Cisco IE 3000 Switch
Software Configuration Guide
Cisco IOS Release 12.2(44)EX
June 2008
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-13018-01

Summary of Contents for Cisco IE 3000

  • Page 2 OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
  • Page 3: Table Of Contents

    Where to Go Next 1-19 Using the Command-Line Interface C H A P T E R Understanding Command Modes Understanding the Help System Understanding Abbreviated Commands Understanding no and default Forms of Commands Cisco IE 3000 Switch Software Configuration Guide OL-13018-01...
  • Page 4 Setting the FCS Error Hysteresis Threshold Configuring Alarm Profiles Creating or Modifying an Alarm Profile 3-10 Attaching an Alarm Profile to a Specific Port 3-11 Enabling SNMP Traps 3-11 Displaying IE 3000 Switch Alarms Status 3-12 Cisco IE 3000 Switch Software Configuration Guide OL-13018-01...
  • Page 5 Configuring a Scheduled Reload 4-20 Displaying Scheduled Reload Information 4-21 Configuring Cisco IOS CNS Agents C H A P T E R Understanding Cisco Configuration Engine Software Configuration Service Event Service NameSpace Mapper Cisco IE 3000 Switch Software Configuration Guide OL-13018-01...
  • Page 6 6-10 Other Considerations for Cluster Standby Groups 6-10 Automatic Recovery of Cluster Configuration 6-11 IP Addresses 6-12 Hostnames 6-12 Passwords 6-13 SNMP Community Strings 6-13 TACACS+ and RADIUS 6-13 LRE Profiles 6-14 Cisco IE 3000 Switch Software Configuration Guide OL-13018-01...
  • Page 7 Building the Address Table 7-20 MAC Addresses and VLANs 7-20 Default MAC Address Table Configuration 7-20 Changing the Address Aging Time 7-21 Removing Dynamic Address Entries 7-21 Configuring MAC Address Notification Traps 7-21 Cisco IE 3000 Switch Software Configuration Guide OL-13018-01...
  • Page 8 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 9-16 Starting TACACS+ Accounting 9-17 Displaying the TACACS+ Configuration 9-17 Controlling Switch Access with RADIUS 9-17 Understanding RADIUS 9-18 RADIUS Operation 9-19 Cisco IE 3000 Switch Software Configuration Guide viii OL-13018-01...
  • Page 9 Configuring the Switch for Secure Copy Protocol 9-44 Information About Secure Copy 9-44 Configuring IEEE 802.1x Port-Based Authentication 10-1 C H A P T E R Understanding IEEE 802.1x Port-Based Authentication 10-1 Device Roles 10-2 Authentication Process 10-3 Cisco IE 3000 Switch Software Configuration Guide OL-13018-01...
  • Page 10 Configuring IEEE 802.1x Accounting 10-30 Configuring a Guest VLAN 10-31 Configuring a Restricted VLAN 10-32 Configuring the Inaccessible Authentication Bypass Feature 10-34 Configuring IEEE 802.1x Authentication with WoL 10-36 Configuring MAC Authentication Bypass 10-37 Cisco IE 3000 Switch Software Configuration Guide OL-13018-01...
  • Page 11 Shutting Down and Restarting the Interface 11-20 Configuring Smartports Macros 12-1 C H A P T E R Understanding Smartports Macros 12-1 Configuring Smartports Macros 12-2 Default Smartports Macro Configuration 12-2 Smartports Macro Configuration Guidelines 12-3 Cisco IE 3000 Switch Software Configuration Guide OL-13018-01...
  • Page 12 Changing the Pruning-Eligible List 13-19 Configuring the Native VLAN for Untagged Traffic 13-19 Configuring Trunk Ports for Load Sharing 13-20 Load Sharing Using STP Port Priorities 13-20 Load Sharing Using STP Path Cost 13-22 Cisco IE 3000 Switch Software Configuration Guide OL-13018-01...
  • Page 13 Configuring a VTP Client 14-11 Disabling VTP (VTP Transparent Mode) 14-12 Enabling VTP Version 2 14-13 Enabling VTP Pruning 14-14 Adding a VTP Client Switch to a VTP Domain 14-14 Monitoring VTP 14-16 Cisco IE 3000 Switch Software Configuration Guide xiii OL-13018-01...
  • Page 14 Configuring Voice VLAN 15-3 Default Voice VLAN Configuration 15-3 Voice VLAN Configuration Guidelines 15-3 Configuring a Port Connected to a Cisco 7960 IP Phone 15-4 Configuring Cisco IP Phone Voice Traffic 15-5 Configuring the Priority of Incoming Data Frames 15-6...
  • Page 15 MSTP Configuration Guidelines 17-14 Specifying the MST Region Configuration and Enabling MSTP 17-15 Configuring the Root Switch 17-17 Configuring a Secondary Root Switch 17-18 Configuring Port Priority 17-19 Configuring Path Cost 17-20 Cisco IE 3000 Switch Software Configuration Guide OL-13018-01...
  • Page 16 Configuring Flex Links and the MAC Address-Table Move Update Feature 19-1 C H A P T E R Understanding Flex Links and the MAC Address-Table Move Update 19-1 Flex Links 19-1 VLAN Flex Link Load Balancing and Support 19-2 Cisco IE 3000 Switch Software Configuration Guide OL-13018-01...
  • Page 17 C H A P T E R Understanding IGMP Snooping 21-1 IGMP Versions 21-2 Joining a Multicast Group 21-3 Leaving a Multicast Group 21-5 Immediate Leave 21-5 IGMP Configurable-Leave Timer 21-5 IGMP Report Suppression 21-5 Cisco IE 3000 Switch Software Configuration Guide xvii OL-13018-01...
  • Page 18 C H A P T E R Configuring Storm Control 22-1 Understanding Storm Control 22-1 Default Storm Control Configuration 22-3 Configuring Storm Control and Threshold Levels 22-3 Configuring Small-Frame Arrival Rate 22-5 Cisco IE 3000 Switch Software Configuration Guide xviii OL-13018-01...
  • Page 19 Understanding CDP 24-1 Configuring CDP 24-2 Default CDP Configuration 24-2 Configuring the CDP Characteristics 24-2 Disabling and Enabling CDP 24-3 Disabling and Enabling CDP on an Interface 24-4 Monitoring and Maintaining CDP 24-4 Cisco IE 3000 Switch Software Configuration Guide OL-13018-01...
  • Page 20 Configuring a VLAN as an RSPAN VLAN 26-16 Creating an RSPAN Source Session 26-17 Creating an RSPAN Destination Session 26-19 Creating an RSPAN Destination Session and Configuring Incoming Traffic 26-20 Specifying VLANs to Filter 26-21 Cisco IE 3000 Switch Software Configuration Guide OL-13018-01...
  • Page 21 29-1 SNMP Versions 29-2 SNMP Manager Functions 29-3 SNMP Agent Functions 29-3 SNMP Community Strings 29-4 Using SNMP to Access MIB Variables 29-4 SNMP Notifications 29-5 SNMP ifIndex MIB Object Values 29-5 Cisco IE 3000 Switch Software Configuration Guide OL-13018-01...
  • Page 22 Time Range Applied to an IP ACL 30-19 Commented IP ACL Entries 30-19 Creating Named MAC Extended ACLs 30-19 Applying a MAC ACL to a Layer 2 Interface 30-21 Displaying IPv4 ACL Configuration 30-22 Cisco IE 3000 Switch Software Configuration Guide xxii OL-13018-01...
  • Page 23 Configuring Cisco IOS IP SLAs Operations 31-1 C H A P T E R Understanding Cisco IOS IP SLAs 31-1 Using Cisco IOS IP SLAs to Measure Network Performance 31-2 IP SLAs Responder and IP SLAs Control Protocol 31-4 Response Time Computation for IP SLAs...
  • Page 24 Configuring SRR Shaped Weights on Egress Queues 32-64 Configuring SRR Shared Weights on Egress Queues 32-65 Configuring the Egress Expedite Queue 32-66 Limiting the Bandwidth on an Egress Interface 32-66 Displaying Standard QoS Information 32-67 Cisco IE 3000 Switch Software Configuration Guide xxiv OL-13018-01...
  • Page 25 Displaying EtherChannel, PAgP, and LACP Status 33-16 Understanding Link-State Tracking 33-17 Configuring Link-State Tracking 33-19 Default Link-State Tracking Configuration 33-20 Link-State Tracking Configuration Guidelines 33-20 Configuring Link-State Tracking 33-20 Displaying Link-State Tracking Status 33-21 Cisco IE 3000 Switch Software Configuration Guide OL-13018-01...
  • Page 26 Enabling All-System Diagnostics 34-15 Redirecting Debug and Error Message Output 34-15 Using the show platform forward Command 34-15 Using the crashinfo Files 34-17 Basic crashinfo Files 34-17 Extended crashinfo Files 34-18 Cisco IE 3000 Switch Software Configuration Guide xxvi OL-13018-01...
  • Page 27 A P P E N D I X MIB List Using FTP to Access the MIB Files Working with the Cisco IOS File System, Configuration Files, and Software Images A P P E N D I X Working with the Flash File System...
  • Page 28 Working with Software Images B-23 Image Location on the Switch B-23 tar File Format of Images on a Server or Cisco.com B-24 Copying Image Files By Using TFTP B-24 Preparing to Download or Upload an Image File By Using TFTP...
  • Page 29 Unsupported Global Configuration Command Unsupported Interface Configuration Commands Unsupported Policy-Map Configuration Command RADIUS Unsupported Global Configuration Commands SNMP Unsupported Global Configuration Commands Spanning Tree Unsupported Global Configuration Command Unsupported Interface Configuration Command Cisco IE 3000 Switch Software Configuration Guide xxix OL-13018-01...
  • Page 30 Contents VLAN Unsupported Global Configuration Command Unsupported vlan-config Command Unsupported User EXEC Commands Unsupported Privileged EXEC Commands N D E X Cisco IE 3000 Switch Software Configuration Guide OL-13018-01...
  • Page 31 Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com. This guide does not describe system messages you might encounter or how to install your switch. For more information, see the IE 3000 Switch System Message Guide for this release and the IE 3000 Switch Hardware Installation Guide.
  • Page 32: Related Publications

    Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

    Related Publications

    These documents provide complete information about the switch and are available from this Cisco.com site: http://www.cisco.com/en/US/products/ps9703/tsd_products_support_series_home.html

    Note: Before installing, configuring, or upgrading the switch, see these documents: •...
  • Page 33 Obtaining Documentation, Obtaining Support, and Security Guidelines For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed...
  • Page 35: Features

    Some features described in this chapter are available only on the cryptographic (supports encryption) version of the software. You must obtain authorization to use this feature and to download the cryptographic version of the software from Cisco.com. For more information, see the release notes for this release.
  • Page 36: Chapter 1 Overview

    • User-defined and Cisco-default Smartports macros for creating custom switch configurations for simplified deployment across the network.
    • A removable compact flash card that stores the Cisco IOS software image and configuration files for the switch. You can replace and upgrade the switch without reconfiguring the software features.
  • Page 37: Performance Features

    • IGMP throttling for configuring the action when the maximum number of entries is in the IGMP forwarding table
    • IGMP leave timer for configuring the leave latency for the network
    • Switch Database Management (SDM) templates for allocating system resources to maximize support for user-selected features
  • Page 38: Management Options

    • Network Assistant—Network Assistant is a network management application that can be downloaded from Cisco.com. You use it to manage a single switch, a cluster of switches, or a community of devices. For more information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com.
  • Page 39

    • Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source
    • Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses
    • Support for the SSM PIM protocol to optimize multicast applications, such as video...
  • Page 40: Availability And Redundancy Features

    • The HTTP client in Cisco IOS can send requests to both IPv4 and IPv6 HTTP servers, and the HTTP server in Cisco IOS can service HTTP requests from both IPv4 and IPv6 HTTP clients
    • Simple Network Management Protocol (SNMP) can be configured over IPv6 transport so that an IPv6 host can send SNMP queries and receive SNMP notifications from a device running IPv6...
  • Page 41: Vlan Features

    flooded traffic to links destined for stations receiving the traffic
    • Voice VLAN for creating subnets for voice traffic from Cisco IP Phones
    • VLAN 1 minimization for reducing the risk of spanning-tree loops or storms by allowing VLAN 1...
  • Page 42: Qos And Cos Features

    – VLAN assignment for restricting IEEE 802.1x-authenticated users to a specified VLAN
    – Port security for controlling access to IEEE 802.1x ports
    – Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port
    – IP phone detection enhancement to detect and recognize a Cisco IP phone.
  • Page 43: Monitoring Features

    – Trusted port states (CoS, DSCP, and IP precedence) within a QoS domain and with a port bordering another QoS domain
    – Trusted boundary for detecting the presence of a Cisco IP Phone, trusting the CoS value received, and ensuring port security
    • Policing...
  • Page 44: Default Settings After Initial Switch Configuration

    • Switch cluster is disabled. For more information about switch clusters, see Chapter 6, “Clustering Switches,” and the Getting Started with Cisco Network Assistant, available on Cisco.com.
    • No passwords are defined. For more information, see Chapter 7, “Administering the Switch.”...
  • Page 45

    • The IGMP snooping querier feature is disabled. For more information, see Chapter 21, “Configuring IGMP Snooping and MVR.”
    • MVR is disabled. For more information, see Chapter 21, “Configuring IGMP Snooping and MVR.”
  • Page 46: Network Configuration Examples

    Table 1-1 describes what can cause network performance to degrade and how you can configure your network to increase the bandwidth available to your network users.
  • Page 47

    Internet or an intranet at higher speeds

    Note: LRE is the technology used in the Catalyst 2900 LRE XL and Catalyst 2950 LRE switches. See the documentation sets specific to these switches for LRE information.
  • Page 48: Ethernet-To-The-Factory Architecture

    They are all in real-time communication with each other. This zone requires clear isolation and protection from the other levels of plant or enterprise operations. Figure 1-1 shows the EttF architecture.
  • Page 49

    Figure 1-1 Ethernet-to-the-Factory Architecture (diagram; labels include Catalyst 3750 switch, Catalyst 4500 switch, Catalyst 3750 switch stack, servers, and management tools)
  • Page 50: Topology Options

    Ethernet. Most devices have no or limited failover capabilities and therefore cannot effectively use redundant network connections.
    • Redundant connections can be used in certain industries and applications, such as process-related industries that are applied to critical infrastructure.
  • Page 51

    • There is no redundancy to the loss of a connection.

    Figure 1-2 Cell Network–Trunk-Drop Topology (diagram; labels include Catalyst 3750 Stackwise Switch Stack, Human Machine Interface (HMI), Controllers, Controllers, Drives, and Remote I/Os, and Cell Zone)
  • Page 52

    Figure 1-3 Cell Network–Ring Topology (diagram; labels include Catalyst 3750 Stackwise Switch Stack, Human Machine Interface (HMI), Controllers, Controllers, Drives, and Remote I/O, and Cell Zone)
  • Page 53: Where To Go Next

    Before configuring the switch, review these sections for startup information:
    • Chapter 2, “Using the Command-Line Interface”
    • Chapter 4, “Assigning the Switch IP Address and Default Gateway”
  • Page 55: Understanding Command Modes

    Using the Command-Line Interface

    This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your IE 3000 switch. It contains these sections:
    • Understanding Command Modes, page 2-1...
  • Page 56: Chapter 2 Using The Command-Line Interface

    Access: ...EXEC mode, enter the vlan database command.
    Prompt: Switch(vlan)#
    Exit: To exit to privileged EXEC mode, enter exit.
    Purpose: Use this mode to configure VLAN parameters for VLANs 1 to 1005 in the VLAN database.
  • Page 57: Understanding The Help System

    Obtain a list of commands that begin with a particular character string. For example:
        Switch# di?
        dir disable disconnect
    abbreviated-command-entry<Tab>: Complete a partial command name. For example:
        Switch# sh conf<tab>
        Switch# show configuration
  • Page 58: Understanding Abbreviated Commands

    However, some commands are enabled by default and have variables set to certain default values. In these cases, the default command enables the command and sets variables to their default values.
  • Page 59: Understanding Cli Error Messages

    For more information, see the Configuration Change Notification and Logging feature module at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1e81.html

    Note: Only CLI or HTTP changes are logged.
  • Page 60: Using Command History

    The number of commands that appear is controlled by the setting of the terminal history global configuration command and the history line configuration command. 1. The arrow keys function only on ANSI-compatible terminals such as VT100s.
  • Page 61: Disabling The Command History Feature

    Table 2-5 Editing Commands through Keystrokes
    Capability: Move around the command line to make changes or corrections.
    Keystroke: Press Ctrl-B, or press the left arrow key.
    Purpose: Move the cursor back one character.
  • Page 62

    Purpose: Change the word at the cursor to lowercase.
    Keystroke: Press Esc U. Purpose: Capitalize letters from the cursor to the end of the word.
    Capability: Designate a particular keystroke as an executable command, perhaps as a shortcut. Keystroke: Press Ctrl-V or Esc Q.
  • Page 63: Editing Command Lines That Wrap

    Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the “Editing Commands through Keystrokes” section on page 2-7.
  • Page 64: Searching And Filtering Output Of Show And More Commands

    9-33. The switch supports up to five simultaneous secure SSH sessions. After you connect through the console port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station.
  • Page 65: Understanding Ie 3000 Switch Alarms

    Understanding IE 3000 Switch Alarms The IE 3000 switch software monitors switch conditions on a per port or a switch basis. If the conditions present on the switch or a port do not match the set parameters, the switch software triggers an alarm or a system message.
  • Page 66: Global Status Monitoring Alarms

    3-8 for more information.

    Port Status Monitoring Alarms

    The IE 3000 switch can also monitor the status of the Ethernet ports and generate alarm messages based on the alarms listed in Table 3-2. To save user time and effort, the switch supports changing alarm configurations by using alarm profiles.
  • Page 67: Triggering Alarm Options

    You can associate any alarm condition with either alarm relay or both relays. Each fault condition is assigned a severity level based on the Cisco IOS System Error Message Severity Level.
  • Page 68: Configuring Ie 3000 Switch Alarms

    Switch Alarms” section on page 3-4 for more information.

    Configuring IE 3000 Switch Alarms

    This section describes how to configure the IE 3000 switch alarms:
    • Default IE 3000 Switch Alarm Configuration, page 3-4
    • Configuring the Power Supply Alarm, page 3-5...
  • Page 69: Configuring The Power Supply Alarm

    • Setting the Power Supply Alarm Options, page 3-5

    Setting the Power Mode

    The IE 3000 switch has two DC power inputs. By default, the system operates in the single-power mode. You can use the power-supply dual global configuration command to set the dual-mode operation. In dual-power mode, a second power supply gives power to the switch if the primary power supply fails.
  • Page 70: Configuring The Switch Temperature Alarms

    This example shows how to delete the primary temperature monitoring alarm configuration and return to the default setting.
        Switch(config)# no alarm facility temperature primary high 45
  • Page 71: Setting A Secondary Temperature Threshold For The Switch

    {primary | secondary} syslog
    Step 5: Return to privileged EXEC mode.
    Step 6: show alarm settings. Purpose: Verify the configuration.
    Step 7: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
  • Page 72: Configuring The Fcs Bit Error Rate Alarm

    Verify the setting.
    Step 6: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.

