapter 1 Configuring QoS Understanding QoS When configuring policing on an SVI, you can create and configure a hierarchical policy map with these two levels: • VLAN level—Create this primary level by configuring class maps and classes that specify the port trust state or set a new DSCP or IP precedence value in the packet.
  • Page 927: Mapping Tables

    Chapter 1 Configuring QoS Understanding QoS Mapping Tables During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS label based on the DSCP or CoS value from the classification stage: • During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or CoS value from a received CoS, DSCP, or IP precedence value.
  • Page 928: Queueing And Scheduling Overview

    [figure residue: classify, policer, marker, ingress queues, stack ring, egress queues] Figure 1-7 Ingress and Egress Queue Location on Catalyst 3560-X Switches [figure: traffic, classify, policer, marker, ingress queues, internal ring, egress queues]...
  • Page 929: Weighted Tail Drop

    Chapter 1 Configuring QoS Understanding QoS Weighted Tail Drop Both the ingress and egress queues use an enhanced version of the tail-drop congestion-avoidance mechanism called weighted tail drop (WTD). WTD is implemented on queues to manage the queue lengths and to provide drop precedences for different traffic classifications. As a frame is enqueued to a particular queue, WTD uses the frame’s assigned QoS label to subject it to different thresholds.
  • Page 930 Chapter 1 Configuring QoS Understanding QoS In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue is empty and no longer requires a share of the link, the remaining queues can expand into the unused bandwidth and share it among them.
  • Page 931 Chapter 1 Configuring QoS Understanding QoS Figure 1-10 Queueing and Scheduling Flowchart for Ingress Ports on Catalyst 3560-X Switches [flowchart: start; read QoS label (DSCP or CoS value); determine ingress queue number, buffer allocation, and WTD thresholds; are thresholds being exceeded?; drop packet]
  • Page 932 Chapter 1 Configuring QoS Understanding QoS You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
  • Page 933 Chapter 1 Configuring QoS Understanding QoS Queueing and Scheduling on Egress Queues Figure 1-11 and Figure 1-12 show the queueing and scheduling flowcharts for egress ports. Note: If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues. Figure 1-11 Queueing and Scheduling Flowchart for Egress Ports on Catalyst 3750-X Switches...
  • Page 934 Chapter 1 Configuring QoS Understanding QoS Figure 1-12 Queueing and Scheduling Flowchart for Egress Ports on Catalyst 3560-X Switches Start Receive packet from the internal ring. Read QoS label (DSCP or CoS value). Determine egress queue number and threshold based on the label.
  • Page 935 Chapter 1 Configuring QoS Understanding QoS buffers) or not empty (free buffers). If the queue is not over-limit, the switch can allocate buffer space from the reserved pool or from the common pool (if it is not empty). If there are no free buffers in the common pool or if the queue is over-limit, the switch drops the frame.
  • Page 936: Packet Modification

    Chapter 1 Configuring QoS Understanding QoS The queues use WTD to support distinct drop percentages for different traffic classes. Each queue has three drop thresholds: two configurable (explicit) WTD thresholds and one nonconfigurable (implicit) threshold preset to the queue-full state. You assign the two WTD threshold percentages for threshold ID 1 and ID 2.
  • Page 937: Configuring Auto-Qos

    Note: IPv6 Auto-QoS is not supported on switches running the LAN base feature set. You can use auto-QoS commands to identify ports connected to these Cisco devices: • Cisco IP Phones • Devices running the Cisco SoftPhone application •...
  • Page 938: Voip Device Specifics

    DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. When there is no Cisco IP Phone, the ingress classification is set to not trust the QoS label in the packet. The policing is applied to the traffic matching the policy-map classification before the switch enables the trust boundary feature.
  • Page 939 “Configuring a Trusted Boundary to Ensure Port Security” section on page 39-42. • When you enable auto-QoS by using the auto qos voip cisco-phone, the auto qos voip cisco-softphone, or the auto qos voip trust interface configuration command, the switch...
  • Page 940 Chapter 1 Configuring QoS Configuring Auto-QoS When a switch is enabled with QoS, these guidelines take effect: • – If you configure the interface for conditional trust on a voice device, only the legacy auto-QoS VoIP configuration is generated. – If you configure the interface for conditional trust on a video device, the enhanced auto-QoS...
  • Page 941 Chapter 1 Configuring QoS Configuring Auto-QoS Table 1-5 Generated Auto-QoS Configuration (continued) Description: The switch automatically maps CoS values to an egress queue and to a threshold ID. Automatically Generated Command {voip}: Switch(config)# no mls qos srr-queue output cos-map, Switch(config)# mls qos srr-queue ... Enhanced Automatically Generated Command {Video|Trust|Classify}: Switch(config)# no mls qos srr-queue output cos-map, Switch(config)# mls qos srr-queue ...
  • Page 942 Chapter 1 Configuring QoS Configuring Auto-QoS Table 1-5 Generated Auto-QoS Configuration (continued) Description: The switch automatically maps DSCP values to an egress queue and to a threshold ID. Automatically Generated Command {voip}: Switch(config)# no mls qos srr-queue output dscp-map, Switch(config)# mls qos srr-queue ... Enhanced Automatically Generated Command {Video|Trust|Classify}: Switch(config)# no mls qos srr-queue output dscp-map, Switch(config)# mls qos srr-queue ...
  • Page 943 Auto-QoS Generated Configuration For VoIP Devices If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone. Switch(config-if)# mls qos trust device cisco-phone If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.
  • Page 944 AutoQoS-Police-SoftPhone to an ingress interface on which auto-QoS with the Cisco SoftPhone feature is enabled. Switch(config-if)# service-policy input AutoQoS-Police-SoftPhone If you entered the auto qos voip cisco-phone command, the switch automatically creates class maps and policy maps. Switch(config-if)# mls qos trust device cisco-phone If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.
  • Page 945 Configuring Auto-QoS If you entered the auto qos video media-player command, the switch uses the CDP to detect the presence or absence of a Cisco digital media player. Switch(config-if)# mls qos trust device media-player If you entered the auto qos classify command, the switch automatically creates class maps and policy maps.
  • Page 946 Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit Switch(config-if)# service-policy input AUTOQOS-SRND4-CLASSIFY-POLICE-POLICY This is the enhanced configuration for the auto qos voip cisco-phone command: Switch(config)# mls qos map policed-dscp 0 10 18 24 26 46 to 8 Switch(config)# mls qos map cos-dscp 0 8 16 24 32 46 48 56...
  • Page 947 Chapter 1 Configuring QoS Configuring Auto-QoS Switch(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit Switch(config-pmap)# class AUTOQOS_MULTIENHANCED_CONF_CLASS Switch(config-pmap-c)# set dscp af41 Switch(config-pmap-c)# police 5000000 8000 exceed-action drop Switch(config-pmap)# class AUTOQOS_BULK_DATA_CLASS Switch(config-pmap-c)# set dscp af11 Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit Switch(config-pmap)# class AUTOQOS_TRANSACTION_CLASS Switch(config-pmap-c)# set dscp af21 Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit Switch(config-pmap)# class AUTOQOS_SCAVANGER_CLASS...
  • Page 948 Note: When a device running Cisco SoftPhone is connected to a nonrouted or routed port, the switch supports only one Cisco SoftPhone application per port. • When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
  • Page 949: Troubleshooting Auto Qos Commands

    {cts | ip-camera | media-player} Enable auto-QoS for a video device. • cts—A port connected to a Cisco Telepresence system. • ip-camera—A port connected to an IP camera. • media-player—A port connected to a CDP-capable Cisco digital...
  • Page 950: Displaying Auto-Qos Information

    Chapter 1 Configuring QoS Displaying Auto-QoS Information Displaying Auto-QoS Information To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
  • Page 951: Default Standard Qos Configuration

    Chapter 1 Configuring QoS Configuring Standard QoS Default Standard QoS Configuration QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
  • Page 952: Default Egress Queue Configuration

    Chapter 1 Configuring QoS Configuring Standard QoS Default Egress Queue Configuration Table 1-9 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited. Table 1-9 Default Egress Queue Configuration Feature...
  • Page 953: Standard Qos Configuration Guidelines

