Cisco WS-C3560-48PS-S Software Configuration Manual

Software configuration guide
Catalyst 3560 Switch
Software Configuration Guide
Cisco IOS Release 12.1(19)EA1
January 2004
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7816156=
Text Part Number: 78-16156-01

Summary of Contents for Cisco WS-C3560-48PS-S

  • Page 1 Catalyst 3560 Switch Software Configuration Guide Cisco IOS Release 12.1(19)EA1 January 2004 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7816156= Text Part Number: 78-16156-01...
  • Page 2 CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE,...
  • Page 3: Table Of Contents

    Documentation CD-ROM xxxvi Ordering Documentation xxxvi Documentation Feedback xxxvi Obtaining Technical Assistance xxxvi Cisco TAC Website xxxvii Opening a TAC Case xxxvii TAC Case Priority Definitions xxxvii Obtaining Additional Publications and Information xxxviii Overview Chapter...
  • Page 4 Contents Using Command History Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features Enabling and Disabling Editing Features Editing Commands through Keystrokes Editing Command Lines that Wrap Searching and Filtering Output of show and more Commands Accessing the CLI Accessing the CLI through a Console Connection or through Telnet Accessing the CLI from a Browser...
  • Page 5 Contents Displaying CMS 3-11 Launching CMS 3-11 Front Panel View 3-14 Topology View 3-15 CMS Icons 3-16 Where to Go Next 3-16 Assigning the Switch IP Address and Default Gateway Chapter Understanding the Boot Process Assigning Switch Information Default Switch Information Understanding DHCP-Based Autoconfiguration...
  • Page 6 Contents Clustering Switches Chapter Understanding Switch Clusters Cluster Command Switch Characteristics Standby Cluster Command Switch Characteristics Candidate Switch and Cluster Member Switch Characteristics Planning a Switch Cluster Automatic Discovery of Cluster Candidates and Members Discovery Through CDP Hops Discovery Through Non-CDP-Capable and Noncluster-Capable Devices Discovery Through Different VLANs...
  • Page 7 Contents Administering the Switch Chapter Managing the System Time and Date Understanding the System Clock Understanding Network Time Protocol Configuring NTP Default NTP Configuration Configuring NTP Authentication Configuring NTP Associations Configuring NTP Broadcast Service Configuring NTP Access Restrictions Configuring the Source IP Address for NTP Packets 6-10...
  • Page 8 Contents Adding and Removing Static Address Entries 6-25 Configuring Unicast MAC Address Filtering 6-26 Displaying Address Table Entries 6-28 Managing the ARP Table 6-28 Configuring SDM Templates Chapter Understanding the SDM Templates Configuring the Switch SDM Template Default SDM Template SDM Template Configuration Guidelines Setting the SDM Template...
  • Page 9 Contents Controlling Switch Access with RADIUS 8-18 Understanding RADIUS 8-18 RADIUS Operation 8-19 Configuring RADIUS 8-20 Default RADIUS Configuration 8-20 Identifying the RADIUS Server Host 8-21 Configuring RADIUS Login Authentication 8-23 Defining AAA Server Groups 8-25 Configuring RADIUS Authorization for User Privileged Access and Network Services 8-27 Starting RADIUS Accounting 8-28...
  • Page 10 Contents Using 802.1X with Voice VLAN Ports Using 802.1X with VLAN Assignment Using 802.1X with Guest VLAN Using 802.1X with Per-User ACLs Configuring 802.1X Authentication Default 802.1X Configuration 9-10 802.1X Configuration Guidelines 9-11 Configuring 802.1X Authentication 9-11 Configuring the Switch-to-RADIUS-Server Communication 9-13 Configuring Periodic Re-Authentication 9-14...
  • Page 11 Contents Configuring IEEE 802.3X Flow Control 10-14 Configuring Auto-MDIX on an Interface 10-15 Configuring Power over Ethernet on an Interface 10-16 Adding a Description for an Interface 10-18 Configuring Layer 3 Interfaces 10-19 Configuring the System MTU 10-20 Monitoring and Maintaining the Interfaces 10-22 Monitoring Interface Status 10-22...
  • Page 12 Contents Configuring Extended-Range VLANs 12-12 Default VLAN Configuration 12-12 Extended-Range VLAN Configuration Guidelines 12-13 Creating an Extended-Range VLAN 12-14 Creating an Extended-Range VLAN with an Internal VLAN ID 12-15 Displaying VLANs 12-16 Configuring VLAN Trunks 12-16 Trunking Overview 12-16 Encapsulation Types 12-18 802.1Q Configuration Considerations 12-18...
  • Page 13 Configuring Voice VLAN 14-3 Default Voice VLAN Configuration 14-3 Voice VLAN Configuration Guidelines 14-3 Configuring a Port Connected to a Cisco 7960 IP Phone 14-4 Configuring IP Phone Voice Traffic 14-4 Configuring the Priority of Incoming Data Frames 14-5 Displaying Voice VLAN...
  • Page 14 Contents Configuring STP 15-1 Chapter Understanding Spanning-Tree Features 15-1 STP Overview 15-2 Spanning-Tree Topology and BPDUs 15-3 Bridge ID, Switch Priority, and Extended System ID 15-4 Spanning-Tree Interface States 15-4 Blocking State 15-6 Listening State 15-6 Learning State 15-6...
  • Page 15 Contents Configuring MSTP 16-1 Chapter Understanding MSTP 16-2 Multiple Spanning-Tree Regions 16-2 IST, CIST, and CST 16-3 Operations Within an MST Region 16-3 Operations Between MST Regions 16-4 Hop Count 16-5 Boundary Ports 16-5 Interoperability with 802.1D STP 16-5 Understanding RSTP...
  • Page 16 Contents Understanding UplinkFast 17-4 Understanding BackboneFast 17-5 Understanding Root Guard 17-7 Understanding Loop Guard 17-8 Configuring Optional Spanning-Tree Features 17-9 Default Optional Spanning-Tree Configuration 17-9 Optional Spanning-Tree Configuration Guidelines 17-9 Enabling Port Fast 17-10 Enabling BPDU Guard 17-11 Enabling BPDU Filtering 17-12 Enabling UplinkFast for Use with Redundant Links 17-13...
  • Page 17 Contents Configuring a Multicast Router Port 19-9 Configuring a Host Statically to Join a Group 19-10 Enabling IGMP Immediate-Leave Processing 19-10 Disabling IGMP Report Suppression 19-11 Displaying IGMP Snooping Information 19-12 Understanding Multicast VLAN Registration 19-13 Using MVR in a Multicast Television Application 19-14 Configuring MVR 19-15...
  • Page 18 Contents Configuration Guidelines 20-10 Enabling and Configuring Port Security 20-11 Enabling and Configuring Port Security Aging 20-14 Displaying Port-Based Traffic Control Settings 20-15 Configuring CDP 21-1 Chapter Understanding CDP 21-1 Configuring CDP 21-2 Default CDP Configuration 21-2 Configuring the CDP Characteristics 21-2...
  • Page 19 Contents Destination Port 23-7 RSPAN VLAN 23-8 SPAN and RSPAN Interaction with Other Features 23-8 Configuring SPAN and RSPAN 23-9 Default SPAN and RSPAN Configuration 23-9 Configuring Local SPAN 23-10 SPAN Configuration Guidelines 23-10 Creating a Local SPAN Session 23-11 Creating a Local SPAN Session and Configuring Ingress Traffic 23-13 Specifying VLANs to Filter...
  • Page 20 Contents Limiting Syslog Messages Sent to the History Table and to SNMP 25-9 Configuring UNIX Syslog Servers 25-10 Logging Messages to a UNIX Syslog Daemon 25-10 Configuring the UNIX System Logging Facility 25-11 Displaying the Logging Configuration 25-12 Configuring SNMP 26-1 Chapter Understanding SNMP...
  • Page 21 Contents Creating Named Standard and Extended ACLs 27-14 Using Time Ranges with ACLs 27-16 Including Comments in ACLs 27-18 Applying an IP ACL to a Terminal Line 27-18 Applying an IP ACL to an Interface 27-19 Hardware and Software Treatment of IP ACLs 27-21 IP ACL Configuration Examples 27-21...
  • Page 22 Contents Mapping Tables 28-10 Queueing and Scheduling Overview 28-11 Weighted Tail Drop 28-11 SRR Shaping and Sharing 28-12 Queueing and Scheduling on Ingress Queues 28-13 Queueing and Scheduling on Egress Queues 28-15 Packet Modification 28-17 Configuring Auto-QoS 28-18 Generated Auto-QoS Configuration 28-18 Effects of Auto-QoS on the Configuration 28-22...
  • Page 23 Contents Configuring Ingress Queue Characteristics 28-52 Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds 28-53 Allocating Buffer Space Between the Ingress Queues 28-54 Allocating Bandwidth Between the Ingress Queues 28-55 Configuring the Ingress Priority Queue 28-56 Configuring Egress Queue Characteristics 28-57...
  • Page 24 Contents Configuring IP Unicast Routing 30-1 Chapter Understanding IP Routing 30-2 Types of Routing 30-2 Steps for Configuring Routing 30-3 Configuring IP Addressing 30-4 Default Addressing Configuration 30-4 Assigning IP Addresses to Network Interfaces 30-5 Use of Subnet Zero 30-6...
  • Page 25 Configuring BGP Route Reflectors 30-60 Configuring Route Dampening 30-61 Monitoring and Maintaining BGP 30-62 Configuring Protocol-Independent Features 30-63 Configuring Cisco Express Forwarding 30-63 Configuring the Number of Equal-Cost Routing Paths 30-64 Configuring Static Unicast Routes 30-65 Specifying Default Routes and Networks 30-66...
  • Page 26 Configuring HSRP Groups and Clustering 31-9 Displaying HSRP Configurations 31-10 Configuring IP Multicast Routing 32-1 Chapter Understanding Cisco’s Implementation of IP Multicast Routing 32-2 Understanding IGMP 32-2 IGMP Version 1 32-3 IGMP Version 2...
  • Page 27 Contents Configuring a Rendezvous Point 32-11 Manually Assigning an RP to Multicast Groups 32-11 Configuring Auto-RP 32-13 Configuring PIMv2 BSR 32-17 Using Auto-RP and a BSR 32-21 Monitoring the RP Mapping Information 32-22 Troubleshooting PIMv1 and PIMv2 Interoperability Problems 32-22 Configuring Advanced PIM Features 32-22 Understanding PIM Shared Tree and Source Tree...
  • Page 28 Contents Disabling DVMRP Autosummarization 32-48 Adding a Metric Offset to the DVMRP Route 32-48 Monitoring and Maintaining IP Multicast Routing 32-49 Clearing Caches, Tables, and Databases 32-50 Displaying System and Network Statistics 32-50 Monitoring IP Multicast Routing 32-51 Configuring MSDP 33-1 Chapter Understanding MSDP...
  • Page 29 Contents Adjusting BPDU Intervals 34-8 Disabling the Spanning Tree on an Interface 34-10 Monitoring and Maintaining Fallback Bridging 34-10 Troubleshooting 35-1 Chapter Recovering from Corrupted Software By Using the XMODEM Protocol 35-2 Recovering from a Lost or Forgotten Password 35-4 Procedure with Password Recovery Enabled 35-5...
  • Page 30 Appendix MIB List Using FTP to Access the MIB Files Working with the Cisco IOS File System, Configuration Files, and Software Images Appendix Working with the Flash File System...
  • Page 31 Working with Software Images B-20 Image Location on the Switch B-20 tar File Format of Images on a Server or Cisco.com B-21 Copying Image Files By Using TFTP B-22 Preparing to Download or Upload an Image File By Using TFTP...
  • Page 32 Contents IP Multicast Routing Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands IP Unicast Routing Unsupported Privileged EXEC or User EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands Unsupported BGP Router Configuration Commands Unsupported VPN Configuration Commands Unsupported Route Map Commands MSDP Unsupported Privileged EXEC Commands...
  • Page 33 This guide is for the networking professional managing the Catalyst 3560 switch, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
  • Page 34 Preface Conventions Conventions This publication uses these conventions to convey instructions and information: Command descriptions use these conventions: • Commands and keywords are in boldface text. • Arguments for which you supply values are in italic. • Square brackets ([ ]) mean optional elements. ...
  • Page 35: Related Publications

    For upgrading information, refer to the “Downloading Software” section in the release notes. • You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Ordering Documentation” section on page xxxvi.
  • Page 36: Ordering Documentation

    Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.
  • Page 37 The Cisco TAC website is located at this URL: http://www.cisco.com/tac Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL: http://tools.cisco.com/RPF/register/register.do...
  • Page 38: Obtaining Additional Publications And Information

    Information about Cisco products, technologies, and network solutions is available from various online and printed sources. • The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL: http://www.cisco.com/en/US/products/products_catalog_links_launch.html Cisco Press publishes a wide range of general networking, training and certification titles.
  • Page 39: Features

    Some features noted in this chapter are available only on the cryptographic (that is, supports encryption) versions of the SMI and EMI. You must obtain authorization to use this feature and to download the cryptographic version of the software from Cisco.com. For more information, refer to the release notes for this release.
  • Page 40: Chapter 1 Overview

    Chapter 1 Overview Features The Catalyst 3560 switches have these features: • Ease-of-Use and Ease-of-Deployment Features, page 1-2 • Performance Features, page 1-3 • Management Options, page 1-4 • Manageability Features, page 1-4 (includes a feature requiring the cryptographic [that is, supports ...
  • Page 41 Port blocking on forwarding unknown Layer 2 unicast, multicast, and bridged broadcast traffic • Cisco Group Management Protocol (CGMP) server support and Internet Group Management Protocol (IGMP) snooping for IGMP versions 1, 2, and 3: – (For CGMP devices) CGMP for limiting multicast traffic to specified end stations and reducing overall network traffic –...
  • Page 42 • Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source • Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses • In-band management access through CMS over a Netscape Communicator or Microsoft Internet Explorer browser session •...
  • Page 43 • Equal-cost routing for link-level and switch-level redundancy • RPS support through the Cisco RPS 300 and Cisco RPS 675 for enhancing power reliability VLAN Features • Support for up to 1005 VLANs for assigning users to VLANs associated with appropriate network ...
  • Page 44 • VLAN Trunking Protocol (VTP) and VTP pruning for reducing network traffic by restricting flooded traffic to links destined for stations receiving the traffic • Voice VLAN for creating subnets for voice traffic from Cisco IP Phones • VLAN1 minimization for reducing the risk of spanning-tree loops or storms by allowing VLAN 1 ...
  • Page 45 Trusted port states (CoS, DSCP, and IP precedence) within a QoS domain and with a port bordering another QoS domain – Trusted boundary for detecting the presence of a Cisco IP phone, trusting the CoS value received, and ensuring port security •...
  • Page 46 Power over Ethernet (PoE) Features • Ability to provide power to connected Cisco pre-standard and IEEE 802.3af-compliant powered devices from all 10/100 Ethernet ports if the switch senses that there is no power on the circuit • 24-port PoE switch provides 15.4 W of power on each 10/100 port; 48-port PoE switch provides ...
  • Page 47: Default Settings After Initial Switch Configuration

    Chapter 1 Overview Default Settings After Initial Switch Configuration Monitoring Features • Switch LEDs that provide port- and switch-level status • MAC address notification traps and RADIUS accounting for tracking users on a network by storing the MAC addresses that the switch has learned or removed • Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) for traffic monitoring on any port or ...
  • Page 48 Chapter 1 Overview Default Settings After Initial Switch Configuration Table 1-1 Default Settings After Initial Switch Configuration (continued) Feature Default Setting More information in... Port parameters Operating mode Layer 2 (switchport) Chapter 10, “Configuring Interface Characteristics” Interface speed and duplex mode Autonegotiate Auto-MDIX Disabled...
  • Page 49: Network Configuration Examples

    Chapter 1 Overview Network Configuration Examples Table 1-1 Default Settings After Initial Switch Configuration (continued) Feature Default Setting More information in... RMON Disabled Chapter 24, “Configuring RMON” Syslog messages Enabled; displayed on the console Chapter 25, “Configuring System Message Logging” SNMP Enabled;...
  • Page 50 Chapter 1 Overview Network Configuration Examples Table 1-2 Increasing Network Performance Network Demands: Too many users on a single network segment and a growing number of users accessing the Internet. Suggested Design Methods: • Create smaller network segments so that fewer users share the bandwidth, and use VLANs and IP subnets to place the network resources in the same logical network as the users who access those resources most.
  • Page 51: Small To Medium-Sized Network Using Catalyst 3560 Switches

    Data and multimedia traffic are configured on the same VLAN. Voice traffic from the Cisco IP Phones is configured on separate VVIDs. If data, multimedia, and voice traffic are assigned to the same VLAN, only one VLAN can be configured per wiring closet.
  • Page 52: Large Network Using Catalyst 3560 Switches

    Cisco CallManager controls call processing, routing, and IP phone features and configuration. Users with workstations running Cisco SoftPhone software can place, receive, and control calls from their PCs. Using Cisco IP Phones, Cisco CallManager software, and Cisco SoftPhone software integrates telephony and IP networks, and the IP network supports both voice and data.
  • Page 53 The routers and backbone switches have HSRP enabled for load balancing and redundant connectivity to guarantee mission-critical traffic. Figure 1-2 Catalyst 3560 Switches in Wiring Closets in a Backbone Configuration (figure showing Cisco 7x00 routers, Catalyst 6500 multilayer switches, and IEEE 802.3af-compliant devices)...
  • Page 54: Long-Distance, High-Bandwidth Transport Configuration

    The CWDM OADM modules on the receiving end separate (or demultiplex) the different wavelengths. For more information about the CWDM SFP modules and CWDM OADM modules, refer to the Cisco CWDM GBIC and CWDM SFP Installation Note. Figure 1-3...
  • Page 55: Understanding Command Modes

    Chapter Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Catalyst 3560 switch. It contains these sections: • Understanding Command Modes, page 2-1 ...
  • Page 56: Chapter 2 Using The Command-Line Interface

    Chapter 2 Using the Command-Line Interface Understanding Command Modes Table 2-1 Command Mode Summary (columns: Mode, Access Method, Prompt, Exit Method, About This Mode) User EXEC: Access Method: Begin a session with your switch. Prompt: Switch> Exit Method: Enter logout or quit. About This Mode: Use this mode to change terminal settings...
  • Page 57: Understanding The Help System

    Chapter 2 Using the Command-Line Interface Understanding the Help System Understanding the Help System You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 2-2.
  • Page 58: Understanding No And Default Forms Of Commands

    Chapter 2 Using the Command-Line Interface Understanding no and default Forms of Commands Understanding no and default Forms of Commands Almost every configuration command also has a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface.
  • Page 59: Changing The Command History Buffer Size

    Chapter 2 Using the Command-Line Interface Using Command History Changing the Command History Buffer Size By default, the switch records ten command lines in its history buffer. You can alter this number for a current terminal session or for all sessions on a particular line. These procedures are optional. Beginning in privileged EXEC mode, enter this command to change the number of command lines that the switch records during the current terminal session: Switch# terminal history...
  • Page 60: Using Editing Features

    Chapter 2 Using the Command-Line Interface Using Editing Features Using Editing Features This section describes the editing features that can help you manipulate the command line. It contains these sections: • Enabling and Disabling Editing Features, page 2-6 (optional) • Editing Commands through Keystrokes, page 2-6 (optional) • Editing Command Lines that Wrap, page 2-8...
  • Page 61 Chapter 2 Using the Command-Line Interface Using Editing Features Table 2-5 Editing Commands through Keystrokes (continued) Capability Keystroke Purpose Press Esc Y. Recall the next buffer entry. The buffer contains only the last 10 items that you have deleted or cut. If you press Esc Y more than ten times, you cycle to the first buffer entry.
  • Page 62: Editing Command Lines That Wrap

    Chapter 2 Using the Command-Line Interface Searching and Filtering Output of show and more Commands Editing Command Lines that Wrap You can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command.
  • Page 63: Accessing The CLI

    Step 2 In the URL field, enter the IP address of the switch or, if clustering, the command switch. Step 3 When the Cisco Systems Access page appears, click Telnet to start a Telnet session. Step 4 Enter the switch password.
  • Page 64 Access page. You can access the CLI by clicking Web Console - HTML access to the command line interface from a cached copy of the Cisco Systems Access page. To prevent unauthorized access to the CLI or to the Cluster Management Suite (CMS), exit your browser to end the browser session.
  • Page 65: Chapter 3 Getting Started With CMS

    Chapter Getting Started with CMS This chapter contains these sections that describe the Cluster Management Suite (CMS) on the Catalyst 3560 switch: • “Understanding CMS” section on page 3-1 • “Configuring CMS” section on page 3-8 • “Displaying CMS”...
  • Page 66: Front Panel View

    Chapter 3 Getting Started with CMS Understanding CMS Front Panel View The Front Panel view displays the Front Panel image of a specific set of switches in a cluster. From this view, you can select multiple ports or multiple switches and configure them with the same settings. For more information, see the “Displaying CMS”...
  • Page 67 Chapter 3 Getting Started with CMS Understanding CMS • The toolbar provides buttons for commonly used switch and cluster configuration options and information windows such as legends and online help. Table 3-1 lists the toolbar options from left to right on the toolbar. Table 3-1 Toolbar Buttons Toolbar Option...
  • Page 68 Chapter 3 Getting Started with CMS Understanding CMS • The feature bar shows the features available for the devices in your cluster. By default, the feature bar is in standard mode. In this mode, the feature bar is always visible, and you can reduce or increase the width of the feature bar.
  • Page 69: Online Help

    You can send us feedback about the information provided in the online help. Click Feedback to display an online form. After completing the form, click Submit to send your comments to Cisco Systems Inc. We appreciate and value your comments.
  • Page 70: Expert Mode

    Chapter 3 Getting Started with CMS Understanding CMS Figure 3-3 Guide Mode and Wizards Guide mode icon Wizards Guide mode is not available if your switch access level is read-only. For more information about the read-only access mode, see the “Privilege Levels”...
  • Page 71: Privilege Levels

    If your cluster has these member switches running earlier software releases and if you have read-only access to these member switches, some configuration windows for those switches display incomplete information: Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 • or earlier Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier...
  • Page 72: Configuring CMS

    Chapter 3 Getting Started with CMS Configuring CMS Configuring CMS This section contains these topics that describe the requirements and configuration information for CMS: • “CMS Requirements” section on page 3-8 • “Cross-Platform Considerations” section on page 3-10 • “Launching CMS” section on page 3-11 ...
  • Page 73: Operating System And Browser Support

    For Solaris, Java plug-in 1.4.1 is required to run CMS. You can download the Java plug-in and installation instructions from this URL: http://www.cisco.com/pcgi-bin/tablebuild.pl/java On Solaris platforms, follow the instructions in the README_FIRST.txt file to install the Java plug-in. You need to close and restart your browser after installing a Java plug-in.
  • Page 74: Cross-Platform Considerations

    • CMS on the Catalyst 1900 and Catalyst 2820 switches is referred to as Switch Manager. Cluster management options are not available on these switches. This is the earliest version of CMS. Refer to the documentation specific to the switch and its Cisco IOS release for descriptions of the CMS version. HTTP Access to CMS...
  • Page 75: Displaying CMS

    • enable—Enable password, which is the default method of HTTP server user authentication. • local—Local user database as defined on the Cisco router or access server is used. • tacacs—TACACS server is used. Step 3 Return to privileged EXEC mode.
  • Page 76 • Tools—Accesses diagnostic and monitoring tools, such as Telnet, Extended Ping, and the show interfaces privileged EXEC command • Help Resources—Provides links to the Cisco website, technical documentation, and the Cisco Technical Assistance Center (TAC) Step 3 Click Cluster Management Suite to launch the CMS interface. The CMS Startup Report runs and verifies that your PC or workstation can correctly run CMS.
  • Page 77 Chapter 3 Getting Started with CMS Displaying CMS Figure 3-5 CMS Startup Report The CMS Startup Report has links that instruct you how to correctly configure your PC or workstation. If the CMS Startup Report appears, click the links, and follow the instructions to configure your PC or workstation.
  • Page 78: Front Panel View

    Chapter 3 Getting Started with CMS Displaying CMS Front Panel View When CMS is launched from a noncommand switch, the Front Panel view displays by default, and the front-panel view displays only the front panel of the specific switch. When CMS is launched from a command switch, you can display the Front Panel view by clicking the Front Panel button on the tool bar, as shown in Figure 3-6.
  • Page 79: Topology View

    Chapter 3 Getting Started with CMS Displaying CMS Note Figure 3-7 shows a cluster with a Catalyst 3550 switch as the command switch. Refer to the release notes for a list of switches that can be members of a cluster with a Catalyst 3560 switch as the command switch.
  • Page 80: CMS Icons

    Chapter 3 Getting Started with CMS Where to Go Next Note Figure 3-8 shows multiple popup menus. Only one popup menu at a time appears in the CMS. The Topology view shows how the devices within a switch cluster are connected and how the switch cluster is connected to other clusters and devices.
  • Page 81: Chapter 4 Assigning The Switch IP Address And Default Gateway

    Chapter Assigning the Switch IP Address and Default Gateway This chapter describes how to create the initial switch configuration (for example, assigning the switch IP address and default gateway information) for the Catalyst 3560 switch by using a variety of automatic and manual methods.
  • Page 82: Assigning Switch Information

    For more information about the setup program, refer to the release notes on Cisco.com. Use a DHCP server for centralized control and automatic assignment of IP information after the server is configured.
  • Page 83: Default Switch Information

    Chapter 4 Assigning the Switch IP Address and Default Gateway Assigning Switch Information If you are an experienced user familiar with the switch configuration steps, manually configure the switch. Otherwise, use the setup program described earlier. This section contains this configuration information: •...
  • Page 84: DHCP Client Request Process

    Chapter 4 Assigning the Switch IP Address and Default Gateway Assigning Switch Information DHCP Client Request Process When you boot your switch, the DHCP client is invoked and automatically requests configuration information from a DHCP server when the configuration file is not present on the switch. Figure 4-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server.
  • Page 85: Configuring The DHCP Server

    Example Configuration, page 4-8 If your DHCP server is a Cisco device, or if you are configuring the switch as a DHCP server, refer to the “IP Addressing and Services” section in the Cisco IOS IP and IP Routing Configuration Guide for Cisco IOS Release 12.1 for additional information about configuring DHCP.
  • Page 86: Configuring The DNS

    TFTP packets. You must configure this relay device to forward received broadcast packets on an interface to the destination host. If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 87: Obtaining Configuration Files

    If the switch is acting as the relay device, configure the interface as a routed port. For more information, see the “Routed Ports” section on page 10-3 and the “Configuring Layer 3 Interfaces” section on page 10-19. Figure 4-2 Relay Device Used in Autoconfiguration (figure: a switch acting as DHCP client, a Cisco router acting as relay, and a DHCP server; the addresses shown are 10.0.0.1, 10.0.0.2, and 20.0.0.1 through 20.0.0.4)...
  • Page 88: Example Configuration

    Figure 4-3 DHCP-Based Autoconfiguration Network Example (figure: Switch A through Switch D with MAC addresses 00e0.9f1e.2001 through 00e0.9f1e.2004, a Cisco router at 10.0.0.10, and a DHCP server, DNS server, and TFTP server (maritsu) at 10.0.0.1, 10.0.0.2, and 10.0.0.3 respectively) Table 4-2 shows the configuration of the reserved leases on the DHCP server or the DHCP server feature running on your switch.
  • Page 89: Manually Assigning IP Information

    DNS Server Configuration The DNS server maps the TFTP server name maritsu to IP address 10.0.0.3. TFTP Server Configuration (on UNIX) The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method.
  • Page 90: Checking And Saving The Running Configuration

    Checking and Saving the Running Configuration Command Purpose Step 5 ip default-gateway ip-address Enter the IP address of the next-hop router interface that is directly connected to the switch where a default gateway is being configured. The default gateway receives IP packets with unresolved destination IP addresses from the switch.
  • Page 91: Modifying The Startup Configuration

    Flash memory, use the show startup-config or more startup-config privileged EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Modifying the Startup Configuration This section describes how to modify the switch startup configuration.
  • Page 92: Default Boot Configuration

    Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot cycle.
  • Page 93: Booting Manually

    Booting Manually By default, the switch automatically boots; however, you can configure it to manually boot. Beginning in privileged EXEC mode, follow these steps to configure the switch to manually boot during the next boot cycle: Command Purpose...
  • Page 94: Controlling Environment Variables

    Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
  • Page 95 BOOT filesystem:/file-url ...: A semicolon-separated list of executable files to try to load and execute when automatically booting. If the BOOT environment variable is not ... boot system filesystem:/file-url: Specifies the Cisco IOS image to load during the next boot cycle. This command changes the setting of the BOOT environment variable.
  • Page 96: Scheduling A Reload Of The Software Image

    Scheduling a Reload of the Software Image You can schedule a reload of the software image to occur on the switch at a later time (for example, late at night or during the weekend when the switch is used less), or you can synchronize a reload network-wide (for example, to perform a software upgrade on all switches in the network).
  • Page 97: Displaying Scheduled Reload Information

    This example shows how to reload the software on the switch at a future time: Switch# reload at 02:00 jun 20 Reload scheduled for 02:00:00 UTC Thu Jun 20 1996 (in 344 hours and 53 minutes) Proceed with reload? [confirm] To cancel a previously scheduled reload, use the reload cancel privileged EXEC command.
  • Page 99: Chapter 5 Clustering Switches

    Chapter 5 Clustering Switches This chapter provides the concepts and procedures to create and manage Catalyst 3560 switch clusters. Note This chapter focuses on Catalyst 3560 switch clusters. It also includes guidelines and limitations for clusters mixed with other cluster-capable Catalyst switches, but it does not provide complete descriptions of the cluster features for these other switches.
  • Page 100: Understanding Switch Clusters

    Chapter 5 Clustering Switches Understanding Switch Clusters A switch cluster is a set of up to 16 connected, cluster-capable Catalyst switches that are managed as a single entity. The switches in the cluster use the switch clustering technology so that you can configure and troubleshoot a group of different Catalyst desktop switch platforms through a single IP address.
  • Page 101: Cluster Command Switch Characteristics

    • It has an IP address. • It has Cisco Discovery Protocol (CDP) version 2 enabled (the default). • It is not a command or cluster member switch of another cluster. • It is connected to the standby cluster command switches through the management VLAN and to the...
  • Page 102: Candidate Switch And Cluster Member Switch Characteristics

    Planning a Switch Cluster Candidate Switch and Cluster Member Switch Characteristics Candidate switches are cluster-capable switches that have not yet been added to a cluster. Cluster member switches are switches that have actually been added to a switch cluster. Although not required, a candidate or cluster member switch can have its own IP address and password (for related considerations, see the “IP Addresses”...
  • Page 103: Automatic Discovery Of Cluster Candidates And Members

    Automatic Discovery of Cluster Candidates and Members The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
  • Page 104: Discovery Through Non-CDP-Capable And Noncluster-Capable Devices

    Discovery Through Non-CDP-Capable and Noncluster-Capable Devices If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 105: Discovery Through Different VLANs

    Discovery Through Different VLANs If the cluster command switch is a Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 switch, the cluster can have cluster member switches in different VLANs. As cluster member switches, they must be connected through at least one VLAN in common with the cluster command switch.
  • Page 106: Discovery Through Routed Ports

    The cluster command switch and standby command switch in Figure 5-4 (assuming they are Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switches) have ports assigned to VLANs 9, 16, and 62. The management VLAN on the cluster command switch is VLAN 9. Each cluster command switch discovers the switches in the different management VLANs except these: • Switches 7 and 10 (switches in management VLAN 4) because they are not connected through a...
  • Page 107: Discovery Of Newly Installed Switches

    [Figure 5-5 Discovery Through Routed Ports: command switch, member switch (management VLAN 62), and switch 7 (VLAN 4); VLAN 9 and VLAN 62 labels shown] Discovery of Newly Installed Switches To join a cluster, the new, out-of-the-box switch must be connected to the cluster through one of its access ports.
  • Page 108: HSRP And Standby Cluster Command Switches

    HSRP and Standby Cluster Command Switches The switch supports Hot Standby Router Protocol (HSRP) so that you can configure a group of standby cluster command switches. Because a cluster command switch manages the forwarding of all communication and configuration information to all the cluster member switches, we strongly recommend the following: For a cluster command switch stack, a standby cluster command switch is necessary if the entire...
  • Page 109: Virtual IP Addresses

    Virtual IP Addresses You need to assign a unique virtual IP address and group number and name to the cluster standby group. This information must be configured on a specific VLAN or routed port on the active cluster command switch.
  • Page 110: Automatic Recovery Of Cluster Configuration

    Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL cluster member switches must be connected to the cluster standby group through their management VLANs. For more information about VLANs in switch clusters, see these sections: “Discovery Through Different VLANs”...
  • Page 111: IP Addresses

    When the previously active cluster command switch resumes its active role, it receives a copy of the latest cluster configuration from the active cluster command switch, including members that were added while it was down. The active cluster command switch sends a copy of the cluster configuration to the cluster standby group.
  • Page 112: Passwords

    Passwords You do not need to assign passwords to an individual switch if it will be a cluster member. When a switch joins a cluster, it inherits the command-switch password and retains it when it leaves the cluster. If no command-switch password is configured, the cluster member switch inherits a null password.
  • Page 113: Access Modes In CMS

    If your cluster has these cluster member switches running earlier software releases and if you have read-only access to these cluster member switches, some configuration windows for those switches display incomplete information: • Catalyst 2900 XL or Catalyst 3500 XL cluster member switches running Cisco IOS Release 12.0(5)WC2 or earlier • Catalyst 2950 cluster member switches running Cisco IOS Release 12.0(5)WC2 or earlier...
  • Page 114: Creating A Switch Cluster

    Creating a Switch Cluster Using CMS to create a cluster is easier than using the CLI commands. This section provides this information: • Enabling a Cluster Command Switch, page 5-16 • Adding Cluster Member Switches, page 5-17 • Creating a Cluster Standby Group, page 5-19 • ...
  • Page 115: Adding Cluster Member Switches

    Adding Cluster Member Switches As explained in the “Automatic Discovery of Cluster Candidates and Members” section on page 5-5, the cluster command switch automatically discovers candidate switches. When you add new cluster-capable switches to the network, the cluster command switch discovers them and adds them to a list of candidate switches.
  • Page 116 [Figure 5-9 Add to Cluster Window, with these callouts: Select a switch, and click Add. Press Ctrl and left-click to select more than one switch. Enter the password of the candidate switch. If no password exists for the switch, leave this field blank.]
  • Page 117: Creating A Cluster Standby Group

    Creating a Cluster Standby Group The cluster standby group members must meet the requirements described in the “Standby Cluster Command Switch Characteristics” section on page 5-3 and the “HSRP and Standby Cluster Command Switches” section on page 5-10.
  • Page 118: Verifying A Switch Cluster

    Verifying a Switch Cluster [Figure 5-11 Standby Command Configuration Window: a list of cluster switches (stack10, stack1, TRS, G-M-C3550-24) with callouts marking the active command switch and the standby command switch; the virtual IP address must be a valid IP...]
  • Page 119: Using The CLI To Manage Switch Clusters

    Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
  • Page 120: Catalyst 1900 And Catalyst 2820 CLI Considerations

    Using SNMP to Manage Switch Clusters Catalyst 1900 and Catalyst 2820 CLI Considerations If your switch cluster has Catalyst 1900 and Catalyst 2820 switches running standard edition software, the Telnet session accesses the management console (a menu-driven interface) if the cluster command switch is at privilege level 15.
  • Page 121 [Figure 5-13 SNMP Management for a Cluster: SNMP Manager, command switch, Member 1, Member 2, Member 3, and Trap 1, Trap 2, Trap 3]
  • Page 123: Managing The System Time And Date

    You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
  • Page 124: Chapter 6 Administering The Switch

    Chapter 6 Administering the Switch Managing the System Time and Date Understanding the System Clock The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time. The system clock can then be set from these sources: •...
  • Page 125 Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 126: Configuring NTP

    Configuring NTP The switch does not have a hardware-supported clock and cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. The switch also has no hardware support for a calendar.
  • Page 127: Configuring NTP Authentication

    Configuring NTP Authentication This procedure must be coordinated with the administrator of the NTP server; the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server. Beginning in privileged EXEC mode, follow these steps to authenticate the associations (communications between devices running NTP that provide for accurate timekeeping) with other devices for security purposes:...
  • Page 128: Configuring NTP Associations

    Configuring NTP Associations An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this switch synchronizes to the other device, and not the other way around).
  • Page 129: Configuring NTP Broadcast Service

    Configuring NTP Broadcast Service The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association.
  • Page 130: Configuring NTP Access Restrictions

    Beginning in privileged EXEC mode, follow these steps to configure the switch to receive NTP broadcast packets from connected peers: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to receive NTP broadcast packets, and enter interface...
  • Page 131 Creating an Access Group and Assigning a Basic IP Access List Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists: Command Purpose Step 1...
  • Page 132: Configuring The Source IP Address For NTP Packets

    To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command. This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99.
  • Page 133: Displaying The NTP Configuration

    [detail] • show ntp status For detailed information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. Configuring Time and Date Manually If no other source of time is available, you can manually configure the time and date after the system is restarted.
  • Page 134: Displaying The Time And Date Configuration

    Displaying the Time and Date Configuration To display the time and date configuration, use the show clock [detail] privileged EXEC command. The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate).
  • Page 135: Configuring Summer Time (Daylight Saving Time)

    Configuring Summer Time (Daylight Saving Time) Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year: Command Purpose Step 1...
  • Page 136 Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events): Command Purpose Step 1...
  • Page 137: Configuring A System Name And Prompt

    Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
  • Page 138: Configuring A System Prompt

    Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
  • Page 139: Default DNS Configuration

    Configuring a System Name and Prompt Default DNS Configuration Table 6-2 shows the default DNS configuration. Table 6-2 Default DNS Configuration (Feature: Default Setting). DNS enable state: Enabled. DNS default domain name: None configured. DNS servers: No name server addresses are configured.
  • Page 140: Displaying The DNS Configuration

    If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
  • Page 141: Configuring A Message-Of-The-Day Login Banner

    Creating a Banner Configuring a Message-of-the-Day Login Banner You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: Command Purpose Step 1...
  • Page 142: Configuring A Login Banner

    Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner: Command Purpose Step 1...
  • Page 143: Managing The MAC Address Table

    Managing the MAC Address Table The MAC address table contains address information that the switch uses to forward traffic between ports. All MAC addresses in the address table are associated with one or more ports. The address table includes these types of addresses: •...
  • Page 144: MAC Addresses And VLANs

    MAC Addresses and VLANs All addresses are associated with a VLAN. An address can exist in more than one VLAN and have different destinations in each. Unicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 1 in VLAN 5.
  • Page 145: Removing Dynamic Address Entries

    Beginning in privileged EXEC mode, follow these steps to configure the dynamic address table aging time: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac address-table aging-time [0 | 10-1000000] [vlan vlan-id] Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated.
  • Page 146 Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address notification traps to an NMS host: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server host host-addr {traps | informs} {version {1 Specify the recipient of the trap message.
  • Page 147: Adding And Removing Static Address Entries

    Command Purpose Step 9 show mac address-table notification interface Verify your entries. show running-config Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable the switch from sending MAC address notification traps, use the no snmp-server enable traps mac-notification global configuration command.
  • Page 148: Configuring Unicast MAC Address Filtering

    Beginning in privileged EXEC mode, follow these steps to add a static address: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac address-table static mac-addr vlan vlan-id interface interface-id Add a static address to the MAC address table. •...
  • Page 149 • If you add a unicast MAC address as a static address and configure unicast MAC address filtering, the switch either adds the MAC address as a static address or drops packets with that MAC address, depending on which command was entered last.
  • Page 150: Displaying Address Table Entries

    (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. For CLI procedures, refer to the Cisco IOS Release 12.1 documentation on Cisco.com.
  • Page 151: Chapter 7 Configuring SDM Templates

    Chapter 7 Configuring SDM Templates This chapter describes how to configure the Switch Database Management (SDM) templates on the Catalyst 3560 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 152: Configuring The Switch SDM Template

    Configuring the Switch SDM Template [Table 7-1 Approximate Number of Feature Resources Allowed by Each Template (continued): columns Resource, Default, Routing, VLAN; rows Unicast routes (11 K), Directly connected hosts, Indirect routes, Policy-based routing ACEs, QoS classification ACEs, Security ACEs, Layer 2 VLANs...]
  • Page 153: Setting The SDM Template

    Setting the SDM Template Beginning in privileged EXEC mode, follow these steps to use the SDM template to maximize feature usage: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 sdm prefer {default | routing | vlan} Specify the SDM template to be used on the switch:...
  • Page 154: Displaying The SDM Templates

    Displaying the SDM Templates Use the show sdm prefer privileged EXEC command with no parameters to display the active template. Use the show sdm prefer [default | routing | vlan] privileged EXEC command to display the resource numbers supported by the specified template.
  • Page 155: Preventing Unauthorized Access To Your Switch

    Chapter 8 Configuring Switch-Based Authentication This chapter describes how to configure switch-based authentication on the Catalyst 3560 switch. This chapter consists of these sections: • Preventing Unauthorized Access to Your Switch, page 8-1 • Protecting Access to Privileged EXEC Commands, page 8-2 • ...
  • Page 156: Chapter 8 Configuring Switch-Based Authentication

    Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.1. This section describes how to control access to the configuration file and privileged EXEC commands.
  • Page 157: Setting Or Changing A Static Enable Password

    Protecting Access to Privileged EXEC Commands Setting or Changing a Static Enable Password The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password: Command Purpose Step 1...
  • Page 158: Protecting Enable And Enable Secret Passwords With Encryption

    By default, no password is defined. • (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password that you...
  • Page 159: Disabling Password Recovery

    Disable password recovery. This setting is saved in an area of the Flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 160: Setting A Telnet Password For A Terminal Line

    To re-enable password recovery, use the service password-recovery global configuration command. Note Disabling password recovery will not work if you have set the switch to boot manually by using the boot manual global configuration command.
  • Page 161: Configuring Username And Password Pairs

    Configuring Username and Password Pairs You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
  • Page 162: Configuring Multiple Privilege Levels

    Configuring Multiple Privilege Levels By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
  • Page 163: Changing The Default Privilege Level For Lines

    When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
  • Page 164: Logging Into And Exiting A Privilege Level

    (AAA) and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.1. This section contains this configuration information: •...
  • Page 165 Controlling Switch Access with TACACS+ [Figure 8-1 Typical TACACS+ Network Configuration: UNIX workstation (TACACS+ server 1) 171.20.10.7, UNIX workstation (TACACS+ server 2) 171.20.10.8, and a Catalyst 6500 series switch] Configure the switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers).
  • Page 166: Tacacs+ Operation

    TACACS+ Operation When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs: When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user.
  • Page 167: Configuring TACACS+

    Configuring TACACS+ This section describes how to configure your switch to support TACACS+. At a minimum, you must identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+ authentication.
  • Page 168: Configuring TACACS+ Login Authentication

    Beginning in privileged EXEC mode, follow these steps to identify the IP host or hosts maintaining the TACACS+ server and optionally set the encryption key: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 169 authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted.
  • Page 170: Configuring TACACS+ Authorization For Privileged EXEC Access And Network Services

    Command Purpose Step 5 login authentication {default | list-name} Apply the authentication list to a line or set of lines. • If you specify default, use the default list created with the aaa authentication login command.
  • Page 171: Starting TACACS+ Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services:...
  • Page 172: Controlling Switch Access with RADIUS

    RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.1. This section contains this configuration information: ...
  • Page 173: RADIUS Operation

    • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication. • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 174: Configuring RADIUS

    Configuring RADIUS: This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication.
  • Page 175: Identifying the RADIUS Server Host

    Identifying the RADIUS Server Host: Switch-to-RADIUS-server communication involves several components: • Host name or IP address • Authentication destination port • Accounting destination port • Key string • Timeout period • ...
  • Page 176 Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required. Step 1: configure terminal (Enter global configuration mode). Step 2: radius-server host {hostname | ... (Specify the IP address or host name of the remote RADIUS server host).
  • Page 177: Configuring RADIUS Login Authentication

    To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting: Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1 Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2...
  • Page 178 Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required. Step 1: configure terminal (Enter global configuration mode). Step 2: aaa new-model (Enable AAA).
  • Page 179: Defining AAA Server Groups

    Step 5: login authentication {default | list-name} (Apply the authentication list to a line or set of lines. If you specify default, use the default list created with the aaa authentication login command.)
  • Page 180 Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it: Step 1: configure terminal (Enter global configuration mode). Step 2: radius-server host {hostname | ... (Specify the IP address or host name of the remote RADIUS server host).
  • Page 181: Configuring RADIUS Authorization for User Privileged Access and Network Services

    Step 8: copy running-config startup-config (Optional: save your entries in the configuration file). Step 9: Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 8-23.
  • Page 182: Starting RADIUS Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 183: Configuring Settings for All RADIUS Servers

    1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
  • Page 184 For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP IPCP address assignment): cisco-avpair="ip:addr-pool=first" This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: cisco-avpair="shell:priv-lvl=15"...
  • Page 185: Configuring the Switch for Vendor-Proprietary RADIUS Server Communication

    Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
  • Page 186: Controlling Switch Access with Kerberos

    • Configuring Kerberos, page 8-36 For Kerberos configuration examples, refer to the “Kerberos Configuration Examples” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.1, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt2/. Note: For complete syntax and usage information for the commands used in this section, refer to the “Kerberos Commands”...
  • Page 187 This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs).
  • Page 188: Kerberos Operation

    Table 8-2 Kerberos Terms (continued): KEYTAB: A password that a network service shares with the KDC. In Kerberos 5 and later Kerberos versions, the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it.
  • Page 189: Authenticating To A Boundary Switch

    KDC and obtain a TGT from the KDC to access network services. For instructions about how to authenticate to a KDC, refer to the “Obtaining a TGT from a KDC” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.1, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt2/scdkerb.htm...
  • Page 190: Configuring Kerberos

    • Configure the switch to use the Kerberos protocol. For instructions, refer to the “Kerberos Configuration Task List” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.1, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt2/scdkerb.htm#xtocid154007. Configuring the Switch for Local Authentication and...
  • Page 191: Configuring the Switch for Secure Shell

    Note: For complete syntax and usage information for the commands used in this section, refer to the command reference for this release and the command reference for Cisco IOS Release 12.2 at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Catalyst 3560 Switch Software Configuration Guide...
  • Page 192: Understanding SSH

    You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 193: Configuring SSH

    Setting Up the Switch to Run SSH: Follow these steps to set up your switch to run SSH: Download the cryptographic software image from Cisco.com. This step is required. For more information, refer to the release notes for this release.
  • Page 194: Configuring the SSH Server

    Step 4: crypto key generate rsa (Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair. We recommend a minimum modulus size of 1024 bits. When you generate RSA keys, you are prompted to enter a modulus length.)
  • Page 195: Displaying the SSH Configuration and Status

    Shows the status of the SSH server. For more information about these commands, refer to the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fothercr/...
  • Page 197 Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
  • Page 198: Understanding 802.1X Port-Based Authentication

    (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 199: Authentication Initiation And Message Exchange

    Chapter 9 Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication Authentication Initiation and Message Exchange The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when the link state transitions from down to up.
  • Page 200: Ports In Authorized And Unauthorized States

    Ports in Authorized and Unauthorized States: Depending on the switch port state, the switch can grant a client access to the network. The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X, CDP, and STP protocol packets.
  • Page 201: Using 802.1X with Port Security

    In a point-to-point configuration (see Figure 9-1 on page 9-2), only one client can be connected to the 802.1X-enabled switch port. The switch detects the client when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.
  • Page 202: Using 802.1X with Voice VLAN Ports

    A voice VLAN port becomes active when there is link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it.
  • Page 203 When configured on the switch and the RADIUS server, 802.1X with VLAN assignment has these characteristics: • If no VLAN is supplied by the RADIUS server or if 802.1X authorization is disabled, the port is configured in its access VLAN after successful authentication.
  • Page 204: Using 802.1X with Guest VLAN

    If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
  • Page 205: Configuring 802.1X Authentication

    Only one 802.1X-authenticated user is supported on a port. If the multiple-hosts mode is enabled on the port, the per-user ACL attribute is disabled for the associated port. The maximum size of the per-user ACL is 4000 ASCII characters. For examples of vendor-specific attributes, see the “Configuring the Switch to Use Vendor-Specific RADIUS Attributes”...
  • Page 206: Default 802.1X Configuration

    Default 802.1X Configuration: Table 9-1 shows the default 802.1X configuration. Table 9-1 Default 802.1X Configuration: Authentication, authorization, and accounting (AAA): Disabled. RADIUS server IP address: None specified. RADIUS server UDP authentication port: 1812.
  • Page 207: 802.1X Configuration Guidelines

    802.1X Configuration Guidelines: These are the 802.1X authentication configuration guidelines: – Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, an error message appears, and the port mode is not changed.
  • Page 208 Beginning in privileged EXEC mode, follow these steps to configure 802.1X port-based authentication. This procedure is required. Step 1: configure terminal (Enter global configuration mode). Step 2: aaa new-model (Enable AAA).
  • Page 209: Configuring the Switch-to-RADIUS-Server Communication

    Configuring the Switch-to-RADIUS-Server Communication: RADIUS security servers are identified by their host name or IP address, host name and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.
  • Page 210: Configuring Periodic Re-Authentication

    You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, refer to the RADIUS server documentation.
  • Page 211: Changing The Quiet Period

    Changing the Quiet Period: When the switch cannot authenticate the client, the switch remains idle for a set period of time and then tries again. The dot1x timeout quiet-period interface configuration command controls the idle period. A failed authentication of the client might occur because the client provided an invalid password.
  • Page 212: Setting the Switch-to-Client Frame-Retransmission Number

    Step 4: Return to privileged EXEC mode. Step 5: show dot1x interface interface-id (Verify your entries). Step 6: copy running-config startup-config (Optional: save your entries in the configuration file). To return to the default retransmission time, use the no dot1x timeout tx-period interface configuration command.
  • Page 213: Configuring the Host Mode

    Configuring the Host Mode: You can configure an 802.1X port for single-host or for multiple-hosts mode. In single-host mode, only one host is allowed on an 802.1X port. When the host is authenticated, the port is placed in the authorized state.
  • Page 214: Configuring a Guest VLAN

    Configuring a Guest VLAN: When you configure a guest VLAN, clients that are not 802.1X-capable are put into the guest VLAN when the server does not receive a response to its EAPOL request/identity frame. Clients that are 802.1X-capable but fail authentication are not granted access to the network.
  • Page 215: Displaying 802.1X Statistics and Status

    Displaying 802.1X Statistics and Status: To display 802.1X statistics for all ports, use the show dot1x all statistics privileged EXEC command. To display 802.1X statistics for a specific port, use the show dot1x statistics interface interface-id privileged EXEC command.
  • Page 217: Understanding Interface Types

    Note: For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the online Cisco IOS Interface Command Reference for Release 12.1. Understanding Interface Types: This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface types.
  • Page 218: Chapter 10 Configuring Interface Characteristics

    Port-Based VLANs: A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 12, “Configuring VLANs.”...
  • Page 219: Trunk Ports

    Catalyst 6500 series switch; the Catalyst 3560 switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 14, “Configuring Voice VLAN.”...
  • Page 220: Switch Virtual Interfaces

    The number of routed ports that you can configure is not limited by software. However, the interrelationship between this number and the number of other features being configured might impact CPU performance because of hardware limitations. See the “Configuring Layer 3 Interfaces”...
  • Page 221: EtherChannel Port Groups

    Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP), which operate only on physical ports.
  • Page 222: Using Interface Configuration Mode

    Figure 10-2 Connecting VLANs with the Catalyst 3560 Switch (figure: a Layer 3 switch with routing enabled, SVI 1 and SVI 2 with IP addresses 172.20.128.1 and 172.20.129.1, Host A and Host B in VLAN 20 and VLAN 30). When the EMI is running on the switch, the switch supports two methods of forwarding traffic between interfaces: routing and fallback bridging.
  • Page 223: Procedures For Configuring Interfaces

    You can identify physical interfaces by physically checking the interface location on the switch. You can also use the Cisco IOS show privileged EXEC commands to display information about a specific interface or all the interfaces on the switch. The remainder of this chapter primarily provides physical interface configuration procedures.
  • Page 224: Configuring A Range Of Interfaces

    Configuring a Range of Interfaces: You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters. When you enter the interface range configuration mode, all command parameters that you enter are attributed to all interfaces within that range until you exit this mode.
  • Page 225: Configuring And Using Interface Range Macros

    • All interfaces defined in a range must be the same type (all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs), but you can enter multiple ranges in a command.
  • Page 226 Use the no define interface-range macro_name global configuration command to delete a macro. When using the define interface-range global configuration command, note these guidelines: • Valid entries for interface-range: – vlan vlan-ID - vlan-ID, where the VLAN ID is from 1 to 4094 – fastethernet module/{first port} - {last port}, where the module is always 0 –...
  • Page 227: Configuring Ethernet Interfaces

    Configuring Ethernet Interfaces: These sections describe the default interface configuration and the optional features that you can configure on most physical interfaces: • Default Ethernet Interface Configuration, page 10-11 • Configuring Interface Speed and Duplex Mode, page 10-12 • Configuring IEEE 802.3X Flow Control, page 10-14 • ...
  • Page 228: Configuring Interface Speed And Duplex Mode

    Disabled. Note: The switch might not support a pre-standard powered device—such as Cisco IP phones and access points that do not fully support IEEE 802.3af—if that powered device is connected to the switch through a crossover cable. This is regardless of whether Auto-MDIX is enabled on the switch port.
  • Page 229: Configuration Guidelines

    Configuration Guidelines: When configuring an interface speed and duplex mode, note these guidelines: • If both ends of the line support autonegotiation, we highly recommend the default setting of autonegotiation. • If one interface supports autonegotiation and the other end does not, configure duplex and speed on...
  • Page 230: Configuring IEEE 802.3X Flow Control

    Step 3: speed {10 | 100 | 1000 | auto | nonegotiate}: Enter the appropriate speed parameter for the interface: • Enter 10 or 100 to set a specific speed for the interface. The 1000 keyword is available only for SFP module ports with a 1000BASE-T SFP module.
  • Page 231: Configuring Auto-MDIX on an Interface

    When set to desired, an interface can operate with an attached device that is required to send flow-control packets or with an attached device that is not required to but can send flow-control packets. These rules apply to flow control settings on the device: • ...
  • Page 232: Configuring Power over Ethernet on an Interface

    Switch(config-if)# end Configuring Power over Ethernet on an Interface: The switch supports both the Cisco pre-standard PoE method and the IEEE 802.3af PoE standard. The switches automatically supply power to connected pre-standard powered devices (such as Cisco IP Phones and Cisco Aironet Access Points), and IEEE 802.3af-compliant powered devices if the switch senses that there is no power on the circuit.
  • Page 233 After power is applied to an interface, the switch uses Cisco Discovery Protocol (CDP) to determine the power requirement of the connected Cisco PoE (standard and pre-standard) devices, and the switch adjusts the power budget accordingly.
  • Page 234: Adding a Description for an Interface

    This example shows how to enable automatic PoE on a port and the response from the show power inline command for the interface when a Cisco IEEE-compliant IP Phone is being supplied with power: Switch# configure terminal...
  • Page 235: Configuring Layer 3 Interfaces

    Configuring Layer 3 Interfaces: The Catalyst 3560 switch supports these types of Layer 3 interfaces: • SVIs: You should configure SVIs for any VLANs for which you want to route traffic. SVIs are created when you enter a VLAN ID following the interface vlan global configuration command.
  • Page 236: Configuring the System MTU

    Step 3: no switchport (For physical ports only, enter Layer 3 mode). Step 4: ip address ip_address subnet_mask (Configure the IP address and IP subnet). Step 5: no shutdown (Enable the interface).
  • Page 237 Beginning in privileged EXEC mode, follow these steps to change MTU size for all 10/100 or Gigabit Ethernet interfaces: Step 1: configure terminal (Enter global configuration mode). Step 2: system mtu bytes (Optional: change the MTU size for all interfaces on the switch that are operating at 10 or 100 Mbps).
  • Page 238: Monitoring And Maintaining The Interfaces

    (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference for Release 12.1. Table 10-3 Show Commands for Interfaces...
  • Page 239: Clearing And Resetting Interfaces And Counters

    Clearing and Resetting Interfaces and Counters: Table 10-4 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces. Table 10-4 Clear Commands for Interfaces: clear counters [interface-id]...
  • Page 241: Chapter 11 Configuring SmartPort Macros

    Chapter 11 Configuring SmartPort Macros: This chapter describes how to configure and apply SmartPort macros on the Catalyst 3560 switch. Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 242: Configuring Smart-Port Macros

    Configuring Smart-Port Macros: You can create a new SmartPort macro or use an existing macro as a template to create a new macro that is specific to your application. After you create the macro, you can apply it to an interface or range of interfaces.
  • Page 243: Creating And Applying Smartport Macros

    Creating and Applying SmartPort Macros: Beginning in privileged EXEC mode, follow these steps to create and apply a SmartPort macro: Step 1: configure terminal (Enter global configuration mode). Step 2: macro name macro-name (Create a macro definition, and enter a macro name).
  • Page 244: Displaying Smartport Macros

    This example shows how to define the desktop-config macro for an access switch interface, apply the macro to Gigabit Ethernet port 2, add a description to the interface, and verify the configuration. Switch(config)# macro name desktop-config # Put the switch in access mode switchport mode access...
  • Page 245: Chapter 12 Configuring VLANs

    Chapter 12 Configuring VLANs: This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Catalyst 3560 switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS).
  • Page 246 Figure 12-1 VLANs as Logically Defined Networks (figure: Engineering, Marketing, and Accounting VLANs spanning Floor 1, Floor 2, and Floor 3, connected over Gigabit Ethernet to a Cisco router). VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
  • Page 247: Supported VLANs

    Supported VLANs: The switch supports 1005 VLANs in VTP client, server, and transparent modes. VLANs are identified with a number from 1 to 4094. VLAN IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
  • Page 248: Configuring Normal-Range VLANs

    Dynamic-Access Ports on VMPS Clients” section on page 12-30. Voice VLAN: A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic... (VTP characteristics: VTP is not required; it has no effect on voice VLAN.)
  • Page 249: Token Ring VLANs

    You can set these parameters when you create a new normal-range VLAN or modify an existing VLAN in the VLAN database: • VLAN ID • VLAN name • VLAN type (Ethernet, Fiber Distributed Data Interface [FDDI], FDDI network entity title [NET], TrBRF, or TrCRF, Token Ring, Token Ring-Net) • ...
  • Page 250: Normal-Range VLAN Configuration Guidelines

    Normal-Range VLAN Configuration Guidelines: Follow these guidelines when creating and modifying normal-range VLANs in your network: • The switch supports 1005 VLANs in VTP client, server, and transparent modes. • Normal-range VLANs are identified with a number between 1 and 1001. VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
  • Page 251: VLAN Configuration in config-vlan Mode

    VLAN Configuration in config-vlan Mode: To access config-vlan mode, enter the vlan global configuration command with a VLAN ID. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify the VLAN. You can use the default VLAN configuration (Table 12-2) or enter multiple commands to configure the VLAN.
  • Page 252: Default Ethernet VLAN Configuration

    Default Ethernet VLAN Configuration: Table 12-2 shows the default configuration for Ethernet VLANs. Note: The switch supports Ethernet interfaces exclusively. Because FDDI and Token Ring VLANs are not locally supported, you only configure FDDI and Token Ring media-specific characteristics for VTP global advertisements to other switches.
  • Page 253 Beginning in privileged EXEC mode, follow these steps to use config-vlan mode to create or modify an Ethernet VLAN: Step 1: configure terminal (Enter global configuration mode). Step 2: vlan vlan-id (Enter a VLAN ID, and enter config-vlan mode).
  • Page 254: Deleting a VLAN

    Beginning in privileged EXEC mode, follow these steps to use VLAN database configuration mode to create or modify an Ethernet VLAN:
      Step 1: vlan database. Enter VLAN database configuration mode.
      Step 2: vlan vlan-id name vlan-name. Add an Ethernet VLAN by assigning a number to it.
  • Page 255: Assigning Static-Access Ports to a VLAN

    Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch by using global configuration mode:
      Step 1: configure terminal. Enter global configuration mode.
      Step 2: no vlan vlan-id. Remove the VLAN by entering the VLAN ID.
  • Page 256: Configuring Extended-Range VLANs

    To return an interface to its default configuration, use the default interface interface-id global configuration command. This example shows how to configure a port as an access port in VLAN 2:
      Switch# configure terminal
      Enter configuration commands, one per line. ...
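    The create-VLAN, assign-port and delete-VLAN procedures above, carried through as one session. This is an added example, not text from the manual; VLAN 2, the name marketing and port fastethernet0/10 are assumed values. The access mode is set explicitly so that DTP cannot negotiate the port into a trunk, and the session ends by showing what deleting the VLAN does to a port still assigned to it.

```cisco
! Added example, not from the manual. Assumed values: VLAN 2, name "marketing",
! port fastethernet0/10.
Switch# configure terminal
! Create (or modify) a normal-range VLAN in config-vlan mode.
Switch(config)# vlan 2
Switch(config-vlan)# name marketing
Switch(config-vlan)# exit
! Make the port a static-access member of the VLAN. "switchport mode access"
! turns DTP negotiation off on the port, so it cannot be talked into trunking.
Switch(config)# interface fastethernet0/10
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2
Switch(config-if)# end
! Verify: VLAN 2 is active and lists Fa0/10; the port shows
! "Operational Mode: static access" and "Access Mode VLAN: 2 (marketing)".
Switch# show vlan id 2
Switch# show interfaces fastethernet0/10 switchport
Switch# copy running-config startup-config
! Deleting the VLAN does not reassign its ports: Fa0/10 stays configured for
! VLAN 2 and goes inactive until it is moved to an existing VLAN or reset.
Switch# configure terminal
Switch(config)# no vlan 2
! Return the port to all of its defaults (access mode removed, VLAN 1) in one command.
Switch(config)# default interface fastethernet0/10
Switch(config)# end
! "show vlan brief" no longer lists VLAN 2; the port is back in VLAN 1.
Switch# show vlan brief
Switch# show interfaces fastethernet0/10 switchport
```

    Leaving a port assigned to a deleted VLAN is a common cause of "the port is up but passes no traffic"; the show interfaces switchport output is the quickest way to spot it.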
  • Page 257: Extended-Range VLAN Configuration Guidelines

    Extended-Range VLAN Configuration Guidelines. Follow these guidelines when creating extended-range VLANs:
      • To add an extended-range VLAN, you must use the vlan vlan-id global configuration command and access config-vlan mode. You cannot add extended-range VLANs in VLAN database configuration mode (accessed by entering the vlan database privileged EXEC command).
  • Page 258: Creating an Extended-Range VLAN

    Creating an Extended-Range VLAN. You create an extended-range VLAN in global configuration mode by entering the vlan global configuration command with a VLAN ID from 1006 to 4094. This command accesses config-vlan mode.
  • Page 259: Creating an Extended-Range VLAN with an Internal VLAN ID

    This example shows how to create a new extended-range VLAN with all default characteristics, enter config-vlan mode, and save the new VLAN in the switch startup configuration file (the switch must be in VTP transparent mode first):
      Switch(config)# vtp mode transparent
      Switch(config)# vlan 2000
      Switch(config-vlan)# end
      Switch# copy running-config startup-config
    Creating an Extended-Range VLAN with an Internal VLAN ID ...
  • Page 260: Displaying VLANs

    Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network. Two trunking encapsulations are available on all Ethernet interfaces:
      • Inter-Switch Link (ISL): ISL is Cisco-proprietary trunking encapsulation.
      • 802.1Q: 802.1Q is industry-standard trunking encapsulation.
  • Page 261

    Figure 12-2 Switches in an ISL Trunking Environment (figure; labels: Catalyst 6500 series switch, four trunks to four switches, VLAN1, VLAN2, VLAN3). You can configure a trunk on a single Ethernet interface or on an EtherChannel bundle. For more information about EtherChannel, see Chapter 29, “Configuring EtherChannels.” ...
  • Page 262: Encapsulation Types

    ... VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the native VLAN of the trunk with the spanning-tree instance of the non-Cisco 802.1Q switch.
  • Page 263: Default Layer 2 Ethernet Interface VLAN Configuration

      • Make sure the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk is different from the native VLAN on the other end, spanning-tree loops might result. A mismatch also moves untagged frames from one VLAN into another, because each end places untagged frames into its own native VLAN.
  • Page 264: Interaction with Other Features

    Interaction with Other Features. Trunking interacts with other features in these ways:
      • A trunk port cannot be a secure port.
      • Trunk ports can be grouped into EtherChannel port groups, but all trunks in the group must have the ...
  • Page 265: Defining the Allowed VLANs on a Trunk

    ... VLANs from the allowed list. Note: VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1. Control protocols such as CDP, DTP, and VTP continue to use VLAN 1 on the link even after VLAN 1 is removed from the allowed list.
  • Page 266: Changing the Pruning-Eligible List

    Beginning in privileged EXEC mode, follow these steps to modify the allowed list of an ISL or 802.1Q trunk:
      Step 1: configure terminal. Enter global configuration mode.
      Step 2: interface interface-id. Enter interface configuration mode and the port to be configured.
  • Page 267: Configuring the Native VLAN for Untagged Traffic

      Step 3: switchport trunk pruning vlan {add | except | none | remove} vlan-list. Configure the list of VLANs allowed to be pruned from the trunk (see the “VTP Pruning” section on page 13-4).
  • Page 268: Configuring Trunk Ports for Load Sharing

    To return to the default native VLAN, VLAN 1, use the no switchport trunk native vlan interface configuration command. If a packet has a VLAN ID that is the same as the outgoing port native VLAN ID, the packet is sent untagged; ...
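    The trunk guidelines above (matching native VLAN on both ends, VLAN 1 minimization, the allowed and pruning-eligible lists) applied to one 802.1Q trunk. This is an added example, not text from the manual; port gigabitethernet0/1, VLANs 10, 20 and 30, and native VLAN 999 are assumed values. It goes one step beyond the excerpt by also turning DTP off with switchport nonegotiate, so the far end must be configured as a trunk as well.

```cisco
! Added example, not from the manual. Assumed values: port gigabitethernet0/1,
! data VLANs 10, 20, 30, native VLAN 999 (created only to serve as an unused native VLAN).
Switch# configure terminal
Switch(config)# vlan 999
Switch(config-vlan)# name unused-native
Switch(config-vlan)# exit
Switch(config)# interface gigabitethernet0/1
! Choose the encapsulation explicitly; the 3560 rejects "mode trunk" while
! encapsulation is still left to negotiation.
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
! Stop sending DTP frames. The other end must then be a configured trunk too;
! this also keeps an attached host from negotiating a trunk on this port.
Switch(config-if)# switchport nonegotiate
! Native VLAN must be identical on both ends (guideline above). A VLAN that carries
! no user traffic keeps untagged frames out of every data VLAN.
Switch(config-if)# switchport trunk native vlan 999
! Replace the default "all" list with only the VLANs this link needs. VLAN 1 is
! left off (VLAN 1 minimization); CDP, DTP and VTP still use VLAN 1 on the link.
Switch(config-if)# switchport trunk allowed vlan 10,20,30
! Keep VLAN 30 off the pruning-eligible list so VTP never prunes it here, even
! while no local port is in VLAN 30.
Switch(config-if)# switchport trunk pruning vlan remove 30
Switch(config-if)# end
! Verify: Mode "on", Encapsulation "802.1q", Native vlan 999, "Vlans allowed on
! trunk" 10,20,30. A native-VLAN mismatch with the neighbor is reported by CDP
! as a "%CDP-4-NATIVE_VLAN_MISMATCH" log message.
Switch# show interfaces gigabitethernet0/1 trunk
Switch# show interfaces gigabitethernet0/1 switchport
Switch# copy running-config startup-config
```

    Apply the same native VLAN and allowed list on the neighbor's port; the show interfaces trunk output on each side is the check that both ends agree.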
  • Page 269

    Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 12-3:
      Step 1: configure terminal. Enter global configuration mode on Switch A.
      Step 2: vtp domain domain-name. Configure a VTP administrative domain.
  • Page 270: Load Sharing Using STP Path Cost

    Load Sharing Using STP Path Cost. You can configure parallel trunks to share VLAN traffic by setting different path costs on a trunk and associating the path costs with different sets of VLANs, blocking different ports for different VLANs. The VLANs keep the traffic separate and maintain redundancy in the event of a lost link.
  • Page 271: Configuring VMPS

      Step 11: interface gigabitethernet0/1. Enter interface configuration mode, and define the interface on which to set the STP cost.
      Step 12: spanning-tree vlan 2-4 cost 30. Set the spanning-tree path cost to 30 for VLANs 2 through 4.
      Step 13: exit. Return to global configuration mode.
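    The path-cost load-sharing procedure above, completed for both switches. This is an added example, not text from the manual; it keeps Step 12 as shown (VLANs 2 through 4 cost 30 on gigabitethernet0/1 of Switch A) and assumes VLANs 8 through 10 on the second trunk, the VTP domain name loadshare, and Switch B as the root for all of these VLANs.

```cisco
! Added example, not from the manual. Two parallel trunks (gi0/1, gi0/2) between
! Switch A and Switch B. Assumed: VLANs 2-4 and 8-10, VTP domain "loadshare",
! Switch B is the root for all of these VLANs.
! ---- Switch A (VTP server; the costs live here) ----
SwitchA# configure terminal
SwitchA(config)# vtp domain loadshare
SwitchA(config)# vtp mode server
SwitchA(config)# vlan 2-4
SwitchA(config-vlan)# exit
SwitchA(config)# vlan 8-10
SwitchA(config-vlan)# exit
SwitchA(config)# interface gigabitethernet0/1
SwitchA(config-if)# switchport trunk encapsulation dot1q
SwitchA(config-if)# switchport mode trunk
SwitchA(config-if)# switchport trunk allowed vlan 2-4,8-10
! Cost 30 for VLANs 2-4 on trunk 1 (Step 12 above) makes trunk 2, at the default
! Gigabit cost of 4, the cheaper path to the root for those VLANs.
SwitchA(config-if)# spanning-tree vlan 2-4 cost 30
SwitchA(config-if)# exit
SwitchA(config)# interface gigabitethernet0/2
SwitchA(config-if)# switchport trunk encapsulation dot1q
SwitchA(config-if)# switchport mode trunk
SwitchA(config-if)# switchport trunk allowed vlan 2-4,8-10
! Mirror image: VLANs 8-10 are expensive on trunk 2, so they forward on trunk 1.
SwitchA(config-if)# spanning-tree vlan 8-10 cost 30
SwitchA(config-if)# end
! ---- Switch B (VTP client, root for every VLAN involved) ----
SwitchB# configure terminal
SwitchB(config)# vtp domain loadshare
SwitchB(config)# vtp mode client
SwitchB(config)# interface gigabitethernet0/1
SwitchB(config-if)# switchport trunk encapsulation dot1q
SwitchB(config-if)# switchport mode trunk
SwitchB(config-if)# switchport trunk allowed vlan 2-4,8-10
SwitchB(config-if)# exit
SwitchB(config)# interface gigabitethernet0/2
SwitchB(config-if)# switchport trunk encapsulation dot1q
SwitchB(config-if)# switchport mode trunk
SwitchB(config-if)# switchport trunk allowed vlan 2-4,8-10
SwitchB(config-if)# end
! Wait until VTP has delivered the VLANs ("show vlan brief" lists 2-4 and 8-10).
! Path cost is evaluated by the non-root switch when it picks its root port, so
! Switch B has to be the root for Switch A's costs to decide the split.
SwitchB# configure terminal
SwitchB(config)# spanning-tree vlan 2-4,8-10 root primary
SwitchB(config)# end
! Verify on Switch A: for VLAN 2, Gi0/2 is Root/FWD and Gi0/1 is Altn/BLK;
! for VLAN 8 the roles are reversed. If either trunk fails, every VLAN moves to the other.
SwitchA# show spanning-tree vlan 2
SwitchA# show spanning-tree vlan 8
SwitchA# show spanning-tree interface gigabitethernet0/1
```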
  • Page 272: Dynamic-Access Port VLAN Membership

    If the port is currently unassigned (that is, it does not yet have a VLAN assignment), the VMPS provides one of these responses:
      • If the host is allowed on the port, the VMPS sends the client a vlan-assignment response containing the assigned VLAN name and allowing access to the host.
  • Page 273: Default VMPS Client Configuration

    Default VMPS Client Configuration. Table 12-7 shows the default VMPS and dynamic-access port configuration on client switches.
    Table 12-7 Default VMPS Client and Dynamic-Access Port Configuration
      Feature: Default Setting
      VMPS domain server: None
      VMPS reconfirm interval: 60 minutes
      VMPS server retry count: ...
      Dynamic-access ports: ...
  • Page 274: Entering the IP Address of the VMPS

    Entering the IP Address of the VMPS. You must first enter the IP address of the server to configure the switch as a client. Note: If the VMPS is being defined for a cluster of switches, enter the address on the command switch. Beginning in privileged EXEC mode, follow these steps to enter the IP address of the VMPS: ...
  • Page 275: Reconfirming VLAN Memberships

      Step 6: show interfaces interface-id switchport. Verify your entries in the Operational Mode field of the display.
      Step 7: copy running-config startup-config. (Optional) Save your entries in the configuration file.
    To return an interface to its default configuration, use the default interface interface-id global configuration command.
  • Page 276: Changing the Retry Count

    Changing the Retry Count. Beginning in privileged EXEC mode, follow these steps to change the number of times that the switch attempts to contact the VMPS before querying the next server:
      Step 1: configure terminal. Enter global configuration mode.
  • Page 277: Troubleshooting Dynamic-Access Port VLAN Membership

    Troubleshooting Dynamic-Access Port VLAN Membership. The VMPS shuts down a dynamic-access port under these conditions:
      • The VMPS is in secure mode, and it does not allow the host to connect to the port. The VMPS shuts down the port to prevent the host from connecting to the network.
  • Page 278

    Figure 12-5 Dynamic Port VLAN Membership Configuration (figure; labels: TFTP server, Catalyst 6500 series switch A, Primary VMPS Server 1, 172.20.26.150, Router 172.20.22.7, Client switch B 172.20.26.151, dynamic-access port, end station 1, trunk port, Catalyst 6500 series Switch C 172.20.26.152, Secondary VMPS Server 2) ...
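    The VMPS client procedures above (server address, reconfirm interval, retry count, dynamic-access port) as one configuration of client switch B from Figure 12-5. This is an added example, not text from the manual; it uses the server addresses from the figure (172.20.26.150 primary, 172.20.26.152 secondary) and assumes port fastethernet0/5, a 30-minute reconfirm interval and a retry count of 3.

```cisco
! Added example, not from the manual. Server addresses are taken from Figure 12-5;
! port fastethernet0/5, reconfirm 30 and retry 3 are assumed values.
Switch# configure terminal
! The primary server is queried first; the others are tried in order once the
! retry count for the current server is exhausted.
Switch(config)# vmps server 172.20.26.150 primary
Switch(config)# vmps server 172.20.26.152
! Re-check every dynamic assignment with the VMPS every 30 minutes (default 60).
Switch(config)# vmps reconfirm 30
! Attempts per server before the switch moves on to the next one.
Switch(config)# vmps retry 3
! A dynamic-access port must be an access port: a trunk port or a secure port
! cannot be made dynamic, and it should face a single end station.
Switch(config)# interface fastethernet0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan dynamic
Switch(config-if)# end
! Verify: "Operational Mode: dynamic access"; once a host's MAC address has been
! learned and accepted, "Access Mode VLAN" shows the VLAN the VMPS assigned.
Switch# show interfaces fastethernet0/5 switchport
! Server list, reconfirm interval, retry count and the outcome of the last query.
Switch# show vmps
! Force an immediate re-query for all dynamic ports (after a VMPS database change).
Switch# vmps reconfirm
Switch# copy running-config startup-config
! If the VMPS is in secure mode and rejects the host, it shuts the port down
! (see the troubleshooting conditions above). After fixing the database, bring the
! port back with shutdown followed by no shutdown.
Switch# configure terminal
Switch(config)# interface fastethernet0/5
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# end
```

    Note that the VMPS database, not the client switch, decides which MAC addresses are allowed on which VLANs; the client only enforces the answer, so an empty "VMPS domain server" setting leaves every dynamic port unassigned.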
  • Page 279: Chapter 13 Configuring VTP

    Chapter 13 Configuring VTP. This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 3560 switch. Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 280: The VTP Domain

    Understanding VTP. This section contains information about these VTP parameters and characteristics:
      • The VTP Domain, page 13-2
      • VTP Modes, page 13-3
      • VTP Advertisements, page 13-3
      • VTP Version 2, page 13-4
      • VTP Pruning, page 13-4
      • ...
  • Page 281: VTP Modes

    VTP Modes. You can configure a supported switch to be in one of the VTP modes listed in Table 13-1.
    Table 13-1 VTP Modes
      VTP server: In VTP server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as the VTP version) for the entire VTP domain. ...
  • Page 282: VTP Version 2

    VTP advertisements distribute this VLAN information for each configured VLAN:
      • VLAN IDs (ISL and 802.1Q)
      • VLAN name
      • VLAN type
      • VLAN state
      • Additional VLAN configuration information specific to the VLAN type
      • ...
  • Page 283

    Figure 13-1 Flooding Traffic without VTP Pruning (figure; labels: Switch A, Switch B, Switch C, Switch D, Switch E, Switch F, Port 1, Port 2, VLAN). Figure 13-2 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch A is not forwarded to Switches C, E, and F because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch B and Port 4 on Switch D).
  • Page 284: Default VTP Configuration

    VTP pruning is not designed to function in VTP transparent mode. If one or more switches in the network are in VTP transparent mode, you should do one of these:
      • Turn off VTP pruning in the entire network.
      • ...
  • Page 285: VTP Configuration Options

    VTP Configuration Options. You can configure VTP by using these configuration modes:
      • VTP Configuration in Global Configuration Mode, page 13-7
      • VTP Configuration in VLAN Database Configuration Mode, page 13-7
    You access VLAN database configuration mode by entering the vlan database privileged EXEC command.
  • Page 286: VTP Configuration Guidelines

    VTP Configuration Guidelines. These sections describe guidelines you should follow when implementing VTP in your network. Domain Names: When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name.
  • Page 287: VTP Version

    VTP Version. Follow these guidelines when deciding which VTP version to implement:
      • All switches in a VTP domain must run the same VTP version.
      • A VTP version 2-capable switch can operate in the same VTP domain as a switch running VTP ...
  • Page 288

      Step 4: vtp password password. (Optional) Set the password for the VTP domain. The password can be from 8 to 64 characters. If you configure a VTP password, the VTP domain does not function properly if you do not assign the same password to each switch in the domain. The password itself is never carried in VTP advertisements; it is folded into the MD5 digest that every summary advertisement carries, so a switch with a different password cannot push VLAN changes into the domain.
  • Page 289: Configuring a VTP Client

    This example shows how to use VLAN database configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:
      Switch# vlan database
      Switch(vlan)# vtp server
      Switch(vlan)# vtp domain eng_group
      Switch(vlan)# vtp password mypassword
      Switch(vlan)# exit
      APPLY completed. ...
  • Page 290: Disabling VTP (VTP Transparent Mode)

    Note: You can also configure a VTP client by using the vlan database privileged EXEC command to enter VLAN database configuration mode and entering the vtp client command, similar to the second procedure under “Configuring a VTP Server” ...
  • Page 291: Enabling VTP Version 2

    ... transparent VLAN database configuration command to return the switch to VTP server mode. If extended-range VLANs are configured on the switch, you cannot change VTP mode to server. You receive an error message, and the configuration is not allowed. Enabling VTP Version 2: VTP version 2 is disabled by default on VTP version 2-capable switches.
  • Page 292: Adding a VTP Client Switch to a VTP Domain

    Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the VTP domain:
      Step 1: configure terminal. Enter global configuration mode.
      Step 2: vtp pruning. Enable pruning in the VTP administrative domain. By default, pruning is disabled.
  • Page 293: Monitoring VTP

      Step 3: vtp domain domain-name. Change the domain name from the original one displayed in Step 1 to a new name.
      Step 4: The VLAN information on the switch is updated and the configuration revision number is reset to 0.
    Resetting the revision number matters because a switch that joins the domain with a higher configuration revision than the domain's current value overwrites the VLAN database on every server and client in the domain.
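    The VTP procedures of this chapter (server with domain, password, version 2 and pruning; revision reset before adding a client; transparent mode where pushed changes must not be accepted) in global configuration mode rather than the VLAN-database mode of the earlier example. This is an added example, not text from the manual; it reuses the domain name eng_group and password mypassword from that example, and the switch names Core, New and Edge and the temporary domain name are assumed.

```cisco
! Added example, not from the manual. Domain eng_group and password mypassword
! come from the VLAN-database example above; switch names are assumed.
! ---- Core: the only VTP server in the domain ----
Core# configure terminal
Core(config)# vtp domain eng_group
Core(config)# vtp mode server
! Same password on every switch. It is never sent; VTP folds it into the MD5
! digest of each advertisement, so a switch with the wrong password is ignored.
Core(config)# vtp password mypassword
Core(config)# vtp version 2
! Pruning is a domain-wide setting; enable it once, on a server.
Core(config)# vtp pruning
Core(config)# end
Core# show vtp status
! ---- New: a switch about to be cabled into the domain as a client ----
! Its configuration revision may be higher than the domain's (for example after
! lab use). Changing the domain name resets the revision to 0; do this before
! the trunk to the domain comes up.
New# show vtp status
New# configure terminal
New(config)# vtp domain quarantine-temp
New(config)# vtp domain eng_group
New(config)# vtp password mypassword
New(config)# vtp mode client
New(config)# end
! Verify "Configuration Revision : 0" before connecting the trunk.
New# show vtp status
! ---- Edge: switches that must keep their own VLAN database ----
Edge# configure terminal
Edge(config)# vtp mode transparent
Edge(config)# vtp domain eng_group
Edge(config)# vtp password mypassword
! A transparent switch forwards advertisements (with version 2, regardless of
! domain name) but never applies them, and it is the only mode that can hold
! extended-range VLANs (1006-4094).
Edge(config)# end
Edge# show vtp status
```

    After every change, compare the "MD5 digest" line of show vtp status across the switches: servers and clients in one domain with the same password and VLAN database show the same digest, and a switch that does not is either misconfigured or has not yet received an advertisement.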
  • Page 294
  • Page 295: Chapter 14 Configuring Voice VLAN

    The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When the switch is connected to a Cisco 7960 IP Phone, the IP Phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS.
  • Page 296: Cisco IP Phone Voice Traffic

    Cisco IP Phone Voice Traffic. You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on ...
  • Page 297: Configuring Voice VLAN

      • ... voice VLAN, the Port Fast feature is not automatically disabled.
      • If the Cisco IP Phone and a device attached to the Cisco IP Phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN:
          – They both use 802.1p or untagged frames.
  • Page 298: Configuring a Port Connected to a Cisco 7960 IP Phone

    Configuring a Port Connected to a Cisco 7960 IP Phone. Because a Cisco 7960 IP Phone also supports a connection to a PC or other device, a port connecting the switch to a Cisco IP Phone can carry mixed traffic. You can configure a port to determine how the IP phone carries voice traffic and data traffic.
  • Page 299: Configuring the Priority of Incoming Data Frames

    Configuring the Priority of Incoming Data Frames. You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in 802.1Q or 802.1p frames), you can configure the switch to send CDP packets to instruct the IP phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
  • Page 300: Displaying Voice VLAN

    Beginning in privileged EXEC mode, follow these steps to set the priority of data traffic received from the nonvoice port on the Cisco IP Phone:
      Step 1: configure terminal. Enter global configuration mode.
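    The voice VLAN procedures above (a port connected to a Cisco 7960 IP Phone, plus the priority given to data frames from the phone's PC port) as one port configuration. This is an added example, not text from the manual; VLAN 100 for voice, VLAN 20 for data and port fastethernet0/12 are assumed values. It shows the setting a practitioner wants on such a port: the phone is told to overwrite the CoS of the PC's frames, and the switch trusts CoS only while CDP sees a Cisco phone.

```cisco
! Added example, not from the manual. Assumed values: voice VLAN 100, data VLAN 20,
! port fastethernet0/12.
Switch# configure terminal
! QoS must be enabled globally for any trust setting to take effect on the 3560.
Switch(config)# mls qos
Switch(config)# vlan 100
Switch(config-vlan)# name voice
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name data
Switch(config-vlan)# exit
Switch(config)# interface fastethernet0/12
Switch(config-if)# switchport mode access
! Untagged frames from the PC behind the phone land in the data VLAN.
Switch(config-if)# switchport access vlan 20
! CDP tells the phone to send voice tagged with VLAN 100 (802.1Q, CoS 5).
! Port Fast is enabled automatically when a voice VLAN is configured.
Switch(config-if)# switchport voice vlan 100
! CDP also tells the phone to overwrite the CoS of frames arriving on its PC
! port with 0, so a host cannot mark its own traffic as voice priority.
! (The default is cos 0; "switchport priority extend trust" would keep the host's marking.)
Switch(config-if)# switchport priority extend cos 0
! Trust the CoS the phone marks, but only while CDP detects a Cisco IP Phone.
! If the phone is unplugged and a PC connected directly, CoS is no longer trusted.
Switch(config-if)# mls qos trust cos
Switch(config-if)# mls qos trust device cisco-phone
Switch(config-if)# end
! Verify: "Voice VLAN: 100 (voice)" and "Access Mode VLAN: 20 (data)";
! "show mls qos interface" reports the trust state and whether a phone is detected.
Switch# show interfaces fastethernet0/12 switchport
Switch# show mls qos interface fastethernet0/12
Switch# copy running-config startup-config
```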
  • Page 301

    Chapter 15 Configuring STP. This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the Catalyst 3560 switch. The switch uses the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or it can use the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
  • Page 302: Configuring STP

      • Spanning-Tree Interoperability and Backward Compatibility, page 15-10
      • STP and IEEE 802.1Q Trunks, page 15-10
      • VLAN-Bridge Spanning Tree, page 15-11
    For configuration information, see the “Configuring Spanning-Tree Features” section on page 15-11.
  • Page 303: Spanning-Tree Topology and BPDUs

    Spanning-Tree Topology and BPDUs. The stable, active spanning-tree topology of a switched network is controlled by these elements:
      • The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch.
  • Page 304: Bridge ID, Switch Priority, and Extended System ID

    Bridge ID, Switch Priority, and Extended System ID. The IEEE 802.1D standard requires that each switch has a unique bridge identifier (bridge ID), which controls the selection of the root switch. Because each VLAN is considered as a different logical bridge with PVST+ and rapid PVST+, the same switch must have as many different bridge IDs as VLANs configured on it.
  • Page 305

    An interface moves through these states:
      • From initialization to blocking
      • From blocking to listening or to disabled
      • From listening to learning or to disabled
      • From learning to forwarding or to disabled
      • ...
  • Page 306: Blocking State

    Blocking State. A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each switch interface. A switch initially functions as the root until it exchanges BPDUs with other switches.
  • Page 307: Disabled State

    Disabled State. A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational. A disabled interface performs these functions:
      • Discards frames received on the interface
      • ...
  • Page 308: Spanning Tree and Redundant Connectivity

    Spanning Tree and Redundant Connectivity. You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure 15-3. Spanning tree automatically disables one interface but enables it if the other one fails.
  • Page 309: Spanning-Tree Modes and Protocols

    Spanning-Tree Modes and Protocols. The switch supports these spanning-tree modes and protocols:
      • PVST+: This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet, Fast Ethernet, and Gigabit Ethernet port-based VLANs.
  • Page 310: Spanning-Tree Interoperability and Backward Compatibility

    ... VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
  • Page 311: VLAN-Bridge Spanning Tree

    VLAN-Bridge Spanning Tree. Cisco VLAN-bridge spanning tree is used with the fallback bridging feature (bridge groups), which forwards non-IP protocols such as DECnet between two or more VLAN bridge domains or routed ports. The VLAN-bridge spanning tree allows the bridge groups to form a spanning tree on top of the individual VLAN spanning trees to prevent loops from forming if there are multiple connections among VLANs.
  • Page 312: Spanning-Tree Configuration Guidelines

    Table 15-3 Default Spanning-Tree Configuration (continued)
      Feature: Default Setting
      Spanning-tree port cost (configurable on a per-interface basis): 1000 Mbps: 4; 100 Mbps: 19; 10 Mbps: 100.
      Spanning-tree VLAN port priority (configurable on a per-VLAN basis): 128.
  • Page 313: Changing the Spanning-Tree Mode

    Spanning-tree commands control the configuration of VLAN spanning-tree instances. You create a spanning-tree instance when you assign an interface to a VLAN. The spanning-tree instance is removed when the last interface is moved to another VLAN. You can configure switch and port parameters before a spanning-tree instance is created; ...
  • Page 314: Disabling Spanning Tree

      Step 7: show spanning-tree summary, show spanning-tree interface interface-id. Verify your entries.
      Step 8: copy running-config startup-config. (Optional) Save your entries in the configuration file.
    To return to the default setting, use the no spanning-tree mode global configuration command. To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
  • Page 315

    If any root switch for the specified VLAN has a switch priority lower than 24576, the switch sets its own priority for the specified VLAN to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit switch priority value as shown in Table 15-1 on page 15-4.)
  • Page 316: Configuring a Secondary Root Switch

      Step 4: show spanning-tree detail. Verify your entries.
      Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
    To return to the default setting, use the no spanning-tree vlan vlan-id root global configuration command.
  • Page 317: Configuring Port Priority

    Configuring Port Priority. If a loop occurs, spanning tree uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) to interfaces that you want selected last.
  • Page 318: Configuring Path Cost

    To return to the default setting, use the no spanning-tree [vlan vlan-id] port-priority interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree port priorities, see the “Configuring Trunk Ports for Load Sharing” ...
  • Page 319: Configuring the Switch Priority of a VLAN

    Note: The show spanning-tree interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration. To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command.
  • Page 320: Configuring Spanning-Tree Timers

    Configuring Spanning-Tree Timers. Table 15-4 describes the timers that affect the entire spanning-tree performance.
    Table 15-4 Spanning-Tree Timers
      Hello timer: Controls how often the switch broadcasts hello messages to other switches.
      Forward-delay timer: Controls how long each of the listening and learning states last before the interface begins forwarding.
  • Page 321: Configuring the Forwarding-Delay Time for a VLAN

    Configuring the Forwarding-Delay Time for a VLAN. Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional.
      Step 1: configure terminal. Enter global configuration mode.
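    The root-switch, port-priority, path-cost, switch-priority and timer procedures of this chapter applied to a pair of distribution switches. This is an added example, not text from the manual; VLANs 10 and 20, the uplink port and the timer values are assumed, and rapid PVST+ is enabled first so that the settings apply to it. It adds one caveat the procedures do not state: root primary is a macro evaluated once when entered, so a design that needs a fixed root sets the priority explicitly.

```cisco
! Added example, not from the manual. Assumed: VLANs 10 and 20, uplink
! gigabitethernet0/1, timer values below.
! ---- Switch A: primary root for VLAN 10, backup for VLAN 20 ----
SwitchA# configure terminal
SwitchA(config)# spanning-tree mode rapid-pvst
! "root primary" picks 24576, or 4096 below the current root if that is lower.
! It reads the current root once, when entered; it does not track later changes.
SwitchA(config)# spanning-tree vlan 10 root primary
! "root secondary" sets 28672, so this switch takes over if the primary fails.
SwitchA(config)# spanning-tree vlan 20 root secondary
SwitchA(config)# end
! Verify: Root ID and Bridge ID carry the same MAC address, and the bridge
! priority reads 24586 = 24576 + 10 (the VLAN ID is the extended system ID).
SwitchA# show spanning-tree vlan 10
! ---- Switch B: the mirror image, with an explicit priority for VLAN 20 ----
SwitchB# configure terminal
SwitchB(config)# spanning-tree mode rapid-pvst
! A fixed priority instead of the macro: must be a multiple of 4096 (0-61440).
SwitchB(config)# spanning-tree vlan 20 priority 24576
SwitchB(config)# spanning-tree vlan 10 root secondary
! Per-VLAN tuning on the uplink. Port priority is carried in the BPDUs this
! switch sends, so it steers the neighbor's choice between equal-cost ports;
! cost changes this switch's own root-port choice. Port priority is a multiple of 16.
SwitchB(config)# interface gigabitethernet0/1
SwitchB(config-if)# spanning-tree vlan 10 port-priority 16
SwitchB(config-if)# spanning-tree vlan 20 cost 30
SwitchB(config-if)# exit
! Timers are set on the root of the VLAN only; its BPDUs carry them to the rest
! of that VLAN's tree. They must satisfy 2*(forward-delay - 1) >= max-age >= 2*(hello + 1).
SwitchB(config)# spanning-tree vlan 20 hello-time 2
SwitchB(config)# spanning-tree vlan 20 forward-time 10
SwitchB(config)# spanning-tree vlan 20 max-age 14
SwitchB(config)# end
! Verify: VLAN 20 shows this bridge as root with the new timers; the interface
! display shows the per-VLAN priority and cost (only while the link is up).
SwitchB# show spanning-tree vlan 20 detail
SwitchB# show spanning-tree interface gigabitethernet0/1
SwitchB# copy running-config startup-config
```

    Whichever switch is root for a VLAN is the one whose timers and MAC address appear in the Root ID section of show spanning-tree on every other switch; an unexpected Root ID there is the first sign that a rogue or misconfigured switch has claimed the root.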
  • Page 322: Displaying the Spanning-Tree Status

    Displaying the Spanning-Tree Status. To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 15-5:
    Table 15-5 Commands for Displaying Spanning-Tree Status
      show spanning-tree active: Displays spanning-tree information on active interfaces only.
  • Page 323: Chapter 16 Configuring MSTP

    Chapter 16 Configuring MSTP. This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 3560 switch. The MSTP enables multiple VLANs to be mapped to the same spanning-tree instance, thereby reducing the number of spanning-tree instances needed to support a large number of VLANs.
  • Page 324: Understanding MSTP

    Understanding MSTP. MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.
  • Page 325: IST, CIST, and CST

    IST, CIST, and CST. Unlike PVST+ and rapid PVST+, in which all the spanning-tree instances are independent, the MSTP establishes and maintains two types of spanning trees:
      • An internal spanning tree (IST), which is the spanning tree that runs in an MST region. Within each MST region, the MSTP maintains multiple spanning-tree instances. ...
  • Page 326: Operations Between MST Regions

    Operations Between MST Regions. If there are multiple regions or legacy 802.1D switches within the network, MSTP establishes and maintains the CST, which includes all MST regions and all legacy STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
  • Page 327: Hop Count

    Hop Count. The IST and MST instances do not use the message-age and maximum-age information in the configuration BPDU to compute the spanning-tree topology. Instead, they use the path cost to the root and a hop-count mechanism similar to the IP time-to-live (TTL) mechanism. By using the spanning-tree mst max-hops global configuration command, you can configure the maximum hops inside the region and apply it to the IST and all MST instances in that region.
  • Page 328: Understanding RSTP

    ... However, the switch does not automatically revert to the MSTP mode if it no longer receives 802.1D BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is the designated switch.
  • Page 329: Rapid Convergence

    (Last row of the port-state comparison table: operational status Disabled, STP port state Disabled, RSTP port state Discarding.) To be consistent with Cisco STP implementations, this guide documents the port state as blocking instead of discarding. Designated ports start in the listening state. Rapid Convergence: The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
  • Page 330: Synchronization of Port Roles

    When Switch C is connected to Switch B, a similar set of handshaking messages are exchanged. Switch C selects the port connected to Switch B as its root port, and both ends immediately transition to the forwarding state. With each iteration of this handshaking process, one more switch joins the active topology.
  • Page 331: Bridge Protocol Data Unit Format and Processing

    Figure 16-3 Sequence of Events During Rapid Convergence (figure; numbered steps: 1. Proposal, 2. Block, 3. Block, 4. Agreement, 5. Forward, 6. Proposal, 7. Proposal, 8. Agreement, 9. Forward, 10. Agreement, 11. Forward; labels: Edge port, Root port, Designated port). Bridge Protocol Data Unit Format and Processing: The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version ...
  • Page 332: Processing Superior BPDU Information

    The RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change (TC) flag to show the topology changes. However, for interoperability with 802.1D switches, the RSTP switch processes and generates TCN BPDUs. The learning and forwarding flags are set according to the state of the sending port.
  • Page 333: Configuring MSTP Features

      • Propagation: When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.
  • Page 334: Default MSTP Configuration

    Default MSTP Configuration. Table 16-3 shows the default MSTP configuration.
    Table 16-3 Default MSTP Configuration
      Feature: Default Setting
      Spanning-tree mode: PVST+ (rapid PVST+ and MSTP are disabled).
      Switch priority (configurable on a per-CIST port basis): 32768.
  • Page 335: Specifying the MST Region Configuration and Enabling MSTP

      • All MST boundary ports must be forwarding for load balancing between a PVST+ and an MST cloud or between a rapid-PVST+ and an MST cloud. For this to occur, the IST master of the MST cloud should also be the root of the CST.
  • Page 336: Configuring the Root Switch

      Step 8: spanning-tree mode mst. Enable MSTP. RSTP is also enabled. Caution: Changing spanning-tree modes can disrupt traffic because all spanning-tree instances are stopped for the previous mode and restarted in the new mode. You cannot run both MSTP and PVST+ or both MSTP and rapid PVST+ at the same time.
  • Page 337 Chapter 16 Configuring MSTP Configuring MSTP Features If any root switch for the specified instance has a switch priority lower than 24576, the switch sets its own priority to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit switch priority value as shown in Table 15-1 on page 15-4.)
  • Page 338: Configuring A Secondary Root Switch

    Chapter 16 Configuring MSTP Configuring MSTP Features Configuring a Secondary Root Switch When you configure a Catalyst 3560 switch with the extended system ID support as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified instance if the primary root switch fails.
  • Page 339: Configuring Port Priority

    Chapter 16 Configuring MSTP Configuring MSTP Features Configuring Port Priority If a loop occurs, the MSTP uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) that you want selected last.
  • Page 340: Configuring Path Cost

    Chapter 16 Configuring MSTP Configuring MSTP Features Configuring Path Cost The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values that you want selected last.
  • Page 341: Configuring The Switch Priority

    Chapter 16 Configuring MSTP Configuring MSTP Features Configuring the Switch Priority You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
  • Page 342: Configuring The Forwarding-Delay Time

    Chapter 16 Configuring MSTP Configuring MSTP Features Beginning in privileged EXEC mode, follow these steps to configure the hello time for all MST instances. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree mst hello-time seconds Configure the hello time for all MST instances.
  • Page 343: Configuring The Maximum-Aging Time

    Chapter 16 Configuring MSTP Configuring MSTP Features Configuring the Maximum-Aging Time Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree mst max-age seconds Configure the maximum-aging time for all MST instances.
  • Page 344: Specifying The Link Type To Ensure Rapid Transitions

    Chapter 16 Configuring MSTP Configuring MSTP Features Specifying the Link Type to Ensure Rapid Transitions If you connect a port to another port through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the “Rapid Convergence”...
  • Page 345: Displaying The Mst Configuration And Status

    Chapter 16 Configuring MSTP Displaying the MST Configuration and Status Displaying the MST Configuration and Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 16-4: Table 16-4 Commands for Displaying MST Status Command Purpose show spanning-tree mst configuration...
  • Page 347: Chapter 17 Configuring Optional Spanning-Tree Features: This chapter describes how to configure optional spanning-tree features on the Catalyst 3560 switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+).
  • Page 348: Understanding Optional Spanning-Tree Features

    Understanding Port Fast: Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. You can use Port Fast on interfaces connected to a single workstation or server, as shown in Figure 17-1, to allow those devices to...
  • Page 349: Understanding Bpdu Guard

    Understanding BPDU Guard: The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences. At the global level, you enable BPDU guard on Port Fast-enabled interfaces by using the spanning-tree portfast bpduguard default global configuration command.
  • Page 350: Understanding Uplinkfast

    Understanding UplinkFast: Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 17-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops. Figure 17-2 Switches in a Hierarchical Network (figure labels: Backbone switches, Root bridge)...
  • Page 351: Understanding Backbonefast

    Figure 17-3 shows an example topology with no link failures. Switch A, the root switch, is connected directly to Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state.
  • Page 352: the designated switch. When a switch receives an inferior BPDU, it means that a link to which the switch is not directly connected (an indirect link) has failed (that is, the designated switch has lost its connection to the root switch).
  • Page 353: Understanding Root Guard

    Figure 17-6 BackboneFast Example After Indirect Link Failure (figure labels: Switch A (Root), Switch B, Switch C, Link failure, BackboneFast changes port through listening and learning states to forwarding state). If a new switch is introduced into a shared-medium topology as shown in Figure 17-7, BackboneFast is not activated because the inferior BPDUs did not come from the recognized designated switch...
  • Page 354: Understanding Loop Guard

    If a switch outside the SP network becomes the root switch, the interface is blocked (root-inconsistent state), and spanning tree selects a new root switch. The customer’s switch does not become the root switch and is not in the path to the root.
  • Page 355: Default Optional Spanning-Tree Configuration

    When the switch is operating in MST mode, BPDUs are not sent on nonboundary ports only if the interface is blocked by loop guard in all MST instances. On a boundary port, loop guard blocks the interface in all MST instances.
  • Page 356: Enabling Port Fast

    Enabling Port Fast: An interface with the Port Fast feature enabled is moved directly to the spanning-tree forwarding state without waiting for the standard forward-time delay. Caution: Use Port Fast only when connecting a single end station to an access or trunk port. Enabling this feature on an interface connected to a switch or hub could prevent spanning tree from detecting and disabling loops in your network, which could cause broadcast storms and address-learning problems.
  • Page 357: Enabling Bpdu Guard

    Enabling BPDU Guard: When you globally enable BPDU guard on interfaces that are Port Fast-enabled (the interfaces are in a Port Fast-operational state), spanning tree shuts down Port Fast-enabled interfaces that receive BPDUs. In a valid configuration, Port Fast-enabled interfaces do not receive BPDUs.
  • Page 358: Enabling Bpdu Filtering

    Enabling BPDU Filtering: When you globally enable BPDU filtering on Port Fast-enabled interfaces, it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs.
  • Page 359: Enabling Uplinkfast For Use With Redundant Links

    Enabling UplinkFast for Use with Redundant Links: UplinkFast cannot be enabled on VLANs that have been configured with a switch priority. To enable UplinkFast on a VLAN with switch priority configured, first restore the switch priority on the VLAN to the default value by using the no spanning-tree vlan vlan-id priority global configuration command.
  • Page 360: Enabling Root Guard

    The BackboneFast feature is supported only when the switch is running PVST+. It is not supported when the switch is running rapid PVST+ or MSTP. Beginning in privileged EXEC mode, follow these steps to enable BackboneFast. This procedure is optional.
  • Page 361: Enabling Loop Guard

    Enabling Loop Guard: You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is configured on the entire switched network.
  • Page 362: You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, refer to the command reference for this release.
  • Page 363: Chapter 18 Configuring Dhcp Features

    For complete syntax and usage information for the commands used in this chapter, see the command reference for this release, and refer to the “IP Addressing and Services” section in the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
  • Page 364: Option-82 Data Insertion

    Option-82 Data Insertion: In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address assignments for a large number of subscribers. When the DHCP option-82 feature is enabled on the switch, a subscriber is identified by the switch port through which it connects to the network (in addition to its MAC address).
  • Page 365: Configuring Dhcp Features

    – If your DHCP server is a Cisco device, refer to the “IP Addressing and Services” section in the “Configuring DHCP” chapter of the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1. Otherwise, refer to the documentation that shipped with the server.
  • Page 366: Enabling Dhcp Snooping And Option 82

    Enabling DHCP Snooping and Option 82: Beginning in privileged EXEC mode, follow these steps to enable DHCP snooping on the switch. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 ip dhcp snooping: Enable DHCP snooping globally.
  • Page 367: Displaying Dhcp Information

    Displaying DHCP Information: You can display a DHCP snooping binding table and configuration information for all interfaces on a switch. Displaying a Binding Table: The DHCP snooping binding table for each switch has binding entries that correspond to untrusted ports. The table does not have information about hosts interconnected with a trusted port because each interconnected switch has its own DHCP snooping binding table.
  • Page 368: Displaying The Dhcp Snooping Configuration

    Displaying the DHCP Snooping Configuration: This example shows how to display the DHCP snooping configuration for a switch.
      Switch# show ip dhcp snooping
      Switch DHCP snooping is enabled
      DHCP snooping is configured on following VLANs:
      40-42
      Insertion of option 82 is enabled
      Interface...
  • Page 369: Note: For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the Cisco IOS Release Network Protocols Command Reference, Part 1, for Release 12.1. This chapter consists of these sections: • Understanding IGMP Snooping, page 19-2 •...
  • Page 370: Chapter 19 Configuring Igmp Snooping And Mvr

    Understanding IGMP Snooping: Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast devices.
  • Page 371: Igmp Versions

    An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast (SSM) feature. For more information, refer to the “Configuring IP Multicast Layer 3 Switching” chapter in the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, Cisco IOS Release 12.1(12c)EW at this URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_12/config/mcastmls.htm...
  • Page 372: Figure 19-1 Initial IGMP Join Message (figure labels: Router A, IGMP report 224.1.2.3, VLAN, Switching engine, Forwarding table, Host 1, Host 2, Host 3, Host 4). Router A sends a general query to the switch, which forwards the query to ports 2 through 5, all members of the same VLAN.
  • Page 373: Leaving A Multicast Group

    Figure 19-2 Second Host Joining a Multicast Group (figure labels: Router A, VLAN, Switching engine, Forwarding table, Host 1, Host 2, Host 3, Host 4). Table 19-2 Updated IGMP Snooping Forwarding Table (Destination Address / Type of Packet / Ports)...
  • Page 374: Immediate-Leave Processing

    Immediate-Leave Processing: Immediate Leave is only supported with IGMP version 2 hosts. The switch uses IGMP snooping Immediate-Leave processing to remove from the forwarding table an interface that sends a leave message without the switch sending MAC-based general queries to the interface.
  • Page 375: Default Igmp Snooping Configuration

    Default IGMP Snooping Configuration: Table 19-3 shows the default IGMP snooping configuration. Table 19-3 Default IGMP Snooping Configuration (Feature / Default Setting): IGMP snooping: Enabled globally and per VLAN. Multicast routers: None configured. Multicast router learning (snooping) method: PIM-DVMRP...
  • Page 376: Setting The Snooping Method

    • Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets • Listening to Cisco Group Management Protocol (CGMP) packets from other routers • Statically connecting to a multicast router port with the ip igmp snooping mrouter global...
  • Page 377: Configuring A Multicast Router Port

    This example shows how to configure IGMP snooping to use CGMP packets as the learning method and verify the configuration:
      Switch# configure terminal
      Switch(config)# ip igmp snooping vlan 1 mrouter learn cgmp
      Switch(config)# end
      Switch# show ip igmp snooping vlan 1
      Global IGMP Snooping configuration:...
  • Page 378: Configuring A Host Statically To Join A Group

    This example shows how to enable a static connection to a multicast router and verify the configuration:
      Switch# configure terminal
      Switch(config)# ip igmp snooping vlan 200 mrouter interface gigabitethernet0/2
      Switch(config)# end
      Switch# show ip igmp snooping mrouter vlan 200
      Vlan    ports...
  • Page 379: Disabling Igmp Report Suppression

    Note: Immediate Leave is supported with only IGMP version 2 hosts. Beginning in privileged EXEC mode, follow these steps to enable IGMP Immediate-Leave processing: Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 ip igmp snooping vlan vlan-id...
  • Page 380: Displaying Igmp Snooping Information

    Displaying IGMP Snooping Information: You can display IGMP snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for IGMP snooping.
  • Page 381: Understanding Multicast Vlan Registration

    Understanding Multicast VLAN Registration: Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service provider network (for example, the broadcast of multiple television channels over a service-provider network).
  • Page 382: Using Mvr In A Multicast Television Application

    VLAN as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN. Uplink ports that send and receive multicast data to and from the multicast VLAN are called MVR source ports. Figure 19-3 Multicast VLAN Registration Example (figure labels: Multicast VLAN, Cisco router, Multicast server, Switch B, Multicast...)
  • Page 383: Configuring Mvr

    When a subscriber changes channels or turns off the television, the set-top box sends an IGMP leave message for the multicast stream. The switch CPU sends a MAC-based general query through the receiver port VLAN.
  • Page 384: Default Mvr Configuration

    Default MVR Configuration: Table 19-5 shows the default MVR configuration. Table 19-5 Default MVR Configuration (Feature / Default Setting): MVR: Disabled globally and per interface. Multicast addresses: None configured. Query response time: 0.5 second. Multicast VLAN: VLAN 1. Mode...
  • Page 385: Configuring Mvr Global Parameters

    Configuring MVR Global Parameters: You do not need to set the optional MVR parameters if you choose to use the default settings. If you do want to change the default parameters (except for the MVR VLAN), you must first enable MVR. Note: For complete syntax and usage information for the commands used in this section, refer to the command reference for this release.
  • Page 386: Configuring Mvr Interfaces

    To return the switch to its default settings, use the no mvr [mode | group ip-address | querytime | vlan] global configuration commands. This example shows how to enable MVR, configure the group address, set the query time to 1 second (10 tenths), specify the MVR multicast VLAN as VLAN 22, and set the MVR mode as dynamic:
      Switch(config)# mvr
      Switch(config)# mvr group 228.1.23.4...
  • Page 387: Command / Purpose: Step 6 mvr immediate: (Optional) Enable the Immediate Leave feature of MVR on the port. Note: This command applies to only receiver ports and should only be enabled on receiver ports to which a single receiver device is connected.
  • Page 388: Displaying Mvr Information

    Displaying MVR Information: You can display MVR information for the switch or for a specified interface. Beginning in privileged EXEC mode, use the commands in Table 19-6 to display MVR configuration. Table 19-6 Commands for Displaying MVR Information (Command / Purpose)...
  • Page 389: Default Igmp Filtering And Throttling Configuration

    You can also set the maximum number of IGMP groups that a Layer 2 interface can join. With the IGMP throttling feature, you can also set the maximum number of IGMP groups that a Layer 2 interface can join.
  • Page 390: Configuring Igmp Profiles

    Configuring IGMP Profiles: To configure an IGMP profile, use the ip igmp profile global configuration command with a profile number to create an IGMP profile and to enter IGMP profile configuration mode. From this mode, you can specify the parameters of the IGMP profile to be used for filtering IGMP join requests from a port.
  • Page 391: Applying Igmp Profiles

    This example shows how to create IGMP profile 4 allowing access to the single IP multicast address and how to verify the configuration. If the action was to deny (the default), it would not appear in the show ip igmp profile output display.
  • Page 392: Setting The Maximum Number Of Igmp Groups

    Setting the Maximum Number of IGMP Groups: You can set the maximum number of IGMP groups that a Layer 2 interface can join by using the ip igmp max-groups interface configuration command.
  • Page 393: • If you configure the throttling action and set the maximum group limitation after an interface has added multicast entries to the forwarding table, the forwarding-table entries are either aged out or removed, depending on the throttling action.
  • Page 394: Displaying Igmp Filtering And Throttling Configuration

    Displaying IGMP Filtering and Throttling Configuration: You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface. You can also display the IGMP throttling configuration for all interfaces on the switch or for a specified interface.
  • Page 395: Configuring Storm Control

    Chapter 20 Configuring Port-Based Traffic Control: This chapter describes how to configure the port-based traffic control features on the Catalyst 3560 switch. Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 396: Understanding Storm Control

    When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. However, the switch does not differentiate between routing updates, such as OSPF, and regular multicast data traffic, so both types of traffic are blocked.
  • Page 397: Chapter 20 Configuring Port-Based Traffic Control

    Note: Because packets do not arrive at uniform intervals, the 200-millisecond time interval during which traffic activity is measured can affect the behavior of storm control. The switch continues to monitor traffic on the port, and when the utilization level is below the threshold level, the type of traffic that was dropped is forwarded again.
  • Page 398: Command / Purpose: Step 4 storm-control multicast level level [.level]: Specify the multicast traffic suppression level for an interface as a percentage of total bandwidth. The level can be from 1 to 100; the optional fraction of a level can be from 0 to 99.
  • Page 399: Configuring Protected Ports

    Configuring Protected Ports: Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.
  • Page 400: Configuring Port Blocking

    This example shows how to configure a port as a protected port:
      Switch# configure terminal
      Switch(config)# interface gigabitethernet0/1
      Switch(config-if)# switchport protected
      Switch(config-if)# end
    Configuring Port Blocking: By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues.
  • Page 401: Configuring Port Security

    This example shows how to block unicast and multicast flooding on a port:
      Switch# configure terminal
      Switch(config)# interface gigabitethernet0/1
      Switch(config-if)# switchport block multicast
      Switch(config-if)# switchport block unicast
      Switch(config-if)# end
    Configuring Port Security: You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port.
  • Page 402: Secure Mac Addresses

    Secure MAC Addresses: You configure the maximum number of secure addresses allowed on a port by using the switchport port-security maximum value interface configuration command. Note: If you try to set the maximum value to a number less than the number of secure addresses already configured on an interface, the command is rejected.
  • Page 403: Security Violations

    Security Violations: It is a security violation when one of these situations occurs: • The maximum number of secure MAC addresses has been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
  • Page 404: Default Port Security Configuration

    VLAN. When the port is connected to a Cisco IP phone, the IP phone requires up to two MAC addresses. The IP phone address is learned on the voice VLAN and might also be learned on the access VLAN.
  • Page 405: Enabling And Configuring Port Security

    Enabling and Configuring Port Security: Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port: Command / Purpose: Step 1...
  • Page 406: Command / Purpose: Step 6 switchport port-security violation {protect | restrict | shutdown}: (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these: •...
  • Page 407: Command / Purpose: Step 11 show port-security: Verify your entries. Step 12 copy running-config startup-config: (Optional) Save your entries in the configuration file. To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command.
  • Page 408: Enabling And Configuring Port Security Aging

    Enabling and Configuring Port Security Aging: You can use port security aging to set the aging time for all secure addresses on a port. Two types of aging are supported per port: •...
  • Page 409: Displaying Port-Based Traffic Control Settings

    This example shows how to set the aging time as 2 hours for the secure addresses on a port:
      Switch(config)# interface gigabitethernet0/1
      Switch(config-if)# switchport port-security aging time 120
    This example shows how to set the aging time as 2 minutes for the inactivity aging type with aging enabled for the configured secure addresses on the interface:
      Switch(config-if)# switchport port-security aging time 2
      Switch(config-if)# switchport port-security aging type inactivity...
  • Page 411: Chapter 21 Configuring Cdp

    Monitoring and Maintaining CDP, page 21-5. Understanding CDP: CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 412: Configuring Cdp

    Configuring CDP: These sections include CDP configuration information and procedures: • Default CDP Configuration, page 21-2 • Configuring the CDP Characteristics, page 21-2 • Disabling and Enabling CDP, page 21-3 • Disabling and Enabling CDP on an Interface, page 21-4 •...
  • Page 413: Disabling And Enabling Cdp

    Disabling and Enabling CDP: CDP is enabled by default. Note: Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 5, “Clustering Switches.”...
  • Page 414: Disabling And Enabling Cdp On An Interface

    Beginning in privileged EXEC mode, follow these steps to enable CDP when it has been disabled: Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 cdp run: Enable CDP after disabling it. Step 3: Return to privileged EXEC mode.
  • Page 415: Monitoring And Maintaining Cdp

    Monitoring and Maintaining CDP: To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode. Command / Description: clear cdp counters: Reset the traffic counters to zero. clear cdp table: Delete the CDP table of information about neighbors.
  • Page 416 Chapter 21 Configuring CDP Monitoring and Maintaining CDP Catalyst 3560 Switch Software Configuration Guide 21-6 78-16156-01...
  • Page 417: Chapter 22 Configuring UDLD

    Configuring UDLD This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 3560 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 418: Methods To Detect Unidirectional Links

    A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device. In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection.
  • Page 419 • Event-driven detection and echoing: UDLD relies on echoing as its detection mechanism. Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out-of-sync neighbor, it restarts the detection window on its side of the connection and sends echo messages in reply.
  • Page 420: Configuring UDLD

    Configuring UDLD This section describes how to configure UDLD on your switch. It contains this configuration information: • Default UDLD Configuration, page 22-4 • Configuration Guidelines, page 22-4 • Enabling UDLD Globally, page 22-5 • Enabling UDLD on an Interface, page 22-6 •...
  • Page 421: Enabling UDLD Globally

    Enabling UDLD Globally Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch: Command Purpose Step 1...
  • Page 422: Enabling UDLD on an Interface

    Enabling UDLD on an Interface Beginning in privileged EXEC mode, follow these steps either to enable UDLD in the aggressive or normal mode or to disable UDLD on a port: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 423: Displaying UDLD Status

    Displaying UDLD Status To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, refer to the command reference for this release.
  • Page 425: Chapter 23 Configuring SPAN and RSPAN

    You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.
  • Page 426: Local SPAN

    Understanding SPAN and RSPAN This section includes these topics: • Local SPAN, page 23-2 • Remote SPAN, page 23-2 • SPAN and RSPAN Concepts and Terminology, page 23-3 • SPAN and RSPAN Interaction with Other Features, page 23-8 •...
  • Page 427: SPAN and RSPAN Concepts and Terminology

    Figure 23-2 Example of RSPAN Configuration (figure: Switch A and Switch B run RSPAN source sessions A and B; the intermediate switches must support the RSPAN VLAN; Switch C runs the RSPAN destination session toward the RSPAN destination ports)...
  • Page 428: Monitored Traffic

    An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed over normal trunk ports to the destination switch.
  • Page 429: Source Ports

    The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
  • Page 430: Source VLANs

    • It can be any port type (for example, EtherChannel, Fast Ethernet, and so forth). • For EtherChannel sources, you can monitor traffic for the entire EtherChannel or individually on a physical port as it participates in the port channel.
  • Page 431: Destination Port

    Destination Port Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user, usually a network analyzer.
  • Page 432: RSPAN VLAN

    On a source port, SPAN does not affect the STP status. STP can be active on trunk ports carrying an RSPAN VLAN. • Cisco Discovery Protocol (CDP)—A SPAN destination port does not participate in CDP while the...
  • Page 433: Configuring SPAN and RSPAN

    Configuring SPAN and RSPAN A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and still be a part of the EtherChannel. In this case, data from the physical port is monitored as it participates in the EtherChannel.
  • Page 434: Configuring Local SPAN

    Configuring Local SPAN This section describes how to configure Local SPAN on your switch. It contains this configuration information: • SPAN Configuration Guidelines, page 23-10 • Creating a Local SPAN Session, page 23-11 •...
  • Page 435 Creating a Local SPAN Session Beginning in privileged EXEC mode, follow these steps to create a SPAN session and specify the source (monitored) ports or VLANs and the destination (monitoring) ports: Command Purpose Step 1...
  • Page 436 Command Purpose Step 4 monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]} Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in step 3. Note For local SPAN, you must use the same session number for...
  • Page 437 Beginning in privileged EXEC mode, follow these steps to create a SPAN session, to specify the source ports or VLANs and the destination ports, and to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). Refer to the “Creating a Local SPAN Session”...
  • Page 438 Command Purpose Step 4 monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q... Specify the SPAN session, the destination port, the packet encapsulation, and the ingress VLAN and encapsulation. For session_number, specify the session number entered in step 3.
  • Page 439: Specifying VLANs to Filter

    Specifying VLANs to Filter Beginning in privileged EXEC mode, follow these steps to limit SPAN source traffic to specific VLANs: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no monitor session {session_number | all | Remove any existing SPAN configuration for the session.
  • Page 440: Configuring RSPAN

    This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor traffic received on Gigabit Ethernet trunk port 2, and send traffic for only VLANs 1 through 5 and VLAN 9 to destination Gigabit Ethernet port 1.
  • Page 441: Configuring a VLAN as an RSPAN VLAN

    • We recommend that you configure an RSPAN VLAN before you configure an RSPAN source or a destination session. • If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005.
  • Page 442: Creating an RSPAN Source Session

    Creating an RSPAN Source Session Beginning in privileged EXEC mode, follow these steps to start an RSPAN source session and to specify the monitored source and the destination RSPAN VLAN: Command Purpose Step 1...
  • Page 443: Creating an RSPAN Destination Session

    To remove a source port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command. To remove the RSPAN VLAN from the session, use the no monitor session session_number destination remote vlan vlan-id global configuration command.
  • Page 444: Creating an RSPAN Destination Session and Configuring Ingress Traffic

    Beginning in privileged EXEC mode, follow these steps to create an RSPAN destination session, to specify the source RSPAN VLAN and the destination port, and to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). Refer to the “Creating an RSPAN Destination Session”...
  • Page 445 Command Purpose Step 3 monitor session session_number source remote vlan vlan-id Specify the RSPAN session and the source RSPAN VLAN. For session_number, the range is from 1 to 66. For vlan-id, specify the source RSPAN VLAN to monitor. Step 4 monitor session session_number Specify the SPAN session, the destination port, the packet...
  • Page 446: Specifying VLANs to Filter

    Specifying VLANs to Filter Beginning in privileged EXEC mode, follow these steps to configure the RSPAN source session to limit RSPAN source traffic to specific VLANs: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 447: Displaying SPAN and RSPAN Status

    Displaying SPAN and RSPAN Status To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
  • Page 449: Chapter 24 Configuring RMON

    RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
  • Page 450: Configuring RMON

    Figure 24-1 Remote Monitoring Example (figure: a network management station with a generic RMON console application, with RMON alarms and events configured, SNMP configured, and RMON history and statistic collection enabled, monitoring workstations through the switch) The switch supports these RMON groups (defined in RFC 1757): • Statistics (RMON group 1)—Collects Ethernet statistics (including Fast Ethernet and Gigabit...
  • Page 451: Default RMON Configuration

    Default RMON Configuration RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch. Configuring RMON Alarms and Events You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station.
  • Page 452 Command Purpose Step 3 rmon event number [description string] [log] [owner string] [trap community] Add an event in the RMON event table that is associated with an RMON event number. • For number, assign an event number. The range is 1 to 65535.
  • Page 453: Collecting Group History Statistics on an Interface

    Collecting Group History Statistics on an Interface You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional.
  • Page 454: Collecting Group Ethernet Statistics on an Interface

    Displays the RMON history table. show rmon statistics Displays the RMON statistics table. For information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
  • Page 455: Chapter 25 Configuring System Message Logging

    Configuring System Message Logging This chapter describes how to configure system message logging on the Catalyst 3560 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
  • Page 456: Configuring System Message Logging

    Configuring System Message Logging These sections describe how to configure system message logging: • System Log Message Format, page 25-2 • Default System Message Logging Configuration, page 25-3 • Disabling Message Logging, page 25-4 (optional) •...
  • Page 457: Default System Message Logging Configuration

    Table 25-1 System Log Message Elements (continued) Element Description MNEMONIC Text string that uniquely describes the message. description Text string containing detailed information about the event being reported. This example shows a partial switch system message: 00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up 00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up 00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up...
  • Page 458: Disabling Message Logging

    Disabling Message Logging Message logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.
  • Page 459: Synchronizing Log Messages

    Command Purpose Step 3 logging host Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server.
  • Page 460 When synchronous logging of unsolicited messages and debug command output is enabled, unsolicited device output appears on the console or is printed after solicited device output appears or is printed. Unsolicited messages and debug command output appear on the console after the prompt for user input is returned.
  • Page 461: Enabling and Disabling Time Stamps on Log Messages

    Enabling and Disabling Time Stamps on Log Messages By default, log messages are not time-stamped. Beginning in privileged EXEC mode, follow these steps to enable time-stamping of log messages. This procedure is optional.
  • Page 462: Defining the Message Severity Level

    To disable sequence numbers, use the no service sequence-numbers global configuration command. This example shows part of a logging display with sequence numbers enabled: 000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) Defining the Message Severity Level You can limit messages displayed to the selected device by specifying the severity level of the message, which are described in...
  • Page 463: Limiting Syslog Messages Sent to the History Table and to SNMP

    Table 25-3 Message Logging Level Keywords Level Keyword Level Description Syslog Definition emergencies System unstable LOG_EMERG alerts Immediate action needed LOG_ALERT critical Critical conditions LOG_CRIT errors Error conditions LOG_ERR warnings Warning conditions LOG_WARNING notifications...
  • Page 464: Configuring UNIX Syslog Servers

    Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 logging history level Change the default level of syslog messages stored in the history file and...
  • Page 465: Configuring the UNIX System Logging Facility

    Step 1 Add a line such as the following to the file /etc/syslog.conf: local7.debug /usr/adm/logs/cisco.log The local7 keyword specifies the logging facility to be used; see Table 25-4 on page 25-12 for information on the facilities.
  • Page 466: Displaying The Logging Configuration

    Displaying the Logging Configuration To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
  • Page 467: Chapter 26 Configuring SNMP

    Note For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This chapter consists of these sections: • Understanding SNMP, page 26-1 •...
  • Page 468: SNMP Versions

    Understanding SNMP This section includes information about these topics: • SNMP Versions, page 26-2 • SNMP Manager Functions, page 26-3 • SNMP Agent Functions, page 26-4 • SNMP Community Strings, page 26-4 • Using SNMP to Access MIB Variables, page 26-5 •...
  • Page 469: SNMP Manager Functions

    Table 26-1 identifies the characteristics of the different combinations of security models and levels. Table 26-1 SNMP Security Models and Levels Model Level Authentication Encryption Result SNMPv1 noAuthNoPriv Community string No Uses a community string match for authentication. SNMPv2C noAuthNoPriv Community string No...
  • Page 470: SNMP Agent Functions

    SNMP Agent Functions The SNMP agent responds to SNMP manager requests as follows: • Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value. •...
  • Page 471: Using SNMP to Access MIB Variables

    Using SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management software. CiscoWorks 2000 software uses the switch MIB variables to set device variables and to poll devices on the network for specific information.
  • Page 472: SNMP ifIndex MIB Object Values

    SNMP ifIndex MIB Object Values In an NMS, the IF-MIB generates and assigns an interface index (ifIndex) object value that is a unique number greater than zero to identify a physical or a logical interface. When the switch reboots or the switch software is upgraded, the switch uses this same value for the interface.
  • Page 473: Default SNMP Configuration

    Modifying the group's notify view affects all users associated with that group. Refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1 for information about when you should configure notify views.
  • Page 474: Disabling the SNMP Agent

    Disabling the SNMP Agent Beginning in privileged EXEC mode, follow these steps to disable the SNMP agent: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no snmp-server Disable the SNMP agent operation. Step 3 end Return to privileged EXEC mode.
  • Page 475: Configuring SNMP Groups and Users

    Command Purpose Step 3 access-list access-list-number {deny | permit} source [source-wildcard] (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary.
  • Page 476 Beginning in privileged EXEC mode, follow these steps to configure SNMP on the switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server engineID {local engineid-string | remote ip-address [udp-port port-number] Configure a name for either the local or remote copy of SNMP. •...
  • Page 477: Configuring SNMP Notifications

    Command Purpose Step 4 snmp-server user username groupname [remote host [udp-port port]] {v1 | v2c | v3 [auth {md5 | sha} auth-password]} Configure a new user to an SNMP group. • The username is the name of the user on the host that connects to the agent.
  • Page 478 Table 26-5 Switch Notification Types Notification Type Keyword Description Generates BGP state change traps. This option is only available when the enhanced multilayer image is installed. bridge Generates STP bridge MIB traps. cluster Generates a trap when the cluster configuration changes. config Generates a trap for SNMP configuration changes.
  • Page 479 Beginning in privileged EXEC mode, follow these steps to configure the switch to send traps or informs to a host: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server engineID remote Specify the engine ID for the remote host.
  • Page 480: Setting the Agent Contact and Location Information

    Command Purpose Step 9 end Return to privileged EXEC mode. Step 10 show running-config Verify your entries. Step 11 copy running-config startup-config (Optional) Save your entries in the configuration file. The snmp-server host command specifies which hosts receive the notifications. The snmp-server enable traps command globally enables the mechanism for the specified notification (for traps and informs).
  • Page 481: Limiting TFTP Servers Used Through SNMP

    Limiting TFTP Servers Used Through SNMP Beginning in privileged EXEC mode, follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list: Command Purpose Step 1...
  • Page 482: Displaying SNMP Status

    Switch(config)# snmp-server enable traps entity Switch(config)# snmp-server host cisco.com restricted entity This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public: Switch(config)# snmp-server enable traps Switch(config)# snmp-server host myhost.cisco.com public...
  • Page 483: Chapter 27 Configuring Network Security with ACLs

    For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release and the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Configuration Guide and the Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1.
  • Page 484: Supported ACLs

    You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network.
  • Page 485: Port ACLs

    • When a VLAN map, input router ACL, and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL. Incoming routed IP packets received on other ports are filtered by both the VLAN map and the router ACL.
  • Page 486: Router ACLs

    When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
  • Page 487: Handling Fragmented and Unfragmented Traffic

    Figure 27-2 Using VLAN Maps to Control Traffic (figure: Host A and Host B, both in VLAN 10, with a VLAN map denying a specific type of traffic from Host A) Handling Fragmented and Unfragmented Traffic IP packets can be fragmented as they cross the network.
  • Page 488: Configuring IP ACLs

    ACEs were checking different hosts. Configuring IP ACLs Configuring IP ACLs on the switch is the same as configuring IP ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, refer to the “Configuring IP Services”...
  • Page 489: Creating Standard and Extended IP ACLs

    Creating Standard and Extended IP ACLs This section describes IP ACLs. An ACL is a sequential collection of permit and deny conditions. The switch tests packets against the conditions in an access list one by one. The first match determines whether the switch accepts or rejects the packet.
  • Page 490: Creating a Numbered Standard ACL

    Table 27-1 Access List Numbers (continued) Access List Number Type Supported 1300–1999 IP standard access list (expanded range) 2000–2699 IP extended access list (expanded range) Note In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs using the supported numbers.
  • Page 491 Use the no access-list access-list-number global configuration command to delete the entire ACL. You cannot delete individual ACEs from numbered access lists. Note When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny statement for all packets that it did not find a match for before reaching the end.
  • Page 492: Creating a Numbered Extended ACL

    ICMP echo-reply cannot be filtered. All other ICMP codes or types can be filtered. Note For more details on the specific keywords relative to each protocol, refer to Cisco IP and IP Routing Command Reference for IOS Release 12.1. Note The switch does not support dynamic or reflexive access lists.
  • Page 493 Beginning in privileged EXEC mode, follow these steps to create an extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2a access-list access-list-number {deny | permit} protocol Define an extended IP access list and the access conditions. The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
  • Page 494 TCP port. To see TCP port names, use the ? or refer to “Configuring IP Services” section of Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1. Use only TCP port numbers or names when filtering TCP.
  • Page 495 ICMP message type and code name. To see a list of ICMP message type names and ICMP message type and code names, use the ? or refer to the “Configuring IP Services” section of Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1.
  • Page 496: Creating Named Standard and Extended ACLs

    After creating a numbered extended ACL, you can apply it to terminal lines (see the “Applying an IP ACL to a Terminal Line” section on page 27-18), to interfaces (see the “Applying an IP ACL to an Interface”...
  • Page 497 Beginning in privileged EXEC mode, follow these steps to create an extended ACL using names: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip access-list extended name Define an extended IP access list using a name and enter access-list configuration mode.
  • Page 498: Using Time Ranges with ACLs

    Using Time Ranges with ACLs You can selectively apply extended ACLs based on the time of day and week by using the time-range global configuration command. First, define a time-range name and set the times and the dates or the days of the week in the time range.
  • Page 499 To remove a configured time-range limitation, use the no time-range time-range-name global configuration command. This example shows how to configure time ranges for workhours and for company holidays and to verify your configuration.
  • Page 500: Including Comments in ACLs

    Including Comments in ACLs You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.
  • Page 501: Applying an IP ACL to an Interface

    Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 502 Beginning in privileged EXEC mode, follow these steps to control access to an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Identify a specific interface for configuration, and enter interface configuration mode.
  • Page 503: Hardware and Software Treatment of IP ACLs

    This section provides examples of configuring and applying IP ACLs. For detailed information about compiling ACLs, refer to the Security Configuration Guide and the “IP Services” chapter of the Cisco IOS IP and IP Routing Configuration Guide for IOS Release 12.1.
  • Page 504 Use router ACLs to do this in one of two ways: • Create a standard ACL, and filter traffic coming to the server from Port 1. • Create an extended ACL, and filter traffic coming from the server into Port 1. Figure 27-3 Using Router ACLs to Control Traffic Server A Server B...
  • Page 505: Numbered Acls

    Numbered ACLs In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host.
  • Page 506: Named Acls

    Named ACLs This example creates a standard ACL named internet_filter and an extended ACL named marketing_group. The internet_filter ACL allows all traffic from the source address 1.2.3.4. Switch(config)# ip access-list standard Internet_filter Switch(config-std-nacl)# permit 1.2.3.4 Switch(config-std-nacl)# exit The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard...
  • Page 507: Commented Ip Acl Entries

    Commented IP ACL Entries In this example of a numbered ACL, the workstation belonging to Jones is allowed access, and the workstation belonging to Smith is not allowed access: Switch(config)# access-list 1 remark Permit only Jones workstation through Switch(config)# access-list 1 permit 171.69.2.88 Switch(config)# access-list 1 remark Do not allow Smith workstation through Switch(config)# access-list 1 deny 171.69.3.13...
  • Page 508: Creating Named Mac Extended Acls

    This example is a named extended access list ext1 that permits ICMP packets from any source to 10.1.1.0 0.0.0.255 and denies all UDP packets. Switch(config)# ip access-list extended ext1 Switch(config-ext-nacl)# permit icmp any 10.1.1.0 0.0.0.255 log Switch(config-ext-nacl)# deny udp any any log Switch(config-ext-nacl)# exit...
  • Page 509 Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac access-list extended name Define an extended MAC access list using a name.
  • Page 510: Applying A Mac Acl To A Layer 2 Interface

    Applying a MAC ACL to a Layer 2 Interface After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface.
  • Page 511: Configuring Vlan Maps

    Configuring VLAN Maps This section describes how to configure VLAN maps, which are the only way to control filtering within a VLAN. VLAN maps have no direction. To filter traffic in a specific direction by using a VLAN map, you need to include an ACL with specific source or destination addresses.
  • Page 512: Creating A Vlan Map

    • If the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does not match any of these match clauses, the default is to drop the packet. If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet.
  • Page 513: Examples Of Acls And Vlan Maps

    VLAN maps do not use the specific permit or deny keywords. To deny a packet by using VLAN maps, create an ACL that would match the packet, and set the action to drop. A permit in the ACL counts as a match.
  • Page 514 Switch(config-access-map)# action drop Switch(config-access-map)# exit Switch(config)# vlan access-map drop-ip-default 30 Switch(config-access-map)# match ip address tcp-match Switch(config-access-map)# action forward Example 3 In this example, the VLAN map has a default action of drop for MAC packets and a default action of forward for IP packets.
  • Page 515: Applying A Vlan Map To A Vlan

    Applying a VLAN Map to a VLAN Beginning in privileged EXEC mode, follow these steps to apply a VLAN map to one or more VLANs: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 516 Figure 27-4 Wiring Closet Configuration (figure: Switches A, B, and C; Host X 10.1.1.32 in VLAN 1 and Host Y 10.1.1.34 in VLAN 2; VLAN map denies HTTP from X to Y, so HTTP is dropped at the entry point)...
  • Page 517: Denying Access To A Server On Another Vlan

    Denying Access to a Server on Another VLAN You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs to have access denied to these hosts (see Figure 27-5): Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.
  • Page 518: Using Vlan Maps With Router Acls

    Using VLAN Maps with Router ACLs To access control both bridged and routed traffic, you can use VLAN maps only or a combination of router ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces, and you can define a VLAN map to access control the bridged traffic.
  • Page 519: Examples Of Router Acls And Vlan Maps Applied To Vlans

    • To define multiple actions in an ACL (permit, deny), group each action type together to reduce the number of entries. • Avoid including Layer 4 information in an ACL; adding this information complicates the merging process.
  • Page 520: Acls And Bridged Packets

    ACLs and Bridged Packets Figure 27-7 shows how an ACL is applied on fallback-bridged packets. For bridged packets, only Layer 2 ACLs are applied to the input VLAN. Only non-IP, non-ARP packets can be fallback-bridged. Figure 27-7 Applying ACLs on Bridged Packets (figure: VLAN 10, VLAN 20)...
  • Page 521: Acls And Multicast Packets

    Figure 27-8 Applying ACLs on Routed Packets (figure: a frame from Host A in VLAN 10 to Host B in VLAN 20 passes the input router ACL on VLAN 10, the routing function, and the output router ACL on VLAN 20). ACLs and Multicast Packets...
  • Page 522: Displaying Acl Configuration

    Displaying ACL Configuration You can display the ACLs that are configured on the switch, and you can display the ACLs that have been applied to interfaces and VLANs. When you use the ip access-group interface configuration command to apply ACLs to a Layer 2 or 3 interface, you can display the access groups on the interface.
  • Page 523: Chapter 28 Configuring Qos

    Chapter 28 Configuring QoS This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the Catalyst 3560 switch. With QoS, you can provide preferential treatment to certain traffic at the expense of others.
  • Page 524 The classification is carried in the IP packet header, using 6 bits from the deprecated IP type of service (TOS) field to carry the classification (class) information. Classification can also be carried in the Layer 2 frame.
  • Page 525: Basic Qos Model

    All switches and routers that access the Internet rely on the class information to provide the same forwarding treatment to packets with the same class information and different treatment to packets with different class information. The class information in the packet can be assigned by end hosts or by switches or routers along the way, based on a configured policy, detailed examination of the packet, or both.
  • Page 526: Classification

    Actions at the egress port include queueing and scheduling: • Queueing evaluates the QoS label and the corresponding DSCP or CoS value to select into which of the four egress queues to place a packet. Because congestion can occur when multiple ingress ports simultaneously send data to an egress port, WTD is used to differentiate traffic classes and to subject the packets to different thresholds based on the QoS label.
  • Page 527 You specify which fields in the frame or packet that you want to use to classify incoming traffic. For non-IP traffic, you have these classification options as shown in Figure 28-3: • Trust the CoS value in the incoming frame (configure the port to trust CoS). Then use the configurable CoS-to-DSCP map to generate a DSCP value for the packet.
  • Page 528 Figure 28-3 Classification Flowchart (flowchart: start; read ingress interface configuration for classification; trust CoS for IP and non-IP traffic, trust DSCP for IP traffic, or trust IP precedence for IP traffic)...
  • Page 529: Classification Based On Qos Acls

    Classification Based on QoS ACLs You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs: •...
  • Page 530: Policing And Marking

    You create and name a policy map by using the policy-map global configuration command. When you enter this command, the switch enters the policy-map configuration mode. In this mode, you specify the actions to take on a specific traffic class by using the class, trust, or set policy-map configuration and policy-map class configuration commands.
  • Page 531 Policing uses a token-bucket algorithm. As each frame is received by the switch, a token is added to the bucket. The bucket has a hole in it and leaks at a rate that you specify as the average traffic rate in bits per second.
  • Page 532: Mapping Tables

    Mapping Tables During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS label based on the DSCP or CoS value from the classification stage: • During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or CoS value from a received CoS, DSCP, or IP precedence value.
  • Page 533: Queueing And Scheduling Overview

    Queueing and Scheduling Overview The switch has queues at specific points to help prevent congestion as shown in Figure 28-5. Figure 28-5 Ingress and Egress Queue Location (figure: policer and marker, ingress queues, internal ring, egress queues)...
  • Page 534: Srr Shaping And Sharing

    Figure 28-6 WTD and Queue Operation. For more information, see the “Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds” section on page 28-53, the “Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set”...
  • Page 535: Queueing And Scheduling On Ingress Queues

    Queueing and Scheduling on Ingress Queues Figure 28-7 shows the queueing and scheduling flowchart for ingress ports. Figure 28-7 Queueing and Scheduling Flowchart for Ingress Ports (flowchart: start; read QoS label (DSCP or CoS value); determine ingress queue number, buffer allocation, and WTD thresholds)...
  • Page 536 You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
  • Page 537: Queueing And Scheduling On Egress Queues

    Queueing and Scheduling on Egress Queues Figure 28-8 shows the queueing and scheduling flowchart for egress ports. Note: If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues. Figure 28-8 Queueing and Scheduling Flowchart for Egress Ports (flowchart: start)...
  • Page 538 Figure 28-9 shows the egress queue buffer. The buffer space is divided between the common pool and the reserved pool. The switch uses a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue, to prevent any queue or port from consuming all the buffers and depriving other queues, and to control whether to grant buffer space to a requesting queue.
  • Page 539: Packet Modification

    threshold-id cos1...cos8} global configuration command. You can display the DSCP output queue threshold map and the CoS output queue threshold map by using the show mls qos maps privileged EXEC command. The queues use WTD to support distinct drop percentages for different traffic classes. Each queue has three drop thresholds: two configurable (explicit) WTD thresholds and one nonconfigurable (implicit) threshold preset to the queue-full state.
  • Page 540: Configuring Auto-Qos

    The switch uses the resulting classification to choose the appropriate egress queue. You use auto-QoS commands to identify ports connected to Cisco IP Phones and to identify ports that receive trusted voice over IP (VoIP) traffic through an uplink. Auto-QoS then performs these functions: •...
  • Page 541 The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP Phone. When a Cisco IP Phone is detected, the ingress classification on the port is set to trust the QoS label received in the packet. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet.
  • Page 542 Ensure Port Security” section on page 28-34. When you enable auto-QoS by using the auto qos voip cisco-phone or the auto qos voip trust interface configuration command, the switch automatically generates a QoS configuration based on the traffic type and ingress packet label and applies the commands listed in Table 28-5 to the port.
  • Page 543 Table 28-5 Generated Auto-QoS Configuration (continued). Description: The switch automatically maps DSCP values to an ingress queue and to a threshold ID. Automatically generated commands: Switch(config)# no mls qos srr-queue input dscp-map Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15 Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7...
  • Page 544: Effects Of Auto-Qos On The Configuration

    Auto-QoS Configuration Guidelines Before configuring auto-QoS, you should be aware of this information: • In this release, auto-QoS configures the switch only for VoIP with Cisco IP Phones. • To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other...
  • Page 545: Enabling Auto-Qos For Voip

    Enter global configuration mode. Step 2 interface interface-id Specify the port that is connected to a Cisco IP Phone or the uplink port that is connected to another switch or router in the interior of the network, and enter interface configuration mode.
  • Page 546: Auto-Qos Configuration Example

    Figure 28-10 shows a network in which the VoIP traffic is prioritized over all other traffic. Auto-QoS is enabled on the switches in the wiring closets at the edge of the QoS domain.
  • Page 547 Step 6 exit Return to global configuration mode. Step 7 Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone. Step 8 auto qos voip cisco-phone Enable auto-QoS on the port, and specify that the port is connected to a Cisco IP Phone.
  • Page 548: Displaying Auto-Qos Information

    Displaying Auto-QoS Information To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
  • Page 549: Default Standard Qos Configuration

    Default Standard QoS Configuration QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
  • Page 550: Default Egress Queue Configuration

    Default Egress Queue Configuration Table 28-9 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited. Table 28-9 Default Egress Queue Configuration Feature Queue 1...
  • Page 551: Standard Qos Configuration Guidelines

    Standard QoS Configuration Guidelines Before beginning the QoS configuration, you should be aware of this information: • You configure QoS only on physical ports; there is no support for it on the VLAN or switch virtual interface level.
  • Page 552: Enabling Qos Globally

    Enabling QoS Globally By default, QoS is disabled on the switch. Beginning in privileged EXEC mode, follow these steps to enable QoS. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos Enable QoS globally.
  • Page 553: Configuring The Trust State On Ports Within The Qos Domain

    Configuring the Trust State on Ports within the QoS Domain Packets entering a QoS domain are classified at the edge of the QoS domain. When the packets are classified at the edge, the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain.
  • Page 554 Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be trusted, and enter interface configuration mode.
  • Page 555: Configuring The Cos Value For An Interface

    Configuring the CoS Value for an Interface QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports. Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port: Command Purpose...
  • Page 556: Configuring A Trusted Boundary To Ensure Port Security

    CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue.
  • Page 557: Configuring The Dscp Trust State On A Port Bordering Another Qos Domain

    Configuring the DSCP Trust State on a Port Bordering Another QoS Domain If you are administering two separate QoS domains between which you want to implement QoS features for IP traffic, you can configure the switch ports bordering the domains to a DSCP-trusted state as shown in Figure 28-12.
  • Page 558: Configuring A Qos Policy

    Command Purpose Step 5 mls qos dscp-mutation dscp-mutation-name Apply the map to the specified ingress DSCP-trusted port. For dscp-mutation-name, specify the mutation map name created in Step 2. You can configure multiple DSCP-to-DSCP-mutation maps on an ingress port.
  • Page 559: Classifying Traffic By Using Acls

    Classifying Traffic by Using ACLs You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs. Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic: Command Purpose Step 1...
  • Page 560 Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} protocol source source-wildcard Create an IP extended ACL, repeating the command as many times as necessary.
  • Page 561 Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac access-list extended name Create a Layer 2 MAC ACL by specifying the name of the list.
  • Page 562: Classifying Traffic By Using Class Maps

    Classifying Traffic by Using Class Maps You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further classify it.
  • Page 563 Command Purpose Step 4 match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list} Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported.
  • Page 564: Classifying, Policing, And Marking Traffic By Using Policy Maps

    Classifying, Policing, and Marking Traffic by Using Policy Maps A policy map specifies which traffic class to act on. Actions can include trusting the CoS, DSCP, or IP precedence values in the traffic class; setting a specific DSCP or IP precedence value in the traffic class; and specifying the traffic bandwidth limitations for each matched traffic class (policer) and the action to take when the traffic is out of profile (marking).
  • Page 565 Command Purpose Step 5 trust [cos | dscp | ip-precedence] Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label. Note: This command is mutually exclusive with the set command within the same policy map.
  • Page 566 Command Purpose Step 8 exit Return to policy map configuration mode. Step 9 exit Return to global configuration mode. Step 10 interface interface-id Specify the port to attach to the policy map, and enter interface configuration mode.
  • Page 567: Classifying, Policing, And Marking Traffic By Using Aggregate Policers

    Switch(config-ext-mac)# exit Switch(config)# class-map macclass1 Switch(config-cmap)# match access-group maclist1 Switch(config-cmap)# exit Switch(config)# policy-map macpolicy1 Switch(config-pmap)# class macclass1 Switch(config-pmap-c)# set ip dscp 63 Switch(config-pmap-c)# exit Switch(config-pmap)# class macclass2 maclist2 Switch(config-pmap-c)# set ip dscp 45 Switch(config-pmap-c)# exit Switch(config-pmap)# exit Switch(config)# interface gigabitethernet0/1...
  • Page 568 Command Purpose Step 5 class class-map-name Define a traffic classification, and enter policy-map class configuration mode. For more information, see the “Classifying, Policing, and Marking Traffic by Using Policy Maps” section on page 28-42.
  • Page 569: Configuring Dscp Maps

    Switch(config)# interface gigabitethernet0/1 Switch(config-if)# service-policy input aggflow1 Switch(config-if)# exit Configuring DSCP Maps These sections describe how to configure the DSCP maps: • Configuring the CoS-to-DSCP Map, page 28-47 (optional) • Configuring the IP-Precedence-to-DSCP Map, page 28-48 (optional) •...
  • Page 570: Configuring The Ip-Precedence-To-Dscp Map

    This example shows how to modify and display the CoS-to-DSCP map: Switch(config)# mls qos map cos-dscp 10 15 20 25 30 35 40 45 Switch(config)# end Switch# show mls qos maps cos-dscp Cos-dscp map: cos: -------------------------------- dscp:...
  • Page 571: Configuring The Policed-Dscp Map

    Configuring the Policed-DSCP Map You use the policed-DSCP map to mark down a DSCP value to a new value as the result of a policing and marking action. The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value.
  • Page 572: Configuring The Dscp-To-Cos Map

    Configuring the DSCP-to-CoS Map You use the DSCP-to-CoS map to generate a CoS value, which is used to select one of the four egress queues. Table 28-14 shows the default DSCP-to-CoS map. Table 28-14 Default DSCP-to-CoS Map DSCP value 0–7 8–15...
  • Page 573: Configuring The Dscp-To-Dscp-Mutation Map

    Configuring the DSCP-to-DSCP-Mutation Map If two QoS domains have different DSCP definitions, use the DSCP-to-DSCP-mutation map to translate one set of DSCP values to match the definition of another domain. You apply the DSCP-to-DSCP-mutation map to the receiving port (ingress mutation) at the boundary of a QoS administrative domain.
  • Page 574: Configuring Ingress Queue Characteristics

    This example shows how to define the DSCP-to-DSCP-mutation map. All the entries that are not explicitly configured are not modified (they remain as specified in the null map): Switch(config)# mls qos map dscp-mutation mutation1 1 2 3 4 5 6 7 to 0 Switch(config)# mls qos map dscp-mutation mutation1 8 9 10 11 12 13 to 10 Switch(config)# mls qos map dscp-mutation mutation1 20 21 22 to 20 Switch(config)# mls qos map dscp-mutation mutation1 30 31 32 33 34 to 30...
  • Page 575 Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped. Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and to set WTD thresholds.
  • Page 576: Allocating Buffer Space Between The Ingress Queues

    This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent. It maps DSCP values 20 to 26 to ingress queue 1 and to threshold 2 with a drop threshold of 70 percent: Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 1 0 1 2 3 4 5 6 Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 20 21 22 23 24 25 26...
  • Page 577: Allocating Bandwidth Between The Ingress Queues

    Allocating Bandwidth Between the Ingress Queues You need to specify how much of the available bandwidth is allocated between the ingress queues. The ratio of the weights is the ratio of the frequency in which the SRR scheduler sends packets from each queue.
  • Page 578: Configuring The Ingress Priority Queue

    Configuring the Ingress Priority Queue You should use the priority queue only for traffic that needs to be expedited (for example, voice traffic, which needs minimum delay and jitter). The priority queue is guaranteed part of the bandwidth to reduce the delay and jitter under heavy network traffic on an oversubscribed ring (when there is more traffic than the backplane can carry, and the queues are full and dropping frames).
  • Page 579: Configuring Egress Queue Characteristics

    Configuring Egress Queue Characteristics Depending on the complexity of your network and your QoS solution, you might need to perform all of the tasks in the next sections. You will need to make decisions about these characteristics: •...
  • Page 580 Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and drop thresholds for a queue-set. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos queue-set output qset-id Allocate buffers to a queue-set.
  • Page 581: Mapping Dscp Or Cos Values To An Egress Queue And To A Threshold Id

    Command Purpose Step 7 show mls qos interface [interface-id] buffers Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command.
  • Page 582: Configuring Srr Shaped Weights On Egress Queues

    Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue output dscp-map queue queue-id threshold threshold-id Map DSCP or CoS values to an egress queue and to a threshold ID. By default, DSCP values 0–15 are mapped to queue 2 and threshold 1.
  • Page 583 Note: The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
  • Page 584: Configuring Srr Shared Weights On Egress Queues

    Configuring SRR Shared Weights on Egress Queues In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue empties and does not require a share of the link, the remaining queues can expand into the unused bandwidth and share it among them.
  • Page 585: Configuring The Egress Expedite Queue

    Chapter 28 Configuring QoS Configuring Standard QoS Configuring the Egress Expedite Queue You can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues. Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue.
  • Page 586: Displaying Standard Qos Information

    Chapter 28 Configuring QoS Displaying Standard QoS Information Beginning in privileged EXEC mode, follow these steps to limit the bandwidth on an egress port. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be rate limited, and enter interface configuration mode.
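Added example, not from the guide: one egress-queue configuration that ties together the queue-set buffers and thresholds (page 580), the DSCP-to-queue map (page 582), the SRR shared weights (page 584), the expedite queue (page 585) and the port bandwidth limit (page 586). The buffer percentages, threshold values, DSCP code points and the uplink port gigabitethernet0/1 are illustrative choices, not values the guide prescribes.

```cisco
! Added example (not from the guide). Port and percentages are illustrative.
! Enable QoS globally. Once enabled, ports are untrusted by default, so a host
! cannot choose its own egress queue by marking DSCP unless trust is configured.
mls qos
!
! Queue-set 1: give egress queues 1-4 15/25/40/20 percent of buffer memory.
! The four values must add up to 100.
mls qos queue-set output 1 buffers 15 25 40 20
! Queue 2 of queue-set 1: drop thresholds 1 and 2 at 100 percent, reserve
! 50 percent of its allocation, allow it to grow to 200 percent from the common pool.
mls qos queue-set output 1 threshold 2 100 100 50 200
!
! EF (DSCP 46) goes to queue 1, threshold 3; scavenger CS1 (DSCP 8) to queue 4, threshold 1.
mls qos srr-queue output dscp-map queue 1 threshold 3 46
mls qos srr-queue output dscp-map queue 4 threshold 1 8
!
interface gigabitethernet0/1
 queue-set 1
 ! Expedite queue: SRR drains queue 1 before touching the others.
 priority-queue out
 ! Shared weights; the first value is ignored while priority-queue out is set,
 ! so queues 2-4 split the remainder 30:35:5 and may borrow unused bandwidth.
 srr-queue bandwidth share 1 30 35 5
 ! Cap the port at 80 percent of line rate.
 srr-queue bandwidth limit 80
```

Verify with show mls qos queue-set 1, show mls qos maps dscp-output-q and show mls qos interface gigabitethernet0/1 queueing. Because the expedite queue is strict priority, only put traffic there that is rate-bounded upstream (voice, control plane); an attacker who can reach queue 1 with unbounded traffic starves queues 2 through 4 entirely.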
  • Page 587 Chapter 28 Configuring QoS Displaying Standard QoS Information Table 28-15 Commands for Displaying Standard QoS Information (continued) Command Purpose show mls qos queue-set [qset-id] Display QoS settings for the egress queues. show policy-map [policy-map-name [class class-map-name]] Display QoS policy maps, which define classification criteria for incoming traffic.
  • Page 588 Chapter 28 Configuring QoS Displaying Standard QoS Information
  • Page 589: Chapter 29 Configuring Etherchannels

    C H A P T E R Configuring EtherChannels This chapter describes how to configure EtherChannels on Layer 2 and Layer 3 ports on the Catalyst 3560 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
  • Page 590: Etherchannel Overview

    Chapter 29 Configuring EtherChannels Understanding EtherChannels EtherChannel Overview An EtherChannel consists of individual Fast Ethernet or Gigabit Ethernet links bundled into a single logical link as shown in Figure 29-1. Figure 29-1 Typical EtherChannel Configuration Catalyst 8500 series switch Gigabit EtherChannel 1000BASE-X 1000BASE-X 10/100...
  • Page 591: Port-Channel Interfaces

    Chapter 29 Configuring EtherChannels Understanding EtherChannels Port-Channel Interfaces When you create an EtherChannel, a port-channel logical interface is involved: • With Layer 2 ports, use the channel-group interface configuration command to dynamically create the port-channel logical interface. You also can use the interface port-channel port-channel-number global configuration command to manually create the port-channel logical interface, but then you must use the channel-group channel-group-number command to bind the logical interface to a physical port.
  • Page 592: Port Aggregation Protocol

    Understanding EtherChannels Port Aggregation Protocol The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
  • Page 593: Pagp Interaction With Other Features

    Link Aggregation Control Protocol LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports.
  • Page 594: Lacp Modes

    Chapter 29 Configuring EtherChannels Understanding EtherChannels LACP Modes Table 29-2 shows the user-configurable EtherChannel LACP modes for the channel-group interface configuration command. Table 29-2 EtherChannel LACP Modes Mode Description active Places a port into an active negotiating state in which the port starts negotiations with other ports by sending LACP packets.
  • Page 595 Chapter 29 Configuring EtherChannels Understanding EtherChannels With source-MAC address forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the channel based on the source-MAC address of the incoming packet. Therefore, to provide load balancing, packets from different hosts use different ports in the channel, but packets from the same host use the same port in the channel.
  • Page 596: Configuring Etherchannels

    Figure 29-3 Load Distribution and Forwarding Methods Switch with source-based forwarding enabled EtherChannel Cisco router with destination-based forwarding enabled Configuring EtherChannels These sections describe how to configure EtherChannel on Layer 2 and Layer 3 ports: Default EtherChannel Configuration, page 29-9 •...
  • Page 597: Default Etherchannel Configuration

    Chapter 29 Configuring EtherChannels Configuring EtherChannels Default EtherChannel Configuration Table 29-3 shows the default EtherChannel configuration. Table 29-3 Default EtherChannel Configuration Feature Default Setting Channel groups None assigned. Port-channel logical interface None defined. PAgP mode No default. PAgP learn method Aggregate-port learning on all ports.
  • Page 598: Configuring Layer 2 Etherchannels

    Chapter 29 Configuring EtherChannels Configuring EtherChannels • Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups running PAgP and LACP can coexist on the same switch. Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate. Do not configure a Switched Port Analyzer (SPAN) destination as part of an EtherChannel.
  • Page 599 Chapter 29 Configuring EtherChannels Configuring EtherChannels Command Purpose Step 4 channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive} Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 12. For mode, select one of these keywords: •...
  • Page 600: Configuring Layer 3 Etherchannels

    Chapter 29 Configuring EtherChannels Configuring EtherChannels This example shows how to configure an EtherChannel. It assigns two ports as static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable: Switch# configure terminal Switch(config)# interface range gigabitethernet0/1 -2 Switch(config-if-range)# switchport mode access Switch(config-if-range)# switchport access vlan 10 Switch(config-if-range)# channel-group 5 mode desirable non-silent...
  • Page 601: Configuring The Physical Interfaces

    Chapter 29 Configuring EtherChannels Configuring EtherChannels Command Purpose Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. Step 8 Assign an Ethernet port to the Layer 3 EtherChannel. For more information, see the “Configuring the Physical Interfaces”...
  • Page 602 Chapter 29 Configuring EtherChannels Configuring EtherChannels Command Purpose Step 5 channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive} Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 12. This number must be the same as the port-channel-number (logical port) configured in the “Creating Port-Channel Logical Interfaces”...
  • Page 603: Configuring Etherchannel Load Balancing

    Chapter 29 Configuring EtherChannels Configuring EtherChannels This example shows how to configure an EtherChannel. It assigns two ports to channel 5 with the LACP mode active: Switch# configure terminal Switch(config)# interface range gigabitethernet0/1 -2 Switch(config-if-range)# no ip address Switch(config-if-range)# no switchport Switch(config-if-range)# channel-group 5 mode active Switch(config-if-range)# end Configuring EtherChannel Load Balancing...
  • Page 604: Configuring The Pagp Learn Method And Priority

    Chapter 29 Configuring EtherChannels Configuring EtherChannels Configuring the PAgP Learn Method and Priority Network devices are classified as PAgP physical learners or aggregate-port learners. A device is a physical learner if it learns addresses by physical ports and directs transmissions based on that knowledge.
  • Page 605: Configuring Lacp Hot-Standby Ports

    Chapter 29 Configuring EtherChannels Configuring EtherChannels Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port for transmission, and enter interface configuration mode. Step 3 pagp learn-method physical-port Select the PAgP learning method. By default, aggregation-port learning is selected, which means the switch sends packets to the source by using any of the ports in the EtherChannel.
  • Page 606: Configuring The Lacp System Priority

    Chapter 29 Configuring EtherChannels Configuring EtherChannels In priority comparisons, numerically lower values have higher priority. The priority decides which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating. Ports are considered for active use in aggregation in link-priority order starting with the port attached to the highest priority link.
  • Page 607: Configuring The Lacp Port Priority

    Chapter 29 Configuring EtherChannels Configuring EtherChannels Configuring the LACP Port Priority By default, all ports use the same port priority. If the local system has a lower value for the system priority and the system ID than the remote system, you can affect which of the hot-standby links become active first by changing the port priority of LACP EtherChannel ports to a lower value than the default.
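Added example, not from the guide: a Layer 2 LACP EtherChannel that combines the load-balancing choice (page 603), the LACP system priority (page 606) and the LACP port priority (page 607) into one configuration. Port numbers, the priority values 100 and 200, and the VLAN trunking settings are illustrative assumptions.

```cisco
! Added example (not from the guide). Ports and priority values are illustrative.
! Lower LACP values win. A system priority below the default 32768 makes this
! switch the side whose port priorities decide which links become active and
! which stay in hot standby.
lacp system-priority 100
!
! Frame distribution for every channel on the switch. With src-mac all frames
! from one source MAC stay on one link, so a single router or server feeding
! the bundle is not balanced; pick the method that matches the traffic.
port-channel load-balance src-mac
!
! All members must be configured identically. The 3560 needs the trunk
! encapsulation set before switchport mode trunk is accepted.
interface range gigabitethernet0/1 - 4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! active negotiates with the peer; unlike mode on, a miscabled or
 ! non-LACP link never joins the bundle without agreement from the other end.
 channel-group 1 mode active
!
! Port priorities only matter once a hardware limit forces some links to
! standby; the lowest value is activated first.
interface gigabitethernet0/1
 lacp port-priority 100
interface gigabitethernet0/2
 lacp port-priority 200
!
! channel-group creates port-channel 1; its settings must match the members.
interface port-channel 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
```

Check the result with show etherchannel 1 summary (members flagged P are bundled), show lacp 1 internal for the local priorities and show lacp neighbor to confirm the peer's system ID is the one you expect on that link.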
  • Page 608: Displaying Etherchannel, Pagp, And Lacp Status

    Chapter 29 Configuring EtherChannels Displaying EtherChannel, PAgP, and LACP Status Displaying EtherChannel, PAgP, and LACP Status To display EtherChannel, PAgP, and LACP status information, use the privileged EXEC commands described in Table 29-4: Table 29-4 Commands for Displaying EtherChannel, PAgP, and LACP Status Command Description show etherchannel [channel-group-number {detail |...
  • Page 609: Chapter 30 Configuring Ip Unicast Routing

    For more detailed IP unicast configuration information, refer to the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1. For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. This chapter consists of these sections: •...
  • Page 610: Understanding Ip Routing

    Chapter 30 Configuring IP Unicast Routing Understanding IP Routing Understanding IP Routing In some network environments, VLANs are associated with individual networks or subnetworks. In an IP network, each subnetwork is mapped to an individual VLAN. Configuring VLANs helps control the size of the broadcast domain and keeps local traffic local.
  • Page 611: Steps For Configuring Routing

    Steps for Configuring Routing By default, IP routing is disabled on the switch, and you must enable it before routing can take place. For detailed IP routing configuration information, refer to the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1.
  • Page 612: Configuring Ip Addressing

    Chapter 30 Configuring IP Unicast Routing Configuring IP Addressing Configuring routing consists of several main procedures: • To support VLAN interfaces, create and configure VLANs on the switch, and assign VLAN membership to Layer 2 interfaces. For more information, see Chapter 12, “Configuring VLANs.”...
  • Page 613: Assigning Ip Addresses To Network Interfaces

    Chapter 30 Configuring IP Unicast Routing Configuring IP Addressing Table 30-1 Default Addressing Configuration (continued) Feature Default Setting IP forward-protocol If a helper address is defined or User Datagram Protocol (UDP) flooding is configured, UDP forwarding is enabled on default ports. Any-local-broadcast: Disabled.
  • Page 614: Use Of Subnet Zero

    Chapter 30 Configuring IP Unicast Routing Configuring IP Addressing Command Purpose Step 7 show interfaces [interface-id] Verify your entries. show ip interface [interface-id] show running-config interface [interface-id] Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. Use of Subnet Zero Subnetting with a subnet address of zero is strongly discouraged because of the problems that can arise if a network and a subnet have the same addresses.
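Added example, not from the guide: the routing-setup sequence from pages 611 through 614 carried through end to end, with a VLAN interface, a routed physical port and subnet zero disabled. VLAN number, addresses and the choice of gigabitethernet0/1 as the routed port are illustrative assumptions.

```cisco
! Added example (not from the guide). VLAN, addresses and port are illustrative.
! IP routing is off by default; nothing below forwards between subnets
! until this line is present.
ip routing
!
! Layer 2 VLAN for users; the SVI below is its default gateway.
vlan 10
 name USERS
!
interface vlan 10
 ip address 10.1.10.1 255.255.255.0
 no shutdown
!
! Routed (Layer 3) port toward an upstream router: no switchport turns the
! physical port into an interface that takes an IP address directly.
interface gigabitethernet0/1
 no switchport
 ip address 192.0.2.1 255.255.255.252
 no shutdown
!
! Reject subnet-zero addresses, as the guide strongly discourages them.
no ip subnet-zero
```

Confirm with show ip interface brief (both interfaces up/up with their addresses) and show ip route, which should list 10.1.10.0/24 and 192.0.2.0/30 as connected. A routed port belongs to no VLAN, so access-layer Layer 2 controls (port security, VLAN ACLs) no longer apply to it; filter it with a router ACL instead.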
  • Page 615 Chapter 30 Configuring IP Unicast Routing Configuring IP Addressing Figure 30-2 IP Classless Routing (figure: a host in network 128.20.0.0 sends to 128.20.4.1; the router, with ip classless enabled, holds subnets 128.20.1.0, 128.20.2.0 and 128.20.3.0 and a 128.0.0.0/8 route) In Figure 30-3, the router in network 128.20.0.0 is connected to subnets 128.20.1.0, 128.20.2.0, and 128.20.3.0. If the host sends a packet to 128.20.4.1, because there is no network default route, the router discards the packet.
  • Page 616: Configuring Address Resolution Methods

    Using RARP requires a RARP server on the same network segment as the router interface. Use the ip rarp-server address interface configuration command to identify the server. For more information on RARP, refer to the Cisco IOS Configuration Fundamentals Configuration Guide for Release 12.1.
  • Page 617 Chapter 30 Configuring IP Unicast Routing Configuring IP Addressing Define a Static ARP Cache ARP and other address resolution protocols provide dynamic mapping between IP addresses and MAC addresses. Because most hosts support dynamic address resolution, you usually do not need to specify static ARP cache entries.
  • Page 618: Set Arp Encapsulation

    Chapter 30 Configuring IP Unicast Routing Configuring IP Addressing Set ARP Encapsulation By default, Ethernet ARP encapsulation (represented by the arpa keyword) is enabled on an IP interface. You can change the encapsulation methods to SNAP if required by your network. Beginning in privileged EXEC mode, follow these steps to specify the ARP encapsulation type: Command Purpose...
  • Page 619: Routing Assistance When Ip Routing Is Disabled

    Chapter 30 Configuring IP Unicast Routing Configuring IP Addressing Routing Assistance When IP Routing is Disabled These mechanisms allow the switch to learn about routes to other networks when it does not have IP routing enabled: • Proxy ARP, page 30-11 •...
  • Page 620: Icmp Router Discovery Protocol (Irdp)

    Chapter 30 Configuring IP Unicast Routing Configuring IP Addressing ICMP Router Discovery Protocol (IRDP) Router discovery allows the switch to dynamically learn about routes to other networks using IRDP. IRDP allows hosts to locate routers. When operating as a client, the switch generates router discovery packets.
  • Page 621: Configuring Broadcast Packet Handling

    Chapter 30 Configuring IP Unicast Routing Configuring IP Addressing If you change the maxadvertinterval value, the holdtime and minadvertinterval values also change, so it is important to first change the maxadvertinterval value, before manually changing either the holdtime or minadvertinterval values. Use the no ip irdp interface configuration command to disable IRDP routing.
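Added example, not from the guide: the ARP and router-discovery settings from pages 617 through 621 applied to one VLAN interface, with a static ARP entry, ARP aging, proxy ARP and IRDP all set explicitly. The addresses, the server MAC 0000.0c12.3456 and the 900-second timeout are illustrative assumptions.

```cisco
! Added example (not from the guide). Addresses, MAC and timers are illustrative.
! Pin the MAC of a fixed host (a server at 10.1.10.20) so a spoofed ARP reply
! cannot redirect the switch's traffic for it. arpa is the Ethernet
! encapsulation the guide lists as the default.
arp 10.1.10.20 0000.0c12.3456 arpa
!
interface vlan 10
 ip address 10.1.10.1 255.255.255.0
 ! Age dynamic ARP entries after 15 minutes instead of the 4-hour default,
 ! so a replaced or removed host stops being answered for sooner.
 arp timeout 900
 ! Do not answer ARP on behalf of hosts in other subnets: a host with a wrong
 ! mask then fails visibly instead of being silently routed through the switch.
 no ip proxy-arp
 ! IRDP is off by default; keep it off unless hosts rely on router discovery,
 ! since advertisements are unauthenticated and a rogue sender can become the
 ! hosts' gateway.
 no ip irdp
```

Verify with show arp (the static entry shows no age) and show ip interface vlan 10, which reports whether proxy ARP and router discovery are enabled on the interface.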
  • Page 622: Forwarding Udp Broadcast Packets And Protocols

    By default, both UDP and ND forwarding are enabled if a helper address has been defined for an interface. The description for the ip forward-protocol global configuration command in the Cisco IOS IP and IP Routing Command Reference for Release 12.1 lists the ports that are forwarded by default if you do not specify any UDP ports.
  • Page 623: Establishing An Ip Broadcast Address

    Chapter 30 Configuring IP Unicast Routing Configuring IP Addressing If you do not specify any UDP ports when you configure the forwarding of UDP broadcasts, you are configuring the router to act as a BOOTP forwarding agent. BOOTP packets carry Dynamic Host Configuration Protocol (DHCP) information.
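Added example, not from the guide: a DHCP relay built from the ip helper-address and ip forward-protocol commands discussed on pages 622 and 623, trimmed so that only the UDP services that actually need to cross the relay are forwarded. The VLAN, the server address 10.1.100.10 and the extra port 4011 (PXE boot service) are illustrative assumptions.

```cisco
! Added example (not from the guide). Addresses and the extra port are illustrative.
! Relay client broadcasts on VLAN 10 to a DHCP server on another subnet.
interface vlan 10
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.100.10
!
! Defining a helper address turns on UDP and ND forwarding for the default
! port list: TFTP (69), DNS (53), time (37), NetBIOS name (137) and datagram
! (138), BOOTP (67/68), TACACS (49) and IEN-116 name service (42).
! Stop relaying the NetBIOS ports so Windows name-service chatter stays on
! its segment, and disable ND forwarding, which nothing here uses.
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol nd
!
! A service outside the default list must be added explicitly.
ip forward-protocol udp 4011
```

Check show ip interface vlan 10 for the helper address, and show running-config for the resulting no ip forward-protocol lines. Every port left in the list is a broadcast that the switch will unicast off the segment on a client's behalf, so review the list whenever a helper address is added rather than accepting the defaults.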
  • Page 624: Flooding Ip Broadcasts

    Chapter 30 Configuring IP Unicast Routing Configuring IP Addressing Flooding IP Broadcasts You can allow IP broadcasts to be flooded throughout your internetwork in a controlled fashion by using the database created by the bridging STP. Using this feature also prevents loops. To support this capability, bridging must be configured on each interface that is to participate in the flooding.
  • Page 625: Monitoring And Maintaining Ip Addressing

    Chapter 30 Configuring IP Unicast Routing Configuring IP Addressing Beginning in privileged EXEC mode, follow these steps to increase spanning-tree-based flooding: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip forward-protocol turbo-flood Use the spanning-tree database to speed up flooding of UDP datagrams. Step 3 Return to privileged EXEC mode.
  • Page 626: Enabling Ip Unicast Routing

    (RIP) router configuration command. For information on specific protocols, refer to sections later in this chapter and to the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1. Note The SMI supports only RIP as a routing protocol. Step 4 Return to privileged EXEC mode.
  • Page 627: Configuring Rip

    It is a distance-vector routing protocol that uses broadcast User Datagram Protocol (UDP) data packets to exchange routing information. The protocol is documented in RFC 1058. You can find detailed information about RIP in IP Routing Fundamentals, published by Cisco Press. Note RIP is the only routing protocol supported by the SMI;...
  • Page 628: Configuring Basic Rip Parameters

    Chapter 30 Configuring IP Unicast Routing Configuring RIP Table 30-4 Default RIP Configuration (continued) Feature Default Setting Neighbor None defined. Network None specified. Offset list Disabled. Output delay 0 milliseconds. Timers basic Update: 30 seconds. • Invalid: 180 seconds. • Hold-down: 180 seconds.
  • Page 629: Configuring Rip Authentication

    Chapter 30 Configuring IP Unicast Routing Configuring RIP Command Purpose Step 8 version {1 | 2} (Optional) Configure the switch to receive and send only RIP Version 1 or RIP version 2 packets. By default, the switch receives Version 1 and 2 but sends only Version 1.
  • Page 630: Configuring Summary Addresses And Split Horizon

    Chapter 30 Configuring IP Unicast Routing Configuring RIP Command Purpose Step 3 ip rip authentication key-chain name-of-chain Enable RIP authentication. Step 4 ip rip authentication mode {text | md5} Configure the interface to use plain text authentication (the default) or MD5 digest authentication. Step 5 Return to privileged EXEC mode.
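Added example, not from the guide: RIP version 2 with the MD5 authentication from page 629 configured end to end, including the key chain that the interface commands reference. The key-chain name, key string, network and VLAN interfaces are illustrative assumptions; the key string is a placeholder and must be replaced.

```cisco
! Added example (not from the guide). Names, key string and VLANs are illustrative.
! The key chain holds the shared secret. Every RIP neighbor on the link must
! use the same key ID and key string.
key chain RIP-KEYS
 key 1
  key-string R1pS3cret
!
router rip
 ! Authentication requires version 2; version 1 packets carry no auth field.
 version 2
 network 10.0.0.0
 no auto-summary
 ! Never send updates into the user VLAN; there is no router there to hear
 ! them, only hosts that could spoof replies.
 passive-interface vlan 10
!
! Authenticate on the router-facing interface. mode md5 replaces the plain-text
! default, which sends the key on the wire in clear.
interface vlan 20
 ip rip authentication key-chain RIP-KEYS
 ip rip authentication mode md5
```

show ip rip database lists what was accepted; show ip protocols shows the passive interfaces and the RIP version in use. Plain-text mode is only a guard against accidental peering, since anyone on the segment can read the key from an update; use md5 on any link you do not fully control.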
  • Page 631: Configuring Igrp

    Switch(config-router)# end Configuring IGRP Interior Gateway Routing Protocol (IGRP) is a dynamic, distance-vector routing, proprietary Cisco protocol for routing in an autonomous system (AS) that contains large, arbitrarily complex networks with diverse bandwidth and delay characteristics. IGRP uses a combination of user-configurable metrics, including internetwork delay, bandwidth, reliability, and load.
  • Page 632: Default Igrp Configuration

    Chapter 30 Configuring IP Unicast Routing Configuring IGRP Figure 30-4 Interior, System, and Exterior Routes Autonomous Autonomous system 1 system 2 System Exterior Router Router Router By default, a router running IGRP sends an update broadcast every 90 seconds and declares a route inaccessible if it does not receive an update from the first router in the route within three update periods (270 seconds).
  • Page 633: Understanding Load Balancing And Traffic Distribution Control

    Chapter 30 Configuring IP Unicast Routing Configuring IGRP Table 30-5 Default IGRP Configuration (continued) Feature Default Setting Timers basic Update: 90 seconds. Invalid: 270 seconds. Hold-down: 280 seconds. Flush: 630 seconds. Sleeptime: 0 milliseconds. Traffic-share Distributed proportionately to the ratios of the metrics. Routers running IGRP use flash and poison-reverse updates to speed up the convergence of the routing algorithm.
  • Page 634: Configuring Basic Igrp Parameters

    Configuring IP Unicast Routing Configuring IGRP Note For more information and examples, refer to the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1. Configuring Basic IGRP Parameters Beginning in privileged EXEC mode, follow these steps to configure IGRP. Configuring the routing process is required;...
  • Page 635: Configuring Split Horizon

    Chapter 30 Configuring IP Unicast Routing Configuring IGRP Command Purpose Step 8 no metric holddown (Optional) Disable the IGRP hold-down period. The route to a network is placed in holddown if the router learns that the network is farther away than previously known or is down.
  • Page 636: Configuring Ospf

    Configuring OSPF This section briefly describes how to configure Open Shortest Path First (OSPF). For a complete description of the OSPF commands, refer to the “OSPF Commands” chapter of the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
  • Page 637: Default Ospf Configuration

    Chapter 30 Configuring IP Unicast Routing Configuring OSPF OSPF typically requires coordination among many internal routers, area border routers (ABRs) connected to multiple areas, and autonomous system boundary routers (ASBRs). The minimum configuration would use all default parameter values, no authentication, and interfaces assigned to areas. If you customize your environment, you must ensure coordinated configuration of all routers.
  • Page 638: Configuring Basic Ospf Parameters

    Chapter 30 Configuring IP Unicast Routing Configuring OSPF Table 30-6 Default OSPF Configuration (continued) Feature Default Setting Default metric Built-in, automatic metric translation, as appropriate for each routing protocol. Distance OSPF dist1 (all routes within an area): 110; dist2 (all routes from one area to another): 110; dist3 (routes from other routing domains): 110.
  • Page 639: Configuring Ospf Interfaces

    Chapter 30 Configuring IP Unicast Routing Configuring OSPF Command Purpose Step 3 network address wildcard-mask area area-id Define an interface on which OSPF runs and the area ID for that interface. You can use the wildcard-mask to associate one or more interfaces with a specific OSPF area in a single command.
  • Page 640: Configuring Ospf Area Parameters

    Chapter 30 Configuring IP Unicast Routing Configuring OSPF Command Purpose Step 8 ip ospf dead-interval seconds (Optional) Set the number of seconds after the last device hello packet was seen before its neighbors declare the OSPF router to be down. The value must be the same for all nodes on a network. The range is 1 to 65535 seconds.
  • Page 641: Configuring Other Ospf Parameters

    Chapter 30 Configuring IP Unicast Routing Configuring OSPF Command Purpose Step 3 area area-id authentication (Optional) Allow password-based protection against unauthorized access to the identified area. The identifier can be either a decimal value or an IP address. Step 4 area area-id authentication message-digest (Optional) Enable MD5 authentication on the area.
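Added example, not from the guide: the OSPF setup from pages 638 through 641, with the network statement and wildcard mask, area-wide MD5 authentication, a per-interface message-digest key, and matching hello and dead intervals. The process ID, area, key string, address range and VLAN interfaces are illustrative assumptions; the key string is a placeholder.

```cisco
! Added example (not from the guide). Process ID, area, key and VLANs are illustrative.
router ospf 1
 ! Wildcard 0.0.255.255 places every interface addressed in 10.1.0.0/16 in area 0.
 network 10.1.0.0 0.0.255.255 area 0
 ! Require MD5 on every interface in the area; hellos without a valid digest
 ! are ignored, so a rogue router cannot form an adjacency.
 area 0 authentication message-digest
 ! Still advertise the user subnet, but send no hellos into it.
 passive-interface vlan 10
!
interface vlan 20
 ip address 10.1.20.1 255.255.255.0
 ! Key ID and string must match the neighbor. Hello and dead intervals must
 ! match as well (dead is normally four times hello); a mismatch leaves the
 ! adjacency stuck in INIT or never formed.
 ip ospf message-digest-key 1 md5 OspfS3cret
 ip ospf hello-interval 10
 ip ospf dead-interval 40
```

show ip ospf interface vlan 20 reports the authentication mode and the timers; show ip ospf neighbor should show the peer in FULL. Configure the key on every router in the area before turning on area authentication, otherwise adjacencies drop the moment the command is entered.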
  • Page 642 Chapter 30 Configuring IP Unicast Routing Configuring OSPF • Default route: When you specifically configure redistribution of routes into an OSPF routing domain, the router automatically becomes an autonomous system boundary router (ASBR). You can force the ASBR to generate a default route into the OSPF routing domain. Domain Name Server (DNS) names for use in all OSPF show privileged EXEC command displays •...
  • Page 643: Changing Lsa Group Pacing

    Chapter 30 Configuring IP Unicast Routing Configuring OSPF Command Purpose Step 10 timers spf spf-delay spf-holdtime (Optional) Configure route calculation timers. • spf-delay—Enter an integer from 0 to 65535. The default is 5 seconds; 0 means no delay. • spf-holdtime—Enter an integer from 0 to 65535. The default is 10 seconds;...
  • Page 644: Monitoring Ospf

    EXEC commands for displaying statistics. For more show ip ospf database privileged EXEC command options and for explanations of fields in the resulting display, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. Table 30-7 Show IP OSPF Statistics Commands...
  • Page 645: Configuring Eigrp

    Configuring EIGRP Configuring EIGRP Enhanced IGRP (EIGRP) is a Cisco proprietary enhanced version of the IGRP. Enhanced IGRP uses the same distance vector algorithm and distance information as IGRP; however, the convergence properties and the operating efficiency of Enhanced IGRP are significantly improved.
  • Page 646: Default Eigrp Configuration

    Chapter 30 Configuring IP Unicast Routing Configuring EIGRP feasible successors, but there are neighbors advertising the destination, a recomputation must occur. This is the process whereby a new successor is determined. The amount of time it takes to recompute the route affects the convergence time. Recomputation is processor-intensive; it is advantageous to avoid recomputation if it is not necessary.
  • Page 647: Configuring Basic Eigrp Parameters

    Chapter 30 Configuring IP Unicast Routing Configuring EIGRP Table 30-8 Default EIGRP Configuration (continued) Feature Default Setting Distance Internal distance: 90. External distance: 170. EIGRP log-neighbor changes Disabled. No adjacency changes logged. IP authentication key-chain No authentication provided. IP authentication mode No authentication provided.
  • Page 648: Configuring Eigrp Interfaces

    Chapter 30 Configuring IP Unicast Routing Configuring EIGRP Command Purpose Step 3 network network-number Associate networks with an EIGRP routing process. EIGRP sends updates to the interfaces in the specified networks. If an interface’s network is not specified, it is not advertised in any IGRP or EIGRP update.
  • Page 649: Configuring Eigrp Route Authentication

    15 seconds for all other networks. Caution Do not adjust the hold time without consulting Cisco technical support. Step 7 no ip split-horizon eigrp autonomous-system-number (Optional) Disable split horizon to allow route information to be advertised by a router out any interface from which that information originated.
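Added example, not from the guide: EIGRP with the route authentication from page 649 and the neighbor-change logging listed as disabled by default in Table 30-8, configured together. The autonomous system number 100, key-chain name, key string, network and VLAN interfaces are illustrative assumptions; the key string is a placeholder.

```cisco
! Added example (not from the guide). AS number, key and VLANs are illustrative.
key chain EIGRP-KEYS
 key 1
  key-string E1grpS3cret
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
 ! Off by default. Logging adjacency changes is the cheapest way to notice a
 ! rogue or flapping neighbor from syslog.
 eigrp log-neighbor-changes
 passive-interface vlan 10
!
interface vlan 20
 ! Both lines are required and both carry the AS number: the mode without a
 ! key chain authenticates nothing, and the key chain without the mode is unused.
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
```

show ip eigrp neighbors should list the peer with a stable uptime; show ip eigrp interfaces confirms which interfaces participate. Leave the hello and hold timers at their defaults, as the caution on page 649 says, and change keys by adding a new key ID on both sides before retiring the old one.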
  • Page 650: Monitoring And Maintaining Eigrp

    You can delete neighbors from the neighbor table. You can also display various EIGRP routing statistics. Table 30-9 lists the privileged EXEC commands for deleting neighbors and displaying statistics. For explanations of fields in the resulting display, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. Table 30-9...
  • Page 651: Configuring Bgp

    BGP in Internet Routing Architectures, published by Cisco Press, and in the “Configuring BGP” chapter in the Cisco IOS IP and IP Routing Configuration Guide. For details about BGP commands and keywords, refer to the Cisco IOS IP and IP Routing Command Note Reference for Release 12.1.
  • Page 652 AS-level policy decisions. A router or switch running Cisco IOS does not select or use an IBGP route unless it has a route available to the next-hop router and it has received synchronization from an IGP (unless IGP synchronization is disabled).
  • Page 653: Default Bgp Configuration

    Default BGP Configuration Table 30-10 shows the basic default BGP configuration. For the defaults for all characteristics, refer to the specific commands in the Cisco IOS IP and IP Routing Command Reference for Release 12.1. Table 30-10 Default BGP Configuration Feature...
  • Page 654 Chapter 30 Configuring IP Unicast Routing Configuring BGP Table 30-10 Default BGP Configuration (continued) Feature Default Setting IP prefix list None defined. Multi exit discriminator (MED) Always compare: Disabled. Does not compare MEDs for paths from neighbors in • different autonomous systems. Best path compare: Disabled.
  • Page 655: Enabling Bgp Routing

    Chapter 30 Configuring IP Unicast Routing Configuring BGP Enabling BGP Routing To enable BGP routing, you establish a BGP routing process and define the local network. Because BGP must completely recognize the relationships with its neighbors, you must also specify a BGP neighbor. BGP supports two kinds of neighbors: internal and external.
  • Page 656 Chapter 30 Configuring IP Unicast Routing Configuring BGP Command Purpose Step 8 no auto-summary (Optional) Disable automatic network summarization. By default, when a subnet is redistributed from an IGP into BGP, only the network route is inserted into the BGP table. Step 9 bgp fast-external-fallover (Optional) Automatically reset a BGP session when a link...
  • Page 657: Managing Routing Policy Changes

    BGP sessions so that the configuration changes take effect. There are two types of reset, hard reset and soft reset. Cisco IOS software releases 12.1 and later support a soft reset without any prior configuration. To use a soft reset without preconfiguration, both BGP peers must support the soft route refresh capability, which is advertised in the OPEN message sent when the peers establish a TCP session.
  • Page 658: Configuring Bgp Decision Attributes

    Prefer the path with the largest weight (a Cisco proprietary parameter). The weight attribute is local to the router and not propagated in routing updates. By default, the weight attribute is 32768 for paths that the router originates and zero for other paths.
  • Page 659 Chapter 30 Configuring IP Unicast Routing Configuring BGP Prefer the route with the highest local preference. Local preference is part of the routing update and exchanged among routers in the same AS. The default value of the local preference attribute is 100. You can set local preference by using the bgp default local-preference router configuration command or by using a route map.
  • Page 660: Configuring Bgp Filtering With Route Maps

    Chapter 30 Configuring IP Unicast Routing Configuring BGP Command Purpose Step 7 bgp bestpath med missing-as-worst (Optional) Configure the switch to consider a missing MED as having a value of infinity, making the path without a MED value the least desirable path. Step 8 bgp always-compare med (Optional) Configure the switch to compare MEDs for...
  • Page 661: Configuring Bgp Filtering By Neighbor

    Chapter 30 Configuring IP Unicast Routing Configuring BGP Command Purpose Step 3 set ip next-hop ip-address [...ip-address] [peer-address] (Optional) Set a route map to disable next-hop processing. • In an inbound route map, set the next hop of matching routes to be the neighbor peering address, overriding third-party next hops.
  • Page 662: Configuring Prefix Lists For Bgp Filtering

    BGP autonomous system paths. Each filter is an access list based on regular expressions. (Refer to the “Regular Expressions” appendix in the Cisco IOS Dial Services Command Reference for more information on forming regular expressions.) To use this method, define an autonomous system path access list, and apply it to updates to and from particular neighbors.
  • Page 663: Configuring Bgp Community Filtering

    Chapter 30 Configuring IP Unicast Routing Configuring BGP You do not need to specify a sequence number when removing a configuration entry. Show commands include the sequence numbers in their output. Before using a prefix list in a command, you must set up the prefix list. Beginning in privileged EXEC mode, follow these steps to create a prefix list or to add an entry to a prefix list: Command Purpose...
  • Page 664 (Optional) Display and parse BGP communities in the format AA:NN. A BGP community is displayed in a two-part format 2 bytes long. The Cisco default community format is in the format NNAA. In the most recent RFC for BGP, a community takes the form AA:NN, where the first part is the AS number and the second part is a 2-byte number.
  • Page 665: Configuring Bgp Neighbors And Peer Groups

    Configuring BGP Neighbors and Peer Groups Often many BGP neighbors are configured with the same update policies (that is, the same outbound route maps, distribute lists, filter lists, update source, and so on). Neighbors with the same update policies can be grouped into peer groups to simplify configuration and to make updating more efficient.
  • Page 666 Command Purpose Step 13 neighbor {ip-address | peer-group-name} maximum-prefix maximum [threshold] (Optional) Control how many prefixes can be received from a neighbor. The range is 1 to 4294967295. The threshold (optional) is the percentage of maximum at which a warning message is generated.
  • Page 667: Configuring Aggregate Addresses

    Configuring Aggregate Addresses Classless interdomain routing (CIDR) enables you to create aggregate routes (or supernets) to minimize the size of routing tables. You can configure aggregate routes in BGP either by redistributing an aggregate route into BGP or by creating an aggregate entry in the BGP routing table.
  • Page 668: Configuring Bgp Route Reflectors

    To configure a BGP confederation, you must specify a confederation identifier that acts as the autonomous system number for the group of autonomous systems. Beginning in privileged EXEC mode, use these commands to configure a BGP confederation: Command Purpose Step 1...
  • Page 669: Configuring Route Dampening

    Beginning in privileged EXEC mode, use these commands to configure a route reflector and clients: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router bgp autonomous-system Enter BGP router configuration mode. Step 3 neighbor ip-address | peer-group-name Configure the local router as a BGP route reflector and the...
  • Page 670: Monitoring And Maintaining Bgp

    Table 30-9 lists the privileged EXEC commands for clearing and displaying BGP. For explanations of the display fields, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. Table 30-12 IP BGP Clear and Show Commands...
  • Page 671: Configuring Protocol-Independent Features

    SMI or the EMI; except that with the SMI, protocol-related features are available only for RIP. For a complete description of the IP routing protocol-independent commands in this chapter, refer to the “IP Routing Protocol-Independent Commands” chapter of the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
  • Page 672: Configuring The Number Of Equal-Cost Routing Paths

    Chapter 30 Configuring IP Unicast Routing Configuring Protocol-Independent Features The two main components in CEF are the distributed FIB and the distributed adjacency tables. • The FIB is similar to a routing table or information base and maintains a mirror image of the forwarding information in the IP routing table.
  • Page 673: Configuring Static Unicast Routes

    Beginning in privileged EXEC mode, follow these steps to change the maximum number of parallel paths installed in a routing table from the default: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router {bgp | rip | ospf | igrp | eigrp} Enter router configuration mode.
  • Page 674: Specifying Default Routes And Networks

    Table 30-13 Dynamic Routing Protocol Default Administrative Distances (Route Source, Default Distance): Connected interface; Static route; Enhanced IGRP summary route; External BGP; Internal Enhanced IGRP; IGRP; OSPF; Internal BGP; Unknown. Static routes that point to an interface are advertised through RIP, IGRP, and other dynamic routing protocols, whether or not static redistribute router configuration commands were specified for those routing protocols.
  • Page 675: Using Route Maps To Redistribute Routing Information

    The system periodically scans its routing table to choose the optimal default network as its default route. In IGRP networks, there might be several candidate networks for the system default. Cisco routers use administrative distance and metric information to determine the default route or the gateway of last resort.
  • Page 676 Note Although each of Steps 3 through 14 in the following section is optional, you must enter at least one match route-map configuration command and one set route-map configuration command. Beginning in privileged EXEC mode, follow these steps to configure a route map for redistribution: Command Purpose Step 1...
  • Page 677 Command Purpose Step 12 set dampening halflife reuse suppress max-suppress-time Set BGP route dampening factors. Step 13 set local-preference value Assign a value to a local BGP path. Step 14 set origin {igp | egp as | incomplete} Set the BGP origin code.
  • Page 678 Beginning in privileged EXEC mode, follow these steps to control route redistribution. Note that the keywords are the same as defined in the previous procedure. Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 679: Configuring Policy-Based Routing

    Note For details about PBR commands and keywords, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. For a list of PBR commands that are visible but not supported by the switch, see Appendix C, “Unsupported Commands in Cisco IOS Release 12.1(19)EA1.”...
  • Page 680: Pbr Configuration Guidelines

    PBR Configuration Guidelines Before configuring PBR, you should be aware of this information: • To use PBR, you must have the EMI installed on the switch. • Multicast traffic is not policy-routed. PBR applies only to unicast traffic. •...
  • Page 681 Beginning in privileged EXEC mode, follow these steps to configure PBR: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 route-map map-tag [permit | deny] [sequence number] Define any route maps used to control where packets are output, and enter route-map configuration mode.
  • Page 682: Filtering Routing Information

    Command Purpose Step 14 show ip local policy (Optional) Display whether or not local policy routing is enabled and, if so, the route map being used. Step 15 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 683: Controlling Advertising And Processing In Routing Updates

    Use a network monitoring privileged EXEC command such as show ip ospf interface to verify the interfaces that you enabled as passive, or use the show ip interface privileged EXEC command to verify the interfaces that you enabled as active.
  • Page 684: Managing Authentication Keys

    Beginning in privileged EXEC mode, follow these steps to filter sources of routing information: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router {bgp | rip | ospf | igrp | eigrp} Enter router configuration mode.
  • Page 685: Monitoring And Maintaining The Ip Network

    Chapter 30 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network Command Purpose Step 4 key-string text Identify the key string. The string can contain from 1 to 80 uppercase and lowercase alphanumeric characters, but the first character cannot be a number. Step 5 accept-lifetime start-time {infinite | end-time | duration (Optional) Specify the time period during which the key...
  • Page 686
  • Page 687: Chapter 31 Configuring Hsrp

    Note For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the Cisco IOS IP and IP Routing Command Reference for Release 12.1. This chapter consists of these sections: Understanding HSRP, page 31-1 •...
  • Page 688 Chapter 31 Configuring HSRP Understanding HSRP HSRP provides high network availability by providing redundancy for IP traffic from hosts on networks. In a group of router interfaces, the active router is the router of choice for routing packets; the standby router is the router that takes over the routing duties when an active router fails or when preset conditions are met.
  • Page 689: Configuring Hsrp

    Chapter 31 Configuring HSRP Configuring HSRP Figure 31-1 Typical HSRP Configuration (figure: Router A as the active router and Router B as the standby router share a virtual router address on the 172.20.128.0 segment; Hosts A, B, and C are attached) Configuring HSRP These sections include HSRP configuration information: •...
  • Page 690: Default Hsrp Configuration

    Default HSRP Configuration Table 31-1 shows the default HSRP configuration. Table 31-1 Default HSRP Configuration (Feature, Default Setting): HSRP groups, None configured; Standby group number; Standby MAC address, System assigned as 0000.0c07.acXX, where XX is the HSRP group number; Standby priority; Standby delay...
  • Page 691: Enabling Hsrp

    Enabling HSRP The standby ip interface configuration command activates HSRP on the configured interface. If an IP address is specified, that address is used as the designated address for the Hot Standby group. If no IP address is specified, the address is learned through the standby function.
  • Page 692: Configuring Hsrp Group Attributes

    Configuring HSRP Group Attributes Although HSRP can run with no other configuration required, you can configure attributes for the HSRP group, including authentication, priority, preemption and preemption delay, timers, or MAC address. Configuring HSRP Priority The standby priority, standby preempt, and standby track interface configuration commands are all used to set characteristics for determining active and standby routers and behavior regarding when a new active router takes over.
  • Page 693 Beginning in privileged EXEC mode, use one or more of these steps to configure HSRP priority characteristics on an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and enter the HSRP interface on which you want to set priority.
  • Page 694: Configuring Hsrp Authentication And Timers

    [group-number] authentication string (Optional) authentication string—Enter a string to be carried in all HSRP messages. The authentication string can be up to eight characters in length; the default string is cisco. (Optional) group-number—The group number to which the command applies.
  • Page 695: Configuring Hsrp Groups And Clustering

    Command Purpose Step 4 standby [group-number] timers hellotime holdtime (Optional) Configure the time between hello packets and the time before other routers declare the active router to be down. • group-number—The group number to which the command applies.
  • Page 696: Displaying Hsrp Configurations

    Chapter 31 Configuring HSRP Displaying HSRP Configurations This example shows how to bind standby group my_hsrp to the cluster and enable the same HSRP group to be used for command switch redundancy and router redundancy. The command can only be executed on the cluster command switch.
  • Page 697: Chapter 32 Configuring Ip Multicast Routing

    To use this feature, the switch must be running the enhanced multilayer image (EMI). Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
  • Page 698: Understanding Cisco's Implementation Of Ip Multicast Routing

    • Internet (MBONE). The software supports PIM-to-DVMRP interaction. • Cisco Group Management Protocol (CGMP) is used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. Figure 32-1 shows where these protocols operate within the IP multicast environment.
  • Page 699: Igmp Version 1

    Chapter 32 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing what members it has can vary from group to group and from time to time. A multicast group can be active for a long time, or it can be very short-lived. Membership in a group can constantly change. A group that has members can have no activity.
  • Page 700: Pim Versions

    PIM Versions PIMv2 includes these improvements over PIMv1: • A single, active rendezvous point (RP) exists per multicast group, with multiple backup RPs. This single RP compares to multiple active RPs for the same group in PIMv1.
  • Page 701: Auto-Rp

    This proprietary feature eliminates the need to manually configure the RP information in every router and multilayer switch in the network. For Auto-RP to work, you configure a Cisco router or multilayer switch as the mapping agent. It uses IP multicast to learn which routers or switches in the network are possible candidate RPs to receive candidate RP announcements.
  • Page 702: Multicast Forwarding And Reverse Path Check

    Multicast Forwarding and Reverse Path Check With unicast routing, routers and multilayer switches forward traffic through the network along a single path from the source to the destination host whose IP address appears in the destination address field of the IP packet.
  • Page 703: Understanding Dvmrp

    This protocol has been deployed in the MBONE and in other intradomain multicast networks. Cisco routers and multilayer switches run PIM and can forward multicast packets to and receive from a DVMRP neighbor. It is also possible to propagate DVMRP routes into and through a PIM cloud. The software propagates DVMRP routes and builds a separate database for these routes on each router and multilayer switch, but PIM uses this routing information to make the packet-forwarding decision.
  • Page 704: Configuring Ip Multicast Routing

    • Auto-RP and BSR Configuration Guidelines, page 32-9 PIMv1 and PIMv2 Interoperability The Cisco PIMv2 implementation provides interoperability and transition between Version 1 and Version 2, although there might be some minor problems.
  • Page 705: Auto-Rp And Bsr Configuration Guidelines

    If you have a network that includes non-Cisco routers, configure the Auto-RP mapping agent and the BSR on a Cisco PIMv2 router or multilayer switch. Ensure that no PIMv1 device is on the path between the BSR and a non-Cisco PIMv2 router.
  • Page 706: Configuring Basic Multicast Routing

    Chapter 32 Configuring IP Multicast Routing Configuring IP Multicast Routing Configuring Basic Multicast Routing You must enable IP multicast routing and configure the PIM version and the PIM mode. Then the software can forward multicast packets, and the switch can populate its multicast routing table. You can configure an interface to be in PIM dense mode, sparse mode, or sparse-dense mode.
  • Page 707: Configuring A Rendezvous Point

    You can use several methods, as described in these sections: • Manually Assigning an RP to Multicast Groups, page 32-11 • Configuring Auto-RP, page 32-13 (a standalone, Cisco-proprietary protocol separate from PIMv1) • Configuring PIMv2 BSR, page 32-17 (a standards track protocol in the Internet Engineering Task...
  • Page 708 You can configure a single RP for multiple groups defined by an access list. If there is no RP configured for a group, the multilayer switch treats the group as dense and uses the dense-mode PIM techniques. Beginning in privileged EXEC mode, follow these steps to manually configure the address of the RP.
  • Page 709: Configuring Auto-Rp

    Switch(config)# ip pim rp-address 147.106.6.22 1 Configuring Auto-RP Auto-RP uses IP multicast to automate the distribution of group-to-RP mappings to all Cisco routers and multilayer switches in a PIM network. It has these benefits: It is easy to use multiple RPs within a network to serve different group ranges.
  • Page 710 Command Purpose Step 1 show running-config Verify that a default RP is already configured on all PIM devices and the RP in the sparse-mode network. It was previously configured with the ip pim rp-address global configuration command.
  • Page 711 Command Purpose Step 5 ip pim send-rp-discovery scope ttl Find a switch whose connectivity is not likely to be interrupted, and assign it the role of RP-mapping agent. For scope ttl, specify the time-to-live value in hops to limit the RP discovery packets.
  • Page 712 Filtering Incoming RP Announcement Messages You can add configuration commands to the mapping agents to prevent a maliciously configured router from masquerading as a candidate RP and causing problems. Beginning in privileged EXEC mode, follow these steps to filter incoming RP announcement messages. This procedure is optional.
  • Page 713: Configuring Pimv2 Bsr

    This example shows a sample configuration on an Auto-RP mapping agent that is used to prevent candidate RP announcements from being accepted from unauthorized candidate RPs: Switch(config)# ip pim rp-announce-filter rp-list 10 group-list 20 Switch(config)# access-list 10 permit host 172.16.5.1 Switch(config)# access-list 10 permit host 172.16.2.1 Switch(config)# access-list 20 deny 239.0.0.0 0.0.255.255...
  • Page 714 To remove the PIM border, use the no ip pim bsr-border interface configuration command. Figure 32-3 Constraining PIMv2 BSR Messages (figure: a PIMv2 sparse-mode network with the ip pim bsr-border command configured on the border interfaces)...
  • Page 715 To remove the boundary, use the no ip multicast boundary interface configuration command. This example shows a portion of an IP multicast boundary configuration that denies Auto-RP information: Switch(config)# access-list 1 deny 224.0.1.39 Switch(config)# access-list 1 deny 224.0.1.40 Switch(config)# interface gigabitethernet0/1 Switch(config-if)# ip multicast boundary 1...
  • Page 716 IP multicast address space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR. When deciding which devices should be RPs, consider these options: • In a network of Cisco routers and multilayer switches where only Auto-RP is used, any device can be configured as an RP. •...
  • Page 717: Using Auto-Rp And A Bsr

    Switch(config)# access-list 4 permit 239.0.0.0 0.255.255.255 Using Auto-RP and a BSR If there are only Cisco devices in your network (no routers from other vendors), there is no need to configure a BSR. Configure Auto-RP in a network that is running both PIMv1 and PIMv2.
  • Page 718: Monitoring The Rp Mapping Information

    Chapter 32 Configuring IP Multicast Routing Configuring Advanced PIM Features Monitoring the RP Mapping Information To monitor the RP mapping information, use these commands in privileged EXEC mode: • show ip pim bsr displays information about the elected BSR. • show ip pim rp-hash group displays the RP that was selected for the specified group.
  • Page 719 Chapter 32 Configuring IP Multicast Routing Configuring Advanced PIM Features Figure 32-4 Shared Tree and Source Tree (Shortest-Path Tree) Source Router B Router A Source tree Shared tree (shortest from RP path tree) Router C Receiver If the data rate warrants, leaf routers (routers without any downstream connections) on the shared tree can use the data distribution tree rooted at the source.
  • Page 720: Delaying The Use Of Pim Shortest-Path Tree

    Delaying the Use of PIM Shortest-Path Tree The change from shared to source tree happens when the first data packet arrives at the last-hop router (Router C in Figure 32-4). This change occurs because the ip pim spt-threshold global configuration command controls that timing.
  • Page 721: Modifying The Pim Router-Query Message Interval

    Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no ip pim spt-threshold {kbps | infinity} global configuration command.
  • Page 722: Configuring Optional Igmp Features

    Chapter 32 Configuring IP Multicast Routing Configuring Optional IGMP Features Configuring Optional IGMP Features These sections describe how to configure optional IGMP features: • Default IGMP Configuration, page 32-26 • Configuring the Switch as a Member of a Group, page 32-26 (optional) •...
  • Page 723: Controlling Access To Ip Multicast Groups

    Beginning in privileged EXEC mode, follow these steps to configure the switch to be a member of a group. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration...
  • Page 724: Changing The Igmp Version

    Command Purpose Step 5 access-list access-list-number {deny | permit} source [source-wildcard] Create a standard access list. • For access-list-number, specify the access list created in Step 3. • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
  • Page 725: Modifying The Igmp Host-Query Message Interval

    Command Purpose Step 5 show ip igmp interface [interface-id] Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no ip igmp version interface configuration command. Modifying the IGMP Host-Query Message Interval The switch periodically sends IGMP host-query messages to discover which multicast groups are present on attached networks.
  • Page 726: Changing The Igmp Query Timeout For Igmpv2

    Changing the IGMP Query Timeout for IGMPv2 If you are using IGMPv2, you can specify the period of time before the switch takes over as the querier for the interface. By default, the switch waits twice the query interval controlled by the ip igmp query-interval interface configuration command.
  • Page 727: Configuring The Switch As A Statically Connected Member

    Chapter 32 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features To return to the default setting, use the no ip igmp query-max-response-time interface configuration command. Configuring the Switch as a Statically Connected Member Sometimes there is either no group member on a network segment or a host cannot report its group membership by using IGMP.
  • Page 728: Enabling Cgmp Server Support

    The switch serves as a CGMP server for devices that do not support IGMP snooping but have CGMP client functionality. CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. CGMP is necessary because the Layer 2 switch cannot distinguish between IP multicast data packets and IGMP report messages, which are both at the MAC-level and are addressed to the same group address.
  • Page 729: Configuring Sdr Listener Support

    Configuring sdr Listener Support The MBONE is the small subset of Internet routers and hosts that are interconnected and capable of forwarding IP multicast traffic. Other multimedia content is often broadcast over the MBONE. Before you can join a multimedia session, you need to know what multicast group address and port are being used for the session, when the session is going to be active, and what sort of applications (audio, video, and so forth) are required on your workstation.
  • Page 730: Limiting How Long An Sdr Cache Entry Exists

    Limiting How Long an sdr Cache Entry Exists By default, entries are never deleted from the sdr cache. You can limit how long the entry remains active so that if a source stops advertising SAP information, old advertisements are not needlessly kept. Beginning in privileged EXEC mode, follow these steps to limit how long an sdr cache entry stays active in the cache.
  • Page 731 Figure 32-5 Administratively-Scoped Boundaries (figure: Company XYZ, with Engineering and Marketing groups, using the scoped ranges 239.0.0.0/8 and 239.128.0.0/16) You can define an administratively-scoped boundary on a routed interface for multicast group addresses. A standard access list defines the range of addresses affected. When a boundary is defined, no multicast data packets are allowed to flow across the boundary from either direction.
  • Page 732: Configuring Basic Dvmrp Interoperability Features

    DVMRP routers or interoperate with DVMRP routers over an MBONE tunnel. DVMRP advertisements produced by the Cisco IOS software can cause older versions of the mrouted protocol to corrupt their routing tables and those of their neighbors.
  • Page 733 Chapter 32 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Beginning in privileged EXEC mode, follow these steps to configure the sources that are advertised and the metrics that are used when DVMRP route-report messages are sent. This procedure is optional. Command Purpose Step 1...
  • Page 734: Configuring A Dvmrp Tunnel

    You cannot configure a DVMRP tunnel between two routers. When a Cisco router or multilayer switch runs DVMRP through a tunnel, it advertises sources in DVMRP report messages, much as it does on real networks. The software also caches DVMRP report messages it receives and uses them in its RPF calculation.
  • Page 735 Chapter 32 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Beginning in privileged EXEC mode, follow these steps to configure a DVMRP tunnel. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | Create a standard access list, repeating the command as many times as permit} source [source-wildcard]...
  • Page 736: Advertising Network 0.0.0.0 To Dvmrp Neighbors

    This example shows how to configure a DVMRP tunnel. In this configuration, the IP address of the tunnel on the Cisco switch is assigned unnumbered, which causes the tunnel to appear to have the same IP address as port 1. The tunnel endpoint source address is 172.16.2.1, and the tunnel endpoint address of the remote DVMRP router to which the tunnel is connected is 192.168.1.10.
  • Page 737: Responding To Mrinfo Requests

    171.69.214.18 -> 171.69.214.17 (mm1-45a.cisco.com) [1/0/pim] Configuring Advanced DVMRP Interoperability Features Cisco routers and multilayer switches run PIM to forward multicast packets to receivers and receive multicast packets from senders. It is also possible to propagate DVMRP routes into and through a PIM cloud.
  • Page 738: Enabling Dvmrp Unicast Routing

    DVMRP unicast routes, to which PIM can then reverse-path forward. Cisco devices do not perform DVMRP multicast routing among each other, but they can exchange DVMRP routes. The DVMRP routes provide a multicast topology that might differ from the unicast topology.
  • Page 739 Chapter 32 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Figure 32-6 Leaf Nonpruning DVMRP Neighbor Source router or RP PIM dense mode Router A Valid Router B multicast Receiver traffic Layer 3 switch Unnecessary multicast traffic Leaf nonpruning DVMRP device Stub LAN with no members You can prevent the switch from peering (communicating) with a DVMRP neighbor if that neighbor does...
  • Page 740 Chapter 32 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Figure 32-7 Router Rejects Nonpruning DVMRP Neighbor Source router or RP Router A Multicast Router B traffic gets Receiver to receiver, not to leaf DVMRP device Layer 3 switch Configure the ip dvmrp reject-non-pruners command on this interface.
  • Page 741: Controlling Route Exchanges

    Controlling Route Exchanges These sections describe how to tune the Cisco device advertisements of DVMRP routes: • Limiting the Number of DVMRP Routes Advertised, page 32-45 (optional) • Changing the DVMRP Route Threshold, page 32-45 (optional) •...
  • Page 742: Configuring A Dvmrp Summary Address

    Cisco router that is not on these two Ethernet segments does not properly RPF-check on the DVMRP router and is discarded. You can force the Cisco router to advertise the summary address (specified by the address and mask pair in the ip dvmrp summary-address address mask interface configuration command) in place of any route that falls in this address range.
  • Page 743 (figure residue: a DVMRP router and a Cisco router connected by a tunnel; the Cisco router's interface fastethernet 0/2 is configured with ip addr 176.32.15.1 255.255.255.0 and ip pim dense-mode, and 176.32.15.0/24 is advertised with m = 1; the DVMRP route table and the unicast routing table (10,000 routes) list Network, Intf, Metric, Dist, and Src columns)...
  • Page 744: Disabling Dvmrp Autosummarization

    Disabling DVMRP Autosummarization By default, the software automatically performs some level of DVMRP summarization. Disable this function if you want to advertise all routes, not just a summary. In some special cases, you can use the neighboring DVMRP router with all subnet information to better control the flow of multicast traffic in the DVMRP network.
  • Page 745: Monitoring And Maintaining Ip Multicast Routing

    Chapter 32 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Beginning in privileged EXEC mode, follow these steps to change the default metric. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode.
  • Page 746: Clearing Caches, Tables, And Databases

    Chapter 32 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Clearing Caches, Tables, and Databases You can remove all contents of a particular cache, table, or database. Clearing a cache, table, or database might be necessary when the contents of the particular structure are, or are suspected to be, invalid. You can use any of the privileged EXEC commands in Table 32-4 to clear IP multicast caches, tables,...
  • Page 747: Monitoring Ip Multicast Routing

    Chapter 32 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Table 32-5 Commands for Displaying System and Network Statistics (continued) Command: show ip mpacket [source-address | name] [group-address | name] [detail] Purpose: Display the contents of the circular cache-header buffer.
  • Page 748 Chapter 32 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Catalyst 3560 Switch Software Configuration Guide 32-52 78-16156-01...
  • Page 749: Chapter 33 Configuring Msdp

    MSDP can also operate if MBGP is not running. To use this feature, the switch must be running the enhanced multilayer image (EMI). Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
  • Page 750: Msdp Operation

    Chapter 33 Configuring MSDP Understanding MSDP The purpose of this topology is to have domains discover multicast sources in other domains. If the multicast sources are of interest to a domain that has receivers, multicast data is delivered over the normal, source-tree building mechanism in PIM-SM.
  • Page 751: Msdp Benefits

    Chapter 33 Configuring MSDP Understanding MSDP Figure 33-1 MSDP Running Between RP Peers (figure labels only: MSDP peer; RP + MSDP peer; MSDP SA; Peer RPF flooding; TCP connection; Receiver; Register; Multicast (S,G) Join; Source; PIM sparse-mode domain) MSDP Benefits MSDP has these benefits: •...
  • Page 752: Configuring Msdp

    Chapter 33 Configuring MSDP Configuring MSDP Configuring MSDP These sections describe how to configure MSDP: • Default MSDP Configuration, page 33-4 • Configuring a Default MSDP Peer, page 33-4 (required) • Caching Source-Active State, page 33-6 (optional) • Requesting Source Information from an MSDP Peer, page 33-8 (optional) •...
  • Page 753 Chapter 33 Configuring MSDP Configuring MSDP Figure 33-2 Default MSDP Peer Network (figure labels only: Router C, default MSDP peer, ISP C PIM domain, 10.1.1.1, Switch B, Router A, default MSDP peer, ISP A PIM domain, Customer PIM domain) Beginning in privileged EXEC mode, follow these steps to specify a default MSDP peer. This procedure is required.
  • Page 754: Caching Source-Active State

    Chapter 33 Configuring MSDP Configuring MSDP Command Purpose Step 3 ip prefix-list name [description string] | seq number {permit | deny} network length (Optional) Create a prefix list using the name specified in Step 2. • (Optional) For description string, enter a description of up to 80 characters to describe this prefix list.
  • Page 755 Chapter 33 Configuring MSDP Configuring MSDP Beginning in privileged EXEC mode, follow these steps to enable the caching of source/group pairs. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip msdp cache-sa-state [list Enable the caching of source/group pairs (create an SA state).
  • Page 756: Requesting Source Information From An Msdp Peer

    Chapter 33 Configuring MSDP Configuring MSDP Requesting Source Information from an MSDP Peer Local RPs can send SA requests and get immediate responses for all active sources for a given group. By default, the switch does not send any SA request messages to its MSDP peers when a new member joins a group and wants to receive multicast traffic.
  • Page 757: Controlling Source Information That Your Switch Originates

    Chapter 33 Configuring MSDP Configuring MSDP Controlling Source Information that Your Switch Originates You can control the multicast source information that originates with your switch: • Sources you advertise (based on your sources) • Receivers of source information (based on knowing the requestor) For more information, see the “Redistributing Sources”...
  • Page 758 Chapter 33 Configuring MSDP Configuring MSDP Command Purpose Step 3 access-list access-list-number {deny | permit} source [source-wildcard] Create an IP standard access list, repeating the command as many times as necessary. access-list access-list-number {deny | permit} protocol source source-wildcard Create an IP extended access list, repeating the command as many times as necessary.
  • Page 759: Filtering Source-Active Request Messages

    Chapter 33 Configuring MSDP Configuring MSDP Filtering Source-Active Request Messages By default, only switches that are caching SA information can respond to SA requests. By default, such a switch honors all SA request messages from its MSDP peers and supplies the IP addresses of the active sources.
  • Page 760: Controlling Source Information That Your Switch Forwards

    Chapter 33 Configuring MSDP Configuring MSDP Controlling Source Information that Your Switch Forwards By default, the switch forwards all SA messages it receives to all its MSDP peers. However, you can prevent outgoing messages from being forwarded to a peer by using a filter or by setting a time-to-live (TTL) value.
  • Page 761 This example shows how to allow only (S,G) pairs that pass access list 100 to be forwarded in an SA message to the peer named switch.cisco.com: Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet0/1 Switch(config)# ip msdp sa-filter out switch.cisco.com list 100 Switch(config)# access-list 100 permit ip 171.69.0.0 0.0.255.255 224.20 0 0.0.255.255 Catalyst 3560 Switch Software Configuration Guide...
  • Page 762: Using Ttl To Limit The Multicast Data Sent In Sa Messages

    Chapter 33 Configuring MSDP Configuring MSDP Using TTL to Limit the Multicast Data Sent in SA Messages You can use a TTL value to control what data is encapsulated in the first SA message for every source. Only multicast packets with an IP-header TTL greater than or equal to the ttl argument are sent to the specified MSDP peer.
  • Page 763 To remove the filter, use the no ip msdp sa-filter in {ip-address | name} [list access-list-number] [route-map map-tag] global configuration command. This example shows how to filter all SA messages from the peer named switch.cisco.com: Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet0/1 Switch(config)# ip msdp sa-filter in switch.cisco.com...
  • Page 764: Configuring An Msdp Mesh Group

    Chapter 33 Configuring MSDP Configuring MSDP Configuring an MSDP Mesh Group An MSDP mesh group is a group of MSDP speakers that have fully meshed MSDP connectivity among one another. Any SA messages received from a peer in a mesh group are not forwarded to other peers in the same mesh group.
  • Page 765: Including A Bordering Pim Dense-Mode Region In Msdp

    Chapter 33 Configuring MSDP Configuring MSDP Beginning in privileged EXEC mode, follow these steps to shut down a peer. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip msdp shutdown {peer-name | peer-address} Administratively shut down the specified MSDP peer without losing configuration information.
  • Page 766: Configuring An Originating Address Other Than The Rp Address

    Chapter 33 Configuring MSDP Configuring MSDP Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Note that the ip msdp originator-id global configuration command also identifies an interface to be used as the RP address.
  • Page 767: Monitoring And Maintaining Msdp

    Chapter 33 Configuring MSDP Monitoring and Maintaining MSDP Monitoring and Maintaining MSDP To monitor MSDP SA messages, peers, state, or peer status, use one or more of the privileged EXEC commands in Table 33-1: Table 33-1 Commands for Monitoring and Maintaining MSDP Command Purpose debug ip msdp [peer-address | name] [detail] [routes]...
  • Page 769: Chapter 34 Configuring Fallback Bridging

    To use this feature, the switch must be running the enhanced multilayer image (EMI). Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Bridging and IBM Networking Command Reference for Release 12.1.
  • Page 770: Configuring Fallback Bridging

    Chapter 34 Configuring Fallback Bridging Configuring Fallback Bridging The switch creates a VLAN-bridge spanning-tree instance when a bridge group is created. The switch runs the bridge group and treats the SVIs and routed ports in the bridge group as its spanning-tree ports. These are the reasons for placing network interfaces into a bridge group: •...
  • Page 771: Default Fallback Bridging Configuration

    Chapter 34 Configuring Fallback Bridging Configuring Fallback Bridging Default Fallback Bridging Configuration Table 34-1 shows the default fallback bridging configuration. Table 34-1 Default Fallback Bridging Configuration Feature Default Setting Bridge groups None are defined or assigned to a port. No VLAN-bridge STP is defined.
  • Page 772 Chapter 34 Configuring Fallback Bridging Configuring Fallback Bridging Beginning in privileged EXEC mode, follow these steps to create a bridge group and to assign an interface to it. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 bridge bridge-group protocol Assign a bridge group number, and specify the VLAN-bridge...
  • Page 773: Adjusting Spanning-Tree Parameters

    Poorly planned adjustments can have a negative impact on performance. A good source on switching is the IEEE 802.1D specification. For more information, refer to the “References and Recommended Reading” appendix in the Cisco IOS Configuration Fundamentals Command Reference.
  • Page 774: Changing The Vlan-Bridge Spanning-Tree Priority

    Chapter 34 Configuring Fallback Bridging Configuring Fallback Bridging Changing the VLAN-Bridge Spanning-Tree Priority You can globally configure the VLAN-bridge spanning-tree priority of a switch when it ties with another switch for the position as the root switch. You also can configure the likelihood that the switch will be selected as the root switch.
  • Page 775: Assigning A Path Cost

    Chapter 34 Configuring Fallback Bridging Configuring Fallback Bridging Command Purpose Step 5 show running-config Verify your entry. Step 6 copy running-config startup-config (Optional) Save your entry in the configuration file. To return to the default setting, use the no bridge-group bridge-group priority interface configuration command.
  • Page 776: Adjusting Bpdu Intervals

    Chapter 34 Configuring Fallback Bridging Configuring Fallback Bridging Adjusting BPDU Intervals You can adjust BPDU intervals as described in these sections: • Adjusting the Interval between Hello BPDUs, page 34-8 (optional) • Changing the Forward-Delay Interval, page 34-9 (optional) • Changing the Maximum-Idle Interval, page 34-9 (optional) Note...
  • Page 777 Chapter 34 Configuring Fallback Bridging Configuring Fallback Bridging Changing the Forward-Delay Interval The forward-delay interval is the amount of time spent listening for topology change information after a port has been activated for switching and before forwarding actually begins. Beginning in privileged EXEC mode, follow these steps to change the forward-delay interval. This procedure is optional.
  • Page 778: Disabling The Spanning Tree On An Interface

    [bridge-group] [interface-id | mac-address | verbose] Displays MAC addresses learned in the bridge group. For information about the fields in these displays, refer to the Cisco IOS Bridging and IBM Networking Command Reference for Release 12.1.
  • Page 779: Chapter 35 Troubleshooting

    Chapter 35 Troubleshooting This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Catalyst 3560 switch. Depending on the nature of the problem, you can use the command-line interface (CLI) or the Cluster Management Suite (CMS) to identify and solve problems.
  • Page 780: Recovering From Corrupted Software By Using The Xmodem Protocol

    Step 1 From your PC, download the software image tar file (image_filename.tar) from Cisco.com. The Cisco IOS image is stored as a bin file in a directory in the tar file. For information about locating the software image files on Cisco.com, refer to the release notes.
  • Page 781 Step 11 After the XMODEM request appears, use the appropriate command on the terminal-emulation software to start the transfer and to copy the software image into Flash memory. Step 12 Boot the newly downloaded Cisco IOS image. switch:boot flash:image_filename.bin Step 13 Use the archive download-sw privileged EXEC command to download the software image to the switch.
  • Page 782: Recovering From A Lost Or Forgotten Password

    Chapter 35 Troubleshooting Recovering from a Lost or Forgotten Password Recovering from a Lost or Forgotten Password The default configuration for the switch allows an end user with physical access to the switch to recover from a lost password by interrupting the boot process during power-on and by entering a new password. These recovery procedures require that you have physical access to the switch.
  • Page 783: Procedure With Password Recovery Enabled

    Chapter 35 Troubleshooting Recovering from a Lost or Forgotten Password Procedure with Password Recovery Enabled If the password-recovery mechanism is enabled, this message appears: The system has been interrupted prior to initializing the flash file system. The following commands will initialize the flash file system, and finish loading the operating system software: flash_init load_helper...
  • Page 784: Procedure With Password Recovery Disabled

    Chapter 35 Troubleshooting Recovering from a Lost or Forgotten Password Step 9 Copy the configuration file into memory: Switch# copy flash:config.text system:running-config Source filename [config.text]? Destination filename [running-config]? Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password. Step 10 Enter global configuration mode: Switch# configure terminal...
  • Page 785 Chapter 35 Troubleshooting Recovering from a Lost or Forgotten Password • If you enter n (no), the normal boot process continues as if the Mode button had not been pressed; you cannot access the boot loader prompt, and you cannot enter a new password. You see the message: Press Enter to continue..
  • Page 786: Recovering From A Command Switch Failure

    Chapter 35 Troubleshooting Recovering from a Command Switch Failure Step 9 Write the running configuration to the startup configuration file: Switch# copy running-config startup-config The new password is now in the startup configuration. Note: This procedure is likely to leave your switch virtual interface in a shutdown state. You can see which interface is in this state by entering the show running-config privileged EXEC command.
  • Page 787 Chapter 35 Troubleshooting Recovering from a Command Switch Failure Step 3 Start a CLI session on the new command switch. You can access the CLI by using the console port or, if an IP address has been assigned to the switch, by using Telnet.
  • Page 788: Replacing A Failed Command Switch With Another Switch

    Chapter 35 Troubleshooting Recovering from a Command Switch Failure Step 12 When prompted for the enable secret and enable passwords, enter the passwords of the failed command switch again. Step 13 When prompted, make sure to enable the switch as the cluster command switch, and press Return. Step 14 When prompted, assign a name to the cluster, and press Return.
  • Page 789: Recovering From Lost Cluster Member Connectivity

    Chapter 35 Troubleshooting Recovering from Lost Cluster Member Connectivity Step 6 Enter Y at the first prompt. The prompts in the setup program vary depending on the switch you selected to be the command switch: Continue with configuration dialog? [yes/no]: y Configuring global parameters: If this prompt does not appear, enter enable, and press Return.
  • Page 790: Preventing Autonegotiation Mismatches

    Troubleshooting Power over Ethernet Switch Ports If a powered device (such as a Cisco IP Phone 7910) that is connected to a PoE switch port and is being powered by an AC power source loses power from the AC power source, the device might enter an error-disabled state.
  • Page 791: Using Ping

    Troubleshooting Using Ping If you are using a non-Cisco approved SFP module, remove the SFP module from the switch, and replace it with a Cisco-approved module. After inserting a Cisco-approved SFP module, use the errdisable recovery cause gbic-invalid global configuration command to verify the port status, and enter a time interval for recovering from the error-disabled state.
  • Page 792: Using Layer 2 Traceroute

    Chapter 35 Troubleshooting Using Layer 2 Traceroute Note Though other protocol keywords are available with the ping command, they are not supported in this release. This example shows how to ping an IP host: Switch# ping 172.20.52.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms...
  • Page 793: Usage Guidelines

    These are the Layer 2 traceroute usage guidelines: • Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP. For a list of switches that support Layer 2 traceroute, see the “Usage Guidelines”...
  • Page 794: Displaying The Physical Path

    Chapter 35 Troubleshooting Using IP Traceroute Displaying the Physical Path You can display the physical path that a packet takes from a source device to a destination device by using one of these privileged EXEC commands: • traceroute mac [interface interface-id] {source-mac-address} [interface interface-id] {destination-mac-address} [vlan vlan-id] [detail] • traceroute mac ip {source-ip-address | source-hostname}{destination-ip-address |...
  • Page 795: Executing Ip Traceroute

    Chapter 35 Troubleshooting Using IP Traceroute Executing IP Traceroute Beginning in privileged EXEC mode, follow this step to trace the path packets take through the network: Command Purpose traceroute ip host Trace the path packets take through the network by using IP. Note Though other protocol keywords are available with the traceroute privileged EXEC command, they are not supported in this release.
  • Page 796: Using Debug Commands

    For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
  • Page 797: Enabling All-System Diagnostics

    Chapter 35 Troubleshooting Using the show platform forward Command Enabling All-System Diagnostics Beginning in privileged EXEC mode, enter this command to enable all-system diagnostics: Switch# debug all Caution: Because debugging output takes priority over other network traffic, and because the debug all privileged EXEC command generates more output than any other debug command, it can severely diminish switch performance or even render it unusable.
  • Page 798 Chapter 35 Troubleshooting Using the show platform forward Command This is an example of the output from the show platform forward command on Gigabit Ethernet port 1 in VLAN 5 when the packet entering that port is addressed to unknown MAC addresses. The packet should be flooded to all other ports in VLAN 5.
  • Page 799 Chapter 35 Troubleshooting Using the show platform forward Command (output continued) Packet 1 Lookup Key-Used Index-Hit A-Data OutptACL 50_0D020202_0D010101-00_40000014_000A0000 01FFE 03000000 Port Vlan SrcMac DstMac Dscpv Gi0/2 0005 0001.0001.0001 0009.43A8.0145 This is an example of the output when the packet coming in on Gigabit Ethernet port 1 in VLAN 5 has a destination MAC address set to the router MAC address in VLAN 5 and the destination IP address unknown.
  • Page 800: Using The Crashinfo File

    Cisco IOS image to fail (crash). The switch writes the crash information to the console at the time of the failure, and the file is created the next time you boot the Cisco IOS image after the failure (instead of while the system is failing).
  • Page 801: Appendix

    • CISCO-CDP-MIB • CISCO-CLUSTER-MIB • CISCO-CONFIG-COPY-MIB • CISCO-CONFIG-MAN-MIB • CISCO-ENTITY-FRU-CONTROL-MIB • CISCO-ENVMON-MIB • CISCO-FLASH-MIB (Flash memory on all switches is modeled as removable Flash memory.) • CISCO-FTP-CLIENT-MIB • CISCO-HSRP-MIB • CISCO-HSRP-EXT-MIB (partial support) • CISCO-IGMP-FILTER-MIB • CISCO-IMAGE-MIB • CISCO-IP-STAT-MIB • CISCO-L2L3-INTERFACE-MIB •...
  • Page 802: Appendix A Supported Mib

    Appendix A Supported MIBs MIB List • CISCO-MAC-NOTIFICATION-MIB • CISCO-MEMORY-POOL-MIB • CISCO-PAGP-MIB • CISCO-PING-MIB • CISCO-PROCESS-MIB • CISCO-RTTMON-MIB • CISCO-STACKMAKER-MIB • CISCO-STP-EXTENSIONS-MIB • CISCO-SYSLOG-MIB • CISCO-TCP-MIB • CISCO-VLAN-IFTABLE-RELATIONSHIP-MIB • CISCO-VLAN-MEMBERSHIP-MIB • CISCO-VTP-MIB • ENTITY-MIB • ETHERLIKE-MIB • IEEE8023-LACP-MIB • IF-MIB (In and out counters for VLANs are not supported.) •...
  • Page 803: Using Ftp To Access The Mib Files

    Note: You can also use this URL for a list of supported MIBs for the Catalyst 3560 switch: ftp://ftp.cisco.com/pub/mibs/supportlists/cat3560/cat3560-supportlist.html You can access other information about MIBs and Cisco products on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml Using FTP to Access the MIB Files...
  • Page 805: Appendix

    Note For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This appendix consists of these sections: •...
  • Page 806: Displaying Available File Systems

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Displaying Available File Systems To display the available file systems on your switch, use the show file systems privileged EXEC command as shown in this example.
  • Page 807: Appendix B Working With The Cisco Ios File System, Configuration Files, And Software Images

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Setting the Default File System You can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command.
  • Page 808: Creating And Removing Directories

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Creating and Removing Directories Beginning in privileged EXEC mode, follow these steps to create and remove a directory: Command Purpose...
  • Page 809: Deleting Files

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Some invalid combinations of source and destination exist. Specifically, you cannot copy these combinations: • From a running configuration to a running configuration •...
  • Page 810: Creating A Tar File

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Creating a tar File To create a tar file and write files into it, use this privileged EXEC command: archive tar /create destination-url flash:/file-url For destination-url, specify the destination URL alias for the local or network file system and the name of the tar file to create.
  • Page 811: Extracting A Tar File

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System This example shows how to display the contents of a switch tar file that is in Flash memory: Switch# archive tar /table flash:c3560-i5-mz.121-19.EA1.tar info (219 bytes) c3560-i5-mz.121-19.EA1/ (directory)
  • Page 812: Displaying The Contents Of A File

    This section describes how to create, load, and maintain configuration files. Configuration files contain commands entered to customize the function of the Cisco IOS software. A way to create a basic configuration file is to use the setup program or to enter the setup privileged EXEC command.
  • Page 813 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Guidelines for Creating and Using Configuration Files Creating configuration files can aid in your switch configuration. Configuration files can contain some or all of the commands needed to configure one or more switches. For example, you might want to download the same configuration file to several switches that have the same hardware configuration.
  • Page 814: Preparing To Download Or Upload A Configuration File By Using Tftp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Creating a Configuration File By Using a Text Editor When creating a configuration file, you must list commands logically so that the system can respond appropriately.
  • Page 815 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files • Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).
  • Page 816: Copying Configuration Files By Using Ftp

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: •...
  • Page 817: Preparing To Download Or Upload A Configuration File By Using Ftp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files This section includes this information: • Preparing to Download or Upload a Configuration File By Using FTP, page B-13 • Downloading a Configuration File By Using FTP, page B-13 •...
  • Page 818 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Command Purpose Step 6 Return to privileged EXEC mode. Step 7 copy ftp:[[[//[username[:password]@]location]/directory]... Using FTP, copy the configuration file from a network...
  • Page 819: Uploading A Configuration File By Using Ftp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Uploading a Configuration File By Using FTP Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using FTP:...
  • Page 820: Copying Configuration Files By Using Rcp

    The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: •...
  • Page 821 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files • When you upload a file to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server.
  • Page 822 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101...
  • Page 823: Clearing Configuration Information

    Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you delete a file. By default, the switch prompts for confirmation on destructive file operations. For more information about the file prompt command, refer to the Cisco IOS Command Reference for Release 12.1.
  • Page 824: Working With Software Images

    Image Location on the Switch The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the HTML files needed for web management. The image is stored on the system board Flash memory (flash:).
  • Page 825 Flash memory is required to hold just the Cisco IOS image total_image_file_size Specifies the size of all the images (the Cisco IOS image and the HTML files) in the tar file, which is an approximate measure of how much Flash memory is required to hold them...
  • Page 826: Preparing To Download Or Upload An Image File By Using Tftp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Copying Image Files By Using TFTP You can download a switch image from a TFTP server or upload the image from the switch to a TFTP server.
  • Page 827 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images • Before uploading the image file, you might need to create an empty file on the TFTP server. To create an empty file, enter the touch filename command, where filename is the name of the file you will use when uploading the image to the server.
  • Page 828 The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the HTML files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 829: Copying Image Files By Using Ftp

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: •...
  • Page 830 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images If the server has a directory structure, the image file is written to or copied from the directory associated with the username on the server. For example, if the image file resides in the home directory of a user on the server, specify that user's name as the remote username.
  • Page 831 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Command Purpose Step 7 archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory] Download the image file from the FTP server to the switch, and overwrite the current image.
  • Page 832 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images The algorithm installs the downloaded image onto the system board Flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
  • Page 833: Copying Image Files By Using Rcp

    Working with Software Images The archive upload-sw command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the HTML files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 834 RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username in this list: The username specified in the archive download-sw or archive upload-sw privileged EXEC •...
  • Page 835 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Downloading an Image File By Using RCP You can download a new image file and replace or keep the current image. Beginning in privileged EXEC mode, follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image.
  • Page 836 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Command Purpose Step 7 archive download-sw /leave-old-sw /reload Download the image file from the RCP server to the switch, rcp:[[[//[username@]location]/directory]/image-na and keep the current image.
  • Page 837 The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the HTML files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 839: Appendix

    Appendix C Unsupported Commands in Cisco IOS Release 12.1(19)EA1 This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Catalyst 3560 switch prompt but are not supported in this release, either because they are not tested or because of Catalyst 3560 hardware limitations.
  • Page 840: Arp Commands

    Appendix C Unsupported Commands in Cisco IOS Release 12.1(19)EA1 ARP Commands ARP Commands Unsupported Global Configuration Commands arp ip-address hardware-address smds arp ip-address hardware-address srp-a arp ip-address hardware-address srp-b Unsupported Interface Configuration Commands arp probe ip probe proxy Unsupported Debug Commands...
  • Page 841: Unsupported Interface Configuration Commands

    Appendix C Unsupported Commands in Cisco IOS Release 12.1(19)EA1 FallBack Bridging bridge bridge-group circuit-group circuit-group pause milliseconds bridge bridge-group circuit-group circuit-group source-based bridge cmf bridge crb bridge bridge-group domain domain-name bridge irb bridge bridge-group mac-address-table limit number bridge bridge-group multicast-source...
  • Page 842: Hsrp

    Appendix C Unsupported Commands in Cisco IOS Release 12.1(19)EA1 HSRP HSRP Unsupported Global Configuration Commands interface Async interface BVI interface Dialer interface Group-Async interface Lex interface Multilink interface Virtual-Template interface Virtual-Tokenring Unsupported Interface Configuration Commands standby mac-refresh seconds standby use-bia...
  • Page 843: Unsupported Interface Configuration Commands

    Appendix C Unsupported Commands in Cisco IOS Release 12.1(19)EA1 IP Multicast Routing Unsupported Interface Configuration Commands switchport broadcast level switchport multicast level switchport unicast level Note: These commands have been replaced by the storm-control {broadcast | multicast | unicast} level level [.level] interface configuration command.
  • Page 844: Unsupported Interface Configuration Commands

    Appendix C Unsupported Commands in Cisco IOS Release 12.1(19)EA1 IP Unicast Routing Unsupported Interface Configuration Commands frame-relay ip rtp header-compression [active | passive] frame-relay map ip ip-address dlci [broadcast] compress frame-relay map ip ip-address dlci rtp header-compression [active | passive]...
  • Page 845: Unsupported Global Configuration Commands

    Appendix C Unsupported Commands in Cisco IOS Release 12.1(19)EA1 IP Unicast Routing Unsupported Global Configuration Commands ip accounting-list ip-address wildcard ip as-path access-list ip accounting-transits count ip cef accounting [per-prefix] [non-recursive] ip cef traffic-statistics [load-interval seconds] [update-rate seconds]] ip flow-aggregation...
  • Page 846: Unsupported Bgp Router Configuration Commands

    Appendix C Unsupported Commands in Cisco IOS Release 12.1(19)EA1 IP Unicast Routing Unsupported BGP Router Configuration Commands address-family vpnv4 default-information originate neighbor advertise-map neighbor allowas-in neighbor default-originate neighbor description network backdoor table-map Unsupported VPN Configuration Commands Unsupported Route Map Commands...
  • Page 847: Msdp

    Appendix C Unsupported Commands in Cisco IOS Release 12.1(19)EA1 MSDP MSDP Unsupported Privileged EXEC Commands show access-expression show exception show location show pm LINE show smf [interface-id] show subscriber-policy [policy-number] show template [template-name] Unsupported Global Configuration Commands ip msdp default-peer ip-address | name [prefix-list list] (Because BGP/MBGP is not supported, use the ip msdp peer command instead of this command.)
  • Page 848: Radius

    Appendix C Unsupported Commands in Cisco IOS Release 12.1(19)EA1 RADIUS RADIUS Unsupported Global Configuration Commands aaa nas port extended radius-server attribute nas-port radius-server configure radius-server extended-portnames SNMP Unsupported Global Configuration Commands snmp-server enable informs snmp-server enable traps flash insertion snmp-server enable traps flash removal...
  • Page 849: Unsupported User Exec Commands

    Appendix C Unsupported Commands in Cisco IOS Release 12.1(19)EA1 Unsupported User EXEC Commands show running-config vlan show vlan ifindex show vlan private-vlan Unsupported Privileged EXEC Commands vtp {password password | pruning | version number} private-vlan Note: This command has been replaced by the vtp global configuration command.
  • Page 851: Index

    Index access groups Numerics applying ACLs to interfaces 27-20 802.1D 27-20 See STP Layer 2 27-20 802.1Q Layer 3 27-20 and trunk ports 10-3 accessing configuration limitations 12-18 clusters, switch 5-13 encapsulation 12-16 command switches 5-11 native VLAN for untagged traffic 12-23 member switches...
  • Page 852 Index ACLs (continued) ACLs (continued) on switched packets 27-37 port 27-2 time ranges to precedence of 27-16 27-2 to an interface 27-19 28-7, 28-37 to QoS 28-7 router 27-2 classifying traffic for QoS standard IP 28-37 comments in configuring for QoS classification 27-18 28-37 compiling...
  • Page 853 Index adjacency tables, with CEF AS-path filters, BGP 30-64 30-53 administrative distances attributes, RADIUS defined vendor-proprietary 30-75 8-31 OSPF vendor-specific 30-34 8-29 routing protocol defaults 30-66 audience xxxiii advertisements authentication EIGRP 21-1 30-41 IGRP 30-23 HSRP 31-8 30-19 local mode with AAA 8-36 NTP associations 12-19, 13-3...
  • Page 854 Index automatic QoS BGP (continued) See QoS default configuration 30-45 automatic recovery, clusters described 5-10 30-44 See also HSRP enabling 30-47 autonegotiation monitoring 30-62 duplex mode multipath support 30-50 interface configuration guidelines neighbors, types of 10-13 30-47 mismatches 35-12 path selection 30-50 autonomous system boundary routers peers, configuring...
  • Page 855 19-3 broadcast storms overview 20-2, 30-13 32-7 server support only 32-7 switch support of CIDR 30-59 Cisco 7960 IP Phone 14-1 cables, monitoring for unidirectional links 22-1 Cisco Discovery Protocol candidate switch See CDP adding 5-17 Cisco Express Forwarding automatic discovery...
  • Page 856 Index classless routing clusters, switch (continued) 30-6 class maps for QoS benefits configuring command switch configuration 28-40 5-16 described compatibility 28-7 displaying 28-64 creating 5-16 class of service creating a cluster standby group 5-19 See CoS described clearing interfaces 10-23 LRE profile considerations 5-15 managing...
  • Page 857 Index command switch (continued) benefits replacing configuration modes with another switch 35-10 described with cluster member 1-2, 1-4 35-8 Front Panel view requirements described standby (SC) 5-10, 5-19 operating systems and supported browsers See also candidate switch, cluster standby group, member switch, and standby command switch privilege levels community list, BGP...
  • Page 858 Index configuration files (continued) cryptographic software image limiting TFTP server access 26-15 Kerberos 8-32 obtaining with DHCP 8-37 password recovery disable considerations CWDM 1-16 specifying the filename 4-12 CWDM SFPs 1-16 system contact and location information 26-14 types and location uploading preparing B-10, B-13, B-16...
  • Page 859 Index default configuration (continued) device discovery protocol 21-1 Layer 2 interfaces 10-11 Device Manager 3-15 MAC address table See also Switch Manager 6-22 MSDP DHCP-based autoconfiguration 33-4 MSTP 16-12 client request message exchange configuring 19-16 client side optional spanning-tree features 17-9 OSPF 30-29...
  • Page 860 PIM domain to DVMRP router xxxvi 32-38 world wide web xxxv enabling unicast routing 32-42 ordering xxxvi interoperability related with Cisco devices xxxv 32-36 document conventions with IOS software xxxiv 32-7 domain names mrinfo requests, responding to 32-41 neighbors...
  • Page 861 Index DVMRP (continued) EIGRP displaying 32-50 and IGRP 30-39 favoring one over another authentication 32-48 30-41 limiting the number injected into MBONE components 32-45 30-37 limiting unicast route advertisements 32-36 configuring 30-39 routing table default configuration 32-7 30-38 source distribution tree, building definition 32-7 30-37...
  • Page 862 Index EtherChannel (continued) Express Setup 1-9, 3-12 LACP See also hardware installation guide described extended-range VLANs 29-5 displaying status configuration guidelines 29-20 12-13 hot-standby ports 29-17 configuring 12-12 interaction with other features creating 29-6 12-13, 12-14 modes defined 29-6 12-1 port priority 29-19 extended system ID...
  • Page 863 Index fallback bridging (continued) filters, IP See ACLs, IP disabling on an interface Flash device, number of 34-10 forward-delay interval Flash updates, IGRP 34-9 30-25 hello BPDU interval 34-8 flooded traffic, blocking 20-6 interface priority flow-based packet classification 34-6 maximum-idle interval flowcharts 34-9 path cost...
  • Page 864 Index guide HSRP (continued) audience xxxiii routing redundancy purpose of timers xxxiii 31-8 guide mode tracking 1-2, 3-5 31-6 See also clusters, cluster standby group, and standby command switch hardware limitations and Layer 3 interfaces 10-19 HC (candidate switch) 5-19 IBPG 30-43 hello time...
  • Page 865 Index IGMP (continued) IGMP snooping (continued) join messages 19-3 global configuration 19-7 leave processing, enabling Immediate Leave 19-10 19-6 leaving multicast group method 19-5 19-8 multicast reachability 32-26 monitoring 19-12 overview support for 32-2 queries VLAN configuration 19-4 19-7 report suppression IGMP throttling described 19-6...
  • Page 866 Index interface configuration mode Intrusion Detection System interfaces See IDS configuration guidelines inventory, cluster 10-13 5-20 configuring IOS File System 10-7 configuring duplex mode 10-12 See IFS configuring speed ip access group command 10-12 27-20 counters, clearing IP ACLs 10-23 described 10-18 applying to an interface...
  • Page 867 Auto-RP 32-13 overview 32-5 configuring PIMv2 BSR 32-17 using with Auto-RP 32-21 monitoring mapping information 32-22 Cisco implementation 32-2 using Auto-RP and BSR 32-21 configuring statistics, displaying system and network 32-50 basic multicast routing 32-10 See also CGMP IP multicast boundary...
  • Page 868 Index IP precedence IP unicast routing (continued) 28-2 IP-precedence-to-DSCP map for QoS 28-48 IP addressing IP protocols classes 30-5 in ACLs configuring 27-11 30-4 routing IRDP 30-12 IP routes, monitoring Layer 3 interfaces 30-77 30-3 IP routing MAC address and IP address 30-8 connecting interfaces with 10-6...
  • Page 869 Index Layer 2 traceroute and ARP 35-15 join messages, IGMP 19-3 and CDP 35-15 described 35-14 IP addresses and subnets 35-15 MAC addresses and VLANs 35-15 multicast traffic 35-15 described 8-32 multiple devices on a port 35-15 See also Kerberos unicast traffic 35-14 Kerberos...
  • Page 870 Index loop guard management access described 17-8 in-band enabling browser session 17-15 support for CLI session LRE profiles, considerations in switch clusters 5-15 SNMP out-of-band console port connection management options benefits clustering MAC addresses aging time 6-22 and VLAN association 6-22 overview building the address table...
  • Page 871 Index member switch (continued) monitoring (continued) managing 5-21 passwords address tables 5-13 30-17 recovering from lost connectivity multicast routing 35-11 32-49 requirements routes 30-77 See also candidate switch, cluster standby group, and MSDP peers 33-19 standby command switch multicast router interfaces 19-12 menu bar 19-20...
  • Page 872 Index MSDP (continued) MSTP (continued) join latency, defined 33-6 configuring meshed groups forward-delay time 16-20 configuring hello time 33-16 16-19 defined 33-16 link type for rapid convergence 16-22 originating address, changing maximum aging time 33-18 16-21 overview maximum hop count 33-1 16-21 peer-RPF flooding...
  • Page 873 Index MSTP (continued) Multiple Spanning Tree Protocol MST region See MSTP CIST 16-3 configuring and address aliasing 16-13 19-16 described 16-2 configuring interfaces 19-18 hop-count mechanism default configuration 16-5 19-16 described 16-3 19-13 supported spanning-tree instances 16-2 modes 19-17 optional features supported monitoring 19-20 overview...
  • Page 874 Index normal-range VLANs OSPF (continued) configuration modes 12-6 metrics 30-34 defined route 12-1 30-34 no switchport command settings 10-3 30-29 note, described xxxiv described 30-28 not-so-stubby areas interface parameters, configuring 30-31 See NSSA LSA group pacing 30-35 NSSA, OSPF 30-32 monitoring 30-36 router IDs...
  • Page 875 Index path cost PIM-DVMRP, as snooping method 19-8 MSTP 16-18 ping character output description 15-18 35-14 executing 35-13 defined 30-71 overview 35-13 enabling 30-72 fast-switched policy-based routing configuring 30-73 10-16 local policy-based routing 30-73 support for PC (passive command switch) 5-10, 5-19 troubleshooting 35-12...
  • Page 876 Index port-based authentication port-based authentication (continued) authentication server ports defined authorization state and dot1x port-control command RADIUS server authorized and unauthorized client, defined voice VLAN configuration guidelines 9-11 port security configuring and voice VLAN 802.1X authentication 9-11 described guest VLAN 9-18 interactions host mode...
  • Page 877 Index ports privilege levels (continued) access 10-2 exiting 8-10 blocking in CMS 20-6 dynamic access logging into 12-4 8-10 protected 20-5 mapping on member switches 5-22 routed overview 10-3 8-2, 8-8 secure setting a command with 20-7 static-access 12-3, 12-11 protected ports 1-6, 20-5 switch...
  • Page 878 Index QoS (continued) QoS (continued) displaying the initial configuration 28-26 MAC ACLs 28-39 effects on running configuration policy maps 28-22 28-42 egress queue defaults port trust states within the domain 28-19 28-31 enabling for VoIP 28-23 trusted boundary 28-34 example configuration default auto configuration 28-24 28-18...
  • Page 879 Index QoS (continued) QoS (continued) setting WTD thresholds 28-53 SRR, described 28-12 WTD, described WTD, described 28-14 28-11 IP phones rewrites 28-17 automatic classification and queueing 28-18 support for detection and trusted settings trust states 28-18, 28-34 limiting bandwidth on egress interface bordering another domain 28-63 28-35...
  • Page 880 Index range Remote Authentication Dial-In User Service macro 10-9 See RADIUS of interfaces Remote Copy Protocol 10-8 rapid convergence See RCP 16-7 rapid per-VLAN spanning-tree plus Remote Network Monitoring See rapid PVST+ See RMON rapid PVST+ Remote SPAN 802.1Q trunking interoperability 15-10 See RSPAN described...
  • Page 881 Index RFC (continued) routed ports 1771, BGP 30-43 configuring 30-3 1901, SNMPv2C defined 26-2 10-3 1902 to 1907, SNMPv2 in switch clusters 26-2 2236, IP multicast and IGMP 19-2 IP addresses on 10-19, 30-3 2273-2275, SNMPv3 route-map command 26-2 30-73 route maps advertisements 30-19...
  • Page 882 Index RSPAN (continued) session limits 23-10 SC (standby command switch) 5-10, 5-19 sessions scheduled reloads 4-16 creating 23-17 defined 23-3 described limiting source traffic to specific VLANs 23-22 templates specifying monitored ports 23-17 configuring with ingress traffic enabled 23-20 number of source ports 23-5 SDM template...
  • Page 883 Index show cluster members command SNMP (continued) 5-21 show configuration command 10-18 described 26-5 show forward command differences from traps 35-19 26-5 show interfaces command enabling 10-14, 10-18 26-14 show platform forward command 35-19 limiting access by TFTP servers 26-15 show running-config command limiting system log messages to NMS 25-9...
  • Page 884 Index source-and-destination MAC address forwarding, SRR (continued) EtherChannel 29-7 described 28-12 source-IP address based forwarding, EtherChannel 29-7 shaped mode 28-12 source-MAC address forwarding, EtherChannel 29-7 shared mode 28-12 SPAN support for configuration guidelines 23-10 default configuration 23-9 configuring 8-39 destination ports 23-7 cryptographic software image 8-37...
  • Page 885 Index static IP routing STP (continued) static MAC addressing configuring static routes, configuring forward-delay time 30-65 15-21 static routing hello time 30-2 15-20 static VLAN membership 12-2 maximum aging time 15-21 statistics path cost 15-18 802.1X port priority 9-19 15-17 21-5 root switch 15-14...
  • Page 886 Index STP (continued) stratum, NTP using path costs 12-26 stub areas, OSPF 30-32 using port priorities subnet mask 12-24 30-5 loop guard subnet zero 30-6 described 17-8 success response, VMPS 12-28 enabling summer time 17-15 6-13 modes supported SunNet Manager 15-9 multicast addresses, effect of 15-8...
  • Page 887 Index system clock configuring TACACS+ daylight saving time 6-13 accounting, defined 8-11 manually 6-11 authentication, defined 8-11 summer time 6-13 authorization, defined 8-11 time zones 6-12 configuring displaying the time and date 6-12 accounting 8-17 overview authentication key 8-13 See also NTP authorization 8-16 system message logging...
  • Page 888 Index TFTP (continued) traffic policing configuration files in base directory traffic suppression 20-2 configuring for autoconfiguration transparent mode, VTP 13-3, 13-12 image files trap-door mechanism deleting B-24 traps downloading configuring MAC address notification B-23 6-23 preparing the server configuring managers B-22 26-11 uploading...
  • Page 889 Index trunks (continued) unicast MAC address filtering (continued) pruning-eligible list 12-22 and multicast addresses 6-26 to non-DTP device and router MAC addresses 12-17 6-26 understanding configuration guidelines 12-17 6-26 trusted boundary for QoS 28-34 described 6-26 trusted port states unicast storm control command 20-4 between QoS domains unicast storms...
  • Page 890 Index User Datagram Protocol VLAN maps See UDP applying 27-33 user EXEC mode common uses for 27-33 username-based authentication configuration example 27-34 configuration guidelines 27-29 configuring 27-29 creating 27-30 defined 27-2 version-dependent transparent mode 13-4 denying access example 27-35 virtual IP address denying and permitting packets 27-31 cluster standby group...
  • Page 891 Index VLANs (continued) voice-over-IP 14-1 illustrated 12-2 voice VLAN internal Cisco 7960 phone, port connections 12-13 14-1 limiting source traffic with RSPAN configuration guidelines 23-22 7-2, 14-3 limiting source traffic with SPAN 23-15 configuring IP phones for data traffic modifying...
  • Page 892 Index VTP (continued) described 13-1 weighted tail drop disabling 13-12 See WTD domain names 13-8 wizards 1-2, 3-6 domains 13-2 modes described 28-11 client 13-3, 13-11 setting thresholds server 13-3, 13-9 egress queue-sets 28-57 transitions 13-3 ingress queues 28-53 transparent 13-3, 13-12 support for monitoring...