    Use the no fcs-threshold interface configuration command to return to the default FCS threshold value.
  • Page 73: Configuring Alarm Profiles

    Use the alarm facility fcs-hysteresis global configuration command to set the FCS error hysteresis threshold.

    Note: The FCS hysteresis threshold is applied to all ports of an IE 3000 switch.

    Beginning in privileged EXEC mode, follow these steps to set the FCS error hysteresis threshold for a...
  • Page 74: Creating Or Modifying An Alarm Profile

    Before you use the notifies command to send alarm traps to an SNMP server, you must first set up the SNMP server by using the snmp-server enable traps alarms global configuration command. See the “Enabling SNMP Traps” section on page 3-11.
  • Page 75: Attaching An Alarm Profile To A Specific Port

    Before using alarm profiles to set the switch to send SNMP alarm trap notifications to an SNMP server, you must first enable SNMP by using the snmp-server enable traps alarms global configuration command.
  • Page 76: Displaying Ie 3000 Switch Alarms Status

    {all | power | temperature}: Displays the status of environmental facilities on the switch.
    show facility-alarm status [critical | info | major | minor]: Displays generated alarms on the switch.
  • Page 77: Chapter 4 Assigning The Switch Ip Address And Default Gateway

    This chapter describes how to create the initial switch configuration (for example, assigning the IP address and default gateway information) for the IE 3000 switch by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration.
  • Page 78: Assigning Switch Information

    You can replace and upgrade the switch without reconfiguring the switch. Removing the compact flash card does not interrupt switch operation, unless you need to reload the Cisco IOS software because of a power cycle or user action. However, when the compact flash card is removed, you do not have access to the flash file system, and any attempt to access it generates an error message.
  • Page 79: Default Switch Information

    If you are using DHCP to relay the configuration file location on the network, you might also need to configure a Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server.
  • Page 80: Dhcp Client Request Process

    If the switch accepts replies from a BOOTP server and configures itself, the switch broadcasts, instead of unicasts, TFTP requests to obtain the switch configuration file.
  • Page 81: Understanding Dhcp-Based Autoconfiguration And Image Update

    Unless you configure a timeout, the DHCP-based autoconfiguration with a saved configuration feature tries indefinitely to download an IP address.
    • The auto-install process stops if a configuration file cannot be downloaded or if the configuration file is corrupted.
  • Page 82: Configuring Dhcp-Based Autoconfiguration

    • Example Configuration, page 4-9

    If your DHCP server is a Cisco device, for additional information about configuring DHCP, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >...
  • Page 83: Configuring The Dns

    The DNS server can be on the same or on a different LAN as the switch. If it is on a different LAN, the switch must be able to access it through a router.
  • Page 84: Configuring The Relay Device

    If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 85: Example Configuration

    Figure 4-3 DHCP-Based Autoconfiguration Network Example (diagram; labels: Switch 1 00e0.9f1e.2001, Switch 2 00e0.9f1e.2002, Switch 3 00e0.9f1e.2003, Switch 4 00e0.9f1e.2004, Cisco router 10.0.0.10, DHCP server 10.0.0.1, DNS server 10.0.0.2, TFTP server (tftpserver) 10.0.0.3)
  • Page 86

    • If no configuration filename is given in the DHCP server reply, Switch A reads the network-confg file from the base directory of the TFTP server.
    • It adds the contents of the network-confg file to its host table.
  • Page 87: Configuring The Dhcp Auto Configuration And Image Update Features

    This example shows how to configure a switch as a DHCP server so that it will download a configuration file:
        Switch# configure terminal
        Switch(config)# ip dhcp pool pool1
        Switch(dhcp-config)# network 10.10.10.0 255.255.255.0
        Switch(dhcp-config)# bootfile config-boot.text
  • Page 88: Configuring Dhcp Auto-Image Update (Configuration File And Image)

    Upload the tar file for the new image to the switch.
    Step 10: exit. Purpose: Return to global configuration mode.
    Step 11: tftp-server flash:config.text. Purpose: Specify the Cisco IOS configuration file on the TFTP server.
    Step 12: tftp-server flash:imagename.tar. Purpose: Specify the image name on the TFTP server.
    Step 13: tftp-server flash:filename.txt...
  • Page 89: Configuring The Client

        You to Nolonger Automatically Download Configuration Files at Reboot^C
        Switch(config)# vlan 99
        Switch(config-vlan)# interface vlan 99
        Switch(config-if)# no shutdown
        Switch(config-if)# end
        Switch# show boot
        BOOT path-list:
        Config file: flash:/config.text
        Private Config file: flash:/private-config.text
        Enable Break:
  • Page 90: Manually Assigning Ip Information

    For information on setting the switch system name, protecting access to privileged EXEC commands, and setting time and calendar services, see Chapter 7, “Administering the Switch.”
  • Page 91: Checking And Saving The Running Configuration

    EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.”
  • Page 92: Modifying The Startup Configuration

    Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot-up cycle.
  • Page 93: Booting Manually

    Filenames and directory names are case sensitive.
    Step 5: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.

    To disable manual booting, use the no boot manual global configuration command.
  • Page 94: Booting A Specific Software Image

    A variable that is set to a null string (for example, “ ”) is a variable with a value. Many environment variables are predefined and have default values.
  • Page 95 Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
  • Page 96: Scheduling A Reload Of The Software Image

    This example shows how to reload the software on the switch on the current day at 7:30 p.m.:
        Switch# reload at 19:30
        Reload scheduled for 19:30:00 UTC Wed Jun 5 1996 (in 2 hours and 25 minutes)
        Proceed with reload? [confirm]
  • Page 97: Displaying Scheduled Reload Information

    EXEC command. It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled).
  • Page 99: Chapter 5 Configuring Cisco Ios Cns Agents

    Configuring Cisco IOS CNS Agents This chapter describes how to configure the Cisco IOS CNS agents on the IE 3000 switch. Note: For complete configuration information for the Cisco Configuration Engine, see this URL on Cisco.com: http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.html...
  • Page 100: Configuration Service

    (LDAP) URLs that reference the device-specific configuration information stored in a directory. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
  • Page 101: Event Service

    Understanding Cisco Configuration Engine Software Event Service The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine.
  • Page 102: Deviceid

    Therefore, the DeviceID, as originated on the switch, must match the DeviceID of the corresponding switch definition in the Configuration Engine. The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID variable and its usage reside within the event gateway adjacent to the switch.
  • Page 103: Understanding Cisco Ios Agents

    Understanding Cisco IOS Agents The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. The Cisco IOS agent feature supports the switch by providing these features: •...
  • Page 104: Incremental (Partial) Configuration

    NVRAM for use at the next reboot. Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 5-6.
  • Page 105: Enabling The Cns Event Agent

    Note: For more information about running the setup program and creating templates on the Configuration Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1.5 for Linux at this URL: http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/products_installation_and_configuration_guide_book09186a00803b59db.html...
  • Page 106 This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count.
    Switch(config)# cns event 10.180.1.27 keepalive 120 10
  • Page 107: Enabling The Cisco Ios Cns Agent

    Configuring Cisco IOS CNS Agents Configuring Cisco IOS Agents Enabling the Cisco IOS CNS Agent After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands: •...
  • Page 108 Return to global configuration mode. Step 11 hostname name Enter the hostname for the switch. Step 12 ip route network-number (Optional) Establish a static route to the Configuration Engine whose IP address is network-number.
  • Page 109 ID, enter an arbitrary text string for string string as the unique ID, or enter udi to set the unique device identifier (UDI) as the unique ID.
  • Page 110 Verify your entries. To disable the CNS Cisco IOS agent, use the no cns config initial {ip-address | hostname} global configuration command. This example shows how to configure an initial configuration on a remote switch when the switch configuration is unknown (the CNS Zero Touch feature).
  • Page 111: Enabling A Partial Configuration

    RemoteSwitch(config)# cns id ethernet 0 ipaddress
    RemoteSwitch(config)# cns config initial 172.28.129.22 no-persist
    Enabling a Partial Configuration
    Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch: Command...
  • Page 112: Displaying Cns Configuration

    Displaying CNS Configuration
    Command : Purpose
    show cns config connections : Displays the status of the CNS Cisco IOS agent connections.
    show cns config outstanding : Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
    show cns config stats : Displays statistics about the Cisco IOS agent.
  • Page 113: Chapter 6 Clustering Switches

    Clustering Switches This chapter provides the concepts and procedures to create and manage IE 3000 switch clusters. You can create and manage switch clusters by using Cisco Network Assistant (hereafter known as Network Assistant), the command-line interface (CLI), or SNMP.
  • Page 114
    Catalyst 2900 XL (8-MB switches) : 12.0(5.1)XU or later : Member or command switch
    Catalyst 2900 XL (4-MB switches) : 11.2(8.5)SA6 (recommended) : Member switch only
    Catalyst 1900 and 2820 : 9.00(-A or -EN) or later : Member switch only
  • Page 115: Cluster Command Switch Characteristics

    Note: Standby cluster command switches must be the same type of switches as the cluster command switch. For example, if the cluster command switch is an IE 3000 switch, the standby cluster command switches must also be IE 3000 switches. Refer to the switch configuration guide of other cluster-capable switches for their requirements on standby cluster command switches.
  • Page 116: Planning A Switch Cluster

    Java plug-in configurations. Automatic Discovery of Cluster Candidates and Members The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
  • Page 117: Discovery Through Cdp Hops

    [Figure: labels include Command device, VLAN 16, VLAN 62, Member device 8, Member device 9, Member device 10, Device 11 through Device 15, Candidate devices, Edge of cluster]
  • Page 118: Discovery Through Non-Cdp-Capable And Noncluster-Capable Devices

    Planning a Switch Cluster Discovery Through Non-CDP-Capable and Noncluster-Capable Devices If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 119: Discovery Through Different Management Vlans

    • Switches 7 and 10 (switches in management VLAN 4) because they are not connected through a common VLAN (meaning VLANs 62 and 9) with the cluster command switch
    • Switch 9 because automatic discovery does not extend beyond a noncandidate device, which is switch 7
  • Page 120: Discovery Of Newly Installed Switches

    • One cluster-capable switch and its access port are assigned to VLAN 9.
    • The other cluster-capable switch and its access port are assigned to management VLAN 16.
  • Page 121: Hsrp And Standby Cluster Command Switches

    Note: The HSRP standby hold time interval should be greater than or equal to three times the hello time interval. The default HSRP standby hold time interval is 10 seconds. The default HSRP standby hello time interval is 3 seconds.
  • Page 122: Virtual Ip Addresses

    Standby cluster command switches must be the same type of switches as the cluster command switch. For example, if the cluster command switch is an IE 3000 switch, the standby cluster command switches must also be IE 3000 switches. Refer to the switch configuration guide of other cluster-capable switches for their requirements on standby cluster command switches.
  • Page 123: Automatic Recovery Of Cluster Configuration

    The active cluster command switch only forwards cluster-configuration information to the standby cluster command switch. You must therefore rebuild the cluster.
  • Page 124: Ip Addresses

    (such as eng-cluster-5) with the hostname of the cluster command switch in the new cluster (such as mkg-cluster-5). If the switch member number changes in the new cluster (such as 3), the switch retains the previous name (eng-cluster-5).
  • Page 125: Passwords

    For more information about TACACS+, see the “Controlling Switch Access with TACACS+” section on page 9-10. For more information about RADIUS, see the “Controlling Switch Access with RADIUS” section on page 9-17.
  • Page 126: Lre Profiles

    Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
  • Page 127: Using Snmp To Manage Switch Clusters

    For more information about SNMP and community strings, see Chapter 29, “Configuring SNMP.”
    [Figure 6-7 SNMP Management for a Cluster: SNMP Manager, Command switch, Trap 1, Trap 2, Trap 3, Member 1, Member 2, Member 3]
  • Page 129: Managing The System Time And Date

    You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference from the Cisco.com page under Documentation >...
  • Page 130: Understanding Network Time Protocol

    Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 131: Configuring Ntp

    If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as if it is synchronized through NTP, when in fact it has learned the time by using other means. Other devices then synchronize to that device through NTP.
  • Page 132: Default Ntp Configuration

    NTP that provide for accurate timekeeping) with other devices for security purposes: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ntp authenticate Enable the NTP authentication feature, which is disabled by default.
  • Page 133: Configuring Ntp Associations

    An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this switch synchronizes to the other device, and not the other way around).
  • Page 134: Configuring Ntp Broadcast Service

    However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, the information flow is one-way only.
  • Page 135 Specify the interface to receive NTP broadcast packets, and enter interface configuration mode. Step 3 ntp broadcast client Enable the interface to receive NTP broadcast packets. By default, no interfaces receive NTP broadcast packets. Step 4 exit Return to global configuration mode.
  • Page 136: Configuring Ntp Access Restrictions

    NTP control queries and allows the switch to synchronize to the remote device. For access-list-number, enter a standard IP access list number from 1 to 99.
  • Page 137 99. However, the switch restricts access to allow only time requests from access list 42:
    Switch# configure terminal
    Switch(config)# ntp access-group peer 99
    Switch(config)# ntp access-group serve-only 42
    Switch(config)# access-list 99 permit 172.20.130.5
    Switch(config)# access-list 42 permit 172.20.130.6
  • Page 138: Configuring The Source Ip Address For Ntp Packets

    “Configuring NTP Associations” section on page 7-5.
  • Page 139: Displaying The Ntp Configuration

    Note: For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 140: Displaying The Time And Date Configuration

    Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent. In this case, the necessary command is clock timezone AST -3 30. To set the time to UTC, use the no clock timezone global configuration command.
  • Page 141: Configuring Summer Time (Daylight Saving Time)

    This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:
    Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
  • Page 142: Configuring A System Name And Prompt

    A greater-than symbol [>] is appended. The prompt is updated whenever the system name changes. For complete syntax and usage information for the commands used in this section, from the Cisco.com page, select Documentation > Cisco IOS Software > 12.2 Mainline > Command References and see the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols.
  • Page 143: Default System Name And Prompt Configuration

    Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
  • Page 144: Default Dns Configuration

    Internet naming scheme (DNS). Step 5 Return to privileged EXEC mode.
  • Page 145: Displaying The Dns Configuration

    If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
  • Page 146: Configuring A Message-Of-The-Day Login Banner

    User Access Verification
    Password:
    Configuring a Login Banner
    You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt.
  • Page 147: Managing The Mac Address Table

    • MAC Addresses and VLANs, page 7-20
    • Default MAC Address Table Configuration, page 7-20
    • Changing the Address Aging Time, page 7-21
    • Removing Dynamic Address Entries, page 7-21
  • Page 148: Building The Address Table

    Table 7-3 shows the default MAC address table configuration.
    Table 7-3 Default MAC Address Table Configuration
    Feature : Default Setting
    Aging time : 300 seconds
    Dynamic addresses : Automatically learned
    Static addresses : None configured
  • Page 149: Changing The Address Aging Time

    MAC address activity for each hardware port for which the trap is enabled. MAC address notifications are generated for dynamic and secure MAC addresses; events are not generated for self addresses, multicast addresses, or other static addresses.
  • Page 150 Enable the MAC notification trap whenever a MAC address is added on this interface. Enable the MAC notification trap whenever a MAC address is removed from this interface. Step 8 Return to privileged EXEC mode.
  • Page 151: Adding And Removing Static Address Entries

    You add a static address to the address table by specifying the destination MAC unicast address and the VLAN from which it is received. Packets received with this destination address are forwarded to the interface specified with the interface-id option.
  • Page 152: Configuring Unicast Mac Address Filtering

    % Only unicast addresses can be configured to be dropped
    % CPU destined address cannot be configured as drop address
    • Packets that are forwarded to the CPU are also not supported.
  • Page 153 When a packet is received in VLAN 4 with this MAC address as its source or destination, the packet is dropped:
    Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop
  • Page 154: Displaying Address Table Entries

    (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. Note: For CLI procedures, see the Cisco IOS Release 12.2 documentation from the Cisco.com page under Documentation >...
  • Page 155: Chapter 8 Configuring Sdm Templates

    Approximate Number of Feature Resources Allowed by Each Template Resource Default Unicast MAC addresses IPv4 IGMP groups IPv4 unicast routes IPv4 policy-based routing aces IPv4 MAC QoS ACEs IPv4 MAC security ACEs
  • Page 156: Configuring The Switch Sdm Template

    • qos—Maximizes system resources for QoS ACEs.
    Use the no sdm prefer command to set the switch to the default template. The default template balances the use of system resources.
  • Page 157: Displaying The Sdm Templates

    Use the show sdm prefer privileged EXEC command with no parameters to display the active template. Use the show sdm prefer [default | qos] privileged EXEC command to display the resource numbers supported by the specified template.
  • Page 159: Preventing Unauthorized Access To Your Switch

    Configuring Switch-Based Authentication This chapter describes how to configure switch-based authentication on the IE 3000 switch. It consists of these sections:
    • Preventing Unauthorized Access to Your Switch, page 9-1
    • Protecting Access to Privileged EXEC Commands, page 9-2...
  • Page 160: Protecting Access To Privileged Exec Commands

    Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 161: Setting Or Changing A Static Enable Password

    We recommend that you use the enable secret command because it uses an improved encryption algorithm. If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
  • Page 162 The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined. (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password that you...
  • Page 163: Disabling Password Recovery

    Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 164: Setting A Telnet Password For A Terminal Line

    If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
  • Page 165: Configuring Multiple Privilege Levels

    Configuring Multiple Privilege Levels By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
  • Page 166: Setting The Privilege Level For A Command

    This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:
    Switch(config)# privilege exec level 14 configure
    Switch(config)# enable password level 14 SecretPswd14
  • Page 167: Changing The Default Privilege Level For Lines

    Log in to a specified privilege level. For level, the range is 0 to 15. Step 2 disable level Exit to a specified privilege level. For level, the range is 0 to 15.
  • Page 168: Controlling Switch Access With Tacacs

    (AAA) and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2. These sections contain this configuration information: •...
  • Page 169 The TACACS+ protocol provides authentication between the switch and the TACACS+ daemon, and it ensures confidentiality because all protocol exchanges between the switch and the TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your switch.
  • Page 170: Tacacs+ Operation

    You can use method lists to designate one or more security protocols to be used, thus ensuring a backup system if the initial method fails. The software uses the first method listed to authenticate, to...
  • Page 171: Default Tacacs+ Configuration

    (Optional) For key string, specify the encryption key for encrypting and decrypting all traffic between the switch and the TACACS+ daemon. You must configure the same key on the TACACS+ daemon for encryption to be successful.
  • Page 172: Configuring Tacacs+ Login Authentication

    Beginning in privileged EXEC mode, follow these steps to configure login authentication: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA.
  • Page 173 {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
  • Page 174: Configuring Tacacs+ Authorization For Privileged Exec Access And Network Services

    HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >...
  • Page 175: Starting Tacacs+ Accounting

    RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 176: Understanding Radius

    • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.
    • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 177: Radius Operation

    You can use method lists to designate one or more security protocols to be used (such as TACACS+ or local username lookup), thus ensuring a backup system if the initial method fails. The...
  • Page 178: Default Radius Configuration

    (The RADIUS host entries are tried in the order that they are configured.)
  • Page 179 9-29. You can configure the switch to use AAA server groups to group existing server hosts for authentication. For more information, see the “Defining AAA Server Groups” section on page 9-25.
  • Page 180 This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:
    Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
    Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2
  • Page 181: Configuring Radius Login Authentication

    Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA.
  • Page 182 For list-name, specify the list created with the aaa authentication login command. Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 183: Defining Aaa Server Groups

    HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >...
  • Page 184 Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2. Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries.
  • Page 185: Configuring Radius Authorization For User Privileged Access And Network Services

    EXEC access and network services: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa authorization network radius Configure the switch for user RADIUS authorization for all network-related service requests.
  • Page 186: Starting Radius Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 187: Configuring Settings For All Radius Servers

    1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
  • Page 188 Note: For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, see the “RADIUS Attributes” appendix in the Cisco IOS Security Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 189: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
  • Page 190: Configuring The Switch For Local Authentication And Authorization

    (Optional) Save your entries in the configuration file. To disable AAA, use the no aaa new-model global configuration command. To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
  • Page 191: Configuring The Switch For Secure Shell

    You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 192: Limitations

    9-35.
    • When generating the RSA key pair, the message No host name specified might appear. If it does, you must configure a hostname by using the hostname global configuration command.
  • Page 193: Setting Up The Switch To Run Ssh

    Setting Up the Switch to Run SSH Follow these steps to set up your switch to run SSH: Download the cryptographic software image from Cisco.com. This step is required. For more information, see the release notes for this release. Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server.
  • Page 194: Configuring The Ssh Server

    Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default SSH control parameters, use the no ip ssh {timeout | authentication-retries} global configuration command.
  • Page 195: Displaying The Ssh Configuration And Status

    • Displaying Secure HTTP Server and Client Status, page 9-43
    For configuration examples and complete syntax and usage information for the commands used in this section, see the “HTTPS - HTTP Server and Client with SSL 3.0” feature description for Cisco IOS Release 12.2(15)T at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a008015a4c6.
  • Page 196: Certificate Authority Trustpoints

    (pages) back to the HTTP secure server, which, in turn, responds to the original request. The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
  • Page 197: Ciphersuites

    For additional information on Certificate Authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 198: Configuring Secure Http Servers And Clients

    Specify a local configuration name for the CA trustpoint and enter CA trustpoint configuration mode.
    Step 6 enrollment url url Specify the URL to which the switch should send certificate requests.
  • Page 199: Configuring The Secure Http Server

    (Optional) Specify the port number to be used for the HTTPS server. The default port number is 443. Valid options are 443 or any number in the range 1025 to 65535.
  • Page 200 IP address or hostname of the server switch. If you configure a port other than the default port, you must also specify the port number after the URL. For example:
        https://209.165.129:1026
        https://host.domain.com:1026
  • Page 201: Configuring The Secure Http Client

    Shows the HTTP secure client configuration. secure status
    show ip http server secure status Shows the HTTP secure server configuration.
    show running-config Shows the generated self-signed certificate for secure HTTP connections.
  • Page 202: Configuring The Switch For Secure Copy Protocol

    A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
  • Page 203: Understanding Ieee 802.1X Port-Based Authentication

    Configuring IEEE 802.1x Port-Based Authentication
    This chapter describes how to configure IEEE 802.1x port-based authentication on the IE 3000 switch. IEEE 802.1x authentication prevents unauthorized devices (clients) from gaining access to the network.
    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the “RADIUS Commands”...
  • Page 204: Device Roles

    LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. In this release, the RADIUS security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server. It is available...
  • Page 205: Authentication Process

    EAP frame, which is then encapsulated for Ethernet and sent to the client. The devices that can act as intermediaries include the IE 3000, the Catalyst 3750-E, Catalyst 3560-E, Catalyst 3750, Catalyst 3560, Catalyst 3550, Catalyst 2970, Catalyst 2960, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point.
  • Page 206 After IEEE 802.1x authentication using a RADIUS server is configured, the switch uses timers based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]). The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which re-authentication occurs.
  • Page 207: Authentication Initiation And Message Exchange

    The specific exchange of EAP frames depends on the authentication method being used. Figure 10-3 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.
  • Page 208 MAC authentication bypass.
    Figure 10-4: Message Exchange During MAC Authentication Bypass (participants: Client, Switch, Authentication server (RADIUS); messages: EAPOL Request/Identity, Ethernet packet, RADIUS Access/Request, RADIUS Access/Accept)
  • Page 209: Ports In Authorized And Unauthorized States

    The switch detects the client by sending an EAPOL frame when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.
  • Page 210: Ieee 802.1X Accounting

    RADIUS accounting packets are sent by a switch:
    • START–sent when a new user session starts
    • INTERIM–sent during an existing session for updates
    • STOP–sent when a session terminates
  • Page 211: Using 802.1X Readiness Check

    You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_book09186a...
  • Page 212: Using Ieee 802.1X Authentication With Vlan Assignment

    VLAN. The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
  • Page 213: Using Ieee 802.1X Authentication With Guest Vlan

    Note: If an EAPOL packet is detected after the interface has changed to the guest VLAN, the interface reverts to an unauthorized state, and IEEE 802.1x authentication restarts.
  • Page 214: Using Ieee 802.1X Authentication With Restricted Vlan

    After a port moves to the restricted VLAN, a simulated EAP success message is sent to the client. This prevents clients from indefinitely attempting authentication. Some clients (for example, devices running Windows XP) cannot implement DHCP without EAP success.
  • Page 215: Using Ieee 802.1X Authentication With Inaccessible Authentication Bypass

    If all the RADIUS servers are not available and the client is connected to a critical port, the switch authenticates the client and puts the critical port in the critical-authentication state in the RADIUS-configured or user-specified access VLAN.
  • Page 216: Using Ieee 802.1X Authentication With Voice Vlan Ports

    If you enable IEEE 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
  • Page 217: Using Ieee 802.1X Authentication With Port Security

    IEEE 802.1x port becomes unauthorized. The port can only receive and send EAPOL packets, and WoL magic packets cannot reach the host. When the PC is powered off, it is not authorized, and the switch port is not opened.
  • Page 218: Using Ieee 802.1X Authentication With Mac Authentication Bypass

    IEEE 802.1x authentication times out, the switch uses the MAC authentication bypass feature to initiate re-authorization. For more information about these AV pairs, see RFC 3580, “IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines.”
  • Page 219: Using Network Admission Control Layer 2 Ieee 802.1X Validation

    You can use a web browser to authenticate a client that does not support IEEE 802.1x functionality. This feature can authenticate up to eight users on the same shared port and apply the appropriate policies for each end host on a shared port.
  • Page 220: Web Authentication With Automatic Mac Check

    You can configure a port to use only web authentication. You can also configure the port to first try and use IEEE 802.1x authentication and then to use web authorization if the client does not support IEEE 802.1x authentication. Web authentication requires two Cisco Attribute-Value (AV) pair attributes:
    • The first attribute, , must always be set to 15.
  • Page 221: Default Ieee 802.1X Authentication Configuration

    Disabled.
    Number of seconds between re-authentication attempts: 3600 seconds.
    Re-authentication number: 2 times (number of times that the switch restarts the authentication process before the port changes to the unauthorized state).
  • Page 222: Ieee 802.1X Authentication Configuration Guidelines

    For example, this change occurs if a port is assigned to a RADIUS server-assigned VLAN and is then assigned to a different VLAN after re-authentication.
  • Page 223: Vlan Assignment, Guest Vlan, Restricted Vlan, And Inaccessible Authentication Bypass

    IP address from the DHCP server. Decrease the settings for the IEEE 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout tx-period interface configuration commands). The amount to decrease the settings depends on the connected IEEE 802.1x client type.
  • Page 224: Mac Authentication Bypass

    IEEE 802.1x-capable. A syslog message is generated if the client responds within the timeout period. If the client does not respond to the query, the client is not IEEE 802.1x-capable. No syslog message is generated.
  • Page 225: Configuring Ieee 802.1X Authentication

    Step 5 The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication.
    Step 6 The user disconnects from the port.
    Step 7
  • Page 226: Configuring The Switch-To-Radius-Server Communication

    The RADIUS host entries are tried in the order that they were configured.
  • Page 227 You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.
  • Page 228: Configuring The Host Mode

    You can enable periodic IEEE 802.1x client re-authentication and specify how often it occurs. If you do not specify a time period before enabling re-authentication, the number of seconds between attempts is 3600.
  • Page 229: Manually Re-Authenticating A Client Connected To A Port

    “Configuring Periodic Re-Authentication” section on page 10-26. This example shows how to manually re-authenticate the client connected to a port:
        Switch# dot1x re-authenticate interface gigabitethernet1/2
  • Page 230: Changing The Quiet Period

    Set the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request. The range is 1 to 65535 seconds; the default is 5.
  • Page 231: Setting The Switch-To-Client Frame-Retransmission Number

        Switch(config-if)# dot1x max-req 5
    Setting the Re-Authentication Number
    You can also change the number of times that the switch restarts the authentication process before the port changes to the unauthorized state.
  • Page 232: Configuring Ieee 802.1X Accounting

    To turn on these functions, enable logging of “Update/Watchdog packets from this AAA client” in your RADIUS server Network Configuration tab. Next, enable “CVS RADIUS Accounting” in your RADIUS server System Configuration tab.
  • Page 233: Configuring A Guest Vlan

    Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094. You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x guest VLAN.
    Step 6 Return to privileged EXEC mode.
  • Page 234: Configuring A Restricted Vlan

    (Optional) Save your entries in the configuration file. To disable and remove the restricted VLAN, use the no dot1x auth-fail vlan interface configuration command. The port returns to the unauthorized state.
  • Page 235 To return to the default value, use the no dot1x auth-fail max-attempts interface configuration command. This example shows how to set 2 as the number of authentication attempts allowed before the port moves to the restricted VLAN:
        Switch(config-if)# dot1x auth-fail max-attempts 2
  • Page 236: Configuring The Inaccessible Authentication Bypass Feature

    (Optional) Set the number of minutes that a RADIUS server is not sent requests. The range is from 0 to 1440 minutes (24 hours). The default is 0 minutes.
  • Page 237 Step 6 interface interface-id Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “IEEE 802.1x Authentication Configuration Guidelines” section on page 10-20.
  • Page 238: Configuring Ieee 802.1X Authentication With Wol

    By default, the port is bidirectional.
    • in: Sets the port as unidirectional. The port can send packets to the host but cannot receive packets from the host.
  • Page 239: Configuring Mac Authentication Bypass

    (Optional) Save your entries in the configuration file. To disable MAC authentication bypass, use the no dot1x mac-auth-bypass interface configuration command. This example shows how to enable MAC authentication bypass:
        Switch(config-if)# dot1x mac-auth-bypass
  • Page 240: Configuring Nac Layer 2 Ieee 802.1X Validation

    Beginning in privileged EXEC mode, follow these steps to configure authentication, authorization, accounting (AAA) and RADIUS on a switch before configuring web authentication. The steps enable AAA by using RADIUS authentication and enable device tracking.
  • Page 241
        Switch(config)# aaa authentication login default group radius
        Switch(config)# aaa authorization auth-proxy default group radius
        Switch(config)# radius-server host 1.1.1.2 key key1
        Switch(config)# radius-server attribute 8 include-in-access-req
        Switch(config)# radius-server vsa send authentication
        Switch(config)# ip device tracking
        Switch(config)# end
  • Page 242 Step 6 Return to privileged EXEC mode.
    Step 7 interface interface-id Specify the port to be configured, and enter interface configuration mode.
  • Page 243: Disabling Ieee 802.1X Authentication On The Port

    Disable IEEE 802.1x authentication on the port.
    Step 4 Return to privileged EXEC mode.
    Step 5 show dot1x interface interface-id Verify your entries.
    Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 244: Resetting The Ieee 802.1X Authentication Configuration To The Default Values

    EXEC command. For detailed information about the fields in these displays, see the command reference for this release.
  • Page 245: Understanding Interface Types

    Configuring Interface Characteristics
    This chapter defines the types of interfaces on the IE 3000 switch and describes how to configure them. The chapter consists of these sections:
    • Understanding Interface Types, page 11-1
    ...
  • Page 246: Port-Based Vlans

    VLAN assigned to the port. If an access port receives a tagged packet (IEEE 802.1Q tagged), the packet is dropped, and the source address is not learned.
  • Page 247: Trunk Ports

    Catalyst 6500 series switch; the IE 3000 switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 15, “Configuring Voice VLAN.”...
  • Page 248: Dual-Purpose Uplink Ports

    Dual-Purpose Uplink Ports
    Some IE 3000 switches support dual-purpose uplink ports. Each uplink port is considered as a single interface with dual front ends: an RJ-45 connector and a small form-factor pluggable (SFP) module connector. The dual front ends are not redundant interfaces, and the switch activates only one connector of the pair.
  • Page 249 You can identify physical interfaces by looking at the switch. You can also use the show privileged EXEC commands to display information about a specific interface or all the interfaces. The remainder of this chapter primarily provides physical interface configuration procedures.
  • Page 250: Procedures For Configuring Interfaces

    You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters. When you enter the interface-range configuration mode, all command parameters that you enter are attributed to all interfaces within that range until you exit this mode.
  • Page 251 You must add a space between the first interface number and the hyphen when using the interface range command. For example, the command interface range gigabitethernet1/1 - 2 is a valid range; the command interface range gigabitethernet1/1-2 is not a valid range.
  • Page 252: Configuring And Using Interface Range Macros

    Show the defined interface range macro configuration.
    Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
    Use the no define interface-range macro_name global configuration command to delete a macro.
  • Page 253 This example shows how to delete the interface-range macro enet_list and to verify that it was deleted.
        Switch# configure terminal
        Switch(config)# no define interface-range enet_list
        Switch(config)# end
        Switch# show run | include define
        Switch#
  • Page 254: Configuring Ethernet Interfaces

    “Configuring Protected Ports” section on page 22-6.
    Port security: Disabled. See the “Default Port Security Configuration” section on page 22-11.
    Port Fast: Disabled. See the “Default Optional Spanning-Tree Configuration” section on page 18-9.
  • Page 255: Setting The Type Of A Dual-Purpose Uplink Port

    Disabled on SFP module ports; enabled on all other ports.
    Setting the Type of a Dual-Purpose Uplink Port
    Some IE 3000 switches support dual-purpose uplink ports. By default, the switch dynamically selects the interface type that first links up. However, you can use the media-type interface configuration command to manually select the RJ-45 connector or the SFP module connector.
  • Page 256 SFP module interface. In all other situations, the switch selects the active link based on which type first links up.
  • Page 257: Configuring Interface Speed And Duplex Mode

    For information about which SFP modules are supported on your switch, see the product release notes.
    • If both ends of the line support autonegotiation, we highly recommend the default setting of auto negotiation.
  • Page 258: Setting The Interface Speed And Duplex Parameters

    Use the no speed and no duplex interface configuration commands to return the interface to the default speed and duplex settings (autonegotiate). To return all interface settings to the defaults, use the default interface interface-id interface configuration command.
  • Page 259: Configuring Ieee 802.3X Flow Control

    Note: IE 3000 ports can receive, but not send, pause frames. You use the flowcontrol interface configuration command to set the interface’s ability to receive pause frames to on, off, or desired. The default state is off.
  • Page 260: Configuring Auto-Mdix On An Interface

    Verify the operational state of the auto-MDIX feature on the interface. interface-id phy
    Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
    To disable auto-MDIX, use the no mdix auto interface configuration command.
  • Page 261: Adding A Description For An Interface

    You can increase the MTU size to support jumbo frames on all Gigabit Ethernet interfaces by using the system mtu jumbo global configuration command.
  • Page 262
        Switch# reload
    This example shows the response when you try to set Gigabit Ethernet interfaces to an out-of-range number:
        Switch(config)# system mtu jumbo 25000
        % Invalid input detected at '^' marker.
  • Page 263: Monitoring And Maintaining The Interfaces

    ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 264: Clearing And Resetting Interfaces And Counters

    Use the no shutdown interface configuration command to restart the interface. To verify that an interface is disabled, enter the show interfaces privileged EXEC command. A disabled interface is shown as administratively down in the display.
  • Page 265: Chapter 12 Configuring Smartports Macros

    Configuring Smartports Macros
    This chapter describes how to configure and apply Smartports macros on the IE 3000 switch.
    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 266: Configuring Smartports Macros

    PC, to a switch port.
    cisco-phone: Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
  • Page 267: Smartports Macro Configuration Guidelines

    • to the switch or interface. You can display the applied commands and macro names by using the show running-config user EXEC command. There are Cisco-default Smartports macros embedded in the switch software (see Table 12-1). You can display these macros and the commands they contain by using the show parser macro user EXEC command.
  • Page 268: Creating Smartports Macros

    Cisco-default macro with the required values by using the parameter value keywords. The Cisco-default macros use the $ character to help identify required keywords. There is no restriction on using the $ character to define keywords when you create a macro.
  • Page 269: Applying Smartports Macros

    You can delete a global macro-applied configuration on a switch only by entering the no version of each command that is in the macro. You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command.
  • Page 270: Applying Cisco-Default Smartports Macros

    Enter global configuration mode.
    Step 4 macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter...
    Append the Cisco-default macro with the required values by using the parameter value keywords and apply the macro to the switch.
  • Page 271 You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command. This example shows how to display the cisco-desktop macro, how to apply the macro, and to set the access VLAN ID to 25 on an interface:...
  • Page 272: Displaying Smartports Macros

    Displays a specific macro.
    show parser macro brief Displays the configured macro names.
    show parser macro description [interface interface-id] Displays the macro description for all interfaces or for a specified interface.
  • Page 273: Chapter 13 Configuring Vlans

    This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the IE 3000 switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS).
  • Page 274: Supported Vlans

    VLAN Configuration Guidelines” section on page 13-5 for more information about the number of spanning-tree instances and the number of VLANs. The switch supports only IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
  • Page 275: Vlan Port Membership Modes

    Configure the VMPS and the client with the same VTP domain name. To participate in VTP, at least one trunk...
    VMPS can be a Catalyst 5000 or Catalyst 6500 series switch, for example, but never an IE 3000 switch. The IE 3000 switch is a VMPS client.
  • Page 276: Configuring Normal-Range Vlans

    This section does not provide configuration details for most of these parameters. For complete information on the commands and parameters that control VLAN configuration, see the command reference for this release.
  • Page 277: Token Ring Vlans

    VLANs), the new VLAN is carried on all trunk ports. Depending on the topology of the network, this could create a loop in the new VLAN that would not be broken, particularly if there...
  • Page 278: Vlan Configuration Mode Options

    VTP mode is transparent, they are also saved in the switch running configuration file. You can enter the copy running-config startup-config privileged EXEC command to save the configuration in the startup configuration file. To display the VLAN configuration, enter the show vlan privileged EXEC command.
  • Page 279: Default Ethernet Vlan Configuration

    1 to 4294967294 VLAN ID)
    MTU size 1500 1500 to 18190
    Translational bridge 1 0 to 1005
    Translational bridge 2 0 to 1005
    VLAN state active active, suspend
    Remote SPAN disabled enabled, disabled
  • Page 280: Creating Or Modifying An Ethernet Vlan

    This example shows how to use config-vlan mode to create Ethernet VLAN 20, name it test20, and add it to the VLAN database:
        Switch# configure terminal
        Switch(config)# vlan 20
        Switch(config-vlan)# name test20
        Switch(config-vlan)# end
  • Page 281: Deleting A Vlan

    VTP transparent mode, the VLAN is deleted only on that specific switch. You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005.
  • Page 282: Assigning Static-Access Ports To A Vlan

    Assign the port to a VLAN. Valid VLAN IDs are 1 to 4094.
    Step 5 Return to privileged EXEC mode.
    Step 6 show running-config interface interface-id Verify the VLAN membership mode of the interface.
  • Page 283: Configuring Extended-Range Vlans

    Ethernet VLANs. You can change only the MTU size and the remote SPAN configuration state on extended-range VLANs; all other characteristics must remain at the default state.
  • Page 284: Extended-Range Vlan Configuration Guidelines

    Beginning in privileged EXEC mode, follow these steps to create an extended-range VLAN:
    Command Purpose
    Step 1 configure terminal Enter global configuration mode.
    Step 2 vtp mode transparent Configure the switch for VTP transparent mode, disabling VTP.
  • Page 285: Displaying Vlans

    Purpose
    show VLAN database configuration Display status of VLANs in the VLAN database.
    show current [vlan-id] VLAN database configuration Display status of all or the specified VLAN in the VLAN database.
  • Page 286: Configuring Vlan Trunks

    • To enable trunking to a device that does not support DTP, use the switchport mode trunk and switchport nonegotiate interface configuration commands to cause the interface to become a trunk but to not generate DTP frames.
  • Page 287: Ieee 802.1Q Configuration Considerations

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
  • Page 288: Default Layer 2 Ethernet Interface VLAN Configuration

    We recommend that you configure no more than 24 trunk ports in PVST mode and no more than 40 trunk ports in MST mode.
  • Page 289: Configuring A Trunk Port

    IEEE 802.1Q trunking.