    Chapter 1 Configuring QoS Configuring Standard QoS Default Mapping Table Configuration Table 1-12 on page 1-73 shows the default CoS-to-DSCP map. Table 1-13 on page 1-74 shows the default IP-precedence-to-DSCP map. Table 1-14 on page 1-76 shows the default DSCP-to-CoS map. The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value.
  • Page 954 • A QoS policy with both IPv4 and IPv6 classification can be attached to an SVI on a mixed switch stack, but the policy applies only to IPv4 traffic entering Cisco 3750 switch interfaces, and to both IPv4 and IPv6 traffic on Catalyst 3750-X and Catalyst 3750-E switch interfaces.
  • Page 955: Policing Guidelines

    Chapter 1 Configuring QoS Configuring Standard QoS • QoS policies that include IPv6-specific classification (such as an IPv6 ACL or the match protocol ipv6 command) are supported on Catalyst 3750-X and Catalyst 3750-E interfaces and on any SVI when a Catalyst 3750-X or Catalyst 3750-E switch is part of the stack. • QoS policies that include common IPv4 and IPv6 classifications are supported on all...
  • Page 956: Enabling Qos Globally

    By default, VLAN-based QoS is disabled on all physical switch ports. The switch applies QoS, including class maps and policy maps, only on a physical-port basis. In Cisco IOS Release 12.2(25)SE or later, you can enable VLAN-based QoS on a switch port.
  • Page 957: Configuring Classification Using Port Trust States

    Chapter 1 Configuring QoS Configuring Standard QoS Configuring Classification Using Port Trust States These sections describe how to classify incoming traffic by using port trust states. Depending on your network configuration, you must perform one or more of these tasks or one or more of the tasks in the “Configuring a QoS Policy”...
  • Page 958 Chapter 1 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be trusted, and enter interface configuration mode.
  • Page 959 CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue.
  • Page 960 Configuring QoS Configuring Standard QoS In some situations, you can prevent a PC connected to the Cisco IP Phone from taking advantage of a high-priority data queue. You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC.
  • Page 961 Chapter 1 Configuring QoS Configuring Standard QoS Regardless of the DSCP transparency configuration, the switch modifies the internal DSCP value of the packet, which the switch uses to generate a class of service (CoS) value that represents the priority of the traffic.
  • Page 962 Chapter 1 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map. To ensure a consistent mapping strategy across both QoS domains, you must perform this procedure on the ports in both domains: Command Purpose Step 1...
  • Page 963: Configuring A Qos Policy

