Cisco 3750G - Catalyst Integrated Wireless LAN Controller Configuration Manual

Software configuration guide
Catalyst 3750 Switch Software
Configuration Guide
Cisco IOS Release 12.2(35)SE
December 2006
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-8550-02


Summary of Contents for Cisco 3750G - Catalyst Integrated Wireless LAN Controller

  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCVP, the Cisco Logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.;...
  • Page 3 Product Documentation DVD xlvi Ordering Documentation xlvi Documentation Feedback xlvii Cisco Product Security Overview xlvii Reporting Security Problems in Cisco Products xlvii Product Alerts and Field Notices xlviii Obtaining Technical Assistance xlviii Cisco Support Website xlviii Submitting a Service Request...
  • Page 4: Table Of Contents

    Contents Network Configuration Examples 1-15 Design Concepts for Using the Switch 1-16 Small to Medium-Sized Network Using Catalyst 3750 Switches 1-21 Large Network Using Catalyst 3750 Switches 1-23 Multidwelling Network Using Catalyst 3750 Switches 1-25 Long-Distance, High-Bandwidth Transport Configuration 1-26 Where to Go Next 1-27 Using the Command-Line Interface...
  • Page 5 Scheduling a Reload of the Software Image 3-16 Configuring a Scheduled Reload 3-17 Displaying Scheduled Reload Information 3-18 Configuring Cisco IOS CNS Agents C H A P T E R Understanding Cisco Configuration Engine Software Configuration Service Event Service NameSpace Mapper...
  • Page 6 Contents Configuring Cisco IOS Agents Enabling Automated CNS Configuration Enabling the CNS Event Agent Enabling the Cisco IOS CNS Agent Enabling an Initial Configuration Enabling a Partial Configuration 4-11 Displaying CNS Configuration 4-12 Managing Switch Stacks C H A P T E R...
  • Page 7 Contents Configuring the Switch Stack 5-19 Default Switch Stack Configuration 5-19 Enabling Persistent MAC Address 5-19 Assigning Stack Member Information 5-22 Assigning a Stack Member Number 5-22 Setting the Stack Member Priority Value 5-22 Provisioning a New Member for a Switch Stack 5-23 Accessing the CLI of a Specific Stack Member 5-25...
  • Page 8 Contents Administering the Switch C H A P T E R Managing the System Time and Date Understanding the System Clock Understanding Network Time Protocol Configuring NTP Default NTP Configuration Configuring NTP Authentication Configuring NTP Associations Configuring NTP Broadcast Service Configuring NTP Access Restrictions Configuring the Source IP Address for NTP Packets 7-10...
  • Page 9 Contents Managing the ARP Table 7-27 Configuring SDM Templates C H A P T E R Understanding the SDM Templates Dual IPv4 and IPv6 SDM Templates SDM Templates and Switch Stacks Configuring the Switch SDM Template Default SDM Template SDM Template Configuration Guidelines Setting the SDM Template Displaying the SDM Templates Configuring Switch-Based Authentication...
  • Page 10 Contents Controlling Switch Access with RADIUS 9-17 Understanding RADIUS 9-18 RADIUS Operation 9-19 Configuring RADIUS 9-20 Default RADIUS Configuration 9-20 Identifying the RADIUS Server Host 9-20 Configuring RADIUS Login Authentication 9-23 Defining AAA Server Groups 9-25 Configuring RADIUS Authorization for User Privileged Access and Network Services 9-27 Starting RADIUS Accounting 9-28...
  • Page 11 Contents Configuring Secure HTTP Servers and Clients 9-44 Default SSL Configuration 9-44 SSL Configuration Guidelines 9-45 Configuring a CA Trustpoint 9-45 Configuring the Secure HTTP Server 9-46 Configuring the Secure HTTP Client 9-47 Displaying Secure HTTP Server and Client Status 9-48 Configuring the Switch for Secure Copy Protocol 9-48...
  • Page 12 Contents Upgrading from a Previous Software Release 10-26 Configuring IEEE 802.1x Authentication 10-26 Configuring the Switch-to-RADIUS-Server Communication 10-27 Configuring the Host Mode 10-29 Configuring Periodic Re-Authentication 10-30 Manually Re-Authenticating a Client Connected to a Port 10-30 Changing the Quiet Period 10-31 Changing the Switch-to-Client Retransmission Time 10-31...
  • Page 13 Default Smartports Macro Configuration 12-2 Smartports Macro Configuration Guidelines 12-3 Creating Smartports Macros 12-4 Applying Smartports Macros 12-5 Applying Cisco-Default Smartports Macros 12-6 Displaying Smartports Macros 12-8 Configuring VLANs 13-1 C H A P T E R Understanding VLANs 13-1...
  • Page 14 Contents Configuring Normal-Range VLANs 13-4 Token Ring VLANs 13-6 Normal-Range VLAN Configuration Guidelines 13-6 VLAN Configuration Mode Options 13-7 VLAN Configuration in config-vlan Mode 13-7 VLAN Configuration in VLAN Database Configuration Mode 13-7 Saving VLAN Configuration 13-7 Default Ethernet VLAN Configuration 13-8 Creating or Modifying an Ethernet VLAN 13-9...
  • Page 15 Contents Configuring the VMPS Client 13-30 Entering the IP Address of the VMPS 13-30 Configuring Dynamic-Access Ports on VMPS Clients 13-31 Reconfirming VLAN Memberships 13-31 Changing the Reconfirmation Interval 13-31 Changing the Retry Count 13-32 Monitoring the VMPS 13-32 Troubleshooting Dynamic-Access Port VLAN Membership 13-33 VMPS Configuration Example 13-33...
  • Page 16 Configuring Voice VLAN 15-3 Default Voice VLAN Configuration 15-3 Voice VLAN Configuration Guidelines 15-3 Configuring a Port Connected to a Cisco 7960 IP Phone 15-4 Configuring Cisco IP Phone Voice Traffic 15-5 Configuring the Priority of Incoming Data Frames 15-6...
  • Page 17 Contents Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling 17-1 C H A P T E R Understanding IEEE 802.1Q Tunneling 17-1 Configuring IEEE 802.1Q Tunneling 17-4 Default IEEE 802.1Q Tunneling Configuration 17-4 IEEE 802.1Q Tunneling Configuration Guidelines 17-4 Native VLANs 17-4 System MTU 17-5...
  • Page 18 Contents Spanning Tree and Switch Stacks 18-12 Configuring Spanning-Tree Features 18-12 Default Spanning-Tree Configuration 18-13 Spanning-Tree Configuration Guidelines 18-13 Changing the Spanning-Tree Mode. 18-15 Disabling Spanning Tree 18-16 Configuring the Root Switch 18-16 Configuring a Secondary Root Switch 18-18 Configuring Port Priority 18-18 Configuring Path Cost 18-20...
  • Page 19 Contents Bridge Protocol Data Unit Format and Processing 19-12 Processing Superior BPDU Information 19-13 Processing Inferior BPDU Information 19-13 Topology Changes 19-13 Configuring MSTP Features 19-14 Default MSTP Configuration 19-15 MSTP Configuration Guidelines 19-15 Specifying the MST Region Configuration and Enabling MSTP 19-16 Configuring the Root Switch 19-17...
  • Page 20 22-1 DHCP Server 22-2 DHCP Relay Agent 22-2 DHCP Snooping 22-2 Option-82 Data Insertion 22-3 Cisco IOS DHCP Server Database 22-6 DHCP Snooping Binding Database 22-7 DHCP Snooping and Switch Stacks 22-8 Configuring DHCP Features 22-8 Default DHCP Configuration 22-8...
  • Page 21 Contents Enabling DHCP Snooping on Private VLANs 22-14 Enabling the Cisco IOS DHCP Server Database 22-14 Enabling the DHCP Snooping Binding Database Agent 22-15 Displaying DHCP Snooping Information 22-16 Understanding IP Source Guard 22-16 Source IP Address Filtering 22-17 Source IP and MAC Address Filtering...
  • Page 22 Contents Configuring IGMP Snooping 24-7 Default IGMP Snooping Configuration 24-7 Enabling or Disabling IGMP Snooping 24-8 Setting the Snooping Method 24-9 Configuring a Multicast Router Port 24-10 Configuring a Host Statically to Join a Group 24-11 Enabling IGMP Immediate Leave 24-11 Configuring the IGMP Leave Timer 24-12...
  • Page 23 Contents Configuring Protected Ports 25-5 Default Protected Port Configuration 25-6 Protected Port Configuration Guidelines 25-6 Configuring a Protected Port 25-6 Configuring Port Blocking 25-7 Default Port Blocking Configuration 25-7 Blocking Flooded Traffic on an Interface 25-7 Configuring Port Security 25-8 Understanding Port Security 25-8 Secure MAC Addresses...
  • Page 24 Contents Configuring SPAN and RSPAN 28-1 C H A P T E R Understanding SPAN and RSPAN 28-1 Local SPAN 28-2 Remote SPAN 28-3 SPAN and RSPAN Concepts and Terminology 28-4 SPAN Sessions 28-4 Monitored Traffic 28-5 Source Ports 28-6 Source VLANs 28-7 VLAN Filtering...
  • Page 25 Contents Configuring System Message Logging 30-1 C H A P T E R Understanding System Message Logging 30-1 Configuring System Message Logging 30-2 System Log Message Format 30-2 Default System Message Logging Configuration 30-4 Disabling Message Logging 30-4 Setting the Message Display Destination Device 30-5 Synchronizing Log Messages 30-6...
  • Page 26 Contents Configuring Network Security with ACLs 32-1 C H A P T E R Understanding ACLs 32-1 Supported ACLs 32-2 Port ACLs 32-3 Router ACLs 32-4 VLAN Maps 32-5 Handling Fragmented and Unfragmented Traffic 32-5 ACLs and Switch Stacks 32-6 Configuring IPv4 ACLs 32-7 Creating Standard and Extended IPv4 ACLs...
  • Page 27 Contents Using VLAN Maps with Router ACLs 32-36 VLAN Maps and Router ACL Configuration Guidelines 32-37 Examples of Router ACLs and VLAN Maps Applied to VLANs 32-38 ACLs and Switched Packets 32-38 ACLs and Bridged Packets 32-38 ACLs and Routed Packets 32-39 ACLs and Multicast Packets 32-40...
  • Page 28 Contents Standard QoS Configuration Guidelines 33-33 QoS ACL Guidelines 33-33 Applying QoS on Interfaces 33-33 Policing Guidelines 33-34 General QoS Guidelines 33-35 Enabling QoS Globally 33-35 Enabling VLAN-Based QoS on Physical Ports 33-35 Configuring Classification Using Port Trust States 33-36 Configuring the Trust State on Ports within the QoS Domain 33-36 Configuring the CoS Value for an Interface...
  • Page 29 Contents Configuring EtherChannels and Link-State Tracking 34-1 C H A P T E R Understanding EtherChannels 34-1 EtherChannel Overview 34-2 Port-Channel Interfaces 34-4 Port Aggregation Protocol 34-5 PAgP Modes 34-6 PAgP Interaction with Other Features 34-6 Link Aggregation Control Protocol 34-7 LACP Modes 34-7...
  • Page 30 Contents Configuring IP Addressing 35-5 Default Addressing Configuration 35-6 Assigning IP Addresses to Network Interfaces 35-7 Use of Subnet Zero 35-7 Classless Routing 35-8 Configuring Address Resolution Methods 35-9 Define a Static ARP Cache 35-10 Set ARP Encapsulation 35-11 Enable Proxy ARP 35-11 Routing Assistance When IP Routing is Disabled 35-12...
  • Page 31 35-69 Multi-VRF CE Configuration Example 35-70 Displaying Multi-VRF CE Status 35-74 Configuring Protocol-Independent Features 35-75 Configuring Distributed Cisco Express Forwarding 35-75 Configuring the Number of Equal-Cost Routing Paths 35-76 Configuring Static Unicast Routes 35-77 Specifying Default Routes and Networks 35-78...
  • Page 32 Contents Configuring Policy-Based Routing 35-82 PBR Configuration Guidelines 35-83 Enabling PBR 35-84 Filtering Routing Information 35-86 Setting Passive Interfaces 35-86 Controlling Advertising and Processing in Routing Updates 35-87 Filtering Sources of Routing Information 35-87 Managing Authentication Keys 35-88 Monitoring and Maintaining the IP Network 35-89 Configuring IPv6 Unicast Routing 36-1...
  • Page 33 Contents Configuring IPv6 MLD Snooping 37-1 C H A P T E R Understanding MLD Snooping 37-1 MLD Messages 37-2 MLD Queries 37-3 Multicast Client Aging Robustness 37-3 Multicast Router Discovery 37-3 MLD Reports 37-4 MLD Done Messages and Immediate-Leave 37-4 Topology Change Notification Processing 37-5...
  • Page 34 Configuring HSRP Object Tracking 39-17 Configuring Other Tracking Characteristics 39-18 Configuring IP Multicast Routing 40-1 C H A P T E R Understanding Cisco’s Implementation of IP Multicast Routing 40-2 Understanding IGMP 40-3 IGMP Version 1 40-3 IGMP Version 2...
  • Page 35 Contents Configuring a Rendezvous Point 40-12 Manually Assigning an RP to Multicast Groups 40-13 Configuring Auto-RP 40-14 Configuring PIMv2 BSR 40-19 Using Auto-RP and a BSR 40-23 Monitoring the RP Mapping Information 40-24 Troubleshooting PIMv1 and PIMv2 Interoperability Problems 40-24 Configuring Advanced PIM Features 40-24 Understanding PIM Shared Tree and Source Tree...
  • Page 36 Contents Controlling Route Exchanges 40-47 Limiting the Number of DVMRP Routes Advertised 40-47 Changing the DVMRP Route Threshold 40-47 Configuring a DVMRP Summary Address 40-48 Disabling DVMRP Autosummarization 40-50 Adding a Metric Offset to the DVMRP Route 40-50 Monitoring and Maintaining IP Multicast Routing 40-51 Clearing Caches, Tables, and Databases 40-51...
  • Page 37 Contents Configuring Fallback Bridging 42-3 Default Fallback Bridging Configuration 42-4 Fallback Bridging Configuration Guidelines 42-4 Creating a Bridge Group 42-4 Adjusting Spanning-Tree Parameters 42-6 Changing the VLAN-Bridge Spanning-Tree Priority 42-6 Changing the Interface Priority 42-7 Assigning a Path Cost 42-7 Adjusting BPDU Intervals 42-8 Disabling the Spanning Tree on an Interface...
  • Page 38 Contents Using IP Traceroute 43-17 Understanding IP Traceroute 43-17 Executing IP Traceroute 43-18 Using TDR 43-19 Understanding TDR 43-19 Running TDR and Displaying the Results 43-20 Using Debug Commands 43-20 Enabling Debugging on a Specific Feature 43-20 Enabling All-System Diagnostics 43-21 Redirecting Debug and Error Message Output 43-21...
  • Page 39 Contents Working with the Cisco IOS File System, Configuration Files, and Software Images A P P E N D I X Working with the Flash File System Displaying Available File Systems Setting the Default File System Displaying Information about Files on a File System...
  • Page 40 Uploading an Image File By Using RCP C-32 Copying an Image File from One Stack Member to Another C-33 Unsupported Commands in Cisco IOS Release 12.2(35)SE A P P E N D I X Access Control Lists Unsupported Privileged EXEC Commands...
  • Page 41 Contents IP Multicast Routing Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands IP Unicast Routing Unsupported Privileged EXEC or User EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands Unsupported BGP Router Configuration Commands Unsupported VPN Configuration Commands Unsupported Route Map Commands MAC Address Commands Unsupported Privileged EXEC Commands...
  • Page 42 Contents D-12 Unsupported Privileged EXEC Commands D-12 N D E X Catalyst 3750 Switch Software Configuration Guide xlii OL-8550-02...
  • Page 43 This guide is for the networking professional managing the Catalyst 3750 switch, hereafter referred to as the switch module. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
  • Page 44: Related Publications

    Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data. Related Publications: These documents provide complete information about the switch and are available from this Cisco.com site: http://www.cisco.com/en/US/products/hw/switches/ps5023/tsd_products_support_series_home.html Note: Before installing, configuring, or upgrading the switch, see these documents: •...
  • Page 45 • For upgrading information, see the “Downloading Software” section in the release notes. • You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section on page xlvi.
  • Page 46: Ordering Documentation

    DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at the Product Documentation Store at this URL: http://www.cisco.com/go/marketplace/docstore Ordering Documentation You must be a registered Cisco.com user to access Cisco Marketplace. Registered users may order Cisco documentation at the Product Documentation Store at this URL: http://www.cisco.com/go/marketplace/docstore Catalyst 3750 Switch Software Configuration Guide...
  • Page 47: Cisco Product Security Overview

    We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.
  • Page 48 URL: http://www.cisco.com/en/US/support/index.html Access to all tools on the Cisco Support website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL: http://tools.cisco.com/RPF/register/register.do...
  • Page 49: Submitting A Service Request

    Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 50 Information about Cisco products, technologies, and network solutions is available from various online and printed sources. • The Cisco Online Subscription Center is the website where you can sign up for a variety of Cisco e-mail newsletters and other communications. Create a profile and then select the subscriptions that you would like to receive.
  • Page 51 Preface Obtaining Additional Publications and Information • “What’s New in Cisco Documentation” is an online publication that provides information about the latest documentation releases for Cisco products. Updated monthly, this online publication is organized by product category to direct you quickly to the documentation for your products. You can view the latest release of “What’s New in Cisco Documentation”...
  • Page 53: Network Configuration Examples

    C H A P T E R 1 Overview This chapter provides these topics about the Catalyst 3750 switch software: • Features, page 1-1 • Default Settings After Initial Switch Configuration, page 1-12 • Network Configuration Examples, page 1-15 • Where to Go Next, page 1-27 Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 54 For full IPv6 support, including IPv6 routing and access control lists (ACLs), the advanced IP services image is required; upgrade licenses for this image can be ordered from Cisco. For more information on IPv6 routing, see Chapter 36, “Configuring IPv6 Unicast Routing.”...
  • Page 55 – Using a single IP address and configuration file to manage the entire switch stack. – Automatic Cisco IOS version-check of new stack members with the option to automatically load images from the stack master or from a TFTP server. –...
  • Page 56: Performance Features

    • Port blocking on forwarding unknown Layer 2 unicast, multicast, and bridged broadcast traffic • Cisco Group Management Protocol (CGMP) server support and Internet Group Management Protocol (IGMP) snooping for IGMP Versions 1, 2, and 3: – (For CGMP devices) CGMP for limiting multicast traffic to specified end stations and reducing...
  • Page 57: Management Options

    • Network Assistant—Network Assistant is a network management application that can be downloaded from Cisco.com. You use it to manage a single switch, a cluster of switches, or a community of devices. For more information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com.
  • Page 58 • Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source • Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses • Configuration logging to log and to view changes to the switch configuration •...
  • Page 59 • Link-state tracking to mirror the state of the ports that carry upstream traffic from connected hosts and servers, and to allow the failover of the server traffic to an operational link on another Cisco Ethernet switch. • RPS support through the Cisco RPS 300 and Cisco RPS 675 for enhancing power reliability...
  • Page 60: Security Features

    – Multidomain authentication (MDA) to allow both a data device and a voice device, such as an IP phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled switch port – VLAN assignment for restricting IEEE 802.1x-authenticated users to a specified VLAN...
  • Page 61 Chapter 1 Overview Features – Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port – Guest VLAN to provide limited services to non-IEEE 802.1x-compliant users – Restricted VLAN to provide limited services to users who are IEEE 802.1x compliant, but do...
  • Page 62 – Trusted port states (CoS, DSCP, and IP precedence) within a QoS domain and with a port bordering another QoS domain – Trusted boundary for detecting the presence of a Cisco IP Phone, trusting the CoS value received, and ensuring port security • Policing...
  • Page 63 Chapter 1 Overview Features Layer 3 Features These are the Layer 3 features: Note: Some features noted in this section are available only on the IP services image. • HSRP for Layer 3 router redundancy • IP routing protocols for load balancing and for constructing scalable, routed backbones:...
  • Page 64 • Support for CDP with power consumption. The powered device notifies the switch of the amount of power it is consuming. • Support for Cisco intelligent power management. The powered device and the switch negotiate through power-negotiation CDP messages for an agreed power-consumption level. The negotiation allows a high-power Cisco powered device to operate at its highest power mode.
  • Page 65 “Configuring Interface Characteristics.” – Auto-MDIX is enabled. For more information, see Chapter 11, “Configuring Interface Characteristics.” Note: In releases earlier than Cisco IOS Release 12.2(18)SE, the default setting for auto-MDIX is disabled.
  • Page 66 Chapter 1 Overview Default Settings After Initial Switch Configuration – Flow control is off. For more information, see Chapter 11, “Configuring Interface Characteristics.” – PoE is autonegotiate. For more information, see Chapter 11, “Configuring Interface Characteristics.” • No Smartports macros are defined. For more information, see Chapter 12, “Configuring Smartports...
  • Page 67 Chapter 1 Overview Network Configuration Examples – Unicast and multicast traffic flooding is not blocked. For more information, see Chapter 25, “Configuring Port-Based Traffic Control.” – No secure ports are configured. For more information, see Chapter 25, “Configuring Port-Based Traffic Control.” CDP is enabled.
  • Page 68: Design Concepts For Using The Switch

    Chapter 1 Overview Network Configuration Examples Design Concepts for Using the Switch As your network users compete for network bandwidth, it takes longer to send and receive data. When you configure your network, consider the bandwidth required by your network users and the relative priority of the network applications that they use.
  • Page 69 Chapter 1 Overview Network Configuration Examples Bandwidth alone is not the only consideration when designing your network. As your network traffic profiles evolve, consider providing network services that can support applications for voice and data integration, multimedia integration, application prioritization, and security. Table 1-2 describes some network demands and how you can meet them.
  • Page 70 Chapter 1 Overview Network Configuration Examples You can have redundant uplink connections, using SFP modules in the switch stack to a Gigabit backbone switch, such as a Catalyst 4500 or Catalyst 3750-12S Gigabit switch. You can also create backup paths by using Fast Ethernet, Gigabit, or EtherChannel links. If one of the redundant connections fails, the other can serve as a backup path.
  • Page 71 Chapter 1 Overview Network Configuration Examples [Figure 1-2 High-Performance Wiring Closet: Catalyst 4500 or 6500 multilayer switch, Catalyst 3750 Layer 3 StackWise switch stack] • Redundant Gigabit backbone—Using HSRP, you can create backup paths between two Catalyst 3750G multilayer Gigabit switches to enhance network reliability and load balancing for different VLANs and subnets.
  • Page 72 Chapter 1 Overview Network Configuration Examples Fault tolerance from the server racks to the core is achieved through dual homing of servers connected to dual switch stacks, which have redundant Gigabit EtherChannels and cross-stack EtherChannels. Using dual SFP module uplinks from the switches provides redundant uplinks to the network core. Using SFP modules provides flexibility in media and distance options through fiber-optic connections.
  • Page 73: Small To Medium-Sized Network Using Catalyst 3750 Switches

    Data and multimedia traffic are configured on the same VLAN. Voice traffic from the Cisco IP Phones is configured on separate VVIDs. If data, multimedia, and voice traffic are assigned to the same VLAN, only one VLAN can be configured per wiring closet.
  • Page 74 Each PoE switch port provides 15.4 W of power per port. The powered device, such as a Cisco IP Phone, can receive redundant power when it is also connected to an AC power source. Powered devices not connected to Catalyst PoE switches must be connected to AC power sources to receive power.
  • Page 75: Large Network Using Catalyst 3750 Switches

    Chapter 1 Overview Network Configuration Examples Large Network Using Catalyst 3750 Switches Switches in the wiring closet have traditionally been only Layer 2 devices, but as network traffic profiles evolve, switches in the wiring closet are increasingly employing multilayer services such as multicast management and traffic classification.
  • Page 76 Chapter 1 Overview Network Configuration Examples [Figure 1-7 Catalyst 3750 Switch Stacks in Wiring Closets in a Backbone Configuration: Cisco 7x00 routers, Catalyst 6500 multilayer switches, two Catalyst 3750 multilayer StackWise switch stacks, IEEE 802.3af-compliant powered devices]...
  • Page 77: Multidwelling Network Using Catalyst 3750 Switches

    Chapter 1 Overview Network Configuration Examples Multidwelling Network Using Catalyst 3750 Switches A growing segment of residential and commercial customers is requiring high-speed access to Ethernet metropolitan-area networks (MANs). Figure 1-8 shows a configuration for a Gigabit Ethernet MAN ring using multilayer switch stacks as aggregation switches in the mini-point-of-presence (POP) location.
  • Page 78: Long-Distance, High-Bandwidth Transport Configuration

    The CWDM OADM modules on the receiving end separate (or demultiplex) the different wavelengths. For more information about the CWDM SFP modules and CWDM OADM modules, see the Cisco CWDM GBIC and CWDM SFP Installation Note. Catalyst 3750 Switch Software Configuration Guide...
  • Page 79: Where To Go Next

    Chapter 1 Overview Where to Go Next [Figure 1-9 Long-Distance, High-Bandwidth Transport Configuration: access layer of eight Catalyst multilayer switches with 1-Gbps connections, CWDM OADM modules carrying 8 Gbps, aggregation layer Catalyst 4500 switches] Where to Go Next Before configuring the switch, review these sections for startup information: •...
  • Page 81: Understanding Command Modes

    C H A P T E R 2 Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Catalyst 3750 switch. It contains these sections: • Understanding Command Modes, page 2-1 •...
  • Page 82: Understanding Command Modes

    Chapter 2 Using the Command-Line Interface Understanding Command Modes Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the hostname Switch. Table 2-1 Command Mode Summary Mode...
  • Page 83: Understanding The Help System

    Chapter 2 Using the Command-Line Interface Understanding the Help System Table 2-1 Command Mode Summary (continued) — Mode: Interface configuration. Access Method: While in global configuration mode, ... Prompt: Switch(config-if)#. Exit Method: To exit to global configuration mode, ... About This Mode: Use this mode to configure parameters for the Ethernet...
  • Page 84: Understanding Abbreviated Commands

    Chapter 2 Using the Command-Line Interface Understanding Abbreviated Commands Table 2-2 Help Summary (continued) — Command: ? Purpose: List all commands available for a particular command mode. For example: Switch> ? — Command: command ? Purpose: List the associated keywords for a command. For example: Switch>...
  • Page 85: Understanding Cli Error Messages

    Using Configuration Logging Beginning with Cisco IOS Release 12.2(25)SEC, you can log and view changes to the switch configuration. You can use the Configuration Change Logging and Notification feature to track changes on a per-session and per-user basis. The logger tracks each configuration command that is applied, the user who entered the command, the time that the command was entered, and the parser return code for the command.
  • Page 86: Using Command History

    Chapter 2 Using the Command-Line Interface Using Command History Using Command History The software provides a history or record of commands that you have entered. The command history feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize this feature to suit your needs as described in these sections: Changing the Command History Buffer Size, page 2-6 (optional)
  • Page 87: Disabling The Command History Feature

    Chapter 2 Using the Command-Line Interface Using Editing Features Disabling the Command History Feature The command history feature is automatically enabled. You can disable it for the current terminal session or for the command line. These procedures are optional. To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command.
  • Page 88 Chapter 2 Using the Command-Line Interface Using Editing Features Table 2-5 Editing Commands through Keystrokes (continued) — Capability / Keystroke / Purpose: Press Ctrl-F, or press the right arrow key: Move the cursor forward one character. Press Ctrl-A: Move the cursor to the beginning of the command line. Press Ctrl-E:...
  • Page 89: Editing Command Lines That Wrap

    Chapter 2 Using the Command-Line Interface Using Editing Features Table 2-5 Editing Commands through Keystrokes (continued) — Capability: Scroll down a line or screen on displays that are longer than the terminal screen can display. Keystroke: Press the Return key. Purpose: Scroll down one line.
  • Page 90: Searching And Filtering Output Of Show And More Commands

    Chapter 2 Using the Command-Line Interface Searching and Filtering Output of show and more Commands Searching and Filtering Output of show and more Commands You can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see.
  • Page 91 Chapter 2 Using the Command-Line Interface Accessing the CLI If your switch is already configured, you can access the CLI through a local console connection or through a remote Telnet session, but your switch must first be configured for this type of access. For more information, see the “Setting a Telnet Password for a Terminal Line”...
  • Page 93: Understanding The Boot Process

    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2. This chapter consists of these sections: Understanding the Boot Process, page 3-1...
  • Page 94: Chapter 3 Assigning the Switch IP Address and Default Gateway

    Assigning Switch Information: The normal boot process involves the operation of the boot loader software, which performs these activities: Performs low-level CPU initialization. It initializes the CPU registers, which control where physical...
  • Page 95: Default Switch Information

    Note: Stack members retain their IP address when you remove them from a switch stack. To avoid a conflict by having two devices with the same IP address in your network, change the IP address of the switch that you removed from the switch stack.
  • Page 96: Dhcp Client Request Process

    With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your switch. However, you need to configure the DHCP server for various lease options associated with IP addresses. If you are using DHCP to relay the configuration file location on the network, you might also need to configure a Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server.
  • Page 97: Configuring Dhcp-Based Autoconfiguration

    Example Configuration, page 3-8. If your DHCP server is a Cisco device, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 for additional information about configuring DHCP.
  • Page 98: Configuring The Dns

    If you do not configure the DHCP server with the lease options described previously, it replies to client requests with only those parameters that are configured. If the IP address and the subnet mask are not in the reply, the switch is not configured.
  • Page 99: Configuring The Relay Device

    If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 100: Example Configuration

    IP information by using DHCP-based autoconfiguration. Figure 3-3 DHCP-Based Autoconfiguration Network Example: Switch 1 through Switch 4 (hardware addresses 00e0.9f1e.2001 through 00e0.9f1e.2004), Cisco router 10.0.0.10, DHCP server 10.0.0.1, DNS server 10.0.0.2, TFTP server (tftpserver) 10.0.0.3.
  • Page 101 Table 3-2 shows the configuration of the reserved leases on the DHCP server. Table 3-2 DHCP Server Configuration, binding key (hardware address): Switch A 00e0.9f1e.2001, Switch B 00e0.9f1e.2002, Switch C 00e0.9f1e.2003, Switch D...
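    The example configuration above binds each switch's hardware address to a reserved lease and relies on the DHCP reply to carry the subnet mask and the configuration-file location. The following Python is an added illustration, not code from the Cisco guide: it encodes the server side of such a reserved lease as RFC 2132 options, decodes it the way the switch would, and reproduces the failure mode the guide describes (no subnet mask in the reply, so the switch stays unconfigured). All addresses, hostnames and file names are constructed sample data modelled on Figure 3-3 and Table 3-2.

```python
"""Added example, not from the Cisco guide: how reserved DHCP leases and
options drive Catalyst DHCP-based autoconfiguration, and the failure the
guide warns about (no subnet mask in the reply means no configuration).

Option codes and TLV layout follow RFC 2132; all lease values are
constructed sample data modelled on the guide's example network.
"""
import ipaddress
import struct
from typing import Dict, Optional

# RFC 2132 option codes relevant to switch autoconfiguration.
OPT_PAD = 0
OPT_SUBNET_MASK = 1
OPT_ROUTER = 3
OPT_DNS_SERVER = 6
OPT_HOSTNAME = 12
OPT_TFTP_SERVER_NAME = 66
OPT_BOOTFILE_NAME = 67
OPT_END = 255

# Reserved leases keyed on the client hardware address (constructed sample
# data, in the spirit of the guide's Table 3-2).
RESERVED_LEASES = {
    "00e0.9f1e.2001": {"ip": "10.0.0.21", "hostname": "switcha", "config": "switcha-confg"},
    "00e0.9f1e.2002": {"ip": "10.0.0.22", "hostname": "switchb", "config": "switchb-confg"},
}
# Options shared by every lease on this subnet (constructed sample data).
COMMON = {"mask": "255.255.255.0", "router": "10.0.0.10",
          "dns": "10.0.0.2", "tftp": "tftpserver"}


def _ip_bytes(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def _opt(code: int, payload: bytes) -> bytes:
    """Encode one option as code, length, payload."""
    return struct.pack("!BB", code, len(payload)) + payload


def build_offer_options(hw_addr: str, include_mask: bool = True) -> Optional[bytes]:
    """Return the option block the server sends for a reserved lease, or None
    when no lease is bound to this hardware address.  include_mask=False
    models a server that was not given the subnet-mask lease option."""
    lease = RESERVED_LEASES.get(hw_addr.lower())
    if lease is None:
        return None
    opts = b""
    if include_mask:
        opts += _opt(OPT_SUBNET_MASK, _ip_bytes(COMMON["mask"]))
    opts += _opt(OPT_ROUTER, _ip_bytes(COMMON["router"]))
    opts += _opt(OPT_DNS_SERVER, _ip_bytes(COMMON["dns"]))
    opts += _opt(OPT_HOSTNAME, lease["hostname"].encode())
    opts += _opt(OPT_TFTP_SERVER_NAME, COMMON["tftp"].encode())
    opts += _opt(OPT_BOOTFILE_NAME, lease["config"].encode())
    return opts + bytes([OPT_END])


def parse_options(raw: bytes) -> Dict[int, bytes]:
    """Decode a TLV option block into {code: payload}; PAD is skipped and
    END terminates the scan.  A truncated option raises ValueError."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option without length byte")
        length = raw[i + 1]
        payload = raw[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated option %d" % code)
        out[code] = payload
        i += 2 + length
    return out


def switch_autoconfig(yiaddr: str, raw_options: bytes) -> Optional[dict]:
    """Mirror the switch's decision.  Without both an IP address (yiaddr)
    and a subnet mask the switch stays unconfigured (None).  Otherwise
    return the derived settings, including where the configuration file
    will be fetched from."""
    opts = parse_options(raw_options)
    if not yiaddr or yiaddr == "0.0.0.0" or OPT_SUBNET_MASK not in opts:
        return None

    def text(code: int) -> Optional[str]:
        return opts[code].decode() if code in opts else None

    mask = str(ipaddress.IPv4Address(opts[OPT_SUBNET_MASK]))
    iface = ipaddress.IPv4Interface("%s/%s" % (yiaddr, mask))
    return {
        "interface": str(iface),
        "gateway": str(ipaddress.IPv4Address(opts[OPT_ROUTER])) if OPT_ROUTER in opts else None,
        "hostname": text(OPT_HOSTNAME),
        "tftp_server": text(OPT_TFTP_SERVER_NAME),
        "config_file": text(OPT_BOOTFILE_NAME),
    }
```

    The security point to keep in view: the reply is unauthenticated, so whichever DHCP server answers first (a rogue server on the segment, or anything that can influence the relay) chooses the TFTP server and configuration file the switch loads. Use autoconfiguration only on a segment you control, or assign the IP information manually as the guide's Manually Assigning IP Information section describes.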
  • Page 102: Manually Assigning Ip Information

    Checking and Saving the Running Configuration: Switches B through D retrieve their configuration files and IP addresses in the same way. Manually Assigning IP Information: Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs). Note: If the switch is running the IP services image, you can also manually assign IP information to a port if...
  • Page 103 EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix C, “Working with the Cisco IOS File System, Configuration Files, and Software Images.”
  • Page 104: Modifying The Startup Configuration

    Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot cycle.
  • Page 105: Booting Manually

    Modifying the Startup Configuration. Note: This command only works properly from a standalone switch. Beginning in privileged EXEC mode, follow these steps to specify a different configuration filename: Step 1 configure terminal: Enter global configuration mode.
  • Page 106: Booting A Specific Software Image

    Step 4 show boot: Verify your entries. The boot manual global command changes the setting of the MANUAL_BOOT environment variable. The next time you reboot the system, the switch is in boot loader mode, shown by the switch: prompt.
  • Page 107: Controlling Environment Variables

    Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
  • Page 108: Scheduling A Reload Of The Software Image

    BOOT environment variable: A semicolon-separated list of executable files to try to load and execute when automatically booting. If the BOOT environment variable is not set, the system attempts to load and execute the... Corresponding Cisco IOS command: Specifies the Cisco IOS image to load during the next boot cycle and the stack members on which the image is loaded.
  • Page 109: Configuring A Scheduled Reload

    Configuring a Scheduled Reload: To configure your switch to reload the software image at a later time, use one of these commands in privileged EXEC mode: reload in [hh:]mm [text]...
  • Page 110: Displaying Scheduled Reload Information

    Displaying Scheduled Reload Information: To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch, use the show reload privileged EXEC command. It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled).
  • Page 111: Understanding Cisco Configuration Engine Software

    Chapter 4 Configuring Cisco IOS CNS Agents: This chapter describes how to configure the Cisco IOS CNS agents on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
  • Page 112: Chapter 4 Configuring Cisco IOS CNS Agents

    URLs that reference the device-specific configuration information stored in a directory. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
  • Page 113: Event Service

    Understanding Cisco Configuration Engine Software Event Service The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine.
  • Page 114: Deviceid

    Therefore, the DeviceID, as originated on the switch, must match the DeviceID of the corresponding switch definition in the Configuration Engine. The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID variable and its usage reside within the event gateway adjacent to the switch.
  • Page 115: Understanding Cisco Ios Agents

    Understanding Cisco IOS Agents: The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. The Cisco IOS agent feature supports the switch by providing these features: Initial Configuration, page 4-5...
  • Page 116: Incremental (Partial) Configuration

    NVRAM for use at the next reboot. Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 4-6.
  • Page 117 Note For more information about running the setup program and creating templates on the Configuration Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1.5 for Linux at this URL: http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/products_installation_and_configuration_ guide_book09186a00803b59db.html...
  • Page 118: Enabling The Cns Event Agent

    Enabling the CNS Event Agent. Note: You must enable the CNS event agent on the switch before you enable the CNS configuration agent. Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:...
  • Page 119: Enabling The Cisco Ios Cns Agent

    Enabling the Cisco IOS CNS Agent: After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands: The cns config initial global configuration command enables the Cisco IOS agent and initiates an...
  • Page 120 ID, or enter an arbitrary text string for string string as the unique ID. Step 8 cns config initial {ip-address | hostname} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check]: Enable the Cisco IOS agent, and initiate an initial configuration. For {ip-address | hostname}, enter the IP address or...
  • Page 121: Enabling A Partial Configuration

    RemoteSwitch(config)# cns id Ethernet 0 ipaddress
    RemoteSwitch(config)# cns config initial 10.1.1.1 no-persist
    Enabling a Partial Configuration: Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch: Command...
  • Page 122: Displaying Cns Configuration

    Displaying CNS Configuration Command Purpose show cns config connections Displays the status of the CNS Cisco IOS agent connections. show cns config outstanding Displays information about incremental (partial) CNS configurations that have started but are not yet completed. show cns config stats Displays statistics about the Cisco IOS agent.
  • Page 123: Managing Switch Stacks

    One of the switches controls the operation of the stack and is called the stack master. The stack master and the other switches in the stack are stack members. The stack members use the Cisco StackWise technology to behave and work together as a unified system. Layer 2 and Layer 3 protocols present the entire switch stack as a single entity to the network.
  • Page 124: Switch Stack Membership

    You can manage the stack through the same IP address even if you remove the stack master or any other stack member from the stack. You can use these methods to manage switch stacks: Network Assistant (available on Cisco.com)...
  • Page 125 Note their LAN ports, such as the 10/100/1000 ports. For more information about how switch stacks differ from switch clusters, see the “Planning and Creating Clusters” chapter in the Getting Started with Cisco Network Assistant, available on Cisco.com. Switch Stack Membership A switch stack has up to nine stack members connected through their StackWise ports.
  • Page 126: Stack Master Election And Re-Election

    Figure 5-1 Creating a Switch Stack from Two Standalone Switches (two stack member 1 switches become stack member 1 and stack member 2 and stack master). Figure 5-2 Adding a Standalone Switch to a Switch Stack (stack member 1, stack member 2 and stack master, ...)
  • Page 127 Catalyst 3750 IP base image during the master switch election in a stack. However, when two or more switches in the stack use different software images, such as the IP base image for Cisco IOS Release 12.1(11)AX and the cryptographic IP services image for Cisco IOS Release 12.1(19)EA1 or later, the switch running the IP base image is selected as the stack master.
  • Page 128: Switch Stack Bridge Id And Router Mac Address

    Switch Stack Bridge ID and Router MAC Address: The bridge ID and router MAC address identify the switch stack in the network. When the switch stack initializes, the MAC address of the stack master determines the bridge ID and router MAC address. If the stack master changes, the MAC address of the new stack master determines the new bridge ID and router MAC address.
  • Page 129: Stack Member Priority Values

    You manually create the provisioned configuration through the switch stack-member-number provision type global configuration command. The provisioned configuration also is automatically created when a switch is added to a switch stack that is running Cisco IOS Release 12.2(20)SE or later and when no provisioned configuration exists.
  • Page 130: Effects Of Adding A Provisioned Switch To A Switch Stack

    Effects of Adding a Provisioned Switch to a Switch Stack: When you add a provisioned switch to the switch stack, the stack applies either the provisioned configuration or the default configuration to it. Table 5-1 lists the events that occur when the switch stack compares the provisioned configuration with the provisioned switch.
  • Page 131: Effects Of Replacing A Provisioned Switch In A Switch Stack

    In addition, any configured PoE-related commands that are valid only on PoE-capable interfaces are rejected, even for ports 1 through 24. Note: If the switch stack is running Cisco IOS Release 12.2(20)SE or later and does not contain a provisioned configuration for a new switch, the switch joins the stack with the default interface configuration.
  • Page 132: Hardware Compatibility And Sdm Mismatch Mode In Switch Stacks

    “Hardware Compatibility and SDM Mismatch Mode in Switch Stacks” section on page 5-10. All stack members must run the same Cisco IOS software version to ensure compatibility between stack members. This helps ensure full compatibility in the stack protocol version among the stack members.
  • Page 133: Major Version Number Incompatibility Among Switches

    Managing Switch Stacks Understanding Switch Stacks Major Version Number Incompatibility Among Switches Switches with different Cisco IOS software versions likely have different stack protocol versions. Switches with different major version numbers are incompatible and cannot exist in the same switch stack.
  • Page 134: Auto-Upgrade And Auto-Advise Example Messages

    The same events occur when cryptographic and noncryptographic images are running. Beginning with Cisco IOS Release 12.2(35)SE, you can use the archive download-sw /allow-feature-upgrade privileged EXEC command to allow installing an image with a different feature set.
  • Page 135 Auto-copy example messages:
    *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:archiving c3750-ipservices-mz.122-25.SEB/info (450 bytes)
    *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:archiving info (104 bytes)
    *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:examining image...
    *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting info (104 bytes)
    *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting c3750-ipservices-mz.122-25.SEB/info (450 bytes)
    *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting info (104 bytes)
    *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:
    *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:Stacking Version Number:1.4
    *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:...
  • Page 136: Incompatible Software And Stack Member Image Upgrades

    EXEC command, the correct directory structure is not properly created. For more information about the info file, see the “tar File Format of Images on a Server or Cisco.com” section on page C-20. Incompatible Software and Stack Member Image Upgrades You can upgrade a switch that has an incompatible software image by using the archive copy-sw privileged EXEC command.
  • Page 137: Additional Considerations For System-Wide Configuration On Switch Stacks

    Note: We recommend that all stack members are installed with Cisco IOS Release 12.1(14)EA1 or later to ensure that the interface-specific settings of the stack master are saved, in case the stack master is replaced without saving the running configuration to the startup configuration.
  • Page 138: Switch Stack Management Connectivity

    See also: “IP Routing and Switch Stacks” section on page 35-3; “IPv6 and Switch Stacks” section on page 36-7; “HSRP and Switch Stacks” section on page 39-4; “Multicast Routing and Switch Stacks” section on page 40-8; ...
  • Page 139: Connectivity To Specific Stack Members

    Be careful when using multiple CLI sessions to the stack master. Commands that you enter in one session are not displayed in the other sessions. Therefore, it is possible that you might not be able to identify the session from which you entered a command.
  • Page 140 Table 5-2 Switch Stack Configuration Scenarios (continued). Scenario: stack master election specifically determined by the cryptographic IP services image software. Steps: assuming that all stack members have the same priority value, make sure that one stack member has... Result: the stack member with the cryptographic IP services image software is elected stack master.
  • Page 141: Configuring The Switch Stack

    Table 5-2 Switch Stack Configuration Scenarios (continued). Scenario: stack master failure. Steps: remove (or power off) the stack master. Result: based on the factors described in the “Stack Master Election and Re-Election” section on page 5-4, one of the remaining stack members becomes the new stack master.
  • Page 142 MAC address elsewhere in the domain could result in lost traffic. Beginning with Cisco IOS Release 12.2(35)SE, you can set the time period as 0 to 60 minutes. If you enter the command with no value, the default delay is 4 minutes. We recommend that you...
  • Page 143 Beginning in privileged EXEC mode, follow these steps to enable persistent MAC address. This procedure is optional. Step 1 configure terminal: Enter global configuration mode. Step 2 stack-mac persistent timer [0 | time-value]: Enable a time delay after a stack-master change before the stack MAC address changes to that of the new stack master.
  • Page 144: Assigning Stack Member Information

    show switch output (columns: Current Switch#, Role, Mac Address, Priority, Version, State): Master, 0016.4727.a900, Ready. Assigning Stack Member Information: These sections describe how to assign stack member information: Assigning a Stack Member Number, page 5-22 (optional)...
  • Page 145: Provisioning A New Member For A Switch Stack

    Step 2 switch stack-member-number priority new-priority-number: Specify the stack member number and the new priority for the stack member. The stack member number range is 1 to 9. The priority value range is 1 to 15.
  • Page 146 This example shows how to provision a Catalyst 3750G-12S switch with a stack member number of 2 for the switch stack. The show running-config command output shows the interfaces associated with the provisioned switch:
    Switch(config)# switch 2 provision WS-C3750G-12S
    Switch(config)# end
    ...
  • Page 147: Accessing The Cli Of A Specific Stack Member

    Accessing the CLI of a Specific Stack Member. Note: This task is available only from the stack master. This task is only for debugging purposes. You can access all or specific stack members by using the remote command {all | stack-member-number} privileged EXEC command.
  • Page 149: Clustering Switches

    Network Assistant has a Cluster Conversion Wizard to help you convert a cluster to a community. For more information about Network Assistant, including introductory information on managing switch clusters and converting a switch cluster to a community, see Getting Started with Cisco Network Assistant, available on Cisco.com.
  • Page 150: Chapter 6 Clustering Switches

    Table 6-1 Switch Software and Cluster Capability Switch Cisco IOS Release Cluster Capability Catalyst 3750 12.1(11)AX or later Member or command switch Catalyst 3560 12.1(19)EA1b or later...
  • Page 151: Cluster Command Switch Characteristics

    It is running Cisco IOS Release 12.1(11)AX or later. • It has an IP address. • It has Cisco Discovery Protocol (CDP) version 2 enabled (the default). • It is not a command or cluster member switch of another cluster. •...
  • Page 152: Candidate Switch And Cluster Member Switch Characteristics

    Candidate Switch and Cluster Member Switch Characteristics: Candidate switches are cluster-capable switches and switch stacks that have not yet been added to a cluster. Cluster member switches are switches and switch stacks that have actually been added to a switch cluster.
  • Page 153: Automatic Discovery Of Cluster Candidates And Members

    Planning a Switch Cluster Automatic Discovery of Cluster Candidates and Members The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
  • Page 154: Discovery Through Non-Cdp-Capable And Noncluster-Capable Devices

    Discovery Through Non-CDP-Capable and Noncluster-Capable Devices: If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 155: Discovery Through Different Vlans

    Discovery Through Different VLANs: If the cluster command switch is a Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 switch, the cluster can have cluster member switches in different VLANs. As cluster member switches, they must be connected through at least one VLAN in common with the cluster command switch.
  • Page 156: Discovery Through Routed Ports

    Note: If the switch cluster has a Catalyst 3750 switch or switch stack, that switch or switch stack must be the cluster command switch. The cluster command switch and standby command switch in Figure 6-4 (assuming they are Catalyst 2960, Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switches)...
  • Page 157: Discovery Of Newly Installed Switches

    Figure 6-5 Discovery Through Routed Ports (command device and member device 7 connected across VLAN 9, VLAN 62 and VLAN 4; management VLAN 62). Discovery of Newly Installed Switches: To join a cluster, the new, out-of-the-box switch must be connected to the cluster through one of its access ports.
  • Page 158: Hsrp And Standby Cluster Command Switches

    HSRP and Standby Cluster Command Switches: The switch supports Hot Standby Router Protocol (HSRP) so that you can configure a group of standby cluster command switches. Because a cluster command switch manages the forwarding of all communication and configuration information to all the cluster member switches, we strongly recommend the following:...
  • Page 159: Virtual Ip Addresses

    Virtual IP Addresses: You need to assign a unique virtual IP address and group number and name to the cluster standby group. This information must be configured on a specific VLAN or routed port on the active cluster command switch.
  • Page 160: Automatic Recovery Of Cluster Configuration

    All standby-group members must be members of the cluster. Note: There is no limit to the number of switches that you can assign as standby cluster command switches. However, the total number of switches in the cluster, which would include the active cluster command switch, standby-group members, and cluster member switches, cannot be more than 16.
  • Page 161: Ip Addresses

    Automatic discovery has these limitations: This limitation applies only to clusters that have Catalyst 2950, Catalyst 3550, Catalyst 3560, and Catalyst 3750 command and standby cluster command switches: If the active cluster command switch and standby cluster command switch become disabled at the same time, the passive cluster command switch with the highest priority becomes the active cluster command switch.
  • Page 162: Passwords

    If a switch joins a cluster and it does not have a hostname, the cluster command switch appends a unique member number to its own hostname and assigns it sequentially as each switch joins the cluster. The number means the order in which the switch was added to the cluster.
  • Page 163: Switch Clusters And Switch Stacks

    Switch Clusters and Switch Stacks: A switch cluster can have one or more Catalyst 3750 switch stacks. Each switch stack can act as the cluster command switch or as a single cluster member. Table 6-2 describes the basic differences between switch stacks and switch clusters.
  • Page 164: Tacacs+ And Radius

    Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
  • Page 165: Catalyst 1900 And Catalyst 2820 Cli Considerations

    The Telnet session accesses the member-switch CLI at the same privilege level as on the cluster command switch. The Cisco IOS commands then operate as usual. For instructions on configuring the switch for a Telnet session, see the “Disabling Password Recovery”...
  • Page 166 Using SNMP to Manage Switch Clusters. Note: When a cluster standby group is configured, the cluster command switch can change without your knowledge. Use the first read-write and read-only community strings to communicate with the cluster command switch if there is a cluster standby group configured for the cluster.
  • Page 167: Administering The Switch

    You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 168: Chapter 7 Administering The Switch

    Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 169: Configuring Ntp

    If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as if it is synchronized through NTP, when in fact it has learned the time by using other means. Other devices then synchronize to that device through NTP.
  • Page 170: Default Ntp Configuration

    These sections contain this configuration information: Default NTP Configuration, page 7-4; Configuring NTP Authentication, page 7-4; Configuring NTP Associations, page 7-5; Configuring NTP Broadcast Service, page 7-6; ...
  • Page 171: Configuring Ntp Associations

    Step 3 ntp authentication-key number md5 value: Define the authentication keys. By default, none are defined. For number, specify a key number. The range is 1 to...
  • Page 172: Configuring Ntp Broadcast Service

    Beginning in privileged EXEC mode, follow these steps to form an NTP association with another device: Step 1 configure terminal: Enter global configuration mode. Step 2 ntp peer ip-address [version number] [key keyid] [source interface] [prefer]: Configure the switch system clock to synchronize a peer or to be synchronized by a peer (peer association).
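    The authentication-key step above and the key keyid option on the association together describe NTP symmetric-key authentication: every packet carries a key ID and an MD5 digest, and the receiver drops packets whose digest does not verify under a trusted key. The following Python is an added example, not code from the Cisco guide or from Cisco IOS: it builds a client packet, appends the MAC the way RFC 1305/RFC 5905 symmetric-key MD5 authentication specifies (4-byte key ID followed by MD5 over key || header), and verifies it with the checks a receiver configured with ntp authenticate and ntp trusted-key applies. Key values and timestamps are constructed sample data; packets with extension fields are out of scope.

```python
"""Added example, not from the Cisco guide: NTP symmetric-key MD5
authentication as configured with `ntp authentication-key <n> md5 <value>`,
`ntp trusted-key <n>` and an association carrying `key <keyid>`.

The sender appends a MAC to the 48-byte NTP header: a 4-byte key ID followed
by MD5(key || header).  The receiver looks the key ID up in its own key
table, recomputes the digest and accepts the packet only if the digest
matches and the key ID is trusted.  Keys and timestamps below are
constructed sample data.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01

# Key table, as built by `ntp authentication-key number md5 value`
# (constructed sample keys; use long random values in a real deployment).
KEY_TABLE = {1: b"correcthorsebattery", 2: b"staging-only"}
# Keys a peer may authenticate with, as set by `ntp trusted-key 1`.
TRUSTED_KEYS = {1}


def ntp_timestamp(unix_seconds: float) -> bytes:
    """Encode a Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def build_client_header(transmit_unix: float, version: int = 4) -> bytes:
    """Minimal NTP client (mode 3) header with only the transmit timestamp
    set, as a switch polling its server would send."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    return (struct.pack("!BBbb", li_vn_mode, 0, 6, -20)  # LI/VN/mode, stratum, poll, precision
            + struct.pack("!II", 0, 0)                    # root delay, root dispersion
            + b"\x00" * 4                                 # reference ID
            + b"\x00" * 24                                # reference, origin, receive timestamps
            + ntp_timestamp(transmit_unix))


def md5_mac(key: bytes, header: bytes) -> bytes:
    """Keyed digest as specified for NTP MD5 keys: MD5 over key || packet."""
    return hashlib.md5(key + header).digest()


def sign_packet(header: bytes, keyid: int, key_table: dict = KEY_TABLE) -> bytes:
    """Append the MAC (key ID + 16-byte digest) for an association
    configured with `key keyid`."""
    return header + struct.pack("!I", keyid) + md5_mac(key_table[keyid], header)


def verify_packet(packet: bytes, key_table: dict = KEY_TABLE,
                  trusted: set = TRUSTED_KEYS) -> str:
    """Return 'ok' when the MAC verifies under a trusted key; otherwise the
    reason ('no-mac', 'unknown-key', 'untrusted-key', 'bad-digest').  A
    receiver with `ntp authenticate` drops anything that is not 'ok'."""
    if len(packet) < NTP_HEADER_LEN + 4 + 16:
        return "no-mac"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    keyid = struct.unpack("!I", mac[:4])[0]
    digest = mac[4:20]
    key = key_table.get(keyid)
    if key is None:
        return "unknown-key"
    if keyid not in trusted:
        return "untrusted-key"
    # Constant-time comparison so the check does not leak the digest via timing.
    if not hmac.compare_digest(md5_mac(key, header), digest):
        return "bad-digest"
    return "ok"
```

    Two practical consequences follow from the construction. The digest covers the whole header, so any change to the timestamps after signing fails verification, but nothing in it prevents replay of an old, validly signed packet; and a key that is defined but not listed with ntp trusted-key is still rejected, which is the usual reason an association shows as configured but never synchronizes.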
  • Page 173 The switch can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server, such as a router, broadcasting time information on the network. The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it.
  • Page 174: Configuring Ntp Access Restrictions

    Step 5 ntp broadcastdelay microseconds: (Optional) Change the estimated round-trip delay between the switch and the NTP broadcast server. The default is 3000 microseconds; the range is 1 to 999999. Step 6: Return to privileged EXEC mode.
  • Page 175 Step 3 access-list access-list-number permit source [source-wildcard]: Create the access list. For access-list-number, enter the number specified in Step 2. Enter the permit keyword to permit access if the conditions are...
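    The access list created in Step 3 is a numbered standard list referenced by the ntp access-group command from Step 2. Two details of how IOS evaluates it matter for getting the restriction right: the second address is a wildcard mask, not a subnet mask (a 0 bit must match, a 1 bit is ignored), and entries are tried in order with first match winning and an implicit deny at the end. The following Python is an added example, not code from the Cisco guide: it parses a few constructed access-list lines in IOS syntax (including the host and any shorthands) and evaluates a source address against them the way the switch does.

```python
"""Added example, not from the Cisco guide: evaluation of an IOS numbered
standard access list of the kind referenced by `ntp access-group`.

The second address on each entry is a WILDCARD mask (0 bit = must match,
1 bit = don't care; 0.0.0.0 is one host, 255.255.255.255 is any).  Entries
are tested in order, the first match wins, and a list with no match ends in
an implicit deny.  Entries below are constructed sample data.
"""
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, str, str]  # (action, source, source-wildcard)


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def entry_matches(source: str, wildcard: str, candidate: str) -> bool:
    """The candidate matches when every bit that is 0 in the wildcard mask
    is equal between source and candidate."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(source) & care) == (_to_int(candidate) & care)


def evaluate_acl(acl: List[Entry], candidate: str) -> Tuple[str, int]:
    """Return (action, index) of the first matching entry, or ('deny', -1)
    for the implicit deny that ends every IOS access list."""
    for idx, (action, source, wildcard) in enumerate(acl):
        if entry_matches(source, wildcard, candidate):
            return action, idx
    return "deny", -1


def parse_standard_acl(lines: List[str]) -> List[Entry]:
    """Parse `access-list N {permit|deny} source [source-wildcard]` lines,
    with the IOS shorthands `host A` (wildcard 0.0.0.0) and `any`
    (0.0.0.0 255.255.255.255).  A missing wildcard means an exact host."""
    acl: List[Entry] = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError("not a standard access-list line: %r" % line)
        action = tokens[2]
        if action not in ("permit", "deny"):
            raise ValueError("bad action in: %r" % line)
        if tokens[3] == "any":
            source, wildcard = "0.0.0.0", "255.255.255.255"
        elif tokens[3] == "host":
            if len(tokens) < 5:
                raise ValueError("host keyword without address: %r" % line)
            source, wildcard = tokens[4], "0.0.0.0"
        else:
            source = tokens[3]
            wildcard = tokens[4] if len(tokens) > 4 else "0.0.0.0"
        # Validate both addresses so a typo fails here rather than silently.
        ipaddress.IPv4Address(source)
        ipaddress.IPv4Address(wildcard)
        acl.append((action, source, wildcard))
    return acl


# Constructed sample: block one host, permit the rest of the NTP subnet,
# and let the implicit deny reject everything else.
SAMPLE_ACL_LINES = [
    "access-list 10 deny   host 10.0.0.99",
    "access-list 10 permit 10.0.0.0 0.0.0.255",
]
```

    The last two assertions in the accompanying check are the ones worth remembering: writing the subnet mask 255.255.255.0 where the wildcard 0.0.0.255 belongs makes the entry match only addresses whose last octet is 0, in any network, which is almost never the intended set of NTP peers.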
  • Page 176: Configuring The Source Ip Address For Ntp Packets

    Disabling NTP Services on a Specific Interface NTP services are enabled on all interfaces by default. Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on an interface: Command Purpose...
  • Page 177: Displaying The Ntp Configuration

    [detail] show ntp status • For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. Configuring Time and Date Manually If no other source of time is available, you can manually configure the time and date after the system is restarted.
  • Page 178: Displaying The Time And Date Configuration

    Displaying the Time and Date Configuration To display the time and date configuration, use the show clock [detail] privileged EXEC command. The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate).
  • Page 179: Configuring Summer Time (Daylight Saving Time)

    Configuring Summer Time (Daylight Saving Time) Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year: Command Purpose Step 1...
  • Page 180: Configuring A System Name And Prompt

    Chapter 7 Administering the Switch Configuring a System Name and Prompt Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events): Command Purpose Step 1...
  • Page 181: Default System Name And Prompt Configuration

    For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
  • Page 182: Default Dns Configuration

    To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the hostnames, specify the name server that is present on your network, and enable the DNS.
  • Page 183: Displaying The Dns Configuration

    If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
  • Page 184: Configuring A Message-Of-The-Day Login Banner

    Chapter 7 Administering the Switch Creating a Banner Configuring a Message-of-the-Day Login Banner You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: Command Purpose Step 1...
  • Page 185: Configuring A Login Banner

    Chapter 7 Administering the Switch Managing the MAC Address Table Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner: Command Purpose Step 1...
  • Page 186: Building The Address Table

    These sections contain this configuration information: • Building the Address Table, page 7-20 • MAC Addresses and VLANs, page 7-20 • MAC Addresses and Switch Stacks, page 7-21 • Default MAC Address Table Configuration, page 7-21 • ...
  • Page 187: Mac Addresses And Switch Stacks

    When private VLANs are configured, address learning depends on the type of MAC address: • Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated ...
  • Page 188: Removing Dynamic Address Entries

    Beginning in privileged EXEC mode, follow these steps to configure the dynamic address table aging time: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac address-table aging-time [0 | 10-1000000] [vlan vlan-id] Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated.
  • Page 189 Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address notification traps to an NMS host: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server host host-addr {traps | informs} {version {1 Specify the recipient of the trap message.
  • Page 190: Adding And Removing Static Address Entries

    Command Purpose Step 9 show mac address-table notification interface Verify your entries. show running-config Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable the switch from sending MAC address notification traps, use the no snmp-server enable traps mac-notification global configuration command.
  • Page 191: Configuring Unicast Mac Address Filtering

    Beginning in privileged EXEC mode, follow these steps to add a static address: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac address-table static mac-addr vlan vlan-id interface interface-id Add a static address to the MAC address table. • For mac-addr, specify the destination MAC unicast address to add to ...
  • Page 192 • If you add a unicast MAC address as a static address and configure unicast MAC address filtering, the switch either adds the MAC address as a static address or drops packets with that MAC address, depending on which command was entered last.
  • Page 193: Displaying Address Table Entries

    (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. For CLI procedures, see the Cisco IOS Release 12.2 documentation on Cisco.com. Catalyst 3750 Switch Software Configuration Guide...
  • Page 195: Configuring Sdm Templates

    Chapter 8 Configuring SDM Templates This chapter describes how to configure the Switch Database Management (SDM) templates on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
  • Page 196: Chapter 8 Configuring Sdm Template

    Chapter 8 Configuring SDM Templates Understanding the SDM Templates Table 8-1 lists the approximate numbers of each resource supported in each of the three templates for a desktop or an aggregator switch. Table 8-1 Approximate Number of Feature Resources Allowed by Each Template Desktop Templates Aggregator Templates Resource...
  • Page 197: Sdm Templates And Switch Stacks

    • Aggregator dual IPv4 and IPv6 default template—supports Layer 2, multicast, routing, QoS, and ACLs for IPv4, and Layer 2 and routing for IPv6 on Catalyst 3750-12S aggregator switches. • Aggregator dual IPv4 and IPv6 routing template—supports Layer 2, multicast, routing (including ...
  • Page 198: Configuring The Switch Sdm Template

    Chapter 8 Configuring SDM Templates Configuring the Switch SDM Template If the stack master is a desktop switch and a Catalyst 3750-12S running the aggregator template is added as a stack member, the stack operates with the desktop template selected on the stack master. This could result in configuration losses on the Catalyst 3750-12S if the number of TCAM entries on it exceeds desktop template sizes.
  • Page 199: Default Sdm Template

    Default SDM Template The default template for desktop switches is the default desktop template; the default template for the Catalyst 3750-12S is the default aggregator template. SDM Template Configuration Guidelines Follow these guidelines when selecting and configuring SDM templates: You must reload the switch for the configuration to take effect.
  • Page 200: Setting The Sdm Template

    Setting the SDM Template Beginning in privileged EXEC mode, follow these steps to use the SDM template to maximize feature usage: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 sdm prefer {access | default | Specify the SDM template to be used on the switch:...
  • Page 201: Displaying The Sdm Templates

    Chapter 8 Configuring SDM Templates Displaying the SDM Templates This is an example of an output display when you have changed the template and have not reloaded the switch: Switch# show sdm prefer The current template is "desktop routing" template. The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
  • Page 202 This is an example of output from the show sdm prefer command, displaying the template in use. Switch# show sdm prefer The current template is "desktop default" template. The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
  • Page 203 This is an example of output from the show sdm prefer dual-ipv4-and-ipv6 default command entered on a desktop switch: Switch# show sdm prefer dual-ipv4-and-ipv6 default "desktop IPv4 and IPv6 default" template: The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
  • Page 205: Configuring Switch-Based Authentication

    Chapter 9 Configuring Switch-Based Authentication This chapter describes how to configure switch-based authentication on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. This chapter consists of these sections: • Preventing Unauthorized Access to Your Switch, page 9-1 ...
  • Page 206: C H A P T E R 9 Configuring Switch-Based Authentication

    Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device. Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 207: Setting Or Changing A Static Enable Password

    Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Setting or Changing a Static Enable Password The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password: Command Purpose Step 1...
  • Page 208 • By default, no password is defined. • (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password that you...
  • Page 209: Disabling Password Recovery

    Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 210: Setting A Telnet Password For A Terminal Line

    Setting a Telnet Password for a Terminal Line When you power up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password.
  • Page 211: Configuring Multiple Privilege Levels

    Configuring Multiple Privilege Levels By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
  • Page 212: Setting The Privilege Level For A Command

    Setting the Privilege Level for a Command Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 213: Changing The Default Privilege Level For Lines

    Changing the Default Privilege Level for Lines Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 214: Controlling Switch Access With Tacacs

    TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 215 Figure 9-1 Typical TACACS+ Network Configuration (a Catalyst 6500 series switch with two UNIX workstations as TACACS+ server 1 at 171.20.10.7 and TACACS+ server 2 at 171.20.10.8). Configure the switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers).
  • Page 216: Tacacs+ Operation

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ TACACS+ Operation When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs: When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user.
  • Page 217: Default Tacacs+ Configuration

    authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.
  • Page 218: Configuring Tacacs+ Login Authentication

    Command Purpose Step 3 aaa new-model Enable AAA. Step 4 aaa group server tacacs+ group-name (Optional) Define the AAA server-group with a group name. This command puts the switch in a server group subconfiguration mode. Step 5 server ip-address (Optional) Associate a particular TACACS+ server with the defined server...
  • Page 219 Command Purpose Step 3 aaa authentication login {default | list-name} method1 [method2...] Create a login authentication method list. • To create a default list that is used when a named list is not specified ...
  • Page 220: Configuring Tacacs+ Authorization For Privileged Exec Access And Network Services

    Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 221: Starting Tacacs+ Accounting

    RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2. These sections contain this configuration information: •...
  • Page 222: Understanding Radius

    X.25 PAD connections. • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication. • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 223: Radius Operation

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Figure 9-2 Transitioning from RADIUS to TACACS+ Services (two RADIUS servers, a TACACS+ server, a remote TACACS+ server, and a workstation). RADIUS Operation When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur: The user is prompted to enter a username and password.
  • Page 224: Configuring Radius

    Configuring RADIUS This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication.
  • Page 225 You identify RADIUS security servers by their hostname or IP address, hostname and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
  • Page 226 Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | Specify the IP address or hostname of the remote RADIUS server host.
  • Page 227: Configuring Radius Login Authentication

    To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting: Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1 Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2...
  • Page 228 Command Purpose Step 3 aaa authentication login {default | list-name} method1 [method2...] Create a login authentication method list. • To create a default list that is used when a named list is not specified ...
  • Page 229: Defining Aaa Server Groups

    Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 230 Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | Specify the IP address or hostname of the remote RADIUS server host.
  • Page 231: Configuring Radius Authorization For User Privileged Access And Network Services

    Command Purpose Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. Step 9 Enable RADIUS login authentication. See the "Configuring RADIUS Login Authentication" section on page 9-23.
  • Page 232: Starting Radius Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 233: Configuring Settings For All Radius Servers

    1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
  • Page 234 (Optional) Save your entries in the configuration file. For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, see the "RADIUS Attributes" appendix in the Cisco IOS Security Configuration Guide, Release 12.2.
  • Page 235: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
  • Page 236: Controlling Switch Access With Kerberos

    • Configuring Kerberos, page 9-35 • For Kerberos configuration examples, see the “Kerberos Configuration Examples” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/ Note For complete syntax and usage information for the commands used in this section, see the “Kerberos Commands”...
  • Page 237 Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs).
  • Page 238: Kerberos Operation

    Table 9-2 Kerberos Terms (continued) Term Definition KEYTAB A password that a network service shares with the KDC. In Kerberos 5 and later Kerberos versions, the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it.
  • Page 239: Obtaining A Tgt From A Kdc

    KDC and obtain a TGT from the KDC to access network services. For instructions about how to authenticate to a KDC, see the “Obtaining a TGT from a KDC” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfkerb.ht...
  • Page 240: Configuring The Switch For Local Authentication And Authorization

    • Configure the switch to use the Kerberos protocol. For instructions, see the "Kerberos Configuration Task List" section in the "Security Server Protocols" chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfkerb.htm#1001027. Configuring the Switch for Local Authentication and...
  • Page 241: Configuring The Switch For Secure Shell

    Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 242: Understanding Ssh

    You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 243: Limitations

    Chapter 9 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell SSH also supports these user authentication methods: • TACACS+ (for more information, see the "Controlling Switch Access with TACACS+" section on page 9-10) • RADIUS (for more information, see the "Controlling Switch Access with RADIUS"...
  • Page 244: Setting Up The Switch To Run Ssh

    Setting Up the Switch to Run SSH Follow these steps to set up your switch to run SSH: Download the cryptographic software image from Cisco.com. This step is required. For more information, see the release notes for this release. Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server.
  • Page 245: Configuring The Ssh Server

    Configuring the SSH Server Beginning in privileged EXEC mode, follow these steps to configure the SSH server: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip ssh version [1 | 2] (Optional) Configure the switch to run SSH Version 1 or SSH Version 2.
  • Page 246: Configuring The Switch For Secure Socket Layer Http

    (pages) back to the HTTP secure server, which, in turn, responds to the original request. The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
  • Page 247 X.509v3 certificate from the client. Authenticating the client provides more security than server authentication by itself. For additional information on Certificate Authorities, see the "Configuring Certification Authority Interoperability" chapter in the Cisco IOS Security Configuration Guide, Release 12.2.
  • Page 248: Ciphersuites

    Chapter 9 Configuring Switch-Based Authentication Configuring the Switch for Secure Socket Layer HTTP CipherSuites A CipherSuite specifies the encryption algorithm and the digest algorithm to use on an SSL connection. When connecting to the HTTPS server, the client Web browser offers a list of supported CipherSuites, and the client and server negotiate the best encryption algorithm to use from those on the list that are supported by both.
  • Page 249: Ssl Configuration Guidelines

    SSL Configuration Guidelines When SSL is used in a switch cluster, the SSL session terminates at the cluster commander. Cluster member switches must run standard HTTP. Before you configure a CA trustpoint, you should ensure that the system clock is set. If the clock is not set, the certificate is rejected due to an incorrect date.
  • Page 250: Configuring The Secure Http Server

    Use the no crypto ca trustpoint name global configuration command to delete all identity information and certificates associated with the CA. Configuring the Secure HTTP Server If you are using a certificate authority for certification, you should use the previous procedure to configure the CA trustpoint on the switch before enabling the HTTP server.
  • Page 251: Configuring The Secure Http Client

    Command Purpose Step 11 ip http timeout-policy idle seconds life seconds requests value (Optional) Specify how long a connection to the HTTP server can remain open under the defined circumstances: • idle—the maximum time period when no data is received or response ...
  • Page 252: Displaying Secure Http Server And Client Status

    Chapter 9 Configuring Switch-Based Authentication Configuring the Switch for Secure Copy Protocol Command Purpose Step 3 ip http client secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-md5] [rc4-128-sha] [des-cbc-sha]} (Optional) Specify the CipherSuites (encryption algorithms) to be used for encryption over the HTTPS connection. If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support.
  • Page 253: Information About Secure Copy

    A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
  • Page 255: Configuring Ieee 802.1X Port-Based Authentication

    Note For complete syntax and usage information for the commands used in this chapter, see the "RADIUS Commands" section in the Cisco IOS Security Command Reference, Release 12.2 and in the command reference for this release. This chapter consists of these sections: • ...
  • Page 256: C H A P T E R 10 Configuring Ieee 802.1X Port-Based Authentication

    Chapter 10 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication IEEE 802.1x Accounting, page 10-9 • IEEE 802.1x Accounting Attribute-Value Pairs, page 10-9 • Using IEEE 802.1x Authentication with VLAN Assignment, page 10-10 • Using IEEE 802.1x Authentication with Per-User ACLs, page 10-11 •...
  • Page 257: Authentication Process

    Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 258 Figure 10-2 shows the authentication process. If Multi Domain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions that are applicable to voice authorization. For more information on MDA, see "Using Multidomain Authentication"...
  • Page 259: Authentication Initiation And Message Exchange

    The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which re-authentication occurs. The Termination-Action RADIUS attribute (Attribute[29]) specifies the action to take during re-authentication. The actions are Initialize and ReAuthenticate. When the Initialize action is set (the attribute value is DEFAULT), the IEEE 802.1x session ends, and connectivity is lost during re-authentication.
  • Page 260 The specific exchange of EAP frames depends on the authentication method being used. Figure 10-3 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.
  • Page 261: Ports In Authorized And Unauthorized States

    Figure 10-4 Message Exchange During MAC Authentication Bypass (the switch sends EAPOL Request/Identity three times; when the client responds with an ordinary Ethernet packet instead of EAPOL, the switch sends a RADIUS Access-Request for that MAC address and the authentication server returns Access-Accept). Ports in Authorized and Unauthorized States During IEEE 802.1x authentication, depending on the switch port state, the switch can grant a client access to the network.
  • Page 262: IEEE 802.1x Authentication and Switch Stacks

    If the client is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are allowed through the port.
  • Page 263: IEEE 802.1x Accounting

    Cisco IOS Release 12.2(35)SE and later support multidomain authentication (MDA), which allows both a data device and a voice device, such as an IP Phone (Cisco or non-Cisco), to connect to the same switch port. For more information, see the “Using Multidomain Authentication”...
  • Page 264: Using IEEE 802.1x Authentication with VLAN Assignment

    Using IEEE 802.1x Authentication with VLAN Assignment Before Cisco IOS Release 12.1(14)EA1, when an IEEE 802.1x port was authenticated, it was authorized to be in the access VLAN configured on the port even if the RADIUS server returned an authorized VLAN from its database.
  • Page 265: Using IEEE 802.1x Authentication with Per-User ACLs

    When configured on the switch and the RADIUS server, IEEE 802.1x authentication with VLAN assignment has these characteristics: • If no VLAN is supplied by the RADIUS server or if IEEE 802.1x authentication is disabled, the port...
  • Page 266 If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
  • Page 267: Using IEEE 802.1x Authentication with Guest VLAN

    In Cisco IOS Release 12.2(25)SEE and later, if devices send EAPOL packets to the switch during the lifetime of the link, the switch no longer allows clients that fail authentication access to the guest VLAN.
  • Page 268: Using IEEE 802.1x Authentication with Restricted VLAN

    Using IEEE 802.1x Authentication with Restricted VLAN You can configure a restricted VLAN (also referred to as an authentication failed VLAN) for each IEEE 802.1x port on a switch stack or a switch to provide limited services to clients that cannot access the guest VLAN.
  • Page 269: Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass

    Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass In Cisco IOS Release 12.2(25)SED and later, when the switch cannot reach the configured RADIUS servers and hosts cannot be authenticated, you can configure the switch to allow network access to the hosts connected to critical ports.
  • Page 270: Using IEEE 802.1x Authentication with Voice VLAN Ports

    A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it.
  • Page 271: Using IEEE 802.1x Authentication with Port Security

    Note: If you enable IEEE 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
  • Page 272: Using IEEE 802.1x Authentication with Wake-on-LAN

    Using IEEE 802.1x Authentication with Wake-on-LAN The IEEE 802.1x authentication with wake-on-LAN (WoL) feature allows dormant PCs to be powered up when the switch receives a specific Ethernet frame, known as the magic packet. You can use this feature in environments where administrators need to connect to systems that have been powered down.
  • Page 273: Using Network Admission Control Layer 2 IEEE 802.1x Validation

    Using Network Admission Control Layer 2 IEEE 802.1x Validation In Cisco IOS Release 12.2(25)SED and later, the switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which checks the antivirus condition or posture of endpoint systems or clients before granting the devices network access.
  • Page 274: Using Multidomain Authentication

    The switch supports multidomain authentication (MDA), which allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
  • Page 275: Using Web Authentication

    • When a port host mode is changed from single- or multihost to multidomain mode, an authorized data device remains authorized on the port. However, a Cisco IP phone that has been allowed on the port voice VLAN is automatically removed and must be reauthenticated on that port.
  • Page 276: Default IEEE 802.1x Authentication Configuration

    Chapter 10 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Configuring the Host Mode, page 10-29 (optional) • Configuring Periodic Re-Authentication, page 10-30 (optional) • Manually Re-Authenticating a Client Connected to a Port, page 10-30 (optional) • Changing the Quiet Period, page 10-31 (optional) •...
  • Page 277: IEEE 802.1x Authentication Configuration Guidelines

    Table 10-2 Default IEEE 802.1x Authentication Configuration (continued): Re-authentication number, default 2 times (number of times that the switch restarts the authentication process before the port changes to the unauthorized state).
  • Page 278: VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass

    IEEE 802.1x authentication and EtherChannel are configured. • If you are using a device running the Cisco Access Control Server (ACS) application for IEEE 802.1x authentication with EAP-Transport Layer Security (EAP-TLS) and EAP-MD5 and your switch is running Cisco IOS Release 12.1(14)EA1, make sure that the device is running ACS Version 3.2.1 or later.
  • Page 279: MAC Authentication Bypass

    • The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VMPS. • You can configure IEEE 802.1x authentication on a private-VLAN port, but do not configure...
  • Page 280: Upgrading From A Previous Software Release

    • In Cisco IOS Release 12.2(35)SE and later, you can configure a timeout period for hosts that are connected by MAC authentication bypass but are inactive. The range is 1-65535 seconds. You must enable port security before configuring a timeout value.
  • Page 281: Configuring the Switch-to-RADIUS-Server Communication

    Beginning in privileged EXEC mode, follow these steps to configure IEEE 802.1x port-based authentication: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA. Step 3 aaa authentication dot1x {default} Create an IEEE 802.1x authentication method list.
  • Page 282 Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on the switch. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | Configure the RADIUS server parameters.
  • Page 283: Configuring The Host Mode

    IEEE 802.1x-authorized port. Use the multi-domain keyword to configure multidomain authentication (MDA) to enable authentication of both a host and a voice device, such as an IP phone (Cisco or non-Cisco) on the same switch port. This procedure is optional.
  • Page 284: Configuring Periodic Re-Authentication

    Configuring Periodic Re-Authentication You can enable periodic IEEE 802.1x client re-authentication and specify how often it occurs. If you do not specify a time period before enabling re-authentication, the number of seconds between attempts is 3600.
  • Page 285: Changing The Quiet Period

    Changing the Quiet Period When the switch cannot authenticate the client, the switch remains idle for a set period of time and then tries again. The dot1x timeout quiet-period interface configuration command controls the idle period. A failed authentication of the client might occur because the client provided an invalid password.
  • Page 286: Setting The Switch-To-Client Frame-Retransmission Number

    Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 show dot1x interface interface-id Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default retransmission time, use the no dot1x timeout tx-period interface configuration command.
  • Page 287: Configuring IEEE 802.1x Accounting

    Note: You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers. Beginning in privileged EXEC mode, follow these steps to set the re-authentication number.
  • Page 288: Configuring A Guest Vlan

    Beginning in privileged EXEC mode, follow these steps to configure IEEE 802.1x accounting after AAA is enabled on your switch. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
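The procedures above (AAA and RADIUS setup, enabling IEEE 802.1x on a port, host mode, periodic re-authentication, quiet period, retransmission settings and accounting) assembled into one working configuration. This is an added example, not a configuration from the guide; the interface, VLAN IDs, server address and shared secret are assumed values. The aaa authorization network line does not appear in the step tables but is what lets the switch act on a RADIUS-assigned VLAN or Filter-Id.

```cisco
! Global AAA: method lists for 802.1x authentication, authorization and accounting.
! Server address 10.10.10.5 and the shared secret are assumed values.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key S3cr3t-Sh4red
! Obscures the key in "show running-config" (reversible type 7 only; protect backups).
service password-encryption
! Nothing below takes effect until 802.1x is enabled globally.
dot1x system-auth-control
!
! Access port with a PC behind a Cisco IP phone: multidomain host mode
! authenticates the data device and the voice device separately.
interface gigabitethernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 ! Re-authenticate every 3600 s (the default, stated explicitly); use
 ! "dot1x timeout reauth-period server" to take the interval from the
 ! RADIUS Session-Timeout attribute instead.
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 ! Hold the port 120 s after a failed attempt (default 60 s): slows online
 ! password guessing against the supplicant's credentials.
 dot1x timeout quiet-period 120
 ! EAP-Request/Identity retransmit interval and number of re-authentication
 ! attempts before the port goes unauthorized (both defaults, stated explicitly).
 dot1x timeout tx-period 30
 dot1x max-reauth-req 2
 spanning-tree portfast
end
!
! Verify: the port should report AUTHORIZED once the supplicant has passed,
! and the accounting server should receive Start/Stop records for the session.
show dot1x interface gigabitethernet1/0/1
show dot1x all statistics
```

The show dot1x interface output lists the timer and retry values in effect, so it is the quickest way to confirm that a per-port change, rather than the Table 10-2 default, is what the port is running.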
  • Page 289: Configuring A Restricted Vlan

    Command Purpose Step 5 dot1x guest-vlan vlan-id Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094. You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN.
  • Page 290 Command Purpose Step 5 dot1x auth-fail vlan vlan-id Specify an active VLAN as an IEEE 802.1x restricted VLAN. The range is 1 to 4094. You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x restricted VLAN.
  • Page 291: Configuring The Inaccessible Authentication Bypass Feature

    This example shows how to set 2 as the number of authentication attempts allowed before the port moves to the restricted VLAN: Switch(config-if)# dot1x auth-fail max-attempts 2 Configuring the Inaccessible Authentication Bypass Feature You can configure the inaccessible authentication bypass feature, also referred to as critical authentication or the AAA fail policy.
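Guest VLAN and restricted VLAN configured together on one port, with the containment a practitioner would add around them. This is an added example, not from the guide; the VLAN IDs, interface and addresses are assumed values. As the text explains, the guest VLAN is used when no EAPOL is seen on the link and the restricted VLAN when a supplicant is present but fails; neither should be a VLAN with unrestricted reach, so the example also fences both at their SVIs, assuming this switch is the default gateway for them.

```cisco
! VLAN 50 = guest (no supplicant), VLAN 60 = restricted (failed authentication).
! Both must exist and be active before they can be referenced; IDs are assumed.
vlan 50
 name GUEST-NO-SUPPLICANT
vlan 60
 name AUTH-FAIL-RESTRICTED
!
interface gigabitethernet1/0/2
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 ! No EAPOL response after the identity-request retries: port joins VLAN 50.
 dot1x guest-vlan 50
 ! Supplicant answered but was rejected: port joins VLAN 60 after 2 failed
 ! attempts (the default is 3).
 dot1x auth-fail vlan 60
 dot1x auth-fail max-attempts 2
 ! With re-authentication on, a host parked in the restricted VLAN is
 ! challenged again when the period expires instead of staying there for good.
 dot1x reauthentication
 dot1x timeout reauth-period 600
!
! Containment for both VLANs: DHCP and DNS (assumed resolver 10.10.10.53)
! plus anything outside the 10.0.0.0/8 corporate range; internal hosts are denied.
ip access-list extended QUARANTINE-IN
 permit udp any any eq bootps
 permit udp any host 10.10.10.53 eq domain
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any
interface vlan 50
 ip access-group QUARANTINE-IN in
interface vlan 60
 ip access-group QUARANTINE-IN in
end
!
! "show dot1x interface" lists the guest and restricted VLAN settings;
! the switchport view shows which VLAN the port actually landed in.
show dot1x interface gigabitethernet1/0/2
show interfaces gigabitethernet1/0/2 switchport
```

Per the guideline on page 267, a supplicant-capable host that sends EAPOL and then fails never reaches the guest VLAN on 12.2(25)SEE and later; if that is the case you want to catch, the restricted VLAN is the only place it can go, which is why the example configures both.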
  • Page 292 Command Purpose Step 4 radius-server host ip-address [acct-port udp-port] [auth-port udp-port] [key string] [test username ... (Optional) Configure the RADIUS server parameters by using these keywords: • acct-port udp-port—Specify the UDP port for the RADIUS...
  • Page 293: Configuring IEEE 802.1x Authentication with WoL

    Command Purpose Step 7 dot1x critical [recovery action reinitialize | vlan vlan-id] Enable the inaccessible authentication bypass feature, and use these keywords to configure the feature: • recovery action reinitialize—Enable the recovery feature, and...
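The inaccessible authentication bypass (critical authentication) procedure carried through end to end, as an added example that is not from the guide; the server address, shared secret, probe user name and VLAN 70 are assumed values. The feature is deliberately fail-open, so the example puts critical-mode hosts into a contained VLAN rather than the production access VLAN, makes the switch probe the server so that the dead/alive decision is made quickly, and re-initializes the ports when the server comes back.

```cisco
! Global: probe the RADIUS server with a test user every 5 minutes of idleness
! and declare it dead after 3 unanswered tries within 20 s; keep it marked
! dead for 10 minutes before trying it again for real requests.
! "probe-user" should be an account that does NOT exist on the server: an
! Access-Reject still proves the server is alive, and no real credential is
! placed in the switch configuration. Address and secret are assumed values.
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 test username probe-user idle-time 5 key S3cr3t-Sh4red
radius-server dead-criteria time 20 tries 3
radius-server deadtime 10
! Send EAPOL-Success to supplicants admitted in critical mode so they stop
! retrying, and wait 1 s after the server recovers before re-initializing ports.
dot1x critical eapol
dot1x critical recovery delay 1000
!
interface gigabitethernet1/0/3
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 ! While every configured server is dead, new hosts are placed in VLAN 70
 ! (a contained VLAN, not the production VLAN 10) instead of being refused.
 dot1x critical vlan 70
 ! When a server comes back, authenticate the critical-mode hosts properly.
 dot1x critical recovery action reinitialize
end
!
! Verify the critical settings on the port; the VLAN field tells you where a
! host ends up while RADIUS is unreachable.
show dot1x interface gigabitethernet1/0/3
```

Without the test username probe, the switch only learns that a server is dead from real authentication attempts timing out, so the first users after an outage wait through the full retry cycle; with it, the dead state is usually already known by the time a host connects.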
  • Page 294: Configuring MAC Authentication Bypass

    Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 show dot1x interface interface-id Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable IEEE 802.1x authentication with WoL, use the no dot1x control-direction interface configuration command.
  • Page 295: Configuring NAC Layer 2 IEEE 802.1x Validation

    Configuring NAC Layer 2 IEEE 802.1x Validation In Cisco IOS Release 12.2(25)SED or later, you can configure NAC Layer 2 IEEE 802.1x validation, which is also referred to as IEEE 802.1x authentication with a RADIUS server.
  • Page 296 Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA. Step 3 aaa authentication login default group radius Use RADIUS authentication. Before you can use this authentication method, you must configure the RADIUS server.
  • Page 297 Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip admission name rule proxy http Define a web authentication rule. Note: The same rule cannot be used for both web authentication and NAC Layer 2 IP validation.
  • Page 298: Disabling IEEE 802.1x Authentication on the Port

    Command Purpose Step 10 dot1x fallback fallback-profile Configure the port to authenticate a client by using web authentication when no IEEE 802.1x supplicant is detected on the port. Any change to the fallback-profile global configuration takes effect the next time IEEE 802.1x fallback is invoked on the interface.
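Web authentication as the fallback for hosts without an IEEE 802.1x supplicant, covering the two step tables above (the AAA/RADIUS login setup and the ip admission rule, fallback profile and dot1x fallback steps) in one added example that is not from the guide. Names, addresses and the pre-authentication ACL are assumed values.

```cisco
! Login authentication and auth-proxy authorization go to RADIUS. Note that the
! "default" login list also governs VTY/console logins; "local" keeps a fallback
! so an unreachable RADIUS server does not lock administrators out.
aaa new-model
aaa authentication login default group radius local
aaa authorization auth-proxy default group radius
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key S3cr3t-Sh4red
! The switch's own web server intercepts the host's HTTP request and serves the
! login page; the secure server keeps the submitted password off the wire in clear.
ip http server
ip http secure-server
ip device tracking
!
! Before login: let the host get an address, resolve names (assumed resolver
! 10.10.10.53) and send HTTP so it can be intercepted; everything else is dropped.
ip access-list extended WEBAUTH-PREAUTH
 permit udp any any eq bootps
 permit udp any host 10.10.10.53 eq domain
 permit tcp any any eq www
 deny ip any any
!
! The rule must be used only for web authentication (not reused for NAC L2 IP).
ip admission name WEBAUTH-RULE proxy http
fallback profile WEBAUTH-FALLBACK
 ip access-group WEBAUTH-PREAUTH in
 ip admission WEBAUTH-RULE
!
interface gigabitethernet1/0/4
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 ! Used only after the EAP identity requests go unanswered on this port.
 dot1x fallback WEBAUTH-FALLBACK
end
!
show dot1x interface gigabitethernet1/0/4
show ip admission cache
```

Because a change to the fallback profile only applies the next time fallback is invoked (see Step 10 above), a port that has already fallen back keeps the old ACL until it is bounced or re-initialized; plan profile edits accordingly.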
  • Page 299: Resetting the IEEE 802.1x Authentication Configuration to the Default Values

    This example shows how to disable IEEE 802.1x authentication on the port: Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# no dot1x pae authenticator Resetting the IEEE 802.1x Authentication Configuration to the Default Values Beginning in privileged EXEC mode, follow these steps to reset the IEEE 802.1x authentication configuration to the default values.
  • Page 300: Displaying IEEE 802.1x Statistics and Status

    Displaying IEEE 802.1x Statistics and Status To display IEEE 802.1x statistics for all ports, use the show dot1x all statistics privileged EXEC command. To display IEEE 802.1x statistics for a specific port, use the show dot1x statistics interface interface-id privileged EXEC command.
  • Page 301 Monitoring and Maintaining the Interfaces, page 11-28 Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the online Cisco IOS Interface Command Reference, Release 12.2. Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface types.
  • Page 302: Configuring Interface Characteristics

    Chapter 11 Configuring Interface Characteristics Understanding Interface Types Power over Ethernet Ports, page 11-6 • Connecting Interfaces, page 11-9 • Note: For information about the internal ports in the Catalyst 3750G Integrated Wireless LAN Controller switch, see Appendix A, “Configuring the Catalyst 3750G Integrated Wireless LAN Controller Switch.” Port-Based VLANs A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users.
  • Page 303: Access Ports

    Catalyst 6500 series switch; the Catalyst 3750 switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 15, “Configuring Voice VLAN.”...
  • Page 304: Tunnel Ports

    traffic is forwarded to and from the trunk port for that VLAN. If VTP learns of a new, enabled VLAN that is not in the allowed list for a trunk port, the port does not become a member of the VLAN, and no traffic for the VLAN is forwarded to or from the port.
  • Page 305: Switch Virtual Interfaces

    Switch Virtual Interfaces A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing or bridging function in the system. Only one SVI can be associated with a VLAN, but you need to configure an SVI for a VLAN only when you wish to route between VLANs, to fallback-bridge nonroutable protocols between VLANs, or to provide IP host connectivity to the switch.
  • Page 306: Etherchannel Port Groups

    Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP), which operate only on physical ports.
  • Page 307: Supported Protocols And Standards

    CDP messages for an agreed power-consumption level. The negotiation allows a high-power Cisco powered device, which consumes more than 7 W, to operate at its highest power mode. The powered device first boots up in low-power mode, consumes less than 7 W, and negotiates to obtain enough power to operate in high-power mode.
  • Page 308: Power Management Modes

    After power is applied to the port, the switch uses CDP to determine the actual power consumption requirement of the connected Cisco powered devices, and the switch adjusts the power budget accordingly. This does not apply to third-party PoE devices. The switch processes a request and either grants or denies power.
  • Page 309: Connecting Interfaces

    You can specify the maximum wattage that is allowed on the port. If the IEEE class maximum wattage of the powered device is greater than the configured maximum value, the switch does not provide power to the port.
  • Page 310: Using Interface Configuration Mode

    Using Interface Configuration Mode When the IP services image is running on the stack master, the switch supports two methods of forwarding traffic between interfaces: routing and fallback bridging. If the IP base image is on the stack master, only basic routing (static routing and RIP) is supported.
  • Page 311: Procedures For Configuring Interfaces

    You can identify physical interfaces by physically checking the interface location on the switch. You can also use the show privileged EXEC commands to display information about a specific interface or all the interfaces on the switch.
  • Page 312: Configuring A Range Of Interfaces

    Step 3 Follow each interface command with the interface configuration commands that the interface requires. The commands that you enter define the protocols and applications that will run on the interface. The commands are collected and applied to the interface when you enter another interface command or enter end to return to privileged EXEC mode.
  • Page 313: Configuring And Using Interface Range Macros

    When using the interface range global configuration command, note these guidelines: • Valid entries for port-range: – vlan vlan-ID - vlan-ID, where the VLAN ID is 1 to 4094 – fastethernet stack member/module/{first port} - {last port}, where the module is always 0 –...
  • Page 314 Beginning in privileged EXEC mode, follow these steps to define an interface range macro: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 define interface-range macro_name interface-range Define the interface-range macro, and save it in NVRAM. The macro_name is a 32-character maximum character string.
  • Page 315: Configuring Ethernet Interfaces

    This example shows how to define an interface-range named enet_list to include ports 1 and 2 on switch 1 and to verify the macro configuration: Switch# configure terminal Switch(config)# define interface-range enet_list gigabitethernet1/0/1 - 2 Switch(config)# end Switch# show running-config | include define define interface-range enet_list GigabitEthernet1/0/1 - 2...
  • Page 316 Enabled. Note: The switch might not support a pre-standard powered device—such as Cisco IP phones and access points that do not fully support IEEE 802.3af—if that powered device is connected to the switch through a crossover cable. This is regardless of whether auto-MDIX is enabled on the switch port.
  • Page 317: Configuration Guidelines For 10-Gigabit Ethernet Interfaces

    • The 10-Gigabit interfaces do not support these QoS features: – Policing – Auto-QoS for VoIP with Cisco IP Phones – Servicing the egress queues by using shaped round robin (SRR) weights – Limiting the bandwidth on an egress interface • If a 10-Gigabit module port is configured as a SPAN or RSPAN destination port, its link rate...
  • Page 318: Setting The Interface Speed And Duplex Parameters

    – The 100BASE-x (where -x is -BX, -CWDM, -LX, -SX, and -ZX) SFP module ports support only 100 Mbps. These modules support full- and half-duplex options but do not support autonegotiation. For information about which SFP modules are supported on your switch, see the product release notes.
  • Page 319: Configuring IEEE 802.3x Flow Control

    100 Mbps). You cannot configure half-duplex mode for interfaces operating at 1000 Mbps. Beginning with Cisco IOS Release 12.2(20)SE1, you can configure the duplex setting when the speed is set to auto. For more information about duplex settings, see the “Speed and...
  • Page 320: Configuring Auto-MDIX on an Interface

    When set to desired, an interface can operate with an attached device that is required to send flow-control packets or with an attached device that is not required to but can send flow-control packets. These rules apply to flow control settings on the device: • receive on (or desired): The port cannot send pause frames but can operate with an attached device...
  • Page 321: Configuring a Power Management Mode on a PoE Port

    Table 11-3 shows the link states that result from auto-MDIX settings and correct and incorrect cabling. Table 11-3 Link Conditions and Auto-MDIX Settings (columns: Local Side Auto-MDIX | Remote Side Auto-MDIX | With Correct Cabling | With Incorrect Cabling) Link up Link up...
  • Page 322 (15400 milliwatts). • never—Disable device detection, and disable power to the port. Note: If a port has a Cisco powered device connected to it, do not use the power inline never command to configure the port. A false link-up can occur, placing the port into an error-disabled state.
  • Page 323: Budgeting Power for Devices Connected to a PoE Port

    Budgeting Power for Devices Connected to a PoE Port When Cisco powered devices are connected to PoE ports, the switch uses Cisco Discovery Protocol (CDP) to determine the actual power consumption of the devices, and the switch adjusts the power budget accordingly.
  • Page 324: Adding A Description For An Interface

    Command Purpose Step 5 show power inline consumption default Display the power consumption status. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no power inline consumption default global configuration command.
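PoE port policy for three kinds of ports, as an added example that is not from the guide; the interfaces and wattages are assumed values. It shows the max keyword behaviour described on page 309 (a device whose IEEE class maximum exceeds the cap receives no power at all), never on ports that should not deliver power, and a static allocation that is reserved whether or not a device is present.

```cisco
! Phone port: detect and power automatically, but cap the port at 7 W (7000 mW).
! A powered device whose IEEE class maximum is above 7 W is refused power
! outright rather than being powered at a reduced level.
interface gigabitethernet1/0/5
 power inline auto max 7000
!
! Port that must never deliver power (uplink to another switch, or a jack
! where only data devices are expected). Detection is disabled too, so do not
! use this where a Cisco powered device may be plugged in: a false link-up
! can put the port into error-disabled state (see the note on page 322).
interface gigabitethernet1/0/24
 power inline never
!
! Device that must keep its allocation regardless of later requests on other
! ports (for example a security camera): the full 15.4 W is taken from the
! budget even while nothing is attached.
interface gigabitethernet1/0/6
 power inline static max 15400
end
!
! Budget view for the whole switch, then the per-port state, class and
! allocated wattage for the capped phone port.
show power inline
show power inline gigabitethernet1/0/5
```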
  • Page 325: Configuring Layer 3 Interfaces

    Command Purpose Step 5 show interfaces interface-id description, show running-config Verify your entry. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no description interface configuration command to delete the description. This example shows how to add a description on a port and how to verify the description: Switch# config terminal Enter configuration commands, one per line.
  • Page 326 • If the switch is notified by VLAN Trunking Protocol (VTP) of a new VLAN, it sends a message that there are not enough hardware resources available and shuts down the VLAN. The output of the show vlan user EXEC command shows the VLAN in a suspended state.
  • Page 327: Configuring the System MTU

    Configuring the System MTU The default maximum transmission unit (MTU) size for frames received and transmitted on all interfaces on the switch stack is 1500 bytes. You can increase the MTU size for all interfaces operating at 10 or 100 Mbps by using the system mtu global configuration command.
  • Page 328: Monitoring And Maintaining The Interfaces

    Command Purpose Step 3 system mtu jumbo bytes (Optional) Change the MTU size for all Gigabit Ethernet interfaces on the switch stack. The range is 1500 to 9000 bytes; the default is 1500 bytes. Step 4 system mtu routing bytes (Optional) Change the system MTU for routed ports.
  • Page 329: Monitoring Interface Status

    (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.2. Table 11-4...
  • Page 330: Clearing And Resetting Interfaces And Counters

    Clearing and Resetting Interfaces and Counters Table 11-5 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces. Table 11-5 Clear Commands for Interfaces Command Purpose clear counters [interface-id]...
  • Page 331: Understanding Smartports Macros

    When the macro is applied to an interface, the existing interface configurations are not lost. The new commands are added to the interface and are saved in the running configuration file. There are Cisco-default Smartports macros embedded in the switch software (see Table 12-1).
  • Page 332: Chapter 12 Configuring Smartports Macros

    Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
  • Page 333: Smartports Macro Configuration Guidelines

    • to the switch or interface. You can display the applied commands and macro names by using the show running-config user EXEC command. There are Cisco-default Smartports macros embedded in the switch software (see Table 12-1). You can display these macros and the commands they contain by using the show parser macro user EXEC command.
  • Page 334: Creating Smartports Macros

    Cisco-default macro with the required values by using the parameter value keywords. The Cisco-default macros use the $ character to help identify required keywords. There is no restriction on using the $ character to define keywords when you create a macro.
  • Page 335: Applying Smartports Macros

    Applying Smartports Macros Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 macro global {apply | trace} macro-name [parameter {value}] Apply each individual command defined in the macro to the switch by entering macro global apply macro-name.
  • Page 336: Applying Cisco-Default Smartports Macros

    Enter global configuration mode. Step 4 macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter... Append the Cisco-default macro with the required values by using the parameter value keywords and apply the macro to the switch.
  • Page 337 You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command. This example shows how to display the cisco-desktop macro, how to apply the macro, and to set the access VLAN ID to 25 on an interface:...
  • Page 338: Displaying Smartports Macros

    Displaying Smartports Macros To display the Smartports macros, use one or more of the privileged EXEC commands in Table 12-2. Table 12-2 Commands for Displaying Smartports Macros Command Purpose show parser macro Displays all configured macros.
  • Page 339: Understanding VLANs

    Chapter 13 Configuring VLANs This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Catalyst 3750 switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS).
  • Page 340: Chapter 13 Configuring Vlan

    [Figure: VLANs as Logically Defined Networks. Engineering, Marketing, and Accounting VLANs span Floor 1, Floor 2, and Floor 3 and connect over Gigabit Ethernet to a Cisco router.] VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN. Interface VLAN membership on the switch is assigned manually on an interface-by-interface basis.
  • Page 341: Vlan Port Membership Modes

    Although the switch stack supports a total of 1005 (normal range and extended range) VLANs, the number of routed ports, SVIs, and other configured features affects the use of the switch hardware. The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances.
  • Page 342: Configuring Normal-Range Vlans

    Table row (VLAN Membership Characteristics / VTP Characteristics) for Voice VLAN: A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic. VTP is not required; it has no effect on a voice VLAN.
  • Page 343 Chapter 13 Configuring VLANs Configuring Normal-Range VLANs You can cause inconsistency in the VLAN database if you attempt to manually delete the vlan.dat file. Caution If you want to modify the VLAN configuration, use the commands described in these sections and in the command reference for this release.
  • Page 344: Token Ring Vlans

    Token Ring VLANs. Although the switch does not support Token Ring connections, a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches. Switches running VTP Version 2 advertise information about these Token Ring VLANs: • Token Ring TrBRF VLANs...
  • Page 345: Vlan Configuration Mode Options

    VLAN Configuration Mode Options. You can configure normal-range VLANs (with VLAN IDs 1 to 1005) by using these two configuration modes: • VLAN Configuration in config-vlan Mode, page 13-7. You access config-vlan mode by entering the vlan vlan-id global configuration command. • VLAN Configuration in VLAN Database Configuration Mode, page 13-7...
  • Page 346: Default Ethernet Vlan Configuration

    When you save VLAN and VTP information (including extended-range VLAN configuration information) in the startup configuration file and reboot the switch, the switch configuration is selected as follows: • If the VTP mode is transparent in the startup configuration, and the VLAN database and the VTP...
  • Page 347: Creating Or Modifying An Ethernet Vlan

    Creating or Modifying an Ethernet VLAN. Each Ethernet VLAN in the VLAN database has a unique, 4-digit ID that can be a number from 1 to 1001. VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs. To create a normal-range VLAN to be added to the VLAN database, assign a number and name to the VLAN.
  • Page 348: Deleting A Vlan

    You can also create or modify Ethernet VLANs by using the VLAN database configuration mode. Note: VLAN database configuration mode does not support RSPAN VLAN configuration or extended-range VLANs. Beginning in privileged EXEC mode, follow these steps to use VLAN database configuration mode to create or modify an Ethernet VLAN: Command / Purpose...
  • Page 349: Assigning Static-Access Ports To A Vlan

    Caution: When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN. Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch: Command / Purpose: Step 1...
  • Page 350: Configuring Extended-Range Vlans

    Step 7, show interfaces interface-id switchport: Verify your entries in the Administrative Mode and the Access Mode VLAN fields of the display. Step 8, copy running-config startup-config: (Optional) Save your entries in the configuration file. To return an interface to its default configuration, use the default interface interface-id interface configuration command.
  • Page 351: Extended-Range Vlan Configuration Guidelines

    Extended-Range VLAN Configuration Guidelines. Follow these guidelines when creating extended-range VLANs: • To add an extended-range VLAN, you must use the vlan vlan-id global configuration command and access config-vlan mode. You cannot add extended-range VLANs in VLAN database configuration mode (accessed by entering the vlan database privileged EXEC command).
  • Page 352: Creating An Extended-Range Vlan

    Creating an Extended-Range VLAN. You create an extended-range VLAN in global configuration mode by entering the vlan global configuration command with a VLAN ID from 1006 to 4094. This command accesses the config-vlan mode.
  • Page 353: Creating An Extended-Range Vlan With An Internal Vlan Id

    This example shows how to create a new extended-range VLAN with all default characteristics, enter config-vlan mode, and save the new VLAN in the switch startup configuration file:
    Switch(config)# vtp mode transparent
    Switch(config)# vlan 2000
    Switch(config-vlan)# end
    Switch# copy running-config startup-config
    Creating an Extended-Range VLAN with an Internal VLAN ID...
  • Page 354: Displaying Vlans

    Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network. Two trunking encapsulations are available on all Ethernet interfaces: • Inter-Switch Link (ISL)—Cisco-proprietary trunking encapsulation. • IEEE 802.1Q—industry-standard trunking encapsulation.
  • Page 355 Figure 13-2 shows a network of switches that are connected by ISL trunks. [Figure 13-2 Switches in an ISL Trunking Environment: a Catalyst 6500 series switch connected by trunks to four switches carrying VLAN1, VLAN2, and VLAN3...]
  • Page 356: Encapsulation Types

    Table 13-4 Layer 2 Interface Modes (Mode / Function): switchport mode access: Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether or not the neighboring interface is a trunk interface.
  • Page 357: Ieee 802.1Q Configuration Considerations

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
  • Page 358: Interaction With Other Features

    • Configuring the Native VLAN for Untagged Traffic, page 13-23. By default, an interface is in Layer 2 mode. Note: The default mode for Layer 2 interfaces is switchport mode dynamic auto. If the neighboring interface supports trunking and is configured to allow trunking, the link is a Layer 2 trunk or, if the interface is in Layer 3 mode, it becomes a Layer 2 trunk when you enter the switchport interface configuration command.
  • Page 359: Defining The Allowed Vlans On A Trunk

    VLANs from the allowed list. Note: VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
  • Page 360: Changing The Pruning-Eligible List

    VLAN 1 from the allowed list. When you remove VLAN 1 from a trunk port, the interface continues to send and receive management traffic, for example, Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), DTP, and VTP in VLAN 1.
  • Page 361: Configuring The Native Vlan For Untagged Traffic

    Beginning in privileged EXEC mode, follow these steps to remove VLANs from the pruning-eligible list on a trunk port: Step 1, configure terminal: Enter global configuration mode. Step 2, interface interface-id: Select the trunk port for which VLANs should be pruned, and enter interface configuration mode.
  • Page 362: Configuring Trunk Ports For Load Sharing

    Step 3, switchport trunk native vlan vlan-id: Configure the VLAN that is sending and receiving untagged traffic on the trunk port. For vlan-id, the range is 1 to 4094. Step 4: Return to privileged EXEC mode.
  • Page 363 In this way, Trunk 1 carries traffic for VLANs 8 through 10, and Trunk 2 carries traffic for VLANs 3 through 6. If the active trunk fails, the trunk with the lower priority takes over and carries the traffic for all of the VLANs.
  • Page 364: Load Sharing Using Stp Path Cost

    Step 13: Repeat Steps 7 through 11 on Switch A for a second port in the switch stack. Step 14: Repeat Steps 7 through 11 on Switch B to configure the trunk ports that connect to the trunk ports configured on Switch A.
  • Page 365 [Figure 13-4 Load-Sharing Trunks with Traffic Distributed by Path Cost: Switch A with trunk port 1 and trunk port 2; VLANs 2 to 4 (path cost 30) and VLANs 8 to 10 (path cost 30)...]
  • Page 366: Configuring Vmps

    Configuring VMPS. The VLAN Query Protocol (VQP) is used to support dynamic-access ports, which are not permanently assigned to a VLAN, but give VLAN assignments based on the MAC source addresses seen on the port. Each time an unknown MAC address is seen, the switch sends a VQP query to a remote VMPS;...
  • Page 367: Dynamic-Access Port Vlan Membership

    Dynamic-Access Port VLAN Membership. A dynamic-access port can belong to only one VLAN with an ID from 1 to 4094. When the link comes up, the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment.
  • Page 368: Configuring The Vmps Client

    • Trunk ports cannot be dynamic-access ports, but you can enter the switchport access vlan dynamic interface configuration command for a trunk port. In this case, the switch retains the setting and applies it if the port is later configured as an access port. You must turn off trunking on the port before the dynamic-access setting takes effect.
  • Page 369: Configuring Dynamic-Access Ports On Vmps Clients

    Configuring Dynamic-Access Ports on VMPS Clients. If you are configuring a port on a cluster member switch as a dynamic-access port, first use the rcommand privileged EXEC command to log in to the cluster member switch. Dynamic-access port VLAN membership is for end stations or hubs connected to end stations.
  • Page 370: Changing The Retry Count

    Beginning in privileged EXEC mode, follow these steps to change the reconfirmation interval: Step 1, configure terminal: Enter global configuration mode. Step 2, vmps reconfirm minutes: Enter the number of minutes between reconfirmations of the dynamic VLAN membership.
  • Page 371: Troubleshooting Dynamic-Access Port Vlan Membership

    This is an example of output for the show vmps privileged EXEC command:
    Switch# show vmps
    VQP Client Status:
    --------------------
    VMPS VQP Version:
    Reconfirm Interval: 60 min
    Server Retry Count: 3
    VMPS domain server: 172.20.128.86 (primary, current)
                        172.20.128.87
    Reconfirmation status
    ---------------------...
  • Page 372 [Figure 13-5 Dynamic Port VLAN Membership Configuration: a TFTP server; Catalyst 6500 series switch A, Primary VMPS Server 1 (172.20.26.150); a router (172.20.22.7); client switch B (172.20.26.151) with a dynamic-access port to station 1 and a trunk port; Catalyst 6500 series switch C, Secondary VMPS Server 2 (172.20.26.152)...]
  • Page 373: Understanding Vtp

    Chapter 14, Configuring VTP. This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
  • Page 374: Chapter 14 Configuring Vtp

    The switch supports 1005 VLANs, but the number of routed ports, SVIs, and other configured features affects the usage of the switch hardware. If the switch is notified by VTP of a new VLAN and the switch is already using the maximum available hardware resources, it sends a message that there are not enough hardware resources available and shuts down the VLAN.
  • Page 375: Vtp Modes

    For domain name and password configuration guidelines, see the “VTP Configuration Guidelines” section on page 14-8. VTP Modes. You can configure a supported switch stack to be in one of the VTP modes listed in Table 14-1.
  • Page 376: Vtp Version 2

    VTP advertisements distribute this global domain information: • VTP domain name • VTP configuration revision number • Update identity and update timestamp • MD5 digest VLAN configuration, including maximum transmission unit (MTU) size for each...
  • Page 377 VTP pruning blocks unneeded flooded traffic to VLANs on trunk ports that are included in the pruning-eligible list. Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning-eligible on switch trunk ports. If the VLANs are configured as pruning-ineligible, the flooding continues.
  • Page 378: Vtp And Switch Stacks

    Enabling VTP pruning on a VTP server enables pruning for the entire management domain. Making VLANs pruning-eligible or pruning-ineligible affects pruning eligibility for those VLANs on that trunk only (not on all switches in the VTP domain). See the “Enabling VTP Pruning”...
  • Page 379: Default Vtp Configuration

    Default VTP Configuration. Table 14-2 shows the default VTP configuration. Table 14-2 Default VTP Configuration (Feature / Default Setting): VTP domain name: Null. VTP mode: Server. VTP version: Version 1 (Version 2 is disabled). VTP password: None.
  • Page 380: Vtp Configuration In Vlan Database Configuration Mode

    VTP Configuration in VLAN Database Configuration Mode. You can configure all VTP parameters in VLAN database configuration mode, which you access by entering the vlan database privileged EXEC command. For more information about available keywords, see the vtp VLAN database configuration command description in the command reference for this release.
  • Page 381: Vtp Version

    VTP Version. Follow these guidelines when deciding which VTP version to implement: • All switches in a VTP domain must run the same VTP version. • A VTP Version 2-capable switch can operate in the same VTP domain as a switch running VTP...
  • Page 382 Step 4, vtp password password: (Optional) Set the password for the VTP domain. The password can be 8 to 64 characters. If you configure a VTP password, the VTP domain does not function properly if you do not assign the same password to each switch in the domain.
  • Page 383: Configuring A Vtp Client

    This example shows how to use VLAN database configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:
    Switch# vlan database
    Switch(vlan)# vtp server
    Switch(vlan)# vtp domain eng_group
    Switch(vlan)# vtp password mypassword
    Switch(vlan)# exit
    APPLY completed.
  • Page 384: Disabling Vtp (Vtp Transparent Mode)

    Note: You can also configure a VTP client by using the vlan database privileged EXEC command to enter VLAN database configuration mode and entering the vtp client command, similar to the second procedure under “Configuring a VTP Server”...
  • Page 385: Enabling Vtp Version 2

    transparent VLAN database configuration command to return the switch to VTP server mode. If extended-range VLANs are configured on the switch, you cannot change VTP mode to server. You receive an error message, and the configuration is not allowed. Enabling VTP Version 2. VTP Version 2 is disabled by default on VTP Version 2-capable switches.
  • Page 386: Enabling Vtp Pruning

    Enabling VTP Pruning. Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode.
  • Page 387 Beginning in privileged EXEC mode, follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain: Step 1, show vtp status: Check the VTP configuration revision number.
  • Page 388: Monitoring Vtp

    Monitoring VTP. You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 14-3 shows the privileged EXEC commands for monitoring VTP activity.
  • Page 389: Understanding Voice Vlan

    The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When the switch is connected to a Cisco 7960 IP Phone, the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS.
  • Page 390: Chapter 15 Configuring Voice Vlan

    Cisco IP Phone Voice Traffic You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on...
  • Page 391: Configuring Voice Vlan

    For more information, see Chapter 33, “Configuring QoS.” • You must enable CDP on the switch port connected to the Cisco IP Phone to send the configuration to the phone. (CDP is globally enabled by default on all switch interfaces.)
  • Page 392: Configuring A Port Connected To A Cisco 7960 Ip Phone

    ...voice VLAN, the Port Fast feature is not automatically disabled. • If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN: They both use IEEE 802.1p or untagged frames.
  • Page 393: Configuring Cisco Ip Phone Voice Traffic

    Configuring Cisco IP Phone Voice Traffic You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value.
  • Page 394: Configuring The Priority Of Incoming Data Frames

    Configuring the Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
  • Page 395: Understanding Private Vlans

    Chapter 16, Configuring Private VLANs. This chapter describes how to configure private VLANs on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 396: Chapter 16 Configuring Private Vlan

    [Figure 16-1 Private-VLAN Domain: a private-VLAN domain contains one primary VLAN and several subdomains, each a secondary community VLAN or a secondary isolated VLAN.] There are two types of secondary VLANs: • Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the...
  • Page 397: Ip Addressing Scheme With Private Vlans

    Primary and secondary VLANs have these characteristics: • Primary VLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.
  • Page 398: Private Vlans Across Multiple Switches

    Private VLANs across Multiple Switches. As with regular VLANs, private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch. The trunk port treats the private VLAN as any other VLAN.
  • Page 399: Private Vlans And Unicast, Broadcast, And Multicast Traffic

    You should also see the “Secondary and Primary VLAN Configuration” section on page 16-7 under the “Private-VLAN Configuration Guidelines” section. Private VLANs and Unicast, Broadcast, and Multicast Traffic. In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but devices connected to interfaces in different VLANs must communicate at the Layer 3 level.
  • Page 400: Private Vlans And Switch Stacks

    Private VLANs and Switch Stacks. Private VLANs can operate within the switch stack, and private-VLAN ports can reside on different stack members. However, some changes to the switch stack can impact private-VLAN operation: •...
  • Page 401: Default Private-Vlan Configuration

    Step 5: If inter-VLAN routing will be used, configure the primary SVI, and map secondary VLANs to the primary. See the “Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface” section on page 16-14.
  • Page 402: Private-Vlan Port Configuration

    • We recommend that you prune the private VLANs from the trunks on devices that carry no traffic in the private VLANs. • You can apply different quality of service (QoS) configurations to primary, isolated, and community...
  • Page 403: Limitations With Other Features

    • Do not configure ports that belong to a PAgP or LACP EtherChannel as private-VLAN ports. While a port is part of the private-VLAN configuration, any EtherChannel configuration for it is inactive. • Enable Port Fast and BPDU guard on isolated and community host ports to prevent STP loops due...
  • Page 404: Configuring And Associating Vlans In A Private Vlan

    Note: Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated VLANs. For example, a MAC address learned in a secondary VLAN is replicated in the primary VLAN. When the original dynamic MAC address is deleted or aged out, the replicated addresses are removed from the MAC address table.
  • Page 405 Step 15, show vlan private-vlan [type] and show interfaces status: Verify the configuration. Step 16, copy running-config startup-config: Save your entries in the switch startup configuration file. To save the private-VLAN configuration, you need to save the VTP transparent mode configuration and private-VLAN configuration in the switch startup configuration file.
  • Page 406: Configuring A Layer 2 Interface As A Private-Vlan Host Port

    Configuring a Layer 2 Interface as a Private-VLAN Host Port. Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN host port and to associate it with primary and secondary VLANs: Isolated and community VLANs are both secondary VLANs.
  • Page 407: Configuring A Layer 2 Interface As A Private-Vlan Promiscuous Port

    Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port. Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN promiscuous port and map it to primary and secondary VLANs: Isolated and community VLANs are both secondary VLANs.
  • Page 408: Mapping Secondary Vlans To A Primary Vlan Layer 3 Vlan Interface

    Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface. If the private VLAN will be used for inter-VLAN routing, you configure an SVI for the primary VLAN and map secondary VLANs to the SVI. Isolated and community VLANs are both secondary VLANs.
  • Page 409: Monitoring Private Vlans

    Monitoring Private VLANs. Table 16-1 shows the privileged EXEC commands for monitoring private-VLAN activity. Table 16-1 Private VLAN Monitoring Commands (Command / Purpose): show interfaces status: Displays the status of interfaces, including the VLANs to which they belong.
  • Page 411: Understanding Ieee 802.1Q Tunneling

    Chapter 17, Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling. Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure, often Ethernet-based, with the same security, prioritization, reliability, and manageability requirements of private networks. Tunneling is a feature designed for service providers who carry traffic of multiple customers across their networks and are required to maintain the VLAN and Layer 2 protocol configurations of each customer without impacting the traffic of other customers.
  • Page 412: C H A P T E R 17 Configuring Ieee 802.1Q And Layer 2 Protocol Tunneling

    Customer traffic tagged in the normal way with appropriate VLAN IDs comes from an IEEE 802.1Q trunk port on the customer device and into a tunnel port on the service-provider edge switch. The link between the customer device and the edge switch is asymmetric because one end is configured as an IEEE 802.1Q trunk port, and the other end is configured as a tunnel port.
  • Page 413 [Figure 17-2 Original (Normal), IEEE 802.1Q, and Double-Tagged Ethernet Packet Formats: each frame is shown with destination address, source address, length/EtherType, data, and frame check sequence fields; the original Ethernet frame, the IEEE 802.1Q frame, and the double-tagged frame are compared...]
  • Page 414: Configuring Ieee 802.1Q Tunneling

    Configuring IEEE 802.1Q Tunneling. These sections contain this configuration information: • Default IEEE 802.1Q Tunneling Configuration, page 17-4 • IEEE 802.1Q Tunneling Configuration Guidelines, page 17-4 •...
  • Page 415: System Mtu

    These are some ways to solve this problem: • Use ISL trunks between core switches in the service-provider network. Although customer interfaces connected to edge switches must be IEEE 802.1Q trunks, we recommend using ISL trunks for connecting switches in the core layer.
  • Page 416: Ieee 802.1Q Tunneling And Other Features

    • When a port is configured as an IEEE 802.1Q tunnel port, spanning-tree bridge protocol data unit (BPDU) filtering is automatically enabled on the interface. Cisco Discovery Protocol (CDP) is automatically disabled on the interface. Configuring an IEEE 802.1Q Tunneling Port. Beginning in privileged EXEC mode, follow these steps to configure a port as an IEEE 802.1Q tunnel...
  • Page 417: Understanding Layer 2 Protocol Tunneling

    VLAN should build a proper spanning tree that includes the local site and all remote sites across the service-provider network. Cisco Discovery Protocol (CDP) must discover neighboring Cisco devices from local and remote sites. VLAN Trunking Protocol (VTP) must provide consistent VLAN configuration throughout all sites in the customer network.
  • Page 418 • Users on each of a customer’s sites can properly run STP, and every VLAN can build a correct spanning tree based on parameters from all sites and not just from the local site. • CDP discovers and shows information about the other Cisco devices connected through the service-provider network.
  • Page 419 [Figure 17-4 Layer 2 Protocol Tunneling: Customer X Site 1 (VLANs 1 to 100) and Customer X Site 2 (VLANs 1 to 100) connected across the service-provider network in VLAN 30...]
  • Page 420: Configuring Layer 2 Protocol Tunneling

    When the Layer 2 PDUs that entered the service-provider inbound edge switch through a Layer 2 protocol-enabled port exit through the trunk port into the service-provider network, the switch overwrites the customer PDU-destination MAC address with a well-known Cisco proprietary multicast address (01-00-0c-cd-cd-d0). If IEEE 802.1Q tunneling is enabled, packets are also double-tagged; the outer tag is the customer metro tag, and the inner tag is the customer’s VLAN tag.
  • Page 421: Default Layer 2 Protocol Tunneling Configuration

    Figure 17-4, with Customer X and Customer Y in access VLANs 30 and 40, respectively. Asymmetric links connect the customers in Site 1 to edge switches in the service-provider network. The Layer 2 PDUs (for example, BPDUs) coming into Switch 2 from Customer Y in Site 1 are forwarded to the infrastructure as double-tagged packets with the well-known MAC address as the destination MAC address.
  • Page 422: Layer 2 Protocol Tunneling Configuration Guidelines

    Layer 2 Protocol Tunneling Configuration Guidelines These are some configuration guidelines and operating characteristics of Layer 2 protocol tunneling:
    • The switch supports tunneling of CDP, STP, including multiple STP (MSTP), and VTP. Protocol...
  • Page 423: Configuring Layer 2 Protocol Tunneling

    Configuring Layer 2 Protocol Tunneling Beginning in privileged EXEC mode, follow these steps to configure a port for Layer 2 protocol tunneling:
    Step 1: configure terminal. Purpose: Enter global configuration mode.
  • Page 424: Configuring Layer 2 Tunneling For Etherchannels

    Use the no l2protocol-tunnel [cdp | stp | vtp] interface configuration command to disable protocol tunneling for one of the Layer 2 protocols or for all three. Use the no l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] and the no l2protocol-tunnel drop-threshold [cdp | stp | vtp] commands to return the shutdown and drop thresholds to the default settings.
  • Page 425

    Step 4: l2protocol-tunnel point-to-point [pagp | lacp | udld]. Purpose: (Optional) Enable point-to-point protocol tunneling for the desired protocol. If no keyword is entered, tunneling is enabled for all three protocols.
  • Page 426: Configuring The Customer Switch

    Configuring the Customer Switch After configuring the SP edge switch, begin in privileged EXEC mode and follow these steps to configure a customer switch for Layer 2 protocol tunneling for EtherChannels: Step 1...
  • Page 427

    Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000
    Switch(config-if)# exit
    Switch(config)# interface fastethernet1/0/3
    Switch(config-if)# switchport trunk encapsulation isl
    Switch(config-if)# switchport mode trunk
    SP edge switch 2 configuration:
    Switch(config)# interface fastethernet1/0/1
    Switch(config-if)# switchport access vlan 19
    Switch(config-if)# switchport mode dot1q-tunnel...
  • Page 428: Monitoring And Maintaining Tunneling Status

    Chapter 17 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Monitoring and Maintaining Tunneling Status Monitoring and Maintaining Tunneling Status Table 17-2 shows the privileged EXEC commands for monitoring and maintaining IEEE 802.1Q and Layer 2 protocol tunneling. Table 17-2 Commands for Monitoring and Maintaining Tunneling (Command / Purpose)...
  • Page 429 Catalyst 3750 switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard. A switch stack appears as a single spanning-tree node to the rest of the network, and all stack members use the same bridge ID.
  • Page 430: Chapter 18 Configuring Stp

    The path cost value represents the media speed. Note: In Cisco IOS Release 12.2(18)SE and later, the default is for the switch to send keepalive messages (to ensure the connection is up) only on interfaces that do not have small form-factor pluggable (SFP) modules.
  • Page 431: Spanning-Tree Topology And Bpdus

    Chapter 18 Configuring STP Understanding Spanning-Tree Features Spanning-Tree Topology and BPDUs The stable, active spanning-tree topology of a switched network is controlled by these elements:
    • The unique bridge ID (switch priority and MAC address) associated with each VLAN on each...
  • Page 432: Bridge Id, Switch Priority, And Extended System Id

    Only one outgoing port on the stack root switch is selected as the root port. The remaining switches in the stack become its designated switches (Switch 2 and Switch 3) as shown in Figure 18-1 on page 18-4.
  • Page 433: Spanning-Tree Interface States

    The switch supports the IEEE 802.1t spanning-tree extensions, and some of the bits previously used for the switch priority are now used as the VLAN identifier. The result is that fewer MAC addresses are reserved for the switch, and a larger range of VLAN IDs can be supported, all while maintaining the uniqueness of the bridge ID.
  • Page 434: Understanding Spanning-Tree Features

    • From learning to forwarding or to disabled
    • From forwarding to disabled
    Figure 18-2 illustrates how an interface moves through the states. [Figure 18-2 Spanning-Tree Interface States: power-on initialization, blocking state, listening state, disabled state...]
  • Page 435: Blocking State

    Blocking State A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each switch interface. A switch initially functions as the root until it exchanges BPDUs with other switches.
  • Page 436: Disabled State

    Disabled State A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational. A disabled interface performs these functions: •...
  • Page 437: Spanning Tree And Redundant Connectivity

    Spanning Tree and Redundant Connectivity You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure 18-4. Spanning tree automatically disables one interface but enables it if the other one fails.
  • Page 438: Spanning-Tree Modes And Protocols

    Spanning-Tree Modes and Protocols The switch supports these spanning-tree modes and protocols:
    • PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
  • Page 439: Spanning-Tree Interoperability And Backward Compatibility

    VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
  • Page 440: Spanning Tree And Switch Stacks

    Chapter 18 Configuring STP Configuring Spanning-Tree Features VLAN spanning trees to prevent loops from forming if there are multiple connections among VLANs. It also prevents the individual spanning trees from the VLANs being bridged from collapsing into a single spanning tree. To support VLAN-bridge spanning tree, some of the spanning-tree timers are increased.
  • Page 441: Default Spanning-Tree Configuration

    • Configuring the Switch Priority of a VLAN, page 18-21 (optional)
    • Configuring Spanning-Tree Timers, page 18-22 (optional)
    Default Spanning-Tree Configuration Table 18-3 shows the default spanning-tree configuration. Table 18-3 Default Spanning-Tree Configuration (Feature / Default Setting): Enable state...
  • Page 442 Caution: Switches that are not running spanning tree still forward BPDUs that they receive so that the other switches on the VLAN that have a running spanning-tree instance can break loops. Therefore, spanning tree must be running on enough switches to break all the loops in the network;...
  • Page 443: Changing The Spanning-Tree Mode

    Changing the Spanning-Tree Mode The switch supports three spanning-tree modes: PVST+, rapid PVST+, or MSTP. By default, the switch runs the PVST+ protocol. Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required.
  • Page 444: Disabling Spanning Tree

    Disabling Spanning Tree Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in the “Supported Spanning-Tree Instances” section on page 18-10. Disable spanning tree only if you are sure there are no loops in the network topology.
  • Page 445 Note: The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root. Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).
  • Page 446: Configuring A Secondary Root Switch

    Configuring a Secondary Root Switch When you configure a switch as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails.
  • Page 447 Note: If your switch is a member of a switch stack, you must use the spanning-tree [vlan vlan-id] cost cost interface configuration command instead of the spanning-tree [vlan vlan-id] port-priority priority interface configuration command to select an interface to put in the forwarding state. Assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
  • Page 448: Configuring Path Cost

    To return to the default setting, use the no spanning-tree [vlan vlan-id] port-priority interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree port priorities, see the “Configuring Trunk Ports for Load Sharing”...
  • Page 449: Configuring The Switch Priority Of A Vlan

    Note: The show spanning-tree interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration. To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command.
  • Page 450: Configuring Spanning-Tree Timers

    Configuring Spanning-Tree Timers Table 18-4 describes the timers that affect the entire spanning-tree performance. Table 18-4 Spanning-Tree Timers (Variable / Description):
    Hello timer: Controls how often the switch broadcasts hello messages to other switches.
    Forward-delay timer: Controls how long each of the listening and learning states last before the interface begins forwarding.
  • Page 451: Configuring The Forwarding-Delay Time For A Vlan

    Configuring the Forwarding-Delay Time for a VLAN Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional.
    Step 1: configure terminal. Purpose: Enter global configuration mode.
  • Page 452: Configuring The Transmit Hold-Count

    Chapter 18 Configuring STP Displaying the Spanning-Tree Status Configuring the Transmit Hold-Count You can configure the BPDU burst size by changing the transmit hold count value. Note: Changing this parameter to a higher value can have a significant impact on CPU utilization, especially in Rapid-PVST mode.
  • Page 453 Chapter 19 Configuring MSTP This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 3750 switch. Note: The multiple spanning-tree (MST) implementation in Cisco IOS Release 12.2(25)SEC is based on the IEEE 802.1s standard.
  • Page 454: Chapter 19 Configuring Mstp

    Chapter 19 Configuring MSTP Understanding MSTP This chapter consists of these sections:
    • Understanding MSTP, page 19-2
    • Understanding RSTP, page 19-9
    • Configuring MSTP Features, page 19-14
    • Displaying the MST Configuration and Status, page 19-26
    Understanding MSTP MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances.
  • Page 455: Ist, Cist, And Cst

    IST, CIST, and CST Unlike PVST+ and rapid PVST+ in which all the spanning-tree instances are independent, the MSTP establishes and maintains two types of spanning trees:
    • An internal spanning tree (IST), which is the spanning tree that runs in an MST region.
    • ...
  • Page 456: Operations Between Mst Regions

    For correct operation, all switches in the MST region must agree on the same CIST regional root. Therefore, any two switches in the region only synchronize their port roles for an MST instance if they converge to a common CIST regional root.
  • Page 457: Ieee 802.1S Terminology

    IEEE 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches. IEEE 802.1s Terminology Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network.
  • Page 458: Boundary Ports

    The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary, unless it is running in an STP-compatible mode.
  • Page 459: Port Role Naming Change

    The boundary role is no longer in the final MST standard, but this boundary concept is maintained in Cisco’s implementation. However, an MST instance port at a boundary of the region might not follow the state of the corresponding CIST port. Two cases exist now: The boundary port is the root port of the CIST regional root—When the CIST instance port is...
  • Page 460: Detecting Unidirectional Link Failure

    Detecting Unidirectional Link Failure This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
  • Page 461: Interoperability With Ieee 802.1D Stp

    Chapter 19 Configuring MSTP Understanding RSTP Interoperability with IEEE 802.1D STP A switch running MSTP supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If this switch receives a legacy IEEE 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only IEEE 802.1D BPDUs on that port.
  • Page 462: Rapid Convergence

    [Table row: Disabled / Disabled / Discarding] To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state. Rapid Convergence The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
  • Page 463: Synchronization Of Port Roles

    After receiving Switch B’s agreement message, Switch A also immediately transitions its designated port to the forwarding state. No loops in the network are formed because Switch B blocked all of its nonedge ports and because there is a point-to-point link between Switches A and B. When Switch C is connected to Switch B, a similar set of handshaking messages are exchanged.
  • Page 464: Bridge Protocol Data Unit Format And Processing

    If a designated port is in the forwarding state and is not configured as an edge port, it transitions to the blocking state when the RSTP forces it to synchronize with new root information. In general, when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions, its port state is set to blocking.
  • Page 465: Processing Superior Bpdu Information

    Table 19-3 RSTP BPDU Flags (continued) (Function): Forwarding; Agreement; Topology change acknowledgement (TCA). The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN. The port role in the proposal message is always set to the designated port. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal.
  • Page 466: Configuring Mstp Features

    Chapter 19 Configuring MSTP Configuring MSTP Features
    • Notification—Unlike IEEE 802.1D, which uses TCN BPDUs, the RSTP does not use them. However, for IEEE 802.1D interoperability, an RSTP switch processes and generates TCN BPDUs.
    • Acknowledgement—When an RSTP switch receives a TCN message on a designated port from an...
  • Page 467: Default Mstp Configuration

    Default MSTP Configuration Table 19-4 shows the default MSTP configuration. Table 19-4 Default MSTP Configuration (Feature / Default Setting):
    Spanning-tree mode: PVST+ (Rapid PVST+ and MSTP are disabled).
    Switch priority (configurable on a per-CIST port basis): 32768.
  • Page 468: Specifying The Mst Region Configuration And Enabling Mstp

    • For load balancing across redundant paths in the network to work, all VLAN-to-instance mapping assignments must match; otherwise, all traffic flows on a single link. You can achieve load balancing across a switch stack by manually configuring the path cost.
    • All MST boundary ports must be forwarding for load balancing between a PVST+ and an MST...
  • Page 469: Configuring The Root Switch

    Step 8: spanning-tree mode mst. Purpose: Enable MSTP. RSTP is also enabled. Caution: Changing spanning-tree modes can disrupt traffic because all spanning-tree instances are stopped for the previous mode and restarted in the new mode. You cannot run both MSTP and PVST+ or both MSTP and rapid PVST+ at the same time.
  • Page 470 4-bit switch priority value as shown in Table 18-1 on page 18-5.) Note: Catalyst 3750 switches running software earlier than Cisco IOS Release 12.1(14)EA1 do not support the MSTP. If your network consists of switches that both do and do not support the extended system ID, it is unlikely that the switch with the extended system ID support will become the root switch.
  • Page 471: Configuring Port Priority

    To return the switch to its default setting, use the no spanning-tree mst instance-id root global configuration command. Configuring a Secondary Root Switch When you configure a switch with the extended system ID support as the secondary root, the switch priority is modified from the default value (32768) to 28672.
  • Page 472 Note: If your switch is a member of a switch stack, you must use the spanning-tree mst [instance-id] cost cost interface configuration command instead of the spanning-tree mst [instance-id] port-priority priority interface configuration command to select a port to put in the forwarding state. Assign lower cost values to ports that you want selected first and higher cost values to ports that you want selected last.
  • Page 473: Configuring Path Cost

    Configuring Path Cost The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values that you want selected last.
  • Page 474: Configuring The Switch Priority

    Configuring the Switch Priority You can configure the switch priority and make it more likely that a standalone switch or a switch in the stack will be chosen as the root switch. Note: Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
  • Page 475: Configuring The Forwarding-Delay Time

    Beginning in privileged EXEC mode, follow these steps to configure the hello time for all MST instances. This procedure is optional.
    Step 1: configure terminal. Purpose: Enter global configuration mode.
    Step 2: spanning-tree mst hello-time seconds. Purpose: Configure the hello time for all MST instances.
  • Page 476: Configuring The Maximum-Aging Time

    Configuring the Maximum-Aging Time Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances. This procedure is optional.
    Step 1: configure terminal. Purpose: Enter global configuration mode.
    Step 2: spanning-tree mst max-age seconds. Purpose: Configure the maximum-aging time for all MST instances.
  • Page 477: Designating The Neighbor Type

    By default, the link type is controlled from the duplex mode of the interface: a full-duplex port is considered to have a point-to-point connection; a half-duplex port is considered to have a shared connection.
  • Page 478: Restarting The Protocol Migration Process

    Chapter 19 Configuring MSTP Displaying the MST Configuration and Status Restarting the Protocol Migration Process A switch running MSTP supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If this switch receives a legacy IEEE 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only IEEE 802.1D BPDUs on that port.
  • Page 479: Understanding Optional Spanning-Tree Features

    Chapter 20 Configuring Optional Spanning-Tree Features This chapter describes how to configure optional spanning-tree features on the Catalyst 3750 switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+).
  • Page 480: Chapter 20 Configuring Optional Spanning-Tree Features

    Chapter 20 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding Port Fast Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. You can use Port Fast on interfaces connected to a single workstation or server, as shown in Figure 20-1, to allow those devices to...
  • Page 481: Understanding Bpdu Filtering

    At the interface level, you enable BPDU guard on any interface by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. When the interface receives a BPDU, it is put in the error-disabled state.
  • Page 482 [Figure 20-2 Switches in a Hierarchical Network: backbone switches (root bridge), distribution switches, access switches; active and blocked links] If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port.
  • Page 483: Understanding Cross-Stack Uplinkfast

    [Figure 20-3 UplinkFast Example Before Direct Link Failure: Switch A (Root), Switch B, Switch C with blocked port] If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure...
  • Page 484: How Csuf Works

    How CSUF Works CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 20-5, the stack-root port on Switch 1 provides the path to the root of the spanning tree. The alternate stack-root ports on Switches 2 and 3 can provide an alternate path to the spanning-tree root if the current stack-root switch fails or if its link to the spanning-tree root fails.
  • Page 485: Events That Cause Fast Convergence

    Each switch in the stack decides if the sending switch is a better choice than itself to be the stack root of this spanning-tree instance by comparing the root, cost, and bridge ID. If the sending switch is the best choice as the stack root, each switch in the stack returns an acknowledgement;...
  • Page 486 BackboneFast, which is enabled by using the spanning-tree backbonefast global configuration command, starts when a root port or blocked interface on a switch receives inferior BPDUs from its designated switch. An inferior BPDU identifies a switch that declares itself as both the root bridge and the designated switch.
  • Page 487 If link L1 fails as shown in Figure 20-7, Switch C cannot detect this failure because it is not connected directly to link L1. However, because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root, and begins sending BPDUs to Switch C, identifying itself as the root.
  • Page 488: Understanding Etherchannel Guard

    Understanding EtherChannel Guard You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel, but the interfaces on the other device are not.
  • Page 489: Understanding Loop Guard

    Chapter 20 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features [Figure 20-9 Root Guard in a Service-Provider Network: service-provider network, customer network, desired root switch, potential spanning-tree root without root guard enabled; callout: Enable the root-guard feature on these interfaces to prevent switches in the customer network from becoming the root switch or being...]
  • Page 490: Default Optional Spanning-Tree Configuration

    • Enabling BackboneFast, page 20-16 (optional)
    • Enabling EtherChannel Guard, page 20-17 (optional)
    • Enabling Root Guard, page 20-17 (optional)
    • Enabling Loop Guard, page 20-18 (optional)
    Default Optional Spanning-Tree Configuration Table 20-1 shows the default optional spanning-tree configuration.
  • Page 491: Enabling Bpdu Guard

    Beginning in privileged EXEC mode, follow these steps to enable Port Fast. This procedure is optional.
    Step 1: configure terminal. Purpose: Enter global configuration mode.
    Step 2: interface interface-id. Purpose: Specify an interface to configure, and enter interface configuration mode.
  • Page 492: Enabling Bpdu Filtering

    You also can use the spanning-tree bpduguard enable interface configuration command to enable BPDU guard on any interface without also enabling the Port Fast feature. When the interface receives a BPDU, it is put in the error-disabled state.
  • Page 493: Enabling Uplinkfast For Use With Redundant Links

    Beginning in privileged EXEC mode, follow these steps to globally enable the BPDU filtering feature. This procedure is optional.
    Step 1: configure terminal. Purpose: Enter global configuration mode.
    Step 2: spanning-tree portfast bpdufilter default. Purpose: Globally enable BPDU filtering.
  • Page 494: Enabling Cross-Stack Uplinkfast

    Step 3: Return to privileged EXEC mode.
    Step 4: show spanning-tree summary. Purpose: Verify your entries.
    Step 5: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
    When UplinkFast is enabled, the switch priority of all VLANs is set to 49152.
  • Page 495: Enabling Etherchannel Guard

    Step 4: show spanning-tree summary. Purpose: Verify your entries.
    Step 5: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
    To disable the BackboneFast feature, use the no spanning-tree backbonefast global configuration command.
  • Page 496: Enabling Loop Guard

    Beginning in privileged EXEC mode, follow these steps to enable root guard on an interface. This procedure is optional.
    Step 1: configure terminal. Purpose: Enter global configuration mode.
    Step 2: interface interface-id. Purpose: Specify an interface to configure, and enter interface configuration mode.
  • Page 497: Displaying The Spanning-Tree Status

    Chapter 20 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status Displaying the Spanning-Tree Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 20-2: Table 20-2 Commands for Displaying the Spanning-Tree Status (Command / Purpose):
    show spanning-tree active: Displays spanning-tree information on active interfaces only.
  • Page 499: Flex Links

    Chapter 21 Configuring Flex Links and the MAC Address-Table Move Update Feature This chapter describes how to configure Flex Links, a pair of interfaces on the Catalyst 3750 switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature.
  • Page 500 Understanding Flex Links and the MAC Address-Table Move Update: You configure Flex Links on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the Flex Link or backup link. The Flex Link can be on the same switch or on another switch in the stack.
  • Page 501: Chapter 21 Configuring Flex Links and the MAC Address-Table Move Update Feature

    If the MAC address-table move update feature is configured and enabled on the switches in Figure 21-2 and port 1 goes down, port 2 starts forwarding traffic from the PC to the server. The switch sends a MAC address-table move update packet from port 2.
  • Page 502: Mac Address-Table Move Update

    Configuring Flex Links and MAC Address-Table Move Update. These sections contain this information: Configuration Guidelines, page 21-4; Default Configuration, page 21-4; ...
  • Page 503: Configuring Flex Links

    This section contains this information: Configuring Flex Links, page 21-5; Configuring the MAC Address-Table Move Update Feature, page 21-6; ...
  • Page 504: Configuring Flex Links And Mac Address-Table Move Update

    Step 3 switchport backup interface interface-id: Configure a physical Layer 2 interface (or port channel) as part of a Flex Links pair with the interface. When one link is forwarding traffic, the other interface is in standby mode.
  • Page 505: Configuring Flex Links

    Beginning in privileged EXEC mode, follow these steps to configure an access switch to send MAC address-table move updates: Step 1 configure terminal...
  • Page 506 This example shows how to verify the configuration:
    Switch# show mac-address-table move update
    Switch-ID : 010b.4630.1780
    Dst mac-address : 0180.c200.0010
    Vlans/Macs supported : 1023/8320
    Default/Current settings: Rcv Off/On, Xmt Off/On
    Max packets per min : Rcv 40, Xmt 60...
  • Page 507: Monitoring Flex Links And The Mac Address-Table Move Update

    Monitoring Flex Links and the MAC Address-Table Move Update. Table 21-1 shows the privileged EXEC commands for monitoring the Flex Links configuration and the MAC address-table move update information.
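    A complete Flex Links pair with the MAC address-table move update feature on both the access switch (transmit) and the upstream switches (receive), as an added example that is not from the Cisco guide. Interface numbers are assumptions; the unhyphenated mac address-table spelling is the current form of the command shown above with a hyphen.

```cisco
! Added example (not from the Cisco guide). Interface numbers are assumptions.
! --- Access switch: the Flex Links pair ---
Switch# configure terminal
! Gi1/0/1 is the active uplink, Gi1/0/2 its standby. Spanning tree is
! turned off on the pair by the feature, so neither port may be part of
! an STP-protected topology.
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport backup interface gigabitethernet1/0/2
Switch(config-if)# exit
! Send a move-update packet when traffic fails over to the standby link
! so upstream switches relearn the hosts at once instead of aging out.
Switch(config)# mac address-table move update transmit
Switch(config)# end
Switch# show interfaces switchport backup
Switch# show mac address-table move update
!
! --- Each upstream switch: act on the move-update packets ---
Upstream# configure terminal
Upstream(config)# mac address-table move update receive
Upstream(config)# end
Upstream# show mac address-table move update
```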
  • Page 509: Understanding Dhcp Features

    For complete syntax and usage information for the commands used in this chapter, see the command reference for this release, and see the “DHCP Commands” section in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.
  • Page 510: Chapter 22 Configuring DHCP Features and IP Source Guard

    Understanding DHCP Features. For information about the DHCP client, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. DHCP Server: The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them.
  • Page 511: Option-82 Data Insertion

    Address Resolution Protocol (ARP) inspection on the switch unless you use static bindings or ARP access control lists (ACLs). In Cisco IOS Release 12.2(25)SEA or later, when an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allow-untrusted global configuration command, the aggregation switch accepts packets with option-82 information from the edge switch.
  • Page 512 MAC address, and the circuit-ID suboption is the port identifier, vlan-mod-port, from which the packet is received. Beginning with Cisco IOS Release 12.2(25)SEE, you can configure the remote ID and circuit ID. For information on configuring these suboptions, see the “Enabling DHCP Snooping and Option 82”...
  • Page 513 In the default suboption configuration, when the described sequence of events occurs, the values in these fields in Figure 22-2 do not change: Circuit-ID suboption fields: Suboption type; ...
  • Page 514: Cisco Ios Dhcp Server Database

    An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool.
  • Page 515: Dhcp Snooping Binding Database

    DHCP Snooping Binding Database. When DHCP snooping is enabled, the switch uses the DHCP snooping binding database to store information about untrusted interfaces. The database can have up to 8192 bindings. Each database entry (binding) has an IP address, an associated MAC address, the lease time (in hexadecimal format), the interface to which the binding applies, and the VLAN to which the interface belongs.
  • Page 516: Configuration Guidelines

    Enabling DHCP Snooping and Option 82, page 22-12; Enabling DHCP Snooping on Private VLANs, page 22-14; Enabling the Cisco IOS DHCP Server Database, page 22-14; Enabling the DHCP Snooping Binding Database Agent, page 22-15. Default DHCP Configuration: Table 22-1 shows the default DHCP configuration.
  • Page 517: Dhcp Snooping Configuration Guidelines

    DHCP server and the DHCP relay agent are configured and enabled. When you globally enable DHCP snooping on the switch, these Cisco IOS commands are not available until snooping is disabled. If you enter these commands, the switch returns an error message, and the configuration is not applied.
  • Page 518: Configuring The Dhcp Server

    Configuring the DHCP Server The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational.
  • Page 519: Configuring The Dhcp Relay Agent

    To disable the DHCP server and relay agent, use the no service dhcp global configuration command. See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 for these procedures: Checking (validating) the relay agent information; ...
  • Page 520: Enabling Dhcp Snooping And Option 82

    Step 6 interface range port-range: Configure multiple physical ports that are connected to the DHCP clients, and enter interface range configuration mode. Or interface interface-id: Configure a single physical port that is connected to the DHCP client, and enter interface configuration mode.
  • Page 521 Step 6 ip dhcp snooping information option allow-untrusted: (Optional) If the switch is an aggregation switch connected to an edge switch, enable the switch to accept incoming DHCP snooping packets with option-82 information from the edge switch.
  • Page 522: Enabling Dhcp Snooping On Private Vlans

    VLANs, on which DHCP snooping is enabled. Enabling the Cisco IOS DHCP Server Database For procedures to enable and configure the Cisco IOS DHCP server database, see the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
  • Page 523: Enabling The Dhcp Snooping Binding Database Agent

    Enabling the DHCP Snooping Binding Database Agent. Beginning in privileged EXEC mode, follow these steps to enable and configure the DHCP snooping binding database agent on the switch: Step 1...
  • Page 524: Displaying Dhcp Snooping Information

    Displaying DHCP Snooping Information. To display the DHCP snooping information, use the privileged EXEC commands in Table 22-2 (Commands for Displaying DHCP Information): show ip dhcp snooping: Displays the DHCP snooping configuration for a switch. show ip dhcp snooping binding: ...
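    The DHCP snooping procedure above (global and per-VLAN enable, option 82, trusted uplink, rate-limited client ports, the binding database agent) on an edge switch, and the allow-untrusted setting on the aggregation switch above it. This is an added example rather than configuration from the Cisco guide; the VLAN numbers, interface numbers and the TFTP URL are assumptions.

```cisco
! Added example (not from the Cisco guide). VLANs, interfaces and the
! TFTP URL are assumptions.
!
! --- Edge (access) switch ---
Switch# configure terminal
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10,20
! Option 82 insertion and MAC verification are on by default once
! snooping is enabled; state them so the intent survives a config review.
Switch(config)# ip dhcp snooping information option
Switch(config)# ip dhcp snooping verify mac-address
! Uplink toward the real DHCP server: trusted. Without this the OFFER and
! ACK from the server arrive on an untrusted port and are dropped.
Switch(config)# interface gigabitethernet1/0/25
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
! Client ports: untrusted (default) and rate limited, so a host flooding
! DISCOVERs err-disables its own port instead of starving the CPU.
Switch(config)# interface range gigabitethernet1/0/1 - 24
Switch(config-if-range)# no ip dhcp snooping trust
Switch(config-if-range)# ip dhcp snooping limit rate 15
Switch(config-if-range)# exit
Switch(config)# errdisable recovery cause dhcp-rate-limit
! Binding database agent: persist bindings so IP source guard and DAI
! still have them after a reload (placeholder URL).
Switch(config)# ip dhcp snooping database tftp://192.0.2.10/sw1-snoop.db
Switch(config)# ip dhcp snooping database write-delay 60
Switch(config)# end
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Switch# show ip dhcp snooping database
!
! --- Aggregation switch: the port toward the edge switch stays untrusted ---
Agg# configure terminal
Agg(config)# ip dhcp snooping
Agg(config)# ip dhcp snooping vlan 10,20
! Accept packets that already carry option 82 from the edge switch; by
! default an untrusted port drops option-82 packets with giaddr 0.
Agg(config)# ip dhcp snooping information option allow-untrusted
Agg(config)# end
Agg# show ip dhcp snooping
```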
  • Page 525: Source Ip Address Filtering

    Configuring IP Source Guard: Source IP Address Filtering. When IP source guard is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.
  • Page 526: Enabling Ip Source Guard

    If you are enabling IP source guard on a trunk interface with multiple VLANs and DHCP snooping is enabled on all the VLANs, the source IP address filter is applied on all the VLANs. Note: If IP source guard is enabled and you enable or disable DHCP snooping on a VLAN on the trunk interface, the switch might not properly filter traffic.
  • Page 527: Displaying Ip Source Guard Information

    Step 8 show ip source binding [ip-address] [mac-address] [dhcp-snooping | static] ...: Display the IP source bindings on the switch, on a specific VLAN, or on a specific interface.
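    IP source guard in both of its forms (source IP filtering, and source IP plus MAC filtering with port security), together with a static binding for a host that never uses DHCP, as an added example that is not from the Cisco guide. It assumes DHCP snooping is already running on the VLAN; the VLAN, interface numbers, addresses and MAC address are assumptions.

```cisco
! Added example (not from the Cisco guide). VLAN, interfaces, addresses
! and the MAC address are assumptions.
Switch# configure terminal
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
! Source IP filtering only: a frame is forwarded if its source IP is in
! the DHCP snooping binding table (or a static binding) for this port/VLAN.
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# ip verify source
Switch(config-if)# exit
! Source IP and MAC filtering: the port must also run port security,
! which is what enforces the MAC half of the binding.
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
Switch(config-if)# ip verify source port-security
Switch(config-if)# exit
! Fixed-address host (printer, server): a static binding, otherwise it
! has no DHCP lease and every packet it sends is dropped.
Switch(config)# ip source binding 0011.2233.4455 vlan 10 10.10.10.50 interface gigabitethernet1/0/3
Switch(config)# interface gigabitethernet1/0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# ip verify source
Switch(config-if)# end
! Verify: the filter type per port, and the bindings it filters against.
Switch# show ip verify source
Switch# show ip source binding
Switch# show ip source binding static
```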
  • Page 529: Understanding Dynamic Arp Inspection

    Chapter 23 Configuring Dynamic ARP Inspection. This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 3750 switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN.
  • Page 530: Chapter 23 Configuring Dynamic ARP Inspection

    Figure 23-1 ARP Cache Poisoning: Host A (IA, MA), Host B (IB, MB), Host C (IC, MC, man-in-the-middle). Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet.
  • Page 531: Interface Trust States And Network Security

    You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header.
  • Page 532: Rate Limiting Of Arp Packets

    Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running dynamic ARP inspection.
  • Page 533: Logging Of Dropped Packets

    Logging of Dropped Packets. When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
  • Page 534: Dynamic Arp Inspection Configuration Guidelines

    Table 23-1 Default Dynamic ARP Inspection Configuration (continued). Log buffer: When dynamic ARP inspection is enabled, all denied or dropped ARP packets are logged. The number of entries in the log is 32. The number of system messages is limited to 5 per second.
  • Page 535: Configuring Dynamic Arp Inspection In Dhcp Environments

    The operating rate for the port channel is cumulative across all the physical ports within the channel. For example, if you configure the port channel with an ARP rate-limit of 400 pps, all the interfaces combined on the channel receive an aggregate 400 pps.
  • Page 536: Configuring Arp Acls For Non-Dhcp Environments

    Step 4 interface interface-id: Specify the interface connected to the other switch, and enter interface configuration mode. Step 5 ip arp inspection trust: Configure the connection between the switches as trusted. By default, all interfaces are untrusted.
  • Page 537 Beginning in privileged EXEC mode, follow these steps to configure an ARP ACL on Switch A. This procedure is required in non-DHCP environments. Step 1 configure terminal: Enter global configuration mode. Step 2 arp access-list acl-name: Define an ARP ACL, and enter ARP access-list...
  • Page 538: Limiting The Rate Of Incoming Arp Packets

    Step 7 no ip arp inspection trust: Configure the Switch A interface that is connected to Switch B as untrusted. By default, all interfaces are untrusted. For untrusted interfaces, the switch intercepts all ARP requests and responses.
  • Page 539: Performing Validation Checks

    For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the “Dynamic ARP Inspection Configuration Guidelines” section on page 23-6. Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This procedure is optional.
  • Page 540: Configuring The Log Buffer

    Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP packets. This procedure is optional. Step 1 configure terminal: Enter global configuration mode. Step 2 ip arp inspection validate: Perform a specific check on incoming ARP packets.
  • Page 541 If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time.
  • Page 542: Displaying Dynamic Arp Inspection Information

    Step 3 ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {all | none | ...}}: Control the type of packets that are logged per VLAN. By default, all denied or all dropped packets are logged. The term logged means the entry is placed in the log buffer and a system message is generated.
  • Page 543 To clear or display dynamic ARP inspection statistics, use the privileged EXEC commands in Table 23-3 (Commands for Clearing or Displaying Dynamic ARP Inspection Statistics): clear ip arp inspection statistics: Clears dynamic ARP inspection statistics.
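    The dynamic ARP inspection procedures of this chapter worked through on one access switch: the DHCP environment (per-VLAN enable, trusted inter-switch link, untrusted host ports), the ARP ACL for a host that does not use DHCP, rate limiting, the extra validation checks, and the log buffer settings. This is an added example, not configuration from the Cisco guide; the VLAN, interface numbers, addresses and MAC address are assumptions.

```cisco
! Added example (not from the Cisco guide). VLAN, interfaces, addresses
! and the MAC address are assumptions.
Switch# configure terminal
! DAI validates against the DHCP snooping binding table, so snooping
! must already be running on the same VLAN.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ip arp inspection vlan 10
! Inter-switch link: trusted, so ARP from the rest of the network is
! forwarded without a binding lookup. Never trust host-facing ports.
Switch(config)# interface gigabitethernet1/0/25
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit
! Host ports: untrusted (default). 15 pps over a 1-second burst interval
! is the untrusted default; exceeding it err-disables the port, so let
! it recover on its own.
Switch(config)# interface range gigabitethernet1/0/1 - 24
Switch(config-if-range)# no ip arp inspection trust
Switch(config-if-range)# ip arp inspection limit rate 15 burst interval 1
Switch(config-if-range)# exit
Switch(config)# errdisable recovery cause arp-inspection
! Validation checks: Ethernet source/destination MAC must match the ARP
! body, and sender/target IP must not be 0.0.0.0, 255.255.255.255 or
! multicast.
Switch(config)# ip arp inspection validate src-mac dst-mac ip
! Non-DHCP host on Gi1/0/3 with a static address: permit it by ACL.
! "log" on the ACE makes permitted packets visible under acl-match matchlog.
Switch(config)# arp access-list STATIC-HOSTS
Switch(config-arp-nacl)# permit ip host 10.10.10.50 mac host 0011.2233.4455 log
Switch(config-arp-nacl)# exit
! No "static" keyword here: DHCP clients on VLAN 10 still fall through
! to the binding table. With "static" the ACL's implicit deny is final,
! the bindings are never consulted, and every DHCP host is cut off.
Switch(config)# ip arp inspection filter STATIC-HOSTS vlan 10
! Logging: larger buffer, 100 messages every 10 seconds, and log the
! ACL matches so the static hosts show up in the audit trail.
Switch(config)# ip arp inspection log-buffer entries 1024
Switch(config)# ip arp inspection log-buffer logs 100 interval 10
Switch(config)# ip arp inspection vlan 10 logging acl-match matchlog
Switch(config)# end
Switch# show ip arp inspection vlan 10
Switch# show ip arp inspection interfaces
Switch# show ip arp inspection statistics vlan 10
Switch# show ip arp inspection log
```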
  • Page 545 Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the “IP Multicast Routing Commands” section in the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2.
  • Page 546: Chapter 24 Configuring IGMP Snooping and MVR

    Chapter 24 Configuring IGMP Snooping and MVR: Understanding IGMP Snooping. Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast devices.
  • Page 547: Igmp Versions

    Specific Multicast (SSM) feature. For more information about source-specific multicast with IGMPv3 and IGMP, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t5/dtssm5t.htm Joining a Multicast Group When a host connected to the switch wants to join an IP multicast group and it is an IGMP Version 2 client, it sends an unsolicited IGMP join message, specifying the IP multicast group to join.
  • Page 548 Figure 24-1 Initial IGMP Join Message (Router A, IGMP report for 224.1.2.3, VLAN forwarding table, Hosts 1 to 4). Router A sends a general query to the switch, which forwards the query to ports 2 through 5, which are all members of the same VLAN.
  • Page 549: Leaving A Multicast Group

    If another host (for example, Host 4) sends an unsolicited IGMP join message for the same group (Figure 24-2), the CPU receives that message and adds the port number of Host 4 to the forwarding table as shown in Table 24-2.
  • Page 550: Immediate Leave

    24-11. IGMP Configurable-Leave Timer: In Cisco IOS Release 12.2(25)SEA and earlier, the IGMP snooping leave time was fixed at 5 seconds. If membership reports were not received by the switch before the query response time of the query expired, a port was removed from the multicast group membership. However, some applications require a leave latency of less than 5 seconds.
  • Page 551: Igmp Snooping And Switch Stacks

    IGMP Snooping and Switch Stacks. IGMP snooping functions across the switch stack; that is, IGMP control information from one switch is distributed to all switches in the stack. (See Chapter 5, “Managing Switch Stacks,” for more information about switch stacks.) Regardless of the stack member through which IGMP multicast data enters the stack, the data reaches the hosts that have registered for that group.
  • Page 552: Enabling Or Disabling Igmp Snooping

    Table 24-3 Default IGMP Snooping Configuration (continued). IGMP snooping querier: Disabled. IGMP report suppression: Enabled. (1. TCN = Topology Change Notification.) Enabling or Disabling IGMP Snooping: By default, IGMP snooping is globally enabled on the switch. When globally enabled or disabled, it is also enabled or disabled in all existing VLAN interfaces.
  • Page 553: Setting The Snooping Method

    Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets; listening to Cisco Group Management Protocol (CGMP) packets from other routers; statically connecting to a multicast router port with the ip igmp snooping mrouter global ...
  • Page 554: Configuring A Multicast Router Port

    To return to the default learning method, use the no ip igmp snooping vlan vlan-id mrouter learn cgmp global configuration command. This example shows how to configure IGMP snooping to use CGMP packets as the learning method:
    Switch# configure terminal
    Switch(config)# ip igmp snooping vlan 1 mrouter learn cgmp
    Switch(config)# end...
  • Page 555: Configuring A Host Statically To Join A Group

    Configuring a Host Statically to Join a Group. Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure a host on an interface. Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group: ...
  • Page 556: Configuring The Igmp Leave Timer

    Step 4 show ip igmp snooping vlan vlan-id: Verify that Immediate Leave is enabled on the VLAN interface. Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file. To disable IGMP Immediate Leave on a VLAN, use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command.
  • Page 557: Configuring Tcn-Related Commands

    Configuring TCN-Related Commands. These sections describe how to control flooded multicast traffic during a TCN event: Controlling the Multicast Flooding Time After a TCN Event, page 24-13; Recovering from Flood Mode, page 24-13; ...
  • Page 558: Disabling Multicast Flooding During A Tcn Event

    Beginning in privileged EXEC mode, follow these steps to enable the switch to send the global leave message whether or not it is the spanning-tree root: Step 1 configure terminal: Enter global configuration mode.
  • Page 559: Configuring The Igmp Snooping Querier

    Configuring the IGMP Snooping Querier. Follow these guidelines when configuring the IGMP snooping querier: Configure the VLAN in global configuration mode. Configure an IP address on the VLAN interface. When enabled, the IGMP snooping querier uses the ...
  • Page 560: Disabling Igmp Report Suppression

    This example shows how to set the IGMP snooping querier source address to 10.0.0.64:
    Switch# configure terminal
    Switch(config)# ip igmp snooping querier address 10.0.0.64
    Switch(config)# end
    This example shows how to set the IGMP snooping querier maximum response time to 25 seconds (the query-interval keyword sets the interval between general queries, not the response time):
    Switch# configure terminal
    Switch(config)# ip igmp snooping querier max-response-time 25
    Switch(config)# end...
  • Page 561 Displaying IGMP Snooping Information: To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 24-4 (Commands for Displaying IGMP Snooping Information). show ip igmp snooping [vlan vlan-id]: Display the snooping configuration information for all VLANs on the switch or for a specified VLAN.
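    The IGMP snooping procedures of the preceding sections applied to one Layer 2 VLAN that has no multicast router of its own: learning method, a static multicast router port, a static member, Immediate Leave versus the configurable leave timer, the TCN flood controls and the snooping querier. This is an added example, not configuration from the Cisco guide; the VLAN numbers, interface numbers, group and IP addresses are assumptions.

```cisco
! Added example (not from the Cisco guide). VLANs, interfaces and
! addresses are assumptions.
Switch# configure terminal
Switch(config)# ip igmp snooping
Switch(config)# ip igmp snooping vlan 20
! Learn router ports from PIM/DVMRP and IGMP queries (the default), and
! pin the known uplink as a router port so data is not flooded while
! the switch waits for a query.
Switch(config)# ip igmp snooping vlan 20 mrouter learn pim-dvmrp
Switch(config)# ip igmp snooping vlan 20 mrouter interface gigabitethernet1/0/25
! Static member for a monitoring host that never sends IGMP reports.
Switch(config)# ip igmp snooping vlan 20 static 239.10.20.5 interface gigabitethernet1/0/7
! One host per port on VLAN 20: prune on the first IGMPv2 leave instead
! of waiting for the group-specific query to time out.
Switch(config)# ip igmp snooping vlan 20 immediate-leave
! VLAN 30 has several hosts behind one port, where Immediate Leave would
! cut off the others; shorten the leave timer (milliseconds) instead.
Switch(config)# ip igmp snooping vlan 30 last-member-query-interval 1000
! After a topology change, flood multicast for at most 2 general queries
! (the default) and solicit queries even when this switch is not the
! spanning-tree root, so the flood window closes promptly.
Switch(config)# ip igmp snooping tcn flood query count 2
Switch(config)# ip igmp snooping tcn query solicit
! No multicast router on VLAN 20: run a local querier so memberships are
! refreshed and the group table does not age out into flooding. The
! querier sources its queries from the VLAN interface address.
Switch(config)# interface vlan 20
Switch(config-if)# ip address 10.20.0.2 255.255.255.0
Switch(config-if)# exit
Switch(config)# ip igmp snooping querier
Switch(config)# ip igmp snooping querier address 10.20.0.2
Switch(config)# ip igmp snooping querier query-interval 60
Switch(config)# ip igmp snooping querier max-response-time 10
Switch(config)# end
Switch# show ip igmp snooping vlan 20
Switch# show ip igmp snooping mrouter vlan 20
Switch# show ip igmp snooping groups vlan 20
Switch# show ip igmp snooping querier
```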
  • Page 562: Understanding Multicast Vlan Registration

    Understanding Multicast VLAN Registration. Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service-provider network (for example, the broadcast of multiple television channels over a service-provider network).
  • Page 563: Using Mvr In A Multicast Television Application

    VLAN. Uplink ports that send and receive multicast data to and from the multicast VLAN are called MVR source ports. Figure 24-3 Multicast VLAN Registration Example (multicast VLAN, Cisco router, multicast server, Switch B, ...).
  • Page 564: Configuring Mvr

    When a subscriber changes channels or turns off the television, the set-top box sends an IGMP leave message for the multicast stream. The switch CPU sends a MAC-based general query through the receiver port VLAN.
  • Page 565: Mvr Configuration Guidelines And Limitations

    Table 24-5 Default MVR Configuration (continued). Interface (per port) default: Neither a receiver nor a source port. Immediate Leave: Disabled on all ports. MVR Configuration Guidelines and Limitations: Follow these guidelines when configuring MVR: Receiver ports can only be access ports; ...
  • Page 566: Configuring Mvr Interfaces

    Step 3 mvr group ip-address [count]: Configure an IP multicast address on the switch or use the count parameter to configure a contiguous series of MVR group addresses (the range for count is 1 to 256; ...
  • Page 567: Default Configuration

    Step 3 interface interface-id: Specify the Layer 2 port to configure, and enter interface configuration mode. Step 4 mvr type {source | receiver}: Configure an MVR port as one of these: source: Configure uplink ports that receive and send multicast data as ...
  • Page 568: Displaying Mvr Information

    Displaying MVR Information. You can display MVR information for the switch or for a specified interface. Beginning in privileged EXEC mode, use the commands in Table 24-6 (Commands for Displaying MVR Information) to display MVR configuration: ...
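    The MVR configuration described above (global settings, a source port in the multicast VLAN, a receiver port in a subscriber VLAN with Immediate Leave and a static group) for the television-style deployment of Figure 24-3. This is an added example rather than configuration from the Cisco guide; the VLAN numbers, group range and interface numbers are assumptions.

```cisco
! Added example (not from the Cisco guide). VLANs, group range and
! interfaces are assumptions.
Switch# configure terminal
Switch(config)# mvr
! Multicast VLAN 100 carries the streams; 10 contiguous channels
! starting at 239.100.1.1.
Switch(config)# mvr vlan 100
Switch(config)# mvr group 239.100.1.1 10
! dynamic: forward a group to a receiver port only after that port sends
! an IGMP report. compatible mode would push every group to every
! receiver port, which is the wrong default for a subscriber network.
Switch(config)# mvr mode dynamic
! Response time for the MAC-based general query, in tenths of a second.
Switch(config)# mvr querytime 5
! Uplink toward the multicast router/server: source port in VLAN 100.
! Subscribers must never be attached to a source port.
Switch(config)# interface gigabitethernet1/0/25
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 100
Switch(config-if)# mvr type source
Switch(config-if)# exit
! Subscriber port: an access port (receiver ports cannot be trunks) in a
! different VLAN. One set-top box per port, so Immediate Leave is safe.
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# mvr type receiver
Switch(config-if)# mvr immediate
! Static membership for a channel that must always be delivered.
Switch(config-if)# mvr vlan 100 group 239.100.1.1
Switch(config-if)# end
Switch# show mvr
Switch# show mvr interface
Switch# show mvr members
```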
  • Page 569: Default Igmp Filtering And Throttling Configuration

    Configuring IGMP Filtering and Throttling. IGMP filtering is applicable only to the dynamic learning of IP multicast group addresses, not static configuration. With the IGMP throttling feature, you can set the maximum number of IGMP groups that a Layer 2 interface can join.
  • Page 570: Applying Igmp Profiles

    range: Specifies a range of IP addresses for the profile. You can enter a single IP address or a range with a start and an end address. The default is for the switch to have no IGMP profiles configured.
  • Page 571: Setting The Maximum Number Of Igmp Groups

    Beginning in privileged EXEC mode, follow these steps to apply an IGMP profile to a switch port: Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify the physical interface, and enter interface configuration mode.
  • Page 572: Configuring The Igmp Throttling Action

    To remove the maximum group limitation and return to the default of no maximum, use the no ip igmp max-groups interface configuration command. This example shows how to limit to 25 the number of IGMP groups that a port can join.
    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# ip igmp max-groups 25
    Switch(config-if)# end...
  • Page 573: Displaying Igmp Filtering And Throttling Configuration

    Step 4 end: Return to privileged EXEC mode. Step 5 show running-config interface interface-id: Verify the configuration. Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default action of dropping the report, use the no ip igmp max-groups action interface configuration command.
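    IGMP filtering and throttling on subscriber ports as one procedure: a profile that permits only the provider's channel range, applied to the access ports, plus a per-port group limit with the replace action. This is an added example, not configuration from the Cisco guide; the profile number, group range and interface numbers are assumptions.

```cisco
! Added example (not from the Cisco guide). Profile number, group range
! and interfaces are assumptions.
Switch# configure terminal
! Profile 1: permit only 239.100.1.0 - 239.100.1.255. A profile denies
! its ranges unless "permit" is set, so say it explicitly. Reports for
! any other group are dropped; static group configuration is unaffected.
Switch(config)# ip igmp profile 1
Switch(config-igmp-profile)# permit
Switch(config-igmp-profile)# range 239.100.1.0 239.100.1.255
Switch(config-igmp-profile)# exit
Switch(config)# interface range gigabitethernet1/0/1 - 24
Switch(config-if-range)# ip igmp filter 1
! Throttle: at most 2 simultaneous groups per port. When the limit is
! reached, the default action drops the new report; "replace" evicts a
! current group so a channel change still works for a single viewer.
Switch(config-if-range)# ip igmp max-groups 2
Switch(config-if-range)# ip igmp max-groups action replace
Switch(config-if-range)# end
Switch# show ip igmp profile 1
Switch# show running-config interface gigabitethernet1/0/1
Switch# copy running-config startup-config
```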
  • Page 575: Configuring Storm Control

    Chapter 25 Configuring Port-Based Traffic Control. This chapter describes how to configure the port-based traffic control features on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 576 Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received (Cisco IOS Release 12.2(25)SE or later); traffic rate in bits per second at which broadcast, multicast, or unicast packets are received (Cisco IOS Release 12.2(25)SE or later). With each method, the port blocks traffic when the rising threshold is reached.
  • Page 577: Chapter 25 Configuring Port-Based Traffic Control

    Note: Because packets do not arrive at uniform intervals, the 1-second time interval during which traffic activity is measured can affect the behavior of storm control. You use the storm-control interface configuration commands to set the threshold value for each traffic type.
  • Page 578 Step 3 storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}: Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled. The keywords have these meanings: For level, specify the rising threshold level for broadcast, ...
  • Page 579: Configuring Protected Ports

    Step 6 show storm-control [interface-id] [broadcast | multicast | unicast]: Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.
  • Page 580: Default Protected Port Configuration

    Default Protected Port Configuration: The default is to have no protected ports defined. Protected Port Configuration Guidelines: You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5).
  • Page 581: Configuring Port Blocking

    Configuring Port Blocking. By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or nonprotected) from flooding unknown unicast or multicast packets to other ports.
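    Storm control, protected ports and port blocking combined on the host-facing ports of one switch, covering all three threshold methods (percentage, packets per second, bits per second) and the shutdown action. This is an added example rather than configuration from the Cisco guide; the interface numbers and threshold values are assumptions chosen for illustration.

```cisco
! Added example (not from the Cisco guide). Interfaces and thresholds
! are assumptions.
Switch# configure terminal
Switch(config)# interface range gigabitethernet1/0/1 - 24
! Storm control, measured per 1-second interval. Broadcast as a
! percentage of bandwidth: block above 20%, resume below 10%.
Switch(config-if-range)# storm-control broadcast level 20.00 10.00
! Multicast in packets per second (k/m/g suffixes; 12.2(25)SE or later).
Switch(config-if-range)# storm-control multicast level pps 2k 1k
! Unknown unicast in bits per second.
Switch(config-if-range)# storm-control unicast level bps 10m 5m
! Err-disable the port when a rising threshold is hit instead of only
! dropping the excess ("trap" would just send an SNMP trap).
Switch(config-if-range)# storm-control action shutdown
! Protected port: no unicast, broadcast or multicast between protected
! ports in the same VLAN; hosts still reach the unprotected uplink and
! each other only through the Layer 3 device.
Switch(config-if-range)# switchport protected
! Port blocking: unknown-unicast and unknown-multicast floods are not
! forwarded out these ports at all.
Switch(config-if-range)# switchport block unicast
Switch(config-if-range)# switchport block multicast
Switch(config-if-range)# exit
! Let storm-control shutdowns recover on their own.
Switch(config)# errdisable recovery cause storm-control
Switch(config)# end
Switch# show storm-control gigabitethernet1/0/1 broadcast
Switch# show storm-control gigabitethernet1/0/1 multicast
Switch# show storm-control gigabitethernet1/0/1 unicast
Switch# show interfaces gigabitethernet1/0/1 switchport
```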
  • Page 582: Configuring Port Security

    Chapter 25 Configuring Port-Based Traffic Control, Configuring Port Security
    Configuring Port Security: You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.
  • Page 583: Security Violations

    You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter the switchport port-security mac-address sticky interface configuration command.
  • Page 584: Default Port Security Configuration

    Table 25-1 shows the violation mode and the actions taken when you configure an interface for port security.
    Table 25-1 Security Violation Mode Actions. Column headings: Violation Mode, Traffic is ..., Sends SNMP ..., Sends syslog ..., Displays error ..., Violation counter ...
  • Page 585

    IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
  • Page 586: Enabling And Configuring Port Security

    Enabling and Configuring Port Security: Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port (Command / Purpose table):
    Step 1 ...
  • Page 587

    Command (Step 7): switchport port-security violation {protect | restrict | shutdown}
    Purpose: (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:
    • protect—When the number of port secure MAC addresses reaches the ...
  • Page 588

    Command (Step 10): switchport port-security mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]
    Purpose: (Optional) Enter a sticky secure MAC address, repeating the command as many times as necessary. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned, are converted to sticky secure MAC addresses, and are added to the running...
  • Page 589: Enabling And Configuring Port Security Aging

    You must specifically delete configured secure MAC addresses from the address table by using the no switchport port-security mac-address mac-address interface configuration command. This example shows how to enable port security on a port and to set the maximum number of secure addresses to 50.
  • Page 590

    Command (Step 3): switchport port-security aging {static | time time | type {absolute | inactivity}}
    Purpose: Enable or disable static aging for the secure port, or set the aging time or type.
    Note: The switch does not support port security aging of sticky secure addresses.
  • Page 591: Port Security And Switch Stacks

    Chapter 25 Configuring Port-Based Traffic Control, Displaying Port-Based Traffic Control Settings
    Port Security and Switch Stacks: When a switch joins a stack, the new switch will get the configured secure addresses. All dynamic secure addresses are downloaded by the new stack member from the other stack members. When a switch (either the stack master or a stack member) leaves the stack, the remaining stack members are notified, and the secure MAC addresses configured or learned by that switch are deleted from the secure MAC address table.
  • Page 592 Chapter 25 Configuring Port-Based Traffic Control Displaying Port-Based Traffic Control Settings Catalyst 3750 Switch Software Configuration Guide 25-18 OL-8550-02...
  • Page 593: Understanding Cdp

    • Monitoring and Maintaining CDP, page 26-5
    Understanding CDP: CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 594: Cdp And Switch Stacks

    Chapter 26 Configuring CDP, Configuring CDP
    CDP and Switch Stacks: A switch stack appears as a single switch in the network. Therefore, CDP discovers the switch stack, not the individual stack members. The switch stack sends CDP messages to neighboring network devices when there are changes to the switch stack membership, such as stack members being added or removed.
  • Page 595: Chapter 26 Configuring Cdp

    26-5.
    Disabling and Enabling CDP: CDP is enabled by default. Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages.
    Note: Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 6, “Clustering Switches”...
  • Page 596: Disabling And Enabling Cdp On An Interface

    This example shows how to enable CDP if it has been disabled.
    Switch# configure terminal
    Switch(config)# cdp run
    Switch(config)# end
    Disabling and Enabling CDP on an Interface: CDP is enabled by default on all supported interfaces to send and to receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on a port (Command / Purpose table): ...
  • Page 597: Monitoring And Maintaining Cdp

    Chapter 26 Configuring CDP, Monitoring and Maintaining CDP
    Monitoring and Maintaining CDP: To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode (Command / Description table):
    clear cdp counters: Reset the traffic counters to zero.
    clear cdp table: Delete the CDP table of information about neighbors.
  • Page 599: Understanding Udld

    CHAPTER Configuring UDLD: This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 600: Chapter 27 Configuring Udld

    Chapter 27 Configuring UDLD, Understanding UDLD
    A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device. In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection.
  • Page 601

    • Event-driven detection and echoing: UDLD relies on echoing as its detection mechanism. Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out-of-sync neighbor, it restarts the detection window on its side of the connection and sends echo messages in reply.
  • Page 602: Configuring Udld

    Chapter 27 Configuring UDLD, Configuring UDLD
    Configuring UDLD: These sections contain this configuration information:
    • Default UDLD Configuration, page 27-4
    • Configuration Guidelines, page 27-4
    • Enabling UDLD Globally, page 27-5
    • Enabling UDLD on an Interface, page 27-6
    • Resetting an Interface Disabled by UDLD, page 27-6
    • ...
  • Page 603: Enabling Udld Globally

    Enabling UDLD Globally: Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch and all members in the switch stack (Command / Purpose table): ...
  • Page 604: Enabling Udld On An Interface

    Enabling UDLD on an Interface: Beginning in privileged EXEC mode, follow these steps either to enable UDLD in the aggressive or normal mode or to disable UDLD on a port (Command / Purpose table):
    Command (Step 1): configure terminal
    Purpose: Enter global configuration mode.
  • Page 605: Displaying Udld Status

    Chapter 27 Configuring UDLD, Displaying UDLD Status
    Displaying UDLD Status: To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
  • Page 607: Understanding Span And Rspan

    You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.
  • Page 608: Chapter 28 Configuring Span And Rspan

    Chapter 28 Configuring SPAN and RSPAN, Understanding SPAN and RSPAN
    These sections contain this conceptual information:
    • Local SPAN, page 28-2
    • Remote SPAN, page 28-3
    • SPAN and RSPAN Concepts and Terminology, page 28-4
    • SPAN and RSPAN Interaction with Other Features, page 28-9
    • ...
  • Page 609: Remote Span

    Figure 28-2 Example of Local SPAN Configuration on a Switch Stack (figure: a Catalyst 3750 switch stack; port 4 on switch 1 in the stack (1/0/4) is mirrored on port 15 on switch 2) ...
  • Page 610: Span And Rspan Concepts And Terminology

    Figure 28-3 Example of RSPAN Configuration (figure: RSPAN source session A on Switch A and RSPAN source session B on Switch B, carried over the RSPAN VLAN through intermediate switches that must support the RSPAN VLAN, to the RSPAN destination session and RSPAN destination ports on Switch C) ...
  • Page 611: Monitored Traffic

    An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed over normal trunk ports to the destination switch.
  • Page 612: Source Ports

    The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
  • Page 613: Source Vlans

    A source port has these characteristics:
    • It can be monitored in multiple SPAN sessions.
    • Each source port can be configured with a direction (ingress, egress, or both) to monitor.
    • ...
  • Page 614: Destination Port

    Destination Port: Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user, usually a network analyzer.
  • Page 615: Rspan Vlan

    RSPAN VLAN: The RSPAN VLAN carries SPAN traffic between RSPAN source and destination sessions. It has these special characteristics:
    • All traffic in the RSPAN VLAN is always flooded.
    • No MAC address learning occurs on the RSPAN VLAN.
  • Page 616: Span And Rspan And Switch Stacks

    Chapter 28 Configuring SPAN and RSPAN, Configuring SPAN and RSPAN
    A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and still be a part of the EtherChannel. In this case, data from the physical port is monitored as it participates in the EtherChannel.
  • Page 617: Default Span And Rspan Configuration

    Default SPAN and RSPAN Configuration: Table 28-1 shows the default SPAN and RSPAN configuration.
    Table 28-1 Default SPAN and RSPAN Configuration (Feature / Default Setting):
    SPAN state (SPAN and RSPAN): Disabled.
    Source port traffic to monitor: Both received and sent traffic (both).
  • Page 618: Creating A Local Span Session

    • You can configure a disabled port to be a source or destination port, but the SPAN function does not start until the destination port and at least one source port or source VLAN are enabled.
    • You can limit SPAN traffic to specific VLANs by using the filter vlan keyword.
  • Page 619

    Command (Step 3): monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
    Purpose: Specify the SPAN session and the source port (monitored port). For session_number, the range is 1 to 66. For interface-id, specify the source port or source VLAN to monitor.
  • Page 620

    Command (Step 6): show monitor [session session_number] or show running-config
    Purpose: Verify the configuration.
    Command (Step 7): copy running-config startup-config
    Purpose: (Optional) Save the configuration in the configuration file.
    To delete a SPAN session, use the no monitor session session_number global configuration command. To remove a source or destination port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command or the no monitor session session_number destination interface interface-id global configuration command.
  • Page 621: Creating A Local Span Session And Configuring Incoming Traffic

    VLANs and the destination ports, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating a Local SPAN Session”...
  • Page 622: Specifying Vlans To Filter

    To delete a SPAN session, use the no monitor session session_number global configuration command. To remove a source or destination port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command or the no monitor session session_number destination interface interface-id global configuration command.
  • Page 623: Configuring Rspan

    Command (Step 5): monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
    Purpose: Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3. For interface-id, specify the destination port.
  • Page 624: Rspan Configuration Guidelines

    RSPAN Configuration Guidelines: Follow these guidelines when configuring RSPAN:
    • All the items in the “SPAN Configuration Guidelines” section on page 28-11 apply to RSPAN.
    • As RSPAN VLANs have special properties, you should reserve a few VLANs across your network ...
  • Page 625: Configuring A Vlan As An Rspan Vlan

    Configuring a VLAN as an RSPAN VLAN: First create a new VLAN to be the RSPAN VLAN for the RSPAN session. You must create the RSPAN VLAN in all switches that will participate in RSPAN. If the RSPAN VLAN-ID is in the normal range (lower than 1005) and VTP is enabled in the network, you can create the RSPAN VLAN in one switch, and VTP propagates it to the other switches in the VTP domain.
  • Page 626

    Command (Step 3): monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
    Purpose: Specify the RSPAN session and the source port (monitored port). For session_number, the range is 1 to 66. Enter a source port or source VLAN for the RSPAN session: For interface-id, specify the source port to monitor.
  • Page 627: Creating An Rspan Destination Session

    Creating an RSPAN Destination Session: You configure the RSPAN destination session on a different switch or switch stack; that is, not the switch or switch stack on which the source session was configured. Beginning in privileged EXEC mode, follow these steps to define the RSPAN VLAN on that switch, to create an RSPAN destination session, and to specify the source RSPAN VLAN and the destination port (Command / Purpose table): ...
  • Page 628: Creating An Rspan Destination Session And Configuring Incoming Traffic

    RSPAN VLAN and the destination port, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating an RSPAN Destination...
  • Page 629

    Command (Step 4): monitor session session_number destination {interface interface-id [, | -] [ingress {dot1q vlan vlan-id | isl | untagged ...
    Purpose: Specify the SPAN session, the destination port, the packet encapsulation, and the incoming VLAN and encapsulation. For session_number, enter the number defined in Step 4.
  • Page 630: Specifying Vlans To Filter

    Specifying VLANs to Filter: Beginning in privileged EXEC mode, follow these steps to configure the RSPAN source session to limit RSPAN source traffic to specific VLANs (Command / Purpose table):
    Command (Step 1): configure terminal
    Purpose: Enter global configuration mode.
  • Page 631: Displaying Span And Rspan Status

    Chapter 28 Configuring SPAN and RSPAN, Displaying SPAN and RSPAN Status
    Displaying SPAN and RSPAN Status: To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
  • Page 633: Understanding Rmon

    Note: For complete syntax and usage information for the commands used in this chapter, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
    This chapter consists of these sections:
    • Understanding RMON, page 29-1
    • ...
  • Page 634: Chapter 29 Configuring Rmon

    Chapter 29 Configuring RMON, Configuring RMON
    Figure 29-1 Remote Monitoring Example (figure: a network management station with a generic RMON console application; on the switch, RMON alarms and events configured, SNMP configured, RMON history and statistic collection enabled; workstations attached)
    The switch supports these RMON groups (defined in RFC 1757):
    • ...
  • Page 635: Default Rmon Configuration

    Default RMON Configuration: RMON is disabled by default; no alarms or events are configured.
    Configuring RMON Alarms and Events: You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station.
  • Page 636

    Command (Step 3): rmon event number [description string] [log] [owner string] [trap community]
    Purpose: Add an event in the RMON event table that is associated with an RMON event number.
    • For number, assign an event number. The range ...
  • Page 637: Collecting Group History Statistics On An Interface

    Collecting Group History Statistics on an Interface: You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional.
  • Page 638: Displaying Rmon Status

    Displays the RMON statistics table. For information about the fields in these displays, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 639: Understanding System Message Logging

    This chapter describes how to configure system message logging on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
    Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 640: Configuring System Message Logging

    Chapter 30 Configuring System Message Logging, Configuring System Message Logging
    You can access logged system messages by using the switch command-line interface (CLI) or by saving them to a properly configured syslog server. The switch software saves syslog messages in an internal buffer on a standalone switch, and in the case of a switch stack, on the stack master.
  • Page 641: C H A P T E R 30 Configuring System Message Logging

    Table 30-1 describes the elements of syslog messages.
    Table 30-1 System Log Message Elements (Element / Description):
    seq no: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured.
  • Page 642: Default System Message Logging Configuration

    Default System Message Logging Configuration: Table 30-2 shows the default system message logging configuration.
    Table 30-2 Default System Message Logging Configuration (Feature / Default Setting):
    System message logging to the console: Enabled.
  • Page 643: Setting The Message Display Destination Device

    The logging synchronous global configuration command also affects the display of messages to the console. When this command is enabled, messages appear only after you press Return. For more information, see the “Synchronizing Log Messages”...
  • Page 644: Synchronizing Log Messages

    Command (Step 6): terminal monitor
    Purpose: Log messages to a nonconsole terminal during the current session. Terminal parameter-setting commands are set locally and do not remain in effect after the session has ended. You must perform this step for each session to see the debugging messages.
  • Page 645

    Beginning in privileged EXEC mode, follow these steps to configure synchronous logging. This procedure is optional. (Command / Purpose table)
    Command (Step 1): configure terminal
    Purpose: Enter global configuration mode.
    Command (Step 2): line [console | vty] line-number [ending-line-number]
    Purpose: Specify the line to be configured for synchronous logging of messages.
  • Page 646: Enabling And Disabling Time Stamps On Log Messages

    Enabling and Disabling Time Stamps on Log Messages: By default, log messages are not time-stamped. Beginning in privileged EXEC mode, follow these steps to enable time-stamping of log messages. This procedure is optional.
  • Page 647: Defining The Message Severity Level

    Command (Step 4): show running-config
    Purpose: Verify your entries.
    Command (Step 5): copy running-config startup-config
    Purpose: (Optional) Save your entries in the configuration file.
    To disable sequence numbers, use the no service sequence-numbers global configuration command. This example shows part of a logging display with sequence numbers enabled:
    000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) (Switch-2)
    Defining the Message Severity Level...
  • Page 648: Limiting Syslog Messages Sent To The History Table And To Snmp

    Table 30-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.
    Table 30-3 Message Logging Level Keywords (Level Keyword / Level / Description) ...
  • Page 649: Enabling The Configuration-Change Logger

    [end-number] | statistics} [provisioning] privileged EXEC command to display the complete configuration log or the log for specified parameters. The default is that configuration logging is disabled. For information about the commands, see the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3 T at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a8086.html#wp1114989...
  • Page 650: Configuring Unix Syslog Servers

    Beginning in privileged EXEC mode, follow these steps to enable configuration logging (Command / Purpose table):
    Command (Step 1): configure terminal
    Purpose: Enter global configuration mode.
    Command (Step 2): archive
    Purpose: Enter archive configuration mode.
    Command (Step 3): log config
    Purpose: Enter configuration-change logger configuration mode.
  • Page 651: Configuring The Unix System Logging Facility

    Step 1: Add a line such as the following to the file /etc/syslog.conf:
    local7.debug /usr/adm/logs/cisco.log
    The local7 keyword specifies the logging facility to be used; see Table 30-4 on page 30-14 for information on the facilities.
  • Page 652: Displaying The Logging Configuration

    Displaying the Logging Configuration To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 653: Understanding Snmp

    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
    This chapter consists of these sections:
    • Understanding SNMP, page 31-1
    • ...
  • Page 654: Chapter 31 Configuring Snmp

    Chapter 31 Configuring SNMP, Understanding SNMP
    These sections contain this conceptual information:
    • SNMP Versions, page 31-2
    • SNMP Manager Functions, page 31-3
    • SNMP Agent Functions, page 31-4
    • SNMP Community Strings, page 31-4
    • Using SNMP to Access MIB Variables, page 31-4
    • ...
  • Page 655: Snmp Manager Functions

    Table 31-1 identifies the characteristics of the different combinations of security models and levels.
    Table 31-1 SNMP Security Models and Levels (Model / Level / Authentication / Encryption / Result):
    SNMPv1 / noAuthNoPriv / Community string / No / Uses a community string match for authentication.
    SNMPv2C / noAuthNoPriv / Community string / No / ...
  • Page 656: Snmp Agent Functions

    (@esN, where N is the switch number) to the first configured RW and RO community strings on the command switch and propagates them to the member switches. For more information, see Chapter 6, “Clustering Switches” and see Getting Started with Cisco Network Assistant, available on Cisco.com.
    Using SNMP to Access MIB Variables: An example of an NMS is the CiscoWorks network management software.
  • Page 657: Snmp Notifications

    As shown in Figure 31-1, the SNMP agent gathers data from the MIB. The agent can send traps, or notification of certain events, to the SNMP manager, which receives and processes the traps. Traps alert the SNMP manager to a condition on the network such as improper user authentication, restarts, link status (up or down), MAC address tracking, and so forth.
  • Page 658: Snmp Ifindex Mib Object Values

    Chapter 31 Configuring SNMP, Configuring SNMP
    SNMP ifIndex MIB Object Values: In an NMS, the IF-MIB generates and assigns an interface index (ifIndex) object value that is a unique number greater than zero to identify a physical or a logical interface. When the switch reboots or the switch software is upgraded, the switch uses this same value for the interface.
  • Page 659: Default Snmp Configuration

    Modifying the group's notify view affects all users associated with that group. See the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 for information about when you should configure notify views.
  • Page 660: Disabling The Snmp Agent

    The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
  • Page 661

    Beginning in privileged EXEC mode, follow these steps to configure a community string on the switch (Command / Purpose table):
    Command (Step 1): configure terminal
    Purpose: Enter global configuration mode.
    Command (Step 2): snmp-server community string [view view-name] [ro | rw] [access-list-number]
    Purpose: Configure the community string.
    • For string, specify a string that acts like a password and ...
  • Page 662: Configuring Snmp Groups And Users

    This example shows how to assign the string comaccess to SNMP, to allow read-only access, and to specify that IP access list 4 can use the community string to gain access to the switch SNMP agent:
    Switch(config)# snmp-server community comaccess ro 4
    Configuring SNMP Groups and Users: You can specify an identification name (engine ID) for the local or remote SNMP server engine on the...
  • Page 663

    Command (Step 3): snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview]
    Purpose: Configure a new SNMP group on the remote device.
    • For groupname, specify the name of the group.
    • ...
  • Page 664: Configuring Snmp Notifications

    By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers.
    Note: Many commands use the word traps in the command syntax. Unless there is an option in the command to select either traps or informs, the keyword traps refers to either traps, informs, or both.
  • Page 665 Generates a trap for Open Shortest Path First (OSPF) changes. You can enable any or all of these traps: Cisco specific, errors, link-state advertisement, rate limit, retransmit, and state changes. Generates a trap for Protocol-Independent Multicast (PIM) changes. You can enable any or all of these traps: invalid PIM messages, neighbor changes, and rendezvous point (RP)-mapping changes.
  • Page 666 Chapter 31 Configuring SNMP Configuring SNMP Note: Though visible in the command-line help strings, the cpu [threshold] keyword is not supported. To enable the sending of SNMP inform notifications, use the snmp-server enable traps global configuration command combined with the snmp-server host host-addr informs global configuration command.
  • Page 667: Setting the Agent Contact and Location Information

    Chapter 31 Configuring SNMP Configuring SNMP Command / Purpose. Step 6 snmp-server enable traps notification-types: Enable the switch to send traps or informs and specify the type of notifications to be sent. For a list of notification types, see Table 31-5 on page 31-12, or enter snmp-server enable traps ? To enable multiple types of traps, you must enter a separate snmp-server...
  • Page 668: Limiting TFTP Servers Used Through SNMP

    Chapter 31 Configuring SNMP Configuring SNMP Limiting TFTP Servers Used Through SNMP Beginning in privileged EXEC mode, follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list: Command Purpose Step 1...
  • Page 669: Displaying SNMP Status

    Switch(config)# snmp-server enable traps entity Switch(config)# snmp-server host cisco.com restricted entity This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public: Switch(config)# snmp-server enable traps Switch(config)# snmp-server host myhost.cisco.com public...
  • Page 671: Understanding ACLs

    “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2, and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.
  • Page 672: Chapter 32 Configuring Network Security with ACLs

    Chapter 32 Configuring Network Security with ACLs Understanding ACLs You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network.
  • Page 673: Port ACLs

    Chapter 32 Configuring Network Security with ACLs Understanding ACLs • When an output router ACL and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL.
  • Page 674: Router ACLs

    Chapter 32 Configuring Network Security with ACLs Understanding ACLs [Figure 32-1 Using ACLs to Control Traffic to a Network: Host A and Host B, Human Resources network and Research & Development network; an ACL denying traffic from Host B and permitting traffic from Host A.] When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port.
  • Page 675: VLAN Maps

    Chapter 32 Configuring Network Security with ACLs Understanding ACLs As with port ACLs, the switch examines ACLs associated with features configured on a given interface. However, router ACLs are supported in both directions. As packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface are examined.
  • Page 676: ACLs and Switch Stacks

    Chapter 32 Configuring Network Security with ACLs Understanding ACLs • Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information. Consider access list 102, configured with these commands, applied to three fragmented packets: Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp Switch(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet Switch(config)# access-list 102 permit tcp any host 10.1.1.2...
  • Page 677: Configuring IPv4 ACLs

    ACL information to all switches in the stack. Configuring IPv4 ACLs Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, see the “Configuring IP Services”...
  • Page 678: Access List Numbers

    Chapter 32 Configuring Network Security with ACLs Configuring IPv4 ACLs The software supports these types of ACLs or access lists for IPv4: • Standard IP access lists use source addresses for matching operations. • Extended IP access lists use source and destination addresses for matching operations and optional...
  • Page 679: ACL Logging

    Chapter 32 Configuring Network Security with ACLs Configuring IPv4 ACLs Note: In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs by using the supported numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP ACL can be 100 to 199.
  • Page 680: Creating a Numbered Standard ACL

    Chapter 32 Configuring Network Security with ACLs Configuring IPv4 ACLs Creating a Numbered Standard ACL Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL: Command / Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard] [log]: Define a standard IPv4 access list by using a source address and...
  • Page 681: Creating a Numbered Extended ACL

    ICMP echo-reply cannot be filtered. All other ICMP codes or types can be filtered. For more details on the specific keywords for each protocol, see these command references: Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 •...
  • Page 682 Chapter 32 Configuring Network Security with ACLs Configuring IPv4 ACLs Beginning in privileged EXEC mode, follow these steps to create an extended ACL: Command / Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2a access-list access-list-number {deny | permit} protocol ...: Define an extended IPv4 access list and the access conditions. The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
  • Page 683 TCP port. To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP.
  • Page 684 ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. Step 2e access-list access-list-number (Optional) Define an extended IGMP access list and the access conditions.
  • Page 685: Resequencing ACEs in an ACL

    32-29). Resequencing ACEs in an ACL In Cisco IOS Release 12.2(18)SE and later, sequence numbers for the entries in an access list are automatically generated when you create a new ACL. You can use the ip access-list resequence global configuration command to edit the sequence numbers in an ACL and change the order in which ACEs are applied.
  • Page 686 Chapter 32 Configuring Network Security with ACLs Configuring IPv4 ACLs Command / Purpose. Step 3 deny {source [source-wildcard] | host source | any} [log]: In access-list configuration mode, specify one or more conditions denied or permitted to decide if the packet is forwarded or dropped. host source—A source and source wildcard of source 0.0.0.0.
  • Page 687: Using Time Ranges with ACLs

    Chapter 32 Configuring Network Security with ACLs Configuring IPv4 ACLs After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL entries to a specific ACL. However, you can use no permit and no deny access-list configuration mode commands to remove entries from a named ACL.
  • Page 688 Chapter 32 Configuring Network Security with ACLs Configuring IPv4 ACLs Command / Purpose. Step 3 absolute [start time date] [end time date]: Specify when the function it will be applied to is operational. • You can use only one absolute statement in the time range. If you...
  • Page 689: Including Comments in ACLs

    Chapter 32 Configuring Network Security with ACLs Configuring IPv4 ACLs This example uses named ACLs to permit and deny the same traffic. Switch(config)# ip access-list extended deny_access Switch(config-ext-nacl)# deny tcp any any time-range new_year_day_2006 Switch(config-ext-nacl)# exit Switch(config)# ip access-list extended may_access Switch(config-ext-nacl)# permit tcp any any time-range workhours Switch(config-ext-nacl)# end Switch# show ip access-lists...
  • Page 690: Applying an IPv4 ACL to an Interface

    Chapter 32 Configuring Network Security with ACLs Configuring IPv4 ACLs Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 691 Chapter 32 Configuring Network Security with ACLs Configuring IPv4 ACLs Beginning in privileged EXEC mode, follow these steps to control access to an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Identify a specific interface for configuration, and enter interface configuration mode.
  • Page 692: Hardware and Software Treatment of IP ACLs

    This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2 and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
  • Page 693 Chapter 32 Configuring Network Security with ACLs Configuring IPv4 ACLs Use router ACLs to do this in one of two ways: • Create a standard ACL, and filter traffic coming to the server from Port 1. • Create an extended ACL, and filter traffic coming from the server into Port 1. ...
  • Page 694: Numbered ACLs

    Chapter 32 Configuring Network Security with ACLs Configuring IPv4 ACLs Numbered ACLs In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host.
  • Page 695: Time Range Applied to an IP ACL

    Chapter 32 Configuring Network Security with ACLs Configuring IPv4 ACLs The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits ICMP traffic, denies UDP traffic from any source to the destination address range 171.69.0.0 through 179.69.255.255 with a destination port less than 1024, denies any other IP traffic, and provides a log of the result.
  • Page 696: ACL Logging

    Chapter 32 Configuring Network Security with ACLs Configuring IPv4 ACLs In this example of a named ACL, the Jones subnet is not allowed access: Switch(config)# ip access-list standard prevention Switch(config-std-nacl)# remark Do not allow Jones subnet through Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.255 In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet: Switch(config)# ip access-list extended telnetting Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out...
  • Page 697: Creating Named MAC Extended ACLs

    Chapter 32 Configuring Network Security with ACLs Creating Named MAC Extended ACLs This is an example of a log for an extended ACL: 01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet 01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets 01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) ->...
  • Page 698: Applying a MAC ACL to a Layer 2 Interface

    Chapter 32 Configuring Network Security with ACLs Creating Named MAC Extended ACLs Command / Purpose. Step 3 {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination ...: In extended MAC access-list configuration mode, specify to permit or deny any source MAC address, a source MAC address with a mask, or a specific host source MAC address and any...
  • Page 699: Configuring VLAN Maps

    Chapter 32 Configuring Network Security with ACLs Configuring VLAN Maps • A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one. Beginning in privileged EXEC mode, follow these steps to apply a MAC access list to control access to a Layer 2 interface: Command...
  • Page 700: VLAN Map Configuration Guidelines

    Chapter 32 Configuring Network Security with ACLs Configuring VLAN Maps To create a VLAN map and apply it to one or more VLANs, perform these steps: Step 1 Create the standard or extended IPv4 ACLs or named MAC extended ACLs that you want to apply to the VLAN.
  • Page 701: Creating a VLAN Map

    Chapter 32 Configuring Network Security with ACLs Configuring VLAN Maps • When a frame is Layer-2 forwarded within a private VLAN, the same VLAN map is applied at the ingress side and at the egress side. When a frame is routed from inside a private VLAN to an external port, the private-VLAN map is applied at the ingress side.
  • Page 702: Examples of ACLs and VLAN Maps

    Chapter 32 Configuring Network Security with ACLs Configuring VLAN Maps Examples of ACLs and VLAN Maps These examples show how to create ACLs and VLAN maps for specific purposes. Example 1 This example shows how to create an ACL and a VLAN map to deny a packet. In the first map, any packets that match the ip1 ACL (TCP packets) would be dropped.
  • Page 703 Chapter 32 Configuring Network Security with ACLs Configuring VLAN Maps Example 3 In this example, the VLAN map has a default action of drop for MAC packets and a default action of forward for IP packets. Used with MAC extended access lists good-hosts and good-protocols, the map will have the following results: • Forward MAC packets from hosts 0000.0c00.0111 and 0000.0c00.0211 ...
  • Page 704: Applying a VLAN Map to a VLAN

    Chapter 32 Configuring Network Security with ACLs Configuring VLAN Maps Applying a VLAN Map to a VLAN Beginning in privileged EXEC mode, follow these steps to apply a VLAN map to one or more VLANs: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 705: Denying Access to a Server on Another VLAN

    Chapter 32 Configuring Network Security with ACLs Configuring VLAN Maps [Figure 32-4 Wiring Closet Configuration: Switch A, Switch B, Switch C; Host X (10.1.1.32, VLAN 1) and Host Y (10.1.1.34, VLAN 2); VLAN map: Deny HTTP from X to Y. HTTP is dropped at entry point.]
  • Page 706: Using VLAN Maps with Router ACLs

    Chapter 32 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs [Figure 32-5 Deny Access to a Server on Another VLAN: Layer 3 switch with a VLAN map; Server 10.1.1.100 (VLAN 10); Host 10.1.1.4 (VLAN 10); Host 10.1.1.8 (VLAN 10); Host (VLAN 20) on Subnet 10.1.2.0/8.]
  • Page 707: VLAN Maps and Router ACL Configuration Guidelines

    Chapter 32 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs Note: When you use router ACLs with VLAN maps, packets that require logging on the router ACLs are not logged if they are denied by a VLAN map. If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not match the type, the default is to drop the packet.
  • Page 708: Examples of Router ACLs and VLAN Maps Applied to VLANs

    Chapter 32 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs Examples of Router ACLs and VLAN Maps Applied to VLANs This section gives examples of applying router ACLs and VLAN maps to a VLAN for switched, bridged, routed, and multicast packets.
  • Page 709: ACLs and Routed Packets

    Chapter 32 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs [Figure 32-7 Applying ACLs on Bridged Packets: Host A (VLAN 10) and Host B (VLAN 20) connected through a fallback bridge.] ACLs and Routed Packets Figure 32-8 shows how ACLs are applied on routed packets.
  • Page 710: ACLs and Multicast Packets

    Chapter 32 Configuring Network Security with ACLs Displaying IPv4 ACL Configuration ACLs and Multicast Packets Figure 32-9 shows how ACLs are applied on packets that are replicated for IP multicasting. A multicast packet being routed has two different kinds of filters applied: one for destinations that are other ports in the input VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed.
  • Page 711 Chapter 32 Configuring Network Security with ACLs Displaying IPv4 ACL Configuration Table 32-2 Commands for Displaying Access Lists and Access Groups (continued) Command Purpose show ip interface interface-id Display detailed configuration and status of an interface. If IP is enabled on the interface and ACLs have been applied by using the ip access-group interface configuration command, the access groups are included in the display.
  • Page 713: Configuring QoS

    In software releases earlier than Cisco IOS Release 12.2(25)SE, you can configure QoS only on physical ports. In Cisco IOS Release 12.2(25)SE or later, you can configure QoS on physical ports and on switch virtual interfaces (SVIs). Other than to apply policy maps, you configure the QoS settings, such as classification, queueing, and scheduling, the same way on physical ports and SVIs.
  • Page 714: Chapter 33 Configuring QoS

    Chapter 33 Configuring QoS Understanding QoS Understanding QoS Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
  • Page 715: Basic QoS Model

    Chapter 33 Configuring QoS Understanding QoS [Figure 33-1 QoS Classification Layers in Frames and Packets: encapsulated packet (Layer 2 header, IP header, data); Layer 2 ISL frame (ISL header 26 bytes, encapsulated frame, 4-byte trailer; 3 bits used for CoS); Layer 2 802.1Q and 802.1p frame (preamble, start frame delimiter, ...).]
  • Page 716 Chapter 33 Configuring QoS Understanding QoS Figure 33-2 shows the basic QoS model. Actions at the ingress port include classifying traffic, policing, marking, queueing, and scheduling: • Classifying a distinct path for a packet by associating it with a QoS label. The switch maps the CoS...
  • Page 717: Classification

    Chapter 33 Configuring QoS Understanding QoS Classification Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally disabled, so no classification occurs.
  • Page 718 Chapter 33 Configuring QoS Understanding QoS After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages. [Figure 33-3 Classification Flowchart: start; read ingress interface configuration for classification; trust CoS (IP and non-IP traffic); trust DSCP (IP traffic).]
  • Page 719: Classification Based on QoS ACLs

    Chapter 33 Configuring QoS Understanding QoS Classification Based on QoS ACLs You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs: • If a match with a permit action is encountered (first-match principle), the specified QoS-related...
  • Page 720: Policing and Marking

    “Policing on Physical Ports” section on page 33-9. In Cisco IOS Release 12.2(25)SE or later, you can configure policing on a physical port or an SVI. For more information about configuring policing on physical ports, see the “Policing on Physical Ports”...
  • Page 721: Policing on Physical Ports

    In this way, the aggregate policer is shared by multiple classes of traffic within a policy map. Note: In Cisco IOS Release 12.2(25)SE or later, you can only configure individual policers on an SVI.
  • Page 722: Policing on SVIs

    Chapter 33 Configuring QoS Understanding QoS [Figure 33-4 Policing and Marking Flowchart on Physical Ports: start; get the classification result for the packet; is a policer configured for this packet?; check if the packet is in profile by querying the policer; pass through; drop; ...]
  • Page 723 SVI. The interface-level policy map only supports individual policers and does not support aggregate policers. Beginning with Cisco IOS Release 12.2(25)SED, you can configure different interface-level policy maps for each class defined in the VLAN-level policy map.
  • Page 724: Mapping Tables

    Chapter 33 Configuring QoS Understanding QoS Mapping Tables During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS label based on the DSCP or CoS value from the classification stage: • During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or...
  • Page 725: Queueing and Scheduling Overview

    Chapter 33 Configuring QoS Understanding QoS Queueing and Scheduling Overview The switch has queues at specific points to help prevent congestion as shown in Figure 33-6. [Figure 33-6 Ingress and Egress Queue Location: policer and marker feeding ingress queues, the stack ring, and egress queues.]
  • Page 726: SRR Shaping and Sharing

    Chapter 33 Configuring QoS Understanding QoS [Figure 33-7 WTD and Queue Operation: queue of 1000 with thresholds for CoS 6-7 (100%), CoS 4-5, and CoS 0-3.] For more information, see the “Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds” section on page 33-68, the “Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set”...
  • Page 727: Queueing and Scheduling on Ingress Queues

    Chapter 33 Configuring QoS Understanding QoS Queueing and Scheduling on Ingress Queues Figure 33-8 shows the queueing and scheduling flowchart for ingress ports. [Figure 33-8 Queueing and Scheduling Flowchart for Ingress Ports: start; read QoS label (DSCP or CoS value); determine ingress queue number, buffer allocation, and WTD thresholds.]
  • Page 728 Chapter 33 Configuring QoS Understanding QoS You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
  • Page 729: Queueing and Scheduling on Egress Queues

    Chapter 33 Configuring QoS Understanding QoS Queueing and Scheduling on Egress Queues Figure 33-9 shows the queueing and scheduling flowchart for egress ports. Note: If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues. Figure 33-9 Queueing and Scheduling Flowchart for Egress Ports...
  • Page 730 Chapter 33 Configuring QoS Understanding QoS Figure 33-10 shows the egress queue buffer. The buffer space is divided between the common pool and the reserved pool. The switch uses a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue, to prevent any queue or port from consuming all the buffers and depriving other queues, and to control whether to grant buffer space to a requesting queue.
  • Page 731: Packet Modification

    Chapter 33 Configuring QoS Understanding QoS threshold-id cos1...cos8} global configuration command. You can display the DSCP output queue threshold map and the CoS output queue threshold map by using the show mls qos maps privileged EXEC command. The queues use WTD to support distinct drop percentages for different traffic classes. Each queue has three drop thresholds: two configurable (explicit) WTD thresholds and one nonconfigurable (implicit) threshold preset to the queue-full state.
  • Page 732: Configuring Auto-QoS

    The switch uses the resulting classification to choose the appropriate egress queue. You use auto-QoS commands to identify ports connected to Cisco IP Phones and to devices running the Cisco SoftPhone application. You also use the commands to identify ports that receive trusted traffic through an uplink.
  • Page 733 The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP Phone. When a Cisco IP Phone is detected, the ingress classification on the port is set to trust the QoS label received in the packet. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet.
  • Page 734 • When you enter the auto qos voip cisco-softphone interface configuration command on a port at the edge of the network that is connected to a device running the Cisco SoftPhone, the switch uses policing to determine whether a packet is in or out of profile and to specify the action on the packet.
  • Page 735 Chapter 33 Configuring QoS Configuring Auto-QoS Table 33-5 Generated Auto-QoS Configuration (continued) Description / Automatically Generated Command. The switch automatically maps DSCP values to an ingress queue and to a threshold ID: Switch(config)# no mls qos srr-queue input dscp-map Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15 Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7...
  • Page 736 DSCP value received in the packet on a routed port by using the mls qos trust dscp command. If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone: Switch(config-if)# mls qos trust device cisco-phone
  • Page 737: Effects of Auto-QoS on the Configuration

    In releases earlier than Cisco IOS Release 12.2(20)SE, auto-QoS configures VoIP only on switch ports with Cisco IP Phones. • In Cisco IOS Release 12.2(20)SE or later, auto-QoS configures the switch for VoIP with Cisco IP Phones on nonrouted and routed ports. Auto-QoS also configures the switch for VoIP with devices running the Cisco SoftPhone application.
  • Page 738: Enabling Auto-QoS for VoIP

    • By default, the CDP is enabled on all ports. For auto-QoS to function properly, do not disable the CDP. • When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
  • Page 739 ... cisco-softphone | trust}: Enable auto-QoS. The keywords have these meanings: • cisco-phone—If the port is connected to a Cisco IP Phone, the QoS labels of incoming packets are trusted only when the telephone is detected. This keyword is not supported on 10-Gigabit interfaces.
  • Page 740: Auto-QoS Configuration Example

    [Figure 33-11: IP phones and Cisco IP phones at the edge of the QoS domain.] Figure 33-11 shows a network in which the VoIP traffic is prioritized over all other traffic. Auto-QoS is enabled on the switches in the wiring closets at the edge of the QoS domain.
  • Page 741 Step 6 exit Return to global configuration mode. Step 7 Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone. Step 8 interface interface-id Specify the switch port identified as connected to a trusted switch or router, and enter interface configuration mode.
  • Page 742: Displaying Auto-QoS Information

    Chapter 33 Configuring QoS Displaying Auto-QoS Information Displaying Auto-QoS Information To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
  • Page 743: Default Standard QoS Configuration

    Chapter 33 Configuring QoS Configuring Standard QoS Default Standard QoS Configuration QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
  • Page 744: Default Egress Queue Configuration

    Chapter 33 Configuring QoS Configuring Standard QoS Default Egress Queue Configuration Table 33-9 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited. Table 33-9 Default Egress Queue Configuration Feature...
  • Page 745: Default Mapping Table Configuration

    Chapter 33 Configuring QoS Configuring Standard QoS Default Mapping Table Configuration The default CoS-to-DSCP map is shown in Table 33-12 on page 33-61. The default IP-precedence-to-DSCP map is shown in Table 33-13 on page 33-62. The default DSCP-to-CoS map is shown in Table 33-14 on page 33-64.
  • Page 746: Policing Guidelines

    Chapter 33 Configuring QoS Configuring Standard QoS • In Cisco IOS Release 12.2(25)SE or later, follow these guidelines when configuring policy maps on physical ports or SVIs: You cannot apply the same policy map to a physical port and to an SVI.
  • Page 747: General QoS Guidelines

    By default, VLAN-based QoS is disabled on all physical switch ports. The switch applies QoS, including class maps and policy maps, only on a physical-port basis. In Cisco IOS Release 12.2(25)SE or later, you can enable VLAN-based QoS on a switch port.
  • Page 748: Configuring Classification Using Port Trust States

    Chapter 33 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to enable VLAN-based QoS. This procedure is required on physical ports that are specified in the interface level of a hierarchical policy map on an SVI. Command Purpose Step 1...
  • Page 749 Chapter 33 Configuring QoS Configuring Standard QoS [Figure 33-12 Port Trusted States within the QoS Domain: trusted interface, trunk, trusted boundary; traffic classification performed at the trusted boundary.] Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives: Command / Purpose...
  • Page 750: Configuring the CoS Value for an Interface

    Chapter 33 Configuring QoS Configuring Standard QoS Command Purpose Step 3 mls qos trust [cos | dscp | ip-precedence] Configure the port trust state. By default, the port is not trusted. If no keyword is specified, the default is dscp. The keywords have these meanings: cos—Classifies an ingress packet by using the packet CoS value.
  • Page 751: Configuring a Trusted Boundary to Ensure Port Security

    CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the...
  • Page 752: Enabling DSCP Transparency Mode

    In some situations, you can prevent a PC connected to the Cisco IP Phone from taking advantage of a high-priority data queue. You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC.
  • Page 753: Configuring The Dscp Trust State On A Port Bordering Another Qos Domain

    Chapter 33 Configuring QoS Configuring Standard QoS If DSCP transparency is enabled by using the no mls qos rewrite ip dscp command, the switch does not modify the DSCP field in the incoming packet, and the DSCP field in the outgoing packet is the same as that in the incoming packet.
  • Page 754 Chapter 33 Configuring QoS Configuring Standard QoS Figure 33-13 DSCP-Trusted State on a Port Bordering Another QoS Domain (figure labels: QoS Domain 1, QoS Domain 2, IP traffic, set interface to the DSCP-trusted state, configure the DSCP-to-DSCP-mutation map). Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map.
  • Page 755: Configuring A Qos Policy

    Chapter 33 Configuring QoS Configuring Standard QoS To return a port to its non-trusted state, use the no mls qos trust interface configuration command. To return to the default DSCP-to-DSCP-mutation map values, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command. This example shows how to configure a port to the DSCP-trusted state and to modify the DSCP-to-DSCP-mutation map (named gi1/0/2-mutation) so that incoming DSCP values 10 to 13 are mapped to DSCP 30:...
  • Page 756: Classifying Traffic By Using Acls

    Chapter 33 Configuring QoS Configuring Standard QoS Classifying Traffic by Using ACLs You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs. Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic: Command Purpose Step 1...
  • Page 757 Chapter 33 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} protocol source source-wildcard Create an IP extended ACL, repeating the command as many times as necessary.
  • Page 758 Chapter 33 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac access-list extended name Create a Layer 2 MAC ACL by specifying the name of the list.
  • Page 759: Classifying Traffic By Using Class Maps

    Chapter 33 Configuring QoS Configuring Standard QoS Classifying Traffic by Using Class Maps You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further classify it.
  • Page 760 Chapter 33 Configuring QoS Configuring Standard QoS Command Purpose Step 4 match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list} Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported.
  • Page 761: Classifying, Policing, And Marking Traffic On Physical Ports By Using Policy Maps

    If you want the egress DSCP value to be different than the ingress value, use the set dscp new-dscp policy-map class configuration command. In Cisco IOS Release 12.2(25)SE or later, if you enter or have used the set ip dscp command, the •...
  • Page 762 Chapter 33 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create a nonhierarchical policy map: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 class-map [match-all | match-any] class-map-name Create a class map, and enter class-map configuration mode. By default, no class maps are defined.
  • Page 763 Chapter 33 Configuring QoS Configuring Standard QoS Command Purpose Step 5 trust [cos | dscp | ip-precedence] Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label. Note This command is mutually exclusive with the set command within the same policy map.
  • Page 764 Chapter 33 Configuring QoS Configuring Standard QoS Command Purpose Step 8 exit Return to policy map configuration mode. Step 9 exit Return to global configuration mode. Step 10 interface interface-id Specify the port to attach to the policy map, and enter interface configuration mode.
  • Page 765: Classifying, Policing, And Marking Traffic On Svis By Using Hierarchical Policy Maps

    • In Cisco IOS Release 12.2(25)SE or later, if you enter or have used the set ip dscp command, the switch changes this command to set dscp in its configuration. If you enter the set ip dscp command, this setting appears as set dscp in the switch configuration.
  • Page 766 Chapter 33 Configuring QoS Configuring Standard QoS • If VLAN-based QoS is enabled, the hierarchical policy map supersedes the previously configured port-based policy map. • The hierarchical policy map is attached to the SVI and affects all traffic belonging to the VLAN. •...
  • Page 767 Chapter 33 Configuring QoS Configuring Standard QoS Command Purpose Step 3 match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list} Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported.
  • Page 768 Chapter 33 Configuring QoS Configuring Standard QoS Command Purpose Step 11 class-map class-map-name Define an interface-level traffic classification, and enter policy-map configuration mode. By default, no policy-map class-maps are defined. If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.
  • Page 769 Specify the interface-level policy-map name (from Step 10) and associate it with the VLAN-level policy map. If the VLAN-level policy map specifies more than one class, beginning in Cisco IOS Release 12.2(25)SED, each class can have a different service-policy policy-map-name command. Step 20 exit Return to policy-map configuration mode.
  • Page 770 Chapter 33 Configuring QoS Configuring Standard QoS Command Purpose Step 23 service-policy input policy-map-name Specify the VLAN-level policy-map name, and apply it to the SVI. Repeat the previous step and this command to apply the policy map to other SVIs. If the hierarchical VLAN-level policy map has more than one interface-level policy map, all class maps must be configured to the same VLAN-level policy map specified in the service-policy...
  • Page 771: Classifying, Policing, And Marking Traffic By Using Aggregate Policers

    Chapter 33 Configuring QoS Configuring Standard QoS Switch(config-pmap-c)#exit Switch(config-pmap)#class-map cm-2 Switch(config-pmap-c)#match ip dscp 2 Switch(config-pmap-c)#service-policy port-plcmap-1 Switch(config-pmap)#exit Switch(config-pmap)#class-map cm-3 Switch(config-pmap-c)#match ip dscp 3 Switch(config-pmap-c)#service-policy port-plcmap-2 Switch(config-pmap)#exit Switch(config-pmap)#class-map cm-4 Switch(config-pmap-c)#trust dscp Switch(config-pmap)#exit Switch(config)#interface vlan 10 Switch(config-if)# Switch(config-if)#ser input vlan-plcmap Switch(config-if)#exit Switch(config)#exit Switch# Classifying, Policing, and Marking Traffic by Using Aggregate Policers By using an aggregate policer, you can create a policer that is shared by multiple traffic classes within...
  • Page 772 Chapter 33 Configuring QoS Configuring Standard QoS Command Purpose Step 3 class-map [match-all | match-any] class-map-name Create a class map to classify traffic as necessary. For more information, see the “Classifying Traffic by Using Class Maps” section on page 33-47. Step 4 policy-map policy-map-name Create a policy map by entering the policy map name, and enter...
  • Page 773: Configuring Dscp Maps

    Chapter 33 Configuring QoS Configuring Standard QoS Switch(config-cmap)# match access-group 2 Switch(config-cmap)# exit Switch(config)# policy-map aggflow1 Switch(config-pmap)# class ipclass1 Switch(config-pmap-c)# trust dscp Switch(config-pmap-c)# police aggregate transmit1 Switch(config-pmap-c)# exit Switch(config-pmap)# class ipclass2 Switch(config-pmap-c)# set dscp 56 Switch(config-pmap-c)# police aggregate transmit1 Switch(config-pmap-c)# exit Switch(config-pmap)# exit Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# service-policy input aggflow1...
  • Page 774: Configuring The Ip-Precedence-To-Dscp Map

    Chapter 33 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to modify the CoS-to-DSCP map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map cos-dscp dscp1...dscp8 Modify the CoS-to-DSCP map.
  • Page 775: Configuring The Policed-Dscp Map

    Chapter 33 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to modify the IP-precedence-to-DSCP map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map ip-prec-dscp Modify the IP-precedence-to-DSCP map.
  • Page 776: Configuring The Dscp-To-Cos Map

    Chapter 33 Configuring QoS Configuring Standard QoS To return to the default map, use the no mls qos policed-dscp global configuration command. This example shows how to map DSCP 50 to 57 to a marked-down DSCP value of 0: Switch(config)# mls qos map policed-dscp 50 51 52 53 54 55 56 57 to 0 Switch(config)# end Switch# show mls qos maps policed-dscp Policed-dscp map:...
  • Page 777: Configuring The Dscp-To-Dscp-Mutation Map

    Chapter 33 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-CoS map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map dscp-cos dscp-list to cos Modify the DSCP-to-CoS map.
  • Page 778 Chapter 33 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-DSCP-mutation map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map dscp-mutation Modify the DSCP-to-DSCP-mutation map.
  • Page 779: Configuring Ingress Queue Characteristics

    Chapter 33 Configuring QoS Configuring Standard QoS Note In the above DSCP-to-DSCP-mutation map, the mutated values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the original DSCP.
  • Page 780: Mapping Dscp Or Cos Values To An Ingress Queue And Setting Wtd Thresholds

    Chapter 33 Configuring QoS Configuring Standard QoS Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped. Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and to set WTD thresholds.
  • Page 781: Allocating Buffer Space Between The Ingress Queues

    Chapter 33 Configuring QoS Configuring Standard QoS This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent. It maps DSCP values 20 to 26 to ingress queue 1 and to threshold 2 with a drop threshold of 70 percent: Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 1 0 1 2 3 4 5 6 Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 20 21 22 23 24 25 26...
  • Page 782: Configuring The Ingress Priority Queue

    Chapter 33 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to allocate bandwidth between the ingress queues. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue input bandwidth Assign shared round robin weights to the ingress queues.
  • Page 783: Configuring Egress Queue Characteristics

    Chapter 33 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to configure the priority queue. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue input priority-queue queue-id bandwidth Assign a queue as the priority queue and guarantee bandwidth on the stack ring if the ring is congested.
  • Page 784: Allocating Buffer Space To And Setting Wtd Thresholds For An Egress Queue-Set

    Chapter 33 Configuring QoS Configuring Standard QoS These sections contain this configuration information: • Configuration Guidelines, page 33-72 • Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, page 33-72 (optional) • Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, page 33-74 (optional) •...
  • Page 785 Chapter 33 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and to drop thresholds for a queue-set. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos queue-set output qset-id Allocate buffers to a queue-set.
  • Page 786: Mapping Dscp Or Cos Values To An Egress Queue And To A Threshold Id

    Chapter 33 Configuring QoS Configuring Standard QoS Command Purpose Step 7 show mls qos interface [interface-id] buffers Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command.
  • Page 787 Chapter 33 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an egress queue and to a threshold ID. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 788: Configuring Srr Shaped Weights On Egress Queues

    Chapter 33 Configuring QoS Configuring Standard QoS Configuring SRR Shaped Weights on Egress Queues Note You cannot configure SRR shaped weights on the 10-Gigabit interfaces. You can specify how much of the available bandwidth is allocated to each queue. The ratio of the weights is the ratio of the frequency with which the SRR scheduler sends packets from each queue.
  • Page 789: Configuring Srr Shared Weights On Egress Queues

    Chapter 33 Configuring QoS Configuring Standard QoS This example shows how to configure bandwidth shaping on queue 1. Because the weight ratios for queues 2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent: Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# srr-queue bandwidth shape 8 0 0 0...
  • Page 790: Configuring The Egress Expedite Queue

    Configuring Standard QoS Configuring the Egress Expedite Queue Beginning in Cisco IOS Release 12.1(19)EA1, you can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues.
  • Page 791: Displaying Standard Qos Information

    Chapter 33 Configuring QoS Displaying Standard QoS Information Beginning in privileged EXEC mode, follow these steps to limit the bandwidth on an egress port. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be rate limited, and enter interface configuration mode.
  • Page 792 Chapter 33 Configuring QoS Displaying Standard QoS Information Table 33-15 Commands for Displaying Standard QoS Information (continued) Command Purpose show mls qos queue-set [qset-id] Display QoS settings for the egress queues. show mls qos vlan vlan-id Display the policy maps attached to the specified SVI. show policy-map [policy-map-name [class class-map-name]] Display QoS policy maps, which define classification criteria for...
  • Page 793: Understanding Etherchannels

    C H A P T E R Configuring EtherChannels and Link-State Tracking This chapter describes how to configure EtherChannels on Layer 2 and Layer 3 ports on the Catalyst 3750 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
  • Page 794: Etherchannel Overview

    Incompatible ports are suspended. Beginning with Cisco IOS Release 12.2(35)SE, instead of a suspended state, the local port is put into an independent state and continues to carry data traffic as would any other single link.
  • Page 795: C H A P T E R 34 Configuring Etherchannels And Link-State Tracking

    Chapter 34 Configuring EtherChannels and Link-State Tracking Understanding EtherChannels You can create an EtherChannel on a standalone switch, on a single switch in the stack, or on multiple switches in the stack (known as cross-stack EtherChannel). See Figure 34-2 and Figure 34-3.
  • Page 796: Port-Channel Interfaces

    Chapter 34 Configuring EtherChannels and Link-State Tracking Understanding EtherChannels Figure 34-3 Cross-Stack EtherChannel (figure labels: Catalyst 3750 switch stack with Switch 1, Switch 2 and Switch 3, StackWise port connections, Switch A, channel group 1). Port-Channel Interfaces When you create an EtherChannel, a port-channel logical interface is involved: • With Layer 2 ports, use the channel-group interface configuration command to dynamically create...
  • Page 797: Port Aggregation Protocol

    Layer 2 EtherChannel as a trunk. Port Aggregation Protocol The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
  • Page 798: Pagp Modes

    PAgP Interaction with Other Features The Dynamic Trunking Protocol (DTP) and the Cisco Discovery Protocol (CDP) send and receive packets over the physical ports in the EtherChannel. Trunk ports send and receive PAgP protocol data units (PDUs) on the lowest numbered VLAN.
  • Page 799: Link Aggregation Control Protocol

    Link Aggregation Control Protocol The LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports.
  • Page 800: Etherchannel On Mode

    Chapter 34 Configuring EtherChannels and Link-State Tracking Understanding EtherChannels In Layer 2 EtherChannels, the first port in the channel that comes up provides its MAC address to the EtherChannel. If this port is removed from the bundle, one of the remaining ports in the bundle provides its MAC address to the EtherChannel.
  • Page 801 Chapter 34 Configuring EtherChannels and Link-State Tracking Understanding EtherChannels With source-IP address-based forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the EtherChannel based on the source-IP address of the incoming packet. Therefore, to provide load-balancing, packets from different IP addresses use different ports in the channel, but packets from the same IP address use the same port in the channel.
  • Page 802: Etherchannel And Switch Stacks

    Load Distribution and Forwarding Methods (figure labels: switch with source-based forwarding enabled, EtherChannel, Cisco router with destination-based forwarding enabled). EtherChannel and Switch Stacks If a stack member that has ports participating in an EtherChannel fails or leaves the stack, the stack master removes the failed stack member switch ports from the EtherChannel. The remaining ports of the EtherChannel, if any, continue to provide connectivity.
  • Page 803: Configuring Etherchannels

    Chapter 34 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Configuring EtherChannels These sections contain this configuration information: • Default EtherChannel Configuration, page 34-11 • EtherChannel Configuration Guidelines, page 34-12 • Configuring Layer 2 EtherChannels, page 34-13 (required) • Configuring Layer 3 EtherChannels, page 34-15 (required) •...
  • Page 804: Etherchannel Configuration Guidelines

    IEEE 802.1x port. If you try to enable IEEE 802.1x on an EtherChannel port, an error message appears, and IEEE 802.1x is not enabled. Note In software releases earlier than Cisco IOS Release 12.2(18)SE, if IEEE 802.1x is enabled on an inactive port of an EtherChannel, the port does not join the EtherChannel. •...
  • Page 805: Configuring Layer 2 Etherchannels

    Chapter 34 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels – An EtherChannel supports the same allowed range of VLANs on all the ports in a trunking Layer 2 EtherChannel. If the allowed range of VLANs is not the same, the ports do not form an EtherChannel even when PAgP is set to the auto or desirable mode.
  • Page 806 Chapter 34 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Command Purpose Step 4 channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive} Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 48.
  • Page 807: Configuring Layer 3 Etherchannels

    Chapter 34 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels This example shows how to configure an EtherChannel on a single switch in the stack. It assigns two ports as static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable: Switch# configure terminal Switch(config)# interface range gigabitethernet2/0/1 -2 Switch(config-if-range)# switchport mode access...
  • Page 808: Configuring The Physical Interfaces

    Chapter 34 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Beginning in privileged EXEC mode, follow these steps to create a port-channel interface for a Layer 3 EtherChannel. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface port-channel port-channel-number Specify the port-channel logical interface, and enter interface...
  • Page 809 Chapter 34 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Command Purpose Step 5 channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive} Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 48.
  • Page 810: Configuring Etherchannel Load Balancing

    Chapter 34 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels This example shows how to configure an EtherChannel. It assigns two ports to channel 5 with the LACP mode active: Switch# configure terminal Switch(config)# interface range gigabitethernet2/0/1 -2 Switch(config-if-range)# no ip address Switch(config-if-range)# no switchport Switch(config-if-range)# channel-group 5 mode active Switch(config-if-range)# end...
  • Page 811: Configuring The Pagp Learn Method And Priority

    Chapter 34 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Command Purpose Step 3 Return to privileged EXEC mode. Step 4 show etherchannel load-balance Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command.
  • Page 812: Configuring Lacp Hot-Standby Ports

    Chapter 34 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Beginning in privileged EXEC mode, follow these steps to configure your switch as a PAgP physical-port learner and to adjust the priority so that the same port in the bundle is selected for sending packets.
  • Page 813: Configuring The Lacp System Priority

    Chapter 34 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels If you configure more than eight links for an EtherChannel group, the software automatically decides which of the hot-standby ports to make active based on the LACP priority. To every link between systems that operate LACP, the software assigns a unique priority made up of these elements (in priority order): • LACP system priority...
  • Page 814: Configuring The Lacp Port Priority

    Chapter 34 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Configuring the LACP Port Priority By default, all ports use the same port priority. If the local system has a lower value for the system priority and the system ID than the remote system, you can affect which of the hot-standby links become active first by changing the port priority of LACP EtherChannel ports to a lower value than the default.
  • Page 815: Displaying Etherchannel, Pagp, And Lacp Status

    Chapter 34 Configuring EtherChannels and Link-State Tracking Displaying EtherChannel, PAgP, and LACP Status Displaying EtherChannel, PAgP, and LACP Status To display EtherChannel, PAgP, and LACP status information, use the privileged EXEC commands described in Table 34-4: Table 34-4 Commands for Displaying EtherChannel, PAgP, and LACP Status Command Description show etherchannel [channel-group-number {detail |...
  • Page 816 Chapter 34 Configuring EtherChannels and Link-State Tracking Understanding Link-State Tracking When you enable link-state tracking on the switch, the link states of the downstream ports are bound to the link state of one or more of the upstream ports. After you associate a set of downstream ports to a set of upstream ports, if all of the upstream ports become unavailable, link-state tracking automatically puts the associated downstream ports in an error-disabled state.
  • Page 817: Configuring Link-State Tracking

    Chapter 34 Configuring EtherChannels and Link-State Tracking Configuring Link-State Tracking Figure 34-6 Typical Link-State Tracking Configuration (figure labels: network, Layer 3 link, distribution switch 1, distribution switch 2, link-state group 1, link-state group 2, ports)...
  • Page 818: Default Link-State Tracking Configuration

    Chapter 34 Configuring EtherChannels and Link-State Tracking Configuring Link-State Tracking Default Link-State Tracking Configuration There are no link-state groups defined, and link-state tracking is not enabled for any group. Link-State Tracking Configuration Guidelines Follow these guidelines to avoid configuration problems: • An interface that is defined as an upstream interface cannot also be defined as a downstream...
  • Page 819: Displaying Link-State Tracking Status

    Chapter 34 Configuring EtherChannels and Link-State Tracking Configuring Link-State Tracking To disable a link-state group, use the no link state track number global configuration command. Displaying Link-State Tracking Status Use the show link state group command to display the link-state group information. Enter this command without keywords to display information about all link-state groups.
  • Page 821 IPv6 on the switch, see Chapter 36, “Configuring IPv6 Unicast Routing.” For more detailed IP unicast configuration information, see the Cisco IOS IP Configuration Guide, Release 12.2 For complete syntax and usage information for the commands used in this chapter, see these command references: •...
  • Page 822: Understanding Ip Routing

    Chapter 35 Configuring IP Unicast Routing Understanding IP Routing Note When configuring routing parameters on the switch and to allocate system resources to maximize the number of unicast routes allowed, you can use the sdm prefer routing global configuration command to set the Switch Database Management (sdm) feature to the routing template.
  • Page 823: Chapter 35 Configuring Ip Unicast Routing

    • It processes routing protocol messages and updates received from peer routers. • It generates, maintains, and distributes the distributed Cisco Express Forwarding (dCEF) database to all stack members. The routes are programmed on all switches in the stack based on this database.
  • Page 824 • information from NSF-aware or NSF-capable neighbors and do not wait for a restart. Beginning with Cisco IOS Release 12.2(35)SE, the switch stack supports NSF-capable routing for OSPF and EIGRP. For more information, see the “OSPF NSF Capability” section on page 35-27 and the “EIGRP NSF Capability”...
  • Page 825: Steps For Configuring Routing

    Steps for Configuring Routing By default, IP routing is disabled on the switch, and you must enable it before routing can take place. For detailed IP routing configuration information, see the Cisco IOS IP Configuration Guide, Release 12.2. In the following procedures, the specified interface must be one of these Layer 3 interfaces: • A routed port: a physical port configured as a Layer 3 port by using the no switchport interface...
  • Page 826: Default Addressing Configuration

    Chapter 35 Configuring IP Unicast Routing Configuring IP Addressing • Configuring Address Resolution Methods, page 35-9 • Routing Assistance When IP Routing is Disabled, page 35-12 • Configuring Broadcast Packet Handling, page 35-14 • Monitoring and Maintaining IP Addressing, page 35-18...
  • Page 827: Assigning Ip Addresses To Network Interfaces

    Chapter 35 Configuring IP Unicast Routing Configuring IP Addressing Assigning IP Addresses to Network Interfaces An IP address identifies a location to which IP packets can be sent. Some IP addresses are reserved for special uses and cannot be used for host, subnet, or network addresses. RFC 1166, “Internet Numbers,” contains the official description of IP addresses.
  • Page 828: Classless Routing

    Chapter 35 Configuring IP Unicast Routing Configuring IP Addressing Classless Routing By default, classless routing behavior is enabled on the switch when it is configured to route. With classless routing, if a router receives packets for a subnet of a network with no default route, the router forwards the packet to the best supernet route.
  • Page 829: Configuring Address Resolution Methods

    Chapter 35 Configuring IP Unicast Routing Configuring IP Addressing To prevent the switch from forwarding packets destined for unrecognized subnets to the best supernet route possible, you can disable classless routing behavior. Beginning in privileged EXEC mode, follow these steps to disable classless routing: Command Purpose Step 1...
  • Page 830: Define A Static Arp Cache

    Chapter 35 Configuring IP Unicast Routing Configuring IP Addressing For more information on RARP, see the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2. You can perform these tasks to configure address resolution: • Define a Static ARP Cache, page 35-10...
  • Page 831: Set Arp Encapsulation

    Chapter 35 Configuring IP Unicast Routing Configuring IP Addressing To remove an entry from the ARP cache, use the no arp ip-address hardware-address type global configuration command. To remove all nonstatic entries from the ARP cache, use the clear arp-cache privileged EXEC command.
  • Page 832: Routing Assistance When Ip Routing Is Disabled

    Routing Assistance When IP Routing is Disabled These mechanisms allow the switch to learn about routes to other networks when it does not have IP routing enabled: • Proxy ARP, page 35-12 ...
  • Page 833 listen to Routing Information Protocol (RIP) routing updates and use this information to infer locations of routers. The switch does not actually store the routing tables sent by routing devices; it merely keeps track of which systems are sending the data.
  • Page 834: Configuring Broadcast Packet Handling

    Configuring Broadcast Packet Handling After configuring an IP interface address, you can enable routing and configure one or more routing protocols, or you can configure the way the switch responds to network broadcasts. A broadcast is a data packet destined for all hosts on a physical network.
  • Page 835: Forwarding Udp Broadcast Packets And Protocols

    By default, both UDP and ND forwarding are enabled if a helper address has been defined for an interface. The description for the ip forward-protocol interface configuration command in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 lists the ports that are forwarded by default if you do not specify any UDP ports.
  • Page 836: Establishing An Ip Broadcast Address

    Beginning in privileged EXEC mode, follow these steps to enable forwarding UDP broadcast packets on an interface and specify the destination address: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the Layer 3 interface...
  • Page 837: Flooding Ip Broadcasts

    Flooding IP Broadcasts You can allow IP broadcasts to be flooded throughout your internetwork in a controlled fashion by using the database created by the bridging STP. Using this feature also prevents loops. To support this capability, bridging must be configured on each interface that is to participate in the flooding.
  • Page 838: Monitoring And Maintaining Ip Addressing

    Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip forward-protocol turbo-flood Use the spanning-tree database to speed up flooding of UDP datagrams. Step 3 end Return to privileged EXEC mode. Step 4 show running-config Verify your entry.
  • Page 839: Enabling Ip Unicast Routing

    It is a distance-vector routing protocol that uses broadcast User Datagram Protocol (UDP) data packets to exchange routing information. The protocol is documented in RFC 1058. You can find detailed information about RIP in IP Routing Fundamentals, published by Cisco Press. Note RIP is the only routing protocol supported by the IP base image;...
  • Page 840: Default Rip Configuration

    Using RIP, the switch sends routing information updates (advertisements) every 30 seconds. If a router does not receive an update from another router for 180 seconds or more, it marks the routes served by that router as unusable.
  • Page 841: Configuring Basic Rip Parameters

    Table 35-4 Default RIP Configuration (continued) Feature Default Setting Timers basic • Update: 30 seconds. • Invalid: 180 seconds. • Hold-down: 180 seconds. • Flush: 240 seconds. Validate-update-source Enabled. Version Receives RIP Version 1 and 2 packets; sends Version 1 packets. Configuring Basic RIP Parameters To configure RIP, you enable RIP routing for a network and optionally configure other parameters.
  • Page 842: Configuring Rip Authentication

    Command Purpose Step 8 version {1 | 2} (Optional) Configure the switch to receive and send only RIP Version 1 or RIP Version 2 packets. By default, the switch receives Version 1 and 2 but sends only Version 1.
  • Page 843: Configuring Summary Addresses And Split Horizon

    Command Purpose Step 3 ip rip authentication key-chain name-of-chain Enable RIP authentication. Step 4 ip rip authentication mode {text | md5} Configure the interface to use plain text authentication (the default) or MD5 digest authentication. Step 5 end Return to privileged EXEC mode.
  • Page 844: Configuring Split Horizon

    To disable IP summarization, use the no ip summary-address rip router configuration command. In this example, the major net is 10.0.0.0. The summary address 10.2.0.0 overrides the autosummary address of 10.0.0.0 so that 10.2.0.0 is advertised out interface Gigabit Ethernet port 2, and 10.0.0.0 is not advertised.
  • Page 845: Configuring Ospf

    This section briefly describes how to configure Open Shortest Path First (OSPF). For a complete description of the OSPF commands, see the “OSPF Commands” chapter of the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
  • Page 846: Default Ospf Configuration

    NSF capability Disabled. Beginning with Cisco IOS Release 12.2(35)SE, the Catalyst 3750 switch supports OSPF NSF-capable routing for IPv4, which allows Layer 3 switches to continue forwarding packets from a neighboring NSF-capable router during hardware or software changes. Catalyst 3750 Switch Software Configuration Guide...
  • Page 847: Ospf Nonstop Forwarding

    Message-digest key (MD5): no key predefined. 1. NSF = Nonstop forwarding 2. OSPF NSF awareness is enabled for IPv4 on Catalyst 3550, 3560 and 3750 switches running the IP services image, Cisco IOS Release 12.2(25)SEC or later. OSPF Nonstop Forwarding...
  • Page 848: Configuring Basic Ospf Parameters

    Use the nsf OSPF routing configuration command to enable OSPF NSF routing. Use the show ip ospf privileged EXEC command to verify that it is enabled. For more information about NSF, see the Cisco Nonstop Forwarding Feature Overview at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00800ab7fc.
  • Page 849: Configuring Ospf Interfaces

    This example shows how to configure an OSPF routing process and assign it a process number of 109: Switch(config)# router ospf 109 Switch(config-router)# network 131.108.0.0 255.255.255.0 area 24 Configuring OSPF Interfaces You can use the ip ospf interface configuration commands to modify interface-specific OSPF parameters.
  • Page 850: Configuring Ospf Area Parameters

    Command Purpose Step 11 ip ospf database-filter all out (Optional) Block flooding of OSPF LSA packets to the interface. By default, OSPF floods new LSAs over all interfaces in the same area, except the interface on which the LSA arrives.
  • Page 851: Configuring Other Ospf Parameters

    Command Purpose Step 5 area area-id stub [no-summary] (Optional) Define an area as a stub area. The no-summary keyword prevents an ABR from sending summary link advertisements into the stub area. Step 6 area area-id nssa [no-redistribution] (Optional) Define an area as a not-so-stubby area.
  • Page 852 • Default Metrics: OSPF calculates the OSPF metric for an interface according to the bandwidth of the interface. The metric is calculated as ref-bw divided by bandwidth, where ref is 10 by default, and bandwidth (bw) is specified by the bandwidth interface configuration command.
  • Page 853: Changing Lsa Group Pacing

    Command Purpose Step 10 timers throttle spf spf-delay spf-holdtime spf-wait (Optional) Configure route calculation timers. • spf-delay—Delay between receiving a change to SPF calculation. The range is from 1 to 600000 milliseconds. • spf-holdtime—Delay between first and second SPF calculation.
  • Page 854: Monitoring Ospf

    EXEC commands for displaying statistics. For more show ip ospf database privileged EXEC command options and for explanations of fields in the resulting display, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. Table 35-6...
  • Page 855: Configuring Eigrp

    Configuring EIGRP Enhanced IGRP (EIGRP) is a Cisco proprietary enhanced version of the IGRP. EIGRP uses the same distance vector algorithm and distance information as IGRP; however, the convergence properties and the operating efficiency of EIGRP are significantly improved.
  • Page 856: Default Eigrp Configuration

    This is the process whereby a new successor is determined. The amount of time it takes to recompute the route affects the convergence time. Recomputation is processor-intensive; it is advantageous to avoid recomputation if it is not necessary. When a topology change occurs, DUAL tests for feasible successors.
  • Page 857 1 (equal-cost load balancing). 1. NSF = Nonstop Forwarding 2. EIGRP NSF awareness is enabled for IPv4 on Catalyst 3550, 3560 and 3750 switches running the IP services image, Cisco IOS Release 12.2(25)SEC or later. To create an EIGRP routing process, you must enable EIGRP and associate networks. EIGRP sends updates to the interfaces in the specified networks.
  • Page 858: Eigrp Nonstop Forwarding

    • EIGRP NSF Awareness The EIGRP NSF Awareness feature is supported for IPv4 in the IP services image, beginning with Cisco IOS Release 12.2(25)SEC. When the neighboring router is NSF-capable, the Layer 3 switch continues to forward packets from the neighboring router during the interval between the primary Route Processor (RP) in a router failing and the backup RP taking over, or while the primary RP is manually reloaded for a nondisruptive software upgrade.
  • Page 859: Configuring Basic Eigrp Parameters

    Configuring Basic EIGRP Parameters Beginning in privileged EXEC mode, follow these steps to configure EIGRP. Configuring the routing process is required; other steps are optional: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router eigrp autonomous-system number Enable an EIGRP routing process, and enter router configuration...
  • Page 860: Configuring Eigrp Interfaces

    15 seconds for all other networks. Caution Do not adjust the hold time without consulting Cisco technical support. Step 7 no ip split-horizon eigrp autonomous-system-number (Optional) Disable split horizon to allow route information to be advertised by a router out any interface from which that information originated.
  • Page 861: Eigrp Stub Routing

    Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the Layer 3 interface to configure. Step 3 ip authentication mode eigrp autonomous-system md5 Enable MD5 authentication in IP EIGRP packets.
  • Page 862: Monitoring And Maintaining Eigrp

    You can delete neighbors from the neighbor table. You can also display various EIGRP routing statistics. Table 35-8 lists the privileged EXEC commands for deleting neighbors and displaying statistics. For explanations of fields in the resulting display, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. Table 35-8...
  • Page 863: Configuring Bgp

    “Configuring BGP” chapter in the Cisco IP and IP Routing Configuration Guide. For details about BGP commands and keywords, see the “IP Routing Protocols” part of the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of BGP commands that are visible but not supported by the switch, see Appendix D, “Unsupported Commands in...
  • Page 864 AS-level policy decisions. A router or switch running Cisco IOS does not select or use an IBGP route unless it has a route available to the next-hop router and it has received synchronization from an IGP (unless IGP synchronization is disabled).
  • Page 865: Default Bgp Configuration

    Protocols” part of the Cisco IOS IP Configuration Guide, Release 12.2. For details about specific commands, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of BGP commands that are visible but not supported by the switch, see Appendix D, “Unsupported Commands in Cisco IOS Release 12.2(35)SE.”...
  • Page 866 Table 35-9 Default BGP Configuration (continued) Feature Default Setting Distance • External route administrative distance: 20 (acceptable values are from 1 to 255). • Internal route administrative distance: 200 (acceptable values are from 1 to 255). ...
  • Page 867: Nonstop Forwarding Awareness

    Keepalive: 60 seconds; holdtime: 180 seconds. 1. NSF = Nonstop Forwarding 2. NSF Awareness can be enabled for IPv4 on Catalyst 3550, 3560, and 3750 switches with the Cisco IOS Release 12.2(25)SEC IP services image by enabling Graceful Restart. Nonstop Forwarding Awareness The BGP NSF Awareness feature is supported for IPv4 in the IP services image, beginning with Cisco IOS Release 12.2(25)SEC.
  • Page 868 Note To enable BGP, the stack master must be running the IP services image. Beginning in privileged EXEC mode, follow these steps to enable BGP routing, establish a BGP routing process, and specify a neighbor: Command Purpose Step 1...
  • Page 869 Command Purpose Step 12 show ip bgp network network-number Verify the configuration. show ip bgp neighbor Verify that NSF awareness (Graceful Restart) is enabled on the neighbor. If NSF awareness is enabled on the switch and the neighbor, this message appears: Graceful Restart Capability: advertised and received If NSF awareness is enabled on the switch, but not on the...
  • Page 870: Managing Routing Policy Changes

    BGP sessions so that the configuration changes take effect. There are two types of reset, hard reset and soft reset. Cisco IOS Releases 12.1 and later support a soft reset without any prior configuration. To use a soft reset without preconfiguration, both BGP peers must support the soft route refresh capability, which is advertised in the OPEN message sent when the peers establish a TCP session.
  • Page 871: Configuring Bgp Decision Attributes

    Prefer the path with the largest weight (a Cisco proprietary parameter). The weight attribute is local to the router and not propagated in routing updates. By default, the weight attribute is 32768 for paths that the router originates and zero for other paths.
  • Page 872 Prefer the route with the highest local preference. Local preference is part of the routing update and exchanged among routers in the same AS. The default value of the local preference attribute is 100. You can set local preference by using the bgp default local-preference router configuration command or by using a route map.
  • Page 873: Configuring Bgp Filtering With Route Maps

    Command Purpose Step 7 bgp bestpath med missing-as-worst (Optional) Configure the switch to consider a missing MED as having a value of infinity, making the path without a MED value the least desirable path. Step 8 bgp always-compare med (Optional) Configure the switch to compare MEDs for...
  • Page 874: Configuring Bgp Filtering By Neighbor

    Command Purpose Step 3 set ip next-hop ip-address [...ip-address] [peer-address] (Optional) Set a route map to disable next-hop processing • In an inbound route map, set the next hop of matching routes to ...
  • Page 875: Configuring Prefix Lists For Bgp Filtering

    BGP autonomous system paths. Each filter is an access list based on regular expressions. (See the “Regular Expressions” appendix in the Cisco IOS Dial Technologies Command Reference, Release 12.2 for more information on forming regular expressions.) To use this method, define an autonomous system path access list, and apply it to updates to and from particular neighbors.
  • Page 876: Configuring Bgp Community Filtering

    You do not need to specify a sequence number when removing a configuration entry. Show commands include the sequence numbers in their output. Before using a prefix list in a command, you must set up the prefix list. Beginning in privileged EXEC mode, follow these steps to create a prefix list or to add an entry to a prefix list: Command Purpose...
  • Page 877: Configuring Bgp Neighbors And Peer Groups

    (Optional) Display and parse BGP communities in the format AA:NN. A BGP community is displayed in a two-part format 2 bytes long. The Cisco default community format is in the format NNAA. In the most recent RFC for BGP, a community takes the form AA:NN, where the first part is the AS number and the second part is a 2-byte number.
  • Page 878 To configure a BGP peer group, you create the peer group, assign options to the peer group, and add neighbors as peer group members. You configure the peer group by using the neighbor router configuration commands.
  • Page 879: Configuring Aggregate Addresses

    Command Purpose Step 15 neighbor {ip-address | peer-group-name} password string (Optional) Set MD5 authentication on a TCP connection to a BGP peer. The same password must be configured on both BGP peers, or the connection between them is not made. Step 16 neighbor {ip-address | peer-group-name} (Optional) Apply a route map to incoming or outgoing routes.
  • Page 880: Configuring Routing Domain Confederations

    Beginning in privileged EXEC mode, use these commands to create an aggregate address in the routing table: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router bgp autonomous-system Enter BGP router configuration mode.
  • Page 881: Configuring Bgp Route Reflectors

    Beginning in privileged EXEC mode, use these commands to configure a BGP confederation: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router bgp autonomous-system Enter BGP router configuration mode. Step 3 bgp confederation identifier autonomous-system Configure a BGP confederation identifier.
  • Page 882: Configuring Route Dampening

    Beginning in privileged EXEC mode, use these commands to configure a route reflector and clients: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router bgp autonomous-system Enter BGP router configuration mode. Step 3 neighbor ip-address | peer-group-name Configure the local router as a BGP route reflector and the...
  • Page 883: Monitoring And Maintaining Bgp

    Table 35-8 lists the privileged EXEC commands for clearing and displaying BGP. For explanations of the display fields, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. Table 35-11 IP BGP Clear and Show Commands...
  • Page 884: Configuring Multi-Vrf Ce

    Note The switch does not use Multiprotocol Label Switching (MPLS) to support VPNs. For information about MPLS VRF, refer to the Cisco IOS Switching Services Configuration Guide, Release 12.2. These sections contain this information: • Understanding Multi-VRF CE, page 35-65 ...
  • Page 885: Understanding Multi-Vrf Ce

    Understanding Multi-VRF CE Multi-VRF CE is a feature that allows a service provider to support two or more VPNs, where IP addresses can be overlapped among the VPNs. Multi-VRF CE uses input interfaces to distinguish routes for different VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF.
  • Page 886 Figure 35-6 Catalyst 3750 Switches Acting as Multiple Virtual CEs (CE = customer-edge device, PE = provider-edge device) When the CE switch receives a command to add a Layer 3 interface to a VRF, it sets up the appropriate mapping between the VLAN ID and the policy label (PL) in multi-VRF-CE-related data structures and adds the VLAN ID and PL to the VLAN database.
  • Page 887: Default Multi-Vrf Ce Configuration

    • VPN forwarding—transports all traffic between all VPN community members across a VPN service-provider network. Default Multi-VRF CE Configuration Table 35-12 shows the default VRF configuration. Table 35-12 Default VRF Configuration Feature Default Setting Disabled.
  • Page 888: Configuring Vrfs

    Beginning in privileged EXEC mode, follow these steps to configure one or more VRFs. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2. Command...
  • Page 889: Configuring A Vpn Routing Session

    Use the no ip vrf vrf-name global configuration command to delete a VRF and to remove all interfaces from it. Use the no ip vrf forwarding interface configuration command to remove an interface from the VRF.
  • Page 890: Multi-Vrf Ce Configuration Example

    Command Purpose Step 6 address-family ipv4 vrf vrf-name Define BGP parameters for PE to CE routing sessions, and enter VRF address-family mode. Step 7 neighbor address remote-as as-number Define a BGP session between PE and CE routers. Step 8 neighbor address activate Activate the advertisement of the IPv4 address family.
  • Page 891 Configuring Switch A On Switch A, enable routing and configure VRF. Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# ip routing Switch(config)# ip vrf v11 Switch(config-vrf)# rd 800:1 Switch(config-vrf)# route-target export 800:1 Switch(config-vrf)# route-target import 800:1 Switch(config-vrf)# exit...
  • Page 892 Switch(config-if)# ip vrf forwarding v12 Switch(config-if)# ip address 118.0.0.8 255.255.255.0 Switch(config-if)# exit Switch(config)# interface vlan208 Switch(config-if)# ip vrf forwarding v11 Switch(config-if)# ip address 208.0.0.8 255.255.255.0 Switch(config-if)# exit Configure OSPF routing in VPN1 and VPN2. Switch(config)# router ospf 1 vrf vl1 Switch(config-router)# redistribute bgp 800 subnets Switch(config-router)# network 208.0.0.0 0.0.0.255 area 0...
  • Page 893 Switch(config-router)# address-family ipv4 vrf vl1 Switch(config-router-af)# redistribute ospf 1 match internal Switch(config-router-af)# neighbor 38.0.0.3 remote-as 100 Switch(config-router-af)# neighbor 38.0.0.3 activate Switch(config-router-af)# network 8.8.1.0 mask 255.255.255.0 Switch(config-router-af)# end Configuring Switch D Switch D belongs to VPN 1. Configure the connection to Switch A by using these commands. Switch# configure terminal Enter configuration commands, one per line.
  • Page 894: Displaying Multi-Vrf Ce Status

    [brief | detail | interfaces] [vrf-name] Display information about the defined VRF instances. For more information about the information in the displays, refer to the Cisco IOS Switching Services Command Reference, Release 12.2.
  • Page 895: Configuring Protocol-Independent Features

    RIP. For a complete description of the IP routing protocol-independent commands in this chapter, see the “IP Routing Protocol-Independent Commands” chapter of the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. These sections contain this configuration information: • Configuring Distributed Cisco Express Forwarding, page 35-75 ...
  • Page 896: Configuring The Number Of Equal-Cost Routing Paths

    detail privileged EXEC command can be useful to debug software-forwarded traffic. To enable CEF on an interface for the software-forwarding path, use the ip route-cache cef interface configuration command. Caution Although the no ip route-cache cef interface configuration command to disable CEF on an interface is visible in the CLI, we strongly recommend that you do not disable dCEF on interfaces except for debugging purposes.
  • Page 897: Configuring Static Unicast Routes

    Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router {bgp | rip | ospf | eigrp} Enter router configuration mode. Step 3 maximum-paths maximum Set the maximum number of parallel paths for the protocol routing table.
  • Page 898: Specifying Default Routes And Networks

    Table 35-14 Dynamic Routing Protocol Default Administrative Distances (continued) Route Source Default Distance External BGP Internal Enhanced IGRP IGRP OSPF Internal BGP Unknown Static routes that point to an interface are advertised through RIP, IGRP, and other dynamic routing protocols, whether or not static redistribute router configuration commands were specified for those routing protocols.
  • Page 899: Using Route Maps To Redistribute Routing Information

    The system periodically scans its routing table to choose the optimal default network as its default route. In IGRP networks, there might be several candidate networks for the system default. Cisco routers use administrative distance and metric information to set the default route or the gateway of last resort.
  • Page 900 Beginning in privileged EXEC mode, follow these steps to configure a route map for redistribution: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 route-map map-tag [permit | deny] [sequence number] Define any route maps used to control redistribution and enter route-map configuration mode.
  • Page 901 Command Purpose Step 14 set origin {igp | egp as | incomplete} Set the BGP origin code. Step 15 set as-path {tag | prepend as-path-string} Modify the BGP autonomous system path. Step 16 set level {level-1 | level-2 | level-1-2 | stub-area | Set the level for routes that are advertised into the...
  • Page 902: Configuring Policy-Based Routing

    Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router {bgp | rip | ospf | eigrp} Enter router configuration mode. Step 3 redistribute protocol [process-id] {level-1 | level-1-2 | level-2} [metric metric-value] [metric-type type-value] Redistribute routes from one routing protocol to another routing protocol.
  • Page 903: Pbr Configuration Guidelines

    For details about PBR commands and keywords, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of PBR commands that are visible but not supported by the switch, see Appendix D, “Unsupported Commands in Cisco IOS Release 12.2(35)SE,”...
  • Page 904: Enabling Pbr

    • Policy maps with no valid set actions or with set action set to Don’t Fragment are not supported. • Beginning with Cisco IOS Release 12.2(35)SE, the switch supports quality of service (QoS) DSCP and IP precedence matching in PBR route maps with these limitations: –...
  • Page 905 Beginning in privileged EXEC mode, follow these steps to configure PBR: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 route-map map-tag [permit] [sequence number] Define any route maps used to control where packets are output, and enter route-map configuration mode.
  • Page 906: Filtering Routing Information

    Command Purpose Step 11 end Return to privileged EXEC mode. Step 12 show route-map [map-name] (Optional) Display all route maps configured or only the one specified to verify configuration. Step 13 show ip policy (Optional) Display policy route maps attached to interfaces.
  • Page 907: Controlling Advertising And Processing In Routing Updates

    Command Purpose Step 7 end Return to privileged EXEC mode. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. Use a network monitoring privileged EXEC command such as show ip ospf interface to verify the interfaces that you enabled as passive, or use the show ip interface privileged EXEC command to verify the interfaces that you enabled as active.
  • Page 908: Managing Authentication Keys

    router to intelligently discriminate between sources of routing information. The router always picks the route whose routing protocol has the lowest administrative distance. Table 35-14 on page 35-77 shows the default administrative distances for various routing information sources. Because each network has its own requirements, there are no general guidelines for assigning administrative distances.
  • Page 909: Monitoring And Maintaining The Ip Network

    Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 key chain name-of-chain Identify a key chain, and enter key chain configuration mode. Step 3 key number Identify the key number.
  • Page 910 Table 35-15 Commands to Clear IP Routes or Display Route Status Command Purpose show ip cache Display the routing table used to switch IP traffic. show route-map [map-name] Display all route maps configured or only the one specified.
  • Page 911: Understanding Ipv6

    Note Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS documentation referenced in the procedures. This chapter consists of these sections: •...
  • Page 912: Chapter 36 Configuring IPv6 Unicast Routing

    • Routing optimized for mobile devices • Duplicate Address Detection (DAD) feature For information about how Cisco Systems implements IPv6, go to this URL: http://www.cisco.com//warp/public/732/Tech/ipv6/ This section describes IPv6 implementation on the switch. These sections are included: • IPv6 Addresses, page 36-2 ...
  • Page 913: Supported Ipv6 Unicast Routing Features

    Chapter 36 Configuring IPv6 Unicast Routing Understanding IPv6 In the “Information About Implementing Basic Connectivity for IPv6” section, these sections apply to the Catalyst 3750 switch: • IPv6 Address Formats • IPv6 Address Type: Unicast • IPv6 Address Output Display • Simplified IPv6 Packet Header •...
  • Page 914: Dns For Ipv6

    See the section on IPv6 Unicast Addresses in the “Implementing Basic Connectivity for IPv6” chapter in the Cisco IOS IPv6 Configuration Library at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ipv6_vgf.htm Each IPv6 host interface can support up to three addresses in hardware (one aggregatable global unicast address, one link-local unicast address, and zero or more privacy addresses).
  • Page 915: Ipv6 Stateless Autoconfiguration And Duplicate Address Detection

    • Cisco Discovery Protocol (CDP) support for IPv6 addresses For more information about managing these applications with Cisco IOS, see the “Managing Cisco IOS Applications over IPv6” section in the Cisco IOS IPv6 Configuration Library at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_c/sa_mgev6.htm...
  • Page 916: Dual Ipv4 And Ipv6 Protocol Stacks

    New and upgraded applications can use both IPv4 and IPv6 protocol stacks. The Cisco IOS software supports the dual IPv4 and IPv6 protocol stack technique. When both IPv4 and IPv6 routing are enabled and an interface is configured with both an IPv4 and IPv6 address, the interface forwards both IPv4 and IPv6 traffic.
  • Page 917: Ipv6 And Switch Stacks

    • IPv6 unicast reverse-path forwarding • IPv6 general prefixes Limitations Because IPv6 is implemented in hardware in the switch, some limitations occur due to the use of IPv6 compressed addresses in the TCAM. These hardware limitations result in some loss of functionality and limit some features.
  • Page 918: Sdm Templates

    If a new switch becomes the stack master, the new master recomputes the IPv6 routing tables and distributes them to the member switches. While the new stack master is elected and is resetting, the switch stack does not forward IPv6 packets.
  • Page 919: Dual Ipv4-And Ipv6 Sdm Templates

    Note Aggregator templates are only supported on Catalyst 3750-12S switches. All other Catalyst 3750 switches support only the desktop templates. You can select SDM templates to support IP Version 6 (IPv6). The dual desktop and aggregator IPv4 and IPv6 templates allow the switch to be used in dual stack environments (supporting both IPv4 and IPv6).
  • Page 920: Configuring Ipv6

    Chapter 36 Configuring IPv6 Unicast Routing Configuring IPv6 Table 36-1 defines the approximate feature resources allocated by each new template. Template estimations are based on a switch with eight routed interfaces and approximately one thousand VLANs. Table 36-1 Approximate Feature Resources Allowed by Dual IPv4-IPv6 Templates Desktop Desktop Desktop...
  • Page 921: Default Ipv6 Configuration

    Before configuring IPv6 on the switch, be sure to select a dual IPv4 and IPv6 SDM template. Note For more information about configuring IPv6 routing, see the “Implementing Basic Connectivity for IPv6” chapter in the Cisco IOS IPv6 Configuration Library at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ipv6_vgf.htm Note Not all features discussed in this chapter are supported by the Catalyst 3750 switch.
  • Page 922 Beginning in privileged EXEC mode, follow these steps to assign an IPv6 address to a Layer 3 interface and enable IPv6 routing: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 sdm prefer dual-ipv4-and-ipv6 {default | Select an SDM template that supports IPv4 and IPv6.
  • Page 923: Configuring Ipv4 And Ipv6 Protocol Stacks

    To remove an IPv6 address from an interface, use the no ipv6 address ipv6-prefix/prefix length eui-64 or no ipv6 address ipv6-address link-local interface configuration command. To remove all manually configured IPv6 addresses from an interface, use the no ipv6 address interface configuration command without arguments.
  • Page 924 Command Purpose Step 3 ipv6 unicast-routing Enable forwarding of IPv6 data packets on the switch. Step 4 interface interface-id Enter interface configuration mode, and specify the Layer 3 interface to configure. Step 5 no switchport Remove the interface from Layer 2 configuration mode (if it is a physical interface).
  • Page 925: Configuring Ipv6 Icmp Rate Limiting

    Switch(config)#ipv6 icmp error-interval 50 20 Configuring CEF and dCEF for IPv6 Cisco Express Forwarding (CEF) is a Layer 3 IP switching technology used to optimize network performance. CEF implements an advanced IP look-up and forwarding algorithm to deliver maximum Layer 3 switching performance. It is less CPU-intensive than fast-switching route-caching, allowing more CPU processing power to be dedicated to packet forwarding.
  • Page 926: Configuring Static Routing For Ipv6

    To disable IPv6 CEF or distributed CEF, use the no ipv6 cef or no ipv6 cef distributed global configuration command. To reenable IPv6 CEF or dCEF if it has been disabled, use the ipv6 cef or ipv6 cef distributed global configuration command.
  • Page 927 Beginning in privileged EXEC mode, follow these steps to configure an IPv6 static route: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ipv6 route ipv6-prefix/prefix length {ipv6-address | interface-id [ipv6-address]} Configure a static IPv6 route. • ipv6-prefix—The IPv6 network that is the destination of the...
  • Page 928: Configuring Rip For Ipv6

    130: Switch(config)# ipv6 route 2001:0DB8::/32 gigabitethernet2/0/1 130 For more information about configuring static IPv6 routing, see the “Implementing Static Routes for IPv6” chapter in the Cisco IOS IPv6 Configuration Library at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ipv6_vgf.htm Configuring RIP for IPv6 Routing Information Protocol (RIP) for IPv6 is a distance-vector protocol that uses hop count as a routing metric.
  • Page 929 RIP routing process for an interface, use the no ipv6 rip name interface configuration command. This example shows how to enable the RIP routing process cisco, with a maximum of eight equal-cost routes and enable it on an interface:...
  • Page 930: Configuring Ospf For Ipv6

    Configuring OSPF for IPv6 Open Shortest Path First (OSPF) is a link-state protocol for IP, which means that routing decisions are based on the states of the links that connect the source and destination devices. The state of a link is a description of the interface and its relationship to its neighboring networking devices.
  • Page 931 Beginning in privileged EXEC mode, follow these required and optional steps to configure IPv6 OSPF: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ipv6 router ospf process-id Enable OSPF router configuration mode for the process. The process ID is the number assigned administratively when enabling the OSPF for IPv6 routing process.
  • Page 932: Displaying Ipv6

    To disable the OSPF routing process for an interface, use the no ipv6 ospf process-id area area-id interface configuration command. For more information about configuring OSPF routing for IPv6, see the “Implementing OSPF for IPv6” chapter in the Cisco IOS IPv6 Configuration Library at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ipv6_vgf.htm Displaying IPv6 Table 36-3 shows the privileged EXEC commands for monitoring IPv6 on the switch.
  • Page 933 Chapter 36 Configuring IPv6 Unicast Routing Displaying IPv6 This is an example of the output from the show ipv6 cef privileged EXEC command: Switch# show ipv6 cef ::/0 nexthop 3FFE:C000:0:7::777 Vlan7 3FFE:C000:0:1::/64 attached to Vlan1 3FFE:C000:0:1:20B:46FF:FE2F:D940/128 receive 3FFE:C000:0:7::/64 attached to Vlan7 3FFE:C000:0:7::777/128 attached to Vlan7 3FFE:C000:0:7:20B:46FF:FE2F:D97F/128...
  • Page 934 This is an example of the output from the show ipv6 neighbor privileged EXEC command: Switch# show ipv6 neighbors IPv6 Address Age Link-layer Addr State Interface 3FFE:C000:0:7::777 - 0007.0007.0007 REACH Vl7 3FFE:C101:113:1::33 - 0000.0000.0033 REACH Fa1/0/13 This is an example of the output from the show ipv6 static privileged EXEC command:...
  • Page 935 ICMP statistics: Rcvd: 1 input, 0 checksum errors, 0 too short 0 unknown info type, 0 unknown error type unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port parameter: 0 error, 0 header, 0 option 0 hopcount expired, 0 reassembly timeout,0 too big 0 echo request, 0 echo reply 0 group query, 0 group report, 0 group reduce...
  • Page 937: Understanding Mld Snooping

    36, “Configuring IPv6 Unicast Routing.” Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release or the Cisco IOS documentation referenced in the procedures. This chapter includes these sections: •...
  • Page 938: Chapter 37 Configuring Ipv6 Mld Snooping

    Chapter 37 Configuring IPv6 MLD Snooping Understanding MLD Snooping MLD is a protocol used by IPv6 multicast routers to discover the presence of multicast listeners (nodes wishing to receive IPv6 multicast packets) on their directly attached links and to discover which multicast packets are of interest to neighboring nodes.
  • Page 939: Mld Queries

    MLD Queries The switch sends out MLD queries, constructs an IPv6 multicast address database, and generates MLD group-specific and MLD group-and-source-specific queries in response to MLD Done messages. The switch also supports report suppression, report proxying, Immediate-Leave functionality, and static IPv6 multicast MAC-address configuration.
  • Page 940: Mld Reports

    • Received IPv6 multicast router control packets are always flooded to the ingress VLAN, whether or not MLD snooping is enabled on the switch. • After the discovery of the first IPv6 multicast router port, unknown IPv6 multicast data is forwarded...
  • Page 941: Topology Change Notification Processing

    Chapter 37 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping Topology Change Notification Processing When topology change notification (TCN) solicitation is enabled by using the ipv6 mld snooping tcn query solicit global configuration command, MLDv1 snooping sets the VLAN to flood all IPv6 multicast traffic with a configured number of MLDv1 queries before it begins sending multicast data only to selected ports.
  • Page 942: Mld Snooping Configuration Guidelines

    Table 37-1 Default MLD Snooping Configuration (continued) Feature Default Setting IPv6 Multicast addresses None configured. IPv6 Multicast router ports None configured. MLD snooping Immediate Leave Disabled. MLD snooping robustness variable Global: 2;...
  • Page 943 You can enable and disable MLD snooping on a per-VLAN basis or for a range of VLANs, but if you globally disable MLD snooping, it is disabled in all VLANs. If global snooping is enabled, you can enable or disable VLAN snooping.
  • Page 944: Configuring A Static Multicast Group

    Configuring a Static Multicast Group Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure an IPv6 multicast address and member ports for a VLAN. Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group: Command...
  • Page 945: Enabling Mld Immediate Leave

    Beginning in privileged EXEC mode, follow these steps to add a multicast router port to a VLAN: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ipv6 mld snooping vlan vlan-id mrouter interface interface-id Specify the multicast router VLAN ID, and specify the interface to the multicast router.
  • Page 946: Configuring Mld Snooping Queries

    Configuring MLD Snooping Queries When Immediate Leave is not enabled and a port receives an MLD Done message, the switch generates MASQs on the port and sends them to the IPv6 multicast address for which the Done message was sent. You can optionally configure the number of MASQs that are sent and the length of time the switch waits for a response before deleting the port from the multicast group.
  • Page 947: Disabling Mld Listener Message Suppression

    Chapter 37 Configuring IPv6 MLD Snooping Displaying MLD Snooping Information This example shows how to set the MLD snooping global robustness variable to 3: Switch# configure terminal Switch(config)# ipv6 mld snooping robustness-variable 3 Switch(config)# exit This example shows how to set the MLD snooping last-listener query count for a VLAN to 3: Switch# configure terminal Switch(config)# ipv6 mld snooping vlan 200 last-listener-query-count 3 Switch(config)# exit...
  • Page 948 Table 37-2 Commands for Displaying MLD Snooping Information Command Purpose show ipv6 mld snooping [vlan vlan-id] Display the MLD snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.
  • Page 949: Understanding Ipv6 Acls

    (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces similarly to the way that you create and apply IP version 4 (IPv4) named ACLs. Beginning with Cisco IOS Release 12.2(35)SE, you can also create and apply input router ACLs to filter Layer 3 management traffic when the IP services or IP base image is installed.
  • Page 950: Chapter 38 Configuring Ipv6 Acl

    Chapter 38 Configuring IPv6 ACLs Understanding IPv6 ACLs • IPv6 port ACLs are supported on inbound traffic on Layer 2 interfaces only. IPv6 port ACLs are applied to all IPv6 packets entering the interface. • A switch stack running the IP services or IP base image supports only input router IPv6 ACLs. It does not support port ACLs or output IPv6 router ACLs.
  • Page 951: Ipv6 Acl Limitations

    Output router ACLs and input port ACLs for IPv6 are supported only on switch stacks that are running the advanced IP services image. Beginning with Cisco IOS Release 12.2(35)SE, switches running the IP services or IP base image support input router ACLs for IPv6 management traffic.
  • Page 952: Configuring Ipv6 Acls

    Chapter 38 Configuring IPv6 ACLs Configuring IPv6 ACLs Configuring IPv6 ACLs Before configuring IPv6 ACLs, you must select one of the dual IPv4 and IPv6 SDM templates. To filter IPv6 traffic, you perform these steps: Create an IPv6 ACL, and enter IPv6 access list configuration mode. Step 1 Configure the IPv6 ACL to block (deny) or pass (permit) traffic.
  • Page 953: Creating Ipv6 Acls

    Creating IPv6 ACLs Beginning in privileged EXEC mode, follow these steps to create an IPv6 ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ipv6 access-list access-list-name Define an IPv6 access list name, and enter IPv6 access-list configuration mode. Step 3a deny | permit protocol Enter deny or permit to specify whether to deny or permit the packet if...
  • Page 954 Command Purpose Step 3b deny | permit tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] (Optional) Define a TCP access list and the access conditions. Enter tcp for Transmission Control Protocol. The parameters are the same as those described in Step 3a, with these additional optional parameters: ack—Acknowledgment bit set.
  • Page 955: Applying An Ipv6 Acl To An Interface

    This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000.
  • Page 956: Displaying Ipv6 Acls

    Use the no ipv6 traffic-filter access-list-name interface configuration command to remove an access list from an interface. This example shows how to apply the access list Cisco to outbound traffic on a Layer 3 interface: Switch(config)# interface gigabitethernet 1/0/3 Switch(config-if)# no switchport...
  • Page 957: Understanding Hsrp

    Note For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2. This chapter consists of these sections: •...
  • Page 958: C H A P T E R 39 Configuring Hsrp And Enhanced Object Tracking

    Chapter 39 Configuring HSRP and Enhanced Object Tracking Understanding HSRP Note Routers in an HSRP group can be any router interface that supports HSRP, including Catalyst 3750 routed ports and switch virtual interfaces (SVIs). HSRP provides high network availability by providing redundancy for IP traffic from hosts on networks. In a group of router interfaces, the active router is the router of choice for routing packets;...
  • Page 959: Multiple Hsrp

    Multiple HSRP Cisco IOS Release 12.2(18)SE and above supports Multiple HSRP (MHSRP), an extension of HSRP that allows load sharing between two or more HSRP groups. You can configure MHSRP to achieve load balancing and to use two or more standby groups (and paths) from a host network to a server network.
  • Page 960: Hsrp And Switch Stacks

    Chapter 39 Configuring HSRP and Enhanced Object Tracking Configuring HSRP Figure 39-2 MHSRP Load Sharing (figure: Router A, 10.0.0.1, and Router B, 10.0.0.2; each router is the active router for one HSRP group and the standby router for the other; hosts Client 1 and Client 2)...
  • Page 961: Default Hsrp Configuration

    Default HSRP Configuration Table 39-1 shows the default HSRP configuration. Table 39-1 Default HSRP Configuration Feature Default Setting HSRP groups None configured Standby group number Standby MAC address System assigned as: 0000.0c07.acXX, where XX is the HSRP group number Standby priority Standby delay...
  • Page 962: Configuring Hsrp Priority

    Beginning in privileged EXEC mode, follow these steps to create or enable HSRP on a Layer 3 interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and enter the Layer 3 interface on which you want to enable HSRP.
  • Page 963 When configuring HSRP priority, follow these guidelines: • Assigning priority helps select the active and standby routers. If preemption is enabled, the router with the highest priority becomes the designated active router. If priorities are equal, the primary IP addresses are compared, and the higher IP address has priority.
  • Page 964 Command Purpose Step 4 standby [group-number] [priority priority] preempt [delay delay] Configure the router to preempt, which means that when the local router has a higher priority than the active router, it assumes control as the active router. • (Optional) group-number—The group number to which the command...
  • Page 965: Configuring Mhsrp

    Configuring MHSRP To enable MHSRP and load balancing, you configure two routers as active routers for their groups, with virtual routers as standby routers. This example shows how to enable the MHSRP configuration shown in Figure 39-2.
  • Page 966 [group-number] authentication string (Optional) authentication string—Enter a string to be carried in all HSRP messages. The authentication string can be up to eight characters in length; the default string is cisco. (Optional) group-number—The group number to which the command applies.
  • Page 967: Enabling Hsrp Support For Icmp Redirect Messages

    HSRP group. If a host is redirected by ICMP to the real MAC address of a router and that router later fails, packets from the host will be lost. In Cisco IOS Release 12.2(18)SE and later, ICMP redirect messages are automatically enabled on interfaces configured with HSRP. This feature filters outgoing ICMP redirect messages through HSRP, in which the next hop IP address might be changed to an HSRP virtual IP address.
  • Page 968: Configuring Enhanced Object Tracking

    For more information about enhanced object tracking and the commands used to configure it, see this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541be.html Understanding Enhanced Object Tracking Each tracked object has a unique number that is specified on the tracking command-line interface (CLI).
  • Page 969: Configuring Enhanced Object Tracking Features

    Chapter 39 Configuring HSRP and Enhanced Object Tracking Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features These sections describe configuring enhanced object tracking: • Tracking Interface Line-Protocol or IP Routing State, page 39-13 • Configuring a Tracked List, page 39-14 •...
  • Page 970: Configuring A Tracked List

    This example configures the tracking of an interface line-protocol state and verifies the configuration: Switch(config)# track 33 interface gigabitethernet 1/0/1 line-protocol Switch(config-track)# end Switch# show track 33 Track 33 Interface GigabitEthernet0/1 line-protocol Line protocol is Down (hw down) 1 change, last change 00:18:28...
  • Page 971 Command Purpose Step 4 delay {up seconds [down seconds] | [up seconds] down seconds} (Optional) Specify a period of time in seconds to delay communicating state changes of a tracked object. The range is from 1 to 180 seconds. Step 5 Return to privileged EXEC mode.
  • Page 972 Use the no track track-number global configuration command to delete the tracked list. The example configures track list 4 to track by weight threshold. If object 1 and object 2 are down, then track list 4 is up, because object 3 satisfies the up threshold value of up 30.
  • Page 973: Configuring Hsrp Object Tracking

    This example configures tracked list 4 with three objects and specified percentages to measure the state of the list: Switch(config)# track 4 list threshold percentage Switch(config-track)# object 1 Switch(config-track)# object 2 Switch(config-track)# object 3 Switch(config-track)# threshold percentage up 51 down 10...
  • Page 974: Configuring Other Tracking Characteristics

    Use the show track privileged EXEC command to verify enhanced object tracking configuration. For more information about enhanced object tracking and the commands used to configure it, see this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541be.html
  • Page 975: Configuring Ip Multicast Routing

    [EMI]). Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2.
  • Page 976: C H A P T E R 40 Configuring Ip Multicast Routing

    • Distance Vector Multicast Routing Protocol (DVMRP) is used on the multicast backbone of the Internet (MBONE). The software supports PIM-to-DVMRP interaction. • Cisco Group Management Protocol (CGMP) is used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP.
  • Page 977: Understanding Igmp

    Chapter 40 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing Understanding IGMP To participate in IP multicasting, multicast hosts, routers, and multilayer switches must have IGMP operating. This protocol defines the querier and host roles: • A querier is a network device that sends query messages to discover which network devices are...
  • Page 978: Understanding Pim

    Understanding PIM PIM is called protocol-independent: regardless of the unicast routing protocols used to populate the unicast routing table, PIM uses this information to perform multicast forwarding instead of maintaining a separate multicast routing table.
  • Page 979: Auto-Rp

    This proprietary feature eliminates the need to manually configure the RP information in every router and multilayer switch in the network. For Auto-RP to work, you configure a Cisco router or multilayer switch as the mapping agent. It uses IP multicast to learn which routers or switches in the network are possible candidate RPs to receive candidate RP announcements.
  • Page 980: Multicast Forwarding And Reverse Path Check

    The BSR is elected from a set of candidate routers and switches in the domain that have been configured to function as BSRs. The election mechanism is similar to the root-bridge election mechanism used in bridged LANs.
  • Page 981: Understanding Dvmrp

    This protocol has been deployed in the MBONE and in other intradomain multicast networks. Cisco routers and multilayer switches run PIM and can forward multicast packets to and receive from a DVMRP neighbor. It is also possible to propagate DVMRP routes into and through a PIM cloud. The software propagates DVMRP routes and builds a separate database for these routes on each router and multilayer switch, but PIM uses this routing information to make the packet-forwarding decision.
  • Page 982: Understanding Cgmp

    The switch serves as a CGMP server for devices that do not support IGMP snooping but have CGMP-client functionality. CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. CGMP permits Layer 2 group membership information to be communicated from the CGMP server to the switch.
  • Page 983: Configuring Ip Multicast Routing

    (required if the interface is in sparse-dense mode, and you want to treat the group as a sparse group) • Using Auto-RP and a BSR, page 40-23 (required for non-Cisco PIMv2 devices to interoperate with Cisco PIM v1 devices) •...
  • Page 984: Pimv1 And Pimv2 Interoperability

    If you have a network that includes non-Cisco routers, configure the Auto-RP mapping agent and the BSR on a Cisco PIMv2 router or multilayer switch. Ensure that no PIMv1 device is on the path between the BSR and a non-Cisco PIMv2 router.
  • Page 985: Configuring Basic Multicast Routing

    Chapter 40 Configuring IP Multicast Routing Configuring IP Multicast Routing • If you have non-Cisco PIMv2 routers that need to interoperate with Cisco PIMv1 routers and multilayer switches, both Auto-RP and a BSR are required. We recommend that a Cisco PIMv2 device be both the Auto-RP mapping agent and the BSR.
  • Page 986: Configuring A Rendezvous Point

    You can use several methods, as described in these sections: • Manually Assigning an RP to Multicast Groups, page 40-13 • Configuring Auto-RP, page 40-14 (a standalone, Cisco-proprietary protocol separate from PIMv1) • Configuring PIMv2 BSR, page 40-19 (a standards track protocol in the Internet Engineering Task...
  • Page 987: Manually Assigning An Rp To Multicast Groups

    You can use Auto-RP, BSR, or a combination of both, depending on the PIM version you are running and the types of routers in your network. For more information, see the “PIMv1 and PIMv2 Interoperability”...
  • Page 988: Configuring Auto-Rp

    Switch(config)# access-list 1 permit 225.2.2.2 0.0.0.0 Switch(config)# ip pim rp-address 147.106.6.22 1 Configuring Auto-RP Auto-RP uses IP multicast to automate the distribution of group-to-RP mappings to all Cisco routers and multilayer switches in a PIM network. It has these benefits: •...
  • Page 989 • Setting up Auto-RP in a New Internetwork, page 40-15 (optional) • Adding Auto-RP to an Existing Sparse-Mode Cloud, page 40-15 (optional) • Preventing Join Messages to False RPs, page 40-16 (optional) •...
  • Page 990 Command Purpose Step 4 access-list access-list-number {deny | permit} source [source-wildcard] Create a standard access list, repeating the command as many times as necessary. • For access-list-number, enter the access list number specified in...
  • Page 991 To accept all RPs advertised with Auto-RP and reject all other RPs by default, use the ip pim accept-rp auto-rp global configuration command. This procedure is optional. If all interfaces are in sparse mode, use a default-configured RP to support the two well-known groups 224.0.1.39 and 224.0.1.40.
  • Page 992 Command Purpose Step 3 access-list access-list-number {deny | permit} source [source-wildcard] Create a standard access list, repeating the command as many times as necessary. • For access-list-number, enter the access list number specified in...
  • Page 993: Configuring Pimv2 Bsr

    Configuring PIMv2 BSR These sections describe how to set up BSR in your PIMv2 network: • Defining the PIM Domain Border, page 40-19 (optional) • Defining the IP Multicast Boundary, page 40-20 (optional) •...
  • Page 994 Figure 40-3 Constraining PIMv2 BSR Messages [figure: PIMv2 sparse-mode network; labels "Configure the ip pim bsr-border command on this interface", "messages", "Neighboring Layer 3"...]
  • Page 995 This example shows a portion of an IP multicast boundary configuration that denies Auto-RP information: Switch(config)# access-list 1 deny 224.0.1.39 Switch(config)# access-list 1 deny 224.0.1.40 Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# ip multicast boundary 1 Configuring Candidate BSRs You can configure one or more candidate BSRs.
  • Page 996 IP multicast address space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR. When deciding which devices should be RPs, consider these options: In a network of Cisco routers and multilayer switches where only Auto-RP is used, any device can •...
  • Page 997: Using Auto-Rp And A Bsr

    Switch(config)# access-list 4 permit 239.0.0.0 0.255.255.255 Using Auto-RP and a BSR If there are only Cisco devices in your network (no routers from other vendors), there is no need to configure a BSR. Configure Auto-RP in a network that is running both PIMv1 and PIMv2.
  • Page 998: Monitoring The Rp Mapping Information

    Chapter 40 Configuring IP Multicast Routing Configuring Advanced PIM Features Monitoring the RP Mapping Information To monitor the RP mapping information, use these commands in privileged EXEC mode: • show ip pim bsr displays information about the elected BSR. • show ip pim rp-hash group displays the RP that was selected for the specified group. •...
  • Page 999 Figure 40-4 Shared Tree and Source Tree (Shortest-Path Tree) [figure: Source, Router A, Router B, Router C, Receiver; source tree (shortest path tree) and shared tree from the RP] If the data rate warrants, leaf routers (routers without any downstream connections) on the shared tree can use the data distribution tree rooted at the source.
  • Page 1000: Delaying The Use Of Pim Shortest-Path Tree

    Delaying the Use of PIM Shortest-Path Tree The change from shared to source tree happens when the first data packet arrives at the last-hop router (Router C in Figure 40-4). This change occurs because the ip pim spt-threshold global configuration command controls that timing.