        Switch# configure terminal
        Enter configuration commands, one per line. End with CNTL/Z.
        Switch(config)# interface gigabitethernet1/2
        Switch(config-if)# switchport mode dynamic desirable
        Switch(config-if)# end
  • Page 290: Defining The Allowed VLANs On A Trunk

    Note: VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
  • Page 291: Changing The Pruning-Eligible List

    VLAN configured for the port. The native VLAN is VLAN 1 by default. The native VLAN can be assigned any VLAN ID.
  • Page 292: Configuring Trunk Ports For Load Sharing

    • VLANs 3 through 6 retain the default port priority of 128 on Trunk 1.
    • VLANs 3 through 6 are assigned a port priority of 16 on Trunk 2.
  • Page 293 When the trunk links come up, VTP passes the VTP and VLAN information to Switch B. Verify that Switch B has learned the VLAN configuration. Step 15 (configure terminal): Enter global configuration mode on Switch A.
  • Page 294: Load Sharing Using STP Path Cost

    Enter global configuration mode on Switch A.
    Step 2 (interface gigabitethernet0/1): Define the interface to be configured as a trunk, and enter interface configuration mode.
    Step 3 (switchport mode trunk): Configure the port as a trunk port.
  • Page 295: Configuring VMPS

    • “Configuring the VMPS Client” section on page 13-25
    • “Monitoring the VMPS” section on page 13-28
    • “Troubleshooting Dynamic-Access Port VLAN Membership” section on page 13-29
    • “VMPS Configuration Example” section on page 13-29
  • Page 296: Understanding VMPS

    If the link goes down on a dynamic-access port, the port returns to an isolated state and does not belong to a VLAN. Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned to a VLAN.
  • Page 297: Default VMPS Client Configuration

    • The VLAN configured on the VMPS server should not be a voice VLAN.

    Configuring the VMPS Client
    You configure dynamic VLANs by using the VMPS (server). The switch can be a VMPS client; it cannot be a VMPS server.
  • Page 298: Entering The IP Address Of The VMPS

    Step 4 (switchport access vlan dynamic): Configure the port as eligible for dynamic VLAN membership. The dynamic-access port must be connected to an end station.
    Step 5: Return to privileged EXEC mode.
  • Page 299: Reconfirming VLAN Memberships

    Step 5 (copy running-config startup-config): (Optional) Save your entries in the configuration file.
    To return the switch to its default setting, use the no vmps reconfirm global configuration command.
  • Page 300: Changing The Retry Count

        Switch# show vmps
        VQP Client Status:
        --------------------
        VMPS VQP Version:
        Reconfirm Interval: 60 min
        Server Retry Count: 3
        VMPS domain server: 172.20.128.86 (primary, current)
                            172.20.128.87
        Reconfirmation status
        ---------------------
        VMPS Action: other
  • Page 301: Troubleshooting Dynamic-Access Port VLAN Membership

    • The Catalyst 6500 series Switch C and Switch J are secondary VMPS servers.
    • End stations are connected to the clients, Switch B and Switch I.
    • The database configuration file is stored on the TFTP server with the IP address 172.20.22.7.
  • Page 302 [Figure: VMPS example network diagram showing Switch E through Switch J, client Switch I with a dynamic-access port and a trunk port, and Catalyst 6500 series secondary VMPS Server 3 (Switch J)]
  • Page 303: Chapter 14 Configuring VTP

    Configuring VTP
    This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the IE 3000 switch.
    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 304: The VTP Domain

    For domain name and password configuration guidelines, see the “VTP Configuration Guidelines” section on page 14-8.
  • Page 305: VTP Modes

    Otherwise, the switch cannot receive any VTP advertisements. For more information on trunk ports, see the “Configuring VLAN Trunks” section on page 13-14. VTP advertisements distribute this global domain information:
    • VTP domain name
    • VTP configuration revision number
    • Update identity and update timestamp
  • Page 306: VTP Version 2

    VLANs 2 through 1001 are pruning eligible switch trunk ports. If the VLANs are configured as pruning-ineligible, the flooding continues. VTP pruning is supported with VTP Version 1 and Version 2.
  • Page 307 Enabling VTP pruning on a VTP server enables pruning for the entire management domain. Making VLANs pruning-eligible or pruning-ineligible affects pruning eligibility for those VLANs on that trunk only (not on all switches in the VTP domain).
  • Page 308: Default VTP Configuration

    VTP configuration.

    Table 14-2 Default VTP Configuration

    | Feature | Default Setting |
    | --- | --- |
    | VTP domain name | Null. |
    | VTP mode | Server. |
    | VTP version | Version 1 (Version 2 is disabled). |
    | VTP password | None. |
    | VTP pruning | Disabled. |
  • Page 309: VTP Configuration Options

    If VTP mode is transparent, the domain name and the mode (transparent) are saved in the switch running configuration, and you can save this information in the switch startup configuration file by entering the copy running-config startup-config privileged EXEC command.
  • Page 310: VTP Configuration Guidelines

    • A VTP Version 2-capable switch can operate in the same VTP domain as a switch running VTP Version 1 if Version 2 is disabled on the Version 2-capable switch (Version 2 is disabled by default).
  • Page 311: Configuration Requirements

    Step 5: Return to privileged EXEC mode.
    Step 6 (show vtp status): Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.
  • Page 312 This example shows how to use VLAN database configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:

        Switch# vlan database
        Switch(vlan)# vtp server
        Switch(vlan)# vtp domain eng_group
        Switch(vlan)# vtp password mypassword
        Switch(vlan)# exit
        APPLY completed.
        Exiting..
        Switch#
  • Page 313: Configuring A VTP Client

    VLAN database configuration command to return the switch to a no-password state. When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain.
  • Page 314: Disabling VTP (VTP Transparent Mode)

    VLAN database configuration command to return the switch to VTP server mode. If extended-range VLANs are configured on the switch, you cannot change VTP mode to server. You receive an error message, and the configuration is not allowed.
  • Page 315: Enabling VTP Version 2

    Note: You can also enable VTP Version 2 by using the vlan database privileged EXEC command to enter VLAN database configuration mode and by entering the vtp v2-mode VLAN database configuration command.
    To disable VTP Version 2, use the no vtp v2-mode VLAN database configuration command.
  • Page 316: Enabling VTP Pruning

    If you add a switch that has a revision number higher than the revision number in the VTP domain, it can erase all VLAN information from the VTP server and VTP domain.
  • Page 317 Note: You can use the vtp mode transparent global configuration command or the vtp transparent VLAN database configuration command to disable VTP on the switch, and then change its VLAN information without affecting the other switches in the VTP domain.
  • Page 318: Monitoring VTP

    EXEC commands for monitoring VTP activity.

    Table 14-3 VTP Monitoring Commands

    | Command | Purpose |
    | --- | --- |
    | show vtp status | Display the VTP switch configuration information. |
    | show vtp counters | Display counters about VTP messages that have been sent and received. |
  • Page 319: Chapter 15 Configuring Voice VLAN

    Configuring Voice VLAN
    This chapter describes how to configure the voice VLAN feature on the IE 3000 switch. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6500 family switch documentation.
  • Page 320: Cisco IP Phone Voice Traffic

    Cisco IP Phone Voice Traffic
    You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on...
  • Page 321: Configuring Voice VLAN

    For more information, see Chapter 32, “Configuring QoS.” You must enable CDP on the switch port connected to the Cisco IP Phone to send the configuration to the phone. (CDP is globally enabled by default on all switch interfaces.) The Port Fast feature is automatically enabled when voice VLAN is configured.
  • Page 322: Configuring A Port Connected To A Cisco 7960 IP Phone

    • If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN: –...
  • Page 323 Configuring Cisco IP Phone Voice Traffic You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value.
  • Page 324: Displaying Voice VLAN

    Configuring the Priority of Incoming Data Frames
    You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
  • Page 325 This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the IE3000 switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
  • Page 326: Configuring STP

    Note: The default is for the switch to send keepalive messages (to ensure the connection is up) only on interfaces that do not have small form-factor pluggable (SFP) modules. You can use the [no] keepalive interface configuration command to change the default for an interface.
  • Page 327: Spanning-Tree Topology And BPDUs

    LAN is called the designated port. All paths that are not needed to reach the root switch from anywhere in the switched network are placed in the spanning-tree blocking mode.
  • Page 328: Bridge ID, Switch Priority, And Extended System ID

    • Forwarding—The interface forwards frames.
    • Disabled—The interface is not participating in spanning tree because of a shutdown port, no link on the port, or no spanning-tree instance running on the port.
  • Page 329 In the learning state, the interface continues to block frame forwarding as the switch learns end-station location information for the forwarding database. When the forward-delay timer expires, spanning tree moves the interface to the forwarding state, where both learning and frame forwarding are enabled.
  • Page 330: Blocking State

    An interface in the forwarding state performs these functions:
    • Receives and forwards frames received on the interface
    • Forwards frames switched from another interface
    • Learns addresses
    • Receives BPDUs
  • Page 331: Disabled State

    Ethernet link. By changing the spanning-tree port priority on the Gigabit Ethernet port to a higher priority (lower numerical value) than the root port, the Gigabit Ethernet port becomes the new root port.
  • Page 332: Spanning Tree And Redundant Connectivity

    The accelerated aging is the same as the forward-delay parameter value (spanning-tree vlan vlan-id forward-time seconds global configuration command) when the spanning tree reconfigures.
  • Page 333: Spanning-Tree Modes And Protocols

    Spanning-Tree Modes and Protocols
    The switch supports these spanning-tree modes and protocols:
    • PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
  • Page 334: Spanning-Tree Interoperability And Backward Compatibility

    VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
  • Page 335: Default Spanning-Tree Configuration

    Spanning-tree VLAN port cost (configurable on a per-VLAN basis): 1000 Mb/s: 4. 100 Mb/s: 19. 10 Mb/s: 100.
    Spanning-tree timers: Hello time: 2 seconds. Forward-delay time: 15 seconds. Maximum-aging time: 20 seconds. Transmit hold count: 6 BPDUs
  • Page 336: Spanning-Tree Configuration Guidelines

    Configuration Guidelines” section on page 18-10.
    Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
  • Page 337: Changing The Spanning-Tree Mode

    (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree mode global configuration command. To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
  • Page 338: Disabling Spanning Tree

    ID support will become the root switch. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches running older software.
  • Page 339 Verify your entries. Step 5 (copy running-config startup-config): (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id root global configuration command.
  • Page 340: Configuring A Secondary Root Switch

    (higher numerical values) that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.
  • Page 341 To return to the default setting, use the no spanning-tree [vlan vlan-id] port-priority interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree port priorities, see the “Configuring Trunk Ports for Load Sharing” section on page 13-20.
  • Page 342: Configuring Path Cost

    The show spanning-tree interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration.
  • Page 343: Configuring The Switch Priority Of A VLAN

    Verify your entries.
    Step 5 (copy running-config startup-config): (Optional) Save your entries in the configuration file.
    To return to the default setting, use the no spanning-tree vlan vlan-id priority global configuration command.
  • Page 344: Configuring Spanning-Tree Timers

    Verify your entries.
    Step 5 (copy running-config startup-config): (Optional) Save your entries in the configuration file.
    To return to the default setting, use the no spanning-tree vlan vlan-id hello-time global configuration command.
  • Page 345: Configuring The Forwarding-Delay Time For A VLAN

    Verify your entries.
    Step 5 (copy running-config startup-config): (Optional) Save your entries in the configuration file.
    To return to the default setting, use the no spanning-tree vlan vlan-id max-age global configuration command.
  • Page 346: Configuring The Transmit Hold-Count

    You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 347: Chapter 17 Configuring MSTP

    Configuring MSTP
    This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the IE 3000 switch. The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard.
  • Page 348: Understanding MSTP

    Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST). All other MST instances are numbered from 1 to 4094.
  • Page 349: Operations Within An MST Region

    CST, which includes all MST regions and all legacy STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
  • Page 350 VLAN cost, and port VLAN priority) can be configured on both the CST instance and the MST instance. MSTP switches use Version 3 RSTP BPDUs or IEEE 802.1D STP BPDUs to communicate with legacy IEEE 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches.
  • Page 351: IEEE 802.1s Terminology

    IEEE 802.1s Terminology
    Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network. Because the CIST is the only spanning-tree instance that spans the whole network, only the CIST parameters require the external rather than the internal or regional qualifiers.
  • Page 352: Boundary Ports

    The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary, unless it is running in an STP-compatible mode.
  • Page 353: Interoperation Between Legacy And Standard Switches

    Detecting Unidirectional Link Failure
    This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
  • Page 354: Interoperability With IEEE 802.1D STP

    • Rapid Convergence, page 17-9
    • Synchronization of Port Roles, page 17-11
    • Bridge Protocol Data Unit Format and Processing, page 17-12

    For configuration information, see the “Configuring MSTP Features” section on page 17-13.
  • Page 355: Port Roles And The Active Topology

    Disabled Disabled Discarding

    To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state.

    Rapid Convergence
    The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
  • Page 356 [Figure: Proposal and Agreement Handshaking for Rapid Convergence. Legend: DP = designated port, RP = root port, F = forwarding]
  • Page 357: Synchronization Of Port Roles

    [Figure: Sequence of Events During Rapid Convergence. Labeled events: 1. Proposal, 2. Block, 3. Block, 4. Agreement, 5. Forward, 6. Proposal, 7. Proposal, 8. Agreement, 9. Forward, 10. Agreement, 11. Forward. Legend: edge port, root port, designated port]
  • Page 358: Bridge Protocol Data Unit Format And Processing

    RSTP sets the port to the blocking state but does not send the agreement message. The designated port continues sending BPDUs with the proposal flag set until the forward-delay timer expires, at which time the port transitions to the forwarding state.
  • Page 359: Processing Inferior BPDU Information

    • Default MSTP Configuration, page 17-14
    • MSTP Configuration Guidelines, page 17-14
    • Specifying the MST Region Configuration and Enabling MSTP, page 17-15 (required)
    • Configuring the Root Switch, page 17-17 (optional)
  • Page 360: Default MSTP Configuration

    • For two or more switches to be in the same MST region, they must have the same VLAN-to-instance map, the same configuration revision number, and the same name.
  • Page 361: Specifying The MST Region Configuration And Enabling MSTP

    Beginning in privileged EXEC mode, follow these steps to specify the MST region configuration and enable MSTP. This procedure is required.
    Step 1 (configure terminal): Enter global configuration mode.
    Step 2 (spanning-tree mst configuration): Enter MST configuration mode.
  • Page 362

        Switch(config)# spanning-tree mst configuration
        Switch(config-mst)# instance 1 vlan 10-20
        Switch(config-mst)# name region1
        Switch(config-mst)# revision 1
        Switch(config-mst)# show pending
        Pending MST configuration
        Name [region1]
        Revision
        Instance Vlans Mapped
        -------- ---------------------
  • Page 363: Configuring The Root Switch

    Note: After configuring the switch as the root switch, we recommend that you avoid manually configuring the hello time, forward-delay time, and maximum-age time through the spanning-tree mst hello-time, spanning-tree mst forward-time, and the spanning-tree mst max-age global configuration commands.
  • Page 364: Configuring A Secondary Root Switch

    You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command.
  • Page 365: Configuring Port Priority

    Enter global configuration mode.
    Step 2 (interface interface-id): Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces. The port-channel range is 1 to 6.
  • Page 366: Configuring Path Cost

    Enter global configuration mode.
    Step 2 (interface interface-id): Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces. The port-channel range is 1 to 6.
  • Page 367: Configuring The Switch Priority

    Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
  • Page 368: Configuring The Hello Time

    Verify your entries.
    Step 5 (copy running-config startup-config): (Optional) Save your entries in the configuration file.
    To return the switch to its default setting, use the no spanning-tree mst hello-time global configuration command.
  • Page 369: Configuring The Forwarding-Delay Time

    Verify your entries.
    Step 5 (copy running-config startup-config): (Optional) Save your entries in the configuration file.
    To return the switch to its default setting, use the no spanning-tree mst max-age global configuration command.
  • Page 370: Configuring The Maximum-Hop Count

    Verify your entries.
    Step 6 (copy running-config startup-config): (Optional) Save your entries in the configuration file.
    To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
  • Page 371: Designating The Neighbor Type

    To restart the protocol migration process (force the renegotiation with neighboring switches) on the switch, use the clear spanning-tree detected-protocols privileged EXEC command. To restart the protocol migration process on a specific interface, use the clear spanning-tree detected-protocols interface interface-id privileged EXEC command.
  • Page 372: Displaying The MST Configuration And Status

    Displays MST information for the specified interface. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 373 Configuring Optional Spanning-Tree Features This chapter describes how to configure optional spanning-tree features on the IE 3000 switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+).
  • Page 374: Understanding Optional Spanning-Tree Features

    To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.
  • Page 375: Understanding BPDU Filtering

    Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 18-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops.
  • Page 376 Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state.
  • Page 377: Understanding BackboneFast

    (an indirect link) has failed (that is, the designated switch has lost its connection to the root switch). Under spanning-tree rules, the switch ignores inferior BPDUs for the configured maximum aging time specified by the spanning-tree vlan vlan-id max-age global configuration command.
  • Page 378 Switch B to Switch A. The root-switch election takes approximately 30 seconds, twice the Forward Delay time if the default Forward Delay time of 15 seconds is set. Figure 18-6 shows how BackboneFast reconfigures the topology to account for the failure of link L1.
  • Page 379: Understanding EtherChannel Guard

    If the switch detects a misconfiguration on the other device, EtherChannel guard places the switch interfaces in the error-disabled state, and displays an error message. You can enable this feature by using the spanning-tree etherchannel guard misconfig global configuration command.
  • Page 380: Understanding Root Guard