    Chapter 1 Configuring QoS Configuring Standard QoS Configuring a QoS Policy Configuring a QoS policy typically requires classifying traffic into classes, configuring policies applied to those traffic classes, and attaching policies to ports. For background information, see the “Classification” section on page 1-5 and the “Policing and Marking”...
  • Page 964 Chapter 1 Configuring QoS Configuring Standard QoS Command Purpose Step 4 show access-lists Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To delete an access list, use the no access-list access-list-number global configuration command. This example shows how to allow access for only those hosts on the three specified networks.
  • Page 965 Chapter 1 Configuring QoS Configuring Standard QoS Command Purpose Step 3 Return to privileged EXEC mode. Step 4 show access-lists Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To delete an access list, use the no access-list access-list-number global configuration command. This example shows how to create an ACL that permits IP traffic from any source to any destination that has the DSCP value set to 32: Switch(config)# access-list 100 permit ip any any dscp 32...
  • Page 966 Chapter 1 Configuring QoS Configuring Standard QoS Command Purpose Step 3 {deny | permit} protocol Enter deny or permit to specify whether to deny or permit the packet if conditions are matched. These are the conditions: {source-ipv6-prefix/prefix-length | any | host •...
  • Page 967 Chapter 1 Configuring QoS Configuring Standard QoS This example shows how to create an ACL that permits IPv6 traffic from any source to any destination that has the DSCP value set to 32: Switch(config)# ipv6 access-list 100 permit ip any any dscp 32 This example shows how to create an ACL that permits IPv6 traffic from a source host at 10.1.1.1 to a destination host at 10.1.1.2 with a precedence value of 5: Switch(config)# ipv6 access-list ipv6_Name_ACL permit ip host 10::1 host 10.1.1.2...
  • Page 968 Chapter 1 Configuring QoS Configuring Standard QoS This example shows how to create a Layer 2 MAC ACL with two permit statements. The first statement allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001. The second statement allows only Ethertype XNS-IDP traffic from the host with MAC address 0001.0000.0002 to the host with MAC address 0002.0000.0002.
  • Page 969 You can use the match protocol command with the match ip dscp or match precedence commands, but not with the match access-group command. For more information about the match protocol command, see Cisco IOS Quality of Service Solutions Command Reference. Catalyst 3750-X and 3560-X Switch Software Configuration Guide 1-55...
  • Page 970 Chapter 1 Configuring QoS Configuring Standard QoS Command Purpose Step 5 match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list} Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported.
  • Page 971 Note This command is available only when the dual IPv4 and IPv6 SDM template is configured. For more information about the match protocol command, see the Cisco IOS Quality of Service Solutions Command Reference. Step 4 match {ip dscp dscp-list | ip precedence Define the match criterion to classify traffic.
  • Page 972 Chapter 1 Configuring QoS Configuring Standard QoS Command Purpose Step 6 show class-map Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To delete an existing policy map, use the no policy-map policy-map-name global configuration command.
  • Page 973 Chapter 1 Configuring QoS Configuring Standard QoS A policy map also has these characteristics: • A policy map can contain multiple class statements, each with different match criteria and policers. • A policy map can contain a pre-defined default traffic class explicitly placed at the end of the map. • ...
  • Page 974 Chapter 1 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create a nonhierarchical policy map: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 class-map [match-all | match-any] class-map-name Create a class map, and enter class-map configuration mode. By default, no class maps are defined.
  • Page 975 Chapter 1 Configuring QoS Configuring Standard QoS Command Purpose Step 5 trust [cos | dscp | ip-precedence] Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label. Note This command is mutually exclusive with the set command within the same policy map.
  • Page 976 Chapter 1 Configuring QoS Configuring Standard QoS Command Purpose Step 8 exit Return to policy map configuration mode. Step 9 exit Return to global configuration mode. Step 10 interface interface-id Specify the port to attach to the policy map, and enter interface configuration mode.
  • Page 977 Use the interface-level policy map to specify the physical ports that are affected by individual policers. Beginning with Cisco IOS Release 12.2(52)SE, you can configure hierarchical policy maps that filter IPv4 and IPv6 traffic. Follow these guidelines when configuring hierarchical policy maps: • Before configuring a hierarchical policy map, you must enable VLAN-based QoS on the physical ...
  • Page 978 Chapter 1 Configuring QoS Configuring Standard QoS • A policy map can contain multiple class statements, each with different match criteria and actions. • A separate policy-map class can exist for each type of traffic received on the SVI. • In a switch stack, you cannot use the match input-interface class-map configuration command to ...
  • Page 979 Chapter 1 Configuring QoS Configuring Standard QoS • When you configure a default traffic class by using the class class-default policy-map configuration command, unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes) is treated as the default traffic class (class-default). Beginning in privileged EXEC mode, follow these steps to create a hierarchical policy map: Command Purpose...
  • Page 980 You can use the match protocol command with the match ip dscp or match precedence commands, but not with the match access-group command. For more information about the match protocol command, see the Cisco IOS Quality of Service Solutions Command Reference. Step 5 exit Return to class-map configuration mode.
  • Page 981 Chapter 1 Configuring QoS Configuring Standard QoS Command Purpose Step 11 policy-map policy-map-name Create an interface-level policy map by entering the policy-map name, and enter policy-map configuration mode. By default, no policy maps are defined, and no policing is performed. Step 12 class-map class-map-name Define an interface-level traffic classification, and enter policy-map...
  • Page 982 Chapter 1 Configuring QoS Configuring Standard QoS Command Purpose Step 18 trust [cos | dscp | ip-precedence] Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label. Note This command is mutually exclusive with the set command within the same policy map.
  • Page 983 Chapter 1 Configuring QoS Configuring Standard QoS Command Purpose Step 24 service-policy input policy-map-name Specify the VLAN-level policy-map name, and apply it to the SVI. Repeat the previous step and this command to apply the policy map to other SVIs. If the hierarchical VLAN-level policy map has more than one interface-level policy map, all class maps must be configured to the same VLAN-level policy map specified in the service-policy...
  • Page 984 Chapter 1 Configuring QoS Configuring Standard QoS Switch(config-pmap-c)# exit Switch(config-pmap)# class cm-2 Switch(config-pmap-c)# service-policy port-plcmap-1 Switch(config-pmap-c)# set dscp 10 Switch(config-pmap)# exit Switch(config-pmap)# class cm-3 Switch(config-pmap-c)# service-policy port-plcmap-2 Switch(config-pmap-c)# set dscp 20 Switch(config-pmap)# exit Switch(config-pmap)# class cm-4 Switch(config-pmap-c)# trust dscp Switch(config-pmap)# exit Switch(config)# interface vlan 10 Switch(config-if)# service-policy input vlan-plcmap Switch(config-if)# exit...
  • Page 985 Chapter 1 Configuring QoS Configuring Standard QoS Switch(config-pmap-c)# exit Switch(config-pmap)# class cm-4 Switch(config-pmap-c)# trust cos Switch(config-pmap-c)# exit Switch(config-pmap)# exit This example shows how the default traffic class is automatically placed at the end of policy-map pm3 even though class-default was configured first: Switch# show policy-map pm3 Policy Map pm3 Class cm-3...
  • Page 986 Chapter 1 Configuring QoS Configuring Standard QoS Command Purpose Step 4 policy-map policy-map-name Create a policy map by entering the policy map name, and enter policy-map configuration mode. For more information, see the “Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps” section on page 1-58.
  • Page 987: Configuring Dscp Maps

