Cisco IE-4000 Software Configuration Manual

Industrial ethernet switch
Cisco Industrial Ethernet 4000, 4010 and
5000 Switch Software Configuration Guide
All Cisco IOS Releases up to 15.2(5)E and 15.2(4)EC
First Published:
September 2016
Last Updated:
March 2018
Cisco Systems, Inc.
www.cisco.com


Summary of Contents for Cisco IE-4000

  • Page 1 Cisco Industrial Ethernet 4000, 4010 and 5000 Switch Software Configuration Guide All Cisco IOS Releases up to 15.2(5)E and 15.2(4)EC First Published: September 2016 Last Updated: March 2018 Cisco Systems, Inc. www.cisco.com...
  • Page 2 Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
  • Page 3 Audience This guide is for the networking professional managing your switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking. Purpose This guide provides the information that you need to configure Cisco IOS software features on your switch.
  • Page 4: Related Publications

    Compatibility matrix documents are available from this Cisco.com site: http://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html Obtain Documentation and Submit a Service Request For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation.
  • Page 5: Configuration Overview

    Unless otherwise indicated, all features and configurations in this guide are supported beginning with release 15.2(2)EA for the IE-4000, 15.2(2)EB for the IE-5000, and release 15.2(4)EC for the IE-4010. Where new features or support for existing features were added after these releases, the detailed release information is given in the Feature History Table for that feature.
  • Page 6: Displaying License Information

    FEATURE CONSTITUTES YOUR FULL ACCEPTANCE OF THE FOLLOWING TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO BE BOUND BY ALL THE TERMS SET FORTH HEREIN. Use of this product feature requires an additional license from Cisco, together...
  • Page 7: Performance Features

    User-defined and Cisco-default Smartports macros for creating custom switch configurations for simplified deployment across the network.  A removable SD flash card that stores the Cisco IOS software image and configuration files for the switch. You can replace and upgrade the switch without reconfiguring the software features. ...
  • Page 8: Management Options

    Network Assistant—Network Assistant is a network management application that can be downloaded from Cisco.com. You use it to manage a single switch, a cluster of switches, or a community of devices. For more information about Network Assistant, see Getting Started with Cisco Network Assistant, available at software.cisco.com/download/.
  • Page 9: Default Settings After Initial Switch Configuration

    Profinet Version 2—Support for PROFINET IO, a modular communication framework for distributed automation applications. The embedded Profinet GSD file allows users to bring up a Cisco IE switch using Siemens STEP7 or TIA Portal software and then monitor its functionality from the command line or the web-based Device Manager.
  • Page 10 Configuration Overview Default Settings After Initial Switch Configuration — Interface speed and duplex mode is autonegotiate. — Auto-MDIX is enabled. — Flow control is off.  VLANs — Default VLAN is VLAN 1. — VLAN trunking setting is dynamic auto (DTP). —...
  • Page 11 Configuration Overview Default Settings After Initial Switch Configuration  Syslog messages are enabled and appear on the console.  SNMP is enabled (Version 1).  No ACLs are configured.  QoS is enabled.  No EtherChannels are configured.  IP unicast routing is disabled.
  • Page 12 Configuration Overview Default Settings After Initial Switch Configuration...
  • Page 13: Command Modes

    Command Modes The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.
  • Page 14 Using the Command-Line Interface Information About Using the Command-Line Interface Table 1 Command Mode Summary (continued). Mode: Config-vlan. Access method: While in global configuration mode, ... Prompt: Switch(config-vlan). Exit method: To exit to global configuration ... About this mode: Use this mode to configure VLAN parameters.
  • Page 15: Understanding Abbreviated Commands

    Using the Command-Line Interface CLI Error Messages Table 2 Help Summary (continued). ?: List all commands available for a particular command mode (for example: Switch> ?). command ?: List the associated keywords for a command (for example: Switch> show ?). command keyword ?: List the associated arguments for a keyword.
  • Page 16: Configuration Logging

    Using the Command-Line Interface How to Use the CLI to Configure Features Table 3 Common CLI Error Messages. Error message: % Ambiguous command: "show con". Meaning: You did not enter enough characters ... How to get help: Reenter the command followed by a question mark (?) ...
  • Page 17: Recalling Commands

    Using the Command-Line Interface How to Use the CLI to Configure Features The range is from 0 to 256. Beginning in line configuration mode, enter this command to configure the number of command lines the switch records for all sessions on a particular line: Switch(config-line)# history size number-of-lines The range is from 0 to 256.
  • Page 18: Editing Commands Through Keystrokes

    Using the Command-Line Interface How to Use the CLI to Configure Features Switch(config-line)# no editing To reenable the enhanced editing mode for the current terminal session, enter this command in privileged EXEC mode: Switch# terminal editing To reconfigure a specific line to have enhanced editing mode, enter this command in line configuration mode: Switch(config-line)# editing Editing Commands Through Keystrokes Table 5 on page 14...
  • Page 19: Editing Command Lines That Wrap

    Using the Command-Line Interface How to Use the CLI to Configure Features Table 5 Editing Commands through Keystrokes (continued). Capability: Designate a particular keystroke as an executable command, perhaps as a shortcut. Keystroke: Press Ctrl-V or Esc Q. Capability: Scroll down a line or screen on ... Keystroke: Press the Return key.
  • Page 20: Searching And Filtering Output Of Show And More Commands

    Using the Command-Line Interface How to Use the CLI to Configure Features Searching and Filtering Output of show and more Commands You can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see.
  • Page 21: Table Of Contents

    The switch supports user-network interfaces (UNIs), network node interfaces (NNIs), and enhanced network interfaces (ENIs). UNIs are typically connected to a host, such as a PC or a Cisco IP phone. NNIs are typically connected to a router or to another switch. ENIs have the same functionality as UNIs, but can be configured to support protocol control packets for Cisco Discovery Protocol (CDP), Spanning-Tree Protocol (STP), Link Layer Discovery Protocol (LLDP), and EtherChannel Link Aggregation Control Protocol (LACP) or Port Aggregation Protocol (PAgP).
  • Page 22: Understanding Interface Types

    Configuring Interfaces Understanding Interface Types All ports on the switch can be configured as UNIs or ENIs. The default state for a UNI or ENI is administratively down to prevent unauthorized users from gaining access to other ports as you configure the switch. Traffic is not switched between these ports, and all arriving traffic at UNIs or ENIs must leave on NNIs to prevent a user from gaining access to another user’s private network.
  • Page 23: Switch Ports

    Configuring Interfaces Understanding Interface Types Switch Ports Switch ports are Layer 2 only interfaces associated with a physical port. Switch ports belong to one or more VLANs. A switch port can be an access port, a trunk port, a private-VLAN port, or a tunnel port. You can configure a port as an access port or trunk port.
  • Page 24: Routed Ports

    Configuring Interfaces Understanding Interface Types Note: IEEE 802.1Q tunneling is only supported when the switch is running the IP Services license. Tunnel ports cannot be trunk ports or access ports and must belong to a VLAN unique to each customer. Routed Ports A routed port is a physical port that acts like a port on a router;...
  • Page 25: Power Over Ethernet Ports

    Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the Cisco Discovery Protocol (CDP), Link Aggregation Control Protocol (LACP), and the Port Aggregation Protocol (PAgP), which operate only on physical NNI or ENI ports.
  • Page 26: Power Management Modes

    LEDs. Power Management Modes To limit the overall PoE budget of DIN rail switches such as the IE-4000, use the global configuration command power inline wattage max <4-125>.
  • Page 27: Power Monitoring And Power Policing

    The switch also polices the power usage with the power policing feature. Power monitoring is backward-compatible with Cisco intelligent power management and CDP-based power consumption. It works with these features to ensure that the PoE port can supply power to the powered device. For more...
  • Page 28 Configuring Interfaces Understanding Interface Types If power policing is enabled, the switch polices power usage by comparing the real-time power consumption to the maximum power allocated to the device. For more information about the maximum power consumption, also referred to as the cutoff power, on a PoE port, see Maximum Power Allocation (Cutoff Power) on a PoE Port, page 24.
  • Page 29: Connecting Interfaces

    PoE ports. Because the switch supports internal power supplies and the Cisco Redundant Power System 2300 (also referred to as the RPS 2300), the total amount of power available for the powered devices varies depending on the power supply configuration.
  • Page 30: Using The Switch Usb Port

    Configuring Interfaces Using the Switch USB Port Figure 1 Connecting VLANs with the Switch (a Layer 3 switch with routing enabled; SVI 1 at 172.20.128.1 and SVI 2 at 172.20.129.1; Host A on VLAN 20 and Host B on VLAN 30). When the IP services image is running on the switch, routing can be enabled on the switch. Whenever possible, to maintain high performance, forwarding is done by the switch hardware.
  • Page 31: Using Interface Configuration Mode

    Configuring Interfaces Using Interface Configuration Mode Configuring the Console Media Type Beginning in privileged EXEC mode, follow these steps to select the RJ-45 console media type. If you configure the RJ-45 console, USB console operation is disabled, and input always remains with the RJ-45 console. Command Purpose configure terminal...
  • Page 32: Procedures For Configuring Interfaces

    Configuring Interfaces Using Interface Configuration Mode. Type: 10/100/1000 Mbps Ethernet ports, Gigabit Ethernet (gigabitethernet or gi), TenGigabitEthernet (tengigethernet or te), or small form-factor pluggable (SFP) module Gigabit Ethernet interfaces. Module number: The module or slot number on the switch. ...
  • Page 33 Configuring Interfaces Using Interface Configuration Mode. configure terminal: Enter global configuration mode. interface range {port-range}: Specify the range of interfaces (VLANs or physical ports) to be configured, and enter interface range configuration mode. You can use the interface range command to configure up to five port ranges or a previously defined macro.
  • Page 34: Configuring And Using Interface Range Macros

    Configuring Interfaces Using Interface Configuration Mode Switch(config-if-range)# flowcontrol receive on If you enter multiple configuration commands while you are in interface range mode, each command is executed as it is entered. The commands are not batched together and executed after you exit interface range mode. If you exit interface range configuration mode while the commands are being executed, some commands might not be executed on all interfaces in the range.
  • Page 35: Configuring Ethernet Interfaces

    Configuring Interfaces Configuring Ethernet Interfaces  The VLAN interfaces must have been configured with the interface vlan command. The show running-config privileged EXEC command displays the configured VLAN interfaces. VLAN interfaces not displayed by the show running-config command cannot be used as interface-ranges. ...
  • Page 36: Default Ethernet Interface Configuration

    Note: The switch might not support a pre-standard powered device—such as Cisco IP phones and access points that do not fully support 802.3af/802.3at—if that powered device is connected to the switch through a crossover cable. This is regardless of whether auto-MDIX is enabled on the switch port.
  • Page 37: Configuring The Port Type

    Configuring Interfaces Configuring Ethernet Interfaces Table 7 Default Ethernet Configuration for UNIs and ENIs. Operating mode: Layer 2 or switching mode (switchport command). Allowed VLAN range: VLANs 1 to 4094. Default VLAN (for access ports): VLAN 1 (Layer 2 interfaces only). Native VLAN (for 802.1Q trunks): VLAN 1 (Layer 2 interfaces only).
  • Page 38: Configuring Interface Speed And Duplex Mode

    Configuring Interfaces Configuring Ethernet Interfaces. configure terminal: Enter global configuration mode. interface interface-id: Specify the interface to configure, and enter interface configuration mode. no shutdown: Enable the port, if necessary. By default, UNIs and ENIs are disabled, and NNIs are enabled.
  • Page 39: Setting The Interface Speed And Duplex Parameters

    Configuring Interfaces Configuring Ethernet Interfaces On a 100BASE-FX SFP module, you cannot configure the speed as nonegotiate. You cannot configure duplex mode on SFP module ports; they operate in full-duplex mode except in these situations: when a Cisco 1000BASE-T SFP module is in the SFP module slot, you can configure duplex mode to auto or full.
  • Page 40: Configuring A Power Management Mode On A Poe Port

    10 W, the switch removes power from the port and then redetects the powered device. The switch repowers the port only if the powered device is a Class 1, Class 2, or a Cisco-only powered device.
  • Page 41: Budgeting Power For Devices Connected To A Poe Port

    The CDP protocol works with Cisco powered devices and does not apply to IEEE third-party powered devices. For these devices, when the switch grants a power request, the switch adjusts the power budget according to the powered-device IEEE classification.
  • Page 42 Configuring Interfaces Configuring Ethernet Interfaces When you enter the power inline consumption default wattage or the no power inline consumption default global configuration command, or the power inline consumption wattage or the no power inline consumption interface configuration command this caution message appears: %CAUTION: Interface interface-id: Misconfiguring the 'power inline consumption/allocation' command may cause damage to the switch and void your warranty.
  • Page 43 Configuring Interfaces Configuring Ethernet Interfaces Beginning in privileged EXEC mode, follow these steps to configure the amount of power budgeted to a powered device connected to a specific PoE port: configure terminal: Enter global configuration mode. no cdp run: (Optional) Disable CDP.
  • Page 44 Auto-MDIX is enabled by default. When you enable auto-MDIX, you must also set the speed and duplex on the interface to auto so that the feature operates correctly. Auto-MDIX is supported on all 10/100 and 10/100/1000 Mbps interfaces and on Cisco 10/100/1000 BASE-T/TX SFP module interfaces. It is not supported on 1000 BASE-SX or -LX SFP module interfaces.
  • Page 45: Adding A Description For An Interface

    Configuring Interfaces Configuring Ethernet Interfaces. Return to privileged EXEC mode. show controllers ethernet-controller interface-id phy: Verify the operational state of the auto-MDIX feature on the interface. copy running-config startup-config: (Optional) Save your entries in the configuration file. To disable auto-MDIX, use the no mdix auto interface configuration command. This example shows how to enable auto-MDIX on a port: Switch# configure terminal Switch(config)# interface GigabitEthernet1/17...
  • Page 46: Configuring Layer 3 Interfaces

    Configuring Interfaces Configuring Layer 3 Interfaces Configuring Layer 3 Interfaces The switch must be running the IP services image to support Layer 3 interfaces:  SVIs: You should configure SVIs for any VLANs for which you want to route traffic. SVIs are created when you enter a VLAN ID following the interface vlan global configuration command.
  • Page 47: Configuring The System Mtu

    Configuring Interfaces Configuring the System MTU. Return to privileged EXEC mode. show interfaces [interface-id], show ip interface [interface-id], show running-config interface [interface-id]: Verify the configuration. copy running-config startup-config: (Optional) Save your entries in the configuration file. To remove an IP address from an interface, use the no ip address interface configuration command. This example shows how to configure a port as a routed port and to assign it an IP address: Switch# configure terminal Enter configuration commands, one per line.
  • Page 48 Configuring Interfaces Configuring the System MTU  routed packets larger than the routing MTU value For example, if the system mtu value is 1998 bytes and the system mtu jumbo value is 5000 bytes, packets up to 5000 bytes can be received on interfaces operating at 1000 Mbps. However, although a packet larger than 1998 bytes can be received on an interface operating at 1000 Mbps, if its destination interface is operating at 10 or 100 Mbps, the packet is dropped.
  • Page 49: Monitoring And Maintaining The Interfaces

    Configuring Interfaces Monitoring and Maintaining the Interfaces Monitoring and Maintaining the Interfaces These sections contain interface monitoring and maintenance information:  Monitoring Interface Status, page 45  Using FEFI to Maintain the Fiber FE Interfaces, page 46  Clearing and Resetting Interfaces and Counters, page 47 ...
  • Page 50 properties | detail}] module number]: Display physical and operational status about an SFP module. show port-type [eni | nni | uni]: Display interface type information for the Cisco ME switch. show running-config interface [interface-id]: Display the running configuration in RAM for the interface.
  • Page 51: Clearing And Resetting Interfaces And Counters

    Configuring Interfaces Monitoring and Maintaining the Interfaces Using FEFI on GE SFP Ports FEFI can be used on the switch Gigabit Ethernet (GE) SFP ports when the GE ports are connected with 100FX/LX SFP transceiver type. However, using these SFP transceivers limits the GE interfaces to 100 MB/s. Clearing and Resetting Interfaces and Counters Table 9 on page 47 lists the privileged EXEC mode clear commands that you can use to clear counters and reset...
  • Page 52 Configuring Interfaces Monitoring and Maintaining the Interfaces...
  • Page 53: Global Status Monitoring Alarms

    For example, if the FCS bit error-rate alarm value is configured to 10 , that value is the alarm set threshold. To set the alarm clear threshold at 5*10 , the hysteresis value, h, is determined as follows:
  • Page 54: Port Status Monitoring Alarms

    You can associate any alarm condition with the alarm relay. Each fault condition is assigned a severity level based on the Cisco IOS System Error Message Severity Level. See Configuring the Power Supply Alarms, page 51, for more information on configuring the relay.
  • Page 55 Configuring Switch Alarms How to Configure Switch Alarms SNMP is an application-layer protocol that provides a message format for communication between managers and agents. The SNMP system consists of an SNMP manager, an SNMP agent, and a management information base (MIB).
  • Page 56: Configuring The Switch Temperature Alarms

    Configuring Switch Alarms How to Configure Switch Alarms. show env power: Displays the switch power status. show facility-alarm status: Displays all generated alarms for the switch. show alarm settings: Verifies the configuration. copy running-config startup-config: (Optional) Saves your entries in the configuration file. Configuring the Switch Temperature Alarms ...
  • Page 57: Setting The Fcs Error Hysteresis Threshold

    Configuring Switch Alarms How to Configure Switch Alarms. configure terminal: Enters global configuration mode. interface interface-id: Enters the interface to be configured, and enters interface configuration mode. fcs-threshold value: Sets the FCS error rate. For value, the range is 6 to 11 to set a maximum bit error rate of 10 to 10 By default, the FCS bit error rate is 10 Returns to privileged EXEC mode.
  • Page 58: Attaching An Alarm Profile To A Specific Port

    Configuring Switch Alarms Monitoring and Maintaining Switch Alarms Status Modifying an Alarm Profile You can modify an alarm profile from alarm profile configuration mode. You can enter more than one alarm type separated by a space. alarm {fcs-error | link-fault | not-forwarding | not-operating}: (Optional) Adds or modifies alarm parameters for a specific alarm.
  • Page 59 Configuring Switch Alarms Configuration Examples for Switch Alarms Table 13 Commands for Displaying Global and Port Alarm Status (continued). show alarm settings: Displays all global alarm settings on the switch. show env {alarm-contact | all | power | ...: Displays the status of environmental facilities on the switch.
  • Page 60 Configuring Switch Alarms Configuration Examples for Switch Alarms Switch(config)# power-supply dual These examples show how to display information when two power supplies are not present which results in a triggered alarm. Switch# show facility-alarm status Source Severity Description Relay Time Switch MAJOR 5 Redundant Pwr missing or failed NONE Mar 01 1993 00:23:52 Switch# show env power...
  • Page 61 Configuring Switch Alarms Additional References Notifies Disabled Syslog Disabled SD-Card Alarm Disabled Relay Notifies Disabled Syslog Enabled Input-Alarm 1 Alarm Enabled Relay Notifies Disabled Syslog Enabled Input-Alarm 2 Alarm Enabled Relay Notifies Disabled Syslog Enabled Additional References The following sections provide references related to switch administration:...
  • Page 62 MIBs. MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml RFCs...
  • Page 63 The slot for the flash memory card is hot swappable and front-accessed. A cover protects the flash card and holds the card firmly in place. The cover is hinged and closed with a captive screw, which prevents the card from coming loose and protects against shock and vibration.
  • Page 64 The Cisco IOS image is stored in a directory that has the same name as the image file (excluding the .bin extension). In a depth-first search of a directory, each encountered subdirectory is completely searched before continuing the search in the original directory.
  • Page 65 Performing Switch Setup Configuration Information About Performing Switch Setup Configuration Reload sequences occur immediately if your switch is set up to automatically bring up the system by using information in the BOOT environment variable. Otherwise, these reload sequences occur after you enter the manual boot command in bootloader configuration mode.
  • Page 66: Switch Default Settings

    Performing Switch Setup Configuration Information About Performing Switch Setup Configuration Switch Default Settings. IP address and subnet mask: No IP address or subnet mask is defined. Default gateway: No default gateway is defined. Enable secret password: No password is defined. Hostname: The factory-assigned default hostname is Switch.
  • Page 67 Performing Switch Setup Configuration Information About Performing Switch Setup Configuration Figure 2 DHCP Client and Server Message Exchange (between the client, Switch A, and the DHCP server: DHCPDISCOVER (broadcast), DHCPOFFER (unicast), DHCPREQUEST (broadcast), DHCPACK (unicast)). The client, Switch A, broadcasts a DHCPDISCOVER message to locate a DHCP server. The DHCP server offers configuration parameters (such as an IP address, subnet mask, gateway IP address, DNS IP address, a lease for the IP address, and so forth) to the client in a DHCPOFFER unicast message.
  • Page 68: Dhcp Autoconfiguration

    DHCP Server Configuration Guidelines, page 64 and the “Configuring DHCP” section of the “IP addressing and Services” section of the Cisco IOS IP DHCP Configuration Guide, Release 15.0. After you install the switch in your network, the auto-image update feature starts. The downloaded configuration file is saved in the running configuration of the switch, and the new image is downloaded and installed on the switch.
  • Page 69: Tftp Server

     The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational. If your DHCP server is a Cisco device, for additional information about configuring DHCP, see the “Configuring DHCP”...
  • Page 70 Performing Switch Setup Configuration Information About Performing Switch Setup Configuration If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command. For example, in...
  • Page 71  Data that controls code, which does not read the Cisco IOS configuration file. For example, the name of a boot loader helper file, which extends or patches the functionality of the boot loader can be stored as an environment variable.
  • Page 72 BOOT filesystem:/file-url ...: A semicolon-separated list of executable files to try to load and execute when automatically booting. If the BOOT environment variable is not ... boot system filesystem:/file-url ...: Specifies the Cisco IOS image to load during the next boot cycle. This command changes the setting of the BOOT environment variable.
  • Page 73 Performing Switch Setup Configuration How to Perform Switch Setup Configuration If you modify your configuration file, the switch prompts you to save the configuration before reloading. During the save operation, the system requests whether you want to proceed with the save if the CONFIG_FILE environment variable points to a startup configuration file that no longer exists.
  • Page 74: Configuring The Client

    Uploads the tar file for the new image to the switch. exit: Returns to global configuration mode. tftp-server flash:config.text: Specifies the Cisco IOS configuration file on the TFTP server. tftp-server flash:imagename.tar: Specifies the image name on the TFTP server. tftp-server flash:filename.txt: Specifies the text file that contains the name of the image file to download.
  • Page 75 Performing Switch Setup Configuration How to Perform Switch Setup Configuration. banner config-save ^C warning-message ^C: (Optional) Creates warning messages to be displayed when you try to save the configuration file to NVRAM. Returns to privileged EXEC mode. show boot: Verifies the configuration.
  • Page 76: Modifying The Startup Configuration

    Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the config.text file to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot-up cycle.
  • Page 77: Booting A Specific Software Image

    Performing Switch Setup Configuration How to Perform Switch Setup Configuration. configure terminal: Enters global configuration mode. boot manual: Enables the switch to manually boot up during the next boot cycle. Returns to privileged EXEC mode. show boot: Verifies your entries. The boot manual global command changes the setting of the MANUAL_BOOT environment variable.
  • Page 78 To display information stored in the NVRAM section of flash memory, use the show startup-config or more startup-config privileged EXEC command. For more information about alternative locations from which to copy the configuration file, see Working with the Cisco IOS File System, Configuration Files, and Software Images, page 993...
  • Page 79 Figure 4 DHCP-Based Autoconfiguration Network Example (Switch 1 through Switch 4 with MAC addresses 00e0.9f1e.2001, 00e0.9f1e.2002, 00e0.9f1e.2003 and 00e0.9f1e.2004; Cisco router 10.0.0.10; DHCP server 10.0.0.1; DNS server 10.0.0.2; TFTP server (tftpserver) 10.0.0.3). Table 15 on page 75 shows the configuration of the reserved leases on the DHCP server.
  • Page 80 Performing Switch Setup Configuration Configuration Examples for Performing Switch Setup Configuration Table 15 DHCP Server Configuration (continued). TFTP server name: tftpserver or 10.0.0.3 (the same for Switch A, Switch B, Switch C, and Switch D). Boot filename (configuration file): switcha-confg for Switch A, switchb-confg for Switch B, ...
  • Page 81 Performing Switch Setup Configuration Configuration Examples for Performing Switch Setup Configuration Switch(dhcp-config)# default-router 10.10.10.1 Switch(dhcp-config)# option 150 10.10.10.1 Switch(dhcp-config)# exit Switch(config)# tftp-server flash:config-boot.text Switch(config)# interface GigabitEthernet1/18 Switch(config-if)# no switchport Switch(config-if)# ip address 10.10.10.1 255.255.255.0 Switch(config-if)# end Configuring a Switch as a DHCP Server: Example This example shows how to configure a switch as a DHCP server so it downloads a configuration file: Switch# config terminal Switch(config)# ip dhcp pool pool1...
  • Page 82 MIBs. MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml RFCs...
  • Page 83 Set the CNS DeviceID  When using the Cisco Configuration Engine user interface, you must first set the DeviceID field to the hostname value that the switch acquires after, not before, you use the cns config initial global configuration command at the switch.
  • Page 84 Figure 5 on page 81). Each Cisco Configuration Engine service manages a group of Cisco devices (switches and routers) and the services that they deliver, storing their configurations and delivering them as needed. Cisco Configuration Engine automates initial configurations and configuration updates by generating device-specific configuration changes, sending them to the device, executing the configuration change, and logging the results.
  • Page 85: Configuration Service

    The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
  • Page 86: Namespace Mapper

    The logical Cisco IOS termination point on the event bus is embedded in the event gateway, which in turn functions as a proxy on behalf of the switch. The event gateway represents the switch and its corresponding DeviceID to the event bus.
  • Page 87: Initial Configuration

    The Cisco IOS agents initiate communication with Configuration Engine by using the appropriate ConfigID and EventID. Configuration Engine maps the ConfigID to a template and downloads the full configuration file to the switch.
  • Page 88: Synchronized Configuration

    Configuring Cisco IOS Agents: the CNS Event Agent and the Cisco IOS CNS Agent embedded in the Cisco IOS software on the switch allow the switch to be connected and automatically configured. Both agents must be enabled, and the CNS configuration can be initial or partial.
  • Page 89 Returns to privileged EXEC mode. show cns event connections Verifies information about the event agent. Enabling Cisco IOS CNS Agent and an Initial Configuration Command Purpose configure terminal Enters global configuration mode.
  • Page 90 Configuring Cisco IOS Configuration Engine Configuring Cisco IOS Agents Command Purpose cns connect name [retries number] [retry-interval seconds] [sleep seconds] [timeout seconds] Enters CNS connect configuration mode, specifies the name of the CNS connect profile, and defines the profile parameters. The switch uses the CNS connect profile to connect to Configuration Engine.
  • Page 91 Configuring Cisco IOS Configuration Engine Configuring Cisco IOS Agents Command Purpose cns id interface num {dns-reverse | ipaddress | mac-address} [event] [image] (Optional) Sets the unique EventID or ConfigID used by the Configuration Engine.  interface num—Enters the type of interface, for example, ethernet, group-async, loopback, or virtual-template.
  • Page 92: Enabling A Partial Configuration

    Configuring Cisco IOS Configuration Engine Configuring Cisco IOS Agents Command Purpose cns config initial {hostname | ip-address} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check] Enables the Cisco IOS agent and initiates an initial configuration.  {hostname | ip-address}—Enters the hostname or the IP address of the configuration server.
  • Page 93 Monitoring and Maintaining Cisco IOS Configuration Engine Command Purpose show cns config connections Displays the status of the CNS Cisco IOS agent connections. show cns config outstanding Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
  • Page 95: Cluster Command Switch Characteristics

    This chapter provides the concepts and procedures to create and manage switch clusters on your switch. You can create and manage switch clusters by using the command-line interface (CLI), Cisco Network Assistant (CNA) or SNMP. For information about CNA, see the online help for CNA.
  • Page 96 Configuring Switch Clusters Restrictions for Configuring Switch Clusters  Has CDP version 2 enabled.  Is not a command or cluster member switch of another cluster.  If a cluster standby group exists, the switch is connected to every standby cluster command switch through at least one common VLAN.
  • Page 97 Table 16 lists the switches eligible for switch clustering, including which ones can be cluster command switches and which ones can only be cluster member switches, and the required software versions. Table 16 Eligible Switch Clusters Switch Cisco IOS Release Cluster Capability IE 2000 15.0(2)EA1 or later Member or command switch IE 3010 12.2(53)EZ or later...
  • Page 98: Automatic Discovery Of Cluster Candidates And Members

    Java plug-in configurations. Automatic Discovery of Cluster Candidates and Members The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
  • Page 99 Discovery Through Non-CDP-Capable and Noncluster-Capable Devices If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 100: Discovery Through Different Vlans

    Configuring Switch Clusters How to Plan for Switch Clustering Figure 8 Discovery Through Non-CDP-Capable and Noncluster-Capable Devices (figure: a command device connected to a non-CDP-capable third-party hub and to a noncluster-capable Catalyst 6500 switch, each with candidate devices behind it) Discovery Through Different VLANs If the cluster command switch is a Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 switch, the cluster can have cluster member switches in different VLANs.
  • Page 101: Discovery Through Different Management Vlans

    Configuring Switch Clusters How to Plan for Switch Clustering Figure 9 Discovery Through Different VLANs (figure: a command device in VLAN 62 reaching members in VLANs 16, 50 and 62 over VLAN trunks carrying VLANs 9,16 and 4,16) Discovery Through Different Management VLANs Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switches can discover and manage cluster member switches in different VLANs and different management VLANs.
  • Page 102 Configuring Switch Clusters How to Plan for Switch Clustering Figure 10 Discovery Through Routed Ports (figure: a command device and member device 7 in VLANs 4, 9 and 62, with management VLAN 62) Figure 11 Discovery Through Different Management VLANs with a Layer 3 Cluster Command Switch (figure: command device and standby command device)...
  • Page 103 Configuring Switch Clusters How to Plan for Switch Clustering The cluster command switch in Figure 12 on page 99 belongs to VLANs 9 and 16. When new cluster-capable switches join the cluster:  One cluster-capable switch and its access port are assigned to VLAN 9. ...
  • Page 104 Configuring Switch Clusters How to Plan for Switch Clustering If a switch received its hostname from the cluster command switch, was removed from a cluster, was then added to a new cluster, and kept the same member number (such as 5), the switch overwrites the old hostname (such as eng-cluster-5) with the hostname of the cluster command switch in the new cluster (such as mkg-cluster-5).
  • Page 105: Using The Cli To Manage Switch Clusters

    EXEC command and the cluster member switch number to start a Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
  • Page 106 Configuring Switch Clusters Additional References If a cluster member switch has its own IP address and community strings, they can be used in addition to the access provided by the cluster command switch. Figure 13 SNMP Management for a Cluster (figure: an SNMP manager receiving Trap 1, Trap 2 and Trap 3 forwarded through the command switch)...
  • Page 108 Configuring Switch Clusters Additional References...
  • Page 109: Network Time Protocol

    NTP from a stratum 1 time server, and so on. A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP. This strategy effectively builds a self-organizing tree of NTP speakers.
  • Page 110 Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet. Because NTP is unauthenticated by default, authenticate the servers you trust (ntp authenticate, ntp authentication-key, ntp trusted-key) and restrict which peers the switch synchronizes to or serves (ntp access-group); an attacker who can shift the clock can defeat certificate validity checks and disorder log timestamps.
  • Page 111: Default Dns Configuration

    (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
  • Page 112: Mac Address Table

    Performing Switch Administration Information About Performing Switch Administration The MOTD and login banners are not configured. System Name and Prompt You configure the system name on the switch to identify it. By default, the system name and prompt are Switch. If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt.
  • Page 113: Default Mac Address Table Configuration

    Performing Switch Administration Information About Performing Switch Administration Default MAC Address Table Configuration
      Feature            Default Setting
      Aging time         300 seconds
      Dynamic addresses  Automatically learned
      Static addresses   None configured
    Address Aging Time for VLANs Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use. You can change the aging time setting for all VLANs or for a specified VLAN.
  • Page 114 Performing Switch Administration Information About Performing Switch Administration Unicast MAC Address Filtering When unicast MAC address filtering is enabled, the switch drops packets with specific source or destination MAC addresses. This feature is disabled by default and only supports unicast static addresses. Follow these guidelines when using this feature: ...
  • Page 115: Configuring Time And Date Manually

    Performing Switch Administration How to Perform Switch Administration  If you disable MAC address learning on a VLAN that includes a secure port, MAC address learning is not disabled on that port. If you disable port security, the configured MAC address learning state is enabled. To reenable MAC address learning on a VLAN, use the default mac address-table learning vlan vlan-id global configuration command.
  • Page 116: Configuring The Time Zone

    Performing Switch Administration How to Perform Switch Administration Configuring the Time Zone The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a fraction of an hour different from UTC. For example, the time zone for Newfoundland in Atlantic Canada (NST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent of an hour (30 minutes), so the offset is entered as hours -3 and minutes 30.
  • Page 117: Configuring A System Name

    DNS query is made to map the name to an IP address. The default domain name is the value set by the ip domain-name global configuration command. If there is a period (.) in the hostname, the Cisco IOS software looks up...
  • Page 118: Configuring Login Banners

    Performing Switch Administration How to Perform Switch Administration Command Purpose configure terminal Enters global configuration mode. ip domain-name name Defines a default domain name that the software uses to complete unqualified hostnames (names without a dotted-decimal domain name). Do not include the initial period that separates an unqualified name from the domain name.
  • Page 119: Managing The Mac Address Table

    Performing Switch Administration How to Perform Switch Administration Command Purpose configure terminal Enters global configuration mode. banner login c message c Specifies the login message.  c—Enters the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text.
  • Page 120: Configuring Mac Address Change Notification Traps

    Performing Switch Administration How to Perform Switch Administration Configuring MAC Address Change Notification Traps Command Purpose configure terminal Enters global configuration mode. snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type Specifies the recipient of the trap message. ...
  • Page 121: Configuring Mac Address Move Notification Traps

    Performing Switch Administration How to Perform Switch Administration Configuring MAC Address Move Notification Traps When you configure MAC-move notification, an SNMP notification is generated and sent to the network management system whenever a MAC address moves from one port to another within the same VLAN. Command Purpose configure terminal...
  • Page 122 Performing Switch Administration How to Perform Switch Administration Command Purpose configure terminal Enters global configuration mode. snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type Specifies the recipient of the trap message.  host-addr—Specifies the name or address of the NMS.
  • Page 123: Adding And Removing Static Address Entries

    Performing Switch Administration How to Perform Switch Administration Adding and Removing Static Address Entries Command Purpose configure terminal Enters global configuration mode. mac address-table static mac-addr vlan vlan-id interface interface-id Adds a static address to the MAC address table.  mac-addr—Specifies the destination MAC unicast address to add to the address table.
  • Page 124 Performing Switch Administration Monitoring and Maintaining Switch Administration Monitoring and Maintaining Switch Administration Command Purpose clear mac address-table dynamic Removes all dynamic entries. clear mac address-table dynamic address mac-address Removes a specific MAC address. clear mac address-table dynamic interface interface-id Removes all addresses on the specified physical port or port channel.
  • Page 125 Performing Switch Administration Configuration Examples for Performing Switch Administration Configuring a MOTD Banner: Examples This example shows how to configure a MOTD banner for the switch by using the pound sign (#) symbol as the beginning and ending delimiter: Switch(config)# banner motd # This is a secure site.
  • Page 126 Performing Switch Administration Additional References Configuring MAC Threshold Notification Traps: Example This example shows how to specify 172.20.10.10 as the NMS, enable the MAC address threshold notification feature, set the interval time to 123 seconds, and set the limit to 78 percent. Note that it sends version 1 traps with the community string private, which crosses the network in cleartext; in production, define the NMS as a version 3 host with authentication and privacy (snmp-server host host-addr traps version 3 priv user notification-type) rather than relying on a community string. Switch(config)# snmp-server host 172.20.10.10 traps private mac-notification Switch(config)# snmp-server enable traps mac-notification threshold Switch(config)# mac address-table notification threshold...
  • Page 128 Performing Switch Administration Additional References...
  • Page 129 For information about configuring PTP on Cisco Industrial Ethernet switches, see Precision Time Protocol Software Configuration Guide for IE 4000, IE 4010 and IE 5000 Switches.
  • Page 130 Configuring PTP...
  • Page 131 Configuring PROFINET Restrictions for Configuring PROFINET Cisco IE series switches support PROFINET I/O RT but not IRT (isochronous real-time). Information About Configuring PROFINET PROFINET is the PROFIBUS International (PI) open Industrial Ethernet standard that uses TCP/IP and IT standards for automation control.
  • Page 132 Discovery and Configuration Protocol (DCP), and sets the device name and IP address, you do not need to enter Cisco IOS commands for the basic configuration. For advanced configurations (for example, QoS, DHCP, and similar features) you must use Cisco IOS commands on the switch because these features cannot be configured by using PROFINET.
  • Page 133 Configuring PROFINET Information About Configuring PROFINET Table 17 PROFINET I/O Switch Attributes
      PROFINET I/O Switch Attributes   Configuration Value or Action
      Device name                      Configures a name for the device.
      TCP/IP                           IP address, subnet mask, default gateway, SVI.
      Primary temperature alarm        Enables or disables monitoring for the specified alarm.
      Secondary temperature alarm      Enables or disables monitoring for the specified alarm.
  • Page 134 You must use the GSD file that is associated with the Cisco IOS release on the switch to manage your PROFINET network. Both the I/O supervisor and the Cisco IOS software alert you to a mismatch between the GSD file and the switch Cisco IOS software version.
  • Page 135 131. Be aware that the output of a debug command might cause a serial link to fail. You should use these commands only under the guidance of a Cisco Technical Support engineer. When you use this command, use Telnet to access the Cisco IOS command-line interface (CLI) by using Ethernet rather than a serial port.
  • Page 137 Enters interface configuration mode. cip enable Enables CIP on a VLAN. Returns to privileged EXEC mode. show running-config Verifies your entries. copy running-config startup-config (Optional) Saves your entries in the configuration file.
  • Page 138: Troubleshooting Cip

    Configuring CIP Monitoring CIP Table 21 Commands for Displaying the CIP Configuration Command Purpose show cip {connection | faults | file | miscellaneous | object | security | session | status} Displays information about the CIP subsystem. Troubleshooting CIP Table 22 Commands for Troubleshooting the CIP Configuration Command...
  • Page 140 Configuring CIP Additional References...
  • Page 141: Sdm Templates

    Routing—The routing template maximizes system resources for IPv4 unicast routing, typically required for a router or aggregator in the center of a network. Dual IPv4 and IPv6 SDM Default Template, page 138. There are four templates for ip services and one template for lanbase licensing.
  • Page 142 Configuring SDM Templates Information About Configuring SDM Templates Table 23 IP Services license SDM Templates Resource Default IPv4 Routing Dual-Default Dual-Routing Unicast MAC addresses 16 K 16 K 16 K 16 K IPv4 IGMP or IPv6 groups 1K IPv4 1K IPv4 1K IPv4 1K IPv4 1K IPv6...
  • Page 143: Setting The Sdm Template

    Configuring SDM Templates How to Configure the Switch SDM Templates Setting the SDM Template Command Purpose configure terminal Enters global configuration mode. sdm prefer {default | dual-ipv4-and-ipv6 {default} | routing} Specifies the SDM template to be used on the switch: ...
  • Page 144 Configuring SDM Templates Configuration Examples for Configuring SDM Templates Switch# show sdm prefer dual-ipv4-and-ipv6 default "dual IPv4/IPv6 default" template: The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs. number of unicast mac addresses: number of IPv4 IGMP groups + multicast routes: number of IPv4 unicast routes:...
  • Page 145 Configuring SDM Templates Configuration Examples for Configuring SDM Templates number of IPv4/MAC qos aces: 0.5K number of IPv4/MAC security aces: number of IPv6 policy based routing aces: number of IPv6 qos aces: number of IPv6 security aces: Configuring Lanbase Templates: Example This is an example of output from the show sdm prefer command on a Lanbase image: Switch# show sdm prefer The current template is "IPv4 default"...
  • Page 146 Configuring SDM Templates Configuration Examples for Configuring SDM Templates...
  • Page 147 To use Secure Shell, you must install the cryptographic (encrypted) software image on your switch. You must obtain authorization to use this feature and to download the cryptographic software files from Cisco.com. For more information, see the release notes for this release.
  • Page 148: Password Protection

    Configuring Switch-Based Authentication Information About Configuring Switch-Based Authentication  You can also enable the login enhancements feature, which logs both successful and failed login attempts. Login enhancements can also be configured to block future login attempts after a set number of unsuccessful attempts are made.
  • Page 149 Multiple Privilege Levels By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
  • Page 150 The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers. A network access server provides connections to a single user, to a network or subnetwork, and to interconnected networks as...
  • Page 151 Configuring Switch-Based Authentication Information About Configuring Switch-Based Authentication TACACS+ Operation When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs: When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user.
  • Page 152 RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco routers and switches. Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information. The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (Cisco Secure Access Control Server Version 3.0), Livingston, Merit, Microsoft, or...
  • Page 153  Networks already using RADIUS. You can add a Cisco switch containing a RADIUS client to the network. This might be the first step when you make a transition to a TACACS+ server.
  • Page 154: Radius Operation

    Configuring Switch-Based Authentication Information About Configuring Switch-Based Authentication Figure 17 Transitioning from RADIUS to TACACS+ Services (figure: RADIUS servers, a remote workstation and TACACS+ servers) RADIUS Operation When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur: The user is prompted to enter a username and password.
  • Page 155 Configuring Switch-Based Authentication Information About Configuring Switch-Based Authentication Radius COA Overview A standard RADIUS interface is typically used in a pulled model where the request originates from a network attached device and the response comes from the queried servers. The switch supports the RADIUS Change of Authorization (CoA) extensions defined in RFC 5176 that are typically used in a pushed model and allow for the dynamic reconfiguring of sessions from external authentication, authorization, and accounting (AAA) or policy servers.
  • Page 156  Calling-Station-Id (IETF attribute 31 which contains the host MAC address)  Audit-Session-Id (Cisco VSA)  Acct-Session-Id (IETF attribute 44) Unless all session identification attributes included in the CoA message match the session, the switch returns a Disconnect-NAK or CoA-NAK with the Invalid Attribute Value error-code attribute.
  • Page 157: Coa Request Commands

    (RFC 5176 CoA packet layout; the Attributes field follows the 20-byte header.) The attributes field is used to carry Cisco VSAs. CoA ACK Response Code If the authorization state is changed successfully, a positive acknowledgement (ACK) is sent. The attributes returned within CoA ACK will vary based on the CoA Request and are discussed in individual CoA Commands.
  • Page 158 Configuring Switch-Based Authentication Information About Configuring Switch-Based Authentication To initiate session authentication, the AAA server sends a standard CoA-Request message which contains a Cisco vendor-specific attribute (VSA) in this form: Cisco:Avpair=“subscriber:command=reauthenticate” and one or more session identification attributes. The current session state determines the switch response to the message. If the session is currently authenticated by IEEE 802.1x, the switch responds by sending an Extensible Authentication Protocol over LAN (EAPoL) RequestId...
  • Page 159: Radius Server Host

    CoA Request: Bounce-Port This command is carried in a standard CoA-Request message that contains this VSA: Cisco:Avpair="subscriber:command=bounce-host-port" Because this command is session-oriented, it must be accompanied by one or more of the session identification attributes described in the CoA Session Identification, page 152.
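    The CoA exchange described on pages 155 through 159, as an added Python example that is not code from the Cisco guide: the AAA-server side builds a CoA-Request carrying session identification attributes (Calling-Station-Id, Acct-Session-Id) and the Cisco VSA subscriber:command=bounce-host-port or subscriber:command=reauthenticate; the switch side checks the RFC 5176 Request Authenticator, requires every session identification attribute in the request to match exactly one session, and answers CoA-ACK or CoA-NAK with an Error-Cause of Invalid Attribute Value. The shared secret, the session table and the MAC and session identifiers are constructed for the example; the packet codes, attribute numbers and authenticator formulas are those of RFC 2865 and RFC 5176.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 5176 (RADIUS Dynamic Authorization Extensions)
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types: session identification, the Cisco VSA, and the NAK error code
CALLING_STATION_ID = 31      # IETF attribute 31, carries the host MAC address
ACCT_SESSION_ID = 44         # IETF attribute 44
VENDOR_SPECIFIC = 26
ERROR_CAUSE = 101
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1             # vendor-type of cisco-avpair inside the VSA
ERR_MISSING_ATTRIBUTE = 402          # RFC 5176 Error-Cause values
ERR_INVALID_ATTRIBUTE_VALUE = 407

# Constructed for the example: the switch's session table and the shared secret.
SESSIONS = [{CALLING_STATION_ID: "00-11-22-33-44-55", ACCT_SESSION_ID: "0000001F",
             "interface": "GigabitEthernet1/5"}]
SHARED_SECRET = b"example-radius-secret"


def attr(attr_type, value):
    """Encode one Type-Length-Value RADIUS attribute."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Encode Cisco:Avpair="text" as Vendor-Specific (vendor 9, vendor-type 1)."""
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def build_coa_request(secret, identifier, attributes):
    """AAA-server side. Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attributes(body):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    pairs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute length")
        pairs.append((attr_type, body[i + 2:i + length]))
        i += length
    return pairs


def build_response(code, request, attributes, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_response(response, request, secret):
    """AAA-server side check that the ACK/NAK really came from the switch."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def handle_coa(packet, secret=SHARED_SECRET, sessions=SESSIONS):
    """Switch side. Returns (response_packet, command); None means the
    authenticator failed and the request is silently discarded (RFC 5176)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed CoA-Request")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None

    session_ids, command = {}, None
    for attr_type, value in parse_attributes(body):
        if attr_type in (CALLING_STATION_ID, ACCT_SESSION_ID):
            session_ids[attr_type] = value.decode()
        elif (attr_type == VENDOR_SPECIFIC and len(value) >= 6
              and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            vendor_type, vendor_len = value[4], value[5]
            text = value[6:4 + vendor_len].decode()
            if vendor_type == CISCO_AVPAIR and text.startswith("subscriber:command="):
                command = text.split("=", 1)[1]

    def nak(error_cause):
        error = attr(ERROR_CAUSE, struct.pack("!I", error_cause))
        return build_response(COA_NAK, packet, [error], secret), None

    if command is None:
        return nak(ERR_MISSING_ATTRIBUTE)
    # Every session identification attribute in the request must match exactly
    # one session, otherwise CoA-NAK with Error-Cause "Invalid Attribute Value".
    matches = [s for s in sessions if all(s.get(t) == v for t, v in session_ids.items())]
    if not session_ids or len(matches) != 1:
        return nak(ERR_INVALID_ATTRIBUTE_VALUE)
    return build_response(COA_ACK, packet, [], secret), command
```

    A request whose authenticator does not verify gets no reply at all, which is what RFC 5176 requires. The only thing protecting a CoA port from an attacker who can reach it is the shared secret folded into an MD5 digest, so the secret must be strong and the switch should accept dynamic-authorization requests only from the configured AAA server addresses; anyone who can forge a valid CoA-Request can bounce access ports or force reauthentication at will.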
  • Page 160: Aaa Server Groups

    Configuring Switch-Based Authentication Information About Configuring Switch-Based Authentication Servers, page 176. You can configure the switch to use AAA server groups to group existing server hosts for authentication. For more information, see Defining AAA Server Groups, page 174. RADIUS Login Authentication To configure AAA authentication, you define a named list of authentication methods and then apply that list to various ports.
  • Page 161: Radius Accounting

    : attribute sep value * protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
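    The protocol:attribute sep value format described above, as an added Python example that is not code from the Cisco guide: a parser for cisco-avpair strings that separates the protocol, the attribute and the value and records whether the separator was = (mandatory) or * (optional), plus an authorization evaluator that follows the TACACS+ rule of failing closed on a mandatory attribute it does not understand or cannot honor while ignoring unknown optional ones. The table of understood attributes and the sample AV pairs are constructed for the example.

```python
import re
from dataclasses import dataclass

# cisco-avpair text: protocol:attribute sep value, where sep is "=" (mandatory)
# or "*" (optional). The attribute name ends at the first "=" or "*", so the
# value itself may contain those characters (for example, an ACL entry).
AV_PAIR = re.compile(
    r"^(?P<protocol>[^:]+):(?P<attribute>[^=*]+)(?P<sep>[=*])(?P<value>.*)$", re.S)


@dataclass(frozen=True)
class AVPair:
    protocol: str
    attribute: str
    mandatory: bool
    value: str


def parse_av_pair(text):
    """Parse one protocol:attribute{=|*}value string or raise ValueError."""
    match = AV_PAIR.match(text)
    if not match:
        raise ValueError(f"malformed AV pair: {text!r}")
    return AVPair(match["protocol"], match["attribute"],
                  match["sep"] == "=", match["value"])


def _priv_lvl(value):
    # Cisco IOS has 16 privilege levels, 0 through 15
    return value.isdigit() and 0 <= int(value) <= 15


def _nonempty(value):
    return len(value) > 0


# Constructed for the example: the (protocol, attribute) pairs this client
# understands and how it validates their values. Real IOS knows many more.
KNOWN_ATTRIBUTES = {
    ("shell", "priv-lvl"): _priv_lvl,
    ("shell", "autocmd"): _nonempty,
    ("ip", "addr-pool"): _nonempty,
    ("ip", "inacl#1"): _nonempty,
}


def apply_authorization(av_pairs):
    """Evaluate the AV pairs of one authorization reply.

    Returns (granted, accepted). An unknown or invalid attribute marked
    mandatory ("=") fails the whole authorization, as the TACACS+
    specification requires; an unknown or invalid optional ("*") attribute
    is ignored and the remaining attributes still apply."""
    accepted = {}
    for text in av_pairs:
        pair = parse_av_pair(text)
        validator = KNOWN_ATTRIBUTES.get((pair.protocol, pair.attribute))
        if validator is not None and validator(pair.value):
            accepted[f"{pair.protocol}:{pair.attribute}"] = pair.value
        elif pair.mandatory:
            return False, {}
    return True, accepted
```

    The distinction matters operationally: a server that marks a restriction such as an inbound ACL as optional is relying on every client understanding it, whereas marking it mandatory guarantees that a client which cannot enforce it denies the session instead of granting unrestricted access.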
  • Page 162: Understanding Kerberos

    Configuring Switch-Based Authentication Information About Configuring Switch-Based Authentication Understanding Kerberos Kerberos is a secret-key network authentication protocol, which was developed at the Massachusetts Institute of Technology (MIT). It uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication and authenticates requests for network resources. DES has since been deprecated for Kerberos (RFC 6649) because its 56-bit key is brute-forceable, so a DES-only Kerberos deployment should be treated as legacy.
  • Page 163 Configuring Switch-Based Authentication Information About Configuring Switch-Based Authentication Table 27 Kerberos-related terms
      Term            Definition
      Authentication  A process by which a user or service identifies itself to another service. For example, a client can authenticate to a switch or a switch can authenticate to another switch.
      Authorization   A means by which the switch identifies what privileges the user has in a network or on the switch and what actions the user can perform.
  • Page 164: Kerberos Operation

    Configuring Switch-Based Authentication Information About Configuring Switch-Based Authentication TGT = ticket granting ticket KDC = key distribution center KEYTAB = key table SRVTAB = server table Kerberos Operation A Kerberos server can be a switch that is configured as a network security server and that can authenticate remote users by using the Kerberos protocol.
  • Page 165: Kerberos Configuration

    SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 166: Ssh Configuration Guidelines

    (encrypted) software image must be installed on your switch. You must obtain authorization to use this feature and to download the cryptographic software files from Cisco.com. For more information about the crypto image, see the release notes for this release.
  • Page 167: Certificate Authority Trustpoints

    (pages) back to the HTTP secure server, which responds to the original request. The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
  • Page 168 Configuring Switch-Based Authentication Information About Configuring Switch-Based Authentication  If the switch is not configured with a hostname and a domain name, a temporary self-signed certificate is generated. If the switch reboots, any temporary self-signed certificate is lost, and a new temporary self-signed certificate is assigned. Because that certificate changes at every reboot, clients have nothing stable to verify; configure a hostname and domain name so the switch generates a persistent self-signed certificate, or enroll with a certificate authority trustpoint.
  • Page 169: Setting Or Changing A Static Enable Password

    A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
  • Page 170: Protecting Enable And Enable Secret Passwords With Encryption

    Disables password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 171: Setting A Telnet Password For A Terminal Line

    Configuring Switch-Based Authentication How to Configure Switch-Based Authentication Setting a Telnet Password for a Terminal Line Command Purpose Attaches a PC or workstation with emulation software to the switch console port. The default data characteristics of the console port are 9600, 8, 1, no parity.
  • Page 172: Setting The Privilege Level For A Command

    Configuring Switch-Based Authentication How to Configure Switch-Based Authentication Command Purpose line console 0 / line vty 0 15 Enters line configuration mode and configures the console port (line 0) or the VTY lines (line 0 to 15). login local Enables local password checking at login time. Authentication is based on the username specified in Step 2.
  • Page 173: Logging Into And Exiting A Privilege Level

    Configuring Switch-Based Authentication How to Configure Switch-Based Authentication Command Purpose privilege level level Changes the default privilege level for the line. level—The range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.
  • Page 174 Configuring Switch-Based Authentication How to Configure Switch-Based Authentication Identifying the TACACS+ Server Host and Setting the Authentication Key Command Purpose configure terminal Enters global configuration mode. tacacs-server host hostname [port integer] [timeout integer] [key string] Identifies the IP host or hosts maintaining a TACACS+ server. Enter this command multiple times to create a list of preferred hosts.
  • Page 175 Configuring Switch-Based Authentication How to Configure Switch-Based Authentication Command Purpose configure terminal Enters global configuration mode. aaa new-model Enables AAA. aaa authentication login {default | Creates a login authentication method list. list-name} method1 [method2...]  To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations.
  • Page 176 Configuring Switch-Based Authentication How to Configure Switch-Based Authentication Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Command Purpose configure terminal Enters global configuration mode. aaa authorization network tacacs+ Configures the switch for user TACACS+ authorization for all network-related service requests. aaa authorization exec tacacs+ Configures the switch for user TACACS+ authorization if the user has privileged EXEC access.
  • Page 177 Configuring Switch-Based Authentication How to Configure Switch-Based Authentication Command Purpose configure terminal Enters global configuration mode. radius-server host {hostname | Specifies the IP address or hostname of the remote RADIUS server host. ip-address} [auth-port port-number]  (Optional) auth-port port-number—Specifies the UDP destination [acct-port port-number] [timeout port for authentication requests.
  • Page 178: Defining Aaa Server Groups

    Defining AAA Server Groups. Command / Purpose: configure terminal enters global configuration mode. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port ... specifies the IP address or hostname of the remote RADIUS server host. (Optional) auth-port port-number specifies the UDP destination port for authentication requests.
  • Page 179: Configuring Radius Login Authentication

    Configuring RADIUS Login Authentication. Command / Purpose: configure terminal enters global configuration mode. aaa new-model enables AAA. aaa authentication login {default | list-name} method1 [method2...] creates a login authentication method list. To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods to be used in default situations.
  • Page 180: Configuring Radius Authorization For User Privileged Access And Network Services

    Configuring RADIUS Authorization for User Privileged Access and Network Services. Command / Purpose: configure terminal enters global configuration mode. aaa authorization network radius configures the switch for RADIUS authorization of all network-related service requests. aaa authorization exec radius configures the switch for RADIUS user authorization when the user has privileged EXEC access.
  • Page 181: Configuring Coa On The Switch

    Command / Purpose: radius-server deadtime minutes specifies the number of minutes for which a RADIUS server that is not responding to authentication requests is skipped, so that the switch does not wait for the request to time out before trying the next configured server. The default is 0;...
  • Page 182: Configuring The Switch For Local Authentication And Authorization

    Command / Purpose: client {ip-address | name} [vrf vrfname] [server-key string] enters dynamic authorization local server configuration mode and specifies a RADIUS client from which the device accepts CoA and disconnect requests. server-key [0 | 7] string configures the RADIUS key shared between the device and the RADIUS clients; 0 means the key is entered in plain text and 7 means it is entered in the reversible type 7 form, so neither option gives the key any real protection in a saved configuration.
  • Page 183: Configuring Secure Shell

    Task / Purpose: Download the cryptographic software image from Cisco.com (required; for more information, see the release notes for this release). Configure a hostname and IP domain name for the switch; follow this procedure only if you are configuring the switch as an SSH server.
  • Page 184 Command / Purpose: crypto key generate rsa enables the SSH server for local and remote authentication on the switch and generates an RSA key pair. The guide recommends a minimum modulus size of 1024 bits; 1024-bit RSA is below current guidance, so generate 2048-bit or larger keys where the image allows it. When you generate RSA keys, you are prompted to enter a modulus length.
  • Page 185: Configuring Secure Http Servers And Clients

    Configuring Secure HTTP Servers and Clients: Configuring a CA Trustpoint. Command / Purpose: configure terminal enters global configuration mode. hostname hostname specifies the hostname of the switch (required only if you have not previously configured a hostname).
  • Page 186 Command / Purpose: show ip http server status (optional) displays the status of the HTTP server so that you can determine whether the secure HTTP server feature is supported in the software. You should see one of these lines in the output: "HTTP secure server capability: Present" or "HTTP secure server capability: Not present". configure terminal...
  • Page 187: Configuring The Secure Http Client

    Monitoring and Maintaining Switch-Based Authentication. Configuring the Secure HTTP Client. Before You Begin: The standard HTTP client and secure HTTP client are always enabled. A certificate authority is required for secure HTTP client certification. This procedure assumes that you have previously configured a CA trustpoint on the switch. If a CA trustpoint is not configured and the remote HTTPS server requires client authentication, connections from the secure HTTP client fail.
  • Page 188 Configuration Examples for Configuring Switch-Based Authentication. Changing the Enable Password: Example. This example shows how to change the enable password to l1u2c3k4y5. The password is stored unencrypted in the configuration and provides access to level 15 (traditional privileged EXEC mode access): Switch(config)# enable password l1u2c3k4y5 Configuring the Encrypted Password: Example. This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:...
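    The two example commands above store credentials very differently: enable password keeps the string in clear text, while the $1$... form is a salted MD5-crypt hash that can only be guessed offline. The [0 | 7] options on key, server-key and password commands add a third case, type 7, which is an obfuscation with a fixed, public XOR key and is fully reversible. The script below is an added example, not Cisco code: it decodes type 7 values, flags a plaintext enable password, notes MD5-crypt secrets, and reports VTY lines that have neither login nor login local. It runs over a constructed running-config; the hostname, the username ops line, the radius-server line's hex string and the line blocks are invented for the demonstration, and the regular expressions cover only the command forms shown here.

```python
"""Audit an IOS configuration for the credential weaknesses this chapter touches on:
a plaintext `enable password`, keys and passwords stored as type 7 (the `7` of the
`[0 | 7]` options, which is only obfuscated), and VTY lines with no login check.
Added example, not Cisco code; the running-config below is constructed (the users,
hosts and hex strings are invented), and the regexes cover only the forms shown."""
import re

# Fixed XOR key of the IOS type 7 scheme. The first two characters of a type 7 value are
# the decimal offset into this key at which the XOR starts; every later byte is one hex pair.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse the type 7 obfuscation; no secret is involved, only this public key table."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])
    plain = bytearray()
    for i, pos in enumerate(range(2, len(encoded), 2)):
        plain.append(int(encoded[pos:pos + 2], 16) ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)])
    return plain.decode()


def type7_encode(plain: str, offset: int = 0) -> str:
    """Forward direction, used here to build test data; IOS picks offsets 0-15."""
    body = "".join(f"{b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]:02X}"
                   for i, b in enumerate(plain.encode()))
    return f"{offset:02d}{body}"


ENABLE_PASSWORD = re.compile(r"^enable password(?: level (\d+))?(?: ([07]))? (\S+)$")
ENABLE_SECRET = re.compile(r"^enable secret(?: level (\d+))? 5 (\$1\$[^$]+\$\S+)$")
TYPE7_LINE = re.compile(r"^(.*\S) 7 ([0-9A-Fa-f]{4,})$")   # ... key 7 <hex>, ... password 7 <hex>


def audit(config: str) -> list:
    """Return (line, finding, recovered_secret_or_None) triples."""
    findings, vty, seen_login = [], None, True
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                       # a new top-level command
            if vty and not seen_login:
                findings.append((vty, "VTY line without login or login local", None))
            vty, seen_login = (line if line.startswith("line vty") else None), False
        if vty and (line in ("login", "login local") or line.startswith("login authentication")):
            seen_login = True
        if m := ENABLE_PASSWORD.match(line):
            level, kind, value = m.group(1) or "15", m.group(2) or "0", m.group(3)
            if kind == "7":
                findings.append((line, f"enable password for level {level} is type 7 (reversible)", type7_decode(value)))
            else:
                findings.append((line, f"enable password for level {level} is stored in plain text", value))
        elif m := ENABLE_SECRET.match(line):
            findings.append((line, f"enable secret for level {m.group(1) or '15'} is salted MD5-crypt: "
                                   "not reversible, but guessable offline", None))
        elif m := TYPE7_LINE.match(line):
            findings.append((line, f"'{m.group(1)}' is type 7 (reversible)", type7_decode(m.group(2))))
    if vty and not seen_login:
        findings.append((vty, "VTY line without login or login local", None))
    return findings


# Constructed running-config: the enable lines echo the page's examples, the rest is invented.
SAMPLE_CONFIG = """\
hostname Switch
enable password l1u2c3k4y5
enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
username ops password 7 094F471A1A0A
radius-server host 172.20.39.46 auth-port 1612 key 7 0519070B701E1D
line con 0
 login local
line vty 0 4
 login local
 privilege level 15
line vty 5 15
 privilege level 1
"""

if __name__ == "__main__":
    for line, finding, secret in audit(SAMPLE_CONFIG):
        print(f"{finding}: {line}" + (f"  -> {secret}" if secret else ""))
```

    Run it against a saved configuration to see why a type 7 key on a radius-server or tacacs-server line is equivalent to storing the key in the clear: anyone who can read the configuration (backup, TFTP copy, show running-config over an unprivileged session) recovers the shared key and can then impersonate the AAA server or decode captured RADIUS passwords.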
  • Page 189 ..."tunnel-private-group-id(#81)=vlanid" This example shows how to apply an input ACL in ASCII format to an interface for the duration of this connection: cisco-avpair= "ip:inacl#1=deny ip 10.10.10.10 0.0.255.255 20.20.20.20 255.255.0.0" cisco-avpair= "ip:inacl#2=deny ip 10.10.10.10 0.0.255.255 any" cisco-avpair= "mac:inacl#3=deny any any decnet-iv"...
  • Page 190 Additional References. <output truncated> You can remove this self-signed certificate by disabling the secure HTTP server and entering the no crypto pki trustpoint TP-self-signed-30890755072 global configuration command. If you later reenable a secure HTTP server, a new self-signed certificate is generated.
  • Page 191 MIBs: MIBs Link. To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml RFCs...
  • Page 193 Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication, normal traffic passes through the port.
  • Page 194 A RADIUS security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 195 Configuring IEEE 802.1x Port-Based Authentication: Information About Configuring IEEE 802.1x Port-Based Authentication. Figure 19, Authentication Flowchart (only the node labels survived extraction): Start; Is the client IEEE 802.1x capable?; Is MAC authentication bypass enabled?; IEEE 802.1x authentication process times out; The switch gets an EAPOL message; User does not have a ...
  • Page 196: Authentication Initiation And Message Exchange

    Switch-to-RADIUS-Server Communication. RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.
  • Page 197 Figure 20, Message Exchange between the client, the switch (authenticator) and the authentication server (RADIUS), in order:
    Client to switch: EAPOL-Start
    Switch to client: EAP-Request/Identity
    Client to switch: EAP-Response/Identity; switch to server: RADIUS Access-Request
    Server to switch: RADIUS Access-Challenge; switch to client: EAP-Request/OTP
    Client to switch: EAP-Response/OTP; switch to server: RADIUS Access-Request
    Server to switch: RADIUS Access-Accept; switch to client: EAP-Success; Port Authorized
    Client to switch: EAPOL-Logoff; Port Unauthorized
    If 802.1x authentication times out while waiting for an EAPOL message exchange and MAC authentication bypass is enabled, the switch can authorize the client when the switch detects an Ethernet packet from the client.
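    The flowchart on page 195 and the exchange in Figure 20 describe one port state machine: the port stays unauthorized (passing only EAPOL, CDP and STP, as page 193 says) until an Access-Accept arrives, and the timeout branch decides between MAC authentication bypass, a guest VLAN or nothing. The following Python model is an added illustration, not Cisco code: it replays the message order of Figure 20, applies the timeout branch to MAC authentication bypass, and falls back to a guest VLAN or a restricted VLAN where the port has one configured (pages 210 and 211). The supplicant, the RADIUS back end (a dictionary of identity to OTP and assigned VLAN), and every MAC address, VLAN number, credential and retry count are constructed for the demonstration.

```python
"""802.1x port authentication as a state machine: the decision paths of Figure 19, the
EAPOL/RADIUS message order of Figure 20, and the timeout branches the chapter describes
(MAC authentication bypass, guest VLAN, restricted VLAN). Added illustration, not Cisco
code; the supplicant, the RADIUS back end, and every MAC address, VLAN number, credential
and retry count below are constructed for the demonstration."""
from dataclasses import dataclass, field
from typing import Optional

UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"
PRE_AUTH_TRAFFIC = {"EAPOL", "CDP", "STP"}   # all an unauthorized port lets through


@dataclass
class Supplicant:
    mac: str
    capable: bool            # runs an 802.1x supplicant, so answers EAP-Request/Identity
    identity: str = ""
    otp: str = ""


@dataclass
class RadiusServer:
    """Toy EAP-OTP back end: identity -> (expected OTP, VLAN to assign or None)."""
    users: dict
    mab_macs: set = field(default_factory=set)   # MACs the server accepts for MAB


@dataclass
class Port:
    access_vlan: int
    mab: bool = False
    guest_vlan: Optional[int] = None
    restricted_vlan: Optional[int] = None
    max_reauth_req: int = 2      # extra EAP-Request/Identity retransmissions before timeout
    state: str = UNAUTHORIZED
    vlan: Optional[int] = None
    log: list = field(default_factory=list)

    def allowed_traffic(self) -> set:
        return {"all"} if self.state == AUTHORIZED else set(PRE_AUTH_TRAFFIC)

    def authorize(self, vlan: int, why: str) -> None:
        self.state, self.vlan = AUTHORIZED, vlan
        self.log.append(f"Port Authorized ({why}, VLAN {vlan})")

    def unauthorize(self, why: str) -> None:
        self.state, self.vlan = UNAUTHORIZED, None
        self.log.append(f"Port Unauthorized ({why})")


def authenticate(port: Port, client: Supplicant, server: RadiusServer) -> Port:
    """Authenticator (switch) side of Figure 20 with the Figure 19 fallbacks."""
    if client.capable:
        port.log.append("client->switch EAPOL-Start")
    # A host without a supplicant never answers EAP-Request/Identity; once the
    # retransmissions are used up, the 'authentication process times out' branch applies.
    for _ in range(port.max_reauth_req + 1):
        port.log.append("switch->client EAP-Request/Identity")
        if client.capable:
            break
    else:
        if port.mab:
            port.log.append("switch->server RADIUS Access-Request (MAB, MAC address as username)")
            if client.mac in server.mab_macs:
                port.log.append("server->switch RADIUS Access-Accept")
                port.authorize(port.access_vlan, "MAC authentication bypass")
                return port
            port.log.append("server->switch RADIUS Access-Reject")
        if port.guest_vlan is not None:
            port.authorize(port.guest_vlan, "guest VLAN, client not 802.1x capable")
        else:
            port.unauthorize("timeout with no MAB match or guest VLAN")
        return port
    port.log += ["client->switch EAP-Response/Identity",
                 "switch->server RADIUS Access-Request",
                 "server->switch RADIUS Access-Challenge",
                 "switch->client EAP-Request/OTP",
                 "client->switch EAP-Response/OTP",
                 "switch->server RADIUS Access-Request"]
    expected = server.users.get(client.identity)
    if expected is not None and expected[0] == client.otp:
        port.log += ["server->switch RADIUS Access-Accept", "switch->client EAP-Success"]
        port.authorize(expected[1] or port.access_vlan, "EAP-Success")
    else:
        port.log += ["server->switch RADIUS Access-Reject", "switch->client EAP-Failure"]
        if port.restricted_vlan is not None:
            port.authorize(port.restricted_vlan, "restricted VLAN after failed authentication")
        else:
            port.unauthorize("authentication failed")
    return port


def logoff(port: Port) -> Port:
    """Figure 20's tail: EAPOL-Logoff returns the port to the unauthorized state."""
    port.log.append("client->switch EAPOL-Logoff")
    port.unauthorize("EAPOL-Logoff")
    return port
```

    The point to take from the model is which decisions are the switch's and which are the server's: the port's host mode, MAB, guest and restricted VLAN settings only decide what happens when the server says no or never gets asked; the VLAN a successfully authenticated client lands in comes from the Access-Accept, which is why page 206 says a later change to the port's access VLAN has no effect on such a session.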
  • Page 198: Authentication Manager

    Authentication Manager: Port-Based Authentication Methods. Table 29 on page 194 lists the authentication methods supported in these host modes: Single host, in which only one data or voice host (client) can be authenticated on a port; ...
  • Page 199: Authentication Manager Cli Commands

    Support was added for MDA- and multiauth-enabled ports. In 12.2(52)SE and later, support was added for ports in multihost mode. An ACL configured on the switch is not compatible with an ACL configured on another device running Cisco IOS software, such as a Catalyst 6500 switch.
  • Page 200: 802.1x Host Mode

    ...authenticated, the port changes to the authorized state, allowing all traffic for the client to flow normally. If the port is configured as a voice VLAN port, the port allows VoIP traffic and 802.1x protocol packets before the client is successfully authenticated.
  • Page 201: Multidomain Authentication

    The switch supports multidomain authentication (MDA), which allows both a data device and a voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
  • Page 202: 802.1x Multiple Authentication Mode

    When a port host mode changes from single- or multihost to multidomain mode, an authorized data device remains authorized on the port. However, a Cisco IP phone on the port voice VLAN is automatically removed and must be reauthenticated on that port.
  • Page 203 You can globally enable MAC move so that the device is reauthenticated on the new port. When a host moves to a second port, the session on the first port is deleted, and the host is reauthenticated on the new port. MAC move is supported on all host modes.
  • Page 204: 802.1x Readiness Check

    802.1x Accounting Attribute-Value Pairs. The information sent to the RADIUS server is represented in the form of Attribute-Value (AV) pairs. These AV pairs provide data for different applications. (For example, a billing application might require information that is in the Acct-Input-Octets or the Acct-Output-Octets attributes of a RADIUS packet.) AV pairs are automatically sent by a switch that is configured for 802.1x accounting.
  • Page 205: 802.1x Authentication With Vlan Assignment

    Follow these guidelines to enable the readiness check on the switch: The readiness check is typically used before 802.1x is enabled on the switch. The 802.1x readiness check is allowed on all ports that can be configured for 802.1x. The readiness check is not available on a port that is configured as dot1x force-unauthorized.
  • Page 206 If an 802.1x port is authenticated and put in the RADIUS server-assigned VLAN, any change to the port access VLAN configuration does not take effect. In the case of a multidomain host, the same applies to voice devices when the port is fully authorized, with these exceptions: ...
  • Page 207 ....in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
  • Page 208: 802.1x Authentication With Downloadable Acls And Redirect Urls

    ...ACL by using the ip access-list extended auth-default-acl global configuration command. Note: The auth-default ACL does not support Cisco Discovery Protocol (CDP) bypass in the single host mode. You must configure a static ACL on the interface to support CDP bypass.
  • Page 209 If the default ACL is configured on the switch and the Cisco Secure ACS sends a host-access-policy to the switch, it applies the policy to traffic from the host connected to a switch port. If the policy does not apply, the switch applies the default ACL.
  • Page 210: 802.1x Authentication With Guest Vlan

    For configuration information, see Configuring Optional 802.1x Authentication Features, page 224. Additional configuration is similar to MAC authentication bypass, as described in Configuring 802.1x User Distribution, page 229. 802.1x Authentication with Guest VLAN: You can configure a guest VLAN for each 802.1x port on the switch to provide limited services to clients, such as downloading the 802.1x client.
  • Page 211: 802.1x Authentication With Restricted Vlan

    802.1x Authentication with Restricted VLAN: You can configure a restricted VLAN (also referred to as an authentication failed VLAN) for each 802.1x port on a switch to provide limited services to clients that cannot access the guest VLAN. These clients are 802.1x-compliant and cannot access another VLAN because they fail the authentication process.
  • Page 212: Authentication Results

    Support on Multiple-Authentication Ports: When a port is configured in any host mode and the AAA server is unavailable, the port is reconfigured to multi-host mode and moved to the critical VLAN. To support this inaccessible bypass on multiple-authentication (multiauth) ports, use the authentication event server dead action reinitialize vlan vlan-id command.
  • Page 213 A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it.
  • Page 214 802.1x Authentication with MAC Authentication Bypass: You can configure the switch to authorize clients based on the client MAC address (see Figure 19 on page 191) by using the MAC authentication bypass feature.
  • Page 215: 802.1x User Distribution

    For more configuration information, see Authentication Manager, page 194. Cisco IOS Release 12.2(55)SE and later supports filtering of verbose MAB system messages. See Authentication Manager CLI Commands, page 195. 802.1x User Distribution: You can configure 802.1x user distribution to load-balance users with the same group name across multiple different...
  • Page 216: Flexible Authentication Ordering

    Set the action to be taken when the switch tries to reauthenticate the client by using the Termination-Action RADIUS attribute (Attribute[29]). If the value is DEFAULT or is not set, the session ends. If the value is RADIUS-Request, the reauthentication process starts.
  • Page 217 Auto enablement automatically enables trunk configuration on the authenticator switch, allowing user traffic from multiple VLANs coming from supplicant switches. Configure the cisco-av-pair as device-traffic-class=switch at the ACS. (You can configure this under the group or the user settings.)
  • Page 218 For more information, see Configuring an Authenticator, page 230. Using IEEE 802.1x Authentication with ACLs and the RADIUS Filter-Id Attribute: The switch supports both IP standard and IP extended port access control lists (ACLs) applied to ingress ports. ...
  • Page 219 Table 30, Default 802.1x Authentication Settings (continued). Feature / Default Setting: RADIUS server IP address, none specified. UDP authentication port, 1812. (Row label lost in extraction), none specified. Host mode, single-host mode.
  • Page 220 When the stop message is not sent successfully, this message appears: 00:09:55: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.201:1645,1646 is not responding. Note: You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and interim-update messages and time stamps.
  • Page 221 This is the maximum number of devices allowed on an 802.1x-enabled port: In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN.
  • Page 222 In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one IP phone is allowed for the voice VLAN. In multiple-host mode, only one 802.1x supplicant is allowed on the port, but an unlimited number of non-802.1x hosts are allowed on the access VLAN.
  • Page 223 Command / Purpose: aaa authorization network default group radius (optional) configures the switch to use RADIUS user authorization for all network-related service requests, such as per-user ACLs or VLAN assignment. For per-user ACLs, single-host mode must be configured.
  • Page 224 Command / Purpose: configure terminal enters global configuration mode. radius-server host {hostname | ip-address} auth-port port-number key string configures the RADIUS server parameters: hostname | ip-address specifies the hostname or IP address of the remote RADIUS server.
  • Page 225 Enabling Voice Aware 802.1x Security. Command / Purpose: configure terminal enters global configuration mode. errdisable detect cause security-violation shutdown vlan shuts down only the VLAN on which a security violation error occurs. Note: If the shutdown vlan keywords are not included, the entire port enters the error-disabled state and shuts down.
  • Page 226: Configuring The Host Mode

    multi-domain allows both a host and a voice device, such as an IP phone (Cisco or non-Cisco), to be authenticated on an 802.1x-authorized port. Note: You must configure the voice VLAN for the IP phone when the host mode is set to multi-domain.
  • Page 227: Configuring Periodic Reauthentication

    Command / Purpose: end returns to privileged EXEC mode. show authentication interface interface-id verifies your entries. copy running-config startup-config (optional) saves your entries in the configuration file. Configuring Periodic Reauthentication: You can enable periodic 802.1x client reauthentication and specify how often it occurs.
  • Page 228 Configuring Optional 802.1x Authentication Features. Command / Purpose: dot1x reauthenticate interface interface-id (optional) manually initiates a reauthentication of the specified IEEE 802.1x-enabled port. authentication mac-move permit (optional) enables MAC move on the switch. authentication violation {protect | ... (optional); the replace keyword enables MAC replace on the interface.
  • Page 229 Command / Purpose: authentication control-direction {both | in} (optional) enables 802.1x authentication with WoL on the port; the keywords configure the port as bidirectional or unidirectional. ...
  • Page 230: Configuring A Guest Vlan

    Configuring a Guest VLAN: When you configure a guest VLAN, clients that are not 802.1x-capable are put into the guest VLAN when the server does not receive a response to its EAP request/identity frame. Clients that are 802.1x-capable but that fail authentication are not granted network access.
  • Page 231 Command / Purpose: end returns to privileged EXEC mode. show authentication interface interface-id (optional) verifies your entries. copy running-config startup-config (optional) saves your entries in the configuration file. Configuring the Maximum Number of Authentication Attempts. Command / Purpose: configure terminal...
  • Page 232 Command / Purpose: radius-server host ip-address [acct-port udp-port] [auth-port ... (optional) configures the RADIUS server parameters by using these keywords: acct-port udp-port specifies the UDP port for the RADIUS accounting server. The range for the UDP port number is from 0 to 65536.
  • Page 233 Command / Purpose: authentication event server dead action authorize [vlan vlan-id] authorizes the port in the access VLAN, or in the configured VLAN if one is specified, when the ACS server is down. end returns to privileged EXEC mode.
  • Page 234 One switch outside a wiring closet must be configured as a supplicant and be connected to an authenticator switch. Note: The cisco-av-pair must be configured as device-traffic-class=switch on the ACS, which sets the interface as a trunk after the supplicant is successfully authenticated.
  • Page 235: Configuring Downloadable Acls

    Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs: In addition to configuring 802.1x authentication on the switch, you need to configure the ACS. For more information, see the Cisco Secure ACS configuration guides. Note: You must configure a downloadable ACL on the ACS before downloading it to the switch.
  • Page 236: Configuring A Downloadable Policy

    Configuring a Downloadable Policy. Command / Purpose: configure terminal enters global configuration mode. access-list access-list-number deny source [source-wildcard log] defines the default port ACL by using a source address and wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
  • Page 237: Configuring Open1X

    Command / Purpose: end returns to privileged EXEC mode. show ip device tracking all displays information about the entries in the IP device tracking table. copy running-config startup-config (optional) saves your entries in the configuration file. Configuring Open1x. Command / Purpose:...
  • Page 238 Monitoring and Maintaining IEEE 802.1x Port-Based Authentication. Command / Purpose: show dot1x all statistics displays 802.1x statistics for all ports. show dot1x statistics interface interface-id displays 802.1x statistics for a specific port. show dot1x all [details | statistics | summary] displays the 802.1x administrative and operational status for the switch.
  • Page 239 Configuration Examples for Configuring IEEE 802.1x Port-Based Authentication. You can verify your settings by entering the show errdisable detect privileged EXEC command. Configuring the RADIUS Server Parameters: Example. This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use UDP port 1612 as the authentication port, and to set the shared key to rad123, matching the key on the RADIUS server: Switch(config)# radius-server host 172.20.39.46 auth-port 1612 key rad123 Configuring 802.1x Accounting: Example...
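    The key in radius-server host ... key rad123 does two jobs on the wire: it hides the User-Password attribute in the switch's Access-Request, and it is mixed into the Response Authenticator with which the switch checks that an Access-Accept or Access-Reject really came from the server it configured. The following is an added example, not Cisco code, that runs both sides of that exchange in one process with the key rad123 from the example above and then repeats it with a mismatched key so that the switch-side check fails. The NAS address 10.0.0.1, the user alice and her password, VLAN 20 and the per-user ACL text are constructed; the attribute numbers come from RFC 2865 and RFC 2868 and Cisco's vendor-specific encoding (vendor 9, vendor-type 1 for cisco-avpair), matching the tunnel-private-group-id(#81) and ip:inacl examples on page 189.

```python
"""What the key in `radius-server host ... key rad123` does on the wire (RFC 2865;
RFC 2868 for the VLAN attributes; Cisco's vendor 9 cisco-avpair VSA). Added example,
not Cisco code: both sides run in one process. The NAS address 10.0.0.1, the user
alice, her password, VLAN 20 and the ACL text are constructed test data."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
CISCO_VENDOR_ID, CISCO_AVPAIR, TAG = 9, 1, 1     # tag 1 groups the three tunnel attributes
SHARED_KEY = b"rad123"                             # the key from the page's example
USERS = {"alice": {"password": "s3cret-pw", "vlan": "20",
                   "inacl": "ip:inacl#1=deny ip 10.10.10.10 0.0.255.255 any"}}

def attr(atype: int, value: bytes) -> bytes:
    """Type(1) Length(1, header included) Value; a value holds at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value

def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26): Vendor-Id 9, vendor-type 1 is cisco-avpair."""
    sub = bytes([CISCO_AVPAIR, len(text) + 2]) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def xor_chain(data: bytes, secret: bytes, req_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2 User-Password: XOR each 16-byte block with MD5(secret + previous
    ciphertext block), seeded by the Request Authenticator; same loop in both directions."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + mixed, (mixed if hiding else block)
    return out

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return xor_chain(password + b"\x00" * (-len(password) % 16), secret, req_auth, True)

def recover_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return xor_chain(hidden, secret, req_auth, False).rstrip(b"\x00")

def packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code: int, ident: int, body: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def parse_attrs(pkt: bytes) -> list:
    attrs, pos = [], 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return attrs

def server_reply(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: unhide the password with its own key; an Accept carries the VLAN
    (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) and the ACL as cisco-avpair."""
    code, ident, _ = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(parse_attrs(request))
    entry = users.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    ok = (code == ACCESS_REQUEST and entry is not None and
          recover_password(attrs.get(USER_PASSWORD, b""), secret, req_auth) == entry["password"].encode())
    reply_code, body = (ACCESS_ACCEPT, [
        attr(TUNNEL_TYPE, bytes([TAG]) + (13).to_bytes(3, "big")),        # 13 = VLAN
        attr(TUNNEL_MEDIUM_TYPE, bytes([TAG]) + (6).to_bytes(3, "big")),  # 6 = IEEE 802
        attr(TUNNEL_PRIVATE_GROUP_ID, bytes([TAG]) + entry["vlan"].encode()),
        cisco_avpair(entry["inacl"])]) if ok else (ACCESS_REJECT, [])
    auth = response_authenticator(reply_code, ident, b"".join(body), req_auth, secret)
    return packet(reply_code, ident, auth, body)

def switch_exchange(user: str, password: str, switch_key: bytes, server_key: bytes,
                    users: dict = USERS, nas_ip: str = "10.0.0.1") -> dict:
    """Switch (NAS) side: send the Access-Request, then verify the Response Authenticator
    with the switch's own key before trusting anything in the reply."""
    req_auth, ident = os.urandom(16), 7
    request = packet(ACCESS_REQUEST, ident, req_auth, [
        attr(USER_NAME, user.encode()),
        attr(USER_PASSWORD, hide_password(password.encode(), switch_key, req_auth)),
        attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    reply = server_reply(request, server_key, users)
    code, rid, _ = struct.unpack("!BBH", reply[:4])
    authentic = rid == ident and reply[4:20] == response_authenticator(code, rid, reply[20:], req_auth, switch_key)
    result = {"code": code, "authentic": authentic, "vlan": None, "avpairs": []}
    if not authentic:
        return result                      # key mismatch: a real switch discards the reply
    for atype, value in parse_attrs(reply):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            result["vlan"] = (value[1:] if value[0] <= 0x1F else value).decode()   # RFC 2868 tag rule
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            result["avpairs"].append(value[6:4 + value[5]].decode())
    return result
```

    Two things worth noticing when reading the output. First, a key mismatch is invisible to the server: the Access-Request carries no integrity check unless a Message-Authenticator attribute (RFC 2869) is added, so the server merely sees a wrong password and answers with a Reject; it is the Response Authenticator check on the switch that detects the mismatch, which is why a wrong key looks like a server that never answers and eventually trips the radius-server deadtime and dead-criteria logic configured earlier in this chapter. Second, the User-Password hiding is a stream of MD5 outputs keyed by the shared secret, so the type 7 or plaintext storage of that secret discussed on page 188 directly exposes every password sent through the switch.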
  • Page 240 This example shows how to clear all the VLAN groups:
    switch(config)# no vlan group end-dept vlan-list all
    switch(config)# show vlan-group all
    For more information about these commands, see the Cisco IOS Security Command Reference.
  • Page 241 Configuration Examples for Configuring IEEE 802.1x Port-Based Authentication. Configuring NAC Layer 2 802.1x Validation: Example. This example shows how to configure NAC Layer 2 802.1x validation:
    Switch# configure terminal
    Switch(config)# interface GigabitEthernet1/17
    Switch(config-if)# authentication periodic
    Switch(config-if)# authentication timer reauthenticate
    Configuring an 802.1x Authenticator Switch: Example. This example shows how to configure a switch as an 802.1x authenticator:...
  • Page 242 Additional References.
    Switch# configure terminal
    Switch(config)# interface GigabitEthernet1/17
    Switch(config-if)# authentication control-direction both
    Switch(config-if)# authentication fallback profile1
    Switch(config-if)# authentication host-mode multi-auth
    Switch(config-if)# authentication open
    Switch(config-if)# authentication order dot1x webauth
    Switch(config-if)# authentication periodic
    Switch(config-if)# authentication port-control auto
    Additional References: The following sections provide references related to switch administration:...
  • Page 243 MIBs: MIBs Link. To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml RFCs...
  • Page 245 Web-Based Authentication Use the web-based authentication feature, known as web authentication proxy, to authenticate end users on host systems that do not run the IEEE 802.1x supplicant. Note: You can configure web-based authentication on Layer 2 interfaces. Cisco Systems, Inc. www.cisco.com...
  • Page 246: Host Detection

    Configuring Web-Based Authentication Information About Configuring Web-Based Authentication When you initiate an HTTP session, web-based authentication intercepts ingress HTTP packets from the host and sends an HTML login page to the users. The users enter their credentials, which the web-based authentication feature sends to the authentication, authorization, and accounting (AAA) server for authentication.
  • Page 247: Session Creation

    Configuring Web-Based Authentication Information About Configuring Web-Based Authentication For Layer 2 interfaces, web-based authentication detects IP hosts by using these mechanisms:  ARP-based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static IP address or a dynamic IP address. ...
  • Page 248: Local Web Authentication Banner

    You create a banner by using the ip admission auth-proxy-banner http global configuration command. The default banner Cisco Systems and Switch host-name Authentication appear on the Login Page. Cisco Systems appears on the authentication result pop-up page, as shown in Figure 25 on page 244.
  • Page 249 Figure 27. Figure 27 Login Screen with No Banner For more information, see the Cisco IOS Security Command Reference Configuring a Web Authentication Local Banner, page 252.
  • Page 250: Web Authentication Customizable Web Pages

    You must include an HTML redirect command in the success page to access a specific URL.  The URL string must be a valid URL (for example, http://www.cisco.com). An incomplete URL might cause page not found error or similar errors on a web browser.
  • Page 251 Configuring Web-Based Authentication Information About Configuring Web-Based Authentication  Any images on the custom pages must be on an accessible HTTP server. Configure an intercept ACL within the admission rule.  Any external link from a custom page requires configuration of an intercept ACL within the admission rule. ...
  • Page 252 The GWIP policy overrides the web-based authentication host policy. ACLs If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic only after the web-based authentication host policy is applied.
  • Page 253: Configuring The Authentication Rule And Interfaces

    Configuring Web-Based Authentication How to Configure Web-Based Authentication EtherChannel You can configure web-based authentication on a Layer 2 EtherChannel interface. The web-based authentication configuration applies to all member channels. Default Web-Based Authentication Settings Feature Default Settings Disabled RADIUS server  ...
  • Page 254: Configuring Aaa Authentication

    Configuring Web-Based Authentication How to Configure Web-Based Authentication Command Purpose exit Returns to configuration mode. ip device tracking Enables the IP device tracking table. Returns to privileged EXEC mode. show ip admission configuration Displays the configuration. Configuring AAA Authentication Command Purpose aaa new-model Enables AAA functionality.
  • Page 255: Configuring The Http Server

    Enables downloading of an ACL from the RADIUS server. This feature is supported in Cisco IOS Release 12.2(50)SG. radius-server dead-criteria tries num-tries Specifies the number of unanswered sent messages to a RADIUS server before considering the server to be inactive.
  • Page 256: Configuring A Web Authentication Local Banner

    Configuring the Web-Based Authentication Parameters: You can configure the maximum number of failed login attempts before the client is placed in a watch list for a waiting period. Command / Purpose: ip admission max-login-attempts number: Sets the maximum number of failed login attempts.
  • Page 257 Monitoring and Maintaining Web-Based Authentication (Command / Purpose): clear ip auth-proxy cache {* | host ip address}: Clears authentication proxy entries from the switch. clear ip admission cache {* | host ip address}: Clears IP admission cache entries from the switch. ...
  • Page 258 Configuring a Redirection URL: Example This example shows how to configure a redirection URL for successful login: Switch(config)# ip admission proxy http success redirect www.cisco.com Verifying a Redirection URL: Example This example shows how to verify the redirection URL for successful login:...
  • Page 259 Clearing the Web-Based Authentication Session: Example. This example shows how to remove the web-based authentication session for the client at the IP address 209.165.201.1: Switch# clear ip auth-proxy cache 209.165.201.1 Additional References: The following sections provide references related to switch administration:...
  • Page 260 MIBs. MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml RFCs...
  • Page 261: Configuring Smartports Macros

    This macro is automatically applied when you use Express Setup to initially configure the switch. Note: You must first apply the cisco-cg-global macro for the interface configuration macros to work properly. cisco-cg-password Use this global configuration macro to configure the password settings for the switch.
  • Page 262 Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
  • Page 263: Applying Smartports Macros

    Use this interface configuration macro when connecting the switch and a wireless access point. This macro is optimized for industrial automation traffic. Cisco-default Smartports macros vary, depending on the software version running on your switch. Smartports Configuration Guidelines ...
  • Page 264 Monitoring and Maintaining Smartports Macros (Command / Purpose): macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]: Applies each individual command defined in the macro to the switch by entering macro global apply macro-name. Specifies macro global trace macro-name to apply and to debug a macro to find any syntax or configuration errors.
  • Page 265 Configuration Examples for Smartports Macros Applying the Smartports Macro: Examples This example shows how to display the cisco-ie-desktop macro, how to apply the macro and to set the access VLAN ID to 25 on an interface: Switch# show parser macro name cisco-ie-desktop...
  • Page 267: Cisco Trustsec Sgt Exchange Protocol Feature Histories

    You can use the SGT Exchange Protocol (SXP) to propagate the SGTs across network devices that do not have hardware support for Cisco TrustSec. This section describes how to configure Cisco TrustSec SXP on switches in your network. This section includes the following topics: ...
  • Page 268: Enabling Cisco Trustsec Sxp

    Enabling Cisco TrustSec SXP: You must enable Cisco TrustSec SXP before you can configure peer connections. To enable Cisco TrustSec SXP, perform this task: Command...
  • Page 269 Command / Purpose: Router# configure terminal: Enters global configuration mode. Router(config)# cts sxp connection peer peer-ipv4-addr [source src-ipv4-addr] password {default | none} mode {local | ... (truncated): Configures the SXP address connection. The optional source keyword specifies the IPv4 address of the source device.
  • Page 270: Configuring The Default Sxp Password

    Configuring the Default SXP Password By default, SXP uses no password when setting up connections. You can configure a default SXP password for the switch. In Cisco IOS Release 12.2(50)SY and later releases, you can specify an encrypted password for the SXP default password.
  • Page 271: Changing The Sxp Retry Period

    The SXP retry period determines how often the Cisco TrustSec software retries an SXP connection. When an SXP connection is not successfully set up, the Cisco TrustSec software makes a new attempt to set up the connection after the SXP retry period timer expires. The default value is 120 seconds. Setting the SXP retry period to 0 seconds disables the timer and retries are not attempted.
  • Page 272: Configuring Cisco Trustsec Caching

    Cisco TrustSec connections. Caching allows Cisco TrustSec devices to use unexpired security information to restore links after an outage without requiring a full reauthentication of the Cisco TrustSec domain. The Cisco TrustSec devices will cache security information in DRAM. If non-volatile (NV) storage is also enabled, the DRAM cache information will also be stored to the NV memory.
  • Page 273: Clearing The Cisco Trustsec Cache

    Also enables the DRAM cache to be initially populated from non-volatile storage when the device boots. Router(config)# exit: Exits configuration mode. This example shows how to configure Cisco TrustSec caching, including non-volatile storage: Router# configure terminal Router(config)# cts cache enable Router(config)# cts cache nv-storage bootdisk:...
  • Page 275: Configuring Vlans

    VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN. Interface VLAN membership on the switch is assigned manually on an interface-by-interface basis. When you assign switch interfaces to VLANs by using this method, it is known as interface-based, or static, VLAN membership.
  • Page 276: Supported Vlans

    Traffic between VLANs must be routed or fallback bridged. The switch can route traffic between VLANs by using switch virtual interfaces (SVIs). An SVI must be explicitly configured and assigned an IP address to route traffic between VLANs. Note: If you plan to configure many VLANs on the switch and to not enable routing, you can use the sdm prefer vlan global configuration command to set the Switch Database Management (sdm) feature to the VLAN template, which...
  • Page 277 Dynamic-Access Ports on VMPS Clients, page 290. Voice VLAN: A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic and ... VTP is not required; it has no effect on a voice VLAN.
  • Page 278: Token Ring Vlans

    You use the interface configuration mode to define the port membership mode and to add and remove ports from VLANs. The results of these commands are written to the running-configuration file, and you can display the file by entering the show running-config privileged EXEC command.
  • Page 279: Default Ethernet Vlan Configuration

    Token Ring TrCRF VLANs. For more information on configuring Token Ring VLANs, see the Catalyst 6500 Series Software Configuration Guide. Normal-Range VLAN Configuration Guidelines: Follow these guidelines when creating and modifying normal-range VLANs in your network: ...
  • Page 280 Table 34 Ethernet VLAN Defaults and Ranges (Parameter / Default / Range): VLAN ID: 1 to 4096. Note: Extended-range VLANs (VLAN IDs 1006 to 4096) are only saved in the VLAN database in VTP version 3. VLAN name: VLANxxxx, where xxxx represents four numeric digits (including leading zeros) equal to the VLAN ID number; no range...
  • Page 281: Default Vlan Configuration

    Extended-Range VLANs: With VTP version 1 and version 2, when the switch is in VTP transparent mode (VTP disabled), you can create extended-range VLANs (in the range 1006 to 4096). VTP version 3 supports extended-range VLANs in server or transparent mode.
  • Page 282: Trunking Overview

    Although the switch supports a total of 1005 (normal-range and extended-range) VLANs, the number of routed ports, SVIs, and other configured features affects the use of the switch hardware. If you try to create an extended-range VLAN and there are not enough hardware resources available, an error message is generated, and the extended-range VLAN is rejected.
  • Page 283 VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
  • Page 284 Note: VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
  • Page 285 Load Sharing Using STP Port Priorities: When two ports on the same switch form a loop, the switch uses the STP port priority to decide which port is enabled and which port is in a blocking state. You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN.
  • Page 286 Figure 31 Load-Sharing Trunks with Traffic Distributed by Path Cost (figure: Switch A with trunk port 1 and trunk port 2, carrying VLANs 2–4 and VLANs 8–10 with path costs of 30 and 19)...
  • Page 287: Vmps Configuration Guidelines

    If there is a match, the VMPS sends the VLAN number for that port. If the client switch was not previously configured, it uses the domain name from the first VTP packet it receives on its trunk port from the VMPS. If the client switch was previously configured, it includes its domain name in the query packet to the VMPS to obtain its VLAN number.
  • Page 288: Creating Or Modifying An Ethernet Vlan

    A dynamic-access port can participate in fallback bridging. The VTP management domain of the VMPS client and the VMPS server must be the same. The VLAN configured on the VMPS server should not be a voice VLAN. VMPS Reconfirmation Interval: VMPS clients periodically reconfirm the VLAN membership information received from the VMPS. You can set the number of minutes after which reconfirmation occurs.
  • Page 289: Deleting A Vlan

    Deleting a VLAN (Command / Purpose): configure terminal: Enters global configuration mode. no vlan vlan-id: Removes the VLAN by entering the VLAN ID. end: Returns to privileged EXEC mode. Assigning Static-Access Ports to a VLAN (Command / Purpose): configure terminal: Enters global configuration mode...
  • Page 290: Configuring An Ethernet Interface As A Trunk Port

    Creating an Extended-Range VLAN with an Internal VLAN ID (Command / Purpose): show vlan internal usage: Displays the VLAN IDs being used internally by the switch. If the VLAN ID that you want to use is an internal VLAN, the display shows the routed port that is using the VLAN ID.
  • Page 291: Defining The Allowed Vlans On A Trunk

    Defining the Allowed VLANs on a Trunk (Command / Purpose): configure terminal: Enters global configuration mode. interface interface-id: Specifies the port to be configured, and enters interface configuration mode. switchport mode trunk: Configures the interface as a VLAN trunk port. switchport trunk allowed vlan {add | all ... (truncated): (Optional) Configures the list of VLANs allowed on the trunk.
  • Page 292 Load Sharing Using STP Port Priorities (Command / Purpose): configure terminal: Enters global configuration mode on Switch A. vtp domain domain-name: Configures a VTP administrative domain. The domain name can be 1 to 32 characters. vtp mode server: Configures Switch A as the VTP server.
  • Page 293: Configuring The Vmps Client

    Command / Purpose: show running-config: Verifies your entries. In the display, make sure that the interfaces are configured as trunk ports. show vlan: When the trunk links come up, Switch A receives the VTP information from the other switches.
  • Page 294 Configuring Dynamic-Access Ports on VMPS Clients. Before You Begin: If you are configuring a port on a cluster member switch as a dynamic-access port, first use the rcommand privileged EXEC command to log in to the cluster member switch. Caution: Dynamic-access port VLAN membership is for end stations or hubs connected to end stations.
  • Page 295 The Catalyst 6500 series Switch C and Switch J are secondary VMPS servers. End stations are connected to the clients, Switch B and Switch I. The database configuration file is stored on the TFTP server with the IP address 172.20.22.7. Figure 32 Dynamic Port VLAN Membership Configuration (figure: TFTP server...)
  • Page 296 Configuring an Access Port in a VLAN: Example. This example shows how to configure a port as an access port in VLAN 2: Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# interface GigabitEthernet1/17 Switch(config-if)# switchport mode access Switch(config-if)# switchport access vlan 2 Switch(config-if)# end...
  • Page 299: Configuring Vtp

    VTP of a new VLAN and the switch is already using the maximum available hardware resources, it sends a message that there are not enough hardware resources available and shuts down the VLAN. The output of the show vlan user EXEC command shows the VLAN in a suspended state.
  • Page 300: Vtp Domain

    VTP version 1 and version 2 support only normal-range VLANs (VLAN IDs 1 to 1005). VTP version 3 supports the entire VLAN range (VLANs 1 to 4096). Extended range VLANs (VLANs 1006 to 4096) are supported only in VTP version 3. You cannot convert from VTP version 3 to VTP version 2 if extended VLANs are configured in the domain.
  • Page 301: Vtp Modes

    VTP Modes. Table 36 VTP Modes (VTP Mode / Description): VTP server: In VTP server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as the VTP version) for the entire VTP domain. VTP servers advertise their VLAN configurations to other switches in the same VTP domain and synchronize their VLAN configurations with other switches based on advertisements received over trunk links.
  • Page 302: Vtp Advertisements

    When a switch is in VTP server mode, you can change the VLAN configuration and have it propagated throughout the network. When a switch is in VTP client mode, you cannot change its VLAN configuration. The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly.
  • Page 303: Vtp Version 3

    Version-Dependent Transparent Mode—In VTP version 1, a VTP transparent switch inspects VTP messages for the domain name and version and forwards a message only if the version and domain name match. Although VTP version 2 supports only one domain, a VTP version 2 transparent switch forwards a message only when the domain name matches.
  • Page 304: Vtp Pruning

    If a switch running VTP version 3 is connected to a switch running VTP version 1, the VTP version 1 switch moves to VTP version 2, and the VTP version 3 switch sends scaled-down versions of the VTP packets so that the VTP version 2 switch can update its database.
  • Page 305 Figure 33 Flooding Traffic without VTP Pruning (figure: Switches A through F, with Port 1, Port 2 and one VLAN labelled). Figure 34 on page 301 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch A is not forwarded to Switches C, E, and F because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch B and Port 4 on Switch D).
  • Page 306: Vtp Configuration Guidelines

    Turn off VTP pruning by making all VLANs on the trunk of the switch upstream to the VTP transparent switch pruning ineligible. To configure VTP pruning on an interface, use the switchport trunk pruning vlan interface configuration command. VTP pruning operates when an interface is trunking.
  • Page 307 Passwords: You can configure a password for the VTP domain, but it is not required. If you do configure a domain password, all domain switches must share the same password and you must configure the password on each switch in the management domain.
  • Page 308: Configuring A Vtp Version 3 Password

    Command / Purpose: vtp password password: (Optional) Sets the password for the VTP domain. The password can be 8 to 64 characters. If you configure a VTP password, the VTP domain does not function properly if you do not assign the same password to each switch in the domain.
  • Page 309: Enabling The Vtp Version

    Enabling the VTP Version (Command / Purpose): configure terminal: Enters global configuration mode. vtp version {1 | 2 | 3}: Enables the VTP version on the switch. The default is VTP version 1. end: Returns to privileged EXEC mode. show vtp status: Verifies that the configured VTP version is enabled.
  • Page 310 Command / Purpose: show vtp status: Checks the VTP configuration revision number. If the number is 0, add the switch to the VTP domain. If the number is greater than 0, follow these steps: Write down the domain name. Write down the configuration revision number.
  • Page 311 Configuration Examples for Configuring VTP. Configuring a VTP Server: Example. This example shows how to configure the switch as a VTP server with the domain name eng_group and the password mypassword: Switch(config)# vtp domain eng_group Setting VTP domain name to eng_group.
  • Page 313: Configuring Voice Vlan

    Cisco 7960 IP Phone, the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of a Cisco IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS.
  • Page 314: Cisco Ip Phone Voice Traffic

    You can configure a port connected to the Cisco IP phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value.
  • Page 315: Default Voice Vlan Configuration

    Port Fast feature is not automatically disabled. If the Cisco IP phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN: —...
  • Page 316: Configuring The Priority Of Incoming Data Frames

    Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco IP phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP phone.
  • Page 317 Configuring the Cisco IP Phone Priority of Incoming Data Frames: Example This example shows how to configure a port connected to a Cisco IP phone to not change the priority of frames received from the PC or the attached device:...
  • Page 319: Port-Based Vlans

    This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
  • Page 320 Spanning tree forces redundant data paths into a standby (blocked) state. If a network segment in the spanning tree fails and a redundant path exists, the spanning-tree algorithm recalculates the spanning-tree topology and activates the standby path.
  • Page 321 A root port is selected for each switch (except the root switch). This port provides the best path (lowest cost) when the switch forwards packets to the root switch. The shortest distance to the root switch is calculated for each switch based on the path cost. ...
  • Page 322 Learning—The interface prepares to participate in frame forwarding. Forwarding—The interface forwards frames. Disabled—The interface is not participating in spanning tree because of a shutdown port, no link on the port, or no spanning-tree instance running on the port.
  • Page 323: Blocking State

    When the forward-delay timer expires, spanning tree moves the interface to the forwarding state, where both learning and frame forwarding are enabled. Blocking State: A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each switch interface.
  • Page 324: Disabled State

    Forwards frames switched from another interface; learns addresses; receives BPDUs. Disabled State: A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational.
  • Page 325: Spanning Tree And Redundant Connectivity

    Spanning Tree and Redundant Connectivity: You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure 38 on page 321.
  • Page 326 The switch supports these spanning-tree modes and protocols: PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
  • Page 327 When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+. The switch combines the spanning-tree instance of the IEEE 802.1Q VLAN of the trunk with the spanning-tree instance of the...
  • Page 328: Disabling Spanning Tree

    Default Spanning-Tree Settings. Table 39 Default Spanning-Tree Settings (Feature / Default Setting): Enable state: Enabled on VLAN 1. Spanning-tree mode: PVST+ (Rapid PVST+ and MSTP are disabled). Switch priority: 32768. Spanning-tree port priority (configurable on a per-interface basis): 128.
  • Page 329 Note: The spanning-tree vlan vlan-id root global configuration command fails if the value necessary to be the root switch is less than 1. Note: If your network consists of switches that both do and do not support the extended system ID, it is unlikely that the switch with the extended system ID support will become the root switch.
  • Page 330 Spanning-Tree Timers. Table 40 Spanning-Tree Timers (Variable / Description): Hello timer: Controls how often the switch broadcasts hello messages to other switches. Forward-delay timer: Controls how long each of the listening and learning states last before the interface begins forwarding.
  • Page 331 How to Configure STP. Changing the Spanning-Tree Mode (Command / Purpose): configure terminal: Enters global configuration mode. spanning-tree mode {pvst | mst | rapid-pvst}: Configures a spanning-tree mode. pvst—Enables PVST+ (the default setting). mst—Enables MSTP (and RSTP).
  • Page 332 Configuring the Root Switch (Command / Purpose): configure terminal: Enters global configuration mode. spanning-tree vlan vlan-id root primary [diameter net-diameter [hello-time seconds]]: Configures a switch to become the root for the specified VLAN. vlan-id—Specifies a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma.
  • Page 333: Configuring Port Priority

    Configuring Port Priority (Command / Purpose): configure terminal: Enters global configuration mode. interface interface-id: Specifies an interface to configure, and enters interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces (port-channel port-channel-number). spanning-tree port-priority priority: Configures the port priority for an interface.
  • Page 334 Command / Purpose: spanning-tree vlan vlan-id max-age seconds: Configures the maximum-aging time of a VLAN. spanning-tree transmit hold-count value: Configures the number of BPDUs that can be sent before pausing for 1 second. Note: Changing this parameter to a higher value can have a significant impact on CPU utilization, especially in Rapid-PVST mode.
  • Page 337: Configuring Mstp

    This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the switch. Note: The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard. The MSTP enables multiple VLANs to be mapped to the same spanning-tree instance, reducing the number of spanning-tree instances needed to support a large number of VLANs.
  • Page 338: Operations Within An Mst Region

    IST, CIST, and CST: Unlike PVST+ and rapid PVST+, in which all the spanning-tree instances are independent, the MSTP establishes and maintains two types of spanning trees: An internal spanning tree (IST), which is the spanning tree that runs in an MST region. Within each MST region, the MSTP maintains multiple spanning-tree instances.
  • Page 339 MSTP switches use MSTP BPDUs to communicate with MSTP switches. IEEE 802.1s Terminology Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network.
  • Page 340: Hop Count

    Boundary Ports In the Cisco prestandard implementation, a boundary port connects an MST region to a single spanning-tree region running RSTP, to a single spanning-tree region running PVST+ or rapid PVST+, or to another MST region with a different MST configuration.
  • Page 341: Port Role Naming Change

    ID of root, whether or not A or B is designated for the segment. IEEE 802.1s Implementation The Cisco implementation of the IEEE MST standard includes features required to meet the standard, as well as some of the desirable prestandard functionality that is not yet incorporated into the published standard.
  • Page 342: Detecting Unidirectional Link Failure

    Detecting Unidirectional Link Failure This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
  • Page 343: Port Roles And The Active Topology

    Port state comparison (Operational status / STP port state / RSTP port state): Enabled / Blocking / Discarding; Enabled / Listening / Discarding; Enabled / Learning / Learning; Enabled / Forwarding / Forwarding; Disabled / Disabled / Discarding. To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state.
  • Page 344: Switch Ports

    Rapid Convergence: The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN. It provides rapid convergence for edge ports, new root ports, and ports connected through point-to-point links as follows: ...
  • Page 345: Synchronization Of Port Roles

    Figure 42 Proposal and Agreement Handshaking for Rapid Convergence (figure: Switch A, Switch B and Switch C exchanging proposal and agreement messages over designated and root ports; DP = designated port, RP = root port, F = forwarding). Synchronization of Port Roles: When the switch receives a proposal message on one of its ports and that port is selected as the new root port, the RSTP...
  • Page 346: Bridge Protocol Data Unit Format And Processing

    Configuring MSTP Information About Configuring MSTP Figure 43 Sequence of Events During Rapid Convergence (numbered proposal, block, agreement and forward steps between the root port, the designated port and an edge port). Bridge Protocol Data Unit Format and Processing The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version is set to 2.
  • Page 347: Processing Superior Bpdu Information

    Configuring MSTP Information About Configuring MSTP The RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change (TC) flag to show the topology changes. However, for interoperability with IEEE 802.1D switches, the RSTP switch processes and generates TCN BPDUs.
  • Page 348: Mstp Configuration Guidelines

    Configuring MSTP Information About Configuring MSTP If the switch receives an IEEE 802.1D BPDU after the port migration-delay timer has expired, it assumes that it is connected to an IEEE 802.1D switch and starts using only IEEE 802.1D BPDUs. However, if the RSTP switch is using IEEE 802.1D BPDUs on a port and receives an RSTP BPDU after the timer has expired, it restarts the timer and starts using RSTP BPDUs on that port.
  • Page 349 Configuring MSTP Information About Configuring MSTP - Partitioning the network into a large number of regions is not recommended. However, if this situation is unavoidable, we recommend that you partition the switched LAN into smaller LANs interconnected by routers or non-Layer 2 devices.
  • Page 350: Restarting The Protocol Migration Process

    Configuring MSTP How to Configure MSTP Port Priority If a loop occurs, the MSTP uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) that you want selected last.
  • Page 351 Configuring MSTP How to Configure MSTP Command / Purpose:
    configure terminal: Enters global configuration mode.
    spanning-tree mst configuration: Enters MST configuration mode.
    instance instance-id vlan vlan-range: Maps VLANs to an MST instance. instance-id: range is 0 to 4096. vlan vlan-range: range is 1 to 4096. When you map VLANs to an MST instance, the mapping is incremental, and the VLANs specified in the command are added to or removed from the VLANs that were previously mapped.
  • Page 352 Configuring MSTP How to Configure MSTP Command / Purpose:
    configure terminal: Enters global configuration mode.
    spanning-tree mst instance-id root primary [diameter net-diameter [hello-time seconds]]: Configures a switch as the root switch. instance-id specifies a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma.
  • Page 353 Configuring MSTP How to Configure MSTP Command / Purpose:
    configure terminal: Enters global configuration mode.
    spanning-tree mst instance-id priority priority: Configures the switch priority. instance-id specifies a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma.
  • Page 354 Configuring MSTP Monitoring and Maintaining MSTP Command / Purpose:
    spanning-tree mst instance-id port-priority priority: Configures the port priority. instance-id specifies a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 4096.
  • Page 355 Configuring MSTP Configuration Examples for Configuring MSTP Configuration Examples for Configuring MSTP Configuring the MST Region: Example This example shows how to enter MST configuration mode, map VLANs 10 to 20 to MST instance 1, name the region region1, set the configuration revision to 1, display the pending configuration, apply the changes, and return to global configuration mode: Switch(config)# spanning-tree mst configuration Switch(config-mst)# instance 1 vlan 10-20...
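A complete run of the MST procedure from the preceding pages, as an added example that is not from the guide: it builds one MST region, makes the switch root for the IST (instance 0) and secondary root for the other instances, and sets a per-instance port priority and cost on one trunk. The region name, revision number and VLAN-to-instance mapping must be identical on every switch that is meant to share the region; a switch whose mapping differs forms its own region and is reached through a boundary port. The region name, VLAN ranges, instance numbers, diameter and interface name are assumptions.

```cisco
! Added example, not from the guide. Region name, VLANs, instances and interface are assumptions.
spanning-tree mode mst
spanning-tree mst configuration
 name region1
 revision 1
 instance 1 vlan 10-20
 instance 2 vlan 30-40
 show pending
 exit
!
! Root for the IST; diameter tunes hello/forward-delay/max-age for a seven-switch tree
spanning-tree mst 0 root primary diameter 7
! Secondary root for instances 1 and 2 (hyphen range syntax)
spanning-tree mst 1-2 root secondary
! Priority can also be set directly, in steps of 4096
spanning-tree mst 2 priority 8192
!
interface GigabitEthernet1/1
 switchport mode trunk
 ! Lower value wins when two ports of this switch have equal cost for instance 1
 spanning-tree mst 1 port-priority 64
 spanning-tree mst 1 cost 200
!
! Every switch in the region must print the same name, revision and digest
show spanning-tree mst configuration
show spanning-tree mst configuration digest
show spanning-tree mst 1
```

Compare the digest line on each switch: two switches that agree on name and revision but differ in a single VLAN mapping produce different digests and silently split into two regions, which is the most common cause of unexpected boundary ports and blocked links.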
  • Page 356 MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml RFCs...
  • Page 357 If you enable PortFast on an interface connecting to another switch, you risk creating a spanning-tree loop. You can enable this feature by using the spanning-tree portfast interface configuration or the spanning-tree portfast default global configuration command.
  • Page 358: Bpdu Guard

    Configuring Optional Spanning-Tree Features Information About Configuring the Optional Spanning-Tree Features Figure 44 PortFast-Enabled Interfaces (a server and workstations attached to PortFast-enabled ports). BPDU Guard The BPDU guard feature can be globally enabled on the switch or can be enabled per port, but the feature operates with some differences.
  • Page 359: Bpdu Filtering

    Configuring Optional Spanning-Tree Features Information About Configuring the Optional Spanning-Tree Features Caution: Configure Port Fast only on ports that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation. You also can use the spanning-tree bpduguard enable interface configuration command to enable BPDU guard on any port without also enabling the Port Fast feature.
  • Page 360 Configuring Optional Spanning-Tree Features Information About Configuring the Optional Spanning-Tree Features Figure 45 Switches in a Hierarchical Network (root bridge and backbone switches, distribution switches and access switches, with active and blocked links). If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port. By enabling UplinkFast with the spanning-tree uplinkfast global configuration command, you can accelerate the choice of a new root port when a link or switch fails or when the spanning tree reconfigures itself.
  • Page 361: Enabling Uplinkfast For Use With Redundant Links

    Configuring Optional Spanning-Tree Features Information About Configuring the Optional Spanning-Tree Features Figure 46 UplinkFast Example Before Direct Link Failure (Switch A is the root; Switch C has a blocked port towards Switch B). If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure 47 on page...
  • Page 362 Configuring Optional Spanning-Tree Features Information About Configuring the Optional Spanning-Tree Features BackboneFast BackboneFast detects indirect failures in the core of the backbone. BackboneFast is a complementary technology to the UplinkFast feature, which responds to failures on links directly connected to access switches. BackboneFast optimizes the maximum-age timer, which controls the amount of time the switch stores protocol information received on an interface.
  • Page 363: Enabling Backbonefast

    Configuring Optional Spanning-Tree Features Information About Configuring the Optional Spanning-Tree Features if the default Forward Delay time of 15 seconds is set. Figure 49 on page 359 shows how BackboneFast reconfigures the topology to account for the failure of link L1. Figure 49 BackboneFast Example After Indirect Link Failure Switch A...
  • Page 364: Root Guard

    Configuring Optional Spanning-Tree Features Information About Configuring the Optional Spanning-Tree Features EtherChannel Guard You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel, but the interfaces on the other device are not.
  • Page 365: Enabling Root Guard

    Configuring Optional Spanning-Tree Features Information About Configuring the Optional Spanning-Tree Features Figure 51 Root Guard in a Service-Provider Network (a customer network attached to the service-provider network; the desired root switch sits in the provider network, and a customer switch is a potential spanning-tree root where root guard is not enabled). Enable the root-guard feature on these interfaces to prevent switches in the customer network from becoming the root switch or being...
  • Page 366 Configuring Optional Spanning-Tree Features How to Configure the Optional Spanning-Tree Features Default Optional Spanning-Tree Settings Table 45 Default Optional Spanning-Tree Settings (Feature: Default Setting):
    PortFast, BPDU filtering, BPDU guard: Globally disabled (unless they are individually configured per interface).
    UplinkFast: Globally disabled.
    BackboneFast: Globally disabled.
  • Page 367 Configuring Optional Spanning-Tree Features Maintaining and Monitoring Optional Spanning-Tree Features Command / Purpose:
    spanning-tree portfast bpdufilter default: Enables BPDU filtering. By default, BPDU filtering is disabled.
    spanning-tree uplinkfast [max-update-rate pkts-per-second]: Enables UplinkFast. (Optional) pkts-per-second: the range is 0 to 32000 packets per second; the default is 150. If you set the rate to 0, station-learning frames are not generated, and the spanning-tree topology converges more slowly after a loss of connectivity.
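How a practitioner combines these optional features on an access switch, as an added example that is not part of the guide: PortFast plus BPDU guard on every end-station port (a BPDU arriving there means a switch, or an attacker's bridge, was plugged in, so the port is error-disabled), root guard on the trunk towards a downstream or customer switch so it can never win the root election, EtherChannel guard globally, and none of PortFast, BPDU guard or BPDU filtering on the uplink to the core. Interface numbers, the VLAN and the recovery interval are assumptions.

```cisco
! Added example, not from the guide. Interfaces, VLAN and timers are assumptions.
! Globally: every access port gets PortFast, and a BPDU on a PortFast port shuts it down
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree etherchannel guard misconfig
! Bring bpduguard-errdisabled ports back after 5 minutes so a one-off event does not need a visit
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! End-station port: PortFast and BPDU guard set explicitly so the port stays protected
! even if someone later removes the global defaults
interface GigabitEthernet1/5
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Trunk towards a downstream (or customer) switch: it may send BPDUs, but must never become root.
! Root guard moves the port to root-inconsistent if a superior BPDU arrives and recovers by itself.
interface GigabitEthernet1/17
 switchport mode trunk
 spanning-tree guard root
!
! Uplink to the core: ordinary STP participant, nothing disabled or filtered
interface GigabitEthernet1/1
 switchport mode trunk
 no spanning-tree portfast
 no spanning-tree bpdufilter enable
!
show spanning-tree summary
show spanning-tree interface GigabitEthernet1/5 detail
show spanning-tree inconsistentports
show errdisable recovery
```

Keep BPDU filtering off on any port that can ever see a BPDU: the interface form (spanning-tree bpdufilter enable) drops BPDUs in both directions and removes that port from STP entirely, whereas the global spanning-tree portfast bpdufilter default form only applies to PortFast ports and gives up filtering as soon as a BPDU is received. BPDU guard fails closed; BPDU filtering fails open.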
  • Page 369 Configuring Resilient Ethernet Protocol Information About Configuring REP Resilient Ethernet Protocol (REP) is a Cisco proprietary protocol that provides an alternative to Spanning Tree Protocol (STP) to control network loops, handle link failures, and improve convergence time. REP controls a group of ports connected in a segment, ensures that the segment does not create any bridging loops, and responds to link failures within the segment.
  • Page 370 Configuring Resilient Ethernet Protocol Information About Configuring REP Figure 53 REP Ring Segment. REP segments have these characteristics: - If all ports in the segment are operational, one port (referred to as the alternate port) is in the blocked state for each VLAN.
  • Page 371: Link Integrity

    All other ports become unblocked. By default, REP packets are sent to a BPDU class MAC address. The packets can also be sent to the Cisco multicast address, which is used only to send blocked port advertisement (BPA) messages when there is a failure in the segment.
  • Page 372 Configuring Resilient Ethernet Protocol Information About Configuring REP - By entering the neighbor offset number of a port in the segment, which identifies the downstream neighbor port of an edge port. The neighbor offset number range is –256 to +256; a value of 0 is invalid. The primary edge port has an offset number of 1;...
  • Page 373: Spanning Tree Interaction

    Configuring Resilient Ethernet Protocol REP Segments Reconfigure the primary edge port to reconfigure load balancing. When you change the load balancing configuration, the primary edge port again waits for the rep preempt segment command or for the configured preempt delay period after a port failure and recovery before executing the new configuration.
  • Page 374: Rep Configuration Guidelines

    - REP sends all LSL PDUs in untagged frames on the native VLAN. The BPA message sent to the Cisco multicast address is sent on the administration VLAN, which is VLAN 1 by default.
  • Page 375: Configuring The Rep Administrative Vlan

    Configuring Resilient Ethernet Protocol How to Configure REP — EtherChannel port channel interfaces do not support LSL age-timer values less than 1000 ms. If you try to configure a value less than 1000 ms on a port channel, you receive an error message and the command is rejected.
  • Page 376 Configuring Resilient Ethernet Protocol How to Configure REP Command / Purpose:
    configure terminal: Enters global configuration mode.
    interface interface-id: Specifies the interface, and enters interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 10.
    switchport mode trunk: Configures the interface as a Layer 2 trunk port.
  • Page 377 The range is from 120 to 10000 ms in 40-ms increments. The default is 5000 ms (5 seconds). Note: If the neighbor device is not running Cisco IOS Release 12.2(52)SE or later, it only accepts values from 3000 to 10000 ms in 500-ms intervals. EtherChannel port channel interfaces do not support LSL age-timer values less than 1000 ms.
  • Page 378: Setting Manual Preemption For Vlan Load Balancing

    Configuring Resilient Ethernet Protocol Monitoring and Maintaining REP Setting Manual Preemption for VLAN Load Balancing Before You Begin If you do not enter the rep preempt delay seconds interface configuration command on the primary edge port to configure a preemption time delay, the default is to manually trigger VLAN load balancing on the segment. Be sure that all other segment configuration has been completed before manually preempting VLAN load balancing.
  • Page 379 Configuring Resilient Ethernet Protocol Configuration Examples for Configuring REP
    GigabitEthernet1/17 REP enabled
    Segment-id: 2 (Edge)
    PortID: 00010019E7144680
    Preferred flag: No
    Operational Link Status: TWO_WAY
    Current Key: 0002001121A2D5800E4D
    Port Role: Open
    Blocked Vlan: <empty>
    Admin-vlan: 100
    Preempt Delay Timer: disabled
    LSL Ageout Timer: 5000 ms
    Configured Load-balancing Block Port: none
    Configured Load-balancing Block VLAN: none
    STCN Propagate to: none...
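The REP procedure from the preceding pages carried through end to end, as an added example that is not from the guide: a primary edge port and a secondary edge port on the two switches that close the ring, an intermediate port, the administrative VLAN moved off VLAN 1, a preempt delay and LSL age timer on the primary edge, and VLAN load balancing that is only activated by preemption. Segment number, VLAN numbers, neighbor offset, timers and interface names are assumptions. The rep preempt segment command is privileged EXEC, not configuration.

```cisco
! Added example, not from the guide. Segment, VLANs, offset, timers and interfaces are assumptions.
! Administrative VLAN for BPA messages (default is VLAN 1; keep control traffic off the default VLAN)
rep admin vlan 100
!
! Switch 1: primary edge port of segment 2
interface GigabitEthernet1/17
 switchport mode trunk
 rep segment 2 edge primary
 ! Propagate topology changes into the STP domain attached to the edge
 rep stcn stp
 ! Re-apply the configured load balancing 60 s after a failed port recovers
 rep preempt delay 60
 ! Hello age-out; range 120-10000 ms in 40-ms steps, must not be under 1000 ms on a port channel
 rep lsl-age-timer 5000
 ! Load balancing: block VLANs 1-50 on the port at neighbor offset 3 (counted from this edge, offset 1)
 rep block port 3 vlan 1-50
!
! Switch 2 (other end of the ring): secondary edge port of the same segment
interface GigabitEthernet1/18
 switchport mode trunk
 rep segment 2 edge
!
! Any intermediate switch: plain segment ports, no edge keyword
interface GigabitEthernet1/1
 switchport mode trunk
 rep segment 2
!
! Only after every port in the segment is configured and the segment is complete:
rep preempt segment 2
show interfaces rep detail
show rep topology segment 2
```

Verify with show rep topology segment 2 that exactly one port is reported as the alternate (blocked) port before triggering preemption; preempting an incomplete segment leaves the load-balancing configuration pending on the primary edge until the next failure and recovery.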
  • Page 381 1 comes back up and has more bandwidth than port 2, port 1 begins forwarding traffic after 60 seconds. Port 2 becomes the standby port. You do this by entering the interface configuration switchport backup interface preemption mode bandwidth and switchport backup interface preemption delay commands.
  • Page 382 Configuring FlexLinks and the MAC Address-Table Move Update Information About Configuring the FlexLinks and the MAC Address-Table Move Update Figure 57 FlexLinks Configuration Example (Switch A connects through port 1 to uplink switch B and through port 2 to uplink switch C). If a primary (forwarding) link goes down, a trap notifies the network management stations. If the standby link goes down, a trap notifies the users.
  • Page 383: Generating Igmp Reports

    Configuring FlexLinks and the MAC Address-Table Move Update Information About Configuring the FlexLinks and the MAC Address-Table Move Update Generating IGMP Reports When the backup link comes up after the changeover, the upstream new distribution switch does not start forwarding multicast data, because the port on the upstream router, which is connected to the blocked FlexLinks port, is not part of any multicast group.
  • Page 384 Configuring FlexLinks and the MAC Address-Table Move Update Information About Configuring the FlexLinks and the MAC Address-Table Move Update Figure 59 MAC Address-Table Move Update Example (Switches A, B, C and D, with a server attached to Switch C; Switch A ports 1 and 2, Switch C ports 3 and 4). Default Settings for FlexLinks and MAC Address-Table Move Update Default Settings...
  • Page 385 Configuring FlexLinks and the MAC Address-Table Move Update How to Configure the FlexLinks and MAC Address-Table Move Update - Neither of the links can be a port that belongs to an EtherChannel. However, you can configure two port channels (EtherChannel logical interfaces) as FlexLinks, and you can configure a port channel and a physical interface as FlexLinks, with either the port channel or the physical interface as the active link.
  • Page 386 Configuring FlexLinks and the MAC Address-Table Move Update How to Configure the FlexLinks and MAC Address-Table Move Update Configuring a Preemption Scheme for FlexLinks Command / Purpose: configure terminal: Enters global configuration mode. interface interface-id: Specifies the interface, and enters interface configuration mode.
  • Page 387 Configuring FlexLinks and the MAC Address-Table Move Update How to Configure the FlexLinks and MAC Address-Table Move Update Configuring the MAC Address-Table Move Update Feature Command Purpose configure terminal Enters global configuration mode. interface interface-id Specifies the interface, and enters interface configuration mode.
  • Page 388 Configuring FlexLinks and the MAC Address-Table Move Update Maintaining and Monitoring the FlexLinks and MAC Address-Table Move Update Maintaining and Monitoring the FlexLinks and MAC Address-Table Move Update Command Purpose show interfaces [interface-id] switchport backup Displays the FlexLinks backup interface configured for an interface or all the configured FlexLinks and the state of each active and backup interface (up or standby mode).
  • Page 389 Configuring FlexLinks and the MAC Address-Table Move Update Configuration Examples for the FlexLinks and MAC Address-Table Move Update
    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# interface GigabitEthernet1/17
    Switch(config-if)# switchport backup interface GigabitEthernet1/18 multicast fast-convergence
    Switch(config-if)# exit
    Switch# show interfaces switchport backup detail
    Switch Backup Interface Pairs:...
  • Page 390 Configuring FlexLinks and the MAC Address-Table Move Update Configuration Examples for the FlexLinks and MAC Address-Table Move Update
    Active Interface   Backup Interface   State
    ------------------------------------------------------------------------
    Vlans Preferred on Active Interface: 1-3,5-4096
    Vlans Preferred on Backup Interface: 4
    Configuring a Preemption Scheme: Example This example shows how to configure the preemption mode as forced for a backup interface pair and to verify the configuration: Switch# configure terminal...
  • Page 391 Configuring FlexLinks and the MAC Address-Table Move Update Configuration Examples for the FlexLinks and MAC Address-Table Move Update When a FlexLinks interface comes up, VLANs preferred on this interface are blocked on the peer interface and moved to the forwarding state on the interface that has just come up. In this example, if interface Gigabit Ethernet1/1 comes up, VLANs preferred on this interface are blocked on the peer interface Gigabit Ethernet1/2 and forwarded on Gigabit Ethernet1/1.
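The bandwidth-based preemption described on Page 381 together with the MAC address-table move update feature, as an added example that is not from the guide and does not repeat the page's own forced-preemption and multicast examples. The access switch (Switch A) pairs two uplinks, lets the higher-bandwidth one take back the active role 60 seconds after it recovers, and transmits move-update messages so the upstream switches relearn the server's MAC address through the new path instead of blackholing traffic until the address ages out. Interface names, VLAN and delay are assumptions.

```cisco
! Added example, not from the guide. Interfaces, VLAN and delay are assumptions.
! Switch A (access switch): Gi1/17 is the active uplink, Gi1/18 the standby
interface GigabitEthernet1/17
 switchport mode trunk
 switchport backup interface GigabitEthernet1/18
 ! After a failover, prefer whichever link has more bandwidth, but wait 60 s before switching back
 switchport backup interface GigabitEthernet1/18 preemption mode bandwidth
 switchport backup interface GigabitEthernet1/18 preemption delay 60
 ! Share load: VLAN 4 is forwarded on the standby link while both are up
 switchport backup interface GigabitEthernet1/18 prefer vlan 4
!
! Access switch announces the move when the active link changes
mac address-table move update transmit
!
! Upstream switches (B and D in Figure 59) act on the announcement and flush the stale entries
mac address-table move update receive
!
show interfaces switchport backup detail
show mac address-table move update
```

Both halves are needed: with transmit configured on the access switch but receive missing on the uplink switches, the messages are ignored and the server remains unreachable until the upstream MAC entry ages out or the server sends a frame.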
  • Page 393: Configuring Dhcp

    Messages from unknown devices are untrusted because they can be sources of traffic attacks.
  • Page 394 Configuring DHCP Information About Configuring DHCP The DHCP snooping binding database has the MAC address, the IP address, the lease time, the binding type, the VLAN number, and the interface information that corresponds to the local untrusted interfaces of a switch. It does not have information regarding hosts interconnected with a trusted interface.
  • Page 395 Configuring DHCP Information About Configuring DHCP Figure 60 DHCP Relay Agent in a Metropolitan Ethernet Network (a DHCP server reached through a Catalyst switch that acts as the DHCP relay agent at the access layer; subscribers Host A and Host B are DHCP clients in VLAN 10). When you enable the DHCP snooping information option-82 on the switch, this sequence of events occurs: ...
  • Page 396 Configuring DHCP Information About Configuring DHCP — Length of the remote-ID type In the port field of the circuit-ID suboption, the port numbers start at 3. Figure 61 on page 392 shows the packet formats for the remote-ID suboption and the circuit-ID suboption when the default suboption configuration is used. The switch uses the packet formats when you globally enable DHCP snooping and enter the ip dhcp snooping information option global configuration command.
  • Page 397: Cisco Ios Dhcp Server Database

    It has IP addresses, address bindings, and configuration parameters, such as the boot file. An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool.
  • Page 398 Default DHCP Snooping Settings Table 46 Default DHCP Snooping Settings (Feature: Default Setting):
    DHCP server: Enabled in Cisco IOS software, requires configuration
    DHCP relay agent: Enabled
    DHCP packet forwarding address: None configured
    Checking the relay agent information: Enabled (invalid messages are dropped)
  • Page 399: Dhcp Snooping Configuration Guidelines

    DHCP server. DHCP snooping binding database agent Enabled in Cisco IOS software, requires configuration. This feature is operational only when a destination is configured. The switch responds to DHCP requests only if it is configured as a DHCP server.
  • Page 400 In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device. The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server.
  • Page 401: Configuring The Dhcp Relay Agent

    Configuring DHCP How to Configure DHCP - Only one IP address can be assigned per port. - Reserved addresses (preassigned) cannot be cleared by using the clear ip dhcp binding global configuration command. - Preassigned addresses are automatically excluded from normal dynamic IP address assignment. Preassigned addresses cannot be used in host pools, but there can be multiple preassigned addresses per DHCP address pool.
  • Page 402: Enabling Dhcp Snooping And Option 82

    Configuring DHCP How to Configure DHCP Command Purpose interface range port-range Configures multiple physical ports that are connected to the DHCP clients, and enters interface range configuration mode. interface interface-id Configures a single physical port that is connected to the DHCP client, and enters interface configuration mode.
  • Page 403: Enabling The Dhcp Snooping Binding Database Agent

    Configuring DHCP How to Configure DHCP Command / Purpose:
    ip dhcp snooping vlan vlan information option format-type circuit-id [override] string ASCII-string: (Optional) Configures the circuit-ID suboption for the specified interface. Specifies the VLAN and port identifier, using a VLAN ID in the range of 1 to 4096.
  • Page 404 Configuring DHCP How to Configure DHCP Command / Purpose:
    ip dhcp snooping database write-delay seconds: Specifies the duration for which the transfer should be delayed after the binding database changes. The range is from 15 to 86400 seconds. The default is 300 seconds (5 minutes).
    end: Returns to privileged EXEC mode.
  • Page 405 Displays the DHCP address pools. show ip dhcp binding Displays address bindings on the Cisco IOS DHCP server. ip dhcp snooping database timeout seconds Specifies (in seconds) how long to wait for the database transfer process to finish before stopping.
  • Page 406 Configuring DHCP Additional References
    hostname switch
    no aaa new-model
    clock timezone EST 0
    ip subnet-zero
    ip dhcp relay information policy removal pad
    no ip dhcp use vrf connected
    ip dhcp use subscriber-id client-id
    ip dhcp subscriber-id interface-name
    ip dhcp excluded-address 10.1.1.1 10.1.1.3
    ip dhcp pool dhcppool
     network 10.1.1.0 255.255.255.0
     address 10.1.1.7 client-id “Et1/0”...
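The DHCP snooping procedure from this chapter carried through on an access switch, as an added example that is not from the guide: snooping on the client VLAN, option 82 insertion, MAC-address verification, one trusted uplink towards the DHCP server or relay, rate-limited untrusted client ports, and the binding database written to an external agent so bindings (which DAI and IP source guard depend on) survive a reload. The VLAN, interface numbers, rate limit, TFTP server address and file name are assumptions.

```cisco
! Added example, not from the guide. VLAN, interfaces, rate and TFTP URL are assumptions.
ip dhcp snooping
ip dhcp snooping vlan 10
! Insert circuit-ID/remote-ID (option 82) so the server can see which port asked
ip dhcp snooping information option
! Drop client packets whose source MAC differs from the chaddr field
ip dhcp snooping verify mac-address
! Persist the binding table; write 60 s after a change, give up a transfer after 60 s
ip dhcp snooping database tftp://10.1.1.5/ie4000-snoop.db
ip dhcp snooping database write-delay 60
ip dhcp snooping database timeout 60
!
! The only trusted port: the uplink that leads to the DHCP server (or relay).
! Server replies (OFFER/ACK) arriving on an untrusted port are dropped.
interface GigabitEthernet1/1
 switchport mode trunk
 ip dhcp snooping trust
!
! Client ports stay untrusted (the default); cap DHCP at 15 pps so a rogue client
! cannot exhaust the CPU or the binding table. Exceeding it error-disables the port.
interface range GigabitEthernet1/5 - 16
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
errdisable recovery cause dhcp-rate-limit
!
show ip dhcp snooping
show ip dhcp snooping binding
show ip dhcp snooping database
show ip dhcp snooping statistics
```

If this switch sits behind another switch or relay that already inserts option 82, packets with option 82 and giaddr 0 arriving on an untrusted port are dropped by default; either trust that inter-switch port or, on an aggregation switch only, use ip dhcp snooping information option allow-untrusted, never on ports facing end stations.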
  • Page 408 Configuring DHCP Additional References...
  • Page 409: Configuring Dynamic Arp Inspection

    Host A needs to communicate to Host B at the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB. When the switch and Host B receive the ARP request, they populate their ARP caches with an ARP
  • Page 410: Interface Trust States And Network Security

    Configuring Dynamic ARP Inspection Information About Dynamic ARP Inspection binding for a host with the IP address IA and a MAC address MA; for example, IP address IA is bound to MAC address MA. When Host B responds, the switch and Host A populate their ARP caches with a binding for a host with the IP address IB and the MAC address MB.
  • Page 411: Rate Limiting Of Arp Packets

    Configuring Dynamic ARP Inspection Information About Dynamic ARP Inspection Figure 64 ARP Packet Validation on a VLAN Enabled for DAI (a DHCP server; Switch A with Host 1 on Port 1; Switch B with Host 2 on Port 3). Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the network. If Switch A is not running DAI, Host 1 can easily poison the ARP cache of Switch B (and Host 2, if the link between the switches is configured as trusted).
  • Page 412: Logging Of Dropped Packets

    Configuring Dynamic ARP Inspection Information About Dynamic ARP Inspection ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch uses ACLs only if you configure them by using the ip arp inspection filter vlan global configuration command. The switch first compares ARP packets to user-configured ARP ACLs.
  • Page 413: Configuring Dynamic Arp Inspection In Dhcp Environments

    Configuring Dynamic ARP Inspection How to Configure Dynamic ARP Inspection - DAI is not effective for hosts connected to switches that do not support DAI or that do not have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain, separate the domain with DAI checks from the one with no checking.
  • Page 414 Configuring Dynamic ARP Inspection How to Configure Dynamic ARP Inspection Command Purpose show cdp neighbors Verifies the connection between the switches. configure terminal Enters global configuration mode. ip arp inspection vlan vlan-range Enables DAI on a per-VLAN basis. By default, DAI is disabled on all VLANs.
  • Page 415 Configuring Dynamic ARP Inspection How to Configure Dynamic ARP Inspection Command Purpose configure terminal Enters global configuration mode. arp access-list acl-name Defines an ARP ACL, and enters ARP access-list configuration mode. By default, no ARP access lists are defined. Note: At the end of the ARP access list, there is an implicit deny ip any mac any command.
  • Page 416: Limiting The Rate Of Incoming Arp Packets

    Configuring Dynamic ARP Inspection How to Configure Dynamic ARP Inspection Command Purpose interface interface-id Specifies the Switch A interface that is connected to Switch B, and enters interface configuration mode. no ip arp inspection trust Configures the Switch A interface that is connected to Switch B as untrusted.
  • Page 417: Performing Validation Checks

    Configuring Dynamic ARP Inspection How to Configure Dynamic ARP Inspection Performing Validation Checks Command / Purpose:
    configure terminal: Enters global configuration mode.
    ip arp inspection validate {[src-mac] [dst-mac] [ip]}: Performs a specific check on incoming ARP packets. By default, no checks are performed.
  • Page 418: Configuring The Log Buffer

    Configuring Dynamic ARP Inspection How to Configure Dynamic ARP Inspection Configuring the Log Buffer Command / Purpose:
    configure terminal: Enters global configuration mode.
    ip arp inspection log-buffer {entries number | logs number interval seconds}: Configures the DAI logging buffer. By default, when DAI is enabled, denied or dropped ARP packets are logged.
  • Page 419 Configuring Dynamic ARP Inspection Monitoring and Maintaining Dynamic ARP Inspection Monitoring and Maintaining Dynamic ARP Inspection Command Description clear ip arp inspection log Clears the DAI log buffer. clear ip arp inspection statistics Clears the DAI statistics. show arp access-list [acl-name] Displays detailed information about ARP ACLs.
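The DAI procedures from this chapter applied to Switch A in Figure 64, as an added example that is not from the guide: DAI on the client VLAN fed by DHCP snooping bindings, the inter-switch link to Switch B (which also runs DAI) trusted for both snooping and DAI, a statically addressed server admitted through an ARP ACL, the optional header validations, per-port ARP rate limiting, and the log buffer. The VLAN, addresses, MAC address, interface numbers and rate values are assumptions.

```cisco
! Added example, not from the guide. VLAN, addresses, MAC, interfaces and rates are assumptions.
! DAI validates against the DHCP snooping binding table, so snooping must be on for the VLAN
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! Beyond the binding lookup: reject bogus sender/target MACs and invalid IPs (0.0.0.0, multicast...)
ip arp inspection validate src-mac dst-mac ip
!
! Server with a fixed address that never sends DHCP: whitelist its IP/MAC pair.
! The ACL is checked first; packets it does not match fall through to the binding table
! only because the "static" keyword is NOT used on the filter command.
arp access-list DAI-STATIC-HOSTS
 permit ip host 10.1.1.20 mac host 0000.0c12.3456
ip arp inspection filter DAI-STATIC-HOSTS vlan 10
!
! Keep 1024 log entries; generate at most 100 syslog messages per 10 s
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 100 interval 10
ip arp inspection vlan 10 logging acl-match matchlog
!
! Link to Switch B, which runs DAI itself: trusted, otherwise Switch B's hosts are checked
! against Switch A's binding table and dropped
interface GigabitEthernet1/1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host ports: untrusted (default), 15 ARP packets per second, measured over 1 s
interface range GigabitEthernet1/5 - 16
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15 burst interval 1
!
errdisable recovery cause arp-inspection
!
show ip arp inspection vlan 10
show ip arp inspection interfaces
show ip arp inspection statistics vlan 10
show ip arp inspection log
```

Adding the static keyword to ip arp inspection filter turns the ACL's implicit deny into a hard drop and stops the binding-table lookup entirely, so on a VLAN that mixes DHCP clients with a few static hosts it would cut off every DHCP client; use it only on VLANs where every host is listed in the ACL. Trust an inter-switch link only when the far switch runs DAI too; an untrusted link to a non-DAI switch is the configuration Figure 64 warns about, and hosts behind that switch will be dropped, which is the safe failure.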
  • Page 421: Configuring Ip Source Guard

    When a DHCP snooping binding or static IP source binding is added, changed, or deleted on an interface, the switch modifies the port ACL by using the IP source binding changes and re-applies the port ACL to the interface.
  • Page 422: Source Ip And Mac Address Filtering

    Configuring IP Source Guard Information About IP Source Guard If you enable IPSG on an interface on which IP source bindings (dynamically learned by DHCP snooping or manually configured) are not configured, the switch creates and applies a port ACL that denies all IP traffic on the interface. If you disable IPSG, the switch removes the port ACL from the interface.
  • Page 423: Enabling Ip Source Guard

    Configuring IP Source Guard How to Configure IP Source Guard - When IP source guard with source IP filtering is enabled on an interface, DHCP snooping must be enabled on the access VLAN for that interface. - If you are enabling IP source guard on a trunk interface with multiple VLANs and DHCP snooping is enabled on all the VLANs, the source IP address filter is applied on all the VLANs.
  • Page 424: Configuring Ip Source Guard For Static Hosts On A Layer 2 Access Port

    Configuring IP Source Guard How to Configure IP Source Guard Command / Purpose:
    exit: Returns to global configuration mode.
    ip source binding mac-address vlan vlan-id ip-address interface interface-id: Adds a static IP source binding. Enter this command for each static binding.
    end: Returns to privileged EXEC mode.
  • Page 425 Configuring IP Source Guard Monitoring and Maintaining IP Source Guard Command / Purpose:
    end: Returns to privileged EXEC mode.
    show ip verify source interface interface-id: Verifies the configuration and displays IPSG permit ACLs for static hosts.
    show ip device tracking all [active | inactive] count: Verifies the configuration by displaying the IP-to-MAC binding for a given host on the switch interface.
  • Page 426 Configuring IP Source Guard Configuration Examples for IP Source Guard Enabling IPSG for Static Hosts: Examples This example shows how to enable IPSG with static hosts on a port:
    Switch(config)# ip device tracking
    Switch(config)# ip device tracking max 10
    Switch(config-if)# ip verify source tracking port-security
    This example shows how to enable IPSG for static hosts with IP filters on a Layer 2 access port and to verify the valid IP bindings on the interface Gi0/3:
    Switch# configure terminal...
  • Page 427 Configuring IP Source Guard Configuration Examples for IP Source Guard
    IP Device Tracking Probe Interval = 30
    ---------------------------------------------------------------------
    IP Address    MAC Address      Vlan   Interface             STATE
    ---------------------------------------------------------------------
    200.1.1.8     0001.0600.0000          GigabitEthernet1/17   INACTIVE
    200.1.1.9     0001.0600.0000          GigabitEthernet1/17   INACTIVE
    200.1.1.10    0001.0600.0000          GigabitEthernet1/17   INACTIVE
    200.1.1.1     0001.0600.0000          GigabitEthernet1/18   ACTIVE
    200.1.1.1...
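The three ways this chapter gives for feeding IP source guard, side by side on one access switch, as an added example that is not from the guide: a DHCP client port filtered on source IP and MAC (port security supplies the MAC check), a static host admitted through a manual ip source binding, and a port where static hosts are learned by IP device tracking. Remember the rule stated earlier in the chapter: enabling IPSG on a port that has no binding installs a port ACL that denies all IP traffic, so order matters. The VLAN, addresses, MAC address, interface numbers and maximum values are assumptions.

```cisco
! Added example, not from the guide. VLAN, addresses, MAC, interfaces and limits are assumptions.
! Bindings for DHCP clients come from the snooping table, so snooping must be on for the VLAN
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 1) DHCP client port: filter on source IP and source MAC.
!    Port security must be enabled for the MAC part of the check to work.
interface GigabitEthernet1/5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 ip verify source port-security
!
! 2) Statically addressed host: create the binding BEFORE enabling the filter,
!    otherwise the port ACL denies all IP traffic until the binding exists.
ip source binding 0000.0c12.3456 vlan 10 10.1.1.20 interface GigabitEthernet1/6
interface GigabitEthernet1/6
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! 3) Static hosts learned by IP device tracking on a Layer 2 access port
ip device tracking
interface GigabitEthernet1/7
 switchport mode access
 switchport access vlan 10
 ! at most 10 tracked addresses on this port
 ip device tracking maximum 10
 switchport port-security
 ip verify source tracking port-security
!
show ip verify source
show ip source binding
show ip device tracking all
```

After a reload, the DHCP snooping bindings are gone unless the binding database agent writes them somewhere persistent, and every port configured with ip verify source blocks its host until the client renews its lease; that is the practical reason the DHCP chapter's database-agent step is not optional once IPSG or DAI is in use.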
  • Page 429: Routed Ports

    If you specify group membership for a multicast group address statically, your setting supersedes any automatic manipulation by IGMP snooping. Multicast group membership lists can consist of both user-defined and IGMP snooping-learned settings. Cisco Systems, Inc. www.cisco.com...
  • Page 430: Igmp Versions

    Configuring IGMP Snooping and MVR Information About IGMP Snooping and MVR You can configure an IGMP snooping querier to support IGMP snooping in subnets without multicast interfaces because the multicast traffic does not need to be routed. For more information about the IGMP snooping querier, see Configuring the IGMP Snooping Querier, page 437.
  • Page 431 Configuring IGMP Snooping and MVR: Information About IGMP Snooping and MVR
      Figure 65 Initial IGMP Join Message (figure labels: Router A, IGMP report 224.1.2.3, VLAN, Forwarding table, Host 1 through Host 4)
      Router A sends a general query to the switch, which forwards the query to ports 2 through 5, which are all members of the same VLAN.
  • Page 432: Leaving A Multicast Group

    Configuring IGMP Snooping and MVR: Information About IGMP Snooping and MVR
      Figure 66 Second Host Joining a Multicast Group (figure labels: Router A, VLAN, Forwarding table, Host 1 through Host 4)
        Destination Address   Type of Packet   Ports
        224.1.2.3             IGMP             1, 2, 5
      Leaving a Multicast Group
      The router sends periodic multicast general queries, and the switch forwards these queries through all ports in the VLAN.
  • Page 433 Configuring IGMP Snooping and MVR Information About IGMP Snooping and MVR IGMP Configurable-Leave Timer You can configure the time that the switch waits after sending a group-specific query to determine if hosts are still interested in a specific multicast group. The IGMP leave response time can be configured from 100 to 5000 milliseconds. The default leave time is 1000 milliseconds.
  • Page 434
      - Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets
      - Listening to Cisco Group Management Protocol (CGMP) packets from other routers
      - Statically connecting to a multicast router port with the ip igmp snooping mrouter global configuration command
      You can configure the switch either to snoop on IGMP queries and PIM/DVMRP packets or to listen to CGMP self-join or proxy-join packets.
  • Page 435: Multicast Vlan Registration

    Configuring IGMP Snooping and MVR Information About IGMP Snooping and MVR  The IGMP snooping querier supports IGMP Versions 1 and 2.  When administratively enabled, the IGMP snooping querier moves to the nonquerier state if it detects the presence of a multicast router in the network.
  • Page 436: Switch Ports

    VLAN. Uplink ports that send and receive multicast data to and from the multicast VLAN are called MVR source ports.
      Figure 67 Multicast VLAN Registration Example (figure labels: Multicast VLAN, Cisco router, Multicast server, Switch B, Multicast...)
  • Page 437: Mvr Configuration Guidelines And Limitations

    Configuring IGMP Snooping and MVR Information About IGMP Snooping and MVR Without Immediate Leave, when the switch receives an IGMP leave message from a subscriber on a receiver port, it sends out an IGMP query on that port and waits for IGMP group membership reports. If no reports are received in a configured time period, the receiver port is removed from multicast group membership.
  • Page 438: Igmp Filtering And Throttling

    Configuring IGMP Snooping and MVR Information About IGMP Snooping and MVR  MVR data received on an MVR receiver port is not forwarded to MVR source ports.  MVR does not support IGMPv3 messages. IGMP Filtering and Throttling In some environments, for example, metropolitan or multiple-dwelling unit (MDU) installations, you might want to control the set of multicast groups to which a user on a switch port can belong.
  • Page 439: Etherchannel Port Groups

    Configuring IGMP Snooping and MVR How to Configure IGMP Snooping and MVR  permit—Specifies that matching addresses are permitted.  range—Specifies a range of IP addresses for the profile. You can enter a single IP address or a range with a start and an end address.
  • Page 440: Vlan

    Configuring IGMP Snooping and MVR: How to Configure IGMP Snooping and MVR
      Command / Purpose:
      configure terminal: Enters global configuration mode.
      ip igmp snooping: Globally enables IGMP snooping in all existing VLAN interfaces.
      ip igmp snooping vlan vlan-id: Enables IGMP snooping on the VLAN interface. The VLAN ID range is 1 to 1001 and 1006 to 4096.
  • Page 441: Vlan

    Configuring IGMP Snooping and MVR: How to Configure IGMP Snooping and MVR
      Command / Purpose:
      ip igmp snooping last-member-query-interval time: (Optional) Configures the IGMP leave timer globally. The range is 100 to 32768 milliseconds. The default is 1000 seconds.
      ip igmp snooping vlan vlan-id: (Optional) Configures the IGMP leave time on the VLAN interface.
  • Page 442: Vlan

    Configuring IGMP Snooping and MVR: How to Configure IGMP Snooping and MVR
      Command / Purpose:
      ip igmp snooping querier timer expiry: (Optional) Sets the length of time until the IGMP querier expires. The timeout range is 60 to 300 seconds.
      ip igmp snooping querier version version: (Optional) Selects the IGMP version number that the querier feature uses.
  • Page 443: Vlan

    Configuring IGMP Snooping and MVR: How to Configure IGMP Snooping and MVR
      Command / Purpose:
      mvr vlan vlan-id: (Optional) Specifies the VLAN in which multicast data is received; all source ports must belong to this VLAN. The VLAN range is 1 to 1001 and 1006 to 4096.
  • Page 444: Configuring Igmp

    Configuring IGMP Snooping and MVR: How to Configure IGMP Snooping and MVR
      Configuring IGMP
      Configuring IGMP Profiles
      Command / Purpose:
      configure terminal: Enters global configuration mode.
      ip igmp profile profile number: Assigns a number to the profile you are configuring, and enters IGMP profile configuration mode.
  • Page 445: Vlan

    Configuring IGMP Snooping and MVR: Monitoring and Maintaining IGMP Snooping and MVR
      Command / Purpose:
      show ip igmp snooping [vlan vlan-id]: Displays the snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.
  • Page 446 Configuring IGMP Snooping and MVR: Configuration Examples for IGMP Snooping
      Command / Purpose:
      show mvr interface [interface-id] [members [vlan vlan-id]]: Displays all MVR interfaces and their MVR configurations. When a specific interface is entered, displays this information:
        - Type—Receiver or Source
        - ...
  • Page 447 Configuring IGMP Snooping and MVR: Configuration Examples for IGMP Snooping
      Enabling IGMP Immediate Leave: Example
      This example shows how to enable IGMP Immediate Leave on VLAN 130:
        Switch# configure terminal
        Switch(config)# ip igmp snooping vlan 130 immediate-leave
        Switch(config)# end
      Setting the IGMP Snooping Querier Parameters: Examples
      This example shows how to set the IGMP snooping querier source address to 10.0.0.64:
        Switch# configure terminal
        Switch(config)# ip igmp snooping querier 10.0.0.64...
  • Page 448 Configuring IGMP Snooping and MVR: Additional References
        ----     ----       -------       ---------------
        Gi1/18   RECEIVER   ACTIVE/DOWN   ENABLED
      Creating an IGMP Profile: Example
      This example shows how to create IGMP profile 4 allowing access to the single IP multicast address and how to verify the configuration.
  • Page 450 Configuring IGMP Snooping and MVR Additional References...
  • Page 451: Storm Control

    When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. However, the switch does not differentiate between routing updates, such as OSPF, and regular multicast data traffic, so both types of traffic are blocked.
  • Page 452: Default Storm Control Configuration

    Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by the switch, but they do not cause the switch storm-control counters to increment. In Cisco IOS Release 12.2(44)SE and later, you can configure a port to be error disabled if small frames arrive at a specified rate (threshold).
  • Page 453: Protected Ports

    Configuring Port-Based Traffic Control Information About Port-Based Traffic Control Protected Ports Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.
  • Page 454: Security Violations

    Configuring Port-Based Traffic Control Information About Port-Based Traffic Control  Static secure MAC addresses—These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.  Dynamic secure MAC addresses—These are dynamically configured, stored only in the address table, and removed when the switch restarts.
  • Page 455: Default Port Security Configuration

    When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address.
  • Page 456 Configuring Port-Based Traffic Control: Information About Port-Based Traffic Control
      - When a trunk port is configured with port security and assigned to an access VLAN for data traffic and to a voice VLAN for voice traffic, entering the switchport voice and switchport priority extend interface configuration commands has no effect.
  • Page 457: Port Security And Private Vlans

    Configuring Port-Based Traffic Control Information About Port-Based Traffic Control  Inactivity—The secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time. Use this feature to remove and add devices on a secure port without manually deleting the existing secure MAC addresses and to still limit the number of secure addresses on a port.
  • Page 458: Configuring Storm Control

    Configuring Port-Based Traffic Control: How to Configure Port-Based Traffic Control
      Configuring Storm Control
      Configuring Storm Control and Threshold Levels
      Command / Purpose:
      configure terminal: Enters global configuration mode.
      interface interface-id: Specifies the interface to be configured, and enters interface configuration mode.
  • Page 459: Configuring Protected Ports

    Configuring Port-Based Traffic Control How to Configure Port-Based Traffic Control Command Purpose  pps pps—Specifies the rising threshold level for broadcast, multicast, or unicast traffic in packets per second (up to one decimal place). The port blocks traffic when the rising threshold is reached. The range is 0.0 to 10000000000.0.
  • Page 460: Configuring Port Blocking

    Configuring Port-Based Traffic Control: How to Configure Port-Based Traffic Control
      Configuring Port Blocking
      Blocking Flooded Traffic on an Interface
      Note: The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.
      Command / Purpose:
      configure terminal...
  • Page 461 Configuring Port-Based Traffic Control: How to Configure Port-Based Traffic Control
      Command / Purpose:
      switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]]: (Optional) maximum—Specifies the maximum number of secure MAC addresses on the port. By default only 1 MAC address is allowed. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system.
  • Page 462 Configuring Port-Based Traffic Control: How to Configure Port-Based Traffic Control
      Command / Purpose:
      switchport port-security [violation {protect | restrict | shutdown | shutdown vlan}]: (Optional) Sets the violation mode, the action to be taken when a security violation is detected, as one of these: ...
  • Page 463: Enabling And Configuring Port Security Aging

    Configuring Port-Based Traffic Control: How to Configure Port-Based Traffic Control
      Command / Purpose:
      switchport port-security mac-address sticky: (Optional) Enables sticky learning on the interface.
      switchport port-security mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]: (Optional) Enters a sticky secure MAC address, repeating the command as many times as necessary. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned, are converted to sticky secure MAC addresses, and are added to the running...
  • Page 464 Configuring Port-Based Traffic Control: How to Configure Port-Based Traffic Control
      Command / Purpose:
      interface interface-id: Specifies the interface to be configured, and enters interface configuration mode.
      switchport port-security aging {static | time time | type {absolute | inactivity}}: Enables or disables static aging for the secure port, or sets the aging time or type.
  • Page 465 Configuring Port-Based Traffic Control: Monitoring and Maintaining Port-Based Traffic Control
      Command / Purpose:
      show interfaces [interface-id] switchport: Displays the administrative and operational status of all switching (nonrouting) ports or the specified port, including port blocking and port protection settings.
  • Page 466 Configuring Port-Based Traffic Control: Configuration Examples for Port-Based Traffic Control
      Enabling Small-Frame Arrival Rate: Example
      This example shows how to enable the small-frame arrival-rate feature, configure the port recovery time, and configure the threshold for error-disabling a port:
        Switch# configure terminal
        Switch# errdisable detect cause small-frame
        Switch# errdisable recovery cause small-frame
        Switch(config)# interface GigabitEthernet1/17...
  • Page 467 Configuring Port-Based Traffic Control: Additional References
        Switch(config-if)# switchport port-security violation restrict
        Switch(config-if)# switchport port-security mac-address sticky
        Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
        Switch(config-if)# switchport port-security mac-address 0000.0000.0003
        Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
        Switch(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice
        Switch(config-if)# switchport port-security maximum 10 vlan access
        Switch(config-if)# switchport port-security maximum 10 vlan voice
      Configuring Port Security Aging: Examples...
  • Page 469: Configuring Span And Rspan

    You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.
  • Page 470: Remote Span

    Configuring SPAN and RSPAN: Information About SPAN and RSPAN
      Figure 69 Example of Local SPAN Configuration on a Single Switch (figure labels: ports 1 through 12, Port 5 traffic mirrored on Port 10, Network analyzer)
      Remote SPAN
      RSPAN supports source ports, source VLANs, and destination ports on different switches, enabling remote monitoring of multiple switches across your network.
  • Page 471: Span Sessions

    Configuring SPAN and RSPAN: Information About SPAN and RSPAN
      Figure 70 Example of RSPAN Configuration (figure labels: RSPAN destination ports, RSPAN destination session on Switch C, intermediate switches must support RSPAN VLAN, RSPAN VLAN, Switch A and Switch B with RSPAN source session A and RSPAN source session B, ...)
  • Page 472 Configuring SPAN and RSPAN Information About SPAN and RSPAN There can be more than one source session and more than one destination session active in the same RSPAN VLAN. There can also be intermediate switches separating the RSPAN source and destination sessions. These switches need not be capable of running RSPAN, but they must respond to the requirements of the RSPAN VLAN (see RSPAN VLAN, page...
  • Page 473: Source Ports

    The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
  • Page 474: Source Vlans

    Configuring SPAN and RSPAN: Information About SPAN and RSPAN
      Source VLANs
      VLAN-based SPAN (VSPAN) is the monitoring of the network traffic in one or more VLANs. The SPAN or RSPAN source interface in VSPAN is a VLAN ID, and traffic is monitored on all the ports for that VLAN. VSPAN has these characteristics: ...
  • Page 475: Rspan Vlan

    Configuring SPAN and RSPAN Information About SPAN and RSPAN  It cannot be a source port.  It cannot be an EtherChannel group or a VLAN.  It can participate in only one SPAN session at a time (a destination port in one SPAN session cannot be a destination port for a second SPAN session).
  • Page 476: Span And Rspan Interaction With Other Features

    Configuring SPAN and RSPAN: Information About SPAN and RSPAN
      SPAN and RSPAN Interaction with Other Features
      - Routing—SPAN does not monitor routed traffic. VSPAN only monitors traffic that enters or exits the switch, not traffic that is routed between VLANs. For example, if a VLAN is being Rx-monitored and the switch routes traffic from another VLAN to the monitored VLAN, that traffic is not monitored and not received on the SPAN destination port.
  • Page 477: Rspan Configuration Guidelines

    Configuring SPAN and RSPAN Information About SPAN and RSPAN  When you configure a switch port as a SPAN destination port, it is no longer a normal switch port; only monitored traffic passes through the SPAN destination port.  Entering SPAN configuration commands does not remove previously configured SPAN parameters. You must enter the no monitor session {session_number | all | local | remote} global configuration command to delete configured SPAN parameters.
  • Page 478: Default Span And Rspan Settings

    Configuring SPAN and RSPAN: How to Configure SPAN and RSPAN
      Default SPAN and RSPAN Settings
      Feature / Default Setting:
      SPAN state (SPAN and RSPAN): Disabled.
      Source port traffic to monitor: Both received and sent traffic (both).
      Encapsulation type (destination port): Native form (untagged packets).
      Ingress forwarding (destination port): Disabled.
      VLAN filtering...
  • Page 479 Configuring SPAN and RSPAN: How to Configure SPAN and RSPAN
      Command / Purpose:
      monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]: Specifies the SPAN session and the source port (monitored port). session_number—The range is 1 to 68. interface-id—Specifies the source port or source VLAN to monitor.
  • Page 480: Creating A Local Span Session And Configuring Incoming Traffic

    Configuring SPAN and RSPAN: How to Configure SPAN and RSPAN
      Command / Purpose:
      monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}: Specifies the SPAN session and the destination port (monitoring port). session_number—Specifies the session number entered in step 3. Note: For local SPAN, you must use the same session number for the source and destination interfaces.
  • Page 481 Configuring SPAN and RSPAN: How to Configure SPAN and RSPAN
      Command / Purpose:
      monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]: Specifies the SPAN session and the source port (monitored port).
      monitor session session_number destination {interface interface-id [, | -] ...: Specifies the SPAN session, the destination port, the packet encapsulation, and the ingress VLAN and encapsulation.
  • Page 482: Configuring A Vlan As An Rspan Vlan

    Configuring SPAN and RSPAN: How to Configure SPAN and RSPAN
      Command / Purpose:
      monitor session session_number filter vlan vlan-id [, | -]: Limits the SPAN source traffic to specific VLANs. session_number—Enters the session number specified in Step 3. vlan-id—The range is 1 to 4096. (Optional) Use a comma (,) to specify a series of VLANs, or use a hyphen (-) to specify a range of VLANs.
  • Page 483: Creating An Rspan Source Session

    Configuring SPAN and RSPAN: How to Configure SPAN and RSPAN
      Creating an RSPAN Source Session
      Command / Purpose:
      configure terminal: Enters global configuration mode.
      no monitor session {session_number | all | local | remote}: Removes any existing RSPAN configuration for the session. session_number—The range is 1 to 68.
  • Page 484: Creating An Rspan Destination Session

    Configuring SPAN and RSPAN: How to Configure SPAN and RSPAN
      Creating an RSPAN Destination Session
      Command / Purpose:
      configure terminal: Enters global configuration mode.
      vlan vlan-id: Enters the VLAN ID of the RSPAN VLAN created from the source switch, and enters VLAN configuration mode. If both switches are participating in VTP and the RSPAN VLAN ID is from 2 to 1005, Steps 2 through 4 are not required because the RSPAN VLAN ID is propagated through the VTP network.
  • Page 485 Configuring SPAN and RSPAN: How to Configure SPAN and RSPAN
      Command / Purpose:
      monitor session session_number source remote vlan vlan-id: Specifies the RSPAN session and the source RSPAN VLAN. session_number—The range is 1 to 68. vlan-id—Specifies the source RSPAN VLAN to monitor.
      monitor session session_number destination {interface interface-id [, | -]...: Specifies the SPAN session, the destination port, the packet ...
  • Page 486 Configuring SPAN and RSPAN: Monitoring and Maintaining SPAN and RSPAN
      Specifying VLANs to Filter
      Command / Purpose:
      configure terminal: Enters global configuration mode.
      no monitor session {session_number | all | local | remote}: Removes any existing SPAN configuration for the session. session_number—The range is 1 to 68.
  • Page 487 Configuring SPAN and RSPAN: Configuration Examples for SPAN and RSPAN
        Switch(config)# monitor session 1 destination interface GigabitEthernet1/18 encapsulation replicate
        Switch(config)# end
      Modifying Local SPAN Sessions: Examples
      This example shows how to remove port 1 as a SPAN source for SPAN session 1:
        Switch(config)# no monitor session 1 source interface GigabitEthernet1/17
        Switch(config)# end
      This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional...
  • Page 488 Configuring SPAN and RSPAN: Additional References
      Configuring a VLAN for a SPAN Session: Example
      This example shows how to configure VLAN 901 as the source remote VLAN and port 1 as the destination interface:
        Switch(config)# monitor session 1 source remote vlan 901
        Switch(config)# monitor session 1 destination interface GigabitEthernet1/17
        Switch(config)# end
      Modifying RSPAN Sessions: Examples...
  • Page 490 Configuring SPAN and RSPAN Additional References...
  • Page 491 Information About LLDP, LLDP-MED, and Wired Location Service The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches). CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network.
  • Page 492: Wired Location Service

    The switch uses the wired location service feature to send location and attachment tracking information for its connected devices to a Cisco Mobility Services Engine (MSE). The tracked device can be a wireless endpoint, a wired endpoint, or a wired switch or controller. The switch notifies the MSE of device link up and link down events through the Network Mobility Services Protocol (NMSP) location and attachment notifications.
  • Page 493 Configuring LLDP, LLDP-MED, and Wired Location Service: Information About LLDP, LLDP-MED, and Wired Location Service
      - MAC address specified in the client MAC address
      - IP address specified in port connection
      - 802.1X username if applicable
      - Device category is specified as a wired station
      - ...
  • Page 494: Default Lldp Configuration

    Configuring LLDP, LLDP-MED, and Wired Location Service: Information About LLDP, LLDP-MED, and Wired Location Service
      Default LLDP Configuration
      Feature / Default Setting:
      LLDP global state: Disabled.
      LLDP holdtime (before discarding): 120 seconds.
      LLDP timer (packet update frequency): 30 seconds.
      LLDP reinitialization delay: 2 seconds.
  • Page 495: Enabling Lldp

    Configuring LLDP, LLDP-MED, and Wired Location Service: How to Configure LLDP, LLDP-MED, and Wired Location Service
      LLDP-MED TLV / Description:
      inventory-management: LLDP-MED inventory management TLV
      location: LLDP-MED location TLV
      network-policy: LLDP-MED network policy TLV
      power-management: LLDP-MED power management TLV
      How to Configure LLDP, LLDP-MED, and Wired Location Service
      Enabling LLDP
      Command / Purpose...
  • Page 496 Configuring LLDP, LLDP-MED, and Wired Location Service: How to Configure LLDP, LLDP-MED, and Wired Location Service
      Configuring LLDP-MED TLVs
      Command / Purpose:
      configure terminal: Enters global configuration mode.
      interface interface-id: Specifies the interface on which you are configuring an LLDP-MED TLV, and enters interface configuration mode.
      lldp med-tlv-select tlv: Specifies the TLV to enable.
  • Page 497: Configuring Location Tlv And Wired Location Service

    Configuring LLDP, LLDP-MED, and Wired Location Service: How to Configure LLDP, LLDP-MED, and Wired Location Service
      Configuring Location TLV and Wired Location Service
      This task explains how to configure location information for an endpoint and to apply it to an interface.
      Command / Purpose:
      configure terminal...
  • Page 498 Configuring LLDP, LLDP-MED, and Wired Location Service: Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service
      Command / Description:
      clear lldp counters: Resets the traffic counters to zero.
      clear lldp table: Deletes the LLDP neighbor information table.
      clear nmsp statistics: Clears the NMSP statistic counters.
  • Page 499 Configuring Civic Location Information: Example
      This example shows how to configure civic location information on the switch:
        Switch(config)# location civic-location identifier 1
        Switch(config-civic)# number 3550
        Switch(config-civic)# primary-road-name "Cisco Way"
        Switch(config-civic)# city "San Jose"
        Switch(config-civic)# state CA
        Switch(config-civic)# building 19
        Switch(config-civic)# room C6
        Switch(config-civic)# county "Santa Clara"...
  • Page 501 Layer 2 NAT is a hardware-based implementation that provides the same high level of (bump-on-the-wire) wire-speed performance. This implementation also supports multiple VLANs through the NAT boundary for enhanced network segmentation. For information about configuring Layer 2 NAT on a Cisco Industrial Ethernet Switch, see Layer 2 NAT Software Configuration Guide for Cisco Industrial Ethernet Switches.
  • Page 502 Configuring Layer 2 NAT...
  • Page 503: Configuring Cdp

    Configuring CDP Information About CDP CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices.
  • Page 504: Default Cdp Configuration

    This is the default state.
      Returns to privileged EXEC mode.
      Disabling CDP
      CDP is enabled by default.
      Note: Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Disabling CDP can interrupt cluster discovery and device connectivity.
  • Page 505: Monitoring And Maintaining Cdp

    Configuring CDP: Monitoring and Maintaining CDP
      Command / Purpose:
      configure terminal: Enters global configuration mode.
      no cdp run: Disables CDP globally.
      interface interface-id: Specifies the interface on which you are disabling CDP, and enters interface configuration mode.
      no cdp enable: Disables CDP on the interface.
      Returns to privileged EXEC mode.
  • Page 507: Configuring Udld

    UDLD, the Layer 1 and Layer 2 detections work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols. A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device.
  • Page 508: Methods To Detect Unidirectional Links

    Configuring UDLD Information About UDLD In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection. If the ports are connected correctly but the traffic is one way, UDLD does not detect the unidirectional link because the Layer 1 mechanism, which is supposed to detect this condition, does not do so.
  • Page 509: Enabling Udld Globally

    Configuring UDLD How to Configure UDLD If you enable aggressive mode when all the neighbors of a port have aged out either in the advertisement or in the detection phase, UDLD restarts the link-up sequence to resynchronize with any potentially out-of-sync neighbor. UDLD shuts down the port if, after the fast train of messages, the link state is still undetermined.
  • Page 510: Enabling Udld On An Interface

    Configuring UDLD: How to Configure UDLD
      Command / Purpose:
      configure terminal: Enters global configuration mode.
      udld {aggressive | enable | message time message-timer-interval}: Specifies the UDLD mode of operation:
        - aggressive—Enables UDLD in aggressive mode on all fiber-optic ports.
        - enable—Enables UDLD in normal mode on all fiber-optic ports on the switch.
  • Page 511 Configuring UDLD: Maintaining and Monitoring UDLD
      Setting and Resetting UDLD Parameters
      Command / Purpose:
      configure terminal: Enters global configuration mode.
      udld reset: (Optional) Resets all ports disabled by UDLD.
      no udld {aggressive | enable}: (Optional) Disables the UDLD ports.
      udld {aggressive | enable}: (Optional) Reenables the disabled ports.
  • Page 513: Configuring Rmon

    You can use the RMON feature with the Simple Network Management Protocol (SNMP) agent in the switch to monitor all the traffic flowing among switches on all connected LAN segments as shown in Figure 72 on page 510.
  • Page 514: Configuring Rmon Alarms And Events

    Configuring RMON How to Configure RMON Figure 72 Remote Monitoring Example (figure labels: network management station with generic RMON console application; switch with RMON alarms and events configured, SNMP configured, and RMON history and statistic collection enabled; workstations). The switch supports these RMON groups (defined in RFC 1757): ...
  • Page 515: Collecting Group History Statistics On An Interface

    Configuring RMON How to Configure RMON Command Purpose configure terminal: Enters global configuration mode. rmon alarm number variable interval {absolute | delta} rising-threshold value [event-number] falling-threshold value [event-number]: Sets an alarm on a MIB object. • number—Specifies the alarm number. The range is 1 to 65535.
  • Page 516: Collecting Group Ethernet Statistics On An Interface

    Configuring RMON How to Configure RMON Command Purpose configure terminal: Enters global configuration mode. interface interface-id: Specifies the interface on which to collect history, and enters interface configuration mode. rmon collection history index [buckets bucket-number] [interval seconds]: Enables history collection for the specified number of buckets and time period.
  • Page 517 Configuring RMON Monitoring and Maintaining RMON Monitoring and Maintaining RMON Command Purpose show rmon Displays general RMON statistics. show rmon alarms Displays the RMON alarm table. show rmon events Displays the RMON event table. show rmon history Displays the RMON history table. show rmon statistics Displays the RMON statistics table.
  • Page 518 MIBs
  • Page 519: Configuring System Message Logging

    The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command.
  • Page 520: Log Messages

    Configuring System Message Logging Information About System Message Logging Table 48 System Log Message Elements Element Description seq no: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see Enabling and Disabling Sequence Numbers in Log Messages, page 522.
  • Page 521: Configuring Unix Syslog Servers

    Create the log file by entering these commands at the UNIX shell prompt: $ touch /var/log/cisco.log $ chmod 666 /var/log/cisco.log Make sure the syslog daemon reads the new changes:...
  • Page 522 Configuring System Message Logging Information About System Message Logging $ kill -HUP `cat /etc/syslog.pid` For more information, see the man syslog.conf and man syslogd commands on your UNIX system. Table 50 on page 518 lists the UNIX system facilities supported by the software. For more information about these facilities, consult the operator’s manual for your UNIX operating system.
  • Page 523: Default System Message Logging Configuration

    Configuring System Message Logging How to Configure System Message Logging Default System Message Logging Configuration Feature Default Setting System message logging to the console Enabled. Console severity Debugging (and numerically lower levels). Logging file configuration No filename specified. Logging buffer size 4096 bytes.
  • Page 524 Configuring System Message Logging How to Configure System Message Logging Command Purpose configure terminal Enters global configuration mode. logging buffered [size] Logs messages to an internal buffer on the switch. The range is 4096 to 2147483647 bytes. The default buffer size is 4096 bytes. If the switch fails, the log file is lost unless you had previously saved it to flash memory.
  • Page 525: Synchronizing Log Messages

    Configuring System Message Logging How to Configure System Message Logging Synchronizing Log Messages Command Purpose configure terminal: Enters global configuration mode. line [console | vty] line-number [ending-line-number]: Specifies the line to be configured for synchronous logging of messages. • Use the console keyword for configurations that occur through the switch console port.
  • Page 526: Enabling And Disabling Time Stamps On Log Messages

    Configuring System Message Logging How to Configure System Message Logging Enabling and Disabling Time Stamps on Log Messages Command Purpose configure terminal Enters global configuration mode. service timestamps log uptime Enables log time stamps. The first command enables time stamps on log messages, showing the time since the system was rebooted.
  • Page 527: Limiting Syslog Messages Sent To The History Table And To Snmp

    Configuring System Message Logging How to Configure System Message Logging Limiting Syslog Messages Sent to the History Table and to SNMP If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table.
  • Page 528 Configuring System Message Logging Monitoring and Maintaining the System Message Log Command Purpose configure terminal Enters global configuration mode. logging host Logs messages to a UNIX syslog server host by entering its IP address. To build a list of syslog servers that receive logging messages, enter this command more than once.
  • Page 529 Configuring System Message Logging Additional References 000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) Enabling the Logger: Example This example shows how to enable the configuration-change logger and to set the number of entries in the log to 500. Switch(config)# archive Switch(config-archive)# log config Switch(config-archive-log-cfg)# logging enable Switch(config-archive-log-cfg)# logging size 500...
  • Page 530 MIBs
  • Page 531: Configuring Snmp

    Modifying the group's notify view affects all users associated with that group. See the Cisco IOS Network Management Command Reference for information about when you should configure notify views.
  • Page 532: Information About Snmp

    Configuring SNMP Information About SNMP Information About SNMP SNMP The Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a message format for communication between managers and agents. The SNMP system consists of an SNMP manager, an SNMP agent, and a MIB.
  • Page 533: Snmp Manager Functions

    Configuring SNMP Information About SNMP SNMPv3 provides for both security models and security levels. A security model is an authentication strategy set up for a user and the group within which the user resides. A security level is the permitted level of security within a security model.
  • Page 534: Snmp Agent Functions

    Configuring SNMP Information About SNMP With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table. The get-bulk command only works with SNMPv2 or later. SNMP Agent Functions The SNMP agent responds to SNMP manager requests as follows: ...
  • Page 535: Snmp Notifications

    Configuring SNMP Information About SNMP Figure 73 SNMP Network (figure labels: the SNMP Manager sends Get-request, Get-next-request, Get-bulk, and Set-request to the SNMP Agent on the network device; the agent returns Get-response and traps). SNMP Notifications SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests.
  • Page 536: Community Strings

    A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers. Note: Many commands use the word traps in the command syntax.
  • Page 537 Configuring SNMP Information About SNMP Table 54 Switch Notification Types (continued) Notification Type Description Keyword port-security Generates SNMP port security traps. You can also set a maximum trap rate per second. The range is from 0 to 1000; the default is 0, which means that there is no rate limit. Note: When you configure a trap by using the notification type port-security, configure the port security trap first, and then configure the port security trap rate:...
  • Page 538: Default Snmp Settings

    The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
  • Page 539: Configuring Snmp Groups And Users

    Configuring SNMP How to Configure SNMP Command Purpose configure terminal: Enters global configuration mode. snmp-server community string [view view-name] [ro | rw] [access-list-number]: Configures the community string. Note: The @ symbol is used for delimiting the context information. Avoid using the @ symbol as part of the SNMP community string when configuring this command.
  • Page 540 Configuring SNMP How to Configure SNMP Command Purpose configure terminal: Enters global configuration mode. snmp-server engineID {local engineid-string | remote ip-address [udp-port port-number] engineid-string}: Configures a name for either the local or remote copy of SNMP. • The engineid-string is a 24-character ID string with the name of the copy of SNMP.
  • Page 541 Configuring SNMP How to Configure SNMP Command Purpose snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]: Configures a new SNMP group on the remote device. • groupname—Specifies the name of the group. ...
  • Page 542: Configuring Snmp Notifications

    Configuring SNMP How to Configure SNMP Command Purpose snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 ...: Adds a new user for an SNMP group. • username—Specifies a name of the user on the host that connects to the agent.
  • Page 543 Configuring SNMP How to Configure SNMP Command Purpose snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]: Configures an SNMP group. snmp-server host host-addr [informs | traps] [version {1 | 2c | 3 ...: Specifies the recipient of an SNMP trap operation.
  • Page 544: Setting The Cpu Threshold Notification Types And Values

    Configuring SNMP How to Configure SNMP Command Purpose snmp-server queue-length length (Optional) Establishes the message queue length for each trap host. The range is 1 to 1000; the default is 10. snmp-server trap-timeout seconds (Optional) Defines how often to resend trap messages. The range is 1 to 1000;...
  • Page 545: Limiting Tftp Servers Used Through Snmp

    Configuring SNMP Monitoring and Maintaining SNMP Limiting TFTP Servers Used Through SNMP Command Purpose configure terminal: Enters global configuration mode. snmp-server tftp-server-list access-list-number: Limits TFTP servers used for configuration file copies through SNMP to the servers in the access list. access-list-number—Enters an IP standard access list numbered from 1 to 99 and 1300 to 1999.
  • Page 546 Configure SNMP Traps: Examples This example shows how to send entity MIB traps to the host cisco.com. The community string is restricted. The first line enables the switch to send entity MIB traps in addition to any traps previously enabled. The second line specifies the destination of these traps and overwrites any previous snmp-server host commands for the host cisco.com.
  • Page 547 Configuring SNMP Additional References Switch(config)# snmp-server enable traps Switch(config)# snmp-server inform retries 0 Assigning a String to SNMP: Example This example shows how to assign the string comaccess to SNMP, to allow read-only access, and to specify that IP access list 4 can use the community string to gain access to the switch SNMP agent: Switch(config)# snmp-server community comaccess ro 4 Additional References The following sections provide references related to switch administration:...
  • Page 548 MIBs
  • Page 549: Supported Acls

    Port ACLs control traffic entering a Layer 2 interface. The switch does not support port ACLs in the outbound direction. You can apply only one IP access list and one MAC access list to a Layer 2 interface. For more information, see Port ACLs, page 546.
  • Page 550: Port Acls

    Configuring Network Security with ACLs Information About Network Security with ACLs If IEEE 802.1Q tunneling is configured on an interface, any IEEE 802.1Q encapsulated IP packets received on the tunnel port can be filtered by MAC ACLs, but not by IP ACLs. This is because the switch does not recognize the protocol inside the IEEE 802.1Q header.
  • Page 551: Handling Fragmented And Unfragmented Traffic

    10.1.1.3, and the earlier permit ACEs were checking different hosts. IPv4 ACLs Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. Create an ACL by specifying an access list number or name and the access conditions.
  • Page 552: Access List Numbers

    Configuring Network Security with ACLs Information About Network Security with ACLs Standard and Extended IPv4 ACLs This section describes IP ACLs. An ACL is a sequential collection of permit and deny conditions. One by one, the switch tests packets against the conditions in an access list. The first match determines whether the switch accepts or rejects the packet.
  • Page 553: Acl Logging

    Configuring Network Security with ACLs Information About Network Security with ACLs Table 55 Access List Number Support (columns: Access List Number, Type, Supported): 1–99, IP standard access list; 100–199, IP extended access list; 200–299, Protocol type-code access list; 300–399, DECnet access list; 400–499, XNS standard access list; 500–599...
  • Page 554: Resequencing Aces In An Acl

    Configuring Network Security with ACLs Information About Network Security with ACLs  Authentication Header Protocol (ahp)  Enhanced Interior Gateway Routing Protocol (eigrp)  Encapsulation Security Payload (esp)  generic routing encapsulation (gre)  Internet Control Message Protocol (icmp)  Internet Group Management Protocol (igmp) ...
  • Page 555 Configuring Network Security with ACLs Information About Network Security with ACLs Consider these guidelines and limitations before configuring named ACLs:  Not all commands that accept a numbered ACL accept a named ACL. ACLs for packet filters and route filters on interfaces can use a name.
  • Page 556 Configuring Network Security with ACLs Information About Network Security with ACLs IPv4 ACL to a Terminal Line You can use numbered ACLs to control access to one or more terminal lines. You cannot apply named ACLs to lines. You must set identical restrictions on all the virtual terminal lines because a user can attempt to connect to any of them. For procedures for applying ACLs to interfaces, see Applying an IPv4 ACL to an Interface, page 560.
  • Page 557: Troubleshooting Acls

    Configuring Network Security with ACLs Information About Network Security with ACLs Note: If an ACL configuration cannot be implemented in hardware due to an out-of-resource condition on a switch, then only the traffic in that VLAN arriving on that switch is affected (forwarded in software). Software forwarding of packets might adversely impact the performance of the switch, depending on the number of CPU cycles that this consumes.
  • Page 558: Creating A Numbered Standard Acl

    Configuring Network Security with ACLs How to Configure Network Security with ACLs MAC ACL to a Layer 2 Interface After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface. When you apply the MAC ACL, consider these guidelines: ...
  • Page 559: Creating A Numbered Extended Acl

    Configuring Network Security with ACLs How to Configure Network Security with ACLs Creating a Numbered Extended ACL...
  • Page 560 Configuring Network Security with ACLs How to Configure Network Security with ACLs Command Purpose configure terminal: Enters global configuration mode. access-list access-list-number {deny | permit} protocol source source-wildcard destination ...: Defines an extended IPv4 access list and the access conditions. access-list-number—Specifies a decimal number from 100 to 199 or 2000 to 2699.
  • Page 561 To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP.
  • Page 562 ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. Step access-list access-list-number (Optional) Defines an extended IGMP access list and the access conditions.
  • Page 563: Creating Named Standard And Extended Acls

    Configuring Network Security with ACLs How to Configure Network Security with ACLs Creating Named Standard and Extended ACLs Command Purpose configure terminal Enters global configuration mode. ip access-list standard name Defines a standard IPv4 access list using a name, and enters access-list configuration mode.
  • Page 564: Applying An Ipv4 Acl To A Terminal Line

    Configuring Network Security with ACLs How to Configure Network Security with ACLs Command Purpose configure terminal Enters global configuration mode. time-range time-range-name Assigns a meaningful name (for example, workhours) to the time range to be created, and enters time-range configuration mode. The name cannot contain a space or quotation mark and must begin with a letter.
  • Page 565: Creating Named Mac Extended Acls

    Configuring Network Security with ACLs How to Configure Network Security with ACLs Creating Named MAC Extended ACLs Command Purpose configure terminal: Enters global configuration mode. mac access-list extended name: Defines an extended MAC access list using a name. {deny | permit} {any | host source MAC address | source MAC address mask} {any | ...: In extended MAC access-list configuration mode, specifies to permit or deny any source MAC address, a source MAC address...
  • Page 566 Configuring Network Security with ACLs Monitoring and Maintaining Network Security with ACLs Monitoring and Maintaining Network Security with ACLs Command Purpose show access-lists [number | name] Displays the contents of one or all current IP and MAC address access lists or a specific access list (numbered or named). show ip access-lists [number | name] Displays the contents of all current IP access lists or a specific IP access list (numbered or named).
  • Page 567 Configuring Network Security with ACLs Configuration Examples for Network Security with ACLs Configuring Time Ranges: Examples This example shows how to configure time ranges for workhours and to configure January 1, 2006, as a company holiday and to verify your configuration. Switch(config)# time-range workhours Switch(config-time-range)# periodic weekdays 8:00 to 12:00 Switch(config-time-range)# periodic weekdays 13:00 to 17:00...
  • Page 568 Configuring Network Security with ACLs Configuration Examples for Network Security with ACLs For an entry in a named IP ACL, use the remark access-list configuration command. To remove the remark, use the no form of this command. In this example, the Jones subnet is not allowed to use outbound Telnet: Switch(config)# ip access-list extended telnetting Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet...
  • Page 569 Configuring Network Security with ACLs Configuration Examples for Network Security with ACLs Routed ACLs: Examples Figure 75 on page 565 shows a small networked office environment with routed Port 2 connected to Server A, containing benefits and other information that all employees can access, and routed Port 1 connected to Server B, containing confidential payroll data.
  • Page 570 Configuring Network Security with ACLs Configuration Examples for Network Security with ACLs permit ip any 172.20.128.64 0.0.0.31 Switch(config)# interface GigabitEthernet1/17 Switch(config-if)# ip access-group 106 in Configuring Numbered ACLs: Example In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0.
  • Page 571 Configuring Network Security with ACLs Configuration Examples for Network Security with ACLs The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits ICMP traffic, denies UDP traffic from any source to the destination address range 171.69.0.0 through 179.69.255.255 with a destination port less than 1024, denies any other IP traffic, and provides a log of the result.
  • Page 572 Configuring Network Security with ACLs Configuration Examples for Network Security with ACLs Switch(config-std-nacl)# remark Do not allow Jones subnet through Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.255 In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet: Switch(config)# ip access-list extended telnetting Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out Switch(config-ext-nacl)# deny tcp 171.69.0.0 0.0.255.255 any eq telnet...
  • Page 573 Configuring Network Security with ACLs Additional References Switch# show access-lists Extended MAC access list mac1 10 deny any any decnet-iv 20 permit any any This example shows how to apply MAC access list mac1 to a port to filter packets entering the port: Switch(config)# interface GigabitEthernet1/17 Switch(config-if)# mac access-group mac1 in Note:...
  • Page 574 MIBs
  • Page 575 This chapter describes how to configure quality of service (QoS) by using the modular QoS command-line interface (CLI), or MQC, commands on the Cisco IE switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. When QoS is not configured, the switch offers best-effort service to each packet, regardless of the packet contents or size.
  • Page 576: Modular Qos Cli

    Configuring QoS Understanding QoS  Packet classification organizes traffic on the basis of whether or not the traffic matches a specific criteria. When a packet is received, the switch identifies all key packet fields: class of service (CoS), Differentiated Services Code Point (DSCP), or IP precedence.
  • Page 577: Input And Output Policies

    Configuring QoS Understanding QoS  You can optionally include keywords to evaluate these match commands by entering class-map match-any or class-map match-all. If you specify match-any, the traffic being evaluated must match one of the specified criteria. If you specify match-all, the traffic being evaluated must match all of the specified criteria. A match-all class map can contain only one match statement, but a match-any class map can contain multiple match statements.
  • Page 578: Input Policy Maps

    Configuring QoS Understanding QoS When CPU protection is enabled (the default), you can configure 45 ingress policers per port. If you disable CPU protection by entering the no policer cpu uni all global configuration command and reloading the switch, you can configure a maximum of 63 policers per port (62 on every 4th port) for user-defined classes and one for class-default.
  • Page 579 Configuring QoS Understanding QoS output policy maps can contain only three unique configurations of queue limits. These three unique queue-limit configurations can be included in as many output policy maps as there are ports on the switch. There are no limitations on the configurations of bandwidth, priority, or shaping.
  • Page 580: Class Maps

    Configuring QoS Understanding QoS Figure 78 QoS Classification Layers in Frames and Packets (figure labels: Layer 2 IEEE 802.1Q and IEEE 802.1p frame with Preamble, Start frame delimiter, Type, and Data fields, and a 2-byte tag field carrying 3 bits used for CoS (IEEE 802.1p user priority) and the VLAN ID; Layer 3 IPv4 packet with Version, Offset, ...)
  • Page 581: The Match Command

    Configuring QoS Understanding QoS You can match more than one criterion for classification. You can also create a class map that requires that all matching criteria in the class map be in the packet header by using the class map match-all class-map name global configuration command to enter class map configuration mode.
  • Page 582: Classification Based On Ip Dscp

    Configuring QoS Understanding QoS This example shows how to create a class map to match an IP precedence value of 4: Switch(config)# class-map sample Switch(config-cmap)# match ip precedence 4 Switch(config-cmap)# exit Classification Based on IP DSCP When you classify IPv4 traffic based on IP DSCP value, and enter the match ip dscp class-map configuration command, you have several classification options: ...
  • Page 583: Classification Comparisons

    Configuring QoS Understanding QoS 802.1Q Tunneling CoS Mapping The switch supports VLAN mapping from the customer VLAN-ID (C-VLAN) to a service-provider VLAN-ID (S-VLAN). For QoS, the switch can set the service-provider CoS (S-CoS) from either the customer CoS (C-CoS) or the customer DSCP (C-DSCP) value, and can map the inner CoS to the outer CoS for any traffic with traditional 802.1Q tunneling (QinQ) or selective QinQ VLAN mapping.
  • Page 584: Classification Based On Qos Acls

    Configuring QoS Understanding QoS Table 56 Typical Traffic Classifications (continued) (columns: Traffic Type, DSCP per-hop, DSCP (decimal), Precedence): Mission critical data (gold data)—delay-sensitive applications critical to the operation of an enterprise: Level 1 AF21, Level 2 AF22, Level 3 AF23. Less critical data (silver data)—noncritical, but relatively important data.
  • Page 585: Classification Based On Vlan Ids

    Configuring QoS Understanding QoS Figure 79 QoS Groups (figure labels: switching functions: 1. classify traffic, 2. set qos-group; egress: 1. match qos-group, 2. output policy). You can use QoS groups to aggregate multiple input streams across input classes and policy maps for the same QoS treatment on the egress port.
  • Page 586 Configuring QoS Understanding QoS The switch supports two policy levels: a parent level and a child level. With the QoS parent-child structure, you can reference a child policy in a parent policy to provide additional control of a specific traffic type. For per-port, per-VLAN QoS, the parent-level class map specifies only the VLAN match criteria, and the child-level class maps provide more detailed classification for frames matching the parent-level class map. You can configure multiple service classes at the parent level to match different combinations of VLANs, and you can apply independent QoS policies to each parent...
  • Page 587: Table Maps

    Configuring QoS Understanding QoS Switch(config-pmap)# class customer-1-vlan Switch(config-pmap-c)# service-policy ingress-policy-1 Switch(config-pmap-c)# exit Switch(config)# interface fastethernet0/1 Switch(config-if)# switchport mode trunk Switch(config-if)# service-policy input customer-1-ingress Switch(config-if)# exit Note: Each per-port, per-VLAN parent policy class, except class-default, can have a child policy association. See Configuring Per-Port Per-VLAN QoS with Hierarchical Input Policy Maps, page 623 for configuration information, including configuration guidelines and limitations.
  • Page 588: Individual Policing

    Individual policing applies only to input policy maps. In policy-map configuration mode, you enter the class command followed by class-map name, and enter policy-map class configuration mode. Cisco Industrial Ethernet Switches support 1-rate, 2-color ingress policing and 2-rate, 3-color policing for individual or aggregate policing.
  • Page 589 Configuring QoS Understanding QoS For 1-rate, 2-color policing, you use the police policy-map class configuration command to define the policer, the committed rate limitations of the traffic, committed burst size limitations of the traffic, and the action to take for a class of traffic that is below the limits (conform-action) and above the limits (exceed-action).
  • Page 590: Aggregate Policing

    Aggregate policing applies only to input policy maps. An aggregate policer differs from an individual policer because it is shared by multiple traffic classes within a policy map. Cisco Industrial Ethernet Switches support 1-rate, 2-color ingress policing and 2-rate, 3-color policing for aggregate policing.
  • Page 591 Configuring QoS Understanding QoS action to be taken when the packet conforms to or exceeds the specified traffic rates. Conform, exceed, and violate actions are to drop the packet, to send the packet without modifications, to set a new CoS, DSCP, or IP precedence value, or to set a QoS group value for classification at the egress.
  • Page 592: Unconditional Priority Policing

    Configuring QoS Understanding QoS Switch(config)# policer aggregate agg1 cir 23000 bc 10000 conform-action set-dscp-transmit af31 set-cos-transmit 3 exceed-action set-dscp-transmit af11 set-cos-transmit 1 Switch(config)# class-map video-provider-1 Switch(config-cmap)# match access-group 1 Switch(config-cmap)# exit Switch(config)# class-map video-provider-2 Switch(config-cmap)# match access-group 2 Switch(config-cmap)# exit Switch(config)# class-map match-any customer1-provider-100 Switch(config-cmap)# match vlan 100 Switch(config-cmap)# exit...
  • Page 593 Configuring QoS Understanding QoS Switch(config)# policy-map policy1 Switch(config-pmap)# class out-class1 Switch(config-pmap-c)# priority Switch(config-pmap-c)# police 200000000 Switch(config-pmap-c)# exit Switch(config-pmap)# class out-class2 Switch(config-pmap-c)# bandwidth 500000 Switch(config-pmap-c)# exit Switch(config-pmap)# class out-class3 Switch(config-pmap-c)# bandwidth 200000 Switch(config-pmap-c)# exit Switch(config-pmap)# exit Switch(config)# interface GigabitEthernet1/17 Switch(config-if)# service-policy output policy1 Switch(config-if)# exit Marking You can use packet marking in input policy maps to set or modify the attributes for traffic belonging to a specific class.
  • Page 594 Configuring QoS QoS Treatment for Performance-Monitoring Protocols Figure 81 Marking of Classified Traffic Unconditionally (figure labels: receive, classify, mark traffic for queuing and scheduling, reclassification and shaping). This example uses a policy map to remark a packet. The first marking (the set command) applies to the QoS default class map that matches all traffic not matched by class AF31-AF33 and sets all traffic to an IP DSCP value of 1.
  • Page 595 Queuing: The CFM traffic (including IP SLAs using CFM probes) is queued according to its CoS value and the output policy map configured on the egress port, similar to normal traffic. This feature cannot change this behavior. IP traffic (including IP SLA and TWAMP probes) is queued according to the markings specified in the cpu traffic qos global configuration command and the output policy map on the egress port.
  • Page 596 QoS Queuing for CPU-Generated Traffic: You can use the QoS markings established for the CPU-generated traffic by the cpu traffic qos global configuration command as packet identifiers in the class-map of an output policy-map to map CPU traffic to class-queues in the output policy-map on the egress port.
  • Page 597: Congestion Management And Scheduling

    CPU-generated traffic only for a specific QoS group. The table-map option is not available.

    Congestion Management and Scheduling

    Cisco Modular QoS CLI (MQC) provides several related mechanisms to control outgoing traffic flow. They are implemented in output policy maps to control output traffic queues. The scheduling stage holds packets until the appropriate time to send them to one of the four traffic queues.
  • Page 598: Traffic Shaping

    You use the shape average policy map class configuration command to specify that a class of traffic should have a maximum permitted average rate. You specify the maximum rate in bits per second. ...
  • Page 599 This example shows how to configure a policy map that shapes a port to 90 Mbps, allocated according to the out-policy policy map configured in the previous example. The service-policy policy map class command is used to create a child policy to the parent:
    Switch(config)# policy-map out-policy-parent
    Switch(config-pmap)# class class-default
    ...
  • Page 600: Priority Queuing

    - When you use the bandwidth policy-map class configuration command to configure a class of traffic as an absolute rate (kilobits per second) or a percentage of total bandwidth, this represents the minimum bandwidth guarantee (CIR) for that traffic class.
  • Page 601: Congestion Avoidance And Queuing

    - You cannot configure priority queuing for the class-default of an output policy map. For more information, see Configuring Output Policy Maps with Class-Based Priority Queuing, page 633.
    This example shows how to configure the class out-class1 as a strict priority queue so that all packets in that class are sent before any other class of traffic.
  • Page 602 Figure 82 on page 598 shows an example of WTD operating on a queue of 1000 frames. Three drop percentages are configured: 40 percent (400 frames), 60 percent (600 frames), and 100 percent (1000 frames). These percentages mean that traffic reclassified to the 40-percent threshold is dropped when the queue depth exceeds 400 frames, traffic reclassified to 60 percent is dropped when the queue depth exceeds 600 frames, and traffic up to 400 frames can be queued at the 40-percent threshold, up to 600 frames at the 60-percent threshold, and up to 1000 frames at the...
  • Page 603
    Switch(config-if)# exit
    You can use these same queue-limit values in multiple output policy maps on the switch. However, changing one of the queue-limit values in a class creates a new, unique queue-limit configuration. You can attach only three unique queue-limit configurations in output policy maps to interfaces at any one time.
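The weighted tail drop behaviour described for Figure 82, and the "three unique queue-limit configurations" limit from page 603, as an added Python model (example code written for this page, not Cisco's implementation and not from the guide). The queue is counted in frames; a frame is dropped when admitting it would push the depth past the threshold mapped to its qualifier, and frames with no mapped qualifier use the queue-limit itself. The traffic mix (DSCP 10 on the 40 percent threshold, DSCP 30 on 60 percent, DSCP 46 unmapped) is constructed for the example, and treating "one unique queue-limit configuration" as one per-class tuple of limit plus qualifier thresholds is an assumption about how the switch counts them.

```python
"""Weighted tail drop (WTD) on one class queue, plus the unique queue-limit budget check.

Added example, not Cisco code. Depth is in frames; a frame is tail-dropped when
admitting it would exceed the threshold mapped to its qualifier
(cos/dscp/precedence/qos-group). The 'unique queue-limit configuration' count
is modelled as one tuple per class (limit plus its qualifier thresholds); that
reading of the guide is an assumption.
"""
from collections import Counter, deque

MAX_UNIQUE_QUEUE_LIMIT_CONFIGS = 3   # limit stated in the guide (page 603)


class WtdQueue:
    def __init__(self, limit: int, thresholds=None):
        self.limit = limit                          # queue-limit <frames>
        self.thresholds = dict(thresholds or {})    # (qualifier, value) -> frames
        self.frames = deque()
        self.accepted = Counter()
        self.dropped = Counter()

    def threshold_for(self, qualifier: str, value: int) -> int:
        # Unmapped traffic may fill the whole queue (the 100 percent threshold).
        return self.thresholds.get((qualifier, value), self.limit)

    def enqueue(self, qualifier: str, value: int) -> bool:
        """Admit the frame unless it would exceed its class threshold (tail drop)."""
        key = (qualifier, value)
        if len(self.frames) + 1 > self.threshold_for(*key):
            self.dropped[key] += 1
            return False
        self.frames.append(key)
        self.accepted[key] += 1
        return True

    def dequeue(self, n: int = 1):
        """The scheduler drains n frames (congestion relief)."""
        return [self.frames.popleft() for _ in range(min(n, len(self.frames)))]


def percent_thresholds(limit: int, pct_map: dict) -> dict:
    """Thresholds given as percentages of the queue, e.g. the 40/60/100 split in Figure 82."""
    return {k: limit * pct // 100 for k, pct in pct_map.items()}


def figure82_example() -> WtdQueue:
    # Constructed traffic: DSCP 10 -> 40 % threshold, DSCP 30 -> 60 %, everything else -> 100 %.
    # No dequeue happens during the burst, so the queue is under sustained congestion.
    q = WtdQueue(1000, percent_thresholds(1000, {("dscp", 10): 40, ("dscp", 30): 60}))
    for _ in range(500):
        q.enqueue("dscp", 10)      # 400 admitted, 100 dropped at the 40 % threshold
    for _ in range(300):
        q.enqueue("dscp", 30)      # 200 admitted (depth 400 -> 600), 100 dropped
    for _ in range(500):
        q.enqueue("dscp", 46)      # 400 admitted (depth 600 -> 1000), 100 dropped
    return q


def queue_limit_budget(policy_maps: dict):
    """policy_maps: {policy: {class: (queue_limit, {(qualifier, value): frames})}}.
    Returns (unique_config_count, within_limit) for the set of attached output policies."""
    configs = {(limit, frozenset(thr.items()))
               for classes in policy_maps.values()
               for limit, thr in classes.values()}
    return len(configs), len(configs) <= MAX_UNIQUE_QUEUE_LIMIT_CONFIGS


if __name__ == "__main__":
    q = figure82_example()
    print("accepted", dict(q.accepted), "dropped", dict(q.dropped))
```

Run it before attaching a new output policy: `queue_limit_budget` over the policies already attached plus the candidate tells you whether the fourth unique queue-limit configuration will be rejected, which is the failure mode the note on page 603 warns about.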
  • Page 604: Default Qos Configuration

    Switch(config-pmap-c)# bandwidth percent 20
    Switch(config-pmap-c)# queue-limit 32
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class outclass3
    Switch(config-pmap-c)# bandwidth percent 10
    Switch(config-pmap-c)# queue-limit 16
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class class-default
    Switch(config-pmap-c)# bandwidth percent 10
    Switch(config-pmap-c)# queue-limit 272
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# exit
    Switch(config)# interface gigabitethernet 0/1
    Switch(config-if)# service-policy output out-policy
    Switch(config-if)# exit
    You can configure and attach as many output policy maps as there are switch ports, but only three unique queue-limit...
  • Page 605: Qos Configuration Guidelines

    The packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode without any rewrites and classified as best effort without any policing.

    QoS Configuration Guidelines
    - ...
  • Page 606: Using Acls To Classify Traffic

    - If the number of internal QoS labels exceeds 256, you receive an error message.
    - Table maps are not supported for violate-action for aggregate policing unless you configure a table map for exceed-action and no explicit action is configured for violate-action. For both individual and aggregate policers, if you do not configure a violate-action, by default the violate class is assigned the same action as the exceed-action.
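The conform/exceed/violate semantics described under Understanding QoS (page 591) and the default violate-action rule in the guideline above, as an added token-bucket model in Python (example code written for this page, not the switch's implementation and not from the guide). It models the 1-rate 2-color policer as a single CIR bucket and the 2-rate 3-color policer as the colour-blind two-rate three-colour marker of RFC 2698 (CIR/bc and PIR/be buckets, both starting full). Rates are bits per second and bursts are bytes, as in the police and policer aggregate commands; the continuous refill and the packet burst (eight 500-byte frames at t=0, one more a second later) are constructed for the example, so exact boundary behaviour on hardware can differ.

```python
"""Token-bucket policer model: 1-rate 2-color and 2-rate 3-color (RFC 2698 trTCM, color-blind).

Added example, not Cisco code. Rates are bits per second, bursts and packet
sizes are bytes. Continuous refill at the configured rate is an assumption;
the hardware updates its buckets in discrete steps.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policer:
    cir: int                      # committed rate, bps
    bc: int                       # committed burst, bytes (CIR bucket depth)
    pir: Optional[int] = None     # peak rate, bps; None => 1-rate 2-color policer
    be: Optional[int] = None      # peak burst, bytes (PIR bucket depth)
    _tc: float = field(init=False, repr=False, default=0.0)
    _tp: float = field(init=False, repr=False, default=0.0)
    _last: float = field(init=False, repr=False, default=0.0)

    def __post_init__(self):
        if (self.pir is None) != (self.be is None):
            raise ValueError("pir and be must be given together")
        self._tc = float(self.bc)            # both buckets start full
        self._tp = float(self.be or 0)

    def _refill(self, now: float) -> None:
        dt = max(0.0, now - self._last)
        self._last = max(self._last, now)
        self._tc = min(self.bc, self._tc + self.cir * dt / 8)
        if self.pir is not None:
            self._tp = min(self.be, self._tp + self.pir * dt / 8)

    def color(self, size: int, now: float) -> str:
        """Return 'conform', 'exceed' or 'violate' for a packet of `size` bytes at time `now`."""
        self._refill(now)
        if self.pir is None:                 # 1-rate 2-color: only conform / exceed
            if self._tc >= size:
                self._tc -= size
                return "conform"
            return "exceed"
        if self._tp < size:                  # above the PIR bucket: violate (red)
            return "violate"
        if self._tc < size:                  # within PIR, above CIR: exceed (yellow)
            self._tp -= size
            return "exceed"
        self._tc -= size                     # within CIR: conform (green)
        self._tp -= size
        return "conform"


def resolve_actions(conform: str, exceed: str, violate: Optional[str] = None) -> dict:
    """Map colors to policy actions. Per the guide, an unconfigured violate-action
    takes the exceed-action, for both individual and aggregate policers."""
    return {"conform": conform, "exceed": exceed,
            "violate": exceed if violate is None else violate}


def police(policer: Policer, packets, actions: dict):
    """packets: iterable of (timestamp_seconds, size_bytes). Returns [(color, action), ...]."""
    return [(c, actions[c]) for c in (policer.color(size, t) for t, size in packets)]


def demo():
    # Constructed burst: eight 500-byte frames back to back at t=0, one more a second later.
    burst = [(0.0, 500)] * 8 + [(1.0, 500)]
    two_rate = Policer(cir=8000, bc=1500, pir=16000, be=3000)
    one_rate = Policer(cir=8000, bc=1500)
    acts = resolve_actions("transmit", "set-dscp-transmit af11")   # no violate-action configured
    return (police(two_rate, burst, acts),
            police(one_rate, burst, resolve_actions("transmit", "drop")))


if __name__ == "__main__":
    for name, result in zip(("2-rate 3-color", "1-rate 2-color"), demo()):
        print(name, [c for c, _ in result])
```

With the two-rate policer the burst splits into three conforming, three exceeding and two violating frames, and because no violate-action was given the violating frames are remarked to af11 rather than dropped; if the intent was to drop out-of-contract traffic, that default is the thing to check in the running configuration.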
  • Page 607: Creating Ip Extended Acls

    Command / Purpose
    configure terminal: Enter global configuration mode.
    access-list access-list-number permit source [source-wildcard]: Create an IP standard ACL, repeating the command as many times as necessary.
    - For access-list-number, enter the access list number. The range is 1 to 99 and 1300 to 1999.
  • Page 608
    Command / Purpose
    configure terminal: Enter global configuration mode.
    access-list access-list-number permit protocol {source source-wildcard destination destination-wildcard}: Create an IP extended ACL. Repeat the step as many times as necessary.
    - For access-list-number, enter the access list number. The range is 100 to 199 and 2000 to 2699.
  • Page 609: Creating Layer 2 Mac Acls

    This example shows how to create an ACL that permits IP traffic from any source to any destination that has the DSCP value set to 32:
    Switch(config)# access-list 100 permit ip any any dscp 32
    This example shows how to create an ACL that permits IP traffic from a source host at 10.1.1.1 to a destination host at 10.1.1.2 with a precedence value of 5:
    Switch(config)# access-list 100 permit ip host 10.1.1.1 host 10.1.1.2 precedence 5

    Creating Layer 2 MAC ACLs...
  • Page 610: Using Class Maps To Define A Traffic Class

    Using Class Maps to Define a Traffic Class

    You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. A class map defines the criteria to use to match against a specific traffic flow to further classify it. Match statements can include criteria such as an ACL, CoS value, DSCP value, IP precedence values, QoS group values, or VLAN IDs.
  • Page 611
    Command / Purpose
    configure terminal: Enter global configuration mode.
    class-map [match-all | match-any] class-map-name: Create a class map, and enter class-map configuration mode. By default, no class maps are defined.
    - (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map.
  • Page 612: Configuring Table Maps

    Use the no form of the appropriate command to delete an existing class map or remove a match criterion. This example shows how to create access list 103 and configure the class map called class1. Class map class1 has one match criterion, which is access list 103.
  • Page 613: Attaching A Traffic Policy To An Interface

    Command / Purpose
    configure terminal: Enter global configuration mode.
    table-map table-map-name: Create a table map by entering a table-map name and entering table-map configuration mode.
    map from from-value to to-value: Enter the mapping values to be included in the table. For example, if the table map is a DSCP-to-CoS table map, the from-value would be the DSCP value and the to-value would be the CoS value.
  • Page 614: Configuring Input Policy Maps

    Beginning in privileged EXEC mode, follow these steps to attach a policy map to a port:
    Command / Purpose
    configure terminal: Enter global configuration mode.
    interface interface-id: Specify the port to attach to the policy map, and enter interface configuration mode.
  • Page 615: Configuring Input Policy Maps With Individual Policing

    - On an 802.1Q tunnel port, you can use only an input policy map with Layer 2 classification based on MAC ACLs to classify traffic. Input policy maps with Layer 3 classification or with Layer 2 classification based on CoS or VLAN ID are not supported on tunnel ports.
  • Page 616
    Command / Purpose
    configure terminal: Enter global configuration mode.
    policy-map policy-map-name: Create a policy map by entering the policy map name, and enter policy-map configuration mode. By default, no policy maps are defined.
    class {class-map-name | class-default}: Enter a class-map name or class-default to match all unclassified packets, and enter policy-map class configuration mode.
  • Page 617
    Command / Purpose
    exceed-action cos {cos_value | cos [table table-map-name] | dscp [table table-map-name] | precedence [table table-map-name]}: (Optional) Enter the action to be taken for packets that do not conform to the CIR.
    - For cos cos_value, enter a new CoS value to be assigned to the classified traffic.
  • Page 618
    Command / Purpose
    configure terminal: Enter global configuration mode.
    policy-map policy-map-name: Create a policy map by entering the policy map name, and enter policy-map configuration mode. By default, no policy maps are defined.
    class {class-map-name | class-default}: Enter a class-map name or class-default to match all unclassified packets, and enter policy-map class configuration mode.
  • Page 619
    Command / Purpose
    conform-action [drop | set-cos-transmit {cos_value | [cos | dscp | precedence] [table table-map name]} | set-dscp-transmit ...: (Optional) Enter the action to be taken on packets, depending on whether or not they conform to the CIR and PIR.
  • Page 620
    Command / Purpose
    end: Return to privileged EXEC mode.
    show policy-map [policy-map-name | interface]: Verify your entries.
    copy running-config startup-config: (Optional) Save your entries in the configuration file.
    After you have created an input policy map, you attach it to an interface in the input direction. See Attaching a Traffic Policy to an Interface, page 609.
  • Page 621: Configuring Input Policy Maps With Aggregate Policing

    Switch(config-pmap-c)# police 230000 8000 conform-action set-dscp-transmit 33 exceed-action drop
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# exit
    Switch(config)# interface fastethernet0/1
    Switch(config-if)# service-policy input in-policy
    Switch(config-if)# exit
    This example shows how to use policy-map class police configuration mode to set multiple conform actions and an exceed action.
  • Page 622
    - When CPU protection is enabled (the default), you can configure 45 ingress policers per port. If you disable CPU protection by entering the no policer cpu uni all global configuration command and reloading the switch, you can configure a maximum of 63 policers per port (62 on every 4th port) for user-defined classes and one for class-default.
  • Page 623
    Command / Purpose
    configure terminal: Enter global configuration mode.
    policer aggregate aggregate-policer-name {rate-bps | cir cir-bps} [bc burst-value] [conform-action [set-cos-transmit ...: Define the policer parameters that can be applied to multiple traffic classes within the same policy map.
  • Page 624
    Command / Purpose
    configure terminal: Enter global configuration mode.
    policer aggregate aggregate-policer-name {rate-bps | cir cir-bps} [burst-bytes] [bc conform-burst] [pir pir-bps [be peak-burst]] ...: Define the policer parameters that can be applied to multiple traffic classes within the same policy map.
  • Page 625
    Command / Purpose
    class {class-map-name | class-default}: Enter a class-map name or class-default to match all unclassified packets, and enter policy-map class configuration mode. If you enter a class-map name, you must have already created the class map by using the class-map global configuration command.
    police aggregate aggregate-policer-name: Apply an aggregate policer to multiple classes in the same policy map.
  • Page 626: Configuring Input Policy Maps With Marking

    Switch(config-cmap)# exit
    Switch(config)# class-map testclass2
    Switch(config-cmap)# match access-group 2
    Switch(config-cmap)# exit
    Switch(config)# policy-map testexample
    Switch(config-pmap)# class testclass
    Switch(config-pmap-c)# police aggregate example
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class testclass2
    Switch(config-pmap-c)# police aggregate example
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# exit
    Switch(config)# interface fastethernet0/1
    Switch(config-if)# service-policy input testexample
    Switch(config-if)# exit

    Configuring Input Policy Maps with Marking...
  • Page 627
    Command / Purpose
    exit: Return to policy-map configuration mode.
    exit: Return to global configuration mode.
    interface interface-id: Enter interface configuration mode for the interface to which you want to attach the policy.
    service-policy input policy-map-name: Attach the policy map (created in Step 2) to the ingress interface.
    end: Return to privileged EXEC mode.
  • Page 628
    - You cannot configure a mixture of Layer 2 and Layer 3 class maps in a child policy map. When you attempt to associate such a child policy map with a parent policy, the configuration is rejected. However, you can associate Layer 2 child policies and Layer 3 child policies with different parent-level class maps.
  • Page 629
    Command / Purpose
    configure terminal: Enter global configuration mode.
    class-map [match-all | match-any] child-class-map-name: Create a class map, and enter class-map configuration mode. By default, no class maps are defined.
    - (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map.
  • Page 630
    Command / Purpose
    end: Return to privileged EXEC mode.
    show class-map: Verify your entries.
    copy running-config startup-config: (Optional) Save your entries in the configuration file.

    Creating Parent-Policy Class Maps

    Beginning in privileged EXEC mode, follow these steps to create one or more parent-policy class maps:
    Command / Purpose
    configure terminal: ...
  • Page 631
    Creating a Parent Policy Map

    Beginning in privileged EXEC mode, follow these steps to create a parent policy map and attach it to an interface:
    Command / Purpose
    configure terminal: Enter global configuration mode.
    policy-map parent-policy-map-name: Create a parent policy map by entering the policy map name, and enter policy-map configuration mode.
  • Page 632: Configuring Output Policy Maps

    Switch(config-cmap)# exit
    Switch(config)# policy-map child-policy-1
    Switch(config-pmap)# class voice
    Switch(config-pmap-c)# police cir 10000000 bc 50000
    Switch(config-pmap-c-police)# conform-action set-cos-transmit 5
    Switch(config-pmap-c-police)# exceed-action drop
    Switch(config-pmap-c-police)# exit
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class video
    Switch(config-pmap-c)# set cos 4
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class class-default
    Switch(config-pmap-c)# set cos 0
    Switch(config-pmap-c)# exit
    Switch(config)# policy-map child-policy-2
    ...
  • Page 633
    - All output policy maps must have the same number of class maps defined, either 1, 2, or 3.
    - All output policy maps must use the same set of classes, although the actions for each class can differ for each output policy map.
  • Page 634
    Configuring Output Policy Maps with Class-Based Weighted Queuing

    You use the bandwidth policy-map class configuration command to configure class-based weighted fair queuing (CBWFQ). CBWFQ sets the relative precedence of a queue by allocating a portion of the total bandwidth that is available for the port.
  • Page 635
    Command / Purpose
    interface interface-id: Enter interface configuration mode for the interface to which you want to attach the policy.
    service-policy output policy-map-name: Attach the policy map (created in Step 2) to the egress interface.
    end: Return to privileged EXEC mode.
    show policy-map [policy-map-name [class ...: Verify your entries.
  • Page 636: Configuring Output Policy Maps With Port Shaping

    Command / Purpose
    configure terminal: Enter global configuration mode.
    policy-map policy-map-name: Create a policy map by entering the policy map name, and enter policy-map configuration mode.
    class {class-map-name | class-default}: Enter a child class-map name or class-default to match all unclassified packets, and enter policy-map class configuration mode.
  • Page 637
    Command / Purpose
    service-policy policy-map-name: Specify the child policy-map to be used in the hierarchical policy map if required.
    exit: Return to policy-map configuration mode.
    exit: Return to global configuration mode.
    interface interface-id: Enter interface configuration mode for the interface to which you want to attach the policy.
  • Page 638
    - You cannot configure priority queuing without policing for a traffic class when class-based shaping (shape average) or CBWFQ (bandwidth) is configured for another class within the output policy-map.
    - When you configure priority queuing without policing for a traffic class, you can only configure the other queues for sharing by using the bandwidth remaining percent policy-map class configuration command to allocate excess bandwidth.
  • Page 639
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class out-class2
    Switch(config-pmap-c)# bandwidth remaining percent 50
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class out-class3
    Switch(config-pmap-c)# bandwidth remaining percent 20
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# exit
    Switch(config)# interface GigabitEthernet1/17
    Switch(config-if)# service-policy output policy1
    Switch(config-if)# exit

    Configuring Priority With Police

    You can use the priority with police feature and configure an unconditional priority policer to limit the bandwidth used by the priority queue and allocate bandwidth or shape other queues.
  • Page 640
    Command / Purpose
    police {rate-bps | cir cir-bps}: Define a policer for the priority class of traffic.
    - For rate-bps, specify the average traffic rate in bits per second (bps). The range is 64000 to 1000000000.
    Note: When you use the police command with the priority command in an output policy, the police rate range and the CIR range is 64000 to 1000000000 bps, even though the range that appears in the CLI help is 8000 to 1000000000.
  • Page 641: Configuring Output Policy Maps With Weighted Tail Drop

    Command / Purpose
    exit: Return to global configuration mode.
    interface interface-id: Enter interface configuration mode for the interface to which you want to attach the policy.
    service-policy output policy-map-name: Attach the policy map (created in Step 3) to the egress interface.
    end: Return to privileged EXEC mode.
  • Page 642
    - You cannot configure more than two unique threshold values for the WTD qualifiers (cos, dscp, precedence, or qos-group) in the queue-limit command. However, there is no limit to the number of qualifiers that you can map to those thresholds.
  • Page 643
    Command / Purpose
    queue-limit [cos value | dscp value | precedence value | qos-group value] number-of-packets [packets]: Specify the queue size for the traffic class.
    - (Optional) For cos value, specify a CoS value. The range is from 0 to 7.
  • Page 644
    Switch(config-pmap)# class traffic
    Switch(config-pmap-c)# bandwidth percent 50
    Switch(config-pmap-c)# queue-limit 112
    Switch(config-pmap-c)# queue-limit dscp 30 48
    Switch(config-pmap-c)# queue-limit dscp 10 32
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class class-default
    Switch(config-pmap-c)# bandwidth percent 10
    Switch(config-pmap-c)# queue-limit 256
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# exit
    Switch(config)# interface GigabitEthernet1/17
    Switch(config-if)# service-policy output gold-policy
    ...
  • Page 645
    Command / Purpose
    cpu traffic qos precedence {precedence_value | cos [table-map table-map-name] | dscp [table-map table-map-name] | prec [table-map table-map-name]}...: Mark traffic by setting a new precedence value or by specifying a table map.
    - For precedence new-precedence, enter a new IP-precedence value as a number from 0 to 7 or by name: routine (0), priority (1), ...
  • Page 646
    - All CFM traffic is queued to the default class because there is no class based on CoS.
    Switch(config)# cpu traffic qos dscp dscp
    Class:
    Switch(config)# class-map match-any video
    Switch(config-cmap)# match ip dscp af41 af42 af43
    Switch(config-cmap)# exit
    Switch(config)# class-map match-any voice
    Switch(config-cmap)# match ip dscp ef
    ...
  • Page 647
    - All CPU-generated non-IP traffic with CoS 6 and 7 is assigned to the network-internetwork-control class.
    - All CFM traffic with CoS 5 is assigned to the voice class.
    - All CFM traffic with CoS 3 is assigned to the video class.
    - ...
  • Page 648
    Switch(config)# interface fastethernet0/1
    Switch(config-if)# service-policy output output-policy
    Switch(config-if)# exit
    Example 3
    This example shows how to:
    - Mark the DSCP value of CPU-generated IP traffic (including IP-SLA and TWAMP) based on the DSCP value in the packet.
  • Page 649: Displaying Qos Information

    Switch(config)# cpu traffic qos dscp dscp table-map dscp-to-dscp
    Switch(config)# cpu traffic qos cos dscp table dscp-to-cos
    Switch(config)# cpu traffic qos cos cos table cos-to-cos
    Switch(config)# cpu traffic qos qos-group 50
    Class:
    Switch(config)# class-map match-any cpu-traffic
    Switch(config-cmap)# match qos-group 50
    Switch(config-cmap)# exit
    Switch(config)# class-map match-any user-video
    ...
  • Page 650: Qos Statistics

    Configuration Examples for Policy Maps

    This section includes configuration examples for configuring QoS policies on the Cisco IE switch, including configuration limitations and restrictions. The sections are organized by the configuration actions that a customer might perform. Each section provides the exact sequence of steps that you must follow for successful configuration or modification.
  • Page 651: Qos Configuration For Customer A

    QoS Configuration for Customer A

    This section provides examples of the initial configuration and activation of QoS policies for a customer switch. Input and output QoS service policies are configured based on the requirements and attached to relevant ports. In the initial configuration for Customer A, Gigabit Ethernet ports 1 and 2 are network node interfaces (NNIs) and are enabled by default.
  • Page 652: Qos Configuration For Customer B

    This example configures classes for output service policies with three classes of service: gold, silver, and bronze. The gold class is configured to match the marked value in the input service policy. Because a match-all classification (the default) can have only a single classification criterion, the match-any classification is used so that you can add classification criteria in the future.
  • Page 653: Modifying Output Policies And Adding Or Deleting Classification Criteria

    - The number of defined classes in each output policy map must be the same.
    - You must assign an action to each class; that is, there can be no empty class.
    - Each class configuration must be based on the classification/marking done in the input policy-map.

    Modifying Output Policies and Adding or Deleting Classification Criteria

    This section provides examples of updating an existing set of output policy maps to add or delete classification criteria.
  • Page 654: Modifying Output Policies And Adding Or Deleting Configured Actions

    - Each class configuration must be based on the classification or marking done in the input policy-map.

    Modifying Output Policies and Adding or Deleting Configured Actions

    This section provides examples of updating an existing set of output policy maps to add or delete queuing and scheduling actions.
  • Page 655: Modifying Output Policies And Adding Or Deleting A Class

    These steps activate all Gigabit Ethernet ports:
    Switch(config)# interface range GigabitEthernet1/17-18
    Switch(config-if-range)# no shutdown
    Switch(config-if-range)# exit

    Modifying Output Policies and Adding or Deleting a Class

    This section provides examples of updating an existing set of output policy maps to add or delete entire classes. The modification in the output policy map might be required due to a change in the service provisioning requirements or a change in the input service policy.
  • Page 656
    Switch(config-if-range)# exit
    These steps activate all applicable Ethernet ports:
    Switch(config)# interface range GigabitEthernet1/17-18
    Switch(config-if-range)# no shutdown
    Switch(config-if-range)# exit
    You should use the same procedure when adding a class to an attached output service policy. Note: Problems can occur if you do not follow the previous sequence.
  • Page 657 VLAN 20 interface to Switch B. Switch B receives the packet and forwards it to Host C. When static routing is enabled on Switch A and B, the router device is no longer needed to route packets.
  • Page 658 (Configuring Static IP Unicast Routing) Types of Routing: Routers and Layer 3 switches can route packets in these ways:
    - Using default routing to send traffic with a destination unknown to the router to a default outlet or destination
    - ...
  • Page 659 Configuring Static Unicast Routes: An IP address identifies a destination for IP packets. Some IP addresses are reserved for special uses and cannot be used for host, subnet, or network addresses. RFC 1166, “Internet Numbers,” contains the official description of these IP addresses.
  • Page 660 MIBs: MIBs Link — To locate and download MIBs for the switch's Cisco IOS software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml RFCs...
  • Page 661 The IPv6 address space reduces the need for private addresses and Network Address Translation (NAT) processing by border routers at network edges. For information about how Cisco Systems implements IPv6, go to this URL: http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html For information about IPv6 and other features in this chapter ...
  • Page 662: Bit Wide Unicast Addresses

    For more information about IPv6 address formats, address types, and the IPv6 packet header, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter of Cisco IOS IPv6 Configuration Library on Cisco.com. In the “Implementing Addressing and Basic Connectivity” chapter, these sections apply to the switch: ...
  • Page 663 For more information, see the section about IPv6 unicast addresses in the “Implementing IPv6 Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. DNS for IPv6 IPv6 supports Domain Name System (DNS) record types in the DNS name-to-address and address-to-name lookup processes.
  • Page 664 Cisco Discovery Protocol (CDP) support for IPv6 addresses For more information about managing these applications, see the “Managing Cisco IOS Applications over IPv6” chapter and the “Implementing IPv6 Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
  • Page 665 For more information about static routes, see the “Implementing Static Routes for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
  • Page 666 FF02::1  all-routers link-local multicast group FF02::2 For more information about configuring IPv6, see the “Implementing Addressing and Basic Connectivity for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. Command Purpose configure terminal Enters global configuration mode.
  • Page 667 Configuring IPv6 Host Functions How to Configure IPv6 Hosting Command Purpose  ipv6 address ipv6-prefix/prefix length eui-64 Specifies a global IPv6 address with an extended unique identifier (EUI) in the low-order 64 bits of the IPv6 address.  Specifies only the network prefix; the last 64 bits are automatically computed from the switch MAC address.
  • Page 668 Configuring IPv6 Host Functions Monitoring and Maintaining IPv6 Host Information Command Purpose configure terminal Enters global configuration mode. ipv6 icmp error-interval interval [bucketsize] Configures the interval and bucket size for IPv6 ICMP error messages:  interval—The interval (in milliseconds) between tokens being added to the bucket.
  • Page 669 Configuring IPv6 Host Functions Configuration Examples for IPv6 Host Functions Switch# show ipv6 interface gigabitethernetfastethernet1/0/11 GigabitEthernetFastEthernet1/0/11 is up, line protocol is up IPv6 is enabled, link-local address is FE80::20B:46FF:FE2F:D940 Global unicast address(es): 2001:0DB8:c18:1:20B:46FF:FE2F:D940, subnet is 2001:0DB8:c18:1::/64 [EUI] Joined group address(es): FF02::1 FF02::2 FF02::1:FF2F:D940...
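How the eui-64 keyword on page 667 derives the low-order 64 bits, and where the addresses in the show ipv6 interface output above come from, as an added Python example (written for this page; not Cisco code and not from the guide). The MAC address 00:0B:46:2F:D9:40 is inferred from the page's FE80::20B:46FF:FE2F:D940 link-local address and is not stated in the guide; the global prefix 2001:DB8:C18:1::/64 is the one shown in the output. The reverse function is the practitioner's caveat: any EUI-64 address carries the switch's hardware address, so it can be read back from a capture.

```python
"""Modified EUI-64 interface identifiers, as used by `ipv6 address prefix/64 eui-64`.

Added example, not Cisco code. Derives the interface ID from a MAC (flip the
universal/local bit of the first octet, insert FF:FE in the middle), builds
the global, link-local and solicited-node multicast addresses, and recovers
the MAC from an address. The MAC 00:0B:46:2F:D9:40 is inferred from the
guide's show ipv6 interface output; it is not stated on the page.
"""
import ipaddress
import re


def _mac_bytes(mac: str) -> bytearray:
    """Accept 00:0b:46:2f:d9:40, 00-0b-46-2f-d9-40 or Cisco dotted 000b.462f.d940."""
    hexdigits = re.sub(r"[:.\-]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytearray(bytes.fromhex(hexdigits))


def modified_eui64(mac: str) -> bytes:
    b = _mac_bytes(mac)
    b[0] ^= 0x02                      # invert the universal/local bit (RFC 4291, Appendix A)
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """prefix is a /64 network such as 2001:db8:c18:1::/64 (prefix bits only, as on the CLI)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("eui-64 needs a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local(mac: str) -> ipaddress.IPv6Address:
    return eui64_address("fe80::/64", mac)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX with the low 24 bits of the unicast address (FF02::1:FF2F:D940 in the output)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def mac_from_eui64_address(addr: str):
    """Recover the MAC if the address carries an EUI-64 IID, else None.
    This is the privacy cost of eui-64: the hardware address travels in every packet."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in raw)


if __name__ == "__main__":
    mac = "000b.462f.d940"                      # inferred from the guide's output
    g = eui64_address("2001:db8:c18:1::/64", mac)
    print(g, link_local(mac), solicited_node(str(g)), mac_from_eui64_address(str(g)))
```

The global and link-local results match the two addresses printed on page 669 and the solicited-node result matches the third joined group, which is a quick way to confirm that an interface really did derive its address with eui-64 rather than from a static or privacy-extension configuration.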
  • Page 670 Configuring IPv6 Host Functions Configuration Examples for IPv6 Host Functions ND router advertisements live for 1800 seconds <output truncated> This is an example of the output from the show ipv6 protocols privileged EXEC command: Switch# show ipv6 protocols IPv6 Routing Protocol is “connected” IPv6 Routing Protocol is “static”...
  • Page 671 Configuring IPv6 Host Functions Additional References 0 hopcount expired, 0 reassembly timeout, 0 too big 0 echo request, 0 echo reply 0 group query, 0 group report, 0 group reduce 0 router solicit, 9944 router advert, 0 redirects 84 neighbor solicit, 84 neighbor advert UDP statistics: Rcvd: 0 input, 0 checksum errors, 0 length errors 0 no port, 0 dropped...
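The eui-64 keyword in the earlier procedure fills the low 64 bits of the address from the switch MAC address, and the show ipv6 interface output above shows the result. The following Python, added here as an example and not code from the Cisco guide, performs that derivation and its inverse using only the standard library. The MAC 00:0B:46:2F:D9:40 is the one implied by the link-local address FE80::20B:46FF:FE2F:D940 in the output and is used only to check the computation. The inverse function is the caveat a practitioner wants: an EUI-64 address hands the switch's MAC, and so its vendor OUI, to anyone who sees a packet.

```python
"""EUI-64 interface identifiers, as produced by `ipv6 address <prefix>/64 eui-64`.

Added example; not code from the Cisco guide. Standard library only. The MAC
00:0B:46:2F:D9:40 is the one implied by the `show ipv6 interface` output in the
guide (FE80::20B:46FF:FE2F:D940) and is used here only to verify the derivation.
"""
import ipaddress
from typing import Optional, Union

Addr = Union[str, ipaddress.IPv6Address]


def eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface ID for a 48-bit MAC (RFC 4291, Appendix A).

    The MAC is split into its 24-bit OUI and 24-bit device halves, 0xFFFE is
    inserted between them, and the universal/local bit (bit 1 of the first
    octet) is inverted, so 00:0B:46:... becomes 020B:46FF:FE...
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a 64-bit prefix ('2001:DB8:c18:1::/64', 'FE80::/64') with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("eui-64 needs a 64-bit prefix; the interface ID fills the low 64 bits")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def solicited_node_group(addr: Addr) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx for a unicast address: its low 24 bits appended to FF02::1:FF00:0.

    This is the group listed under "Joined group address(es)" next to FF02::1
    (all nodes) and FF02::2 (all routers); Neighbor Solicitations for the
    address are sent to it.
    """
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def mac_from_eui64(addr: Addr) -> Optional[str]:
    """Recover the MAC from an EUI-64 address, or None if the FFFE marker is absent.

    The derivation is reversible, so every EUI-64 address advertises the
    switch's MAC (and therefore its vendor OUI) on the wire.
    """
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:0b:46:2f:d9:40"   # constructed from the output shown in the guide
    link_local = eui64_address("FE80::/64", mac)
    global_addr = eui64_address("2001:0DB8:c18:1::/64", mac)
    print("link-local     ", link_local)
    print("global unicast ", global_addr)
    print("solicited-node ", solicited_node_group(global_addr))
    print("MAC recovered  ", mac_from_eui64(link_local))
```

Running it reproduces the three addresses in the output (link-local, global unicast and the FF02::1:FF2F:D940 solicited-node group), and recovers the MAC from either unicast address.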
  • Page 672 MIBs: MIBs Link: To locate and download MIBs for the Cisco IOS software on the switch, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml RFCs...
  • Page 673 1, and port 2 is connected to server 2. Port 1 and port 2 are the downstream interfaces in link state group 1. Port 5 and port 6 are connected to distribution switch 1 through link state group 1. Port 5 and port 6 are the upstream interfaces in link state group 1.
  • Page 674 Configuring Link State Tracking Link State Tracking  Link state group 2 on switch A: Switch A provides secondary links to server 3 and server 4 through link state group 2. Port 3 is connected to server 3, and port 4 is connected to server 4. Port 3 and port 4 are the downstream interfaces in link state group 2.
  • Page 675 Configuring Link State Tracking Link State Tracking Figure 85 Typical Link State Tracking Configuration (figure labels: Network, Layer 3 link, Distribution switch 1, Distribution switch 2, Link-state group 1, Link-state group 2, and the upstream and downstream ports of each group)
  • Page 676 Configuring Link State Tracking How to Configure Link State Tracking How to Configure Link State Tracking Configuring Link State Tracking Command Purpose configure terminal Enters global configuration mode. link state track number Creates a link state group, and enables link state tracking. The group number can be 1 to 2;...
  • Page 677 Configuring Link State Tracking Additional References (Up): Interface up (Dwn): Interface down (Dis): Interface disabled Creating a Link State Group: Example This example shows how to create a link state group and configure the interfaces:
    Switch# configure terminal
    Switch(config)# link state track 1
    Switch(config)# interface range GigabitEthernet1/17 -2
    Switch(config-if)# link state group 1 upstream
    Switch(config-if)# interface GigabitEthernet1/17...
  • Page 678 MIBs: MIBs Link: To locate and download MIBs for the Cisco IOS software on the switch, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml RFCs...
  • Page 679 Configuring IP Multicast Routing This chapter describes how to configure IP multicast routing on the Cisco Industrial Ethernet switch, hereafter referred to as switch. IP multicasting is a more efficient way to use network resources, especially for bandwidth-intensive services such as audio and video. IP multicast routing enables a host (source) to send packets to a group of hosts (receivers) anywhere within the IP network by using a special form of IP address called the IP multicast group address.
  • Page 680: IGMP Version 1

    Configuring IP Multicast Routing Information About Cisco’s Implementation of IP Multicast Routing  If the packet has a multicast IP address and a unicast MAC address, the packet is forwarded in software. This can occur because some protocols on legacy devices use unicast MAC addresses with multicast IP addresses.
  • Page 681: IGMP Version 2

    Configuring IP Multicast Routing Information About Cisco’s Implementation of IP Multicast Routing IGMP Version 2 IGMPv2 extends IGMP functionality by providing such features as the IGMP leave process to reduce leave latency, group-specific queries, and an explicit maximum query response time. IGMPv2 also adds the capability for routers to elect the IGMP querier without depending on the multicast protocol to perform this task.
  • Page 682: PIM Modes

    Configuring IP Multicast Routing Information About Cisco’s Implementation of IP Multicast Routing  PIM packets are no longer inside IGMP packets; they are standalone packets. PIM Modes PIM can operate in dense mode (DM), sparse mode (SM), or in sparse-dense mode (PIM DM-SM), which handles both sparse groups and dense groups at the same time.
  • Page 683: IGMP Helper

    This proprietary feature eliminates the need to manually configure the RP information in every router and multilayer switch in the network. For Auto-RP to work, you configure a Cisco router or multilayer switch as the mapping agent. It uses IP multicast to learn which routers or switches in the network are possible candidate RPs to receive candidate RP announcements.
  • Page 684: Bootstrap Router

    Configuring IP Multicast Routing Information About Cisco’s Implementation of IP Multicast Routing Bootstrap Router PIMv2 BSR is another method to distribute group-to-RP mapping information to all PIM routers and multilayer switches in the network. It eliminates the need to manually configure RP information in every router and switch in the network.
  • Page 685: SSM Components Overview

    SSM is a datagram delivery model that best supports one-to-many applications, also known as broadcast applications. SSM is a core networking technology for the Cisco implementation of IP multicast solutions targeted for audio and video broadcast application environments. The switch supports these components that support the implementation of SSM: ...
  • Page 686: How SSM Differs From Internet Standard Multicast

    Configuring IP Multicast Routing Information About Cisco’s Implementation of IP Multicast Routing To run SSM with IGMPv3, SSM must be supported in the Cisco IOS router, the host where the application is running, and the application itself. How SSM Differs from Internet Standard Multicast The current IP multicast infrastructure in the Internet and many enterprise intranets is based on the PIM-SM protocol and Multicast Source Discovery Protocol (MSDP).
  • Page 687: IGMPv3 Host Signalling

    Configuring IP Multicast Routing Information About Cisco’s Implementation of IP Multicast Routing IGMPv3 Host Signalling In IGMPv3, hosts signal membership to last hop routers of multicast groups. Hosts can signal group membership with filtering capabilities with respect to sources. A host can either signal that it wants to receive traffic from all sources sending to a group except for some specific sources (called exclude mode), or that it wants to receive traffic only from some specific sources sending to the group (called include mode).
  • Page 688 Configuring IP Multicast Routing Information About Cisco’s Implementation of IP Multicast Routing Figure 88 DNS-Based SSM-Mapping (figure labels: Source, (S, G) Join, DNS server, DNS response, Reverse DNS lookup, IGMPv2 membership report, STB host 1, STB host 2, STB host 3) The SSM mapping mechanism that enables the last hop router to join multiple sources for a group can provide source redundancy for a TV broadcast.
  • Page 689 Configuring IP Multicast Routing Prerequisites Figure 89 Shared Tree and Source Tree (Shortest-Path Tree) (figure labels: Source, Router A, Router B, Router C, Receiver; the shared tree is rooted at the RP, the source tree or shortest path tree at the source) If the data rate warrants, leaf routers (routers without any downstream connections) on the shared tree can use the data distribution tree rooted at the source.
  • Page 690 Auto-RP and BSR. If your network includes routers from other vendors, configure the Auto-RP mapping agent and the BSR on a Cisco PIMv2 device. Ensure that no PIMv1 device is located in the path between the BSR and a non-Cisco PIMv2 device.
  • Page 691 If you have non-Cisco PIMv2 routers that need to interoperate with Cisco PIMv1 routers and multilayer switches, both Auto-RP and a BSR are required. We recommend that a Cisco PIMv2 device be both the Auto-RP mapping agent and the BSR. For more information, see Using Auto-RP and a BSR, page 709.
  • Page 692 (required if the interface is in sparse-dense mode, and you want to treat the group as a sparse group)  Using Auto-RP and a BSR, page 709 (required for non-Cisco PIMv2 devices to interoperate with Cisco PIMv1 devices)  Monitoring the RP Mapping Information, page 709 (optional) ...
  • Page 693: Configuring Basic Multicast Routing

    Configuring IP Multicast Routing Configuring IP Multicast Routing Configuring Basic Multicast Routing You must enable IP multicast routing and configure the PIM version and the PIM mode. Then the software can forward multicast packets, and the switch can populate its multicast routing table. Note: To enable IP multicast routing, the switch must be running the IP services image.
  • Page 694 Configuring IP Multicast Routing Configuring IP Multicast Routing DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ip multicast-routing distributed Enable IP multicast distributed switching. interface interface-id Specify the Layer 3 interface on which you want to enable multicast routing, and enter interface configuration mode. The specified interface must be one of the following: ...
  • Page 695: Configuring PIM Stub Routing

    Configuring IP Multicast Routing Configuring IP Multicast Routing EXAMPLE This example enables IP multicast distributed switching and specifies the PIM mode:
    Switch# configure terminal
    Switch(config)# ip multicast-routing distributed
    Switch(config)# interface Gigabitethernet 1/0/0
    Switch(config-if)# ip pim sparse-dense-mode
    Switch(config-if)# end
    Configuring PIM Stub Routing The PIM Stub routing feature supports multicast routing between the distribution layer and the access layer.
  • Page 696 Configuring IP Multicast Routing Configuring IP Multicast Routing
    Switch(config-if)# ip pim passive
    Switch(config-if)# exit
    Switch(config)# interface GigabitEthernet0/20
    Switch(config-if)# ip pim passive
    Switch(config-if)# exit
    Switch(config)# interface vlan100
    Switch(config-if)# ip address 100.1.1.1 255.255.255.0
    Switch(config-if)# ip pim passive
    Switch(config-if)# exit
    Switch(config)# interface GigabitEthernet0/20
    Switch(config-if)# no switchport
    Switch(config-if)# ip address 10.1.1.1 255.255.255.0
    Switch(config-if)# ip pim passive...
  • Page 697: Configuring SSM Mapping

    Configuring IP Multicast Routing Configuring IP Multicast Routing
    interface GigabitEthernet3/1/0
     ip address 172.21.200.203 255.255.255.0
     description backbone interface
     ip pim sparse-mode
    interface GigabitEthernet3/2/0
     ip address 131.108.1.2 255.255.255.0
     ip pim sparse-mode
     description ethernet connected to hosts
     ip igmp version 3
    Verifying SSM Configuration Command Purpose show ip igmp groups detail...
  • Page 698 Configuring IP Multicast Routing Configuring IP Multicast Routing DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ip igmp ssm-map enable Enable SSM mapping for groups in the configured SSM range. Note: By default, this command enables DNS-based SSM mapping.
  • Page 699 Before you can configure and use SSM mapping with DNS lookups, you must be able to add records to a running DNS server. If you do not already have a DNS server running, you need to install one. You can use a product such as Cisco Network Registrar. Go to this URL for more information: http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/index.html...
  • Page 700 Configuring IP Multicast Routing Configuring IP Multicast Routing Configuring Static Traffic Forwarding with SSM Mapping Use static traffic forwarding with SSM mapping to statically forward SSM traffic for certain groups. When static traffic forwarding with SSM mapping is configured, the last hop router uses Domain Name System (DNS)-based SSM mapping to determine the sources associated with a group.
  • Page 701: Configuring A Rendezvous Point

     Manually Assigning an RP to Multicast Groups, page 697  Configuring Auto-RP, page 699 (a standalone, Cisco-proprietary protocol separate from PIMv1)  Configuring PIMv2 BSR, page 704 (a standards track protocol in the Internet Engineering Task Force (IETF)) You can use Auto-RP, BSR, or a combination of both, depending on the PIM version you are running and the types of routers in your network.
  • Page 702 Configuring IP Multicast Routing Configuring IP Multicast Routing DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ip pim rp-address ip-address [access-list-number] [override]: Configure the address of a PIM RP. By default, no PIM RP address is configured. You must configure the IP address of RPs on all routers and multilayer switches (including the RP).
  • Page 703
    Switch(config)# access-list 1 permit 225.2.2.2 0.0.0.0
    Switch(config)# ip pim rp-address 147.106.6.22 1
    Configuring Auto-RP Auto-RP uses IP multicast to automate the distribution of group-to-RP mappings to all Cisco routers and multilayer switches in a PIM network. It has these benefits: ...
  • Page 704 Configuring IP Multicast Routing Configuring IP Multicast Routing DETAILED STEPS Command Purpose show running-config Verify that a default RP is already configured on all PIM devices and the RP in the sparse-mode network. It was previously configured with the ip pim rp-address global configuration command.
  • Page 705 Configuring IP Multicast Routing Configuring IP Multicast Routing Command Purpose ip pim send-rp-discovery scope ttl: Find a switch whose connectivity is not likely to be interrupted, and assign it the role of RP-mapping agent. For scope ttl, specify the time-to-live value in hops to limit the RP discovery packets.
  • Page 706 Configuring IP Multicast Routing Configuring IP Multicast Routing BEFORE YOU BEGIN  This command should only be configured on RP mapping agents.  If you use more than one RP-mapping agent, you must configure the same filters on all mapping agents to avoid inconsistencies in Auto-RP operations.
  • Page 707 Configuring IP Multicast Routing Configuring IP Multicast Routing DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ip pim rp-announce-filter rp-list access-list-number group-list access-list-number: Filter incoming RP announcement messages. Enter this command on each mapping agent in the network. Without this command, all incoming RP-announce messages are accepted by default.
  • Page 708: Configuring PIMv2 BSR

    Configuring IP Multicast Routing Configuring IP Multicast Routing EXAMPLE This example shows a sample configuration on an Auto-RP mapping agent that is used to prevent candidate RP announcements from being accepted from unauthorized candidate RPs:
    Switch(config)# ip pim rp-announce-filter rp-list 10 group-list 20
    Switch(config)# access-list 10 permit host 172.16.5.1
    Switch(config)# access-list 10 permit host 172.16.2.1
    Switch(config)# access-list 20 deny 239.0.0.0 0.0.255.255...
  • Page 709 Configuring IP Multicast Routing Configuring IP Multicast Routing DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. interface interface-id Specify the interface to be configured, and enter interface configuration mode. no shutdown Enable the port, if necessary. By default, UNIs and ENIs are disabled, and NNIs are enabled.
  • Page 710 Configuring IP Multicast Routing Configuring IP Multicast Routing DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. access-list access-list-number deny source [source-wildcard]: Create a standard access list, repeating the command as many times as necessary.  For access-list-number, the range is 1 to 99. ...
  • Page 711 Candidate RPs send candidate RP advertisements to the BSR. When deciding which devices should be RPs, consider these options:  In a network of Cisco routers and multilayer switches where only Auto-RP is used, any device can be configured as an RP. ...
  • Page 712 Configuring IP Multicast Routing Configuring IP Multicast Routing BEFORE YOU BEGIN Enable PIM on the interface using the ip pim command as described in the Configuring Basic Multicast Routing, page 689. DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ip pim rp-candidate interface-id Configure your switch to be a candidate RP.
  • Page 713: Monitoring The RP Mapping Information

    Configuring IP Multicast Routing Using Auto-RP and a BSR If there are only Cisco devices in your network (no routers from other vendors), there is no need to configure a BSR. Configure Auto-RP in a network that is running both PIMv1 and PIMv2.
  • Page 714: Troubleshooting PIMv1 And PIMv2 Interoperability Problems

    Configuring IP Multicast Routing Configuring Advanced PIM Features Troubleshooting PIMv1 and PIMv2 Interoperability Problems When debugging interoperability problems between PIMv1 and PIMv2, check these in the order shown: Verify RP mapping with the show ip pim rp-hash privileged EXEC command, making sure that all systems agree on the same RP for the same group.
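When several candidate RPs advertise the same group range through a PIMv2 BSR, each router picks the RP by the RFC 4601 hash that show ip pim rp-hash displays, and every router must compute it identically for the check above to pass. The following Python, added here as an example and not code from the Cisco guide (which does not reproduce the hash), implements that selection, including the candidate priority and the hash-mask length carried in bootstrap messages. The candidate RPs and groups are constructed.

```python
"""RFC 4601 (section 4.7.2) RP selection for PIMv2 bootstrap-router mappings,
the computation behind `show ip pim rp-hash` when more than one candidate RP
covers a group. Added example, not code from the Cisco guide; the candidate RPs
and groups used in the demo are constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

# (RP address, priority); a lower priority value is preferred. IOS default priority is 0.
Candidate = Tuple[str, int]


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def hash_mask(length: int) -> int:
    """Mask derived from the BSR's hash-mask-length (0 to 32 bits)."""
    if not 0 <= length <= 32:
        raise ValueError("hash-mask-length must be 0..32")
    return (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF


def rp_hash_value(group: str, mask_len: int, candidate: str) -> int:
    """Value(G, M, C) = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C) + 12345) mod 2^31."""
    g = _ip(group) & hash_mask(mask_len)
    inner = (1103515245 * g + 12345) ^ _ip(candidate)
    return (1103515245 * inner + 12345) % (1 << 31)


def select_rp(group: str, mask_len: int, candidates: Iterable[Candidate]) -> str:
    """Lowest priority value wins; among equals the highest hash value; then the highest RP address."""
    cands = list(candidates)
    if not cands:
        raise ValueError("no candidate RPs cover this group")
    best_priority = min(p for _, p in cands)
    contenders = [c for c, p in cands if p == best_priority]
    return max(contenders, key=lambda c: (rp_hash_value(group, mask_len, c), _ip(c)))


def rp_mapping(groups: Iterable[str], mask_len: int,
               candidates: Iterable[Candidate]) -> List[Tuple[str, str]]:
    """The group-to-RP table a router would display for a list of groups."""
    cands = list(candidates)
    return [(g, select_rp(g, mask_len, cands)) for g in groups]


if __name__ == "__main__":
    rps = [("10.0.0.1", 0), ("10.0.0.2", 0), ("10.0.0.3", 0)]   # constructed candidate RPs
    groups = ["224.1.1.1", "224.1.1.2", "224.1.1.5", "239.9.9.9"]
    for mask_len in (30, 0):
        print(f"hash-mask-length {mask_len}:")
        for g, rp in rp_mapping(groups, mask_len, rps):
            print(f"  {g:<12} -> {rp}")
```

With a hash-mask length of 30, groups in the same /30 block land on the same RP and different blocks spread across the candidates; with a length of 0 (the value a router falls back to when none is advertised) G & M is always zero, so every group hashes to a single RP and the others carry nothing. A router that derives a different mask length or candidate set from its BSR therefore disagrees on the RP, which is the mismatch the first troubleshooting step detects.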
  • Page 715 Configuring IP Multicast Routing Configuring Advanced PIM Features DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. access-list access-list-number {deny | permit} source [source-wildcard]: Create a standard access list.  For access-list-number, the range is 1 to 99.  The deny keyword denies access if the conditions are matched.
  • Page 716: Configuring Optional IGMP Features

    Configuring IP Multicast Routing Configuring Optional IGMP Features Modifying the PIM Router-Query Message Interval PIM routers and multilayer switches send PIM router-query messages to find which device will be the DR for each LAN segment (subnet). The DR is responsible for sending IGMP host-query messages to all hosts on the directly connected LAN.
  • Page 717: Default IGMP Configuration

    Configuring IP Multicast Routing Configuring Optional IGMP Features  Changing the IGMP Version, page 715 (optional)  Modifying the IGMP Host-Query Message Interval, page 716 (optional)  Changing the IGMP Query Timeout for IGMPv2, page 718 (optional)  Changing the Maximum Query Response Time for IGMPv2, page 719 (optional) ...
  • Page 718: Controlling Access To IP Multicast Groups

    Configuring IP Multicast Routing Configuring Optional IGMP Features DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. interface interface-id Specify the interface to be configured, and enter interface configuration mode. no shutdown Enable the port, if necessary. By default, UNIs and ENIs are disabled, and NNIs are enabled.
  • Page 719: Changing The IGMP Version

    Configuring IP Multicast Routing Configuring Optional IGMP Features DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. interface interface-id Specify the interface to be configured, and enter interface configuration mode. no shutdown Enable the port, if necessary. By default, UNIs and ENIs are disabled, and NNIs are enabled.
  • Page 720 Configuring IP Multicast Routing Configuring Optional IGMP Features All systems on the subnet must support the same version. The switch does not automatically detect Version 1 systems and switch to Version 1. You can mix Version 1 and Version 2 hosts on the subnet because Version 2 routers or switches always work correctly with IGMPv1 hosts.
  • Page 721 Configuring IP Multicast Routing Configuring Optional IGMP Features BEFORE YOU BEGIN We recommend that you do not modify the IGMP query interval and IGMP querier timeout values. However, if you configure the appropriate commands to change the query interval and querier timeout default values, the following conditions apply: ...
  • Page 722: Changing The IGMP Query Timeout For IGMPv2

    Configuring IP Multicast Routing Configuring Optional IGMP Features The following example shows how to configure the switch to wait 250 seconds from the time it received the last query until the time that it triggers the IGMP election process. When the timeout value is explicitly configured, the query interval does not automatically adjust.
  • Page 723: Changing The Maximum Query Response Time For IGMPv2

    Configuring IP Multicast Routing Configuring Optional IGMP Features DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. interface interface-id Specify the interface to be configured, and enter interface configuration mode. no shutdown Enable the port, if necessary. By default, UNIs and ENIs are disabled, and NNIs are enabled.
  • Page 724: Configuring The Switch As A Statically Connected Member

    Configuring IP Multicast Routing Configuring Optional IGMP Features DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. interface interface-id Specify the interface to be configured, and enter interface configuration mode. no shutdown Enable the port, if necessary. By default, UNIs and ENIs are disabled, and NNIs are enabled.
  • Page 725: Configuring Optional Multicast Routing Features

    Configuring IP Multicast Routing Configuring Optional Multicast Routing Features DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. interface interface-id Specify the interface to be configured, and enter interface configuration mode. no shutdown Enable the port, if necessary. By default, UNIs and ENIs are disabled, and NNIs are enabled.
  • Page 726 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Enabling Listening to Session Directory Announcements By default, the switch does not listen to session directory advertisements. Follow this procedure to enable the switch to join the default session directory group (224.2.127.254) on the interface and listen to session directory advertisements. This procedure is optional.
  • Page 727: Configuring An IP Multicast Boundary

    Configuring IP Multicast Routing Configuring Optional Multicast Routing Features DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ip sap cache-timeout minutes Limit how long an SAP cache entry stays active in the cache. By default, session announcements remain for 1440 minutes (24 hours) in the cache.
  • Page 728 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Figure 91 Administratively-Scoped Boundaries (figure labels: Company XYZ, Engineering, Marketing; scopes 239.0.0.0/8 and 239.128.0.0/16) You can define an administratively-scoped boundary on a routed interface for multicast group addresses. A standard access list defines the range of addresses affected. When a boundary is defined, no multicast data packets are allowed to flow across the boundary from either direction.
  • Page 729 Configuring IP Multicast Routing Verifying Configuration DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. access-list access-list-number {deny | permit} source [source-wildcard]: Create a standard access list, repeating the command as many times as necessary.  For access-list-number, the range is 1 to 99. ...
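Both the Auto-RP announcement filter on the mapping agent (ip pim rp-announce-filter rp-list ... group-list ..., page 708 example) and the administratively scoped boundary in this procedure (ip multicast boundary) are standard access lists evaluated with Cisco wildcard masks: a 1 bit in the wildcard is ignored, the first matching entry decides, and an unmatched address hits the implicit deny. The following Python, added here as an example and not code from the Cisco guide, parses such access lists from configuration text and applies them the way the two features do. The configuration text is constructed: it mirrors the chapter's filter example, and the final permit line of access list 20 is an assumption about what the truncated listing contains. The filter semantics modelled (a candidate RP permitted by no rp-list is ignored; for a permitted RP each announced range is kept only if the group-list permits it, matched here by the range's network address) are this model's reading of the feature, stated in the docstring, not a quotation from IOS.

```python
"""Cisco IOS standard-ACL matching (wildcard masks, first match wins, implicit
deny) applied to two multicast controls: the Auto-RP mapping agent's
`ip pim rp-announce-filter rp-list ... group-list ...` and the interface
`ip multicast boundary`. Added example, not code from the Cisco guide. The
configuration text is constructed; the last line of ACL 20 is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class AclEntry:
    permit: bool
    address: int   # address part of the entry
    wildcard: int  # wildcard bits: 1 = ignore this bit (the inverse of a subnet mask)


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_standard_acls(config: str) -> Dict[int, List[AclEntry]]:
    """Collect `access-list <1-99> {permit|deny} <host A | any | A W | A>` lines, in order."""
    acls: Dict[int, List[AclEntry]] = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number = int(t[1])
        if not 1 <= number <= 99:
            raise ValueError(f"{number} is not a standard ACL number (1-99)")
        if t[2] not in ("permit", "deny"):
            raise ValueError(f"bad action in {raw!r}")
        if t[3] == "host":
            address, wildcard = _ip(t[4]), 0
        elif t[3] == "any":
            address, wildcard = 0, 0xFFFFFFFF
        else:
            address = _ip(t[3])
            wildcard = _ip(t[4]) if len(t) > 4 else 0   # no wildcard means a single host
        acls.setdefault(number, []).append(AclEntry(t[2] == "permit", address, wildcard))
    return acls


def acl_permits(entries: List[AclEntry], address: str) -> bool:
    """First matching entry decides; no match is the implicit deny that ends every IOS ACL."""
    a = _ip(address)
    for e in entries:
        if (a & ~e.wildcard) == (e.address & ~e.wildcard):
            return e.permit
    return False


@dataclass(frozen=True)
class AnnounceFilter:
    rp_list: int                # standard ACL naming the candidate RPs this rule is about
    group_list: Optional[int]   # standard ACL of accepted group ranges; None = any range


def parse_announce_filters(config: str) -> List[AnnounceFilter]:
    """Collect `ip pim rp-announce-filter rp-list N [group-list M]` lines."""
    filters = []
    for raw in config.splitlines():
        t = raw.split()
        if t[:3] != ["ip", "pim", "rp-announce-filter"]:
            continue
        rp_list = int(t[t.index("rp-list") + 1])
        group_list = int(t[t.index("group-list") + 1]) if "group-list" in t else None
        filters.append(AnnounceFilter(rp_list, group_list))
    return filters


def accept_rp_announcement(filters: Iterable[AnnounceFilter], acls: Dict[int, List[AclEntry]],
                           rp_address: str, group_ranges: Iterable[str]) -> List[str]:
    """Return the announced group ranges the mapping agent keeps for rp_address.

    Model (this example's reading, not IOS text): the first filter whose
    rp-list permits the candidate RP applies; an RP permitted by no filter is
    ignored entirely; each announced range (CIDR string, matched by its network
    address) survives only if the group-list permits it. Empty list = dropped.
    """
    for f in filters:
        if acl_permits(acls.get(f.rp_list, []), rp_address):
            if f.group_list is None:
                return list(group_ranges)
            return [r for r in group_ranges
                    if acl_permits(acls.get(f.group_list, []), r.split("/")[0])]
    return []


def boundary_allows(acls: Dict[int, List[AclEntry]], acl_number: int, group: str) -> bool:
    """`ip multicast boundary <acl>`: traffic for `group` crosses the interface only if permitted."""
    return acl_permits(acls.get(acl_number, []), group)


CONSTRUCTED_CONFIG = """
! Auto-RP mapping agent: accepted candidate RPs and the ranges they may announce
ip pim rp-announce-filter rp-list 10 group-list 20
access-list 10 permit host 172.16.5.1
access-list 10 permit host 172.16.2.1
access-list 20 deny 239.0.0.0 0.0.255.255
access-list 20 permit 224.0.0.0 15.255.255.255
! Boundary ACL: keep administratively scoped groups (239/8) inside the site
access-list 1 deny 239.0.0.0 0.255.255.255
access-list 1 permit 224.0.0.0 15.255.255.255
"""

if __name__ == "__main__":
    acls = parse_standard_acls(CONSTRUCTED_CONFIG)
    filters = parse_announce_filters(CONSTRUCTED_CONFIG)
    ranges = ["224.0.0.0/4", "239.0.0.0/16", "239.1.0.0/16"]
    for rp in ("172.16.5.1", "10.10.10.10"):
        print(rp, "->", accept_rp_announcement(filters, acls, rp, ranges))
    for g in ("224.0.1.40", "239.255.255.250"):
        print(g, "crosses boundary:", boundary_allows(acls, 1, g))
```

The same acl_permits evaluation applies to the ip igmp access-group list used in Controlling Access to IP Multicast Groups; only the object being matched (the joined group) differs.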
  • Page 730: Displaying System And Network Statistics

    Configuring IP Multicast Routing Verifying Configuration Clearing Caches, Tables, and Databases You can remove all contents of a particular cache, table, or database. Clearing a cache, table, or database might be necessary when the contents of the particular structure are, or are suspected to be, invalid. Command Purpose clear ip igmp group [group-name |...
  • Page 731: Monitoring IP Multicast Routing

    Configuring IP Multicast Routing Configuration Example Command Purpose ping [group-name | group-address]: Send an ICMP Echo Request to a multicast group address. show ip igmp groups [group-name | group-address | type number]: Display the multicast groups that are directly connected to the switch and that were learned through IGMP.
  • Page 732 Configuring IP Multicast Routing Configuration Example
    Switch(config)# interface vlan100
    Switch(config-if)# ip pim passive
    Switch(config-if)# exit
    Switch(config)# interface GigabitEthernet0/20
    Switch(config-if)# ip pim passive
    Switch(config-if)# exit
    Switch(config)# interface vlan100
    Switch(config-if)# ip address 100.1.1.1 255.255.255.0
    Switch(config-if)# ip pim passive
    Switch(config-if)# exit
    Switch(config)# interface GigabitEthernet0/20
    Switch(config-if)# no switchport
    Switch(config-if)# ip address 10.1.1.1 255.255.255.0
    Switch(config-if)# ip pim passive...
  • Page 733 Configuring IP Multicast Routing Configuration Example
    Switch(config)# access-list 1 permit 225.2.2.2 0.0.0.0
    Switch(config)# ip pim rp-address 147.106.6.22 1
    This example shows how to send RP announcements out all PIM-enabled interfaces for a maximum of 31 hops. The IP address of port 1 is the RP. Access list 5 describes the group for which this switch serves as RP:
    Switch(config)# ip pim send-rp-announce gigabitethernet0/1 scope 31 group-list 5
    Switch(config)# access-list 5 permit 224.0.0.0 15.255.255.255
    This example shows a sample configuration on an Auto-RP mapping agent that is used to prevent candidate RP...
  • Page 734
    Switch(config)# access-list 1 permit 224.0.0.0 15.255.255.255
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# ip multicast boundary 1
    Related Documents  Cisco IOS IP Multicast Command Reference  IP Multicast Configuration Guide Library, Cisco IOS Release 15M&T  Cisco IOS Master Command List, All Releases...
  • Page 735 Configuring MSDP This chapter describes how to configure Multicast Source Discovery Protocol (MSDP) on the Cisco Industrial Ethernet Switches, hereafter referred to as switch. MSDP connects multiple Protocol-Independent Multicast sparse-mode (PIM-SM) domains. MSDP is not fully supported in this software release because of a lack of support for Multicast Border Gateway Protocol (MBGP), which works closely with MSDP.
  • Page 736: MSDP Operation

    Configuring MSDP Information About MSDP MSDP Operation Figure 92 on page 732 shows MSDP operating between two MSDP peers. PIM uses MSDP as the standard mechanism to register a source with the RP of a domain. When MSDP is configured, this sequence occurs. When a source sends its first multicast packet, the first-hop router (designated router or RP) directly connected to the source sends a PIM register message to the RP.
  • Page 737: MSDP Benefits

    Configuring MSDP Prerequisites MSDP Benefits MSDP has these benefits:  It breaks up the shared multicast distribution tree. You can make the shared tree local to your domain. Your local members join the local tree, and join messages for the shared tree never need to leave your domain. ...
  • Page 738: Configuring A Default MSDP Peer

    Configuring MSDP Configuring MSDP Configuring a Default MSDP Peer In this software release, because BGP and MBGP are not supported, you cannot configure an MSDP peer on the local switch by using the ip msdp peer global configuration command. Instead, you define a default MSDP peer (by using the ip msdp default-peer global configuration command) from which to accept all SA messages for the switch.
  • Page 739 Configuring MSDP Configuring MSDP DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ip msdp default-peer ip-address | name [prefix-list list]: Define a default peer from which to accept all MSDP SA messages.  For ip-address | name, enter the IP address or Domain Name System (DNS) name of the MSDP default peer.
  • Page 740 Configuring MSDP Configuring MSDP To remove the default peer, use the no ip msdp default-peer ip-address | name global configuration command. EXAMPLE This example shows a partial configuration of Router A and Router C in Figure 93 on page 734. Each of these ISPs has more than one customer (like the customer in Figure 93 on page 734) that uses default peering (no BGP or MBGP).
  • Page 741 Configuring MSDP Configuring MSDP DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ip msdp cache-sa-state [list access-list-number]: Enable the caching of source/group pairs (create an SA state). Those pairs that pass the access list are cached. For list access-list-number, the range is 100 to 199.
  • Page 742: Requesting Source Information From An MSDP Peer

    Configuring MSDP Configuring MSDP Requesting Source Information from an MSDP Peer Local RPs can send SA requests and get immediate responses for all active sources for a given group. By default, the switch does not send any SA request messages to its MSDP peers when a new member joins a group and wants to receive multicast traffic.
  • Page 743 Configuring MSDP Configuring MSDP BEFORE YOU BEGIN For best practice information related to configuring MSDP SA message filters, see the Multicast Source Discovery Protocol SA Filter Recommendations tech note. DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ip msdp redistribute [list access-list-name] [asn ...: Configure which (S,G) entries from the multicast routing table are advertised in SA messages.
  • Page 744 Configuring MSDP Configuring MSDP Command Purpose access-list access-list-number {deny | permit} source [source-wildcard]: Create an IP standard access list, repeating the command as many times as necessary. access-list access-list-number {deny | permit} protocol source ...: Create an IP extended access list, repeating the command as many times as necessary.
  • Page 745 Configuring MSDP Configuring MSDP However, you can configure the switch to ignore all SA requests from an MSDP peer. You can also honor only those SA request messages from a peer for groups described by a standard access list. If the groups in the access list pass, SA request messages are accepted.
  • Page 746: Controlling Source Information That Your Switch Forwards

    Configuring MSDP Configuring MSDP Controlling Source Information that Your Switch Forwards By default, the switch forwards all SA messages it receives to all its MSDP peers. However, you can prevent outgoing messages from being forwarded to a peer by using a filter or by setting a time-to-live (TTL) value. These methods are described in the next sections.
  • Page 747 Configuring MSDP Configuring MSDP DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ip msdp sa-filter out ip-address | name: Filter all SA messages to the specified MSDP peer. ip msdp sa-filter out {ip-address | name} list access-list-number: To the specified peer, pass only those SA messages that pass the IP extended access list.
  • Page 748: Using TTL To Limit The Multicast Data Sent In SA Messages

    This example shows how to allow only (S,G) pairs that pass access list 100 to be forwarded in an SA message to the peer named switch.cisco.com:
    Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet0/1
    Switch(config)# ip msdp sa-filter out switch.cisco.com list 100
    Switch(config)# access-list 100 permit ip 171.69.0.0 0.0.255.255 224.20.0.0 0.0.255.255
    Using TTL to Limit the Multicast Data Sent in SA Messages You can use a TTL value to control what data is encapsulated in the first SA message for every source.
  • Page 749 Configuring MSDP Configuring MSDP  Filter all incoming SA messages from an MSDP peer  Specify an IP extended access list to pass certain source/group pairs  Filter based on match criteria in a route map Follow this procedure to apply a filter. This procedure is optional. BEFORE YOU BEGIN For best practice information related to configuring MSDP SA message filters, see the Multicast Source Discovery...
  • Page 750 Configuring MSDP Configuring MSDP DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ip msdp sa-filter in ip-address | name: Filter all SA messages from the specified MSDP peer. ip msdp sa-filter in {ip-address | name} list access-list-number: From the specified peer, pass only those SA messages that pass the IP extended access list.
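The sa-filter in and sa-filter out commands match the (S,G) of each SA entry against an IP extended access list as source and destination, and ip msdp ttl-threshold decides separately whether the multicast data packet encapsulated in an SA message goes to a peer. The following Python, added here as an example and not code from the Cisco guide, models all three on a peer object so the effect of each can be checked before the filters are typed in. The access lists, peers and SA entries are constructed: access list 100 mirrors the chapter's sa-filter out example, and access list 101 is a constructed inbound filter for ranges that should never arrive in an SA message (administratively scoped 239/8 and the SSM range 232/8).

```python
"""Model of MSDP Source-Active (SA) filtering on a peer, as configured with
`ip msdp sa-filter {in | out} <peer> [list <extended-acl>]`, and of
`ip msdp ttl-threshold <peer> <ttl>`. Added example, not code from the Cisco
guide. The ACLs, peers and SA entries are constructed; ACL 100 mirrors the
chapter's `sa-filter out` example, ACL 101 is a constructed inbound filter.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

FILTER_ALL = "all"   # `ip msdp sa-filter in|out <peer>` with no list: block every SA entry


@dataclass(frozen=True)
class SaEntry:
    source: str                      # S
    group: str                       # G
    data_ttl: Optional[int] = None   # IP TTL of the data packet encapsulated in the SA, if any


@dataclass(frozen=True)
class ExtEntry:
    permit: bool
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _addr_spec(t: List[str], i: int) -> Tuple[int, int, int]:
    """Parse `any`, `host A` or `A W` starting at t[i]; return (address, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2


def parse_extended_acls(config: str) -> Dict[int, List[ExtEntry]]:
    """Collect `access-list <100-199> {permit|deny} ip <source> <destination>` lines, in order."""
    acls: Dict[int, List[ExtEntry]] = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        number = int(t[1])
        if not 100 <= number <= 199:
            raise ValueError(f"{number} is not an extended ACL number (100-199)")
        if t[3] != "ip":
            raise ValueError(f"SA filters match (S,G) with `ip` entries: {raw!r}")
        src, src_wild, i = _addr_spec(t, 4)
        dst, dst_wild, _ = _addr_spec(t, i)
        acls.setdefault(number, []).append(ExtEntry(t[2] == "permit", src, src_wild, dst, dst_wild))
    return acls


def _match(addr: int, base: int, wild: int) -> bool:
    return (addr & ~wild) == (base & ~wild)   # wildcard 1 bits are ignored


def sa_passes(entries: List[ExtEntry], sa: SaEntry) -> bool:
    """An SA (S,G) is matched as source S, destination G; first match wins, implicit deny."""
    s, g = _ip(sa.source), _ip(sa.group)
    for e in entries:
        if _match(s, e.src, e.src_wild) and _match(g, e.dst, e.dst_wild):
            return e.permit
    return False


@dataclass
class MsdpPeer:
    name: str
    sa_filter_in: Union[None, str, int] = None    # None: no filter; FILTER_ALL; or an ACL number
    sa_filter_out: Union[None, str, int] = None
    ttl_threshold: int = 0                        # 0: encapsulated data is always sent


def _blocked(spec: Union[None, str, int], acls: Dict[int, List[ExtEntry]], sa: SaEntry) -> bool:
    if spec is None:
        return False
    if spec == FILTER_ALL:
        return True
    return not sa_passes(acls.get(spec, []), sa)


def accept_sa(peer: MsdpPeer, acls: Dict[int, List[ExtEntry]], sa: SaEntry) -> bool:
    """Inbound: keep the SA entry received from `peer`, or drop it."""
    return not _blocked(peer.sa_filter_in, acls, sa)


def forward_sa(peer: MsdpPeer, acls: Dict[int, List[ExtEntry]], sa: SaEntry) -> Tuple[bool, bool]:
    """Outbound: (send the SA entry to `peer`, include the encapsulated data packet).

    Data is included only when the packet's TTL is at least the peer's ttl-threshold.
    """
    if _blocked(peer.sa_filter_out, acls, sa):
        return False, False
    data = sa.data_ttl is not None and sa.data_ttl >= peer.ttl_threshold
    return True, data


CONSTRUCTED_CONFIG = """
access-list 100 permit ip 171.69.0.0 0.0.255.255 224.20.0.0 0.0.255.255
access-list 101 deny ip any 239.0.0.0 0.255.255.255
access-list 101 deny ip any 232.0.0.0 0.255.255.255
access-list 101 permit ip any 224.0.0.0 15.255.255.255
"""

if __name__ == "__main__":
    acls = parse_extended_acls(CONSTRUCTED_CONFIG)
    out_peer = MsdpPeer("switch.cisco.com", sa_filter_out=100, ttl_threshold=8)
    in_peer = MsdpPeer("192.168.1.5", sa_filter_in=101)
    print(forward_sa(out_peer, acls, SaEntry("171.69.3.4", "224.20.7.7", data_ttl=64)))
    print(forward_sa(out_peer, acls, SaEntry("171.69.3.4", "224.20.7.7", data_ttl=5)))
    print(accept_sa(in_peer, acls, SaEntry("10.1.1.1", "239.1.1.1")))
```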
  • Page 751: Configuring An MSDP Mesh Group

    To remove the filter, use the no ip msdp sa-filter in {ip-address | name} [list access-list-number] [route-map map-tag] global configuration command. EXAMPLE This example shows how to filter all SA messages from the peer named switch.cisco.com:
    Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet0/1
    Switch(config)# ip msdp sa-filter in switch.cisco.com
    Configuring an MSDP Mesh Group An MSDP mesh group is a group of MSDP speakers that have fully meshed MSDP connectivity among one another.
  • Page 752: Shutting Down An Msdp Peer

    Configuring MSDP Shutting Down an MSDP Peer If you want to configure many MSDP commands for the same peer and you do not want the peer to become active, you can shut down the peer, configure it, and later bring it up. When a peer is shut down, the TCP connection is terminated and is not restarted.
  • Page 753: Configuring An Originating Address Other Than The Rp Address

    Configuring MSDP DETAILED STEPS Table 0-10 Command / Purpose: configure terminal: Enter global configuration mode. ip msdp border sa-address interface-id: Configure the switch on the border between a dense-mode and sparse-mode region to send SA messages about active sources in the dense-mode region. For interface-id, specify the interface from which the IP address is derived and used as the RP address in SA messages.
  • Page 754 Configuring MSDP DETAILED STEPS Table 0-11 Command / Purpose: configure terminal: Enter global configuration mode. ip msdp originator-id interface-id: Configure the RP address in SA messages to be the address of the originating device interface. For interface-id, specify the interface on the local switch. Return to privileged EXEC mode.
  • Page 755 Configuring MSDP Verifying Configuration Table 45-58 Command / Purpose: debug ip msdp [peer-address | name] [detail] [routes]: Debugs MSDP activity. debug ip msdp resets: Debugs MSDP peer reset reasons. show ip msdp count [autonomous-system-number]: Displays the number of sources and groups originated in SA messages from each autonomous system.
  • Page 756 The following example shows how to configure a TTL threshold of 8 hops: Switch(config)# ip msdp ttl-threshold 192.168.1.5 8 This example shows how to filter all SA messages from the peer named switch.cisco.com: Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet0/1 Switch(config)# ip msdp sa-filter in switch.cisco.com...
  • Page 757 Configuring IPv6 MLD Snooping This chapter describes how to configure Multicast Listener Discovery (MLD) snooping on the Cisco Industrial Ethernet Switches, hereafter referred to as switch. When the switch is running the IP services image, you can use MLD snooping to enable efficient distribution of IP version 6 (IPv6) multicast data to clients and routers in a switched network.
  • Page 758: Mld Messages

    Configuring IPv6 MLD Snooping Information About MLD Snooping Note: The switch does not support MLDv2 enhanced snooping (MESS), which sets up IPv6 source and destination multicast address-based forwarding. MLD snooping can be enabled or disabled globally or per VLAN. When MLD snooping is enabled, a per-VLAN IPv6 multicast MAC address table is constructed in software, and a per-VLAN IPv6 multicast address table is constructed in software and hardware.
  • Page 759: Multicast Client Aging Robustness

    Configuring IPv6 MLD Snooping Information About MLD Snooping When a host wants to leave a multicast group, it can send out an MLD Done message (equivalent to an IGMP Leave message). When the switch receives an MLDv1 Done message, if Immediate-Leave is not enabled, the switch sends a MASQ to the port from which the message was received to determine if other devices connected to the port should remain in the multicast group.
  • Page 760: Topology Change Notification Processing

    Configuring IPv6 MLD Snooping Prerequisites MLD Done Messages and Immediate-Leave When the Immediate-Leave feature is enabled and a host sends an MLDv1 Done message (equivalent to an IGMP leave message), the port on which the Done message was received is immediately deleted from the group. You enable Immediate-Leave on VLANs and, as with IGMP snooping, you should only use the feature on VLANs where a single host is connected to the port.
  • Page 761: Enabling Or Disabling Mld Snooping

    Configuring IPv6 MLD Snooping Default Settings Table 46-60 Feature / Default Setting: MLD snooping (global): Disabled. MLD snooping (per VLAN): Enabled. MLD snooping must be globally enabled for VLAN MLD snooping to take place. IPv6 multicast addresses: None configured. IPv6 multicast router ports: None configured.
  • Page 762 Configuring IPv6 MLD Snooping You can enable and disable MLD snooping on a per-VLAN basis or for a range of VLANs, but if you globally disable MLD snooping, it is disabled in all VLANs. If global snooping is enabled, you can enable or disable VLAN snooping. Enabling MLD Snooping DETAILED STEPS Table 46-12...
  • Page 763: Configuring A Static Multicast Group

    Configuring IPv6 MLD Snooping Switch(config)# ipv6 mld snooping vlan 100 Configuring a Static Multicast Group Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure an IPv6 multicast address and member ports for a VLAN. Follow this procedure to add a Layer 2 port as a member of a multicast group. DETAILED STEPS Table 46-14 Command...
  • Page 764: Enabling Mld Immediate Leave

    Configuring IPv6 MLD Snooping DETAILED STEPS Table 46-15 Command / Purpose: configure terminal: Enter global configuration mode. ipv6 mld snooping vlan vlan-id mrouter interface interface-id: Specify the multicast router VLAN ID, and specify the interface to the multicast router. ...
  • Page 765: Configuring Mld Snooping Queries

    Configuring IPv6 MLD Snooping EXAMPLE This example shows how to enable MLD Immediate Leave on VLAN 130: Switch# configure terminal Switch(config)# ipv6 mld snooping vlan 130 immediate-leave Switch(config)# exit Configuring MLD Snooping Queries When Immediate Leave is not enabled and a port receives an MLD Done message, the switch generates MASQs on the port and sends them to the IPv6 multicast address for which the Done message was sent.
  • Page 766 Configuring IPv6 MLD Snooping DETAILED STEPS Table 46-17 Command / Purpose: configure terminal: Enter global configuration mode. ipv6 mld snooping robustness-variable value: (Optional) Set the number of queries that are sent before the switch deletes a listener (port) that does not respond to a general query.
  • Page 767: Disabling Mld Listener Message Suppression

    Configuring IPv6 MLD Snooping Verifying Configuration This example shows how to set the MLD snooping last-listener query interval (maximum response time) to 2000 (2 seconds): Switch# configure terminal Switch(config)# ipv6 mld snooping last-listener-query-interval 2000 Switch(config)# exit Disabling MLD Listener Message Suppression MLD snooping listener message suppression is enabled by default.
  • Page 768 Configuring IPv6 MLD Snooping Configuration Example Table 46-61 Command Purpose show ipv6 mld snooping [vlan vlan-id] Display the MLD snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.
  • Page 769 Switch(config)# ipv6 mld snooping last-listener-query-interval 2000 Switch(config)# exit This example shows how to disable MLD message suppression: Switch# configure terminal Switch(config)# no ipv6 mld snooping listener-message-suppression Switch(config)# end Related Documents • Cisco IOS IPv6 Command Reference • Cisco IOS Master Command List, All Releases...
  • Page 770 Configuring IPv6 MLD Snooping Related Documents...
  • Page 771: Understanding Hsrp

    For complete syntax and usage information for the commands used in this chapter, see these documents: • Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 at http://www.cisco.com/en/US/docs/ios/12_2/ipaddr/command/reference/fipras_r.html • Hot Standby Router Protocol Version 2 feature module at ...
  • Page 772 Host B. Figure 47-94 Typical HSRP Configuration [figure: Host A, Host B, Host C, Router A, Router B, with active, virtual and standby routers on the 172.20.128.0 and 172.20.130.0 networks] Cisco Industrial Ethernet 4000 Series Switch Software Configuration Guide -768
  • Page 773: Hsrp Versions

    – HSRPv1 uses the multicast address 224.0.0.2 to send hello packets, which can conflict with Cisco Group Management Protocol (CGMP) leave processing. You cannot enable HSRPv1 and CGMP at the same time; they are mutually exclusive. • HSRPv2—Version 2 of the HSRP has these features: –...
  • Page 774: Configuring Hsrp

    • Troubleshooting HSRP, page 777 Default HSRP Configuration Table 47-62 shows the default HSRP configuration. Table 47-62 Default HSRP Configuration Feature / Default Setting: HSRP version: Version 1. HSRP groups: None configured.
  • Page 775: Hsrp Configuration Guidelines

    If you configure groups with the numbers 2, 150, and 225, you cannot configure another group with the number 3850. It is not in the range of 0 to 255.
  • Page 776: Enabling Hsrp

    Step 5 Return to privileged EXEC mode. Step 6 show standby [interface-id [group]] Verify the configuration. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 777: Configuring Hsrp Priority

    To solve this problem, configure a delay time to allow the router to update its routing table.
  • Page 778 Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify the configuration of the standby groups. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 779: Configuring Mhsrp

    Switch(config-if)# ip address 10.0.0.2 255.255.255.0 Switch(config-if)# standby 1 ip 10.0.0.3 Switch(config-if)# standby 1 preempt Switch(config-if)# standby 2 ip 10.0.0.4 Switch(config-if)# standby 2 priority 110 Switch(config-if)# standby 2 preempt Switch(config-if)# end
  • Page 780: Configuring Hsrp Authentication And Timers

    This example shows how to configure word as the authentication string required to allow Hot Standby routers in group 1 to interoperate:
  • Page 781: Enabling Hsrp Support For Icmp Redirect Messages

    Troubleshooting HSRP If one of the situations in Table 47-63 occurs, this message appears: %FHRP group not consistent with already configured groups on the switch stack - virtual MAC reservation failed
  • Page 782: Displaying Hsrp Configurations

    LAN. In a VRRP configuration, one router is elected as the virtual router master, with the other routers acting as backups in case the virtual router master fails.
  • Page 783 The VRRP implementation on the switch does not support the MIB specified in RFC 2787. • The VRRP implementation on the switch supports only text-based authentication. • You cannot enable VRRP for IPv4 and IPv6 groups simultaneously.
  • Page 784 Configuring HSRP and VRRP Configuring VRRP
  • Page 785 Configuring IPv6 ACLs This chapter provides details about configuring IPv6 access control lists (ACLs) on the Cisco Industrial Ethernet Switches, hereafter referred to as switch. When the switch is running the IP services image: • You can filter IPv6 traffic by creating IPv6 ACLs and applying them to interfaces • ...
  • Page 786: Supported Acl Features

    You cannot apply IPv6 port ACLs to Layer 2 EtherChannels. • The switch does not support output port ACLs. Cisco IOS IPv6 ACLs Functions Not Supported • The switch does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.
  • Page 787: Creating Ipv6 Acls

    Configuring IPv6 ACLs Default Settings • You can create both IPv4 and IPv6 ACLs on a switch, and you can apply both IPv4 and IPv6 ACLs to the same interface. — Each ACL must have a unique name; an error message appears if you try to use a name that already exists on the switch.
  • Page 788 Configuring IPv6 ACLs DETAILED STEPS Command / Purpose: configure terminal: Enter global configuration mode. ipv6 access-list access-list-name: Define an IPv6 access list using a name, and enter IPv6 access-list configuration mode. {deny | permit} protocol {source-ipv6-prefix/prefix-length | any | ...: Deny or permit the packet when the specified conditions are matched.
  • Page 789 Configuring IPv6 ACLs Command / Purpose: • (Optional) port-number: Value of 0 to 65535 or TCP or UDP port name. Use TCP port names only when filtering TCP. Use UDP port names only when filtering UDP. • (Optional) dscp value: Match a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header.
  • Page 790 EXAMPLE The following example: • Creates an IPv6 ACL named CISCO. • Defines one deny entry that denies all packets that have a destination TCP port number greater than 5000 and a second deny entry that denies packets that have a source UDP port number less than 5000. The second deny entry also logs all matches to the console.
  • Page 791: Applying An Ipv6 Acl To An Interface

    (Optional) Save your entries in the configuration file. EXAMPLE This example shows how to apply the access list CISCO to outbound traffic on a Layer 3 interface: Switch(config)# interface gigabitethernet 0/3 Switch(config-if)# no switchport Switch(config-if)# ipv6 address 2001::/64 eui-64...
  • Page 792 IPv6 access list. • Applies the access list CISCO to outbound traffic on a Layer 3 interface. Switch(config)# ipv6 access-list CISCO Switch(config-ipv6-acl)# deny tcp any any gt 5000...
  • Page 793 An EEM policy defines an event and the actions to be taken when that event occurs. This chapter describes how to configure EEM and how to use it to monitor and manage the Cisco Industrial Ethernet Switches, hereafter referred to as switch.
  • Page 794: Event Detectors

    [figure: event subscribers (EEM applet, EEM script) subscribe to receive events and implement policy actions] EEM Configuration for Cisco Integrated Services Router Platforms Guide for examples of EEM deployment. This section includes the following topics: • Event Detectors, page 790 • ...
  • Page 795: Embedded Event Manager Actions

    Information About Embedded Event Manager • Interface counter event detector—Publishes an event when a generic Cisco IOS interface counter for a specified interface crosses a defined threshold. A threshold can be specified as an absolute value or an incremental value. For example, if the incremental value is set to 50, an event would be published when the interface counter increases by 50. This detector also publishes an event about an interface based on the rate of change for the entry and exit values.
  • Page 796: Embedded Event Manager Policies

    Cisco built-in variables (available in EEM applets) Defined by Cisco and can be read-only or read-write. The read-only variables are set by the system before an applet starts to execute. The single read-write variable, _exit_status, allows you to set the exit status for policies triggered from synchronous events.
  • Page 797: Registering And Defining An Embedded Event Manager Applet

    If the action snmp-trap command is used, the snmp-server enable traps event-manager command must be enabled to permit SNMP traps to be sent from the Cisco IOS device to the SNMP server. Other relevant snmp-server commands must also be configured; for details see the action snmp-trap command page.
  • Page 798: Registering And Defining An Embedded Event Manager Tcl Script

    Configuring Embedded Event Manager Command / Purpose: configure terminal: Enter global configuration mode. event manager applet applet-name: Register the applet with EEM and enter applet configuration mode. event snmp oid oid-value get-type {exact | next} entry-op ...: Specify the event criteria that causes the EEM applet to run. (Optional) Exit criteria.
  • Page 799 This example shows the sample EEM policy named tm_cli_cmd.tcl registered as a system policy. The system policies are part of the Cisco IOS image. User-defined TCL scripts must first be copied to flash memory. Switch (config)# event manager policy tm_cli_cmd.tcl type system...
  • Page 800 This example shows the sample EEM policy named tm_cli_cmd.tcl registered as a system policy. The system policies are part of the Cisco IOS image. User-defined TCL scripts must first be copied to flash memory. Switch (config)# event manager policy tm_cli_cmd.tcl type system Related Documents ...
  • Page 801: Configuring Ip Unicast Routing

    Configuring IP Unicast Routing This chapter describes how to configure IP Version 4 (IPv4) unicast routing on the Cisco Industrial Ethernet Switches, hereafter referred to as switch. Note: Dynamic routing protocols are only supported on switches running the IP Services feature set. Static routing is supported on the LAN Base feature set.
  • Page 802 Configuring IP Unicast Routing Prerequisites Figure 97 Routing Topology Example [figure: Switch A and Switch B, each with hosts in VLAN 10 and VLAN 20, connected by ISL trunks] When Host A in VLAN 10 needs to communicate with Host B in VLAN 10, it sends a packet addressed to that host. Switch A forwards the packet directly to Host B, without sending it to the router.
  • Page 803: Configuring Ip Addressing

    Configuring IP Unicast Routing Configuring IP Addressing — A switch virtual interface (SVI): a VLAN interface created by using the interface vlan vlan_id global configuration command and by default a Layer 3 interface. — An EtherChannel port channel in Layer 3 mode: a port-channel logical interface created by using the interface port-channel port-channel-number global configuration command and binding the Ethernet interface into the channel group.
  • Page 804: Default Addressing Configuration

    Configuring IP Unicast Routing Configuring IP Addressing Default Addressing Configuration Feature Default Setting IP address None defined. No permanent entries in the Address Resolution Protocol (ARP) cache. Encapsulation: Standard Ethernet-style ARP. Timeout: 14400 seconds (4 hours). IP broadcast address 255.255.255.255 (all ones). IP classless routing Enabled.
  • Page 805 Configuring IP Unicast Routing Configuring IP Addressing DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. interface interface-id Enter interface configuration mode, and specify the Layer 3 interface to configure. no shutdown Enable the interface if necessary. User network interfaces (UNIs) and enhanced network interfaces (ENIs) are disabled by default;...
  • Page 806: Classless Routing

    Configuring IP Unicast Routing Configuring IP Addressing DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ip subnet-zero Enable the use of subnet zero for interface addresses and routing updates. Return to privileged EXEC mode. show running-config Verify your entry. copy running-config (Optional) Save your entry in the configuration file.
  • Page 807: Configuring Address Resolution Methods

    Configuring IP Unicast Routing Configuring IP Addressing Figure 99 No IP Classless Routing [figure: host 128.20.4.1 on subnet 128.20.0.0 (subnets 128.20.1.0, 128.20.2.0, 128.20.3.0), supernet route 128.0.0.0/8, bit bucket] To prevent the switch from forwarding packets destined for unrecognized subnets to the best supernet route possible, you can disable classless routing behavior.
  • Page 808 Use the ip rarp-server address interface configuration command to identify the server. For more information on RARP, see IP Addressing: ARP Configuration Guide, Cisco IOS Release 15M&T. You can perform these tasks to configure address resolution: • ...
  • Page 809 Configuring IP Unicast Routing Configuring IP Addressing DETAILED STEPS Command / Purpose: configure terminal: Enter global configuration mode. arp ip-address hardware-address type: Globally associate an IP address with a MAC (hardware) address in the ARP cache, and specify the encapsulation type as one of these: • ...
  • Page 810: Enabling Proxy Arp

    Configuring IP Unicast Routing Configuring IP Addressing DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. interface interface-id Enter interface configuration mode, and specify the Layer 3 interface to configure. no shutdown Enable the interface if necessary. By default, UNIs and ENIs are disabled and NNIs are enabled.
  • Page 811: Routing Assistance When Ip Routing Is Disabled

    Configuring IP Unicast Routing Configuring IP Addressing EXAMPLE Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# interface gi0/2 Switch(config-if)# ip proxy-arp Switch(config-if)# end Routing Assistance When IP Routing is Disabled These mechanisms allow the switch to learn about routes to other networks when it does not have IP routing enabled: • ...
  • Page 812 Configuring IP Unicast Routing Configuring IP Addressing Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# ip default-gateway 192.31.7.18 Switch(config)# end ICMP Router Discovery Protocol (IRDP) Router discovery allows the switch to dynamically learn about routes to other networks using IRDP. IRDP allows hosts to locate routers.
  • Page 813 Configuring IP Unicast Routing Configuring IP Addressing DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. interface interface-id Enter interface configuration mode, and specify the Layer 3 interface to configure. no shutdown Enable the interface if necessary. By default, UNIs and ENIs are disabled and NNIs are enabled.
  • Page 814: Configuring Broadcast Packet Handling

    Configuring IP Unicast Routing Configuring IP Addressing Configuring Broadcast Packet Handling After configuring an IP interface address, you can enable routing and configure one or more routing protocols, or you can configure the way the switch responds to network broadcasts. A broadcast is a data packet destined for all hosts on a physical network.
  • Page 815 Configuring IP Unicast Routing Configuring IP Addressing DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. interface interface-id Enter interface configuration mode, and specify the interface to configure. no shutdown Enable the interface if necessary. By default, UNIs and ENIs are disabled and NNIs are enabled.
  • Page 816: Forwarding Udp Broadcast Packets And Protocols

    BEFORE YOU BEGIN See the description for the ip forward-protocol interface configuration command in the Cisco IOS IP Application Services Command Reference for the list of ports that are forwarded by default if you do not specify any UDP ports.
  • Page 817: Establishing An Ip Broadcast Address

    Configuring IP Unicast Routing Configuring IP Addressing Switch(config)# ip forward-protocol udp Switch(config)# end Establishing an IP Broadcast Address The most popular IP broadcast address (and the default) is an address consisting of all ones (255.255.255.255). However, the switch can be configured to generate any form of IP broadcast address. DETAILED STEPS Command Purpose...
  • Page 818 Configuring IP Unicast Routing Configuring IP Addressing • The packet must be a TFTP, DNS, Time, NetBIOS, ND, or BOOTP packet, or a UDP packet specified by the ip forward-protocol udp global configuration command. • The time-to-live (TTL) value of the packet must be at least two. A flooded UDP datagram is given the destination address specified with the ip broadcast-address interface configuration command on the output interface.
  • Page 819: Monitoring And Maintaining Ip Addressing

    Configuring IP Unicast Routing Configuring IP Addressing DETAILED STEPS Command / Purpose: configure terminal: Enter global configuration mode. ip forward-protocol turbo-flood: Use the spanning-tree database to speed up flooding of UDP datagrams. Return to privileged EXEC mode. show running-config: Verify your entry. copy running-config startup-config: (Optional) Save your entry in the configuration file.
  • Page 820: Enabling Ipv4 Unicast Routing

    Configuring IP Unicast Routing Enabling IPv4 Unicast Routing Command Purpose show arp Display the entries in the ARP table. show hosts Display the default domain name, style of lookup service, name server hosts, and the cached list of hostnames and addresses. show ip aliases Display IP addresses mapped to TCP ports (aliases).
  • Page 821: Configuring Rip

    User Datagram Protocol (UDP) data packets to exchange routing information. You can find detailed information about RIP in IP Routing Fundamentals, published by Cisco Press. Using RIP, the switch sends routing information updates (advertisements) every 30 seconds. If a router does not receive an update from another router for 180 seconds or more, it marks the routes served by that router as unusable.
  • Page 822: Default Rip Configuration

    Configuring IP Unicast Routing Configuring RIP Default RIP Configuration Feature Default Setting Auto summary Enabled. Default-information originate Disabled. Default metric Built-in; automatic metric translations. IP RIP authentication key-chain No authentication. Authentication mode: clear text. IP RIP receive version According to the version router configuration command. IP RIP send version According to the version router configuration command.
  • Page 823 Configuring IP Unicast Routing Configuring RIP DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ip routing Enable IP routing. (Required only if IP routing is disabled.) router rip Enable a RIP routing process, and enter router configuration mode. network network number Associate a network with a RIP routing process.
  • Page 824: Configuring Rip Authentication

    Configuring IP Unicast Routing Configuring RIP Command Purpose Return to privileged EXEC mode. show ip protocols Verify your entries. copy running-config (Optional) Save your entries in the configuration file. startup-config To turn off the RIP routing process, use the no router rip global configuration command. To display the parameters and current state of the active routing protocol process, use the show ip protocols privileged EXEC command.
  • Page 825: Configuring Split Horizon

    This feature can optimize communication among multiple routers when links are broken. BEFORE YOU BEGIN In general, Cisco does not recommend disabling split horizon unless you are certain that your application requires disabling it to properly advertise routes.
  • Page 826: Configuring Summary Addresses

    Configuring IP Unicast Routing Configuring RIP DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. interface interface-id Enter interface configuration mode, and specify the interface to configure. no shutdown Enable the interface if necessary. By default, UNIs and ENIs are disabled and NNIs are enabled.
  • Page 827: Configuring Ospf

    OSPF classifies different media into broadcast, nonbroadcast multiaccess (NBMA), or point-to-point networks. Broadcast and nonbroadcast networks can also be configured as point-to-multipoint networks. The switch supports all these network types. The Cisco implementation conforms to the OSPF Version 2 specifications with these key features: • Definition of stub areas is supported.
  • Page 828 Configuring IP Unicast Routing Configuring OSPF • Routes learned through any IP routing protocol can be redistributed into another IP routing protocol. At the intradomain level, this means that OSPF can import routes learned through EIGRP and RIP. OSPF routes can also be exported into RIP.
  • Page 829: Default Ospf Configuration

    Configuring IP Unicast Routing Configuring OSPF Default OSPF Configuration Feature Default Setting Interface parameters Cost: No default cost predefined. Retransmit interval: 5 seconds. Transmit delay: 1 second. Priority: 1. Hello interval: 10 seconds. Dead interval: 4 times the hello interval. No authentication.
  • Page 830 This feature cannot be disabled. For more information about this feature, see the “Configuring Nonstop Forwarding” chapter in the High Availability Configuration Guide, Cisco IOS Release 15S. Configuring Basic OSPF Parameters Enabling OSPF requires that you create an OSPF routing process, specify the range of IP addresses to be associated with the routing process, and assign area IDs to be associated with that range.
  • Page 831: Configuring Ospf Interfaces

    Configuring IP Unicast Routing Configuring OSPF DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. router ospf process-id Enable OSPF routing, and enter router configuration mode. The process ID is an internally used identification parameter that is locally assigned and can be any positive integer.
  • Page 832 Configuring IP Unicast Routing Configuring OSPF DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. interface interface-id Enter interface configuration mode, and specify the Layer 3 interface to configure. no shutdown Enable the interface if necessary. By default, UNIs and ENIs are disabled and NNIs are enabled.
  • Page 833: Configuring Ospf Network Types

    Configuring IP Unicast Routing Configuring OSPF Command / Purpose: show ip ospf interface [interface-name]: Display OSPF-related interface information. show ip ospf neighbor detail: Display NSF awareness status of the neighbor switch. The output matches one of these examples: • Options is 0x52 LLS Options is 0x1 (LR) When both of these lines appear, the neighbor switch is NSF aware.
  • Page 834: Configuring Network Types For Ospf Interfaces

    Configuring IP Unicast Routing Configuring OSPF DETAILED STEPS Command / Purpose: configure terminal: Enter global configuration mode. router ospf process-id: Configure an OSPF routing process and enter router configuration mode. neighbor ip-address [priority number] [poll-interval seconds]: Specify an OSPF neighbor with neighbor parameters as required.
  • Page 835 Configuring IP Unicast Routing Configuring OSPF DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. interface interface-id Enter interface configuration mode, and specify the Layer 3 interface to configure. no shutdown Enable the interface if necessary. By default, UNIs and ENIs are disabled and NNIs are enabled.
  • Page 836: Configuring Ospf Area Parameters

    Configuring IP Unicast Routing Configuring OSPF EXAMPLE The following example sets your OSPF network as a broadcast network: interface serial 0 ip address 192.168.77.17 255.255.255.0 ip ospf network broadcast encapsulation frame-relay The following example illustrates a point-to-multipoint network with broadcast: interface serial 0 ip address 10.0.1.1 255.255.255.0 encapsulation frame-relay...
  • Page 837 Configuring IP Unicast Routing Configuring OSPF DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. router ospf process-id Enable OSPF routing, and enter router configuration mode. area area-id authentication (Optional) Allow password-based protection against unauthorized access to the identified area. The identifier can be either a decimal value or an IP address.
  • Page 838: Configuring Other Ospf Parameters

    Configuring IP Unicast Routing Configuring OSPF network 192.168.0.0 0.0.255.255 area 0 area 10.0.0.0 authentication area 0 authentication Configuring Other OSPF Parameters You can optionally configure other OSPF parameters in router configuration mode. • Route summarization: When redistributing routes from other protocols as described in Using Route Maps to Redistribute Routing Information, page 911, each route is advertised individually in an external LSA.
  • Page 839 Configuring IP Unicast Routing Configuring OSPF DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. router ospf process-id Enable OSPF routing, and enter router configuration mode. summary-address address mask (Optional) Specify an address and IP subnet mask for redistributed routes so that only one summary route is advertised.
  • Page 840: Changing Lsa Group Pacing

    Configuring IP Unicast Routing Configuring OSPF Switch(config)# router ospf 201 Switch(config-router)# summary-address 10.1.0.0 255.255.0.0 Switch(config-router)# end Changing LSA Group Pacing The OSPF LSA group pacing feature allows the router to group OSPF LSAs and pace the refreshing, check-summing, and aging functions for more efficient router use. This feature is enabled by default with a 4-minute default pacing interval, and you will not usually need to modify this parameter.
  • Page 841: Monitoring Ospf

    You can display specific statistics such as the contents of IP routing tables, caches, and databases. Following are some of the privileged EXEC commands for displaying OSPF statistics. For more show ip ospf database privileged EXEC command options and for explanations of fields in the resulting display, see Cisco IOS IP Routing: OSPF Command Reference.
  • Page 842: Configuring Eigrp

    Configuring EIGRP Configuring EIGRP Enhanced IGRP (EIGRP) is a Cisco proprietary enhanced version of the Interior Gateway Routing Protocol (IGRP). EIGRP uses the same distance vector algorithm and distance information as IGRP; however, the convergence properties and the operating efficiency of EIGRP are significantly improved.
  • Page 843: Default Eigrp Configuration

    Configuring IP Unicast Routing Configuring EIGRP Default EIGRP Configuration Feature Default Setting Auto summary Enabled. Subprefixes are summarized to the classful network boundary when crossing classful network boundaries. Default-information Exterior routes are accepted and default information is passed between EIGRP processes when doing redistribution.
  • Page 844: Configuring Basic Eigrp Parameters

    This feature cannot be disabled. For more information on this feature, see the “Configuring Nonstop Forwarding” chapter in the High Availability Configuration Guide, Cisco IOS Release 15S. Configuring Basic EIGRP Parameters In this procedure, configuring the routing process is required; other steps are optional.
  • Page 845: Configuring Eigrp Interfaces

    Configuring IP Unicast Routing Configuring EIGRP DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. router eigrp autonomous-system Enable an EIGRP routing process, and enter router configuration mode. The AS number identifies the routes to other EIGRP routers and is used to tag routing information.
  • Page 846: Configuring Eigrp Route Authentication

    The default is 180 seconds for low-speed NBMA networks and 15 seconds for all other networks. Caution: Do not adjust the hold time without consulting Cisco technical support. no ip split-horizon eigrp autonomous-system-number (Optional) Disable split horizon to allow route information to be advertised by a router out any interface from which that information originated.
  • Page 847 Configuring IP Unicast Routing Configuring EIGRP BEFORE YOU BEGIN Enable EIGRP as described in the Configuring Basic EIGRP Parameters, page 840. DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. interface interface-id Enter interface configuration mode, and specify the Layer 3 interface to configure. no shutdown Enable the interface if necessary.
  • Page 848: Configuring Eigrp Stub Routing

    (Figure labels: Switch B, Switch C, Host A, Host B, Host C.) For more information about EIGRP stub routing, see IP Routing: EIGRP Configuration Guide, Cisco IOS Release 15M&T. BEFORE YOU BEGIN Complete the EIGRP network strategy and planning for your network.
  • Page 849: Monitoring And Maintaining Eigrp

    Configuring IP Unicast Routing Configuring EIGRP DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. router eigrp 1 Configure a remote or distribution router to run an EIGRP process and enter router configuration mode. network network-number Associate networks with an EIGRP routing process. eigrp stub [receive-only | Configure a remote router as an EIGRP stub router.
  • Page 850: Configuring Bgp

    Configuring IP Unicast Routing Configuring BGP Command Purpose clear ip eigrp neighbors [if-address | interface] Delete neighbors from the neighbor table. show ip eigrp interface [interface] [as number] Display information about interfaces configured for EIGRP. show ip eigrp neighbors [type-number] Display EIGRP discovered neighbors.
  • Page 851 AS connectivity, to prune routing loops, and to enforce AS-level policy decisions. A router or switch running Cisco IOS does not select or use an IBGP route unless it has a route available to the next-hop router and it has received synchronization from an IGP (unless IGP synchronization is disabled).
  • Page 852: Default Bgp Configuration

    Number: None defined. When you permit a value for the community number, the list defaults to an implicit deny for everything else that has not been permitted. • Format: Cisco default format (32-bit number). • BGP confederation Identifier: None configured.
  • Page 853 Configuring IP Unicast Routing Configuring BGP Feature Default Setting • Multi exit discriminator (MED) Always compare: Disabled. Does not compare MEDs for paths from neighbors in different autonomous systems. • Best path compare: Disabled. • MED missing as worst path: Disabled. ...
  • Page 854: Enabling Bgp Routing

    Processor (RP) in a router failing and the backup RP taking over, or while the primary RP is manually reloaded for a nondisruptive software upgrade. For more information, see IP Routing: BGP Configuration Guide, Cisco IOS Release 15M&T. Enabling BGP Routing To enable BGP routing, you establish a BGP routing process and define the local network.
  • Page 855 Configuring IP Unicast Routing Configuring BGP DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ip routing Enable IP routing (required only if IP routing is disabled). router bgp autonomous-system Enable a BGP routing process, assign it an AS number, and enter router configuration mode.
  • Page 856 Configuring IP Unicast Routing Configuring BGP Command Purpose end Return to privileged EXEC mode. show ip bgp network network-number Verify the configuration. show ip bgp neighbor Verify that NSF awareness (Graceful Restart) is enabled on the neighbor. If NSF awareness is enabled on the switch and the neighbor, this message appears: Graceful Restart Capability: advertised and received...
  • Page 857: Managing Routing Policy Changes

    Configuring IP Unicast Routing Configuring BGP Received 2828 messages, 0 notifications, 0 in queue Sent 2826 messages, 0 notifications, 0 in queue Connections established 11; dropped 10 Anything other than state = established means that the peers are not running. The remote router ID is the highest IP address on that router (or the highest loopback interface).
  • Page 858: Configuring Bgp Decision Attributes

    Prefer the path with the largest weight (a Cisco proprietary parameter). The weight attribute is local to the router and not propagated in routing updates. By default, the weight attribute is 32768 for paths that the router originates and zero for other paths.
  • Page 859 Configuring IP Unicast Routing Configuring BGP Prefer the route with the highest local preference. Local preference is part of the routing update and exchanged among routers in the same AS. The default value of the local preference attribute is 100. You can set local preference by using the bgp default local-preference router configuration command or by using a route map.
  • Page 860 Configuring IP Unicast Routing Configuring BGP DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. router bgp autonomous-system Enable a BGP routing process, assign it an AS number, and enter router configuration mode. bgp best-path as-path ignore (Optional) Configure the router to ignore AS path length in selecting a route.
  • Page 861: Configuring Bgp Filtering With Route Maps

    Configuring IP Unicast Routing Configuring BGP Use the no form of each command to return to the default state. EXAMPLE The following example forces all updates destined for 10.108.1.1 to advertise this router as the next hop: Switch(config)# router bgp 109 Switch(config-router)# neighbor 10.108.1.1 next-hop-self In the following example, the local BGP routing process is configured to compare the MED from alternative paths, regardless of the autonomous system from which the paths are received:...
  • Page 862: Configuring Bgp Filtering By Neighbor

    Configuring IP Unicast Routing Configuring BGP Configuring BGP Filtering by Neighbor You can filter BGP advertisements by using AS-path filters, such as the as-path access-list global configuration command and the neighbor filter-list router configuration command. You can also use access lists with the neighbor distribute-list router configuration command.
  • Page 863: Configuring Prefix Lists For Bgp Filtering

    Configuring IP Unicast Routing Configuring BGP BEFORE YOU BEGIN Enable BGP routing as described in Enabling BGP Routing, page 850. DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ip as-path access-list access-list-number {permit | deny} as-regular-expressions Define a BGP-related access list. router bgp autonomous-system Enter BGP router configuration mode.
  • Page 864 Configuring IP Unicast Routing Configuring BGP Before using a prefix list in a command, you must set up the prefix list. BEFORE YOU BEGIN Enable BGP routing as described in the Enabling BGP Routing, page 850. DETAILED STEPS Command Purpose configure terminal Enter global configuration mode.
  • Page 865: Configuring Bgp Community Filtering

    Configuring IP Unicast Routing Configuring BGP In the following example, a prefix list is configured to permit routes from any network that have a mask length from 8 to 24 bits: Switch(config)# ip prefix-list GREEN permit 0.0.0.0/0 ge 8 le 24 In the following example, a prefix list is configured to deny any route with any mask length from the 10.0.0.0/8 network: Switch(config)# ip prefix-list ORANGE deny 10.0.0.0/8 le 32 Configuring BGP Community Filtering...
  • Page 866 AA:NN. A BGP community is displayed in a two-part format 2 bytes long. The Cisco default community format is in the format NNAA. In the most recent RFC for BGP, a community takes the form AA:NN, where the first part is the AS number and the second part is a 2-byte number.
  • Page 867: Configuring Bgp Neighbors And Peer Groups

    Configuring IP Unicast Routing Configuring BGP 10.0.33.35 from 10.0.33.35 (192.168.3.3) Origin incomplete, metric 10, localpref 100, valid, external Community: 1:1 Local 0.0.0.0 from 0.0.0.0 (10.0.33.34) Origin incomplete, metric 0, localpref 100, weight 32768, valid, sourced, best Configuring BGP Neighbors and Peer Groups Often many BGP neighbors are configured with the same update policies (that is, the same outbound route maps, distribute lists, filter lists, update source, and so on).
  • Page 868 Configuring IP Unicast Routing Configuring BGP DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. router bgp autonomous-system Enter BGP router configuration mode. neighbor peer-group-name peer-group Create a BGP peer group. neighbor ip-address peer-group peer-group-name Make a BGP neighbor a member of the peer group. neighbor {ip-address | peer-group-name} Specify a BGP neighbor.
  • Page 869: Configuring Aggregate Addresses

    Configuring IP Unicast Routing Configuring BGP Command Purpose neighbor {ip-address | peer-group-name} timers keepalive holdtime (Optional) Set timers for the neighbor or peer group. • The keepalive interval is the time within which keepalive messages are sent to peers. The range is 1 to 4294967295 seconds;...
  • Page 870 Configuring IP Unicast Routing Configuring BGP BEFORE YOU BEGIN Enable BGP routing as described in the Enabling BGP Routing, page 850. DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. router bgp autonomous-system Enter BGP router configuration mode. aggregate-address address mask Create an aggregate entry in the BGP routing table.
  • Page 871: Configuring Routing Domain Confederations

    Configuring IP Unicast Routing Configuring BGP Switch(config-router-af)# aggregate-address 10.0.0.0 255.0.0.0 as-set advertise-map MAP-ONE Switch(config-router-af)# end Configuring Routing Domain Confederations One way to reduce the IBGP mesh is to divide an autonomous system into multiple subautonomous systems and to group them into a single confederation that appears as a single autonomous system. Each autonomous system is fully meshed within itself and has a few connections to other autonomous systems in the same confederation.
  • Page 872: Configuring Bgp Route Reflectors

    Configuring IP Unicast Routing Configuring BGP Configuring BGP Route Reflectors BGP requires that all of the IBGP speakers be fully meshed. When a router receives a route from an external neighbor, it must advertise it to all internal neighbors. To prevent a routing information loop, all IBGP speakers must be connected. The internal neighbors do not send routes learned from internal neighbors to other internal neighbors.
  • Page 873: Configuring Route Dampening

    Configuring IP Unicast Routing Configuring BGP router bgp 5 neighbor 172.16.70.24 route-reflector-client Configuring Route Dampening Route flap dampening minimizes the propagation of flapping routes across an internetwork. A route is considered to be flapping when it is repeatedly available, then unavailable, then available, then unavailable, and so on. When route dampening is enabled, a numeric penalty value is assigned to a route when it flaps.
  • Page 874: Monitoring And Maintaining Bgp

    Configuring IP Unicast Routing Configuring BGP Switch(config)# router bgp 50000 Switch(config-router)# address-family ipv4 Switch(config-router-af)# bgp dampening route-map BLUE Switch(config-router-af)# end Monitoring and Maintaining BGP You can remove all contents of a particular cache, table, or database. This might be necessary when the contents of the particular structure have become or are suspected to be invalid.
  • Page 875: Configuring Iso Clns Routing

    Level 1 areas (area routing). A single Cisco router can participate in routing in up to 29 areas and can perform Level 2 routing in the backbone. In general, each routing process corresponds to an area. By default, the first instance of the routing process configured performs both Level 1 and Level 2 routing.
  • Page 876 Configuring IP Unicast Routing Configuring ISO CLNS Routing • Configuring IS-IS Interface Parameters, page 879 Default IS-IS Configuration Feature Default Setting Ignore link-state PDU (LSP) errors Enabled. IS-IS type Conventional IS-IS: the router acts as both a Level 1 (station) and a Level 2 (area) router.
  • Page 877 This feature is automatically enabled and requires no configuration. For more information on this feature, see the “Configuring Nonstop Forwarding” chapter in the High Availability Configuration Guide, Cisco IOS Release 15S. Enabling IS-IS Routing To enable IS-IS, you specify a name and NET for each routing process. You then enable IS-IS routing on the interface and specify the area for each instance of the routing process.
  • Page 878 Configuring IP Unicast Routing Configuring ISO CLNS Routing DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. clns routing Enable ISO connectionless routing on the switch. router isis [area tag] Enable the IS-IS routing for the specified routing process and enter IS-IS routing configuration mode.
  • Page 879 Configuring IP Unicast Routing Configuring ISO CLNS Routing Router A: Switch(config)# clns routing Switch(config)# router isis Switch(config-router)# net 49.0001.0000.0000.000a.00 Switch(config-router)# exit Switch(config)# interface gigabitethernet0/1 Switch(config-if)# ip router isis Switch(config-if)# clns router isis Switch(config)# interface gigabitethernet0/2 Switch(config-if)# ip router isis Switch(config-if)# clns router isis Switch(config-router)# exit Router B: Switch(config)# clns routing...
  • Page 880 Configuring IP Unicast Routing Configuring ISO CLNS Routing • You can configure the LSP refresh interval and the maximum time that an LSP can remain in the router database without a refresh • You can set the throttling timers for LSP generation, shortest path first computation, and partial route computation. ...
  • Page 881 Configuring IP Unicast Routing Configuring ISO CLNS Routing DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. clns routing Enable ISO connectionless routing on the switch. router isis Specify the IS-IS routing protocol and enter router configuration mode. default-information originate (Optional) Force a default route into the IS-IS routing domain.
  • Page 882 Configuring IP Unicast Routing Configuring ISO CLNS Routing Command Purpose lsp-gen-interval [level-1 | level-2] lsp-max-wait [lsp-initial-wait lsp-second-wait] (Optional) Set the IS-IS LSP generation throttling timers: • lsp-max-wait—the maximum interval (in seconds) between two consecutive occurrences of an LSP being generated. The range is 1 to 120, the default is 5.
  • Page 883 Configuring IP Unicast Routing Configuring ISO CLNS Routing Command Purpose end Return to privileged EXEC mode. show clns Verify your entries. copy running-config startup-config (Optional) Save your entries in the configuration file. To disable default route generation, use the no default-information originate router configuration command. Use the no area-password or no domain-password router configuration command to disable passwords.
  • Page 884 Configuring IP Unicast Routing Configuring ISO CLNS Routing • Designated router election priority, which allows you to reduce the number of adjacencies required on a multiaccess network, which in turn reduces the amount of routing protocol traffic and the size of the topology database. ...
  • Page 885 Configuring IP Unicast Routing Configuring ISO CLNS Routing DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. interface interface-id Specify the interface to be configured and enter interface configuration mode. If the interface is not already configured as a Layer 3 interface, enter the no switchport command to put it into Layer 3 mode.
  • Page 886 Configuring IP Unicast Routing Configuring ISO CLNS Routing Command Purpose isis circuit-type {level-1 | level-1-2 | level-2-only} (Optional) Configure the type of adjacency desired for neighbors on the specified interface (specify the interface circuit type). • level-1—a Level 1 adjacency is established if there is at least one area address common to both this node and its neighbors.
  • Page 887: Configuring Bfd

    Configuring IP Unicast Routing Configuring BFD Command Purpose clear clns cache Clear and reinitialize the CLNS routing cache. clear clns es-neighbors Remove end system (ES) neighbor information from the adjacency database. clear clns is-neighbors Remove intermediate system (IS) neighbor information from the adjacency database.
  • Page 888 Configuring IP Unicast Routing Configuring BFD To create a BFD session, you must configure BFD on both systems (BFD peers). Enabling BFD at the interface and routing protocol level on BFD peers creates a BFD session. BFD timers are negotiated and the BFD peers send control packets to each other at the negotiated intervals.
  • Page 889: Default Bfd Configuration

    To run BFD on a switch, you need to configure basic BFD interval parameters on BFD interfaces, enable routing on the switch, and enable one or more routing protocol clients for BFD. You also need to confirm that Cisco Express Forwarding (CEF) is enabled (the default) on participating switches.
  • Page 890: Configuring Bfd Session Parameters On An Interface

    Configuring IP Unicast Routing Configuring BFD When using BFD echo mode (the default), you should disable sending of ICMP redirect messages by entering the no ip redirects interface configuration command on the BFD interface. Configuring BFD Session Parameters on an Interface Before you can start a BFD session on an interface, you must put the interface into Layer 3 mode and set the baseline BFD parameters on it.
  • Page 891: Enabling Bfd Routing Protocol Clients

    Configuring IP Unicast Routing Configuring BFD Enabling BFD Routing Protocol Clients After you configure BFD parameters on an interface, you can start a BFD session for one or more routing protocols. You must first enable routing by entering the ip routing global configuration command on the switch. Note that there can be more than one way to start a BFD session on an interface, depending on the routing protocol.
  • Page 892 Configuring IP Unicast Routing Configuring BFD Note: If you try to configure OSPF BFD on a Layer 2 interface, the configuration is not recognized. EXAMPLE This is an example of enabling BFD for OSPF on all OSPF interfaces: Switch(config)# router ospf 109 Switch(config-router)# bfd all-interfaces Switch(config-router)# exit Configuring BFD for OSPF on an Interface...
  • Page 893 Configuring IP Unicast Routing Configuring BFD • Configure IS-IS as described in Configuring IS-IS Dynamic Routing, page 871. DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. router is-is area-tag Specify an IS-IS process and enter router configuration mode. bfd all-interfaces Enable BFD globally on all interfaces associated with the IS-IS routing process.
  • Page 894: Configuring Bfd For Bgp

    Configuring IP Unicast Routing Configuring BFD DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. router is-is area-tag Specify an IS-IS process and enter router configuration mode. exit Return to global configuration mode. interface interface-id Specify an interface, and enter interface configuration mode. isis bfd Enable BFD on the specified IS-IS interface.
  • Page 895: Configuring Bfd For Eigrp

    Configuring IP Unicast Routing Configuring BFD DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. router bgp as-tag Specify a BGP autonomous system, and enter router configuration mode. neighbor ip-address fall-over Enable BFD support for fallover on the BFD neighbor. Return to privileged EXEC mode.
  • Page 896: Configuring Bfd For Hsrp

    Configuring IP Unicast Routing Configuring BFD DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. router eigrp as-number Specify an EIGRP autonomous system number, and enter router configuration mode. log-adjacency changes [detail] Configure the switch to send a system logging message when an EIGRP neighbor goes up or down.
  • Page 897: Disabling Bfd Echo Mode

    Configuring IP Unicast Routing Configuring BFD DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. interface interface-id Specify an interface for a BFD session, and enter interface configuration mode. Only physical interfaces support BFD. ip address ip-address subnet-mask Configure the IP address and IP subnet mask for the interface. standby [group-number] ip Activate HSRP.
  • Page 898 CE). With multi-VRF CE, a service provider can support two or more VPNs with overlapping IP addresses. Note: The switch does not use Multiprotocol Label Switching (MPLS) to support VPNs. For information about MPLS VRF, refer to the MPLS: Layer 3 VPNs Configuration Guide, Cisco IOS Release 15M&T. • Information About Multi-VRF CE, page 895 ...
  • Page 899 VPN service, for example, small companies. In this case, multi-VRF CE support is required in the Cisco Connected Grid switches. Because multi-VRF CE is a Layer 3 feature, each interface in a VRF must be a Layer 3 interface.
  • Page 900 Configuring IP Unicast Routing Configuring Multi-VRF CE • The global routing section contains routes to non-VPN networks, such as the Internet. VLAN IDs from different VRFs are mapped into different policy labels, which are used to distinguish the VRFs during processing.
  • Page 901: Configuring Vrfs

    Configuring IP Unicast Routing Configuring Multi-VRF CE • Multi-VRF CE does not support all MPLS-VRF functionality. It does not support label exchange, LDP adjacency, or labeled packets. • For the PE router, there is no difference between using multi-VRF CE or using multiple CEs. In Figure 104 on page 895, multiple virtual Layer 3 interfaces are connected to the multi-VRF CE device.
  • Page 902 VRF-aware. Any configured VRF in the system can be specified for a VRF-aware service. VRF-aware services are implemented in platform-independent modules. VRF means multiple routing instances in Cisco IOS. Each platform has its own limit on the number of VRFs it supports.
  • Page 903: User Interface For Arp

    Configuring IP Unicast Routing Configuring Multi-VRF CE • ARP entries are learned in separate VRFs. The user can display Address Resolution Protocol (ARP) entries for specific VRFs. These services are VRF-aware: • Ping • Simple Network Management Protocol (SNMP) ...
  • Page 904: User Interface For Snmp

    Configuring IP Unicast Routing Configuring Multi-VRF CE BEFORE YOU BEGIN Configure a VRF as described in the Configuring VRFs, page 897. DETAILED STEPS Command Purpose ping vrf vrf-name ip-host Tests a connection in the context of a specific VPN connection. EXAMPLE In the following example, the target host in the domain 209.165.201.1 is pinged (using IP/ICMP) in the context of the “CustomerA”...
  • Page 905: User Interface For Hsrp

    Configuring IP Unicast Routing Configuring Multi-VRF CE The following example shows how to send all SNMP notifications to example.com over the VRF named trap-vrf using the community string public: Switch(config)# snmp-server host example.com vrf trap-vrf public User Interface for HSRP Hot Standby Router Protocol (HSRP) support for VRFs ensures that HSRP virtual IP addresses are added to the correct IP routing table.
  • Page 906: User Interface For Traceroute

    Configuring IP Unicast Routing Configuring Multi-VRF CE DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. logging on Enable or temporarily disable logging of storage router event messages. logging host ip address vrf vrf name Specify the host address of the syslog server where logging messages are to be sent.
  • Page 907: User Interface For Ftp And Tftp

    In this configuration, FTP looks for the destination IP address for file transfer in the specified VRF table. If the specified source interface is not up, Cisco IOS software selects the address of the interface closest to the destination as the source address.
  • Page 908: Configuring Bgp Pe To Ce Routing Sessions

    Configuring IP Unicast Routing Configuring Multi-VRF CE Note: To configure an EIGRP routing process to run within a VRF instance, you must configure an autonomous-system number by entering the autonomous-system autonomous-system-number address-family configuration mode command. BEFORE YOU BEGIN Configure a VRF as described in the Configuring VRFs, page 897.
  • Page 909 Configuring IP Unicast Routing Configuring Multi-VRF CE DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. router bgp autonomous-system-number Configure the BGP routing process with the AS number passed to other BGP routers, and enter router configuration mode. network network-number mask Specify a network and mask to announce using BGP.
  • Page 910: Configuring Cisco Express Forwarding

    Managing Authentication Keys, page 922 Configuring Cisco Express Forwarding Cisco Express Forwarding (CEF) is a Layer 3 IP switching technology used to optimize network performance. CEF implements an advanced IP look-up and forwarding algorithm to deliver maximum Layer 3 switching performance. CEF is less CPU-intensive than fast switching route caching, allowing more CPU processing power to be dedicated to packet forwarding.
  • Page 911  If you enable Cisco Express Forwarding and then create an access list that uses the log keyword, the packets that match the access list are not Cisco Express Forwarding switched. They are process switched. Logging disables Cisco Express Forwarding.
  • Page 912 Configuring IP Unicast Routing Configuring Protocol-Independent Features Configuring the Number of Equal-Cost Routing Paths When a router has two or more routes to the same network with the same metrics, these routes can be thought of as having an equal cost. The term parallel path is another way to see occurrences of equal-cost routes in a routing table. If a router has two or more equal-cost paths to a network, it can use them concurrently.
  • Page 913 Configuring IP Unicast Routing Configuring Protocol-Independent Features Table 65 Default Administrative Distance Values Route Source Default Distance Connected interface Static route Enhanced IGRP summary route External BGP Internal Enhanced IGRP IGRP OSPF Internal BGP Unknown Static routes that point to an interface are advertised through RIP, IGRP, and other dynamic routing protocols, whether or not static redistribute router configuration commands were specified for those routing protocols.
  • Page 914: Specifying Default Routes And Networks

    In IGRP networks, there might be several candidate networks for the system default. Cisco routers use administrative distance and metric information to set the default route or the gateway of last resort.
  • Page 915: Using Route Maps To Redistribute Routing Information

    The switch supports the continue clause for outbound policies. For more information about using the route map continue clause, see the “BGP Route-Map Continue” section in the IP Routing: BGP Configuration Guide, Cisco IOS Release 15M&T. Note: Although each of Steps 3 through 14 in the following section is optional, you must enter at least one match route-map configuration command and one set route-map configuration command.
  • Page 916 Configuring IP Unicast Routing Configuring Protocol-Independent Features DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. route-map map-tag [permit | deny] [sequence number] Define any route maps used to control redistribution and enter route-map configuration mode. • map-tag—A meaningful name for the route map.
  • Page 917 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose set dampening halflife reuse suppress max-suppress-time Set BGP route dampening factors. set local-preference value Assign a value to a local BGP path. set origin {igp | egp as | incomplete} Set the BGP origin code. set as-path {tag | prepend as-path-string} Modify the BGP autonomous system path.
  • Page 918 RIP can automatically redistribute static routes. It assigns static routes a metric of 1 (directly connected). • Any protocol can redistribute other routing protocols if a default mode is in effect. BEFORE YOU BEGIN Review the usage guidelines and additional examples for the redistribute command in the Cisco IOS IP Routing: Protocol-Independent Command Reference.
  • Page 919 Configuring IP Unicast Routing Configuring Protocol-Independent Features DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. router {bgp | rip | ospf | eigrp} Enter router configuration mode. redistribute protocol [process-id] {level-1 | level-1-2 | level-2} [metric metric-value] Redistribute routes from one routing protocol to another routing protocol.
  • Page 920: Pbr Configuration Guidelines

    If match clauses are satisfied, you can use a set clause to specify the IP addresses identifying the next hop router in the path. For details about PBR commands and keywords, see IP Routing: Protocol-Independent Configuration Guide, Cisco IOS Release 15M&T. PBR Configuration Guidelines Before configuring PBR, you should be aware of this information: ...
  • Page 921: Enabling Pbr

    Configuring IP Unicast Routing Configuring Protocol-Independent Features • The number of TCAM entries used by PBR depends on the route map itself, the ACLs used, and the order of the ACLs and route-map entries. • Policy-based routing based on packet length, IP precedence and TOS, set interface, set default next hop, or set default interface are not supported.
  • Page 922 Configuring IP Unicast Routing Configuring Protocol-Independent Features DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. route-map map-tag [permit] [sequence number] Define any route maps used to control where packets are output, and enter route-map configuration mode. • map-tag—A meaningful name for the route map. The ip policy route-map interface configuration command uses this name to reference the route map.
  • Page 923: Filtering Routing Information

    Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Return to privileged EXEC mode. show route-map [map-name] (Optional) Display all route maps configured or only the one specified to verify configuration. show ip policy (Optional) Display policy route maps attached to interfaces.
  • Page 924: Controlling Advertising And Processing In Routing Updates

    Configuring IP Unicast Routing Configuring Protocol-Independent Features DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. router {bgp | rip | ospf | eigrp} Enter router configuration mode. passive-interface interface-id Suppress sending routing updates through the specified Layer 3 interface. passive-interface default (Optional) Set all interfaces as passive by default.
  • Page 925: Filtering Sources Of Routing Information

    Because each network has its own requirements, there are no general guidelines for assigning administrative distances. BEFORE YOU BEGIN • Always set the administrative distance from the least to the most specific network. • Review the usage guidelines and additional examples for the distance command in the Cisco IOS IP Routing: Protocol-Independent Command Reference.
  • Page 926: Managing Authentication Keys

    Configuring IP Unicast Routing Configuring Protocol-Independent Features DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. router {bgp | rip | ospf | eigrp} Enter router configuration mode. distance weight {ip-address {ip-address mask}} [ip access list] Define an administrative distance. ...
  • Page 927 Configuring IP Unicast Routing Configuring Protocol-Independent Features To manage authentication keys, define a key chain, identify the keys that belong to the key chain, and specify how long each key is valid. Each key has its own key identifier (specified with the key number key chain configuration command), which is stored locally.
  • Page 928 Display all route maps configured or only the one specified. Related Documents • Cisco IOS Master Command List, All Releases • IP Addressing: ARP Configuration Guide, Cisco IOS Release 15M&T • Cisco IOS IP Routing: RIP Command Reference • IP Routing: RIP Configuration Guide, Cisco IOS Release 15M&T ...
  • Page 929 Configuring IP Unicast Routing Related Documents • Cisco IOS IP Routing: EIGRP Command Reference • IP Routing: EIGRP Configuration Guide, Cisco IOS Release 15M&T • Cisco IOS IP Routing: BGP Command Reference • IP Routing: BGP Configuration Guide, Cisco IOS Release 15M&T ...
  • Page 930 Configuring IP Unicast Routing Related Documents...
  • Page 931 Configuring IPv6 Unicast Routing This chapter describes how to configure IPv6 unicast routing on the Cisco Industrial Ethernet Switches, hereafter referred to as “switch.” To use this feature, the switch must be running the IP services image. To enable IPv6 routing, you must configure the switch to use a dual IPv4 and IPv6 switch database management (SDM) template.
  • Page 932: Supported Ipv6 Unicast Routing Features

    2031:0:130F::09C0:080F:130B For more information about IPv6 address formats, address types, and the IPv6 packet header, see IPv6 Addressing and Basic Connectivity Configuration Guide, Cisco IOS Release 15M&T in the IPv6 Configuration Library, Cisco IOS Release 15M&T.
  • Page 933: Bit Unicast Addresses

    Configuring IPv6 Unicast Routing Information About IPv6 • EIGRP IPv6, page 931 • Multiprotocol BGP for IPv6, page 931 • SNMP and Syslog Over IPv6, page 932 • HTTP(S) Over IPv6, page 932 128-Bit Unicast Addresses The switch supports aggregatable global unicast addresses and link-local unicast addresses. It does not support site-local unicast addresses.
  • Page 934 DNS resolver for AAAA over IPv4 transport • Cisco Discovery Protocol (CDP) support for IPv6 addresses Dual IPv4 and IPv6 Protocol Stacks You must use the dual IPv4 and IPv6 template to allocate hardware memory usage to both IPv4 and IPv6 protocols.
  • Page 935: Dhcp For Ipv6 Address Assignment

    Configuring IPv6 Unicast Routing Information About IPv6 • If you try to configure IPv6 without first selecting a dual IPv4 and IPv6 template, a warning message appears. • In IPv4-only environments, the switch routes IPv4 packets and applies IPv4 QoS and ACLs in hardware. IPv6 packets are not supported.
  • Page 936: Unsupported Ipv6 Unicast Routing Features

    Configuring IPv6 Unicast Routing Information About IPv6 SNMP and Syslog Over IPv6 To support both IPv4 and IPv6, IPv6 network management requires both IPv6 and IPv4 transports. Syslog over IPv6 supports address data types for these transports. SNMP and syslog over IPv6 provide these features: ...
  • Page 937 Configuring IPv6 Unicast Routing Prerequisites • HSRP for IPv6 Prerequisites Select a dual IPv4 and IPv6 template as described in the Dual IPv4 and IPv6 Protocol Stacks, page 930. Guidelines and Limitations Because IPv6 is implemented in switch hardware, some limitations occur due to the IPv6 compressed addresses in the hardware memory.
  • Page 938: Configuring Ipv6

    • all-routers link-local multicast group FF02::2 For more information about configuring IPv6 routing, see the “Implementing Addressing and Basic Connectivity for IPv6” chapter in the IPv6 Implementation Guide, Cisco IOS Release 15.2M&T. BEFORE YOU BEGIN • Be sure to select a dual IPv4 and IPv6 SDM template.
  • Page 939 Configuring IPv6 Unicast Routing Configuring IPv6 • In the ipv6 address interface configuration command, you must enter the ipv6-address and ipv6-prefix variables with the address specified in hexadecimal using 16-bit values between colons. The prefix-length variable (preceded by a slash [/]) is a decimal value that shows how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address).
  • Page 940 Configuring IPv6 Unicast Routing Configuring IPv6 DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan} Select an SDM template that supports IPv4 and IPv6. • default—Set the switch to the default template to balance system resources.
  • Page 941 Configuring IPv6 Unicast Routing Configuring IPv6 EXAMPLE This example shows how to enable IPv6 with both a link-local address and a global address based on the IPv6 prefix 2001:0DB8:c18:1::/64. The EUI-64 interface ID is used in the low-order 64 bits of both addresses. Output from the show ipv6 interface EXEC command is included to show how the interface ID (20B:46FF:FE2F:D940) is appended to the link-local prefix FE80::/64 of the interface.
  • Page 942: Configuring Ipv4 And Ipv6 Protocol Stacks

    Configuring IPv6 Unicast Routing Configuring IPv6 DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. interface interface-id Enter interface configuration mode, and enter the Layer 3 interface on which you want to specify the DRP. ipv6 nd router-preference {high | Specify a DRP for the router on the switch interface.
  • Page 943 Configuring IPv6 Unicast Routing Configuring IPv6 DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan} Select an SDM template that supports IPv4 and IPv6. • default—Set the switch to the default template to balance system resources.
  • Page 944: Configuring Dhcp For Ipv6 Address Assignment

    This document describes only the DHCPv6 address assignment. For more information about configuring the DHCPv6 client, server, or relay agent functions, see the “Implementing DHCP for IPv6” chapter in the IPv6 Implementation Guide, Cisco IOS Release 15.2M&T. • Default DHCPv6 Address Assignment Configuration, page 940 ...
  • Page 945 Configuring IPv6 Unicast Routing Configuring IPv6 DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ipv6 dhcp pool poolname Enter DHCP pool configuration mode, and define the name for the IPv6 DHCP pool. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0).
  • Page 946 Configuring IPv6 Unicast Routing Configuring IPv6 Command Purpose ipv6 dhcp server [poolname | automatic] [rapid-commit] [preference value] [allow-hint] Enable the DHCPv6 server function on an interface. • poolname—(Optional) User-defined name for the IPv6 DHCP pool. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0).
  • Page 947: Enabling The Dhcpv6 Client Function

    Configuring IPv6 Unicast Routing Configuring IPv6 Switch# configure terminal Switch(config)# ipv6 dhcp pool 350 Switch(config-dhcpv6)# address prefix 2001:1005::0/48 Switch(config-dhcpv6)# vendor-specific 9 Switch(config-dhcpv6-vs)# suboption 1 address 1000:235D::1 Switch(config-dhcpv6-vs)# suboption 2 ascii "IP-Phone" Switch(config-dhcpv6-vs)# end Enabling the DHCPv6 Client Function BEFORE YOU BEGIN DHCPv6 Address Assignment Configuration Guidelines, page 940.
  • Page 948: Configuring Cef For Ipv6

    Configuring CEF for IPv6 Cisco Express Forwarding (CEF) is a Layer 3 IP switching technology, allowing more CPU processing power to be dedicated to packet forwarding. IPv4 CEF is enabled by default. IPv6 CEF is disabled by default, but automatically enabled when you configure IPv6 routing.
  • Page 949 Configuring IPv6 Unicast Routing Configuring IPv6 DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ipv6 route ipv6-prefix/prefix length {ipv6-address | interface-id [ipv6-address]} [administrative distance] Configure a static IPv6 route. • ipv6-prefix—The IPv6 network that is the destination of the static route. It can also be a hostname when static host routes are configured.
  • Page 950: Configuring Rip For Ipv6

    To remove a configured static route, use the no ipv6 route ipv6-prefix/prefix length {ipv6-address | interface-id [ipv6-address]} [administrative distance] global configuration command. For more information about configuring static IPv6 routing, see the “Implementing Static Routes for IPv6” chapter in the IPv6 Implementation Guide, Cisco IOS Release 15.2M&T. EXAMPLE This example shows how to configure a floating static route to an interface.
  • Page 951 Implementation Guide, Cisco IOS Release 15.2M&T. EXAMPLE This example shows how to enable the RIP routing process cisco with a maximum of eight equal-cost routes and to enable it on an interface: Switch(config)# ipv6 router rip cisco Switch(config-router)# maximum-paths 8...
  • Page 952: Configuring Ospf For Ipv6

    Configuring IPv6 Unicast Routing Configuring IPv6 Switch(config-if)# ipv6 rip cisco enable Configuring OSPF for IPv6 You can customize OSPF for IPv6 for your network. However, the defaults are set to meet the requirements of most customers and features. Be careful when changing the defaults for IPv6 commands. Doing so might adversely affect OSPF for the IPv6 network.
  • Page 953 Configuring IPv6 Unicast Routing Configuring IPv6 DETAILED STEPS Command Purpose configure terminal Enter global configuration mode. ipv6 router ospf process-id Enable OSPF router configuration mode for the process. The process ID is the number assigned administratively when enabling the OSPF for IPv6 routing process. It is locally assigned and can be a positive integer from 1 to 65535.
  • Page 954: Configuring Eigrp For Ipv6

    For more information about configuring OSPF routing for IPv6, see the “Implementing OSPF for IPv6” chapter in the IPv6 Implementation Guide, Cisco IOS Release 15.2M&T. Configuring EIGRP for IPv6 By default, EIGRP for IPv6 is disabled. You can configure EIGRP for IPv6 on an interface. After configuring the router and the interface for EIGRP, enter the no shutdown privileged EXEC command to start EIGRP.
  • Page 955 (Optional) Save your entries in the configuration file. For more configuration procedures, see the “Implementing Multiprotocol BGP for IPv6” chapter in the IPv6 Implementation Guide, Cisco IOS Release 15.2M&T. The switch does not support multicast IPv6 BGP, nonstop forwarding (NSF) for IPv6 BGP, 6PE multipath (EoMPLS), or IPv6 VRF.
  • Page 956 Configuring IPv6 Unicast Routing Configuring IPv6 network 2010:AB8:2::/48 network 2010:AB8:3::/48 exit-address-family...
  • Page 957 Display BGP IPv6 configuration and routing tables. show ipv6 access-list Display IPv6 access lists. show ipv6 cef Display Cisco Express Forwarding for IPv6. show ipv6 interface interface-id Display IPv6 interface status and configuration. show ipv6 mtu Display IPv6 MTU per destination cache.
  • Page 958 Configuring IPv6 Unicast Routing Configuration Example IPv6 is enabled, link-local address is FE80::20B:46FF:FE2F:D940 Global unicast address(es): 3FFE:C000:0:1:20B:46FF:FE2F:D940, subnet is 3FFE:C000:0:1::/64 [EUI] Joined group address(es): FF02::1 FF02::2 FF02::1:FF2F:D940 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds...
  • Page 959 Configuring IPv6 Unicast Routing Configuration Example RIP process "fer", port 521, multicast-group FF02::9, pid 190 Administrative distance is 120. Maximum paths is 16 Updates every 30 seconds, expire after 180 Holddown lasts 0 seconds, garbage collect after 120 Split horizon is on; poison reverse is off Default routes are not generated Periodic updates 9040, trigger updates 60 Interfaces:...
  • Page 960 Sent: 26749 output TCP statistics: Rcvd: 0 input, 0 checksum errors Sent: 0 output, 0 retransmitted Related Documents For information about how Cisco Systems implements IPv6: • http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html For information about IPv6 and other features in this chapter: • IPv6 Configuration Library, Cisco IOS Release 15M&T ...
  • Page 961 Unicast Overview This document describes how to configure unicast routing on the Cisco Industrial Ethernet Switches, hereafter referred to as switch. To use unicast routing, the switch must be running the IP services image. This chapter provides an overview of the following unicast routing features: ...
  • Page 962 Unicast Overview Enhanced Object Tracking Enhanced Object Tracking Enhanced object tracking on the switch provides a more complete alternative to the Hot Standby Routing Protocol (HSRP) tracking mechanism, which allows you to track the line-protocol state of an interface. If the line protocol state of an interface goes down, the HSRP priority of the interface is reduced and another HSRP device with a higher priority becomes active.
  • Page 963 Information About Configuring Cisco IOS IP SLAs Operations This chapter describes how to use Cisco IOS IP Service Level Agreements (SLAs) on the switch. Cisco IP SLAs is a part of Cisco IOS software that allows Cisco customers to analyze IP service levels for IP applications and services by using active traffic monitoring—the generation of traffic in a continuous, reliable, and predictable manner—for measuring...
  • Page 964 • Server or website download time Because Cisco IOS IP SLAs is SNMP-accessible, it can also be used by performance-monitoring applications like CiscoWorks Internetwork Performance Monitor (IPM) and other third-party Cisco partner performance management products. Using IP SLAs can provide these benefits: ...
  • Page 965: Ip Slas Responder And Ip Slas Control Protocol

    The responder uses the Cisco IOS IP SLAs Control Protocol to provide a mechanism through which it can be notified on which port it should listen and respond. Only a Cisco IOS device can be a source for a destination IP SLAs Responder.
  • Page 966: Response Time Computation For Ip Slas

    You can schedule several IP SLAs operations on a switch running the IP services image by using a single command through the Cisco IOS CLI or the CISCO RTTMON-MIB. Scheduling the operations to run at evenly distributed times allows you to control the amount of IP SLAs monitoring traffic. This distribution of IP SLAs operations helps minimize the CPU utilization and thus improves network scalability.
  • Page 967 Configuring Cisco IOS IP SLAs Operations Information About Configuring Cisco IOS IP SLAs Operations • Average jitter threshold • One-way packet loss • One-way jitter • One-way mean opinion score (MOS) • One-way latency An IP SLAs threshold violation can also trigger another IP SLAs operation for further analysis. For example, the frequency could be increased or an ICMP path echo or ICMP path jitter operation could be initiated for troubleshooting.
  • Page 968: Configuring The Ip Slas Responder

    IP Service Levels by Using the ICMP Echo Operation The ICMP echo operation measures end-to-end response time between a Cisco device and any devices using IP. Response time is computed by measuring the time taken between sending an ICMP echo request message to the destination and receiving an ICMP echo reply.
  • Page 969 Configuring Cisco IOS IP SLAs Operations How to Configure Cisco IOS IP SLAs Operations Command Purpose configure terminal Enters global configuration mode. ip sla operation-number Creates an IP SLAs operation, and enters IP SLAs configuration mode. udp-jitter {destination-ip-address | destination-hostname} Configures the IP SLAs operation as a UDP jitter operation, and enters UDP jitter configuration mode.
  • Page 970: Analyzing Ip Service Levels By Using The Icmp Echo Operation

    Configuring Cisco IOS IP SLAs Operations How to Configure Cisco IOS IP SLAs Operations Command Purpose exit Exits UDP jitter configuration mode, and returns to global configuration mode. ip sla schedule operation-number Configures the scheduling parameters for an individual IP SLAs operation.
  • Page 971 Monitoring and Maintaining Cisco IP SLAs Operations Command Purpose show ip sla application Displays global information about Cisco IOS IP SLAs. show ip sla authentication Displays IP SLAs authentication information. show ip sla configuration [entry-number] Displays configuration values including all defaults for all IP SLAs operations or a specific operation.
  • Page 972 Configuring Cisco IOS IP SLAs Operations Configuration Examples for Configuring Cisco IP SLAs Operations Command Purpose show ip sla mpls-lsp-monitor {collection-statistics | configuration | ldp operational-state | scan-queue | summary [entry-number] | neighbors} Displays MPLS label switched path (LSP) Health Monitor operations...
  • Page 973 Configuring Cisco IOS IP SLAs Operations Configuration Examples for Configuring Cisco IP SLAs Operations Number of history Lives kept: 0 Number of history Buckets kept: 15 History Filter Type: None Enhanced History: Sample Output for Show IP SLA Command: Example...
  • Page 974 Configuring Cisco IOS IP SLAs Operations Additional References Entry number: 10 Owner: Tag: Type of operation to perform: udp-jitter Target address/Source address: 1.1.1.1/0.0.0.0 Target port/Source port: 2/0 Request size (ARR data portion): 32 Operation timeout (milliseconds): 5000 Packet Interval (milliseconds)/Number of packets: 20/10...
  • Page 975 MIBs MIBs MIBs Link — To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml RFCs...
  • Page 976 Configuring Cisco IOS IP SLAs Operations Additional References...
  • Page 977: Dying Gasp

    Dying Gasp This chapter describes the Dying-Gasp feature for the Cisco Industrial Ethernet series switches. Dying Gasp resides on a hardware component on the High-performance WAN Interface Card (HWIC) and supports Gigabit Ethernet interfaces. The networking devices rely on a temporary back-up power supply on a capacitor that allows for a graceful shutdown and the generation of the dying-gasp message.
  • Page 978 Dying Gasp...
  • Page 979: Understanding Enhanced Object Tracking

    Tracking Interface Line-Protocol or IP Routing State, page 976 • Configuring a Tracked List, page 977 • Configuring HSRP Object Tracking, page 980 • Configuring Other Tracking Characteristics, page 981 • Configuring IP SLAs Object Tracking, page 981 Cisco Systems, Inc. www.cisco.com...
  • Page 980 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features • Configuring Static Routing Support, page 983 Default Configuration No type of object tracking is configured. Tracking Interface Line-Protocol or IP Routing State You can track either the interface line protocol state or the interface IP routing state. When you track the IP routing state, these three conditions are required for the object to be up: ...
  • Page 981: Configuring A Tracked List

    Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Interface GigabitEthernet1/17 line-protocol Line protocol is Down (hw down) 1 change, last change 00:18:28 Configuring a Tracked List You can configure a tracked list of objects with a Boolean expression, a weight threshold, or a percentage threshold. A tracked list contains one or more objects.
  • Page 982: Configuring A Tracked List With A Weight Threshold

    Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features This example configures track list 4 with a Boolean AND expression that contains two objects with one object state negated. If the list is up, the list detects that object 2 is down: Switch(config)# track 4 list boolean and Switch(config-track)# object 1 Switch(config-track)# object 2 not...
  • Page 983: Configuring A Tracked List With A Percentage Threshold

    Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Switch(config-track)# threshold weight up 30 down 10 Switch(config-track)# exit This configuration can be useful if object 1 and object 2 represent two small bandwidth connections and object 3 represents one large bandwidth connection. The configured down 10 value means that once the tracked object is up, it will not go down until the threshold value is equal to or lower than 10, which in this example means that all connections are down.
  • Page 984: Configuring Hsrp Object Tracking

    Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Configuring HSRP Object Tracking Beginning in privileged EXEC mode, follow these steps to configure a standby HSRP group to track an object and change the HSRP priority based on the object state: Command Purpose configure terminal...
  • Page 985: Configuring Other Tracking Characteristics

    Cisco IP SLAs operations collect real-time metrics that you can use for network troubleshooting, design, and analysis. For IP SLAs command information, see the Cisco IOS IP SLAs Command Reference Guide, Release 12.4T at this URL: http://www.cisco.com/en/US/docs/ios/ipsla/configuration/guide/12_4t/sla_12_4t_book.html Object tracking of IP SLAs operations allows clients to track the output from IP SLAs objects and use this information to trigger an action.
  • Page 986 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Beginning in privileged EXEC mode, follow these steps to track the state of an IP SLAs operation or the reachability of an IP SLAs IP host: Command Purpose configure terminal Enter global configuration mode. track object-number rtr Enter tracking configuration mode to track the state of an IP SLAs operation.
  • Page 987: Configuring Static Routing Support

    DHCP route goes down. When tracking is enabled, the system tracks the state of the route and informs the client when that state changes. Static route object tracking uses Cisco IP SLAs to generate ICMP pings to monitor the state of the connection to the primary gateway.
  • Page 988: Configuring A Cisco Ip Slas Monitoring Agent And Track Object

    Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Configuring a Cisco IP SLAs Monitoring Agent and Track Object Beginning in privileged EXEC mode, follow these steps to configure network monitoring with Cisco IP SLAs: configure terminal Enter global configuration mode.
  • Page 989: Monitoring Enhanced Object Tracking

    Display information about the IP route track table. copy running-config startup-config (Optional) Save your entries in the configuration file. For configuration examples, see this URL: http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html Monitoring Enhanced Object Tracking Use the following privileged EXEC or User EXEC commands to display enhanced object tracking information. Command...
  • Page 990 Configuring Enhanced Object Tracking Monitoring Enhanced Object Tracking...
  • Page 991 Use Modicon Communication Bus (MODBUS) TCP over an Ethernet network when connecting the switch to devices such as intelligent electronic devices (IEDs), distributed controllers, substation routers, Cisco IP Phones, Cisco Wireless Access Points, and other network devices such as redundant substation switches.
  • Page 992 Configuring MODBUS TCP Configuring the Switch as the MODBUS TCP Server access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 502 Multiple Request Messages The switch can receive multiple request messages from clients and respond to them simultaneously. You can set the number of client connections from 1 to 5. The default is 1. Configuring the Switch as the MODBUS TCP Server ...
  • Page 993 Configuring MODBUS TCP Displaying MODBUS TCP Information To add security when using MODBUS TCP, configure an ACL to permit traffic from specific clients or configure QoS to rate-limit traffic. Displaying MODBUS TCP Information Command Purpose show scada modbus tcp server Displays the server information and statistics.
  • Page 994 Configuring MODBUS TCP Displaying MODBUS TCP Information...
  • Page 995 Ethernet CFM Cisco Industrial Ethernet switches support Ethernet CFM. Ethernet CFM is an end-to-end per-service-instance (per VLAN) Ethernet layer OAM protocol that includes proactive connectivity monitoring, fault verification, and fault isolation. End-to-end can be provider-edge-to-provider-edge (PE-to-PE) device or customer-edge-to-customer-edge (CE-to-CE) device. Ethernet CFM, as specified by 802.1ag, is the standard for Layer 2 ping, Layer 2 traceroute, and end-to-end connectivity check of the Ethernet network.
  • Page 996 Ethernet CFM...
  • Page 997: Working With The Flash File System

    The switch has a removable compact flash card that stores the Cisco IOS software image and configuration files. Removing the compact flash card does not interrupt switch operation unless you need to reload the Cisco IOS software. However, if you remove the compact flash card, you do not have access to the flash file system, and any attempt to access it generates an error message.
  • Page 998 Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System network scp: network https: opaque cns: Switch# Detecting an Unsupported SD Flash Memory Card When the switch starts and detects an unsupported Secure Digital (SD) flash memory card, or when you insert an unsupported SD flash memory card while the switch is running, the following warning message is displayed: WARNING: Non-IT SD flash detected.
  • Page 999: Sd Flash Memory Card Led

    Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System SD Flash Memory Card LED Color System Status Off / blinking green SD flash memory card transfer in progress. Slow blinking amber SD flash memory card is unsupported.
  • Page 1000: Displaying Information About Files On A File System

    Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System privileged EXEC command. You can set the default file system to omit the filesystem: argument from related commands. For example, for all privileged EXEC commands that have the optional filesystem: argument, the system uses the file system specified by the cd command.

This manual is also suitable for: IE-5000, IE-4010