    Desired root switch Enable the root-guard feature on these interfaces to prevent switches in the customer network from becoming the root switch or being in the path to the root.
  • Page 381: Understanding Loop Guard

    Globally disabled (unless they are individually configured per interface).
    UplinkFast: Globally disabled.
    BackboneFast: Globally disabled.
    EtherChannel guard: Globally enabled.
    Root guard: Disabled on all interfaces.
    Loop guard: Disabled on all interfaces.
  • Page 382: Optional Spanning-Tree Configuration Guidelines

    By default, Port Fast is disabled on all interfaces. Step 4 Return to privileged EXEC mode. Step 5 show spanning-tree interface interface-id portfast Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 383: Enabling Bpdu Guard

    Enable the Port Fast feature. Step 5 Return to privileged EXEC mode. Step 6 show running-config Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 384: Enabling Bpdu Filtering

    To disable BPDU filtering, use the no spanning-tree portfast bpdufilter default global configuration command. You can override the setting of the no spanning-tree portfast bpdufilter default global configuration command by using the spanning-tree bpdufilter enable interface configuration command.
  • Page 385: Enabling Uplinkfast For Use With Redundant Links

    Note: If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs. This feature is supported for use with third-party switches.
  • Page 386: Enabling Etherchannel Guard

    EXEC command to verify the EtherChannel configuration. After the configuration is corrected, enter the shutdown and no shutdown interface configuration commands on the port-channel interfaces that were misconfigured.
  • Page 387: Enabling Root Guard

    Beginning in privileged EXEC mode, follow these steps to enable loop guard. This procedure is optional. Command Purpose Step 1 show spanning-tree active Verify which interfaces are alternate or root ports. show spanning-tree mst Step 2 configure terminal Enter global configuration mode.
  • Page 388: Displaying The Spanning-Tree Status

    You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 389: Understanding Flex Links And The Mac Address-Table Move Update

    Configuring Flex Links and the MAC Address-Table Move Update Feature This chapter describes how to configure Flex Links, a pair of interfaces on the IE 3000 switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature.
  • Page 390: Vlan Flex Link Load Balancing And Support

    VLANs. This way, apart from providing the redundancy, this Flex Link pair can be used for load balancing. Also, Flex Link VLAN load-balancing does not impose any restrictions on uplink switches.
  • Page 391: Flex Link Multicast Fast Convergence

    When the backup link starts forwarding, to achieve faster convergence of multicast data, the downstream switch immediately sends proxy reports for all the learned groups on this port without waiting for a general query.
  • Page 392: Leaking Igmp Reports

    Gi1/1 Here is output for the show ip igmp snooping mrouter command for VLANs 1 and 401: Switch# show ip igmp snooping mrouter Vlan ports ---- ----- Gi1/5(dynamic), Gi1/2(dynamic) Gi1/5(dynamic), Gi1/2(dynamic)
  • Page 393 Gi1/1 This is output for the show ip igmp snooping mrouter command for VLAN 1 and 401: Switch# show ip igmp snooping mrouter Vlan ports ---- ----- Gi1/1(dynamic), Gi1/2(dynamic) Gi1/1(dynamic), Gi1/2(dynamic)
  • Page 394: Mac Address-Table Move Update

    100 milliseconds (ms). The PC is directly connected to switch A, and the connection status does not change. Switch A does not need to update the PC entry in the MAC address table.
  • Page 395: Configuring Flex Links And The Mac Address-Table Move Update

    • Configuration Guidelines, page 19-8 • Configuring Flex Links, page 19-9 • Configuring VLAN Load Balancing on Flex Links, page 19-11 • Configuring the MAC Address-Table Move Update Feature, page 19-12
  • Page 396: Default Configuration

    You can enable and configure this feature on the access switch to send the MAC address-table move updates. • You can enable and configure this feature on the uplink switches to receive the MAC address-table move updates.
  • Page 397: Configuring Flex Links

    Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 6.
  • Page 398 GigabitEthernet1/1 GigabitEthernet1/2 Active Up/Backup Standby Interface Pair : Gi1/1, Gi1/2 Preemption Mode : forced Preemption Delay : 50 seconds Bandwidth : 100000 Kbit (Gi1/1), 100000 Kbit (Gi1/2) Mac Address Move Update Vlan : auto
  • Page 399: Configuring Vlan Load Balancing On Flex Links

    Switch#show interfaces switchport backup Switch Backup Interface Pairs: Active Interface Backup Interface State ------------------------------------------------------------------------ GigabitEthernet1/1 GigabitEthernet1/2 Active Down/Backup Up Vlans Preferred on Active Interface: 1-50 Vlans Preferred on Backup Interface: 60, 100-120
  • Page 400: Configuring The Mac Address-Table Move Update Feature

    VLAN ID on the interface, which is used for sending the MAC address-table move update. When one link is forwarding traffic, the other interface is in standby mode.
  • Page 401 Enter global configuration mode. Step 2 mac address-table move update receive Enable the switch to get and process the MAC address-table move updates. Step 3 Return to privileged EXEC mode.
  • Page 402: Monitoring Flex Links And The Mac Address-Table Move Update

    When VLAN load balancing is enabled, the output displays the preferred VLANs on Active and Backup interfaces. show mac address-table move update Displays the MAC address-table move update information on the switch.
  • Page 403: Understanding Dhcp Features

    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release, and see the “DHCP Commands” section in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 404: Dhcp Server

    DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware address. If the addresses match (the default), the switch forwards the packet. If the addresses do not match, the switch drops the packet.
  • Page 405: Option-82 Data Insertion

    Note: The DHCP option-82 feature is supported only when DHCP snooping is globally enabled and on the VLANs to which subscriber devices using this feature are assigned.
  • Page 406
    • Circuit-ID suboption fields
      – Suboption type
      – Length of the suboption type
      – Circuit-ID type
      – Length of the circuit-ID type
    • Remote-ID suboption fields
      – Suboption type
  • Page 407: Dhcp Snooping Binding Database

    DHCP snooping might not prevent DHCP spoofing attacks. When reloading, the switch reads the binding file to build the DHCP snooping binding database. The switch updates the file when the database changes.
  • Page 408: Configuring Dhcp Features

    • DHCP Snooping Configuration Guidelines, page 20-7 • Configuring the DHCP Relay Agent, page 20-8 • Enabling DHCP Snooping and Option 82, page 20-9 • Enabling the DHCP Snooping Binding Database Agent, page 20-11
  • Page 409: Default Dhcp Configuration

    • DHCP server and the DHCP relay agent are configured and enabled. • When you globally enable DHCP snooping on the switch, these Cisco IOS commands are not available until snooping is disabled. If you enter these commands, the switch returns an error message, and the configuration is not applied.
  • Page 410: Configuring The Dhcp Relay Agent

    Enable the DHCP server and relay agent on your switch. By default, this feature is enabled. Step 3 Return to privileged EXEC mode. Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 411: Enabling Dhcp Snooping And Option 82

    To disable the DHCP server and relay agent, use the no service dhcp global configuration command. See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software >...
  • Page 412: Enabling The Cisco Ios Dhcp Server Database

    Switch(config-if)# ip dhcp snooping limit rate 100 Enabling the Cisco IOS DHCP Server Database For procedures to enable and configure the Cisco IOS DHCP server database, see the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 413: Enabling The Dhcp Snooping Binding Database Agent

    To delete binding entries from the DHCP snooping binding database, use the no ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id privileged EXEC command. Enter this command for each entry that you want to delete.
  • Page 414: Displaying Dhcp Snooping Information

    Displays the DHCP snooping statistics in summary or detail form. Note: If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the statically configured bindings.
  • Page 415: Understanding Igmp Snooping

    Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the “IP Multicast Routing Commands” section in the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 416: Igmp Versions

    Note: The switch supports IGMPv3 snooping based only on the destination multicast MAC address. It does not support snooping based on the source MAC address or on proxy reports.
  • Page 417: Joining A Multicast Group

    The host associated with that interface receives multicast traffic for that multicast group. See Figure 21-1. [Figure 21-1: Initial IGMP Join Message]
  • Page 418 [Figure: Router A, VLAN, forwarding table, Host 1 through Host 4] Table 21-2 Updated IGMP Snooping Forwarding Table. Destination Address: 224.1.2.3; Type of Packet: IGMP; Ports: 1, 2, 5
  • Page 419: Leaving A Multicast Group

    21-10. IGMP Report Suppression. Note: IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.
  • Page 420: Configuring Igmp Snooping

    Enabled globally and per VLAN Multicast routers None configured Multicast router learning (snooping) method PIM-DVMRP IGMP snooping Immediate Leave Disabled Static groups None configured flood query count TCN query solicitation Disabled
  • Page 421: Enabling Or Disabling Igmp Snooping

    (Optional) Save your entries in the configuration file. To disable IGMP snooping on a VLAN interface, use the no ip igmp snooping vlan vlan-id global configuration command for the specified VLAN number.
  • Page 422: Setting The Snooping Method

    • Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets • Listening to Cisco Group Management Protocol (CGMP) packets from other routers • Statically connecting to a multicast router port with the ip igmp snooping mrouter global...
  • Page 423: Configuring A Multicast Router Port

    IP address. • interface-id is the member port. It can be a physical interface or a port channel (1 to 6). Step 3 Return to privileged EXEC mode.
  • Page 424: Enabling Igmp Immediate Leave

    Follow these guidelines when configuring the IGMP leave timer: • You can configure the leave time globally or on a per-VLAN basis. • Configuring the leave time on a VLAN overrides the global setting.
  • Page 425: Configuring Tcn-Related Commands

    1 general query. If you set the count to 7, the flooding continues until 7 general queries are received. Groups are relearned based on the general queries received during the TCN event.
  • Page 426: Recovering From Flood Mode

    If the switch has many ports with attached hosts that are subscribed to different multicast groups, this flooding might exceed the capacity of the link and cause packet loss. You can use the ip igmp snooping tcn flood interface configuration command to control this behavior.
  • Page 427: Configuring The Igmp Snooping Querier

    Beginning in privileged EXEC mode, follow these steps to enable the IGMP snooping querier feature in a VLAN: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip igmp snooping querier Enable the IGMP snooping querier.
  • Page 428: Disabling Igmp Report Suppression

    Disabling IGMP Report Suppression. Note: IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.
  • Page 429: Displaying Igmp Snooping Information

    • command options instead of the actual entries. • dynamic—Display entries learned through IGMP snooping. • user—Display only the user-configured multicast entries.
  • Page 430: Understanding Multicast Vlan Registration

    MVR reacts only to join and leave messages from multicast groups configured under MVR. Join and leave messages from all other multicast groups are managed by IGMP snooping.
  • Page 431: Using Mvr In A Multicast Television Application

    VLAN as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN. Uplink ports that send and receive multicast data to and from the multicast VLAN are called MVR source ports.
  • Page 432 Multicast traffic for all channels is only sent around the VLAN trunk once—only on the multicast VLAN. The IGMP leave and join messages are in the VLAN to which the subscriber port is assigned.
  • Page 433: Configuring Mvr

    (that is, the maximum number of television channels that can be received) is 256. • MVR multicast data received in the source VLAN and leaving from receiver ports has its time-to-live (TTL) decremented by 1 in the switch.
  • Page 434: Configuring Mvr Global Parameters

    Step 7 Return to privileged EXEC mode. Step 8 show mvr or show mvr members Verify the configuration. Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 435: Configuring Mvr Interfaces

    Note: This command applies to only receiver ports and should only be enabled on receiver ports to which a single receiver device is connected. Step 7 Return to privileged EXEC mode.
  • Page 436: Displaying Mvr Information

    If the members keyword is entered, displays all multicast group members on this port or, if a VLAN identification is entered, all multicast group members on the VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.
  • Page 437: Configuring Igmp Filtering And Throttling

    • Configuring IGMP Profiles, page 21-24 (optional) • Applying IGMP Profiles, page 21-25 (optional) • Setting the Maximum Number of IGMP Groups, page 21-26 (optional) • Configuring the IGMP Throttling Action, page 21-26 (optional)
  • Page 438: Default Igmp Filtering And Throttling Configuration

    | deny (Optional) Set the action to permit or deny access to the IP multicast address. If no action is configured, the default for the profile is to deny access.
  • Page 439: Applying Igmp Profiles

    Apply the specified IGMP profile to the interface. The range is 1 to 4294967295. Step 4 Return to privileged EXEC mode. Step 5 show running-config interface interface-id Verify the configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 440: Setting The Maximum Number Of Igmp Groups

    Use the no form of this command to return to the default, which is to drop the IGMP join report.
  • Page 441 (Optional) Save your entries in the configuration file. To return to the default action of dropping the report, use the no ip igmp max-groups action interface configuration command.
  • Page 442: Displaying Igmp Filtering And Throttling Configuration

    interface-id] Displays the configuration of the specified interface or the configuration of all interfaces on the switch, including (if configured) the maximum number of IGMP groups to which an interface can belong and the IGMP profile applied to the interface.
  • Page 443: Configuring Storm Control

    Configuring Port-Based Traffic Control. This chapter describes how to configure the port-based traffic control features on the IE 3000 switch. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 444 Note: When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. The graph in Figure 22-1 shows broadcast traffic patterns on an interface over a given period of time.
  • Page 445: Default Storm Control Configuration

    Beginning in privileged EXEC mode, follow these steps to configure storm control and threshold levels: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode.
  • Page 446 Select the shutdown keyword to error-disable the port during a storm. • Select the trap keyword to generate an SNMP trap when a storm is detected. Step 5 Return to privileged EXEC mode.
  • Page 447: Configuring Small-Frame Arrival Rate

    Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by the switch, but they do not cause the switch storm-control counters to increment. In Cisco IOS Release 12.2(44)SE and later, you can configure a port to be error disabled if small frames arrive at a specified rate (threshold).
  • Page 448: Configuring Protected Ports

    • Default Protected Port Configuration, page 22-6 • Protected Port Configuration Guidelines, page 22-7 • Configuring a Protected Port, page 22-7 Default Protected Port Configuration. The default is to have no protected ports defined.
  • Page 449: Protected Port Configuration Guidelines

    • Blocking Flooded Traffic on an Interface, page 22-8 Default Port Blocking Configuration. The default is to not block flooding of unknown multicast and unicast traffic out of a port, but to flood these packets to all ports.
  • Page 450: Blocking Flooded Traffic On An Interface

    These sections contain this conceptual and configuration information: • Understanding Port Security, page 22-9 • Default Port Security Configuration, page 22-11 • Port Security Configuration Guidelines, page 22-11
  • Page 451: Understanding Port Security

    MAC addresses allowed in the system. This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.
  • Page 452: Security Violations

    1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses. 2. The switch returns an error message if you manually configure an address that would cause a security violation. 3. Shuts down only the VLAN on which the violation occurred.
  • Page 453: Default Port Security Configuration

    IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
  • Page 454: Enabling And Configuring Port Security

    Step 4 switchport voice vlan vlan-id Enable voice VLAN on a port. vlan-id—Specify the VLAN to be used for voice traffic. Step 5 switchport port-security Enable port security on the interface.
  • Page 455 The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.
  • Page 456 You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command.
  • Page 457 VLAN. Step 11 Return to privileged EXEC mode. Step 12 show port-security Verify your entries. Step 13 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 458 Switch(config-if)# switchport mode access Switch(config-if)# switchport voice vlan 22 Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security maximum 20 Switch(config-if)# switchport port-security violation restrict Switch(config-if)# switchport port-security mac-address sticky Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
  • Page 459: Enabling And Configuring Port Security Aging

    Step 4 Return to privileged EXEC mode. Step 5 show port-security [interface interface-id] [address] Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 460: Displaying Port-Based Traffic Control Settings

    [interface interface-id] address Displays all secure MAC addresses configured on all switch interfaces or on a specified interface with aging information for each address. show port-security interface interface-id vlan Displays the number of secure MAC addresses configured per VLAN on the specified interface.
  • Page 461: Chapter 23 Configuring Lldp And Lldp-Med

    Understanding LLDP-MED, page 23-2 Understanding LLDP The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches). CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network.
  • Page 462: Understanding Lldp-Med

    Allows an endpoint to send detailed inventory information about itself to the switch, including hardware revision, firmware version, software version, serial number, manufacturer name, model name, and asset ID TLV.
  • Page 463: Configuring Lldp And Lldp-Med

    LLDP reinitialization delay: 2 seconds. LLDP tlv-select: Disabled to send and receive all TLVs. LLDP interface state: Disabled. LLDP receive: Disabled. LLDP transmit: Disabled. LLDP med-tlv-select: Disabled to send all LLDP-MED TLVs.
  • Page 464: Configuring Lldp Characteristics

    Disabling and Enabling LLDP Globally LLDP is disabled by default. Beginning in privileged EXEC mode, follow these steps to globally disable LLDP: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 465: Disabling And Enabling Lldp On An Interface

    No LLDP packets are received on the interface. Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 466: Configuring Lldp-Med Tlvs

    Step 3 no lldp med-tlv-select tlv Specify the TLV to disable. Step 4 Return to privileged EXEC mode. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 467: Monitoring And Maintaining Lldp And Lldp-Med

    You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information. show lldp traffic Display LLDP counters, including the number of packets sent and received, number of packets discarded, and number of unrecognized TLVs.
  • Page 468 Chapter 23 Configuring LLDP and LLDP-MED
  • Page 469: Chapter 24 Configuring Cdp

    • Understanding CDP CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 470: Configuring Cdp

    The range is 10 to 255 seconds; the default is 180 seconds. Step 4 cdp advertise-v2 (Optional) Configure CDP to send Version-2 advertisements. This is the default state. Step 5 Return to privileged EXEC mode.
  • Page 471: Disabling And Enabling Cdp

    24-4. Disabling and Enabling CDP. CDP is enabled by default. Note: Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 6, “Clustering Switches”...
  • Page 472: Disabling And Enabling Cdp On An Interface

    Reset the traffic counters to zero. clear cdp table Delete the CDP table of information about neighbors. show cdp Display global information, such as frequency of transmissions and the holdtime for packets being sent.
  • Page 473 You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information. show cdp traffic Display CDP counters, including the number of packets sent and received and checksum errors.
  • Page 474 Chapter 24 Configuring CDP Monitoring and Maintaining CDP
  • Page 475: Chapter 25 Configuring Udld

    A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device.
  • Page 476: Methods To Detect Unidirectional Links

    UDLD sends at least one message to inform the neighbors to flush the part of their caches affected by the status change. The message is intended to keep the caches synchronized.
  • Page 477: Configuring Udld

    • Default UDLD Configuration, page 25-4
    • Configuration Guidelines, page 25-4
    • Enabling UDLD Globally, page 25-5
    • Enabling UDLD on an Interface, page 25-5
    • Resetting an Interface Disabled by UDLD, page 25-6
  • Page 478: Default Udld Configuration

    both sides of the link.
    Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
  • Page 479: Enabling Udld Globally

    UDLD on a port:
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 interface interface-id: Specify the port to be enabled for UDLD, and enter interface configuration mode.
  • Page 480: Resetting An Interface Disabled By Udld

    To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
  • Page 481: Chapter 26 Configuring Span And Rspan

    You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.
  • Page 482: Local Span

    VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN source switch must have either ports or VLANs as RSPAN sources. The destination is always a physical port, as shown on Switch C in the figure.
  • Page 483: Span And Rspan Concepts And Terminology