    Chapter 1 Configuring QoS Configuring Standard QoS Switch(config-pmap-c)# trust dscp Switch(config-pmap-c)# police aggregate transmit1 Switch(config-pmap-c)# exit Switch(config-pmap)# class ipclass2 Switch(config-pmap-c)# set dscp 56 Switch(config-pmap-c)# police aggregate transmit1 Switch(config-pmap-c)# exit Switch(config-pmap)# class class-default Switch(config-pmap-c)# set dscp 10 Switch(config-pmap-c)# exit Switch(config-pmap)# exit Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# service-policy input aggflow1 Switch(config-if)# exit...
  • Page 988 Chapter 1 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to modify the CoS-to-DSCP map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map cos-dscp dscp1...dscp8 Modify the CoS-to-DSCP map.
  • Page 989 Chapter 1 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to modify the IP-precedence-to-DSCP map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map ip-prec-dscp Modify the IP-precedence-to-DSCP map.
  • Page 990 Chapter 1 Configuring QoS Configuring Standard QoS To return to the default map, use the no mls qos policed-dscp global configuration command. This example shows how to map DSCP 50 to 57 to a marked-down DSCP value of 0: Switch(config)# mls qos map policed-dscp 50 51 52 53 54 55 56 57 to 0 Switch(config)# end Switch# show mls qos maps policed-dscp Policed-dscp map:...
  • Page 991 Chapter 1 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-CoS map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map dscp-cos dscp-list to cos Modify the DSCP-to-CoS map.
  • Page 992 Chapter 1 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-DSCP-mutation map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map dscp-mutation Modify the DSCP-to-DSCP-mutation map.
  • Page 993: Configuring Ingress Queue Characteristics

    Chapter 1 Configuring QoS Configuring Standard QoS Note In the above DSCP-to-DSCP-mutation map, the mutated values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the original DSCP.
  • Page 994 Chapter 1 Configuring QoS Configuring Standard QoS Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped. Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and to set WTD thresholds.
  • Page 995: Allocating Buffer Space Between The Ingress Queues

    Chapter 1 Configuring QoS Configuring Standard QoS This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent. It maps DSCP values 20 to 26 to ingress queue 1 and to threshold 2 with a drop threshold of 70 percent: Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 1 0 1 2 3 4 5 6 Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 20 21 22 23 24 25 26...
  • Page 996 Chapter 1 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to allocate bandwidth between the ingress queues. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue input bandwidth Assign shared round robin weights to the ingress queues.
  • Page 997: Configuring Egress Queue Characteristics

    Chapter 1 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to configure the priority queue. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue input priority-queue queue-id bandwidth Assign a queue as the priority queue and guarantee bandwidth on the stack or internal ring if the ring is congested.
  • Page 998 Chapter 1 Configuring QoS Configuring Standard QoS These sections contain this configuration information: • Configuration Guidelines, page 1-84 • Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, page 1-84 (optional) • Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, page 1-86 (optional) • ...
  • Page 999 Chapter 1 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and the drop thresholds for a queue-set. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos queue-set output qset-id Allocate buffers to a queue-set.
  • Page 1000 Chapter 1 Configuring QoS Configuring Standard QoS Command Purpose Step 7 show mls qos interface [interface-id] buffers Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command.