    RSPAN VLAN. To configure an RSPAN destination session on another device, you associate the destination port with the RSPAN VLAN. The destination session collects all RSPAN VLAN traffic and sends it out the RSPAN destination port.
  • Page 484: Monitored Traffic

    SPAN; the destination port receives a copy of the packet even if the actual incoming packet is dropped. These features include IP standard and extended input access control lists (ACLs), ingress QoS policing, and egress QoS policing.
  • Page 485: Source Ports

    The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
  • Page 486: Source Vlans

    Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user, usually a network analyzer.
  • Page 487: Rspan Vlan

    • RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN configuration mode command.
    • STP can run on RSPAN VLAN trunks but not on SPAN destination ports.
  • Page 488: Span And Rspan Interaction With Other Features

    For SPAN sessions, do not enable port security on ports with monitored egress when ingress forwarding is enabled on the destination port. For RSPAN source sessions, do not enable port security on any ports with monitored egress.
  • Page 489: Configuring Span And Rspan

    • SPAN Configuration Guidelines, page 26-10
    • Creating a Local SPAN Session, page 26-10
    • Creating a Local SPAN Session and Configuring Incoming Traffic, page 26-13
    • Specifying VLANs to Filter, page 26-14
  • Page 490: Span Configuration Guidelines

    | remote} For session_number, the range is 1 to 66. Specify all to remove all SPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.
  • Page 491 If not selected, the default is to send packets in native form (untagged).
    Note: You can use monitor session session_number destination command multiple times to configure multiple destination ports.
  • Page 492
    Switch(config)# no monitor session 2
    Switch(config)# monitor session 2 source vlan 1 - 3 rx
    Switch(config)# monitor session 2 destination interface gigabitethernet1/2
    Switch(config)# monitor session 2 source vlan 10
    Switch(config)# end
  • Page 493: Creating A Local Span Session And Configuring Incoming Traffic

    VLANs and the destination ports, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating a Local SPAN Session”...
  • Page 494: Specifying Vlans To Filter

    (Optional) Use a comma (,) to specify a series of VLANs, or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.
  • Page 495: Configuring Rspan

    • Creating an RSPAN Source Session, page 26-17
    • Creating an RSPAN Destination Session, page 26-19
    • Creating an RSPAN Destination Session and Configuring Incoming Traffic, page 26-20
    • Specifying VLANs to Filter, page 26-21
  • Page 496: Rspan Configuration Guidelines

    Use VTP pruning to get an efficient flow of RSPAN traffic, or manually delete the RSPAN VLAN from all trunks that do not need to carry the RSPAN traffic.
  • Page 497: Creating An Rspan Source Session

    | remote} For session_number, the range is 1 to 66. Specify all to remove all RSPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.
  • Page 498
    Switch(config)# monitor session 1 source interface gigabitethernet1/1 tx
    Switch(config)# monitor session 1 source interface gigabitethernet1/2 rx
    Switch(config)# monitor session 1 source interface port-channel 2
    Switch(config)# monitor session 1 destination remote vlan 901
    Switch(config)# end
  • Page 499: Creating An Rspan Destination Session

    To remove a destination port from the SPAN session, use the no monitor session session_number destination interface interface-id global configuration command. To remove the RSPAN VLAN from the session, use the no monitor session session_number source remote vlan vlan-id.
  • Page 500: Creating An Rspan Destination Session And Configuring Incoming Traffic

    RSPAN VLAN and the destination port, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating an RSPAN Destination...
  • Page 501: Specifying Vlans To Filter

    (Optional) Use a comma (,) to specify a series of VLANs or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.
  • Page 502: Displaying Span And Rspan Status

    To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
  • Page 503: Chapter 27 Configuring Rmon

    Configuring RMON
    This chapter describes how to configure Remote Network Monitoring (RMON) on the IE 3000 switch. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes.
  • Page 504: Configuring Rmon

    • Configuring RMON Alarms and Events, page 27-3 (required)
    • Collecting Group History Statistics on an Interface, page 27-5 (optional)
    • Collecting Group Ethernet Statistics on an Interface, page 27-5 (optional)
  • Page 505: Default Rmon Configuration

    2147483647.
    • (Optional) For event-number, specify the event number to trigger when the rising or falling threshold exceeds its limit.
    • (Optional) For owner string, specify the owner of the alarm.
  • Page 506 This example also generates an SNMP trap when the event is triggered.
    Switch(config)# rmon event 1 log trap eventtrap description "High ifOutErrors" owner jjones
  • Page 507: Collecting Group History Statistics On An Interface

    This procedure is optional.
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 interface interface-id: Specify the interface on which to collect statistics, and enter interface configuration mode.
  • Page 508: Displaying Rmon Status

    For information about the fields in these displays, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 509: Chapter 28 Configuring System Message Logging

    Configuring System Message Logging
    This chapter describes how to configure system message logging on the IE 3000 switch.
    Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 510: Configuring System Message Logging

    The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command.
  • Page 511: Default System Message Logging Configuration

    System message logging to the console: Enabled.
    Console severity: Debugging (and numerically lower levels; see Table 28-3 on page 28-9).
    Logging file configuration: No filename specified.
    Logging buffer size: 4096 bytes.
    Logging history size: 1 message.
  • Page 512: Disabling Message Logging

    When this command is enabled, messages appear only after you press Return. For more information, see the “Synchronizing Log Messages” section on page 28-6. To re-enable message logging after it has been disabled, use the logging on global configuration command.
  • Page 513: Setting The Message Display Destination Device

    You must perform this step for each session to see the debugging messages.
    Step 7 show running-config: Verify your entries.
    Step 8 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 514: Synchronizing Log Messages

    Or you can change the setting of the single vty line being used for your current connection. For example, to change the setting for vty line 2, enter:
    line vty 2
    When you enter this command, the mode changes to line configuration.
  • Page 515: Enabling And Disabling Time Stamps On Log Messages

    To disable time stamps for both debug and log messages, use the no service timestamps global configuration command. This example shows part of a logging display with the service timestamps log datetime global configuration command enabled:
    *Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
  • Page 516: Enabling And Disabling Sequence Numbers In Log Messages

    Table 28-3 on page 28-9).
    Step 3 logging monitor level: Limit messages logged to the terminal lines. By default, the terminal receives debugging messages and numerically lower levels (see Table 28-3 on page 28-9).
  • Page 517 Technical Assistance Center.
    • Interface up or down transitions and system restart messages, displayed at the notifications level. This message is only for information; switch functionality is not affected.
  • Page 518: Limiting Syslog Messages Sent To The History Table And To Snmp

    You can configure the size of the configuration log from 1 to 1000 entries (the default is 100). You can clear the log at any time by entering the no logging enable command followed by the logging enable command to disable and reenable logging.
  • Page 519 [end-number] | statistics} [provisioning] privileged EXEC command to display the complete configuration log or the log for specified parameters. The default is that configuration logging is disabled. For information about the commands, see the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3 T at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a8086.html#wp1114989...
  • Page 520: Configuring Unix Syslog Servers

    Log messages to a UNIX syslog server host by entering its IP address. To build a list of syslog servers that receive logging messages, enter this command more than once.
  • Page 521: Displaying The Logging Configuration

    To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 522 Chapter 28 Configuring System Message Logging: Displaying the Logging Configuration
  • Page 523: Chapter 29 Configuring Snmp

    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
    This chapter consists of these sections:
    • Understanding SNMP, page 29-1...
  • Page 524: Snmp Versions

    A combination of the security level and the security model determine which security mechanism is used when handling an SNMP packet. Available security models are SNMPv1, SNMPv2C, and SNMPv3.
  • Page 525: Snmp Manager Functions

    • Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS. The SNMP agent changes the value of the MIB variable to the value requested by the NMS.
  • Page 526: Snmp Community Strings

    (@esN, where N is the switch number) to the first configured RW and RO community strings on the command switch and propagates them to the member switches. For more information, see Chapter 6, “Clustering Switches” and see Getting Started with Cisco Network Assistant, available on Cisco.com.
    Using SNMP to Access MIB Variables
    An example of an NMS is the CiscoWorks network management software.
  • Page 527: Snmp Notifications

    Physical (such as Gigabit Ethernet or SFP-module interfaces): 10000–14500
    Null: 14501
    1. SVI = switch virtual interface
    2. SFP = small form-factor pluggable
    Note: The switch might not use sequential values within a range.
  • Page 528: Configuring Snmp

    An SNMP group is a table that maps SNMP users to SNMP views. An SNMP user is a member of an SNMP group. An SNMP host is the recipient of an SNMP trap operation. An SNMP engine ID is a name for the local or remote SNMP engine.
  • Page 529: Disabling The Snmp Agent

    The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
  • Page 530: Configuring Community Strings

    MIB objects. By default, the community string permits read-only access to all objects.
    • (Optional) For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.
  • Page 531: Configuring Snmp Groups And Users

    You can specify an identification name (engine ID) for the local or remote SNMP server engine on the switch. You can configure an SNMP server group that maps SNMP users to SNMP views, and you can add new users to the SNMP group.
  • Page 532 64 characters) that is the name of the view in which you specify a notify, inform, or trap.
    • (Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.
  • Page 533: Configuring Snmp Notifications

    A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers. Note Many commands use the word traps in the command syntax.
  • Page 534 Generates a trap for Open Shortest Path First (OSPF) changes. You can enable any or all of these traps: Cisco specific, errors, link-state advertisement, rate limit, retransmit, and state changes. Generates a trap for Protocol-Independent Multicast (PIM) changes. You can enable any or all of these traps: invalid PIM messages, neighbor changes, and rendezvous point (RP)-mapping changes.
  • Page 535 Step 4 snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]: Configure an SNMP group.
  • Page 536 1000; the default is 30 seconds.
    Step 10 Return to privileged EXEC mode.
    Step 11 show running-config: Verify your entries.
    Step 12 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 537: Setting The Agent Contact And Location Information

    access-list-number: Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list. For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.
  • Page 538: Snmp Examples

    This example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.
  • Page 539: Displaying Snmp Status

    Switch(config)# snmp-server enable traps entity
    Switch(config)# snmp-server host cisco.com restricted entity
    This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public:
    Switch(config)# snmp-server enable traps
    Switch(config)# snmp-server host myhost.cisco.com public...
  • Page 540 Chapter 29 Configuring SNMP: Displaying SNMP Status
  • Page 541: Chapter 30 Configuring Network Security With Acls

    Configuring Network Security with ACLs
    This chapter describes how to configure network security on the IE 3000 switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists.
  • Page 542: Port Acls

    2 input would allow Host A to access the Human Resources network, but prevent Host B from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.
  • Page 543: Handling Fragmented And Unfragmented Traffic

    TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4 information might have been.
    • Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information.
  • Page 544: Configuring Ipv4 Acls

    ACEs were checking different hosts.
    Configuring IPv4 ACLs
    Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, see the “Configuring IP Services”...
  • Page 545: Creating Standard And Extended Ipv4 Acls

    • Resequencing ACEs in an ACL, page 30-12
    • Creating Named Standard and Extended ACLs, page 30-12
    • Using Time Ranges with ACLs, page 30-14
    • Including Comments in ACLs, page 30-15
  • Page 546: Access List Numbers

    IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list.
  • Page 547: Creating A Numbered Standard Acl

    Switch(config)# access-list 2 deny host 171.69.198.102
    Switch(config)# access-list 2 permit any
    Switch(config)# end
    Switch# show access-lists
    Standard IP access list 2
    10 deny 171.69.198.102
    20 permit any
  • Page 548: Creating A Numbered Extended Acl

    For more details on the specific keywords for each protocol, see these command references:
    • Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2
    • Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2
    ...
  • Page 549 0.0.0.0 [fragments] [time-range 255.255.255.255. time-range-name] [dscp dscp] You can use the any keyword in place of source and destination address and wildcard.
  • Page 550 TCP port. To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP.
  • Page 551 ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. Step access-list access-list-number (Optional) Define an extended IGMP access list and the access conditions.
  • Page 552: Resequencing Aces In An Acl

    permit {source [source-wildcard] | host source | any}
    • host source—A source and source wildcard of source 0.0.0.0.
    • any—A source and source wildcard of 0.0.0.0 255.255.255.255.
  • Page 553 Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead of numbered ACLs. After creating a named ACL, you can apply it to interfaces (see the “Applying an IPv4 ACL to an Interface” section on page 30-16).
  • Page 554: Using Time Ranges With Acls

    This example shows how to configure time ranges for workhours and to configure January 1, 2006, as a company holiday and to verify your configuration.
    Switch(config)# time-range workhours
    Switch(config-time-range)# periodic weekdays 8:00 to 12:00
    Switch(config-time-range)# periodic weekdays 13:00 to 17:00
    Switch(config-time-range)# exit
  • Page 555: Including Comments In Acls

    Smith is not allowed access:
    Switch(config)# access-list 1 remark Permit only Jones workstation through
    Switch(config)# access-list 1 permit 171.69.2.88
    Switch(config)# access-list 1 remark Do not allow Smith through
    Switch(config)# access-list 1 deny 171.69.3.13
  • Page 556: Applying An Ipv4 Acl To A Terminal Line

    This section describes how to apply IPv4 ACLs to network interfaces. Note these guidelines:
    • Apply an ACL only to inbound Layer 2 interfaces.
    • When controlling access to an interface, you can use a named or numbered ACL.
  • Page 557: Hardware And Software Treatment Of Ip Acls

    This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2 and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
  • Page 558: Numbered Acls

    TCP traffic. It permits any other IP traffic.
    Switch(config)# ip access-list extended marketing_group
    Switch(config-ext-nacl)# permit tcp any 171.69.0.0 0.0.255.255 eq telnet
    Switch(config-ext-nacl)# deny tcp any any
    Switch(config-ext-nacl)# permit ip any any
    Switch(config-ext-nacl)# exit
  • Page 559: Time Range Applied To An Ip Acl

    You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs.
  • Page 560
    Switch(config)# mac access-list extended mac1
    Switch(config-ext-macl)# deny any any decnet-iv
    Switch(config-ext-macl)# permit any any
    Switch(config-ext-macl)# end
    Switch# show access-lists
    Extended MAC access list mac1
    10 deny any any decnet-iv
    20 permit any any
  • Page 561: Applying A Mac Acl To A Layer 2 Interface

    ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets. Remember this behavior if you use undefined ACLs for network security.
  • Page 562: Displaying Ipv4 Acl Configuration

    MAC and IP access lists and which access groups are applied to an interface.
    show mac access-group [interface interface-id]: Displays MAC access lists applied to all Layer 2 interfaces or the specified Layer 2 interface.
  • Page 563: Chapter 31 Configuring Cisco Ios Ip Slas Operations

    Configuring Cisco IOS IP SLAs Operations
    This chapter describes how to use Cisco IOS IP Service Level Agreements (SLAs) on the IE 3000 switch. Cisco IP SLAs is a part of Cisco IOS software that allows Cisco customers to analyze IP service levels for IP applications and services by using active traffic monitoring—the generation of traffic in a...
  • Page 564: Using Cisco Ios Ip Slas To Measure Network Performance

    Virtual Private Network (VPN) routing/forwarding instance (VRF), and URL web address. Because Cisco IP SLAs is Layer 2 transport independent, you can configure end-to-end operations over disparate networks to best reflect the metrics that an end user is likely to experience. IP SLAs collects a...
  • Page 565 Schedule the operation to run, then let the operation run for a period of time to gather statistics. Display and interpret the results of the operation using the Cisco IOS CLI or a network management system (NMS) system with SNMP.
  • Page 566: Ip Slas Responder And Ip Slas Control Protocol

    Note: The IP SLAs responder can be a Cisco IOS Layer 2, responder-configurable switch, such as a Catalyst 2960 or Cisco ME 2400 switch, or a Catalyst 3560 or 3750 switch running the IP base image. The responder does not need to support full IP SLAs functionality.
  • Page 567: Configuring Ip Slas Operations

    This section does not include configuration information for all available operations as the configuration information details are included in the Cisco IOS IP SLAs Configuration Guide. It includes only the procedure for configuring the responder, as the switch includes only responder support.
  • Page 568: Configuring The Ip Slas Responder

    The IP SLAs responder is available only on Cisco IOS software-based devices, including some Layer 2 switches that do not support full IP SLAs functionality, such as the Catalyst 2960 or the Cisco ME 2400 switch. Beginning in privileged EXEC mode, follow these steps to configure the IP SLAs responder on...
  • Page 569: Chapter 32 Configuring Qos

    This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the IE 3000 switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size.
  • Page 570 [Figure: field layouts of a Layer 2 frame (3 bits used for CoS, user priority) and a Layer 3 IPv4 packet (IP precedence or DSCP).]
  • Page 571: Basic Qos Model

    • which of the four egress queues to use. Because congestion can occur when multiple ingress ports simultaneously send data to an egress port, WTD differentiates traffic classes and subjects the...
  • Page 572: Classification

    CoS value and generates an internal DSCP value from the CoS-to-DSCP map. The switch uses the internal DSCP value to generate a CoS value representing the priority of the traffic.
  • Page 573 For configuration information on port trust states, see the “Configuring Classification Using Port Trust States” section on page 32-31. After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages. Cisco IE 3000 Switch Software Configuration Guide 32-5 OL-13018-01...
  • Page 574: Classification Based On QoS ACLs

    Note: When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.
  • Page 575: Classification Based On Class Maps And Policy Maps

    To enable the policy map, you attach it to a port by using the service-policy interface configuration command. For more information, see the “Policing and Marking” section on page 32-8. For configuration information, see the “Configuring a QoS Policy” section on page 32-38.
  • Page 576: Policing And Marking

    If the burst is short, the bucket does not overflow, and no action is taken against the traffic flow. However, if a burst is long and at a higher rate, the bucket overflows, and the policing actions are taken against the frames in that burst.
  • Page 577 [Figure: policing and marking flowchart. Recoverable labels: check out-of-profile action configured for this policer (pass through, drop, mark); drop packet; modify DSCP according to the policed-DSCP map; generate a new QoS label; done.]
  • Page 578: Mapping Tables

    Scheduling on Ingress Queues” section on page 32-13. For information about the DSCP and CoS output queue threshold maps, see the “Queueing and Scheduling on Egress Queues” section on page 32-14.
  • Page 579: Queueing And Scheduling Overview

    Suppose the queue is already filled with 600 frames, and a new frame arrives. It contains CoS values 4 and 5 and is subjected to the 60-percent threshold. If this frame is added to the queue, the threshold will be exceeded, so the switch drops it.
  • Page 580: SRR Shaping And Sharing

    “Allocating Bandwidth Between the Ingress Queues” section on page 32-58, the “Configuring SRR Shaped Weights on Egress Queues” section on page 32-64, and the “Configuring SRR Shared Weights on Egress Queues” section on page 32-65.
  • Page 581: Queueing And Scheduling On Ingress Queues

    The expedite queue has guaranteed bandwidth.
    1. The switch uses two nonconfigurable queues for traffic that is essential for proper network operation.
  • Page 582: Queueing And Scheduling On Egress Queues

    Figure 32-8 shows the queueing and scheduling flowchart for egress ports.
    Note: If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues.
  • Page 583 (under-limit), whether it has consumed all of its maximum buffers (over limit), and whether the common pool is empty (no free...
  • Page 584 You assign the two WTD threshold percentages for threshold ID 1 and ID 2. The drop threshold for threshold ID 3 is preset to the queue-full state, and you cannot...
  • Page 585: Packet Modification

    The input mutation causes the DSCP to be rewritten depending on the new value of DSCP chosen. The set action in a policy map also causes the DSCP to be rewritten.
  • Page 586: Configuring Auto-QoS

    The switch uses the resulting classification to choose the appropriate egress queue. You use auto-QoS commands to identify ports connected to Cisco IP Phones and to devices running the Cisco SoftPhone application. You also use the commands to identify ports that receive trusted traffic through an uplink.
  • Page 587 DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The...
  • Page 588 When you enable auto-QoS by using the auto qos voip cisco-phone, the auto qos voip cisco-softphone, or the auto qos voip trust interface configuration command, the switch automatically generates a QoS configuration based on the traffic type and ingress packet label and applies the commands listed in Table 32-5 to the port.
  • Page 589
    Switch(config)# mls qos queue-set output 1 buffers 10 10 26 54
    Switch(config)# mls qos queue-set output 2 buffers 16 6 17 61
    Switch(config-if)# priority-que out
    Switch(config-if)# srr-queue bandwidth share 10 10 60 20
  • Page 590 If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone.
    Switch(config-if)# mls qos trust device cisco-phone
  • Page 591: Effects Of Auto-QoS On The Configuration

    • By default, the CDP is enabled on all ports. For auto-QoS to function properly, do not disable the CDP.
    • When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
  • Page 592: Enabling Auto-QoS For VoIP

    Step 2  interface interface-id
            Specify the port that is connected to a Cisco IP Phone, the port that is connected to a device running the Cisco SoftPhone feature, or the uplink port that is connected to another trusted switch or router in the interior of the network, and enter interface configuration mode.
  • Page 593: Auto-QoS Configuration Example

    Note: You should not configure any standard QoS commands before entering the auto-QoS commands. You can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed.
  • Page 594: Displaying Auto-QoS Information

    Return to global configuration mode.
    Step 7
            Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone.
    Step 8  interface interface-id
            Specify the switch port identified as connected to a trusted switch or router, and enter interface configuration mode.
  • Page 595: Configuring Standard QoS

    No policy maps are configured. The default port trust state on all ports is untrusted. The default ingress and egress queue settings are described in the “Default Ingress Queue Configuration” section on page 32-28 and the “Default Egress Queue Configuration” section on page 32-28.
  • Page 596: Default Ingress Queue Configuration

    WTD drop threshold 1 | 100 percent | 200 percent | 100 percent | 100 percent
    WTD drop threshold 2 | 100 percent | 200 percent | 100 percent | 100 percent
    Reserved threshold | 50 percent | 50 percent | 50 percent | 50 percent
  • Page 597: Default Mapping Table Configuration

    The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value. The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value (no markdown).
  • Page 598: Standard QoS Configuration Guidelines

    • If you have EtherChannel ports configured on your switch, you must configure QoS classification, policing, mapping, and queueing on the individual physical ports that comprise the EtherChannel. You must decide whether the QoS configuration should match on all ports in the EtherChannel.
  • Page 599: General QoS Guidelines

    • Configuring a Trusted Boundary to Ensure Port Security, page 32-34
    • Enabling DSCP Transparency Mode, page 32-35
    • Configuring the DSCP Trust State on a Port Bordering Another QoS Domain, page 32-36
  • Page 600: Configuring The Trust State On Ports Within The QoS Domain

    Command / Purpose
    Step 1  configure terminal
            Enter global configuration mode.
    Step 2  interface interface-id
            Specify the port to be trusted, and enter interface configuration mode. Valid interfaces include physical ports.
  • Page 601: Configuring The CoS Value For An Interface

    CoS to all incoming packets on the port:
    Command / Purpose
    Step 1  configure terminal
            Enter global configuration mode.
    Step 2  interface interface-id
            Specify the port to be configured, and enter interface configuration mode. Valid interfaces include physical ports.
  • Page 602: Configuring A Trusted Boundary To Ensure Port Security

    CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the...
  • Page 603: Enabling DSCP Transparency Mode

    In some situations, you can prevent a PC connected to the Cisco IP Phone from taking advantage of a high-priority data queue. You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC.
  • Page 604: Configuring The DSCP Trust State On A Port Bordering Another QoS Domain

    QoS. If the two domains use different DSCP values, you can configure the DSCP-to-DSCP-mutation map to translate a set of DSCP values to match the definition in the other domain.
  • Page 605
    Step 6
            Return to privileged EXEC mode.
    Step 7  show mls qos maps dscp-mutation
            Verify your entries.
    Step 8  copy running-config startup-config
            (Optional) Save your entries in the configuration file.
  • Page 606: Configuring A QoS Policy

    • Classifying Traffic by Using Class Maps, page 32-42
    • Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps, page 32-44
    • Classifying, Policing, and Marking Traffic by Using Aggregate Policers, page 32-47
  • Page 607: Classifying Traffic By Using ACLs

    Switch(config)# access-list 1 permit 192.5.255.0 0.0.0.255
    Switch(config)# access-list 1 permit 128.88.0.0 0.0.255.255
    Switch(config)# access-list 1 permit 36.0.0.0 0.0.0.255
    ! (Note: all other access implicitly denied)
  • Page 608 This example shows how to create an ACL that permits PIM traffic from any source to a destination group address of 224.0.0.2 with a DSCP set to 32:
    Switch(config)# access-list 102 permit pim any 224.0.0.2 dscp 32
  • Page 609 MAC address 0001.0000.0002 to the host with MAC address 0002.0000.0002.
    Switch(config)# mac access-list extended maclist1
    Switch(config-ext-macl)# permit 0001.0000.0001 0.0.0 0002.0000.0001 0.0.0
    Switch(config-ext-macl)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idp
    ! (Note: all other access implicitly denied)
  • Page 610: Classifying Traffic By Using Class Maps

    If neither the match-all nor the match-any keyword is specified, the default is match-all.
    Note: Because only one match command per class map is supported, the match-all and match-any keywords function the same.
  • Page 611 This example shows how to create a class map called class3, which matches incoming traffic with IP-precedence values of 5, 6, and 7:
    Switch(config)# class-map class3
    Switch(config-cmap)# match ip precedence 5 6 7
    Switch(config-cmap)# end
    Switch#
  • Page 612: Classifying, Policing, And Marking Traffic On Physical Ports By Using Policy Maps

    If neither the match-all nor the match-any keyword is specified, the default is match-all.
    Note: Because only one match command per class map is supported, the match-all and match-any keywords function the same.
  • Page 613 The range is 0 to 63.
    • For ip precedence new-precedence, enter a new IP-precedence value to be assigned to the classified traffic. The range is 0 to 7.
  • Page 614 8000 bytes, its DSCP is marked down (based on the policed-DSCP map) and sent:
    Switch(config)# access-list 1 permit 10.1.0.0 0.0.255.255
    Switch(config)# class-map ipclass1
    Switch(config-cmap)# match access-group 1
    Switch(config-cmap)# exit
    Switch(config)# policy-map flow1t
  • Page 615: Classifying, Policing, And Marking Traffic By Using Aggregate Policers

    By using an aggregate policer, you can create a policer that is shared by multiple traffic classes within the same policy map. However, you cannot use the aggregate policer across different policy maps or ports.
  • Page 616
    Step 7  exit
            Return to global configuration mode.
    Step 8  interface interface-id
            Specify the port to attach to the policy map, and enter interface configuration mode. Valid interfaces include physical ports.
  • Page 617: Configuring DSCP Maps

    • Configuring the CoS-to-DSCP Map, page 32-50 (optional)
    • Configuring the IP-Precedence-to-DSCP Map, page 32-51 (optional)
    • Configuring the Policed-DSCP Map, page 32-52 (optional, unless the null settings in the map are not appropriate)
  • Page 618: Configuring The CoS-To-DSCP Map

    This example shows how to modify and display the CoS-to-DSCP map:
    Switch(config)# mls qos map cos-dscp 10 15 20 25 30 35 40 45
    Switch(config)# end
    Switch# show mls qos maps cos-dscp
  • Page 619: Configuring The IP-Precedence-To-DSCP Map

    Verify your entries.
    Step 5  copy running-config startup-config
            (Optional) Save your entries in the configuration file.
    To return to the default map, use the no mls qos ip-prec-dscp global configuration command.
  • Page 620: Configuring The Policed-DSCP Map

    30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 00 00 00 00 00 00 00 00 58 59 60 61 62 63
  • Page 621: Configuring The DSCP-To-CoS Map

    Verify your entries.
    Step 5  copy running-config startup-config
            (Optional) Save your entries in the configuration file.
    To return to the default map, use the no mls qos dscp-cos global configuration command.
  • Page 622: Configuring The DSCP-To-DSCP-Mutation Map

    • The DSCP range is 0 to 63.
    Step 3  interface interface-id
            Specify the port to which to attach the map, and enter interface configuration mode. Valid interfaces include physical ports.
  • Page 623: Configuring Ingress Queue Characteristics

    • What drop percentage thresholds apply to each queue, and which CoS or DSCP values map to each threshold?
    • How much of the available buffer space is allocated between the queues?
  • Page 624: Mapping DSCP Or CoS Values To An Ingress Queue And Setting WTD Thresholds

    100. Separate each value with a space. Each threshold value is a percentage of the total number of queue descriptors allocated for the queue.
    Step 4
            Return to privileged EXEC mode.
  • Page 625: Allocating Buffer Space Between The Ingress Queues

    For percentage1 percentage2, the range is 0 to 100. Separate each value with a space. You should allocate the buffers so that the queues can handle any incoming bursty traffic.
    Step 3
            Return to privileged EXEC mode.
  • Page 626: Allocating Bandwidth Between The Ingress Queues

    Step 5  copy running-config startup-config
            (Optional) Save your entries in the configuration file.
    To return to the default setting, use the no mls qos srr-queue input bandwidth global configuration command.
  • Page 627: Configuring The Ingress Priority Queue

    To return to the default setting, use the no mls qos srr-queue input priority-queue queue-id global configuration command. To disable priority queueing, set the bandwidth weight to 0, for example, mls qos srr-queue input priority-queue queue-id bandwidth 0.
  • Page 628: Configuring Egress Queue Characteristics

    1, and SRR services this queue in shaped mode.
    • If the egress expedite queue is disabled and the SRR shaped weights are not configured, SRR services this queue in shared mode.
  • Page 629: Allocating Buffer Space To And Setting WTD Thresholds For An Egress Queue-Set

    0 to 99. For allocation2, the range is 1 to 100 (including the CPU buffer). Allocate buffers according to the importance of the traffic; for example, give a large percentage of the buffer to the queue with the highest-priority traffic.
  • Page 630 200 percent as the maximum memory that this queue can have before packets are dropped:
    Switch(config)# mls qos queue-set output 2 buffers 40 20 20 20
    Switch(config)# mls qos queue-set output 2 threshold 2 40 60 100 200
    Switch(config)# interface gigabitethernet1/1
    Switch(config-if)# queue-set 2
  • Page 631: Mapping DSCP Or CoS Values To An Egress Queue And To A Threshold ID

    To return to the default DSCP output queue threshold map or the default CoS output queue threshold map, use the no mls qos srr-queue output dscp-map or the no mls qos srr-queue output cos-map global configuration command.
  • Page 632: Configuring SRR Shaped Weights On Egress Queues

    2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent:
    Switch(config)# interface gigabitethernet1/1
    Switch(config-if)# srr-queue bandwidth shape 8 0 0 0
  • Page 633: Configuring SRR Shared Weights On Egress Queues

    1, 2, 3, and 4. This means that queue 4 has four times the bandwidth of queue 1, twice the bandwidth of queue 2, and one-and-a-third times the bandwidth of queue 3.
    Switch(config)# interface gigabitethernet1/1
    Switch(config-if)# srr-queue bandwidth share 1 2 3 4
  • Page 634: Configuring The Egress Expedite Queue

    Specify the percentage of the port speed to which the port should be limited. The range is 10 to 90. By default, the port is not rate limited and is set to 100 percent.
  • Page 635: Displaying Standard QoS Information

    The control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored.
    show running-config | include rewrite
            Display the DSCP transparency setting.
  • Page 637: Chapter 33 Configuring EtherChannels And Link-State Tracking

    This chapter describes how to configure EtherChannels on Layer 2 ports on the IE 3000 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
  • Page 638: EtherChannel Overview

    EtherChannel, and the failed link. Inbound broadcast and multicast packets on one link in an EtherChannel are blocked from returning on any other link of the EtherChannel.
  • Page 639: Port-Channel Interfaces

    To change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel interface, for example, spanning-tree commands or commands to configure a Layer 2 EtherChannel as a trunk.
  • Page 640: Port Aggregation Protocol

    The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
  • Page 641: PAgP Interaction With Other Features

    Link Aggregation Control Protocol
    The LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports.
  • Page 642: LACP Interaction With Other Features

    With source-and-destination MAC-address forwarding, packets sent from host A to host B, host A to host C, and host C to host B could all use different ports in the channel.
  • Page 643 MAC address, using the destination-MAC address always chooses the same link in the channel. Using source addresses or IP addresses might result in better load balancing.
  • Page 644: Configuring EtherChannels

    After you configure an EtherChannel, configuration changes applied to the port-channel interface apply to all the physical ports assigned to the port-channel interface, and configuration changes applied to the physical port affect only the port where you apply the configuration.
  • Page 645: Default EtherChannel Configuration

    – Spanning-tree path cost for each VLAN
    – Spanning-tree port priority for each VLAN
    – Spanning-tree Port Fast setting
    • Do not configure a port to be a member of more than one EtherChannel group.
  • Page 646: Configuring Layer 2 EtherChannels

    For a LACP EtherChannel, you can configure up to 16 Ethernet ports of the same type. Up to eight ports can be active, and up to eight ports can be in standby mode.
  • Page 647
    Verify your entries.
    Step 7  copy running-config startup-config
            (Optional) Save your entries in the configuration file.
    To remove a port from the EtherChannel group, use the no channel-group interface configuration command.
  • Page 648: Configuring EtherChannel Load Balancing

    Step 3
            Return to privileged EXEC mode.
    Step 4  show etherchannel load-balance
            Verify your entries.
    Step 5  copy running-config startup-config
            (Optional) Save your entries in the configuration file.
  • Page 649: Configuring The PAgP Learn Method And Priority

    When the link partner of the IE 3000 switch is a physical learner (such as a Catalyst 1900 series switch), we recommend that you configure the IE 3000 switch as a physical-port learner by using the pagp learn-method physical-port interface configuration command.
  • Page 650: Configuring LACP Hot-Standby Ports

    In priority comparisons, numerically lower values have higher priority. The priority decides which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating.
  • Page 651: Configuring The LACP System Priority

    The hot-standby ports that have lower port numbers become active in the channel first. You can use the show etherchannel summary privileged EXEC command to see which ports are in the hot-standby mode (denoted with an H port-state flag).
  • Page 652: Displaying EtherChannel, PAgP, And LACP Status

    ... internal | neighbor}
            Displays LACP information such as traffic information, the internal LACP configuration, and neighbor information.
    You can clear PAgP channel-group information and traffic counters by using the clear pagp {channel-group-number counters | counters} privileged EXEC command.
  • Page 653: Understanding Link-State Tracking

    2. Port 5 and port 6 are connected to distribution switch 2 through link-state group 2. Port 5 and port 6 are the upstream interfaces in link-state group 2.
  • Page 654 You can recover a downstream interface link-down condition by removing the failed downstream port from the link-state group. To recover multiple downstream interfaces, disable the link-state group.
  • Page 655: Configuring Link-State Tracking

    These sections describe how to configure link-state tracking ports:
    • Default Link-State Tracking Configuration, page 33-20
    • Link-State Tracking Configuration Guidelines, page 33-20
    • Configuring Link-State Tracking, page 33-20
    • Displaying Link-State Tracking Status, page 33-21
  • Page 656: Default Link-State Tracking Configuration

    Switch(config-if)# link state group 1 upstream
    Switch(config-if)# interface gigabitethernet1/1
    Switch(config-if)# link state group 1 downstream
    Switch(config-if)# interface gigabitethernet1/1
    Switch(config-if)# link state group 1 downstream
    Switch(config-if)# interface gigabitethernet1/2
    Switch(config-if)# link state group 1 downstream
    Switch(config-if)# end
  • Page 657: Displaying Link-State Tracking Status

    Upstream Interfaces : Fa1/6(Dwn) Fa1/7(Dwn) Fa1/8(Dwn)
    Downstream Interfaces : Fa1/2(Dis) Fa1/3(Dis) Fa1/4(Dis) Fa1/5(Dis)
    (Up):Interface up (Dwn):Interface Down (Dis):Interface disabled
    For detailed information about the fields in the display, see the command reference for this release.
  • Page 659: Chapter 34 Troubleshooting

    This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the IE 3000 switch. Depending on the nature of the problem, you can use the command-line interface (CLI), the device manager, or Network Assistant to identify and solve problems.
  • Page 660: Recovering From A Software Failure

    Step 1  From your PC, download the software image tar file (image_filename.tar) from Cisco.com. The Cisco IOS image is stored as a bin file in a directory in the tar file. For information about locating the software image files on Cisco.com, see the release notes.
  • Page 661: Recovering From A Lost Or Forgotten Password

    Step 4  Enter a new password through the device manager by using the Express Setup window or through the command line interface by using the enable secret global configuration command.
  • Page 662: Recovering From A Command Switch Failure

    This section describes how to recover from a failed command switch. You can configure a redundant command switch group by using the Hot Standby Router Protocol (HSRP). For more information, see Chapter 6, “Clustering Switches.” Also see the Getting Started with Cisco Network Assistant, available on Cisco.com.
    Note: HSRP is the preferred method for supplying redundancy to a cluster.
  • Page 663
    Step 17  Start your browser, and enter the IP address of the new command switch.
    Step 18  From the Cluster menu, select Add to Cluster to display a list of candidate switches to add to the cluster.
  • Page 664: Replacing A Failed Command Switch With Another Switch

    Step 8  When prompted for the enable secret and enable passwords, enter the passwords of the failed command switch again.
    Step 9  When prompted, make sure to enable the switch as the cluster command switch, and press Return.
  • Page 665: Recovering From Lost Cluster Member Connectivity

    Note: If a remote device does not autonegotiate, configure the duplex settings on the two ports to match. The speed parameter can adjust itself even if the connected port does not autonegotiate.
  • Page 666: SFP Module Security And Identification

    If you are using a non-Cisco SFP module, remove the SFP module from the switch, and replace it with a Cisco module. After inserting a Cisco SFP module, use the errdisable recovery cause gbic-invalid global configuration command to verify the port status, and enter a time interval for recovering from the error-disabled state.
  • Page 667: Understanding Ping

    Each exclamation point means receipt of a reply. Each period means the network server timed out while waiting for a reply. A destination unreachable error PDU was received. A congestion experienced packet was received. User interrupted test.
  • Page 668: Using Layer 2 Traceroute

    Usage Guidelines
    These are the Layer 2 traceroute usage guidelines:
    • Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP. For a list of switches that support Layer 2 traceroute, see the “Usage Guidelines”...
  • Page 669: Displaying The Physical Path

    You can use IP traceroute to identify the path that packets take through the network on a hop-by-hop basis. The command output displays all network layer (Layer 3) devices, such as routers, that the traffic passes through on the way to the destination.
  • Page 670: Executing Ip Traceroute

    4 171.9.4.5 0 msec 4 msec 0 msec 5 171.9.121.34 0 msec 4 msec 4 msec 6 171.9.15.9 120 msec 132 msec 128 msec 7 171.9.15.10 132 msec 128 msec 128 msec Switch#
  • Page 671: Using Tdr

    If one of the twisted-pair wires is open, TDR can find the length at which the wire is open. Use TDR to diagnose and resolve cabling problems in these situations: • Replacing a switch • Setting up a wiring closet
  • Page 672: Running Tdr And Displaying The Results

    For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
  • Page 673: Enabling All-System Diagnostics

    Depending upon the parameters entered about the packet, the output provides lookup table results and port maps used to calculate forwarding destinations, bitmaps, and egress information.
  • Page 674 Switch# show platform forward gigabitethernet1/1 vlan 5 1.1.1 0009.43a8.0145 ip 13.1.1.1 13.2.2.2 udp 10 20 Global Port Number:24, Asic Number:5 Src Real Vlan Id:5, Mapped Vlan Id:5 Ingress: Lookup Key-Used Index-Hit A-Data
  • Page 675: Using The Crashinfo Files

    The crashinfo files save information that helps Cisco technical support representatives to debug problems that caused the Cisco IOS image to fail (crash). The switch writes the crash information to the console at the time of the failure. The switch creates two types of crashinfo files: Basic crashinfo file—The switch automatically creates this file the next time you boot up the Cisco...
  • Page 676: Extended Crashinfo Files

    You provide this information to the Cisco technical support representative by manually accessing the file and using the more or the copy privileged EXEC command.
  • Page 677: Appendix

    Appendix Supported MIBs This appendix lists the supported management information base (MIBs) for this release on the IE 3000 switch. It contains these sections: • MIB List, page A-1 • Using FTP to Access the MIB Files, page A-3...
  • Page 678: Appendix A Supported Mib

    Appendix A Supported MIBs MIB List • CISCO-MEMORY-POOL-MIB • CISCO-PAGP-MIB • CISCO-PING-MIB • CISCO-PORT-QOS-MIB (only the packet counters are supported; the octet counters are not supported) • CISCO-PRODUCTS-MIB • CISCO-PROCESS-MIB • CISCO-RTTMON-MIB • CISCO-SMI-MIB • CISCO-STP-EXTENSIONS-MIB • CISCO-SYSLOG-MIB • CISCO-TC-MIB...
  • Page 679: Using Ftp To Access The Mib Files

    Note: You can also use this URL for a list of supported MIBs for the IE3000 switch: ftp://ftp.cisco.com/pub/mibs/supportlists/ie3000/ie3000-supportlist.html You can access other information about MIBs and Cisco products on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml Using FTP to Access the MIB Files You can get each MIB file by using this procedure: Make sure that your FTP client is in passive mode....
  • Page 680: Using Ftp To Access The Mib Files

  • Page 681: Appendix

    Removing the compact flash card does not interrupt switch operation unless you need to reload the Cisco IOS software. However, when you remove the compact flash card, you do not have access to the flash file system, and any attempt to access it generates an error message.
  • Page 682: Displaying Available File Systems

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System These sections contain this configuration information: • Displaying Available File Systems, page B-2 • Setting the Default File System, page B-3...
  • Page 683: Setting The Default File System

    Setting the Default File System Table B-1 show file systems Field Descriptions Field Value Size(b) Amount of memory in the file system in bytes....
  • Page 684: Changing Directories And Displaying The Working Directory

    To display information about files on a file system, use one of the privileged EXEC commands in Table B-2: Table B-2...
  • Page 685: Copying Files

    Use the /recursive keyword to delete the named directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory....
  • Page 686: Creating, Displaying, And Extracting Tar Files

    Use the /recursive keyword for deleting a directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory....
  • Page 687: Displaying The Contents Of A Tar File

    This example shows how to create a tar file. This command writes the contents of the new-configs directory on the local flash device to a file named saved.tar on the TFTP server at 172.20.10.30: Switch# archive tar /create tftp:172.20.10.30/saved.tar flash:/new-configs...
  • Page 688: Displaying The Contents Of A File

    This section describes how to create, load, and maintain configuration files. Configuration files contain commands entered to customize the function of the Cisco IOS software. A way to create a basic configuration file is to use the setup program or to enter the setup privileged EXEC command.
  • Page 689: Guidelines For Creating And Using Configuration Files

    The protocol you use depends on which type of server you are using. The FTP and RCP transport mechanisms provide faster performance and more reliable delivery of data than TFTP. These improvements are possible because FTP and RCP are built on and use the TCP/IP stack, which is connection-oriented....
  • Page 690: Preparing To Download Or Upload A Configuration File By Using Tftp

    Configuration File Types and Location Startup configuration files are used during system startup to configure the software. Running configuration files contain the current configuration of the software. The two configuration files can be different....
  • Page 691 Make sure that the /etc/services file contains this line: tftp 69/udp You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files....
  • Page 692: Uploading The Configuration File By Using Tftp

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
  • Page 693: Preparing To Download Or Upload A Configuration File By Using Ftp

    If the server has a directory structure, the configuration file is written to or copied from the directory associated with the username on the server. For example, if the configuration file resides in the home directory of a user on the server, specify that user's name as the remote username....
  • Page 694: Uploading A Configuration File By Using Ftp

    Command Purpose Step 6 Return to privileged EXEC mode. Step 7 copy Using FTP, copy the configuration file from a network server...
  • Page 695: Copying Configuration Files By Using Rcp

    Command Purpose Step 3 configure terminal Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6)....
  • Page 696: Preparing To Download Or Upload A Configuration File By Using Rcp

    The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: •...
  • Page 697 Downloading a Configuration File By Using RCP Beginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP:...
  • Page 698: Clearing Configuration Information

    Uploading a Configuration File By Using RCP Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP:...
  • Page 699: Clearing The Startup Configuration File

    Replacing and Rolling Back Configurations The configuration replacement and rollback feature replaces the running configuration with any saved Cisco IOS configuration file. You can use the rollback function to roll back to a previous configuration. These sections contain this information: • Understanding Configuration Replacement and Rollback, page B-19...
  • Page 700 EXEC command displays information for all the configuration files saved in the configuration archive. The Cisco IOS configuration archive, in which the configuration files are stored and available for use with the configure replace command, is in any of these file systems: FTP, HTTP, RCP, TFTP.
  • Page 701: Configuring The Configuration Archive

    • replacement configuration file for the running configuration. The replacement file must be a complete configuration generated by a Cisco IOS device (for example, a configuration generated by the copy running-config destination-url command). Note: If you generate the replacement configuration file externally, it must comply with the format of files generated by Cisco IOS devices....
  • Page 702: Performing A Configuration Replacement Or Rollback Operation

    Performing a Configuration Replacement or Rollback Operation Starting in privileged EXEC mode, follow these steps to replace the running configuration file with a...
  • Page 703: Working With Software Images

    Image Location on the Switch The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management. The image is stored on the system board flash memory (flash:).
  • Page 704 Cisco IOS image total_image_file_size Specifies the size of all the images (the Cisco IOS image and the web management files) in the tar file, which is an approximate measure of how much flash memory is required to hold them...
  • Page 705: Preparing To Download Or Upload An Image File By Using Tftp

    You upload a switch image file to a server for backup purposes; this uploaded image can be used for future downloads to the same or another switch of the same type....
  • Page 706 Beginning in privileged EXEC mode, follow Steps 1 through 3 to download a new image from a TFTP server and overwrite the existing image. To keep the current image, go to Step 3....
  • Page 707: Uploading An Image File By Using Tftp

    The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 708: Preparing To Download Or Upload An Image File By Using Ftp

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: • The username specified in the archive download-sw or archive upload-sw privileged EXEC...
  • Page 709 • If you are accessing the switch through the console or a Telnet session and you do not have a valid username, make sure that the current FTP username is the one that you want to use for the FTP download....
  • Page 710 Command Purpose Step 7 archive download-sw /overwrite /reload Download the image file from the FTP server to the switch, ftp:[[//username[:password]@location]/directory] and overwrite the current image....
  • Page 711 The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image....
  • Page 712: Copying Image Files By Using Rcp

    RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username in this list: • The username specified in the archive download-sw or archive upload-sw privileged EXEC...
  • Page 713 • The remote username associated with the current TTY (terminal) process. For example, if the user is connected to the router through Telnet and was authenticated through the username command, the switch software sends the Telnet username as the remote username....
  • Page 714 Command Purpose Step 3 configure terminal Enter global configuration mode. This step is required only if you override the default remote username (see Steps 4 and 5)....
  • Page 715 Note: If the flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option....
  • Page 716 The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 717: Access Control Lists

    This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the IE 3000 switch prompt but are not supported in this release, either because they are not tested or because of IE 3000 switch hardware limitations. This is not a complete list. The unsupported commands are listed by software feature and command mode.
  • Page 718: Appendix C Unsupported Commands In Cisco Ios Release 12.2(44)Ex

    [interface-id | vlan vlan-id] [crb | fair-queue | irb | mac-accounting | precedence | irb | random-detect | rate-limit | shape] Unsupported Global Configuration Commands interface tunnel Unsupported Interface Configuration Commands transmit-interface type number ip igmp helper-address ip-address
  • Page 719: Mac Address Commands

    Miscellaneous Unsupported Privileged EXEC Commands file verify auto show cable-diagnostics prbs test cable-diagnostics prbs Unsupported Global Configuration Commands errdisable recovery cause unicast flood l2protocol-tunnel global drop-threshold
  • Page 720: Network Address Translation (Nat) Commands

    RADIUS Unsupported Global Configuration Commands aaa nas port extended aaa authentication feature default enable aaa authentication feature default line aaa nas port extended radius-server attribute nas-port radius-server configure radius-server extended-portnames
  • Page 721: Vlan

    Unsupported Interface Configuration Command spanning-tree stack-port VLAN Unsupported Global Configuration Command vlan internal allocation policy {ascending | descending} Unsupported vlan-config Command private-vlan Unsupported User EXEC Commands show running-config vlan show vlan ifindex show vlan private-vlan
  • Page 722: Vtp

    Appendix C Unsupported Commands in Cisco IOS Release 12.2(44)EX Unsupported Privileged EXEC Commands vtp {password password | pruning | version number} Note: This command has been replaced by the vtp global configuration command.
  • Page 723: I N D E X

    IEEE 802.1x 10-8 implicit deny 30-7, 30-11, 30-13 with RADIUS 9-28 implicit masks 30-7 with TACACS+ 9-11, 9-17 matching criteria 30-5 ACEs undefined 30-17 and QoS 32-6 defined 30-2 Ethernet 30-2 30-2
  • Page 724 1-5, 7-26 dynamic table accelerated aging address resolution 16-8 7-26 changing the aging time 7-21 managing 7-26 default aging attributes, RADIUS 16-8 defined vendor-proprietary 7-19 9-31 learning vendor-specific 7-20 9-29 removing 7-21
  • Page 725 See DHCP snooping binding database See also HSRP blocking packets 22-7 auto-MDIX booting configuring 11-16 boot loader, function of described 11-16 boot process manually 4-17 specific image 4-18
  • Page 726 FCS Bit Error Rate alarm candidate switch methods to trigger automatic discovery SNMP traps defined syslog messages requirements CA trustpoint See also command switch, cluster standby group, and member switch configuring 9-40 defined 9-38
  • Page 727 CIST root described See MSTP LRE profile considerations 6-14 civic location 23-3 managing class maps for QoS through CLI 6-14 configuring 32-42 through SNMP 6-15 described 32-7 planning displaying 32-67
  • Page 728 IGMP 21-5 management functions configuration, initial command-line interface defaults 1-10 See CLI Express Setup command modes configuration changes, logging 28-10 configuration conflicts, recovering from lost member connectivity 34-7
  • Page 729 32-18 configuration replacement B-19 banners 7-17 configuration rollback B-19 booting 4-16 configuration settings, saving 4-15 24-2 configure terminal command 11-6 DHCP 20-7 configuring small-frame arrival rate 22-5 DHCP option 82 20-7
  • Page 730 IP address information UDLD 25-4 for receiving the configuration file VLAN, Layer 2 Ethernet interfaces 13-16 overview VLANs 13-7 relationship to BOOTP VMPS 13-25 relay support voice VLAN 15-3 support for 14-6
  • Page 731 20-12 setting up 7-16 binding file support for format 20-6 domain names location 20-5 7-15 bindings 20-5 14-8 clearing agent statistics 20-11 Domain Name System configuration guidelines 20-8 See DNS
  • Page 732 33-16 dynamic addresses forwarding methods 33-6, 33-12 See addresses IEEE 802.3ad, described 33-5 dynamic auto trunking mode 13-15 interaction dynamic desirable trunking mode 13-15 with STP 33-9 with VLANs 33-10
  • Page 733 1-12 local file system names expedite queue for QoS 32-66 network file system names Express Setup setting the default See also getting started guide extended crashinfo file 34-17
  • Page 734 28-10 downloading B-13 host names, in clusters 6-12 overview B-12 hosts, limit on dynamic ports 13-29 preparing the server B-13 HP OpenView uploading B-14
  • Page 735 IEEE 802.1s setting the maximum number 21-26 See MSTP IGMP Immediate Leave IEEE 802.1w configuration guidelines 21-10 See RSTP described 21-5 IEEE 802.1x enabling 21-10 See port-based authentication IEEE 802.3ad See EtherChannel
  • Page 736 6-3, 6-10, 6-12 auto-MDIX, configuring discovering 11-16 7-26 configuration guidelines redundant clusters 6-10 duplex and speed standby command switch 11-13 6-10, 6-12 See also IP information
  • Page 737 See hardware installation guide supported metrics 31-2 lightweight directory access protocol IP traceroute See LDAP executing 34-12 line configuration mode overview 34-11 Link Aggregation Control Protocol See EtherChannel link failure, detecting unidirectional 17-7
  • Page 738 7-17 MAC authentication bypass 10-9 log messages MAC extended access lists See system message logging applying to Layer 2 interfaces 30-21 Long-Reach Ethernet (LRE) technology 1-13 configuring for QoS 32-41
  • Page 739 IP SLAs operations 31-6 marking IPv4 ACL configuration 30-22 action with aggregate policers 32-47 MAC address-table move update 19-14 described 32-3, 32-8 multicast router interfaces 21-16 matching, IPv4 ACLs 30-5 21-22
  • Page 740 17-24 described 18-9 MST region 17-15 enabling 18-15 neighbor type 17-25 mapping VLANs to MST instance 17-16 path cost 17-20 port priority 17-19 root switch 17-17
  • Page 741 22-1 Network Admission Control Software Configuration multicast storm-control command 22-4 Guide 10-40, 10-41 multicast television application 21-17 Network Assistant multicast VLAN 21-16 benefits Multicast VLAN Registration described See MVR
  • Page 742 13-4 encrypting defined 13-1 for security in clusters 6-13 overview associations recovery of 34-3 authenticating setting defined enable enabling broadcast messages enable secret peer Telnet server with usernames default configuration
  • Page 743 10-34 described 32-8 described 10-13 port ACLs, described 30-2 guidelines 10-22 Port Aggregation Protocol initiation and message exchange 10-5 See EtherChannel magic packet 10-15
  • Page 744 13-24 port blocking 1-3, 22-7 port VLAN ID TLV 23-2 port-channel power management TLV 23-2, 23-6 See EtherChannel preemption, default configuration 19-8 port description TLV 23-2 preemption delay, default configuration 19-8
  • Page 745 VTP pruning 14-4 trusted CoS, described 32-4 VLANs 14-14 trust IP precedence, described 32-4 PVST+ class maps described 16-9 configuring 32-42 IEEE 802.1Q trunking interoperability 16-10 displaying 32-67 instances supported 16-9
  • Page 746 DSCP or CoS values 32-63 policed-DSCP 32-52 scheduling, described 32-4 types of 32-10 setting WTD thresholds 32-61 marked-down actions 32-46 WTD, described 32-16 marking, described 32-3, 32-8 enabling globally 32-31 overview 32-1
  • Page 747 See rapid PVST+ within the domain 32-32 rapid PVST+ quality of service described 16-9 See QoS IEEE 802.1Q trunking interoperability 16-10 queries, IGMP 21-4 instances supported 16-9 query solicitation, IGMP 21-12
  • Page 748 27-3 Remote Network Monitoring groups supported 27-2 See RMON overview 27-1 Remote SPAN statistics See RSPAN collecting group Ethernet 27-5 remote SPAN collecting group history 26-2 27-5 support for 1-10
  • Page 749 17-9 types of designated switch, defined 17-9 Secure Copy Protocol interoperability with IEEE 802.1D secure HTTP client described 17-8 configuring 9-43 restarting migration process 17-25 displaying 9-43 topology changes 17-13
  • Page 750 6-14 29-6 show configuration command engine ID 11-17 29-7 show controllers lre profile mapping groups 29-6, 29-9 show forward command host 34-15 29-6 show interfaces command ifIndex values 11-14, 11-17 29-5
  • Page 751 26-13 SNMPv1 29-2 source ports 26-5 SNMPv2C 29-2 transmitted traffic 26-5 SNMPv3 29-2 VLAN-based 26-6 snooping, IGMP 21-1 spanning tree and native VLANs 13-15 Spanning Tree Protocol See STP
  • Page 752 6-10 22-3 See also cluster standby group and HSRP described 22-1 standby group, cluster disabling 22-5 See cluster standby group and HSRP displaying 22-18 standby links support for 19-2 thresholds 22-1
  • Page 753 18-5 overview 16-2 disabling 16-14 path costs 13-22 displaying status 16-22 Port Fast EtherChannel guard described 18-2 described 18-7 enabling 18-10 disabling 18-14 port priorities 13-21 enabling 18-14
  • Page 754 22-8 28-13 switchport block unicast command system name 22-8 switchport protected command default configuration 22-7 7-15 switch priority default setting 7-15 MSTP manual configuration 17-21 7-15 See also DNS 16-19
  • Page 755 34-10 temporary self-signed certificate 9-38 described 34-10 Terminal Access Controller Access Control System Plus IP addresses and subnets 34-11 See TACACS+ MAC addresses and VLANs 34-11 terminal lines, setting a password
  • Page 756 25-3 with system message logging 28-1 enabling with traceroute 34-11 globally 25-5 trunk failover per interface 25-5 See link-state tracking link-detection mechanism 25-1 trunking encapsulation neighbor database 25-2
  • Page 757 VLAN load balancing on flex links 19-2 reasons for configuration guidelines 19-8 using FTP B-14 VLAN management domain 14-2 using RCP B-18 VLAN Management Policy Server using TFTP B-12 See VMPS
  • Page 758 CoS priority of incoming frame 15-6 number supported configuring ports for voice traffic in parameters 13-4 802.1p priority tagged frames 15-5 port membership modes 13-3 802.1Q frames 15-5 static-access ports 13-10
  • Page 759 14-12 consistency checks 14-4 default configuration 14-6 web authentication 10-9 described 14-1 configuring 10-38 to 10-41 disabling 14-12 described 1-7, 10-17 domain names 14-8 fallback for IEEE 802.1x 10-40 domains 14-2
  • Page 760 Index weighted tail drop See WTD wizards described 32-11 setting thresholds egress queue-sets 32-61 ingress queues 32-56 support for Xmodem protocol 34-2
