Cisco Catalyst 3550 series Software Configuration Manual

Multilayer switch

Catalyst 3550 Multilayer Switch
Software Configuration Guide
Cisco IOS Release 12.1(19)EA1
October 2003
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7811194=
Text Part Number: 78-11194-09

Summary of Contents for Cisco Catalyst 3550 series

  • Page 2 CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE,...
  • Page 3 Long-Distance, High-Bandwidth Transport Configuration 1-19 Where to Go Next 1-19 CHAPTER Using the Command-Line Interface: Cisco IOS Command Modes, Getting Help, Specifying Ports in Interface Configuration Mode...
  • Page 4 Contents Abbreviating Commands Using no and default Forms of Commands Understanding CLI Messages Using Command History Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features Enabling and Disabling Editing Features Editing Commands through Keystrokes Editing Command Lines that Wrap Searching and Filtering Output of show and more Commands Accessing the CLI...
  • Page 5 Contents Front Panel View 3-13 Topology View 3-14 CMS Icons 3-15 Where to Go Next 3-15 CHAPTER Assigning the Switch IP Address and Default Gateway: Understanding the Boot Process, Assigning Switch Information, Default Switch Information, Understanding DHCP-Based Autoconfiguration, DHCP Client Request Process, Configuring DHCP-Based Autoconfiguration...
  • Page 6 Contents Host Name and DeviceID Using Host Name, DeviceID, and ConfigID Understanding CNS Embedded Agents Initial Configuration Incremental (Partial) Configuration Synchronized Configuration Configuring CNS Embedded Agents Enabling Automated CNS Configuration Enabling the CNS Event Agent Enabling the CNS Configuration Agent Enabling an Initial Configuration Enabling a Partial Configuration 5-12...
  • Page 7 Contents LRE Profiles 6-18 Availability of Switch-Specific Features in Switch Clusters 6-18 Creating a Switch Cluster 6-19 Enabling a Command Switch 6-19 Adding Member Switches 6-20 Creating a Cluster Standby Group 6-22 Verifying a Switch Cluster 6-24 Using the CLI to Manage Switch Clusters 6-25 Catalyst 1900 and Catalyst 2820 CLI Considerations 6-25...
  • Page 8 Contents Configuring a Message-of-the-Day Login Banner 7-19 Configuring a Login Banner 7-20 Managing the MAC Address Table 7-20 Building the Address Table 7-21 MAC Addresses and VLANs 7-21 Default MAC Address Table Configuration 7-22 Changing the Address Aging Time 7-22 Removing Dynamic Address Entries 7-23 Configuring MAC Address Notification Traps...
  • Page 9 Contents Controlling Switch Access with RADIUS 8-18 Understanding RADIUS 8-18 RADIUS Operation 8-19 Configuring RADIUS 8-20 Default RADIUS Configuration 8-20 Identifying the RADIUS Server Host 8-20 Configuring RADIUS Login Authentication 8-23 Defining AAA Server Groups 8-25 Configuring RADIUS Authorization for User Privileged Access and Network Services 8-27 Starting RADIUS Accounting 8-28...
  • Page 10 Contents Using 802.1X with Voice VLAN Ports Using 802.1X with VLAN Assignment Using 802.1X with Guest VLAN Using 802.1X with Per-User ACLs Configuring 802.1X Authentication Default 802.1X Configuration 802.1X Configuration Guidelines 9-10 Upgrading from a Previous Software Release 9-11 Enabling 802.1X Authentication 9-11 Configuring the Switch-to-RADIUS-Server Communication 9-13...
  • Page 11 Contents Setting the Interface Speed and Duplex Parameters 10-14 Configuring Inline Power on the Catalyst 3550-24PWR Ports 10-14 Configuring IEEE 802.3X Flow Control 10-15 Adding a Description for an Interface 10-17 Configuring Layer 3 Interfaces 10-18 Monitoring and Maintaining the Interfaces 10-19 Monitoring Interface and Controller Status 10-19...
  • Page 12 Contents Displaying VLANs 12-15 Configuring VLAN Trunks 12-16 Trunking Overview 12-16 Encapsulation Types 12-18 802.1Q Configuration Considerations 12-18 Default Layer 2 Ethernet Interface VLAN Configuration 12-19 Configuring an Ethernet Interface as a Trunk Port 12-19 Interaction with Other Features 12-19 Configuring a Trunk Port 12-20 Defining the Allowed VLANs on a Trunk...
  • Page 13 Default Voice VLAN Configuration 14-2 Voice VLAN Configuration Guidelines 14-3 Configuring a Port to Connect to a Cisco 7960 IP Phone 14-3 Configuring Ports to Carry Voice Traffic in 802.1Q Frames 14-4 Configuring Ports to Carry Voice Traffic in 802.1P Priority-Tagged Frames...
  • Page 14 Contents Understanding Layer 2 Protocol Tunneling 15-7 Configuring Layer 2 Protocol Tunneling 15-9 Default Layer 2 Protocol Tunneling Configuration 15-10 Layer 2 Protocol Tunneling Configuration Guidelines 15-10 Configuring Layer 2 Tunneling 15-11 Configuring Layer 2 Tunneling for EtherChannels 15-13 Configuring the SP Edge Switch 15-13 Configuring the Customer Switch 15-14...
  • Page 15 Contents Configuring the Switch Priority of a VLAN 16-20 Configuring Spanning-Tree Timers 16-20 Configuring the Hello Time 16-21 Configuring the Forwarding-Delay Time for a VLAN 16-22 Configuring the Maximum-Aging Time for a VLAN 16-22 Configuring Spanning Tree for Use in a Cascaded Stack 16-23 Displaying the Spanning-Tree Status 16-24...
  • Page 16 Contents Specifying the Link Type to Ensure Rapid Transitions 17-22 Restarting the Protocol Migration Process 17-22 Displaying the MST Configuration and Status 17-23 CHAPTER Configuring Optional Spanning-Tree Features 18-1 Understanding Optional Spanning-Tree Features 18-1 Understanding Port Fast 18-2 Understanding BPDU Guard...
  • Page 17 Contents DHCP Snooping Configuration Guidelines 19-3 Upgrading from a Previous Software Release 19-4 Enabling DHCP Snooping and Option 82 19-4 Enabling the DHCP Relay Agent and Option 82 19-6 Validating the Relay Agent Information Option 82 19-6 Configuring the Reforwarding Policy 19-7 Specifying the Packet Forwarding Address 19-7...
  • Page 18 Contents Configuring IGMP Profiles 20-22 Applying IGMP Profiles 20-23 Setting the Maximum Number of IGMP Groups 20-24 Configuring the IGMP Throttling Action 20-25 Displaying IGMP Filtering and Throttling Configuration 20-27 CHAPTER Configuring Port-Based Traffic Control 21-1 Configuring Storm Control 21-1 Understanding Storm Control...
  • Page 19 Contents Modes of Operation 23-1 Methods to Detect Unidirectional Links 23-2 Configuring UDLD 23-4 Default UDLD Configuration 23-4 Configuration Guidelines 23-4 Enabling UDLD Globally 23-5 Enabling UDLD on an Interface 23-5 Resetting an Interface Shut Down by UDLD 23-6 Displaying UDLD Status 23-7 Configuring SPAN and RSPAN 24-1...
  • Page 20 Contents CHAPTER Configuring RMON 25-1 Understanding RMON 25-1 Configuring RMON 25-2 Default RMON Configuration 25-3 Configuring RMON Alarms and Events 25-3 Configuring RMON Collection on an Interface 25-5 Displaying RMON Status 25-6 CHAPTER Configuring System Message Logging 26-1 Understanding System Message Logging...
  • Page 21 Contents Configuring SNMP Groups and Users 27-9 Configuring SNMP Notifications 27-11 Configuring SNMP Trap Notification Priority 27-14 Setting the Agent Contact and Location Information 27-15 Limiting TFTP Servers Used Through SNMP 27-15 SNMP Examples 27-16 Displaying SNMP Status 27-17 CHAPTER Configuring Network Security with ACLs 28-1 Understanding ACLs...
  • Page 22 Contents Applying a VLAN Map to a VLAN 28-33 Using VLAN Maps in Your Network 28-33 Wiring Closet Configuration 28-33 Denying Access to a Server on Another VLAN 28-35 Using VLAN Maps with Router ACLs 28-36 Guidelines for Using Router ACLs and VLAN Maps 28-36 Examples of Router ACLs and VLAN Maps Applied to VLANs 28-37...
  • Page 23 Contents Standard QoS Configuration Guidelines 29-26 Enabling QoS Globally 29-28 Configuring Classification By Using Port Trust States 29-29 Configuring the Trust State on Ports within the QoS Domain 29-29 Configuring the CoS Value for an Interface 29-31 Configuring a Trusted Boundary to Ensure Port Security 29-32 Enabling Pass-Through Mode 29-33...
  • Page 24 Contents CHAPTER Configuring EtherChannels 30-1 Understanding EtherChannels 30-1 Understanding Port-Channel Interfaces 30-2 Understanding the Port Aggregation Protocol and Link Aggregation Protocol 30-3 PAgP and LACP Modes 30-4 Physical Learners and Aggregate-Port Learners 30-5 PAgP and LACP Interaction with Other Features 30-6 Understanding Load Balancing and Forwarding Methods 30-6...
  • Page 25 Contents Configuring Broadcast Packet Handling 31-13 Enabling Directed Broadcast-to-Physical Broadcast Translation 31-13 Forwarding UDP Broadcast Packets and Protocols 31-14 Establishing an IP Broadcast Address 31-15 Flooding IP Broadcasts 31-16 Monitoring and Maintaining IP Addressing 31-17 Enabling IP Unicast Routing 31-18 Configuring RIP 31-19 Default RIP Configuration...
  • Page 26 Configuring BGP PE to CE Routing Sessions 31-70 Multi-VRF CE Configuration Example 31-71 Displaying Multi-VRF CE Status 31-75 Configuring Protocol-Independent Features 31-75 Configuring Cisco Express Forwarding 31-75 Configuring the Number of Equal-Cost Routing Paths 31-76 Configuring Static Unicast Routes 31-77 Specifying Default Routes and Networks 31-78...
  • Page 27 Enabling the Web Cache Service, Setting the Password, and Redirecting Traffic Received From a Client 33-6 Monitoring and Maintaining WCCP 33-9 CHAPTER Configuring IP Multicast Routing 34-1 Cisco Implementation of IP Multicast Routing 34-2 Understanding IGMP 34-3 IGMP Version 1 34-3 IGMP Version 2 34-4...
  • Page 28 Contents Configuring IP Multicast Routing 34-13 Default Multicast Routing Configuration 34-13 Multicast Routing Configuration Guidelines 34-14 PIMv1 and PIMv2 Interoperability 34-14 Auto-RP and BSR Configuration Guidelines 34-15 Configuring Basic Multicast Routing 34-15 Configuring a Rendezvous Point 34-17 Manually Assigning an RP to Multicast Groups 34-17 Configuring Auto-RP 34-18...
  • Page 29 Contents Configuring Advanced DVMRP Interoperability Features 34-50 Enabling DVMRP Unicast Routing 34-50 Rejecting a DVMRP Nonpruning Neighbor 34-51 Controlling Route Exchanges 34-53 Limiting the Number of DVMRP Routes Advertised 34-53 Changing the DVMRP Route Threshold 34-54 Configuring a DVMRP Summary Address 34-54 Disabling DVMRP Autosummarization 34-56...
  • Page 30 Contents Default Fallback Bridging Configuration 36-3 Fallback Bridging Configuration Guidelines 36-3 Creating a Bridge Group 36-4 Preventing the Forwarding of Dynamically Learned Stations 36-5 Configuring the Bridge Table Aging Time 36-6 Filtering Frames by a Specific MAC Address 36-6 Adjusting Spanning-Tree Parameters 36-7 Changing the Switch Priority 36-8...
  • Page 31 APPENDIX MIB List: Using FTP to Access the MIB Files; APPENDIX Working with the Cisco IOS File System, Configuration Files, and Software Images: Working with the Flash File System...
  • Page 32 Working with Software Images B-18 Image Location on the Switch B-19 tar File Format of Images on a Server or Cisco.com B-19 Copying Image Files By Using TFTP B-20 Preparing to Download or Upload an Image File By Using TFTP...
  • Page 33 Contents IP Unicast Routing Unsupported Privileged EXEC or User EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands Unsupported BGP Router Configuration Commands Unsupported VPN Configuration Commands Unsupported Route Map Commands MSDP Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands Network Address Translation (NAT) commands Unsupported User EXEC Commands Unsupported Global Configuration Commands...
  • Page 35 This guide is for the networking professional managing the Catalyst 3550 switch, hereafter referred to as the switch or the multilayer switch. Before using this guide, you should have experience working with the Cisco IOS and be familiar with the concepts and terminology of Ethernet and local area networking. Purpose This guide provides the information you need to configure Layer 2 and Layer 3 software features on your switch.
  • Page 36: Related Publications

    These documents provide complete information about the switch and are available from this Cisco.com site: http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/index.htm You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section on page xxxvii.
  • Page 37: Obtaining Documentation

    Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems. Cisco.com You can access the most current Cisco documentation on the World Wide Web at this URL: http://www.cisco.com/univercd/home/home.htm You can access the Cisco website at this URL: http://www.cisco.com...
  • Page 38: Documentation Feedback

    24 hours a day, 365 days a year. Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL: http://tools.cisco.com/RPF/register/register.do...
  • Page 39: Obtaining Additional Publications And Information

    TAC Case Priority Definitions To ensure that all cases are reported in a standard format, Cisco has established case priority definitions. Priority 1 (P1)—Your network is “down” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
  • Page 40 Preface Obtaining Additional Publications and Information • iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL: http://www.cisco.com/go/iqmagazine • Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets.
  • Page 41: Features

    CHAPTER Overview This chapter provides these topics about the Catalyst 3550 multilayer switch software: • Features, page 1-1 • Management Options, page 1-7 • Network Configuration Examples, page 1-9 • Where to Go Next, page 1-19...
  • Page 42: Chapter 1 Overview

    • Port blocking on forwarding unknown unicast and multicast traffic • Cisco Group Management Protocol (CGMP) server support and Internet Group Management Protocol (IGMP) snooping for IGMP versions 1, 2, and 3: – (For CGMP devices) CGMP for limiting multicast traffic to specified end stations and reducing overall network traffic –...
  • Page 43 • Network Time Protocol (NTP) for providing a consistent timestamp to all switches from an external source • Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses • In-band management access through CMS...
  • Page 44 • ... flooded traffic to links destined for stations receiving the traffic • Voice VLAN for creating subnets for voice traffic from Cisco IP Phones • VLAN 1 minimization to reduce the risk of spanning-tree loops or storms by allowing VLAN 1 to...
  • Page 45 – Trusted port states (CoS, DSCP, and IP precedence) within a QoS domain and with a port bordering another QoS domain – Trusted boundary for detecting the presence of a Cisco IP phone, trusting the CoS value received, and ensuring port security • Policing...
  • Page 46 Chapter 1 Overview Features – Aggregate policing for policing traffic flows in aggregate to restrict specific applications or traffic flows to metered, predefined rates – Up to 128 policers on ingress Gigabit-capable Ethernet ports – Up to eight policers on ingress 10/100 ports – Up to eight policers per egress port (aggregate policers only) • Out-of-Profile...
  • Page 47: Management Options

    Inline Power Support for the Catalyst 3550-24PWR Switch • Ability to provide inline power to Cisco IP Phones and Cisco Aironet Access Points from all 24 10/100 Ethernet ports • Autodetection and control of inline phone power on a per-port basis on all 10/100 ports...
  • Page 48: Advantages of Using CMS and Clustering Switches

    Using CMS and switch clusters can simplify and minimize your configuration and monitoring tasks. You can use Cisco switch clustering technology to manage up to 16 interconnected, supported Catalyst switches through one IP address. This can conserve IP addresses if you have a limited number of them.
  • Page 49: Network Configuration Examples

    Chapter 1 Overview Network Configuration Examples • Use a wizard that prompts you to provide only the minimum required information to configure complex features such as QoS priorities for video traffic, priority levels for data applications, and security. For more information about CMS, see Chapter 3, “Getting Started with CMS.”...
  • Page 50 Chapter 1 Overview Network Configuration Examples Bandwidth alone is not the only consideration when designing your network. As your network traffic profiles evolve, consider providing network services that can support applications for voice and data integration, multimedia integration, application prioritization, and security. Table 1-2 describes some network demands and how you can meet those demands.
  • Page 51 Chapter 1 Overview Network Configuration Examples • High-performance workgroup—For high-speed access to network resources, you can use Catalyst 3550 switches in the access layer to provide Gigabit Ethernet to the desktop. To prevent congestion, use QoS DSCP marking priorities on these switches. For high-speed IP forwarding at the distribution layer, connect the Catalyst 3550 switches in the access layer to a Gigabit multilayer switch (such as the Catalyst 3550 multilayer switch) in the backbone.
  • Page 52 Chapter 1 Overview Network Configuration Examples Figure 1-1 Example Configurations (figure labels: Catalyst 3550-12T or Catalyst 3550-12G Gigabit switch; Catalyst 3550 GigaStack cluster; Cost-Effective Wiring Closet; High-Performance Workgroup; 1-Gbps HSRP Redundant Gigabit Backbone)...
  • Page 53: Small To Medium-Sized Network Using Mixed Switches

    Data and multimedia traffic are configured on the same VLAN. Voice traffic from the Cisco IP Phones is configured on separate VVIDs. You can have up to four VVIDs per wiring closet. If data, multimedia, and voice traffic are assigned to the same VLAN, only one VLAN can be configured per wiring closet.
  • Page 54 Chapter 1 Overview Network Configuration Examples Figure 1-2 Catalyst 3550 Switches in a Collapsed Backbone Configuration (figure labels: Internet; Cisco 2600 or 3600 routers; Call Manager; Catalyst 3550 multilayer switches; Gigabit servers; Cisco Access point; Catalyst GigaStack clusters; Cisco IP Phones)...
  • Page 55: Large Network Using Only Catalyst 3550 Switches

    The Catalyst 6000 switch provides the workgroups with Gigabit access to core resources. The server farm includes a call-processing server running Cisco CallManager software. Cisco CallManager controls call processing, routing, and IP phone features and configuration.
  • Page 56 Chapter 1 Overview Network Configuration Examples Figure 1-3 Catalyst 3550 Switches in Wiring Closets in a Backbone Configuration (figure labels: Cisco 7500 routers; Catalyst 6000 multilayer switches; Call Manager; Cisco Access point; Catalyst 3550 clusters; Gigabit servers; Cisco IP Phones)...
  • Page 57: Multidwelling Network Using Catalyst 3550 Switches

    Chapter 1 Overview Network Configuration Examples Multidwelling Network Using Catalyst 3550 Switches A growing segment of residential and commercial customers are requiring high-speed access to Ethernet metropolitan-area networks (MANs). Figure 1-4 shows a configuration for a Gigabit Ethernet MAN ring using Catalyst 3550 multilayer switches as aggregation switches in the mini-point-of-presence (POP) location.
  • Page 58 Chapter 1 Overview Network Configuration Examples Figure 1-4 Catalyst 3550 Switches in a MAN Configuration (figure labels: Cisco 12000 Gigabit switch routers; Service Provider; Catalyst 6500 switches; Catalyst 3550 multilayer switches; Mini-POP; Gigabit MAN; Catalyst switches; Residential location; Set-top box; Residential gateway (hub))
  • Page 59: Long-Distance, High-Bandwidth Transport Configuration

    Chapter 1 Overview Where to Go Next Long-Distance, High-Bandwidth Transport Configuration Figure 1-5 shows a configuration for transporting 8 Gigabits of data over a single fiber-optic cable. The Catalyst switches have Coarse Wave Division Multiplexer (CWDM) fiber-optic GBIC modules installed. Depending on the CWDM GBIC module, data is sent at wavelengths from 1470 nm to 1610 nm.
  • Page 61: Cisco IOS Command Modes

    CHAPTER Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) that you can use to configure your Catalyst 3550 switches. It contains these sections: • Cisco IOS Command Modes, page 2-1...
  • Page 62: Chapter 2 Using the Command-Line Interface

    Chapter 2 Using the Command-Line Interface Cisco IOS Command Modes Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the host name Switch.
  • Page 63: Getting Help

    Chapter 2 Using the Command-Line Interface Getting Help Table 2-1 Command Mode Summary (continued). Mode: Interface configuration. Access Method: While in global configuration mode, enter the interface... Prompt: Switch(config-if)#. Exit Method: To exit to global configuration mode, ... About This Mode: Use this mode to configure parameters for the Ethernet...
  • Page 64: Specifying Ports In Interface Configuration Mode

    Chapter 2 Using the Command-Line Interface Specifying Ports in Interface Configuration Mode Table 2-2 Help Summary (continued) Command Purpose command ? List the associated keywords for a command. For example: Switch> show ? command keyword ? List the associated arguments for a keyword. For example: Switch(config)# cdp holdtime ? <10-255>...
  • Page 65: Understanding CLI Messages

    Using Command History The Cisco IOS provides a history or record of commands that you have entered. This feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize the command history feature to suit your needs as described in these sections: •...
  • Page 66: Recalling Commands

    Chapter 2 Using the Command-Line Interface Using Editing Features Recalling Commands To recall commands from the history buffer, perform one of the actions listed in Table 2-4: Table 2-4 Recalling Commands Action Result Press Ctrl-P or the up arrow key. Recall commands in the history buffer, beginning with the most recent command.
  • Page 67: Enabling And Disabling Editing Features

    Chapter 2 Using the Command-Line Interface Using Editing Features Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled, you can disable it. To re-enable the enhanced editing mode for the current terminal session, enter this command in privileged EXEC mode: Switch# terminal editing To reconfigure a specific line to have enhanced editing mode, enter this command in line configuration...
  • Page 68: Editing Command Lines That Wrap

    Chapter 2 Using the Command-Line Interface Using Editing Features Table 2-5 Editing Commands through Keystrokes (continued). Capability: Delete entries if you make a mistake or change your mind. Keystroke: Press the Delete or Backspace key. Purpose: Erase the character to the left of the cursor.
  • Page 69: Searching And Filtering Output Of Show And More Commands

    Chapter 2 Using the Command-Line Interface Searching and Filtering Output of show and more Commands In this example, the access-list global configuration command entry extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left.
  • Page 70: Accessing the CLI from a Browser

    Access page. You can access the CLI by clicking Web Console - HTML access to the command line interface from a cached copy of the Cisco Systems Access page. To prevent unauthorized access to CMS and the CLI, exit your browser to end the browser session.
  • Page 71: Understanding CMS

    CHAPTER Getting Started with CMS This chapter contains these sections that describe the Cluster Management Suite (CMS) on the Catalyst 3550 switch: • “Understanding CMS” section on page 3-1 • “Configuring CMS” section on page 3-7 • “Displaying CMS”...
  • Page 72: Chapter 3 Getting Started with CMS

    Chapter 3 Getting Started with CMS Understanding CMS Front Panel View The Front Panel view displays the Front Panel image of a specific set of switches in a cluster. From this view, you can select multiple ports or multiple switches and configure them with the same settings. For more information, see the “Displaying CMS”...
  • Page 73 Chapter 3 Getting Started with CMS Understanding CMS Table 3-1 Toolbar Buttons Toolbar Option Icon Task Print Print a CMS window or help file. Preferences Set CMS display properties, such as polling intervals, the views to open at CMS startup, and the color of administratively shutdown ports.
  • Page 74: Online Help

    Chapter 3 Getting Started with CMS Understanding CMS Figure 3-2 Feature Bar and Search Window 1 Feature bar 2 Search window Only features supported by the devices in your cluster are displayed in the feature bar. Note You can search for features that are available for your cluster by clicking Search and entering a feature name, as shown in Figure 3-2.
  • Page 75: Configuration Modes

    You can send us feedback about the information provided in the online help. Click Feedback to display an online form. After completing the form, click Submit to send your comments to Cisco Systems Inc. We appreciate and value your comments.
  • Page 76: Expert Mode

    Chapter 3 Getting Started with CMS Understanding CMS Guide mode is not available if your switch access level is read-only. For more information about the read-only access mode, see the “Privilege Levels” section on page 3-6. Expert Mode Expert mode is for users who prefer to display all the parameter fields of a feature in a single CMS window.
  • Page 77: Access To Older Switches In A Cluster

    If your cluster has these member switches running earlier software releases and if you have read-only access to these member switches, some configuration windows for those switches display incomplete information: • Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 or earlier • Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier...
  • Page 78: Minimum Hardware Configuration

    Chapter 3 Getting Started with CMS Configuring CMS Minimum Hardware Configuration The minimum PC requirement is a Pentium processor running at 233 MHz with 64 MB of DRAM. The minimum UNIX workstation requirement is a Sun Ultra 1 running at 143 MHz with 64 MB of DRAM. Table 3-2 lists the minimum platforms for running CMS.
  • Page 79: Cross-Platform Considerations

    CMS on the Catalyst 1900 and Catalyst 2820 switches is referred to as Switch Manager. Cluster management options are not available on these switches. This is the earliest version of CMS. Refer to the documentation specific to the switch and its Cisco IOS release for descriptions of the CMS version.
  • Page 80: Configuring An Authentication Method (Nondefault Configuration Only)

    Configure the HTTP server interface for the type of authentication you want to use. • enable—Enable password, which is the default method of HTTP server user authentication. • local—Local user database as defined on the Cisco router or access server is used. • tacacs—TACACS server is used. Step 3 Return to privileged EXEC mode.
  • Page 81 Chapter 3 Getting Started with CMS Displaying CMS Figure 3-4 Switch Home Page The Switch Home Page has these tabs: • Express Setup—Opens the Express Setup page. Note You can use Express Setup to assign an IP address to an unconfigured switch. For more information, refer to the hardware installation guide.
  • Page 82 Tools—Accesses diagnostic and monitoring tools, such as Telnet, Extended Ping, and the show interfaces privileged EXEC command • Help Resources—Provides links to the Cisco website, technical documentation, and the Cisco Technical Assistance Center (TAC) Step 3 Click Cluster Management Suite to launch the CMS interface. The CMS Startup Report runs and verifies that your PC or workstation can correctly run CMS.
  • Page 83: Front Panel View

    Chapter 3 Getting Started with CMS Displaying CMS Front Panel View When CMS is launched from a noncommand switch, the Front Panel view displays by default, and the front-panel view displays only the front panel of the specific switch. When CMS is launched from a command switch, you can display the Front Panel view by clicking the Front Panel button on the tool bar, as shown in Figure 3-6.
  • Page 84: Topology View

    Chapter 3 Getting Started with CMS Displaying CMS Note On Catalyst 1900 and Catalyst 2820 switches, CMS is referred to as Device Manager (also referred to as Switch Manager). Device Manager is for configuring an individual switch. When you select Device Manager for a specific switch in the cluster, you launch a separate CMS session.
  • Page 85: CMS Icons

    Chapter 3 Getting Started with CMS Where to Go Next • Expand Cluster—When you right-click a cluster icon and select Expand Cluster, the Topology view displays the switch cluster in detail. This view shows the command switch and member switches in a cluster. It also shows candidate switches that can join the cluster. This view does not display the details of any neighboring switch clusters. • Collapse Cluster—When you right-click a command-switch icon and select Collapse Cluster, the...
  • Page 87: Understanding the Boot Process

    CHAPTER Assigning the Switch IP Address and Default Gateway This chapter describes how to create the initial switch configuration (for example, assign the switch IP address and default gateway information) by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration.
  • Page 88: Chapter 4 Assigning the Switch IP Address and Default Gateway

    For more information about the setup program, refer to the release notes on Cisco.com. If you are a new user on a switch running Cisco IOS Release 12.1(14)EA1 or later, you can also use the Express Setup program. Use a DHCP server or the DHCP server feature running on the switch for centralized control and automatic assignment of IP information when the server is configured.
  • Page 89: Default Switch Information

    Chapter 4 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Default Switch Information Table 4-1 shows the default switch information.

    Table 4-1 Default Switch Information
    Feature                     Default Setting
    IP address and subnet mask  No IP address or subnet mask are defined.
    Default gateway             No default gateway is defined.
  • Page 90 Chapter 4 Assigning the Switch IP Address and Default Gateway Assigning Switch Information • When a configuration file is present and the service config global configuration command is enabled on the switch. In this case, the switch broadcasts TFTP requests for the configuration file. Figure 4-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server.
  • Page 91: Configuring DHCP-Based Autoconfiguration

    • Example Configuration, page 4-8
    If your DHCP server is a Cisco device, or if you are configuring the switch as a DHCP server, refer to the “IP Addressing and Services” section in the Cisco IOS IP and IP Routing Configuration Guide for Cisco IOS Release 12.1 for additional information about configuring DHCP.
  • Page 92: Configuring the TFTP Server

    TFTP packets. You must configure this relay device to forward received broadcast packets on an interface to the destination host. If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 93: Obtaining Configuration Files

    For more information, see the “Routed Ports” section on page 10-4 and the “Configuring Layer 3 Interfaces” section on page 10-18.

    Figure 4-2 Relay Device Used in Autoconfiguration (switch as DHCP client at 10.0.0.2; Cisco router as relay with interfaces 10.0.0.1 and 20.0.0.1; servers at 20.0.0.2, 20.0.0.3 and 20.0.0.4)...
  • Page 94: Example Configuration

    Figure 4-3 DHCP-Based Autoconfiguration Network Example (Switch 1 through Switch 4 with hardware addresses 00e0.9f1e.2001 through 00e0.9f1e.2004; Cisco router 10.0.0.10; DHCP server 10.0.0.1; DNS server 10.0.0.2; TFTP server maritsu at 10.0.0.3)

    Table 4-2 shows the configuration of the reserved leases on the DHCP server or the DHCP server feature running on your switch.
  • Page 95 Chapter 4 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Table 4-2 DHCP Server Configuration (continued)
    Field               Switch-1             Switch-2             Switch-3             Switch-4
    Router address      10.0.0.10            10.0.0.10            10.0.0.10            10.0.0.10
    DNS server address  10.0.0.2             10.0.0.2             10.0.0.2             10.0.0.2
    TFTP server name    maritsu or 10.0.0.3  maritsu or 10.0.0.3  maritsu or 10.0.0.3  maritsu or 10.0.0.3
    ...
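A worked DHCP-based autoconfiguration setup for the network of Figure 4-3 and Table 4-2, together with the relay device of Figure 4-2. This is an added example, not configuration taken from the guide. It assumes the DHCP server is a Cisco router (or the DHCP server feature on a Catalyst 3550) that supports the Cisco IOS DHCP pool commands shown, and it invents the switch address 10.0.0.21, the configuration file name switch1-confg, and which of the 20.0.0.0/24 hosts behind the relay are the DHCP and TFTP servers. Nothing in this exchange is authenticated: the switch takes the first DHCP offer it hears and then fetches its configuration over cleartext TFTP, so keep the provisioning VLAN away from untrusted hosts.

```ios
! --- DHCP server (Cisco router, or the DHCP server feature on a 3550) ---
Router# configure terminal
! Keep the infrastructure addresses out of the dynamic range.
Router(config)# ip dhcp excluded-address 10.0.0.1 10.0.0.10
! One reserved lease per switch, bound to the hardware (MAC) address from
! Figure 4-3. Only Switch 1 is shown; repeat for 00e0.9f1e.2002 to .2004.
Router(config)# ip dhcp pool switch1
! Assumed address for Switch 1.
Router(dhcp-config)# host 10.0.0.21 255.255.255.0
Router(dhcp-config)# hardware-address 00e0.9f1e.2001
! Router address, DNS server address and TFTP server address from Table 4-2.
Router(dhcp-config)# default-router 10.0.0.10
Router(dhcp-config)# dns-server 10.0.0.2
Router(dhcp-config)# option 150 ip 10.0.0.3
! Configuration file name sent as DHCP option 67 (assumed name).
Router(dhcp-config)# bootfile switch1-confg
Router(dhcp-config)# end

! --- Relay router of Figure 4-2, needed only when the servers sit on
! another subnet. ip routing is already on for a router; it must be enabled
! explicitly when a 3550 is the relay. The helper addresses turn the
! switch's DHCP and TFTP broadcasts into unicasts toward the servers. ---
Router# configure terminal
Router(config)# ip routing
Router(config)# interface FastEthernet0/1
Router(config-if)# description toward the DHCP-client switch 10.0.0.2
Router(config-if)# ip address 10.0.0.1 255.255.255.0
! Assumed: DHCP server at 20.0.0.2, TFTP server at 20.0.0.3.
Router(config-if)# ip helper-address 20.0.0.2
Router(config-if)# ip helper-address 20.0.0.3
Router(config-if)# end

! --- On the switch: when a configuration file is already present, service
! config makes it still broadcast TFTP requests for a new file at boot. ---
Switch# configure terminal
Switch(config)# service config
Switch(config)# end
Switch# show ip dhcp binding
```

Check the lease from the server side with show ip dhcp binding; the entry for 00e0.9f1e.2001 should show 10.0.0.21 as a manual binding.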
  • Page 96: Manually Assigning IP Information

    Chapter 4 Assigning the Switch IP Address and Default Gateway Checking and Saving the Running Configuration Manually Assigning IP Information Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs) or ports: Command Purpose Step 1...
  • Page 97 Flash memory, use the show startup-config or more startup-config privileged EXEC command. For more information about alternative locations to copy the configuration file, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.”
  • Page 98: Modifying The Startup Configuration

    Chapter 4 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Modifying the Startup Configuration This section describes how to modify the switch startup configuration. It contains this configuration information:
    • Default Boot Configuration, page 4-12
    • Automatically Downloading a Configuration File, page 4-12
    • Booting Manually, page 4-13
    •...
  • Page 99: Specifying The Filename To Read And Write The System Configuration

    Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot cycle.
  • Page 100: Booting A Specific Software Image

    Chapter 4 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Command Purpose Step 4 show boot Verify your entries. The boot manual global configuration command changes the setting of the MANUAL_BOOT environment variable. The next time you reboot the system, the switch is in boot loader mode, shown by the switch: prompt.
  • Page 101: Controlling Environment Variables

    Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
  • Page 102 Table 4-5 describes the function of the most common environment variables.
    Table 4-5 Environment Variables
    Variable: MANUAL_BOOT
      Boot loader command: set MANUAL_BOOT yes (determines whether the switch automatically or manually boots)
      Cisco IOS global configuration command: boot manual (enables manually booting the switch during...)
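The manual IP assignment from the “Manually Assigning IP Information” section followed by the startup-configuration settings from this section, as one initial-setup transcript. This is an added example and not the guide's own; the VLAN 1 address, default gateway and image file name are assumptions, and boot config-file is set to its default, flash:config.text, only to make the setting explicit. The switch: prompt needs nothing more than console access, so whoever reaches the console can choose the image that boots; keep that in mind before leaving boot manual set.

```ios
Switch# configure terminal
! Management SVI: assumed address 10.0.0.21/24 on VLAN 1, gateway 10.0.0.10.
Switch(config)# interface vlan 1
Switch(config-if)# ip address 10.0.0.21 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# ip default-gateway 10.0.0.10
! Nonvolatile configuration file (the default name) and the image the boot
! loader should load (assumed file name).
Switch(config)# boot config-file flash:config.text
Switch(config)# boot system flash:c3550-i5q3l2-mz.121-19.EA1.bin
Switch(config)# end
! Write the running configuration to the file named by boot config-file,
! then confirm the boot environment and the stored copy.
Switch# copy running-config startup-config
Switch# show boot
Switch# more startup-config

! Manual boot. In Cisco IOS the command is boot manual; at the boot loader
! it is the MANUAL_BOOT variable of Table 4-5. After the next reload the
! switch stops at the switch: prompt and waits for a boot command.
Switch# configure terminal
Switch(config)# boot manual
Switch(config)# end
Switch# reload
switch: set MANUAL_BOOT yes
switch: boot flash:c3550-i5q3l2-mz.121-19.EA1.bin
```

Return to automatic booting with no boot manual from Cisco IOS, or set MANUAL_BOOT no at the switch: prompt.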
  • Page 103: Scheduling A Reload Of The Software Image

    Chapter 4 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image Scheduling a Reload of the Software Image You can schedule a reload of the software image to occur on the switch at a later time (for example, late at night or during the weekend when the switch is used less), or you can synchronize a reload network-wide (for example, to perform a software upgrade on all switches in the network).
  • Page 104: Displaying Scheduled Reload Information

    Chapter 4 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image This example shows how to reload the software on the switch at a future time: Switch# reload at 02:00 jun 20 Reload scheduled for 02:00:00 UTC Thu Jun 20 1996 (in 344 hours and 53 minutes) Proceed with reload? [confirm] To cancel a previously scheduled reload, use the reload cancel privileged EXEC command.
  • Page 105: Understanding IE2100 Series Configuration Registrar Software

    Services (CNS) embedded agents on your Catalyst 3550 switch. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco Intelligence Engine 2100 Series Configuration Registrar Manual, and select Cisco IOS Software Release 12.2 > New Feature Documentation > 12.2(2)T on Cisco.com.
  • Page 106: Chapter 5 Configuring IE2100 CNS Agents

    Chapter 5 Configuring IE2100 CNS Agents Understanding IE2100 Series Configuration Registrar Software Figure 5-1 Configuration Registrar Architectural Overview (service provider network: order entry and configuration management, web-based user interface, data service directory, configuration server, event service, Configuration Registrar) These sections contain this conceptual information: •...
  • Page 107: CNS Event Service

    ID or group ID, and event. Cisco IOS devices recognize only event subject-names that match those configured in Cisco IOS software; for example, cisco.cns.config.load. You can use the namespace mapping service to designate events by using any desired naming convention.
  • Page 108: DeviceID

    Configuration Registrar. The origin of the deviceID is defined by the Cisco IOS host name of the switch. However, the deviceID variable and its usage reside within the event gateway, which is adjacent to the switch.
  • Page 109: Understanding CNS Embedded Agents

    Chapter 5 Configuring IE2100 CNS Agents Understanding CNS Embedded Agents Understanding CNS Embedded Agents The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the CNS configuration agent. The CNS configuration agent feature supports the switch by providing: •...
  • Page 110: Incremental (Partial) Configuration

    NVRAM for use at the next reboot. Configuring CNS Embedded Agents The CNS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 5-6.
  • Page 111 Note For more information about running the setup program and creating templates on the Configuration Registrar, refer to the Cisco Intelligence Engine 2100 Series Configuration Registrar Manual.
  • Page 112: Enabling the CNS Event Agent

    Chapter 5 Configuring IE2100 CNS Agents Configuring CNS Embedded Agents Enabling the CNS Event Agent Note You must enable the CNS event agent on the switch before you enable the CNS configuration agent. Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch: Command Purpose Step 1...
  • Page 113: Enabling the CNS Configuration Agent

    Chapter 5 Configuring IE2100 CNS Agents Configuring CNS Embedded Agents To disable the CNS event agent, use the no cns event {ip-address | hostname} global configuration command. This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count.
  • Page 114 Chapter 5 Configuring IE2100 CNS Agents Configuring CNS Embedded Agents Command Purpose Step 3 config-cli Enter config-cli to connect to the Configuration Registrar through the interface defined in cns config line-cli connect-intf. Enter line-cli to connect to the Registrar through modem dialup lines. Note The config-cli interface configuration command accepts the special directive...
  • Page 115 Chapter 5 Configuring IE2100 CNS Agents Configuring CNS Embedded Agents Command Purpose Step 8 cns config initial {ip-address | hostname} [port-number] Enable the configuration agent, and initiate an initial [event] [no-persist] [page page] [source ip-address] configuration. [syntax-check] • For {ip-address | hostname}, enter the IP address or the host name of the configuration server.
  • Page 116: Enabling A Partial Configuration

    Chapter 5 Configuring IE2100 CNS Agents Configuring CNS Embedded Agents Enabling a Partial Configuration Beginning in privileged EXEC mode, follow these steps to enable the CNS configuration agent and to initiate a partial configuration on the switch: Command Purpose Step 1 configure terminal Enter global configuration mode.
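The event-agent and configuration-agent steps of this chapter as one transcript, with the Registrar address, keepalive and retry count that the guide's own example uses. This is an added example, not the guide's; the host name is assumed, and the cns config partial form is the one known from Cisco IOS 12.1 rather than a syntax shown on this page. The cns config initial syntax listed above carries no transport-security option, so the switch trusts whatever answers at the Registrar address; the no-persist and syntax-check keywords at least keep a bad or unexpected configuration out of NVRAM until it has been looked at.

```ios
Switch# configure terminal
! The deviceID seen by the event gateway is derived from the host name,
! so set it first (assumed name).
Switch(config)# hostname Switch3
! Event agent toward the event gateway at 10.180.1.27: keepalive every
! 120 seconds, 10 retries. This must be enabled before the config agent.
Switch3(config)# cns event 10.180.1.27 keepalive 120 10
! Configuration agent: pull the initial configuration from the same host,
! announce completion on the event bus (event), check syntax before
! applying, and do not write the result to NVRAM (no-persist).
Switch3(config)# cns config initial 10.180.1.27 event no-persist syntax-check
! Accept incremental (partial) configurations pushed later over the bus.
Switch3(config)# cns config partial 10.180.1.27
Switch3(config)# end
! Verify the event-bus session, the config-server session, and any partial
! configuration that has started but not yet finished.
Switch3# show cns event connections
Switch3# show cns config connections
Switch3# show cns config outstanding
! Once the pulled configuration has been reviewed, commit it.
Switch3# copy running-config startup-config
```

To take the switch off the bus again, use no cns event 10.180.1.27 and no cns config initial, in that order of dependence reversed (configuration agent first, then event agent).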
  • Page 117: Displaying CNS Configuration

    Chapter 5 Configuring IE2100 CNS Agents Displaying CNS Configuration Displaying CNS Configuration You can use the privileged EXEC commands in Table 5-2 to display CNS Configuration information. Table 5-2 Displaying CNS Configuration Command Purpose show cns config connections Displays the status of the CNS configuration agent connections. show cns config outstanding Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
  • Page 119: Clustering Switches

    Chapter 6 Clustering Switches This chapter provides these topics to help you get started with switch clustering:
    • Understanding Switch Clusters, page 6-2
    • Planning a Switch Cluster, page 6-5
    • Creating a Switch Cluster, page 6-19
    • Using the CLI to Manage Switch Clusters, page 6-25
    •...
  • Page 120: Chapter 6 Clustering Switches

    Chapter 6 Clustering Switches Understanding Switch Clusters Understanding Switch Clusters A switch cluster is a group of connected Catalyst switches that are managed as a single entity. In a switch cluster, 1 switch must be the command switch and up to 15 switches can be member switches. The total number of switches in a cluster cannot exceed 16 switches.
  • Page 121: Command Switch Characteristics

    Catalyst 2950 LRE switches. – When the command switch is a non-LRE Catalyst 2950 switch running Cisco IOS Release 12.1(9)EA1 or later, all standby command switches must be non-LRE Catalyst 2950 switches running Cisco IOS Release 12.1(9)EA1 or later.
  • Page 122: Candidate Switch And Member Switch Characteristics

    Clustering Switches Understanding Switch Clusters – When the command switch is running Cisco IOS Release 12.0(5)WC2 or earlier, the standby command switches can be these switches: Catalyst 2900 XL, non-LRE Catalyst 2950, and Catalyst 3500 XL switches.
    • We strongly recommend that the command switch and standby command switches are of the same...
  • Page 123: Planning A Switch Cluster

    Java plug-in configurations. Automatic Discovery of Cluster Candidates and Members The command switch uses Cisco Discovery Protocol (CDP) to discover member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
  • Page 124: Discovery Through CDP Hops

    Discovery through Non-CDP-Capable and Noncluster-Capable Devices If a command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 125: Discovery Through Different VLANs

    VLAN 16 in the first column because the command switch has no VLAN connectivity to it. Catalyst 2900 XL member switches, Catalyst 2950 member switches running a release earlier than Cisco IOS Release 12.1(9)EA1, and Catalyst 3500 XL member switches must be connected to the command switch through their management VLAN.
  • Page 126: Discovery Through the Same Management VLAN

    A Catalyst 2900 XL command switch, a non-LRE Catalyst 2950 command switch running a release earlier than Cisco IOS Release 12.1(9)EA1, or a Catalyst 3500 XL command switch must connect to all cluster members through its management VLAN. The default management VLAN is VLAN 1. For more information about management VLANs, refer to the software configuration guide for the specific switch.
  • Page 127: Discovery Through Different Management VLANs

    Catalyst 2950 LRE member switches, and non-LRE Catalyst 2950 member switches running Cisco IOS Release 12.1(9)EA1 or later must be connected through at least one VLAN in common with the command switch. All other member switches must be connected to the command switch through their management VLAN.
  • Page 128: Discovery Through Routed Ports

    Chapter 6 Clustering Switches Planning a Switch Cluster Figure 6-6 Discovery through Different Management VLANs with a Layer 3 Command Switch (Catalyst 3550 command switch and Catalyst 3550 standby command switch; VLAN 9, VLAN 16 and VLAN 62; Switch 3 on management VLAN 16; Switch 5...)
  • Page 129: Discovery Of Newly Installed Switches

    Chapter 6 Clustering Switches Planning a Switch Cluster Figure 6-7 Discovery through Routed Ports (command switch with VLAN 9, VLAN 62 and VLAN 4 connections; member switch 7 on management VLAN 62) Discovery of Newly Installed Switches To join a cluster, the new, out-of-the-box switch must be connected to the cluster through one of its access ports.
  • Page 130: HSRP and Standby Command Switches

    Cisco IOS Release 12.1(6)EA2 or later. • When the command switch is running Cisco IOS Release 12.0(5)WC2 or earlier, the standby command switches can be these switches: Catalyst 2900 XL, non-LRE Catalyst 2950, and Catalyst 3500 XL switches.
  • Page 131: Virtual IP Addresses

    Chapter 6 Clustering Switches Planning a Switch Cluster The switches in the cluster standby group are ranked according to HSRP priorities. The switch with the highest priority in the group is the active command switch (AC). The switch with the next highest priority is the standby command switch (SC).
  • Page 132 Release 12.1(6)EA2 or later, all standby command switches must be non-LRE Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later.
    – When the command switch is running Cisco IOS Release 12.0(5)WC2 or earlier, the standby command switches can be these switches: Catalyst 2900 XL, non-LRE Catalyst 2950, and Catalyst 3500 XL switches.
  • Page 133: Automatic Recovery Of Cluster Configuration

    Chapter 6 Clustering Switches Planning a Switch Cluster Figure 6-9 VLAN Connectivity between Standby-Group Members and Cluster Members (Catalyst 3550 active, passive and standby command switches carrying VLANs 9 and 16; management VLAN 9; VLAN 16 toward Catalyst 2900 XL or...)
  • Page 134: IP Addresses

    Chapter 6 Clustering Switches Planning a Switch Cluster IP Addresses You must assign IP information to a command switch. You can assign more than one IP address to the command switch, and you can access the cluster through any of the command-switch IP addresses. If you configure a cluster standby group, you must use the standby-group virtual IP address to manage the cluster from the active command switch.
  • Page 135: SNMP Community Strings

    Chapter 6 Clustering Switches Planning a Switch Cluster If you change the member-switch password to be different from the command-switch password and save the change, the switch is not manageable by the command switch until you change the member-switch password to match the command-switch password. Rebooting the member switch does not revert the password back to the command-switch password.
  • Page 136: LRE Profiles

    In read-only mode, these switches appear as unavailable devices and cannot be configured from CMS. LRE Profiles In Cisco IOS Release 12.1(14)EA1 or later, the Catalyst 2950 LRE switches do not support public profiles. In software releases earlier than Cisco IOS Release 12.1(14)EA1, a configuration conflict occurs if a switch cluster has LRE switches that use both private and public profiles.
  • Page 137: Creating A Switch Cluster

    Chapter 6 Clustering Switches Creating a Switch Cluster Creating a Switch Cluster Using CMS to create a cluster is easier than using the CLI commands. This section provides this information:
    • Enabling a Command Switch, page 6-19
    • Adding Member Switches, page 6-20
    • Creating a Cluster Standby Group, page 6-22
    •...
  • Page 138: Adding Member Switches

    Chapter 6 Clustering Switches Creating a Switch Cluster Figure 6-10 Create Cluster Window (the command switch C3550-12T; the cluster name can be up to 31 characters) Adding Member Switches As explained in the “Automatic Discovery of Cluster Candidates and Members” section on page 6-5, the command switch automatically discovers candidate switches.
  • Page 139 Chapter 6 Clustering Switches Creating a Switch Cluster For additional authentication considerations in switch clusters, see the “TACACS+ and RADIUS” section on page 6-17. Figure 6-11 Add to Cluster Window (select a switch, for example 2900-LRE-24-1, and click Add; press Ctrl and left-click to select more than one switch)
  • Page 140: Creating A Cluster Standby Group

    When the command switch is a Catalyst 2950 LRE switch, all standby command switches must be Catalyst 2950 LRE switches.
    • When the command switch is a non-LRE Catalyst 2950 switch running Cisco IOS Release 12.1(9)EA1 or later, all standby command switches must be non-LRE Catalyst 2950 switches running Cisco IOS Release 12.1(9)EA1 or later.
  • Page 141 Release 12.1(6)EA2 or later, all standby command switches must be non-LRE Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later.
    • When the command switch is running Cisco IOS Release 12.0(5)WC2 or earlier, the standby command switches can be these switches: Catalyst 2900 XL, non-LRE Catalyst 2950, and Catalyst 3500 XL switches.
  • Page 142: Verifying A Switch Cluster

    Chapter 6 Clustering Switches Creating a Switch Cluster Figure 6-13 Standby Command Configuration Window (3550C, cisco WS-C3550-C-24, is the active command switch; 3550-150, cisco WS-C3550-12T, is the standby command switch; NMS-3550-12T-149 is also listed; the virtual IP address must be a valid IP address in the same subnet as the active command switch)
  • Page 143: Using the CLI to Manage Switch Clusters

    Chapter 6 Clustering Switches Using the CLI to Manage Switch Clusters Figure 6-14 Inventory Window (lists each cluster switch with its software version, for example 12.1(4)EA1, 12.0(5)WC2 and 12.1(6)EA2, and its IP addresses, for example 10.10.10.6, 10.10.10.7, 10.1.1.2 and 10.10.10.1) If you lose connectivity with a member switch or if a command switch fails, see the “Using Recovery Procedures”...
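The cluster that the CMS windows above build, created instead from the CLI of the command switch, with a cluster standby group on top. This is an added example, not the guide's; the cluster name, member MAC addresses, the second member's enable password and the virtual IP address are assumptions. Once a switch joins, it is managed through the command switch and takes on the command-switch enable password, so the command switch (and, with a standby group, its virtual address) is the single point of administrative control for every member.

```ios
! --- On the switch that is to become the command switch ---
Switch# configure terminal
! Assumed cluster name; 0 is the command switch's own member number.
Switch(config)# cluster enable eng-cluster 0
! Add CDP-discovered candidates by MAC address (assumed addresses). A
! candidate whose enable password differs from the command switch's must
! be added with that password; afterwards it uses the command-switch one.
Switch(config)# cluster member 1 mac-address 0002.4b29.2e00
Switch(config)# cluster member 2 mac-address 0002.4b29.2e01 password member2-enable
! Standby command switch group: HSRP on a VLAN the 3550 command and
! standby switches share. Virtual IP 10.10.10.250 is assumed; the highest
! priority becomes the active command switch. The standby switch needs the
! same group number and name on the same VLAN.
Switch(config)# interface vlan 1
Switch(config-if)# standby 1 ip 10.10.10.250
Switch(config-if)# standby 1 priority 110
Switch(config-if)# standby 1 preempt
Switch(config-if)# standby 1 name cluster1
Switch(config-if)# exit
Switch(config)# cluster standby-group cluster1
Switch(config)# end
! Verify: members with their numbers and status, remaining candidates,
! and the HSRP state of the standby group.
Switch# show cluster
Switch# show cluster members
Switch# show cluster candidates
Switch# show standby brief
```

From here on manage the cluster through 10.10.10.250 rather than a physical command-switch address, as the “IP Addresses” section requires, so that a failover to the standby command switch does not change the management address.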
  • Page 144: Using SNMP to Manage Switch Clusters

    Chapter 6 Clustering Switches Using SNMP to Manage Switch Clusters Command-switch privilege levels map to the Catalyst 1900 and Catalyst 2820 member switches running standard and Enterprise Edition Software as follows: • If the command-switch privilege level is 1 to 14, the member switch is accessed at privilege level 1. •...
  • Page 145 Chapter 6 Clustering Switches Using SNMP to Manage Switch Clusters Figure 6-15 SNMP Management for a Cluster (SNMP Manager; command switch; Trap 1, Trap 2 and Trap 3 from Member 1, Member 2 and Member 3)
  • Page 147: Managing The System Time And Date

    You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1.
  • Page 148: Chapter 7 Administering The Switch

    Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 149: Configuring NTP

    Chapter 7 Administering the Switch Managing the System Time and Date Several manufacturers include NTP software for their host systems, and a publicly available version for systems running UNIX and its various derivatives is also available. This software allows host systems to be time-synchronized as well.
  • Page 150: Default NTP Configuration

    Chapter 7 Administering the Switch Managing the System Time and Date Default NTP Configuration Table 7-1 shows the default NTP configuration.

    Table 7-1 Default NTP Configuration
    Feature                          Default Setting
    NTP authentication               Disabled. No authentication key is specified.
    NTP peer or server associations  None configured.
  • Page 151: Configuring NTP Associations

    Chapter 7 Administering the Switch Managing the System Time and Date Command Purpose Step 5 end Return to privileged EXEC mode. Step 6 show running-config Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable NTP authentication, use the no ntp authenticate global configuration command.
  • Page 152: Configuring NTP Broadcast Service

    Chapter 7 Administering the Switch Managing the System Time and Date Command Purpose Step 3 end Return to privileged EXEC mode. Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. You need to configure only one end of an association;...
  • Page 153: Configuring NTP Access Restrictions

    Chapter 7 Administering the Switch Managing the System Time and Date Command Purpose Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Step 7 Configure the connected peers to receive NTP broadcast packets as described in the next procedure. To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command.
  • Page 154 Chapter 7 Administering the Switch Managing the System Time and Date Creating an Access Group and Assigning a Basic IP Access List Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists: Command Purpose Step 1...
  • Page 155: Configuring the Source IP Address for NTP Packets

    Chapter 7 Administering the Switch Managing the System Time and Date If the source IP address matches the access lists for more than one access type, the first type in the order peer, serve, serve-only, query-only is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted.
  • Page 156: Displaying the NTP Configuration

    • show ntp associations [detail]
    • show ntp status
    For detailed information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1. Configuring Time and Date Manually If no other source of time is available, you can manually configure the time and date after the system is restarted.
  • Page 157: Setting The System Clock

    Chapter 7 Administering the Switch Managing the System Time and Date Setting the System Clock If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock. Beginning in privileged EXEC mode, follow these steps to set the system clock: Command Purpose...
  • Page 158: Configuring The Time Zone

    Chapter 7 Administering the Switch Managing the System Time and Date Configuring the Time Zone Beginning in privileged EXEC mode, follow these steps to manually configure the time zone: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 clock timezone zone hours-offset Set the time zone.
  • Page 159: Configuring Summer Time (Daylight Saving Time)

    Chapter 7 Administering the Switch Managing the System Time and Date Configuring Summer Time (Daylight Saving Time) Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year: Command Purpose Step 1...
  • Page 160 Chapter 7 Administering the Switch Managing the System Time and Date Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events): Command Purpose Step 1...
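The NTP procedures of this section (authentication, the association, access restrictions, source address and broadcast service) and the manual time-zone settings, as one transcript. This is an added example, not the guide's; the time-source address 10.0.0.5, the key string, the client subnet, the broadcast VLAN and the Pacific time zone are assumptions. The point is the combination: a trusted key stops the switch from taking time from any host that happens to answer, and the access groups stop every other host from querying or controlling the switch's NTP process.

```ios
Switch# configure terminal
! Authenticated NTP: synchronize only to a server that proves knowledge of
! key 42 (assumed key string and server address).
Switch(config)# ntp authenticate
Switch(config)# ntp authentication-key 42 md5 Ntp-S3cret-42
Switch(config)# ntp trusted-key 42
Switch(config)# ntp server 10.0.0.5 key 42 prefer
! Send NTP from the VLAN 1 address so the server can restrict by source.
Switch(config)# ntp source vlan 1
! Access restrictions. Groups are checked in the order peer, serve,
! serve-only, query-only and the first match decides. Only the time source
! is a peer (the switch may synchronize to it); hosts on 10.0.0.0/24 may
! ask the switch for time but may not send control queries; once any group
! exists, everything not listed is refused.
Switch(config)# access-list 10 permit 10.0.0.5
Switch(config)# access-list 20 permit 10.0.0.0 0.0.0.255
Switch(config)# ntp access-group peer 10
Switch(config)# ntp access-group serve-only 20
! Broadcast service on an assumed client VLAN, authenticated with the same
! key; clients configure ntp broadcast client and trust key 42 too.
Switch(config)# interface vlan 10
Switch(config-if)# ntp broadcast key 42
Switch(config-if)# exit
! Local presentation of time: zone and recurring daylight saving time.
Switch(config)# clock timezone PST -8
Switch(config)# clock summer-time PDT recurring
Switch(config)# end
! Verify: the 10.0.0.5 association should be flagged authenticated and
! show ntp status should report the clock as synchronized.
Switch# show ntp associations detail
Switch# show ntp status
Switch# show clock detail
```

show clock detail names the time source in use; if it reports the clock as set by hand rather than by NTP after a few minutes, the association, its key or the peer access group is wrong.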
  • Page 161: Configuring A System Name And Prompt

    Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1 and the Cisco IOS IP and IP Routing Command Reference for Cisco IOS Release 12.1.
  • Page 162: Configuring A System Prompt

    Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
  • Page 163: Default DNS Configuration

    Chapter 7 Administering the Switch Configuring a System Name and Prompt Default DNS Configuration Table 7-2 shows the default DNS configuration.

    Table 7-2 Default DNS Configuration
    Feature                  Default Setting
    DNS enable state         Enabled.
    DNS default domain name  None configured.
    DNS servers              No name server addresses are configured.
  • Page 164: Displaying the DNS Configuration

    The login banner also displays on all connected terminals. It appears after the MOTD banner and before the login prompts. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1. This section contains this configuration information: •...
  • Page 165: Configuring A Message-Of-The-Day Login Banner

    Chapter 7 Administering the Switch Creating a Banner Configuring a Message-of-the-Day Login Banner You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: Command Purpose Step 1...
  • Page 166: Configuring A Login Banner

    Chapter 7 Administering the Switch Managing the MAC Address Table Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner: Command Purpose Step 1...
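The system name, DNS and both banners of this section in one transcript, added here as an example that is not the guide's own; the host name, domain, name-server address and banner wording are assumptions. The two banners appear in the order the section describes, MOTD first and login banner just before the prompts, and they are seen by everyone who connects before authentication, so they should carry the legal notice and nothing that identifies the platform, software version or site.

```ios
Switch# configure terminal
! Assumed host and domain names; the prompt changes with the host name.
Switch(config)# hostname dist-3550-1
dist-3550-1(config)# ip domain-name example.com
dist-3550-1(config)# ip name-server 10.0.0.2
! MOTD banner: shown to every connection before any login prompt. The
! delimiter (# here) may be any character that does not occur in the text.
dist-3550-1(config)# banner motd #
UNAUTHORIZED ACCESS PROHIBITED.
This system is for authorized users only. All activity may be monitored
and recorded, and evidence of unauthorized use may be provided to law
enforcement.
#
! Login banner: shown after the MOTD and before the username and password
! prompts.
dist-3550-1(config)# banner login #
Authenticate with your assigned credentials.
#
dist-3550-1(config)# end
! Verify the banners as stored and the DNS settings.
dist-3550-1# show running-config | begin banner
dist-3550-1# show hosts
```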
  • Page 167: Building The Address Table

    Chapter 7 Administering the Switch Managing the MAC Address Table This section contains this configuration information:
    • Building the Address Table, page 7-21
    • MAC Addresses and VLANs, page 7-21
    • Default MAC Address Table Configuration, page 7-22
    • Changing the Address Aging Time, page 7-22
    •...
  • Page 168: Default MAC Address Table Configuration

    Chapter 7 Administering the Switch Managing the MAC Address Table Default MAC Address Table Configuration Table 7-3 shows the default MAC address table configuration.

    Table 7-3 Default MAC Address Table Configuration
    Feature            Default Setting
    Aging time         300 seconds
    Dynamic addresses  Automatically learned
    Static addresses   None configured
    ...
  • Page 169: Removing Dynamic Address Entries

    Chapter 7 Administering the Switch Managing the MAC Address Table Removing Dynamic Address Entries To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode. You can also remove a specific MAC address (clear mac address-table dynamic address mac-address), remove all addresses on the specified physical port or port channel (clear mac address-table dynamic interface interface-id), or remove all addresses on a specified VLAN (clear mac address-table dynamic vlan vlan-id).
  • Page 170 Chapter 7 Administering the Switch Managing the MAC Address Table Command Purpose Step 5 mac address-table notification [interval value] | Enter the trap interval time and the history table size. [history-size value] • (Optional) For interval value, specify the notification trap interval in seconds between each set of traps that are generated to the NMS.
  • Page 171: Adding And Removing Static Address Entries

    Chapter 7 Administering the Switch Managing the MAC Address Table Adding and Removing Static Address Entries A static address has these characteristics: • It is manually entered in the address table and must be manually removed. • It can be a unicast or multicast address. •...
  • Page 172: Configuring Unicast MAC Address Filtering

    Chapter 7 Administering the Switch Managing the MAC Address Table Configuring Unicast MAC Address Filtering When unicast MAC address filtering is enabled, the switch drops packets with specific source or destination MAC addresses. This feature is disabled by default and only supports unicast static addresses.
  • Page 173: Displaying Address Table Entries

    Chapter 7 Administering the Switch Optimizing System Resources for User-Selected Features This example shows how to enable unicast MAC address filtering and to configure the switch to drop packets that have a source or destination address of c2f3.220a.12f4. When a packet is received in VLAN 4 with this MAC address as its source or destination, the packet is dropped: Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop Displaying Address Table Entries...
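The MAC address table procedures of this section together: aging time, a static entry, the unicast filtering entry from the guide's own example above, and MAC address change notification to an NMS. This is an added example and not the guide's; the pinned host address, the port, the NMS address and its trap community string are assumptions. A static entry is never aged out and is not overwritten by dynamic learning, so the host stays bound to the port it was entered for; the filtering entry drops frames carrying the listed address as source or destination, and, as the section says, it works only for unicast static addresses.

```ios
Switch# configure terminal
! Age dynamic entries in VLAN 4 out after 10 minutes instead of 300 s.
Switch(config)# mac address-table aging-time 600 vlan 4
! Static unicast entry (assumed address): binds the host to Fast Ethernet
! 0/2 in VLAN 4; it is never aged out and is not moved by dynamic learning.
Switch(config)# mac address-table static 0002.4b29.2e10 vlan 4 interface fastethernet0/2
! Unicast MAC address filtering: drop frames with this source or
! destination address in VLAN 4.
Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop
! MAC address change notification: traps to an assumed NMS, batched every
! 60 seconds, with the last 200 changes kept in the history table.
Switch(config)# snmp-server host 10.0.0.50 traps trap-c0mm mac-notification
Switch(config)# snmp-server enable traps mac-notification
Switch(config)# mac address-table notification
Switch(config)# mac address-table notification interval 60 history-size 200
! Notification is per port: report both learned and removed addresses here.
Switch(config)# interface fastethernet0/2
Switch(config-if)# snmp trap mac-notification added
Switch(config-if)# snmp trap mac-notification removed
Switch(config-if)# end
! Verify the static and filtered entries and the notification settings.
Switch# show mac address-table static
Switch# show mac address-table notification
! Flush what was learned on the port before the static entry was added.
Switch# clear mac address-table dynamic interface fastethernet0/2
```

The history table from show mac address-table notification is the local record of what moved when; the traps carry the same events to the NMS, so a host that suddenly shows up on a different port is visible in both places.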
  • Page 174 Chapter 7 Administering the Switch Optimizing System Resources for User-Selected Features You can also enable the switch to support 144-bit Layer 3 TCAM, allowing extra fields in the stored routing tables, by reformatting the routing table memory allocation. Using the extended-match keyword with the default, access, or routing templates reformats the allocated TCAM by reducing the number of allowed unicast routes, and storing extra routing information in the lower 72 bits of the Layer 3 TCAM.
  • Page 175: Using The Templates

    Chapter 7 Administering the Switch Optimizing System Resources for User-Selected Features Table 7-6 Approximate Resources Allowed in Each Template for Fast Ethernet Switches (continued) Resource Default Template Access Template Routing Template VLAN Template QoS classification ACEs Security ACEs Unicast routes 8 K or 4 K 2 K or 1 K 16 K or 8 K...
  • Page 176 Chapter 7 Administering the Switch Optimizing System Resources for User-Selected Features Beginning in privileged EXEC mode, follow these steps to use the SDM template to maximize feature usage: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 sdm prefer {access [extended-match] | extended-match | routing... Specify the SDM template to be used on the switch:...
  • Page 177: Preventing Unauthorized Access To Your Switch

    C H A P T E R Configuring Switch-Based Authentication This chapter describes how to configure switch-based authentication on the Catalyst 3550 switch. This chapter consists of these sections: • Preventing Unauthorized Access to Your Switch, page 8-1 • Protecting Access to Privileged EXEC Commands, page 8-2 • Controlling Switch Access with TACACS+, page 8-10 •...
  • Page 178: C H A P T E R 8 Configuring Switch-Based Authentication

    Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Cisco IOS Release 12.1.
  • Page 179: Setting Or Changing A Static Enable Password

    Chapter 8 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Setting or Changing a Static Enable Password The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password: Command Purpose Step 1...
  • Page 180: Protecting Enable And Enable Secret Passwords With Encryption

    By default, no password is defined. • (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password you copy...
  • Page 181: Disabling Password Recovery

    Chapter 8 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level.
  • Page 182: Setting A Telnet Password For A Terminal Line

    Disable password recovery. This setting is saved in an area of the Flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 183: Configuring Username And Password Pairs

    Chapter 8 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Command Purpose Step 7 show running-config Verify your entries. The password is listed under the command line vty 0 15. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove the password, use the no password global configuration command.
  • Page 184: Configuring Multiple Privilege Levels

    Chapter 8 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command.
  • Page 185: Changing The Default Privilege Level For Lines

    Chapter 8 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Command Purpose Step 5 show running-config show privilege Verify your entries. The first command displays the password and access level configuration. The second command displays the privilege level configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 186: Logging Into And Exiting A Privilege Level

    (AAA) and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Cisco IOS Release 12.1. This section contains this configuration information: •...
  • Page 187 Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Figure 8-1 Typical TACACS+ Network Configuration (a Catalyst 6500 series switch and Catalyst 2950, 2955, or 3550 switches connected to two UNIX workstations: TACACS+ server 1 at 171.20.10.7 and TACACS+ server 2 at 171.20.10.8). Configure the switches with the TACACS+ server addresses.
  • Page 188: Tacacs+ Operation

    Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ TACACS+ Operation When a user attempts a simple ASCII login by authenticating to a switch by using TACACS+, this process occurs: When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user.
  • Page 189: Default Tacacs+ Configuration

    Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ This section contains this configuration information: • Default TACACS+ Configuration, page 8-13 • Identifying the TACACS+ Server Host and Setting the Authentication Key, page 8-13 • Configuring TACACS+ Login Authentication, page 8-14 • Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page...
  • Page 190: Configuring Tacacs+ Login Authentication

    Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Command Purpose Step 4 aaa group server tacacs+ group-name (Optional) Define the AAA server-group with a group name. This command puts the switch in a server group subconfiguration mode. Step 5 server ip-address (Optional) Associate a particular TACACS+ server with the defined server group.
  • Page 191 Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Beginning in privileged EXEC mode, follow these steps to configure login authentication: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA. Step 3 aaa authentication login {default | list-name} method1 [method2...] Create a login authentication method list.
  • Page 192: Configuring Tacacs+ Authorization For Privileged Exec Access And Network Services

    Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
  • Page 193: Starting Tacacs+ Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services:...
  • Page 194: Controlling Switch Access With Radius

    RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Cisco IOS Release 12.1. This section contains this configuration information: •...
  • Page 195: Radius Operation

    • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication. • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 196: Configuring Radius

    Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Configuring RADIUS This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication.
  • Page 197 Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
  • Page 198 Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | Specify the IP address or host name of the remote RADIUS server host.
  • Page 199: Configuring Radius Login Authentication

    Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting: Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1 Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2 This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting: Switch(config)# radius-server host host1...
  • Page 200 Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Command Purpose Step 3 aaa authentication login {default | list-name} method1 [method2...] Create a login authentication method list. • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations.
  • Page 201: Defining Aaa Server Groups

    Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
  • Page 202 Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | Specify the IP address or host name of the remote RADIUS server host.
  • Page 203: Configuring Radius Authorization For User Privileged Access And Network Services

    Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Command Purpose Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. Step 9 Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 8-23.
  • Page 204: Starting Radius Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 205: Configuring Settings For All Radius Servers

    1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
  • Page 206 Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS For example, this AV pair activates Cisco's multiple named ip address pools feature during IP authorization (during PPP's IPCP address assignment): cisco-avpair= "ip:addr-pool=first" This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: cisco-avpair= "shell:priv-lvl=15"...
  • Page 207: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
  • Page 208: Controlling Switch Access With Kerberos

    Kerberos Operation, page 8-34 • Configuring Kerberos, page 8-35 For Kerberos configuration examples, refer to the "Kerberos Configuration Examples" section in the "Security Server Protocols" chapter of the Cisco IOS Security Configuration Guide, Release 12.1, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt2/scdkerb.htm#xtocid1540022.
  • Page 209 Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos The Kerberos credential scheme uses a process called single logon. This process authenticates a user once and then allows secure authentication (without encrypting another password) wherever that user credential is accepted. This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs).
  • Page 210: Kerberos Operation

    Chapter 8 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos Table 8-2 Kerberos Terms (continued) Term Definition Kerberos server A daemon that is running on a network host. Users and network services register their identity with the Kerberos server. Network services query the Kerberos server to authenticate to other network services.
  • Page 211: Authenticating To A Boundary Switch

    KDC and obtain a TGT from the KDC to access network services. For instructions about how to authenticate to a KDC, refer to the “Obtaining a TGT from a KDC” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.1, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt2/...
  • Page 212: Configuring The Switch For Local Authentication And Authorization

    • Configure the switch to use the Kerberos protocol. For instructions, refer to the "Kerberos Configuration Task List" section in the "Security Server Protocols" chapter of the Cisco IOS Security Configuration Guide, Release 12.1, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt2/scdkerb.htm#xtocid154007. Configuring the Switch for Local Authentication and...
  • Page 213: Configuring The Switch For Secure Shell

    Note For complete syntax and usage information for the commands used in this section, refer to the command reference for this release and the command reference for Cisco IOS Release 12.2 at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm.
  • Page 214: Understanding Ssh

    You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 215: Configuring Ssh

    Setting Up the Switch to Run SSH Follow these steps to set up your switch to run SSH: Download the cryptographic software image from Cisco.com. This step is required. For more information, refer to the release notes for this release.
  • Page 216: Configuring The Ssh Server

    Chapter 8 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell Command Purpose Step 4 crypto key generate rsa Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair. We recommend a minimum modulus size of 1024 bits. When you generate RSA keys, you are prompted to enter a modulus length.
  • Page 217: Displaying The Ssh Configuration And Status

    Shows the status of the SSH server. For more information about these commands, refer to the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fothercr/...
  • Page 219: Understanding 802.1X Port-Based Authentication

    Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
  • Page 220: C H A P T E R 9 Configuring 802.1X Port-Based Authentication

    (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 221: Authentication Initiation And Message Exchange

    Chapter 9 Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication Authentication Initiation and Message Exchange The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the port link state transitions from down to up.
  • Page 222: Ports In Authorized And Unauthorized States

    Chapter 9 Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication Ports in Authorized and Unauthorized States The switch port state determines whether or not the client is granted access to the network. The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets.
  • Page 223: Using 802.1X With Port Security

    Chapter 9 Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication In a point-to-point configuration (see Figure 9-1 on page 9-2), only one client can be connected to the 802.1X-enabled switch port. The switch detects the client when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.
  • Page 224: Using 802.1X With Voice Vlan Ports

    CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly connected to it. When 802.1X is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.
  • Page 225: Using 802.1X With Guest Vlan

    Chapter 9 Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication • If 802.1X authorization is enabled and all information from the RADIUS server is valid, the port is placed in the specified VLAN after authentication. • If the multiple-hosts mode is enabled on an 802.1X port, all hosts are placed in the same VLAN (specified by the RADIUS server) as the first authenticated host.
  • Page 226: Using 802.1X With Per-User Acls

    Chapter 9 Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication Using 802.1X with Per-User ACLs You can enable per-user access control lists (ACLs) to provide different levels of network access and service to an 802.1X-authenticated user. When the RADIUS server authenticates a user connected to an 802.1X port, it retrieves the ACL attributes based on the user identity and sends them to the switch.
  • Page 227: Configuring 802.1X Authentication

    Chapter 9 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Configuring 802.1X Authentication These sections describe how to configure 802.1X port-based authentication on your switch: • Default 802.1X Configuration, page 9-9 802.1X Configuration Guidelines, page 9-10 • Upgrading from a Previous Software Release, page 9-11 •...
  • Page 228: 802.1X Configuration Guidelines

    Chapter 9 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Table 9-1 Default 802.1X Configuration (continued) Feature Default Setting Retransmission time 30 seconds (number of seconds that the switch should wait for a response to an EAP request/identity frame from the client before resending the request). Maximum retransmission number 2 times (number of times that the switch will send an EAP-request/identity frame before restarting the...
  • Page 229: Upgrading From A Previous Software Release

    Some global configuration commands became interface configuration commands, and new commands were added. If you have 802.1X configured on the switch and you upgrade to Cisco IOS Release 12.1(14)EA1 or later, the configuration file will not contain the new commands, and 802.1X will not operate. After the upgrade is complete, make sure to globally enable 802.1X by using the dot1x system-auth-control...
  • Page 230 Chapter 9 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Command Purpose Step 3 aaa authentication dot1x {default} method1 [method2...] Create an 802.1X authentication method list. To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the methods that are to be used in default situations.
  • Page 231: Configuring The Switch-To-Radius-Server Communication

    Chapter 9 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Configuring the Switch-to-RADIUS-Server Communication RADIUS security servers are identified by their host name or IP address, host name and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.
  • Page 232: Enabling Periodic Re-Authentication

    Chapter 9 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, refer to the RADIUS server documentation.
  • Page 233: Changing The Quiet Period

    Chapter 9 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Changing the Quiet Period When the switch cannot authenticate the client, the switch remains idle for a set period of time, and then tries again. The idle time is determined by the quiet-period value. A failed authentication of the client might occur because the client provided an invalid password.
  • Page 234: Setting The Switch-To-Client Frame-Retransmission Number

    Chapter 9 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Command Purpose Step 3 dot1x timeout tx-period seconds Set the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request. The range is 1 to 65535 seconds;...
  • Page 235: Configuring The Host Mode

    Chapter 9 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Configuring the Host Mode You can configure an 802.1X port for single-host or for multiple-hosts mode. In single-host mode, only one host is allowed on an 802.1X port. When the host is authenticated, the port is placed in the authorized state.
  • Page 236: Resetting The 802.1X Configuration To The Default Values

    Chapter 9 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the interface to be configured. For the supported interface types, see the “802.1X Configuration Guidelines”...
  • Page 237: Displaying 802.1X Statistics And Status

    Chapter 9 Configuring 802.1X Port-Based Authentication Displaying 802.1X Statistics and Status Displaying 802.1X Statistics and Status To display 802.1X statistics for all interfaces, use the show dot1x all statistics privileged EXEC command. To display 802.1X statistics for a specific interface, use the show dot1x statistics interface interface-id privileged EXEC command.
  • Page 239: Understanding Interface Types

    Note For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the online Cisco IOS Interface Command Reference for Release 12.1. Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface types.
  • Page 240: C H A P T E R 10 Configuring Interface Characteristics

    Chapter 10 Configuring Interface Characteristics Understanding Interface Types Port-Based VLANs A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 12, “Configuring VLANs.”...
  • Page 241: Access Ports

    6000 series switch; the Catalyst 3550 switch does not support the function of a VMPS. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 14, “Configuring Voice VLAN.”...
  • Page 242: Tunnel Ports

    Chapter 10 Configuring Interface Characteristics Understanding Interface Types Tunnel Ports Tunnel ports are used in 802.1Q tunneling to segregate the traffic of customers in a service provider network from other customers who appear to be on the same VLAN. You configure an asymmetric link from a tunnel port on a service provider edge switch to an 802.1Q trunk port on the customer switch.
  • Page 243: Etherchannel Port Groups

    Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP), which operate only on physical ports.
  • Page 244 Chapter 10 Configuring Interface Characteristics Understanding Interface Types Figure 10-1 Connecting VLANs with Layer 2 Switches (a Cisco router and a switch, with Host A in VLAN 20 and Host B in VLAN 30). By using the Catalyst 3550 with routing enabled, when you configure VLAN 20 and VLAN 30 each with...
  • Page 245: Using The Interface Command

    You can identify physical interfaces by physically checking the interface location on the switch. You can also use the Cisco IOS show privileged EXEC commands to display information about a specific interface or all the interfaces on the switch. The remainder of this chapter primarily provides physical interface configuration procedures.
  • Page 246: Configuring A Range Of Interfaces

    Chapter 10 Configuring Interface Characteristics Using the Interface Command Note You do not need to add a space between the interface type and interface number. For example, in the preceding line, you can specify either gigabitethernet 0/1, gigabitethernet0/1, gi 0/1, or gi0/1.
  • Page 247 Chapter 10 Configuring Interface Characteristics Using the Interface Command When using the interface range global configuration command, note these guidelines: • Valid entries for port-range: – vlan vlan-ID - vlan-ID, where VLAN ID is from 1 to 4094 – fastethernet slot/{first port} - {last port}, where slot is 0 – gigabitethernet slot/{first port} - {last port}, where slot is 0 –...
  • Page 248: Configuring And Using Interface Range Macros

    Chapter 10 Configuring Interface Characteristics Using the Interface Command If you enter multiple configuration commands while you are in interface range mode, each command is executed as it is entered. The commands are not batched together and executed after you exit interface range mode.
  • Page 249: Configuring Ethernet Interfaces

    Chapter 10 Configuring Interface Characteristics Configuring Ethernet Interfaces • The VLAN interfaces (SVIs) must have been configured with the interface vlan command. The show running-config privileged EXEC command displays the configured VLAN interfaces. VLAN interfaces not displayed by the show running-config command cannot be used as interface-ranges. All interfaces in a range must be the same type;...
  • Page 250: Default Ethernet Interface Configuration

    Chapter 10 Configuring Interface Characteristics Configuring Ethernet Interfaces Default Ethernet Interface Configuration Table 10-1 shows the Ethernet interface default configuration. For more details on the VLAN parameters listed in the table, see Chapter 12, "Configuring VLANs." For details on controlling traffic to the port, see Chapter 21, "Configuring Port-Based Traffic Control."...
  • Page 251: Configuring Interface Speed And Duplex Mode

    Chapter 10 Configuring Interface Characteristics Configuring Ethernet Interfaces Configuring Interface Speed and Duplex Mode Ethernet interfaces on the switch operate in 10, 100, or 1000 Mbps and in either full- or half-duplex mode. In full-duplex mode, two stations can send and receive at the same time. When packets can flow in both directions simultaneously, effective Ethernet bandwidth doubles to 20 Mbps for 10-Mbps interfaces, to 200 Mbps for Fast Ethernet interfaces, and to 2 Gbps for Gigabit interfaces.
  • Page 252: Setting The Interface Speed And Duplex Parameters

    The Catalyst 3550-24PWR switch automatically supplies inline power to connected Cisco IP Phones, Cisco Aironet Access Points, and IEEE Power Devices if it senses no power on the circuit. If there is power on the circuit, the switch does not supply it. You can also configure the Catalyst 3550-24PWR switch to never supply power to these devices and to disable the inline-power detection.
  • Page 253: Configuring Ieee 802.3X Flow Control

    Configuring Interface Characteristics Configuring Ethernet Interfaces Cisco IP Phones and access points can also be connected to an AC power source and supply their own power. For information about configuring a switch port to forward IP voice traffic to and from connected Cisco IP Phones, see the “Configuring a Port to Connect to a Cisco 7960 IP Phone”...
  • Page 254 Chapter 10 Configuring Interface Characteristics Configuring Ethernet Interfaces • receive on (or desired) and send desired: The port can receive pause frames and can send pause frames if the attached device supports flow control. • receive on (or desired) and send off: The port cannot send pause frames but can operate with an attached device that is required to or can send pause frames;...
  • Page 255: Adding A Description For An Interface

    Chapter 10 Configuring Interface Characteristics Configuring Ethernet Interfaces Adding a Description for an Interface You can add a description about an interface to help you remember its function. The description appears in the output of these commands: show configuration, show running-config, and show interfaces.
  • Page 256: Configuring Layer 3 Interfaces

    Chapter 10 Configuring Interface Characteristics Configuring Layer 3 Interfaces Configuring Layer 3 Interfaces The Catalyst 3550 supports three types of Layer 3 interfaces: • SVIs: You should configure SVIs for any VLANs for which you want to route traffic. SVIs are created when you enter a VLAN ID following the interface vlan global configuration command.
  • Page 257: Monitoring And Maintaining The Interfaces

    (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference for Release 12.1.
  • Page 258 Chapter 10 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces Table 10-2 show Commands for Interfaces Command Purpose show interfaces [interface-id] Display the status and configuration of all interfaces or a specific interface. show interfaces [interface-id] capabilities [module {module-number}] Display the capabilities of an interface. If you do not specify a module, the capabilities for all ports on the switch appear.
  • Page 259: Clearing And Resetting Interfaces And Counters

    Chapter 10 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces Voice VLAN: dot1p (Inactive) Appliance trust: 5 This example shows how to display the running configuration of Fast Ethernet interface 0/2: Switch# show running-config interface fastethernet0/2 Building configuration... Current configuration : 131 bytes interface FastEthernet0/2 switchport mode access switchport protected...
  • Page 260: Shutting Down And Restarting The Interface

    Chapter 10 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces Use the clear interface or clear line privileged EXEC command to clear and reset an interface or serial line. Under most circumstances, you do not need to clear the hardware logic on interfaces or serial lines. This example shows how to clear and reset Fast Ethernet interface 0/5: Switch# clear interface fastethernet0/5 Shutting Down and Restarting the Interface...
  • Page 261: Understanding Smartport Macros

    C H A P T E R Configuring SmartPort Macros This chapter describes how to configure and apply SmartPort macros on your Catalyst 3550 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 262: C H A P T E R 11 Configuring Smartport Macros

    Chapter 11 Configuring SmartPort Macros Configuring Smart-Port Macros Configuring Smart-Port Macros You can create a new SmartPort macro or use an existing macro as a template to create a new macro that is specific to your application. After you create the macro, you can apply it to an interface or a range of interfaces.
  • Page 263: Creating And Applying Smartport Macros

    Chapter 11 Configuring SmartPort Macros Configuring Smart-Port Macros Creating and Applying SmartPort Macros Beginning in privileged EXEC mode, follow these steps to create and apply a SmartPort macro: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 macro name macro-name Create a macro definition, and enter a macro name.
  • Page 264: Displaying Smartport Macros

    Chapter 11 Configuring SmartPort Macros Displaying SmartPort Macros Switch(config)# interface fastethernet0/9 Switch(config-if)# macro apply desktop-config Switch(config-if)# macro description desktop-config Switch(config-if)# end Switch# show parser macro name desktop-config Macro name : desktop-config Macro type : customizable macro description desktop-config # Put the switch in access mode switchport mode access # Allow port to move to forwarding state quickly spanning-tree portfast...
  • Page 265: Understanding Vlans

    C H A P T E R Configuring VLANs This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on your Catalyst 3550 switch. It includes information about VLAN modes and the VLAN Membership Policy Server (VMPS). Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 266: Chapter 12 Configuring Vlan

    Figure 12-1 VLANs as Logically Defined Networks (figure: Engineering, Marketing, and Accounting VLANs spanning Floors 1 to 3, connected through a Cisco router over Fast Ethernet) VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
  • Page 267: Vlan Port Membership Modes

    Dynamic Access Ports on VMPS Clients” section on page 12-32. Voice VLAN A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic... VTP is not required; it has no effect on voice VLAN.
  • Page 268: Configuring Normal-Range Vlans

    Chapter 12 Configuring VLANs Configuring Normal-Range VLANs For more detailed definitions of the modes and their functions, see Table 12-4 on page 12-17. When a port belongs to a VLAN, the switch learns and manages the addresses associated with the port on a per-VLAN basis.
  • Page 269: Token Ring Vlans

    Chapter 12 Configuring VLANs Configuring Normal-Range VLANs Note This section does not provide configuration details for most of these parameters. For complete information on the commands and parameters that control VLAN configuration, refer to the command reference for this release. This section includes information about these normal-range VLAN topics: •...
  • Page 270: Vlan Configuration Mode Options

    Chapter 12 Configuring VLANs Configuring Normal-Range VLANs • The switch supports 128 spanning-tree instances. If a switch has more active VLANs than supported spanning-tree instances, spanning tree can be enabled on 128 VLANs and is disabled on the remaining VLANs. If you have already used all available spanning-tree instances on a switch, adding another VLAN anywhere in the VTP domain creates a VLAN on that switch that is not running spanning-tree.
  • Page 271: Saving Vlan Configuration

    • If VTP mode is server, the domain name and VLAN configuration for the first 1005 VLANs use the VLAN database information. • If the switch is running Cisco IOS Release 12.1(9)EA1 or later and you use an older startup configuration file to boot up the switch, the configuration file does not contain VTP or VLAN information, and the switch uses the VLAN database configurations.
  • Page 272: Creating Or Modifying An Ethernet Vlan

    Chapter 12 Configuring VLANs Configuring Normal-Range VLANs Table 12-2 Ethernet VLAN Defaults and Ranges Parameter Default Range VLAN ID 1 to 4094. Note Extended-range VLANs (VLAN IDs 1006 to 4094) are not saved in the VLAN database. VLAN name VLANxxxx, where xxxx represents four numeric digits (including leading zeros) equal... No range
  • Page 273 Chapter 12 Configuring VLANs Configuring Normal-Range VLANs Command Purpose Step 3 name vlan-name (Optional) Enter a name for the VLAN. If no name is entered for the VLAN, the default is to append the vlan-id with leading zeros to the word VLAN.
  • Page 274: Deleting A Vlan

    Chapter 12 Configuring VLANs Configuring Normal-Range VLANs Note You cannot configure an RSPAN VLAN in VLAN database configuration mode. To return the VLAN name to the default settings, use the no vlan vlan-id name or no vlan vlan-id mtu VLAN configuration command. This example shows how to use VLAN database configuration mode to create Ethernet VLAN 20, name it test20, and add it to the VLAN database: Switch# vlan database...
  • Page 275: Assigning Static-Access Ports To A Vlan

    Chapter 12 Configuring VLANs Configuring Normal-Range VLANs Assigning Static-Access Ports to a VLAN You can assign a static-access port to a VLAN without having VTP globally propagate VLAN configuration information by disabling VTP (VTP transparent mode). If you are assigning a port on a cluster member switch to a VLAN, first use the rcommand privileged EXEC command to log in to the member switch.
  • Page 276: Configuring Extended-Range Vlans

    Chapter 12 Configuring VLANs Configuring Extended-Range VLANs Configuring Extended-Range VLANs When the switch is in VTP transparent mode (VTP disabled), you can create extended-range VLANs (in the range 1006 to 4094). Extended-range VLANs enable service providers to extend their infrastructure to a greater number of customers.
  • Page 277: Creating An Extended-Range Vlan

    Chapter 12 Configuring VLANs Configuring Extended-Range VLANs • VLANs in the extended range are not supported by VQP. They cannot be configured by VMPS. • STP is enabled by default on extended-range VLANs, but you can disable it by using the no spanning-tree vlan vlan-id global configuration command.
  • Page 278: Creating An Extended-Range Vlan With An Internal Vlan Id

    Chapter 12 Configuring VLANs Configuring Extended-Range VLANs Command Purpose Step 3 vlan vlan-id Enter an extended-range VLAN ID and enter config-vlan mode. The range is 1006 to 4094. Step 4 mtu mtu-size (Optional) Modify the VLAN by changing the MTU size. Note Although all commands appear in the CLI help in config-vlan mode, only the mtu mtu-size command is supported for...
  • Page 279: Displaying Vlans

    Chapter 12 Configuring VLANs Displaying VLANs Command Purpose Step 8 exit Exit from config-vlan mode, and return to global configuration mode. Step 9 interface interface-id Enter the interface ID for the routed port that you shut down in Step 4. Step 10 no shutdown Re-enable the routed port.
  • Page 280: Configuring Vlan Trunks

    Fast Ethernet and Gigabit Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network. Two trunking encapsulations are available on all Ethernet interfaces: • Inter-Switch Link (ISL)—ISL is Cisco-proprietary trunking encapsulation. •...
  • Page 281 Chapter 12 Configuring VLANs Configuring VLAN Trunks To avoid this, you should configure interfaces connected to devices that do not support DTP to not forward DTP frames, that is, to turn off DTP. • If you do not intend to trunk across those links, use the switchport mode access interface configuration command to disable trunking.
  • Page 282: Encapsulation Types

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco 802.1Q switch.
  • Page 283: Default Layer 2 Ethernet Interface Vlan Configuration

    Chapter 12 Configuring VLANs Configuring VLAN Trunks Default Layer 2 Ethernet Interface VLAN Configuration Table 12-6 shows the default Layer 2 Ethernet interface VLAN configuration. Table 12-6 Default Layer 2 Ethernet Interface VLAN Configuration Feature Default Setting Interface mode switchport mode dynamic desirable Trunk encapsulation switchport trunk encapsulation negotiate Allowed VLAN range...
  • Page 284: Configuring A Trunk Port

    Chapter 12 Configuring VLANs Configuring VLAN Trunks – trunk status (If one port in a port group ceases to be a trunk, all ports cease to be trunks.) • We recommend that you configure no more than 24 trunk ports in PVST+ mode and no more than 40 trunk ports in MST mode.
  • Page 285: Defining The Allowed Vlans On A Trunk

    VLAN 1 from the allowed list. This is known as VLAN 1 minimization. VLAN 1 minimization disables VLAN 1 (the default VLAN on all Cisco switch trunk ports) on an individual VLAN trunk link. As a result, no user traffic, including spanning-tree advertisements, is sent or received on VLAN 1.
  • Page 286: Changing The Pruning-Eligible List

    Chapter 12 Configuring VLANs Configuring VLAN Trunks Command Purpose Step 4 switchport trunk allowed vlan {add | all | except | remove} vlan-list (Optional) Configure the list of VLANs allowed on the trunk. For explanations about using the add, all, except, and remove keywords, refer to the command reference for this release.
  • Page 287: Configuring The Native Vlan For Untagged Traffic

    Chapter 12 Configuring VLANs Configuring VLAN Trunks Command Purpose Step 5 show interfaces interface-id switchport Verify your entries in the Pruning VLANs Enabled field of the display. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default pruning-eligible list of all VLANs, use the no switchport trunk pruning vlan interface configuration command.
  • Page 288: Load Sharing Using Stp Port Priorities

    Chapter 12 Configuring VLANs Configuring VLAN Trunks You configure load sharing on trunk ports by using STP port priorities or STP path costs. For load sharing using STP port priorities, both load-sharing links must be connected to the same switch. For load sharing using STP path costs, each load-sharing link can be connected to the same switch or to two different switches.
  • Page 289: Load Sharing Using Stp Path Cost

    Chapter 12 Configuring VLANs Configuring VLAN Trunks Command Purpose Step 6 show vlan Verify that the VLANs exist in the database on Switch 1. Step 7 configure terminal Enter global configuration mode. Step 8 interface fastethernet 0/1 Enter interface configuration mode, and define Fast Ethernet port 0/1 as the interface to be configured as a trunk.
  • Page 290 Chapter 12 Configuring VLANs Configuring VLAN Trunks Figure 12-4, Trunk ports 1 and 2 are 100BASE-T ports. The path costs for the VLANs are assigned as follows: • VLANs 2 through 4 are assigned a path cost of 30 on Trunk port 1. •...
  • Page 291: Configuring Vmps

    Chapter 12 Configuring VLANs Configuring VMPS Command Purpose Step 12 spanning-tree vlan 2 cost 30 Set the spanning-tree path cost to 30 for VLAN 2. Step 13 spanning-tree vlan 3 cost 30 Set the spanning-tree path cost to 30 for VLAN 3. Step 14 spanning-tree vlan 4 cost 30 Set the spanning-tree path cost to 30 for VLAN 4.
  • Page 292: Dynamic Port Vlan Membership

    Chapter 12 Configuring VLANs Configuring VMPS • If the VLAN in the database does not match the current VLAN on the port and active hosts exist on the port, the VMPS sends an access-denied or a port-shutdown response, depending on the secure mode of the VMPS.
  • Page 293 Chapter 12 Configuring VLANs Configuring VMPS This example shows an example of a VMPS database configuration file as it appears on a Catalyst 6000 series switch. The file has these characteristics: • The security mode is open. • The default is used for the fallback VLAN. •...
  • Page 294: Default Vmps Configuration

    Chapter 12 Configuring VLANs Configuring VMPS vmps-vlan-group Engineering vlan-name hardware vlan-name software !VLAN port Policies !vmps-port-policies {vlan-name <vlan_name> | vlan-group <group-name> } ! { port-group <group-name> | device <device-id> port <port-name> } vmps-port-policies vlan-group Engineering port-group WiringCloset1 vmps-port-policies vlan-name Green device 198.92.30.32 port 0/8 vmps-port-policies vlan-name Purple device 198.4.254.22 port 0/2...
  • Page 295: Configuring The Vmps Client

    Chapter 12 Configuring VLANs Configuring VMPS • Dynamic access ports cannot be monitor ports. • Secure ports cannot be dynamic access ports. You must disable port security on a port before it becomes dynamic. • Dynamic access ports cannot be members of an EtherChannel group. •...
  • Page 296: Configuring Dynamic Access Ports On Vmps Clients

    Chapter 12 Configuring VLANs Configuring VMPS Configuring Dynamic Access Ports on VMPS Clients If you are configuring a port on a cluster member switch as a dynamic port, first use the rcommand privileged EXEC command to log in to the member switch. Caution Dynamic port VLAN membership is for end stations or hubs connected to end stations.
  • Page 297: Changing The Reconfirmation Interval

    Chapter 12 Configuring VLANs Configuring VMPS Changing the Reconfirmation Interval VMPS clients periodically reconfirm the VLAN membership information received from the VMPS. You can set the number of minutes after which reconfirmation occurs. If you are configuring a member switch in a cluster, this parameter must be equal to or greater than the reconfirmation setting on the command switch.
  • Page 298: Monitoring The Vmps

    Chapter 12 Configuring VLANs Configuring VMPS Monitoring the VMPS You can display information about the VMPS by using the show vmps privileged EXEC command. The switch displays this information about the VMPS: VMPS VQP Version The version of VQP used to communicate with the VMPS. The switch queries the VMPS that is using VQP version 1.
  • Page 299: Vmps Configuration Example

    Chapter 12 Configuring VLANs Configuring VMPS VMPS Configuration Example Figure 12-5 shows a network with a VMPS server switch and VMPS client switches with dynamic ports. In this example, these assumptions apply: • The VMPS server and the VMPS client are separate switches. •...
  • Page 301: Understanding Vtp

    C H A P T E R Configuring VTP This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs on your Catalyst 3550 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 302: Chapter 13 Configuring Vtp

    Chapter 13 Configuring VTP Understanding VTP The VTP Domain A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain. You make global VLAN configuration changes for the domain by using the command-line interface (CLI), Cluster Management Suite (CMS) software, or Simple Network Management Protocol (SNMP).
  • Page 303: Vtp Modes

    Chapter 13 Configuring VTP Understanding VTP VTP Modes You can configure a supported switch to be in one of the VTP modes listed in Table 13-1. Table 13-1 VTP Modes VTP Mode Description VTP server In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters (such as the VTP version) for the entire VTP domain.
  • Page 304: Vtp Version 2

    Chapter 13 Configuring VTP Understanding VTP VTP advertisements distribute this VLAN information for each configured VLAN: • VLAN IDs (ISL and 802.1Q) • VLAN name • VLAN type • VLAN state • Additional VLAN configuration information specific to the VLAN type •...
  • Page 305 Chapter 13 Configuring VTP Understanding VTP Figure 13-1 Flooding Traffic without VTP Pruning (figure: Switches 1 through 6 with a VLAN flooded over Port 1 and Port 2) Figure 13-2 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch 2 and Port 4 on Switch 4).
  • Page 306: Configuring Vtp

    Chapter 13 Configuring VTP Configuring VTP VTP pruning is not designed to function in VTP transparent mode. If one or more switches in the network are in VTP transparent mode, you should do one of these: • Turn off VTP pruning in the entire network. •...
  • Page 307: Vtp Configuration Options

    Chapter 13 Configuring VTP Configuring VTP VTP Configuration Options You can configure VTP by using these configuration modes. • VTP Configuration in Global Configuration Mode, page 13-7 • VTP Configuration in VLAN Configuration Mode, page 13-7 You access VLAN configuration mode by entering the vlan database privileged EXEC command. For detailed information about vtp commands, refer to the command reference for this release.
  • Page 308: Vtp Configuration Guidelines

    Chapter 13 Configuring VTP Configuring VTP VTP Configuration Guidelines These sections describe guidelines you should follow when implementing VTP in your network. Domain Names When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name.
  • Page 309: Configuration Requirements

    Chapter 13 Configuring VTP Configuring VTP • If there are TrBRF and TrCRF Token Ring networks in your environment, you must enable VTP version 2 for Token Ring VLAN switching to function properly. To run Token Ring and Token Ring-Net, disable VTP version 2. Configuration Requirements When you configure VTP, you must configure a trunk port so that the switch can send and receive VTP advertisements.
  • Page 310: Configuring A Vtp Client

    Chapter 13 Configuring VTP Configuring VTP This example shows how to use global configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword: Switch# config terminal Switch(config)# vtp mode server Switch(config)# vtp domain eng_group Switch(config)# vtp password mypassword Switch(config)# end You can also use VLAN configuration mode to configure VTP parameters.
  • Page 311: Disabling Vtp (Vtp Transparent Mode)

    Chapter 13 Configuring VTP Configuring VTP Note If extended-range VLANs are configured on the switch, you cannot change VTP mode to client. You receive an error message, and the configuration is not allowed. Caution If all switches are operating in VTP client mode, do not configure a VTP domain name. If you do, it is impossible to make changes to the VLAN configuration of that domain.
  • Page 312: Enabling Vtp Version 2

    Chapter 13 Configuring VTP Configuring VTP Note Before you create extended-range VLANs (VLAN IDs 1006 to 4094), you must set VTP mode to transparent by using the vtp mode transparent global configuration command. Save this configuration to the startup configuration so that the switch boots up in VTP transparent mode. Otherwise, you lose the extended-range VLAN configuration if the switch resets and boots up in VTP server mode (the default).
  • Page 313: Enabling Vtp Pruning

    Chapter 13 Configuring VTP Configuring VTP Note In TrCRF and TrBRF Token Ring environments, you must enable VTP version 2 for Token Ring VLAN switching to function properly. For Token Ring and Token Ring-Net media, VTP version 2 must be disabled.
  • Page 314: Adding A Vtp Client Switch To A Vtp Domain

    Chapter 13 Configuring VTP Configuring VTP Pruning is supported with VTP version 1 and version 2. If you enable pruning on the VTP server, it is enabled for the entire VTP domain. Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning eligible on trunk ports.
  • Page 315: Monitoring Vtp

    Chapter 13 Configuring VTP Monitoring VTP Note You can use the vtp mode transparent global configuration command or the vtp transparent VLAN configuration command to disable VTP on the switch, and then change its VLAN information without affecting the other switches in the VTP domain. Monitoring VTP You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs.
  • Page 317: Understanding Voice Vlan

    The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. The switch can connect to a Cisco 7960 IP Phone and carry IP voice traffic. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1P class of service (CoS).
  • Page 318: Chapter 14 Configuring Voice Vlan

    • Default Voice VLAN Configuration, page 14-2 • Voice VLAN Configuration Guidelines, page 14-3 • Configuring a Port to Connect to a Cisco 7960 IP Phone, page 14-3 Default Voice VLAN Configuration The voice VLAN feature is disabled by default.
  • Page 319: Voice Vlan Configuration Guidelines

    Configuring a Port to Connect to a Cisco 7960 IP Phone Because a Cisco 7960 IP Phone also supports a connection to a PC or other device, a port connecting the switch to a Cisco 7960 IP Phone can carry mixed traffic.
  • Page 320: Configuring Ports To Carry Voice Traffic In 802.1Q Frames

    CoS value. Step 5 switchport voice vlan vlan-id Instruct the Cisco IP Phone to forward all voice traffic through the specified VLAN. By default, the Cisco IP Phone forwards the voice traffic with an 802.1Q priority of 5.
  • Page 321: Overriding The Cos Priority Of Incoming Data Frames

    Overriding the CoS Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco 7960 IP Phone port. The PC can generate packets with an assigned CoS value. You can configure the switch to override the priority of frames arriving on the IP phone port from connected devices.
  • Page 322: Configuring The Ip Phone To Trust The Cos Priority Of Incoming Data Frames

    Configuring the IP Phone to Trust the CoS Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco 7960 IP Phone port. The PC can generate packets with an assigned CoS value. You can configure the switch to trust the priority of frames arriving on the IP phone port from connected devices.
  • Page 323: Understanding 802.1Q Tunneling

    C H A P T E R Configuring 802.1Q and Layer 2 Protocol Tunneling Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure, often Ethernet-based, with the same security, prioritization, reliability, and manageability requirements of private networks. Tunneling is a feature designed for service providers (SPs) who carry traffic of multiple customers across their networks and who are required to maintain the VLAN and Layer 2 protocol configurations of each customer without impacting the traffic of other customers.
  • Page 324: C H A P T E R 15 Configuring 802.1Q And Layer 2 Protocol Tunneling

    Chapter 15 Configuring 802.1Q and Layer 2 Protocol Tunneling Understanding 802.1Q Tunneling Customer traffic tagged in the normal way with appropriate VLAN IDs comes from an 802.1Q trunk port on the customer device and into a tunnel port on the SP edge switch. The link between the customer device and the edge switch is asymmetric because one end is configured as an 802.1Q trunk port, and the other end is configured as a tunnel port.
  • Page 325 Chapter 15 Configuring 802.1Q and Layer 2 Protocol Tunneling Understanding 802.1Q Tunneling Figure 15-2 Original (Normal), 802.1Q, and Double-Tagged Ethernet Packet Formats (figure: frame layouts showing Destination address, Source address, Length/EtherType, Data, and Frame Check Sequence fields for the original Ethernet frame and the 802.1Q frame from the customer network, with Etype and Len/Etype tag fields)...
  • Page 326: Configuring 802.1Q Tunneling

    Chapter 15 Configuring 802.1Q and Layer 2 Protocol Tunneling Configuring 802.1Q Tunneling Configuring 802.1Q Tunneling This section includes this information about configuring 802.1Q tunneling: • Default 802.1Q Tunneling Configuration, page 15-4 • 802.1Q Tunneling Configuration Guidelines, page 15-4 • 802.1Q Tunneling and Other Features, page 15-5 •...
  • Page 327: System Mtu

    Chapter 15 Configuring 802.1Q and Layer 2 Protocol Tunneling Configuring 802.1Q Tunneling • Ensure that the native VLAN ID on the edge-switch trunk port is not within the customer VLAN range. For example, if the trunk port carries traffic of VLANs 100 to 200, assign the native VLAN a number outside that range.
  • Page 328: Configuring An 802.1Q Tunneling Port

    • When a port is configured as an 802.1Q tunnel port, spanning-tree bridge protocol data unit (BPDU) filtering is automatically enabled on the interface. • Cisco Discovery Protocol (CDP) is automatically disabled on the interface. Configuring an 802.1Q Tunneling Port Beginning in privileged EXEC mode, follow these steps to configure a port as an 802.1Q tunnel port:...
  • Page 329: Understanding Layer 2 Protocol Tunneling

    • Users on each of a customer’s sites can properly run STP, and every VLAN can build a correct spanning tree, based on parameters from all sites and not just from the local site. • CDP discovers and shows information about the other Cisco devices connected through the SP network.
  • Page 330 Chapter 15 Configuring 802.1Q and Layer 2 Protocol Tunneling Understanding Layer 2 Protocol Tunneling As an example, Customer A in Figure 15-4 has four switches in the same VLAN that are connected through the SP network. If the network does not tunnel PDUs, switches on the far ends of the network cannot properly run STP, CDP, and VTP.
  • Page 331: Configuring Layer 2 Protocol Tunneling

    SP network, the switch overwrites the customer PDU-destination MAC address with a well-known Cisco proprietary multicast address (01-00-0c-cd-cd-d0). If 802.1Q tunneling is enabled, packets are also double-tagged; the outer tag is the customer metro tag, and the inner tag is the customer’s VLAN tag.
  • Page 332: Default Layer 2 Protocol Tunneling Configuration

    Chapter 15 Configuring 802.1Q and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling Figure 15-4, with Customer A and Customer B in access VLANs 30 and 40, respectively. Asymmetric links connect the Customers in Site 1 to edge switches in the SP network. The Layer 2 PDUs (for example, BPDUs) coming into Switch 2 from Customer B in Site 1 are forwarded to the infrastructure as double-tagged packets with the well-known MAC address as the destination MAC address.
  • Page 333: Configuring Layer 2 Tunneling

    Chapter 15 Configuring 802.1Q and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling • Dynamic Trunking Protocol (DTP) is not compatible with Layer 2 protocol tunneling because you must manually configure asymmetric links with tunnel ports and trunk ports. •...
  • Page 334 Chapter 15 Configuring 802.1Q and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling Command Purpose Step 5 l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] value (Optional) Configure the threshold for packets-per-second accepted for encapsulation. The interface is disabled if the configured threshold is exceeded.
  • Page 335: Configuring Layer 2 Tunneling For Etherchannels

    Switch# show l2protocol
    COS for Encapsulated Packets: 7
    Port    Protocol Shutdown  Drop      Encapsulation Decapsulation Drop
                     Threshold Threshold Counter       Counter       Counter
    ------- -------- --------- --------- ------------- ------------- -------------
    Fa0/11           1500      1000      2288...
  • Page 336: Configuring The Customer Switch

    Command Purpose, Step 6: l2protocol-tunnel drop-threshold [point-to-point [pagp | lacp | udld]] value. (Optional) Configure the threshold for packets-per-second accepted for encapsulation. The interface drops packets if the configured threshold is exceeded.
  • Page 337 Command Purpose, Step 6: channel-group channel-group-number mode desirable. Assign the interface to a channel group, and specify desirable for the PAgP mode. For more information about configuring EtherChannels, see Chapter 30, “Configuring EtherChannels.”...
  • Page 338
    Switch(config)# interface fastethernet0/2
    Switch(config-if)# switchport access vlan 20
    Switch(config-if)# switchport mode dot1q-tunnel
    Switch(config-if)# l2protocol-tunnel point-to-point pagp
    Switch(config-if)# l2protocol-tunnel point-to-point udld
    Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000
    Switch(config-if)# exit
    Switch(config)# interface fastethernet0/3
    Switch(config-if)# switchport trunk encapsulation isl...
  • Page 339: Monitoring And Maintaining Tunneling Status

    Monitoring and Maintaining Tunneling Status: Table 15-2 shows the privileged EXEC commands for monitoring and maintaining 802.1Q and Layer 2 protocol tunneling. Table 15-2 Commands for Monitoring and Maintaining Tunneling (Command / Purpose): clear l2protocol-tunnel counters...
  • Page 341: Understanding Spanning-Tree Features

    Catalyst 3550 switch. The switch uses the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or it can use the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1W standard.
  • Page 342: Chapter 16 Configuring Stp

    Chapter 16 Configuring STP Understanding Spanning-Tree Features
    • Spanning-Tree Interoperability and Backward Compatibility, page 16-10
    • STP and IEEE 802.1Q Trunks, page 16-10
    • VLAN-Bridge Spanning Tree, page 16-10
    For configuration information, see the “Configuring Spanning-Tree Features” section on page 16-11.
  • Page 343: Bridge Id, Switch Priority, And Extended System Id

    When the switches in a network are powered up, each functions as the root switch. Each switch sends a configuration BPDU through all of its ports. The BPDUs communicate and compute the spanning-tree topology.
  • Page 344: Spanning-Tree Interface States

    In Cisco IOS Release 12.1(8)EA1 and later, Catalyst 3550 switches support the 802.1T spanning-tree extensions. Some of the bits previously used for the switch priority are now used as the VLAN identifier. The result is that fewer MAC addresses are reserved for the switch, and a larger range of VLAN IDs can be supported, all while maintaining the uniqueness of the bridge ID.
  • Page 345: Blocking State

    Figure 16-1 illustrates how an interface moves through the states. [Figure 16-1 Spanning-Tree Interface States: power-on initialization, blocking state, listening state, learning state, forwarding state, and disabled state] When you power up the switch, spanning tree is enabled by default, and every interface in the switch, VLAN, or network goes through the blocking state and the transitory states of listening and learning.
  • Page 346: Listening State

    An interface in the blocking state performs as follows:
    • Discards frames received on the port
    • Discards frames switched from another interface for forwarding
    • Does not learn addresses
    • Receives BPDUs
    Listening State: The listening state is the first state a Layer 2 interface enters after the blocking state.
  • Page 347: How A Switch Or Port Becomes The Root Switch Or Root Port

    A disabled interface performs as follows:
    • Discards frames received on the port
    • Discards frames switched from another interface for forwarding
    • Does not learn addresses
    • Does not receive BPDUs
    How a Switch or Port Becomes the Root Switch or Root Port: If all switches in a network are enabled with default spanning-tree settings, the switch with the lowest MAC address becomes the root switch.
  • Page 348: Spanning-Tree Address Management

    [Figure 16-3 Spanning Tree and Redundant Connectivity: Switch A, Switch B, and Switch C (each a Catalyst 2950, 2955, or 3550 switch) connected by an active link and a blocked link, with workstations attached] You can also create redundant links between switches by using EtherChannel groups.
  • Page 349: Spanning-Tree Modes And Protocols

    Spanning-Tree Modes and Protocols The switch supports these spanning-tree modes and protocols: PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet, Fast Ethernet, and Gigabit Ethernet port-based VLANs.
  • Page 350: Spanning-Tree Interoperability And Backward Compatibility

    VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
  • Page 351: Configuring Spanning-Tree Features

    To support VLAN-bridge spanning tree, some of the spanning-tree timers are increased. To use the fallback bridging feature, you must have the enhanced multilayer software image installed on your switch. For more information, see Chapter 36, “Configuring Fallback Bridging.”...
  • Page 352: Spanning-Tree Configuration Guidelines

    Table 16-3 Default Spanning-Tree Configuration (continued), Feature / Default Setting:
    Spanning-tree VLAN port cost (configurable on a per-VLAN basis): 1000 Mbps: 4. 100 Mbps: 19. 10 Mbps: 100.
    Spanning-tree timers: Hello time: 2 seconds. Forward-delay time: 15 seconds.
  • Page 353: Changing The Spanning-Tree Mode

    The switch supports PVST+, rapid PVST+, and MSTP, but only one version can be active at any time. (For example, all VLANs run PVST+, all VLANs run rapid PVST+, or all VLANs run MSTP.) For information about the different spanning-tree modes and how they interoperate, see the “Spanning-Tree Interoperability and Backward Compatibility”...
  • Page 354: Disabling Spanning Tree

    To return to the default setting, use the no spanning-tree mode global configuration command. To return the port to its default setting, use the no spanning-tree link-type interface configuration command. Disabling Spanning Tree: Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in the “Supported Spanning-Tree Instances”...
  • Page 355 For Catalyst 3550 switches without the extended system ID (software earlier than Cisco IOS Release 12.1(8)EA1), if all network devices in VLAN 100 have the default priority of 32768, entering the spanning-tree vlan 100 root primary command on the switch sets the switch priority for VLAN 100 to 8192, which causes this switch to become the root switch for VLAN 100.
  • Page 356: Configuring A Secondary Root Switch

    For Catalyst 3550 switches without the extended system ID support (software earlier than Cisco IOS Release 12.1(8)EA1), the switch priority is changed to 16384. You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values as you used when you configured the primary root switch with the spanning-tree vlan vlan-id root primary global configuration command.
  • Page 357: Configuring The Port Priority

    Beginning in privileged EXEC mode, follow these steps to configure a switch to become the secondary root for the specified VLAN. This procedure is optional. Command Purpose, Step 1: configure terminal. Enter global configuration mode. Step 2: spanning-tree vlan vlan-id root secondary. Configure a switch to become the secondary root for the specified...
  • Page 358: Configuring The Path Cost

    Command Purpose, Step 3: spanning-tree port-priority priority. Configure the port priority for an interface. For priority, the range is 0 to 240 in increments of 16. The default is 128. The lower the number, the higher the priority.
  • Page 359 Beginning in privileged EXEC mode, follow these steps to configure the cost of an interface. This procedure is optional. Command Purpose, Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Enter interface configuration mode, and specify an interface to configure.
  • Page 360: Configuring The Switch Priority Of A Vlan

    Configuring the Switch Priority of a VLAN: You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. Note: Exercise care when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the switch priority.
  • Page 361: Configuring The Hello Time

    The sections that follow provide the configuration steps. Configuring the Hello Time: You can configure the interval between the generation of configuration messages by the root switch by changing the hello time. Note: Exercise care when using this command.
  • Page 362: Configuring The Forwarding-Delay Time For A Vlan

    Configuring the Forwarding-Delay Time for a VLAN: Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional. Command Purpose, Step 1: configure terminal. Enter global configuration mode.
  • Page 363: Configuring Spanning Tree For Use In A Cascaded Stack

    [Table: STP timer settings (Hello Time, Max Age, Forwarding Delay) for the STP default and the acceptable values for Option 1, Option 2, and Option 3] [Figure 16-4 Gigabit Ethernet Stack: Catalyst 2950, 2955, or 3550 switches, a Cisco 7000 series router, a Catalyst 3550 switch, and a Layer 3 Catalyst...]
  • Page 364: Displaying The Spanning-Tree Status

    Displaying the Spanning-Tree Status: To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 16-6. Table 16-6 Commands for Displaying Spanning-Tree Status (Command / Purpose): show spanning-tree active: Displays spanning-tree information on active interfaces only.
  • Page 365 Chapter: Configuring MSTP. This chapter describes how to configure the Cisco implementation of the IEEE 802.1S Multiple STP (MSTP) on your Catalyst 3550 switch. The MSTP enables multiple VLANs to be mapped to the same spanning-tree instance, thereby reducing the number of spanning-tree instances needed to support a large number of VLANs.
  • Page 366: Chapter 17 Configuring Mstp

    Chapter 17 Configuring MSTP Understanding MSTP Understanding MSTP MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.
  • Page 367: Operations Within An Mst Region

    All MST instances within the same region share the same protocol timers, but each MST instance has its own topology parameters, such as root switch ID, root path cost, and so forth. By default, all VLANs are assigned to the IST.
  • Page 368: Hop Count

    [Figure 17-1 MST Regions, IST Masters, and the CST Root: MST Region 1 containing the IST master and CST root, MST Region 2 and MST Region 3 each with an IST master, and a legacy 802.1D region] Figure 17-1 does not show additional MST instances for each region. Note that the topology of MST instances can be different from that of the IST for the same region.
  • Page 369: Boundary Ports

    received remaining hop count by one and propagates this value as the remaining hop count in the BPDUs it generates. When the count reaches zero, the switch discards the BPDU and ages the information held for the port.
  • Page 370: Understanding Rstp

    Understanding RSTP: The RSTP takes advantage of point-to-point wiring and provides rapid convergence of the spanning tree. Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with the default settings in the 802.1D spanning tree), which is critical for networks carrying delay-sensitive traffic such as voice and video.
  • Page 371: Rapid Convergence

    [Table row: Disabled / Disabled / Discarding] To be consistent with Cisco STP implementations, this guide documents the port state as blocking instead of discarding. Designated ports start in the listening state. Rapid Convergence: The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
  • Page 372: Synchronization Of Port Roles

    [Figure 17-2 Proposal and Agreement Handshaking for Rapid Convergence: proposal and agreement exchanges between Switch A (root switch), Switch B, and Switch C; DP = designated port, RP = root port, F = forwarding] Synchronization of Port Roles: When the switch receives a proposal message on one of its ports and that port is selected as the new root...
  • Page 373: Bridge Protocol Data Unit Format And Processing

    [Figure 17-3 Sequence of Events During Rapid Convergence: 1. Proposal, 2. Block, 3. Block, 4. Agreement, 5. Forward, 6. Proposal, 7. Proposal, 8. Agreement, 9. Forward, 10. Agreement, 11. Forward; edge port, root port, and designated port are labeled] Bridge Protocol Data Unit Format and Processing: The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version...
  • Page 374: Processing Superior Bpdu Information

    The RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change (TC) flag to show the topology changes. However, for interoperability with 802.1D switches, the RSTP switch processes and generates TCN BPDUs. The learning and forwarding flags are set according to the state of the sending port.
  • Page 375: Configuring Mstp Features

    • Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.
  • Page 376: Default Mstp Configuration

    • When you enable MST by using the spanning-tree mode mst global configuration command, RSTP is automatically enabled. Per-VLAN RSTP is not supported in software releases earlier than Cisco IOS Release 12.1(13)EA1.
    • For two or more switches to be in the same MST region, they must have the same VLAN-to-instance...
  • Page 377: Specifying The Mst Region Configuration And Enabling Mstp

    • All MST boundary ports must be forwarding for load balancing between a PVST+ and an MST cloud or between a rapid-PVST+ and an MST cloud. For this to occur, the IST master of the MST cloud should also be the root of the CST.
  • Page 378: Configuring The Root Switch

    Command Purpose, Step 8: spanning-tree mode mst. Enable MSTP. RSTP is also enabled. Caution: Changing spanning-tree modes can disrupt traffic because all spanning-tree instances are stopped for the previous mode and restarted in the new mode. You cannot run both MSTP and PVST+ or both MSTP and rapid PVST+ at the same time.
  • Page 379 Table 16-1 on page 16-4.) Note: Catalyst 3550 switches running software earlier than Cisco IOS Release 12.1(8)EA1 do not support the extended system ID. Catalyst 3550 switches running software earlier than Cisco IOS Release 12.1(9)EA1 do not support the MSTP.
  • Page 380: Configuring A Secondary Root Switch

    For Catalyst 3550 switches without the extended system ID support (software earlier than Cisco IOS Release 12.1(8)EA1), the switch priority is changed to 16384. You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command.
  • Page 381: Configuring The Port Priority

    Configuring the Port Priority: If a loop occurs, the MSTP uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) that you want selected last.
  • Page 382: Configuring The Path Cost

    Configuring the Path Cost: The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values that you want selected last.
  • Page 383: Configuring The Switch Priority

    Configuring the Switch Priority: You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. Note: Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
  • Page 384: Configuring The Forwarding-Delay Time

    Beginning in privileged EXEC mode, follow these steps to configure the hello time for all MST instances. This procedure is optional. Command Purpose, Step 1: configure terminal. Enter global configuration mode. Step 2: spanning-tree mst hello-time seconds. Configure the hello time for all MST instances.
  • Page 385: Configuring The Maximum-Aging Time

    Configuring the Maximum-Aging Time: Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances. This procedure is optional. Command Purpose, Step 1: configure terminal. Enter global configuration mode. Step 2: spanning-tree mst max-age seconds. Configure the maximum-aging time for all MST instances.
  • Page 386: Specifying The Link Type To Ensure Rapid Transitions

    Specifying the Link Type to Ensure Rapid Transitions: If you connect a port to another port through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the “Rapid Convergence”...
  • Page 387: Displaying The Mst Configuration And Status

    Displaying the MST Configuration and Status: To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 17-4. Table 17-4 Commands for Displaying MST Status (Command / Purpose): show spanning-tree mst configuration...
  • Page 389: Understanding Optional Spanning-Tree Features

    Chapter: Configuring Optional Spanning-Tree Features. This chapter describes how to configure optional spanning-tree features on your Catalyst 3550 switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+).
  • Page 390: Understanding Port Fast

    Chapter 18 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding Port Fast Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. You can use Port Fast on ports connected to a single workstation or server, as shown in Figure 18-1, to allow those devices to...
  • Page 391: Chapter 18 Configuring Optional Spanning-Tree Features

    Understanding BPDU Guard: The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences. At the global level, you can enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command.
  • Page 392: Understanding Uplinkfast

    Understanding UplinkFast: Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 18-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops. [Figure 18-2 Switches in a Hierarchical Network: backbone switches, root bridge...]
  • Page 393: Understanding Cross-Stack Uplinkfast

    Figure 18-3 shows an example topology with no link failures. Switch A, the root switch, is connected directly to Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state.
  • Page 394: How Csuf Works

    How CSUF Works: CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 18-5, Switches A, B, and C are cascaded through the GigaStack GBIC to form a multidrop backbone, which communicates control and data traffic across the switches at the access layer.
  • Page 395: Events That Cause Fast Convergence

    The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port that it has chosen as the root port, and it must obtain an acknowledgement from each stack switch before performing the fast transition.
  • Page 396: Limitations

    Limitations: These limitations apply to CSUF:
    • CSUF uses the GigaStack GBIC and runs on all Catalyst 3550 switches, all Catalyst 3500 XL switches, Catalyst 2950 switches with GBIC module slots, and only on modular Catalyst 2900 XL switches that have the 1000BASE-X module installed.
  • Page 397 [Figure 18-6 GigaStack GBIC Connections and Spanning-Tree Convergence: GigaStack GBIC connection for fast convergence among Catalyst 3550-12T, Catalyst 3508G XL, Catalyst 2950G-24, Catalyst 3500 XL, and Catalyst 2950 switches, with ports 11 through 16 labeled]...
  • Page 398: Understanding Backbonefast

    Understanding BackboneFast: BackboneFast detects indirect failures in the core of the backbone. BackboneFast is a complementary technology to the UplinkFast feature, which responds to failures on links directly connected to access switches.
  • Page 399 [Figure 18-7 BackboneFast Example Before Indirect Link Failure: Switch A (Root), Switch B, and Switch C, with a blocked port on Switch C] If link L1 fails as shown in Figure 18-8, Switch C cannot detect this failure because it is not connected directly to link L1.
  • Page 400: Understanding Etherchannel Guard

    [Figure 18-9 Adding a Switch in a Shared-Medium Topology: Switch A (Root), Switch B, Switch C (Designated bridge), a blocked port, and the added switch] Understanding EtherChannel Guard: You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device.
  • Page 401: Understanding Loop Guard

    If the switch is operating in multiple spanning-tree (MST) mode, root guard forces the port to be a designated port. If a boundary port is blocked in an internal spanning-tree (IST) instance because of root guard, the port also is blocked in all MST instances.
  • Page 402: Configuring Optional Spanning-Tree Features

    Configuring Optional Spanning-Tree Features: These sections describe how to configure optional spanning-tree features:
    • Default Optional Spanning-Tree Configuration, page 18-14
    • Optional Spanning-Tree Configuration Guidelines, page 18-14
    • Enabling Port Fast, page 18-14 (optional)
    • ...
  • Page 403: Enabling Bpdu Guard

    Caution: Use Port Fast only when connecting a single end station to an access or trunk port. Enabling this feature on a port connected to a switch or hub could prevent spanning tree from detecting and disabling loops in your network, which could cause broadcast storms and address-learning problems.
  • Page 404: Enabling Bpdu Filtering

    secure response to invalid configurations because you must manually put the port back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree.
  • Page 405: Enabling Uplinkfast For Use With Redundant Links

    Caution: Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops. You can enable the BPDU filtering feature if your switch is running PVST+, rapid PVST+, or MSTP. Beginning in privileged EXEC mode, follow these steps to globally enable the BPDU filtering feature.
  • Page 406 The UplinkFast feature is supported only when the switch is running PVST+. It is not supported when the switch is running rapid PVST+ or MSTP. Beginning in privileged EXEC mode, follow these steps to enable UplinkFast. This procedure is optional.
  • Page 407: Enabling Cross-Stack Uplinkfast

    Enabling Cross-Stack UplinkFast: Before enabling CSUF, make sure your stack switches are properly connected. For more information, see the “Connecting the Stack Ports” section on page 18-8. The CSUF feature is supported only when the switch is running PVST+. It is not supported when the switch is running rapid PVST+ or MSTP.
  • Page 408: Enabling Backbonefast

    Enabling BackboneFast: You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration sooner. Note: If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs.
  • Page 409: Enabling Root Guard

    You can use the show interfaces status err-disabled privileged EXEC command to determine which switch ports are disabled because of an EtherChannel misconfiguration. On the remote device, you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel configuration.
  • Page 410: Displaying The Spanning-Tree Status

    Beginning in privileged EXEC mode, follow these steps to enable loop guard. This procedure is optional. Command Purpose, Step 1: show spanning-tree active, or show spanning-tree mst. Determine which ports are alternate or root ports. Step 2: configure terminal...
  • Page 411: Understanding Dhcp Features

    For complete syntax and usage information for the commands used in this chapter, see the command reference for this release, and refer to the “IP Addressing and Services” section in the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
  • Page 412: Chapter 19 Configuring Dhcp Feature

    Chapter 19 Configuring DHCP Features Understanding DHCP Features Option-82 Data Insertion In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address assignments for a large number of subscribers. When the DHCP option-82 feature is enabled on the switch, a subscriber is identified by the switch port through which it connects to the network (in addition to its MAC address).
  • Page 413: Configuring DHCP Features

    • The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. When the client and server are on the same subnet, the server broadcasts the reply. The switch verifies that it originally inserted the option-82 data by inspecting the remote ID and possibly the circuit ID fields.
  • Page 414: Upgrading From A Previous Software Release

    – If your DHCP server is a Cisco device, refer to the “IP Addressing and Services” section in the “Configuring DHCP” chapter of the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1. Otherwise, refer to the documentation that shipped with the server.
  • Page 415 Step 3 ip dhcp snooping vlan vlan-id [vlan-id]: Enable DHCP snooping on a VLAN or range of VLANs. You can specify a single VLAN identified by VLAN ID number or a start and end VLAN ID to specify a range of VLANs.
  • Page 416: Enabling the DHCP Relay Agent and Option 82

    In Cisco IOS Release 12.1(19)EA1, the implementation for the Option 82 Subscriber Identification changed from the previous release. For more information about configuring the relay agent and option 82 when using DHCP snooping, see the “Upgrading from a Previous Software Release”...
  • Page 417: Configuring The Reforwarding Policy

    By default, the reforwarding policy of the switch is to replace existing relay information in packets received from DHCP clients with switch DHCP relay information. If the default action is not suitable for your network configuration, you can use the ip dhcp relay information policy {drop | keep | replace} global configuration command to change it.
  • Page 418 Beginning in privileged EXEC mode, follow these steps to specify the packet forwarding address. This procedure is optional. Step 1 configure terminal: Enter global configuration mode. Step 2 interface vlan vlan-id: Enter interface configuration mode, and create a switch virtual interface.
  • Page 419: Displaying DHCP Information

    You can display a DHCP snooping binding table and configuration information for all interfaces on a switch. To display the status of the insertion and removal of the DHCP option-82 field on all interfaces, use the show running-config privileged EXEC command.
  • Page 420: Displaying the DHCP Snooping Configuration

    This example shows how to display the DHCP snooping configuration for a switch. Switch# show ip dhcp snooping Switch DHCP snooping is enabled DHCP snooping is configured on following VLANs: 40-42 Insertion of option 82 is enabled Interface...
  • Page 421: Understanding IGMP Snooping

    Note For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the Cisco IOS Release Network Protocols Command Reference, Part 1, for Cisco IOS Release 12.1. This chapter consists of these sections: • Understanding IGMP Snooping, page 20-1 ...
  • Page 422: Chapter 20 Configuring IGMP Snooping and MVR

    Chapter 20 Configuring IGMP Snooping and MVR Understanding IGMP Snooping the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.
  • Page 423: Joining A Multicast Group

    An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast (SSM) feature. For more information, refer to the “Configuring IP Multicast Layer 3 Switching” chapter in the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, Cisco IOS Release 12.1(12c)EW at this URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_12/config/mcastmls.htm...
  • Page 424: Leaving A Multicast Group

    Note that the switch hardware can distinguish IGMP information packets from other packets for the multicast group. • The first entry in the table tells the switching engine to send IGMP packets to only the switch CPU. This prevents the CPU from becoming overloaded with multicast frames.
  • Page 425: Immediate-Leave Processing

    When hosts want to leave a multicast group, they can either silently leave, or they can send a leave message. When the switch receives a leave message from a host, it sends out a MAC-based general query to determine if any other devices connected to that interface are interested in traffic for the specific multicast group.
  • Page 426: Configuring IGMP Snooping

    The default learning method for traffic that aliases with reserved, destination, multicast IP addresses is IP multicast-source-only learning. Traffic that does not alias with these multicast addresses is forwarded to both the multicast source ports and multicast router ports. You cannot disable IP multicast-source-only learning for the traffic with reserved, destination, multicast IP addresses.
  • Page 427: Enabling or Disabling IGMP Snooping

    Table 20-3 Default IGMP Snooping Configuration (continued). Aging forward-table entries (for traffic that aliases with reserved, destination, multicast IP addresses): Enabled; the default is 600 seconds (10 minutes). IGMP report suppression: Enabled.
  • Page 428: Setting the Snooping Method

    • Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets • Listening to Cisco Group Management Protocol (CGMP) packets from other routers • Statically connecting to a multicast router port with the ip igmp snooping mrouter global...
  • Page 429: Configuring A Multicast Router Port

    TCN flood query count Vlan 1: -------- IGMP snooping :Enabled Immediate leave :Disabled Multicast router learning mode :pim-dvmrp Source only learning age timer CGMP interoperability mode :IGMP_ONLY To return to the default learning method, use the no ip igmp snooping vlan vlan-id mrouter learn cgmp global configuration command.
  • Page 430: Enabling IGMP Immediate-Leave Processing

    Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group: Step 1 configure terminal: Enter global configuration mode. Step 2 ip igmp snooping vlan vlan-id static: Statically configure a Layer 2 port as a member of a multicast...
  • Page 431: Disabling IGMP Report Suppression

    Beginning in privileged EXEC mode, follow these steps to enable IGMP Immediate-Leave processing: Step 1 configure terminal: Enter global configuration mode. Step 2 ip igmp snooping vlan vlan-id: Enable IGMP Immediate-Leave processing on the VLAN interface.
  • Page 432: Configuring The Aging Time

    You can set the aging time for forwarding-table entries that the switch learns by using the IP multicast-source-only learning method. Beginning in privileged EXEC mode, follow these steps to configure the aging time: Step 1...
  • Page 433: Understanding Multicast VLAN Registration

    Table 20-4 Commands for Displaying IGMP Snooping Information (continued). show ip igmp snooping querier [vlan vlan-id]: Display information about the IGMP version that an interface supports. (Optional) Enter vlan vlan-id to display information for a single VLAN. show mac address-table multicast [vlan vlan-id]: Display the Layer 2 MAC address table entries for a VLAN.
  • Page 434: Using MVR in a Multicast Television Application

    interface only if it has received a join message from the interface for the group. Receiver ports are treated as members of the multicast VLAN for MVR multicast control and data traffic. IGMP reports for MVR groups are sent out source ports in the multicast VLAN.
  • Page 435 Figure 20-3 Multicast VLAN Registration Example (figure showing a multicast VLAN with a Cisco router, a multicast server, Catalyst 3550 switches, and Catalyst 2950 or 2955 switches)...
  • Page 436: Configuring MVR

    These sections include basic MVR configuration information: • Default MVR Configuration, page 20-16 • MVR Configuration Guidelines and Limitations, page 20-16 • Configuring MVR Global Parameters, page 20-17 • Configuring MVR Interfaces, page 20-18 ...
  • Page 437: Configuring MVR Global Parameters

    You do not need to set the optional MVR parameters if you choose to use the default settings. If you do want to change the default parameters (except for the MVR VLAN), you must first enable MVR. Beginning in privileged EXEC mode, follow these steps to configure MVR parameters: ...
  • Page 438: Configuring MVR Interfaces

    This example shows how to enable MVR, configure the MVR group address, set the query time to 1 second (10 tenths), specify the MVR multicast VLAN as VLAN 22, set the MVR mode as dynamic, and verify the results: Switch(config)# mvr Switch(config)# mvr group 228.1.23.4...
  • Page 439 Step 6 mvr immediate: (Optional) Enable the Immediate Leave feature of MVR on the port. Note This command applies to only receiver ports and should only be enabled on receiver ports to which a single receiver device is connected.
  • Page 440: Displaying MVR Information

    You can display MVR information for the switch or for a specified interface. Beginning in privileged EXEC mode, use the commands in Table 20-6 to display MVR configuration: Table 20-6 Commands for Displaying MVR Information. show mvr: Displays MVR status and values for the switch—whether MVR is enabled or disabled,...
  • Page 441: Configuring IGMP Filtering and Throttling

    This is an example of output from the show mvr interface privileged EXEC command when the members keyword is included: Switch# show mvr interface gigabitethernet0/6 members 239.255.0.0 DYNAMIC ACTIVE 239.255.0.1 DYNAMIC ACTIVE 239.255.0.2...
  • Page 442: Default IGMP Filtering and Throttling Configuration

    With the IGMP throttling feature, you can also set the maximum number of IGMP groups that a Layer 2 interface can join. If a maximum is set, the IGMP snooping forwarding table already holds that maximum number of entries, and the interface receives an IGMP join report, you can configure the interface either to drop the IGMP report or to remove a randomly selected multicast entry from the forwarding table and then add the IGMP group in the report to the table.
  • Page 443: Applying IGMP Profiles

    Beginning in privileged EXEC mode, follow these steps to create an IGMP profile: Step 1 configure terminal: Enter global configuration mode. Step 2 ip igmp profile profile number: Enter IGMP profile configuration mode, and assign a number to the profile you are configuring.
  • Page 444: Setting the Maximum Number of IGMP Groups

    Beginning in privileged EXEC mode, follow these steps to apply an IGMP profile to a switch port: Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Enter interface configuration mode, and enter the physical interface to configure, for example fastethernet0/3.
  • Page 445: Configuring the IGMP Throttling Action

    Beginning in privileged EXEC mode, follow these steps to set the maximum number of IGMP groups in the forwarding table: Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Enter interface configuration mode, and enter the physical interface to...
  • Page 446 • If you configure the throttling action and set the maximum group limitation after an interface has added multicast entries to the forwarding table, the forwarding-table entries are either aged out or removed, depending on the throttling action.
  • Page 447: Displaying IGMP Filtering and Throttling Configuration

    You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface. You can also display the IGMP throttling configuration for all interfaces on the switch or for a specified interface.
  • Page 449: Configuring Storm Control

    Chapter 21 Configuring Port-Based Traffic Control This chapter describes how to configure the port-based traffic control features on your Catalyst 3550 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 450 Chapter 21 Configuring Port-Based Traffic Control Configuring Storm Control Storm control (or traffic suppression) monitors incoming traffic statistics over a time period and compares the measurement with a predefined suppression level threshold. The threshold represents the percentage of the total available bandwidth of the port. The switch supports separate storm control thresholds for broadcast, multicast, and unicast traffic.
  • Page 451: Chapter 21 Configuring Port-Based Traffic Control

    You use the storm-control interface configuration commands to set the threshold value for each traffic type. Note Before Cisco IOS Release 12.1(8)EA1, you set up storm control threshold values by using the switchport broadcast, switchport multicast, and switchport unicast interface configuration commands. These commands are now obsolete, replaced by the storm-control interface configuration commands.
  • Page 452: Disabling Storm Control

    Step 5 storm-control unicast level level [.level]: Specify the unicast traffic suppression level for an interface as a percentage of total bandwidth. The level can be from 1 to 100; the optional fraction of a level can be from 0 to 99.
  • Page 453: Configuring Protected Ports

    Switch# show storm-control fastethernet0/17 multicast Interface Filter State Level Current --------- ------------- ------- ------- Fa0/17 inactive 100.00% Configuring Protected Ports: Some applications require that no traffic be forwarded between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor.
  • Page 454: Configuring Port Blocking

    To disable a protected port, use the no switchport protected interface configuration command. This example shows how to configure Gigabit Ethernet interface 0/1 as a protected port and verify the configuration: Switch# configure terminal Switch(config)# interface gigabitethernet0/1 Switch(config-if)# switchport protected Switch(config-if)# end...
  • Page 455: Resuming Normal Forwarding On A Port

    Step 6 show interfaces interface-id switchport: Verify your entries. Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file. To return the interface to the default condition where no traffic is blocked, use the no switchport block {multicast | unicast} interface configuration commands.
  • Page 456: Configuring Port Security

    You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.
  • Page 457: Security Violations

    It is a security violation when one of these situations occurs: • The maximum number of secure MAC addresses has been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
  • Page 458: Default Port Security Configuration

    Table 21-2 shows the default port security configuration for an interface. Table 21-2 Default Port Security Configuration. Port security: Disabled. Maximum number of secure MAC addresses: One.
  • Page 459: Enabling And Configuring Port Security

    Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port: Step 1...
  • Page 460 Step 6 switchport port-security violation {protect | restrict | shutdown}: (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these: •...
  • Page 461 To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table.
  • Page 462: Enabling And Configuring Port Security Aging

    Switch(config-if)# switchport port-security mac-address sticky Switch(config-if)# end Switch# show port-security address Secure Mac Address Table ------------------------------------------------------------------- Vlan Mac Address Type Ports Remaining Age (mins) ---- ----------- ---- ----- ------------- 0000.0000.000a SecureDynamic Fa0/1 0000.0002.0300 SecureDynamic...
  • Page 463 Beginning in privileged EXEC mode, follow these steps to configure port security aging: Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify the port on which you want to enable port security aging, and enter interface configuration mode.
  • Page 464: Displaying Port-Based Traffic Control Settings

    The show interfaces interface-id switchport privileged EXEC command displays (among other characteristics) the interface traffic suppression and control configuration. The show interfaces counters privileged EXEC commands display the count of discarded packets. The show storm-control and show port-security privileged EXEC commands display those features.
  • Page 465: Understanding CDP

    • Monitoring and Maintaining CDP, page 22-5. Understanding CDP: CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 466: Configuring CDP

    Chapter 22 Configuring CDP. These sections include CDP configuration information and procedures: • Default CDP Configuration, page 22-2 • Configuring the CDP Characteristics, page 22-2 • Disabling and Enabling CDP, page 22-3 • Disabling and Enabling CDP on an Interface, page 22-4 ...
  • Page 467: Chapter 22 Configuring CDP

    Step 6 show cdp: Verify configuration by displaying global information about CDP on the device. Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file. Use the no form of the CDP commands to return to the default settings. This example shows how to configure and verify CDP characteristics.
  • Page 468: Disabling and Enabling CDP on an Interface

    This example shows how to enable CDP if it has been disabled. Switch# configure terminal Switch(config)# cdp run Switch(config)# end Disabling and Enabling CDP on an Interface: CDP is enabled by default on all supported interfaces to send and receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface: ...
  • Page 469: Monitoring and Maintaining CDP

    To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode. clear cdp counters: Reset the traffic counters to zero. clear cdp table: Delete the CDP table of information about neighbors.
  • Page 471: Understanding UDLD

    Chapter 23 Configuring UDLD This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on your Catalyst 3550 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 472: Chapter 23 Configuring UDLD

    Chapter 23 Configuring UDLD Understanding UDLD A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device. In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic interface are misconnected and the Layer 1 mechanisms do not detect this misconnection.
  • Page 473 • Event-driven detection and echoing: UDLD relies on echoing as its detection mechanism. Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out-of-sync neighbor, it restarts the detection window on its side of the connection and sends echo messages in reply.
  • Page 474: Configuring UDLD

    This section describes how to configure UDLD on your switch. It contains this configuration information: • Default UDLD Configuration, page 23-4 • Configuration Guidelines, page 23-4 • Enabling UDLD Globally, page 23-5 • Enabling UDLD on an Interface, page 23-5 ...
  • Page 475: Enabling UDLD Globally

    Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic interfaces on the switch: Step 1...
  • Page 476: Resetting an Interface Shut Down by UDLD

    Step 3 udld port [aggressive]: Specify the UDLD mode of operation: • aggressive—(Optional) Enables UDLD in aggressive mode on the specified interface. UDLD is disabled by default. If you do not enter the aggressive keyword, the switch enables UDLD in normal mode.
  • Page 477: Displaying UDLD Status

    To display the UDLD status for the specified interface or for all interfaces, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the display, refer to the command reference for this release.
  • Page 479: Understanding SPAN and RSPAN

    Chapter 24 Configuring SPAN and RSPAN This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on your Catalyst 3550 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.
  • Page 480: Chapter 24 Configuring SPAN and RSPAN

    You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) Sensor Appliance to a destination port, the IDS device can send TCP Reset packets to close down the TCP session of a suspected attacker.
  • Page 481: SPAN and RSPAN Concepts and Terminology

    Chapter 24 Configuring SPAN and RSPAN Understanding SPAN and RSPAN SPAN and RSPAN Concepts and Terminology This section describes concepts and terminology associated with SPAN and RSPAN configuration. SPAN Session A local SPAN session is an association of a destination port with source ports and source VLANs. An RSPAN session is an association of source ports and source VLANs across your network with an RSPAN VLAN.
  • Page 482: Source Port

    Some features that can cause a packet to be dropped during receive processing have no effect on SPAN; the destination port receives a copy of the packet even if the actual incoming packet is dropped.
  • Page 483: Destination Port

    Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports and VLANs. The destination port has these characteristics: • It must reside on the same switch as the source port (for a local SPAN session).
  • Page 484: VLAN-Based SPAN

    You can use local SPAN to monitor all network traffic, including multicast and bridge protocol data unit (BPDU) packets, and Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), Port Aggregation Protocol (PAgP), and Link Aggregation Control Protocol (LACP) packets.
  • Page 485: SPAN and RSPAN Interaction with Other Features

    SPAN or RSPAN session is disabled. On a source port, SPAN does not affect the STP status. STP can be active on trunk ports carrying an RSPAN VLAN. • Cisco Discovery Protocol (CDP)—A SPAN destination port does not participate in CDP while the...
  • Page 486: SPAN and RSPAN Session Limits

    • 802.1X—You can enable 802.1X on a port that is a SPAN destination or reflector port; however, 802.1X is disabled until the port is removed as a SPAN destination or reflector port. You can enable 802.1X on a SPAN source port.
  • Page 487: SPAN Configuration Guidelines

    Follow these guidelines when configuring SPAN: • SPAN sessions can coexist with RSPAN sessions within the limits described in the “SPAN and RSPAN Session Limits” section on page 24-8. •...
  • Page 488: Creating a SPAN Session and Specifying Ports to Monitor

    Beginning in privileged EXEC mode, follow these steps to create a SPAN session and specify the source (monitored) and destination (monitoring) ports: Step 1 configure terminal...
  • Page 489: Creating a SPAN Session and Enabling Ingress Traffic

    Beginning in privileged EXEC mode, follow these steps to create a SPAN session, to specify the source and destination ports, and to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance): Command...
  • Page 490 Step 4 monitor session session_number destination interface interface-id [encapsulation {dot1q [ingress vlan vlan-id] ...: Specify the SPAN session, the destination port (monitoring port), the packet encapsulation, and the ingress VLAN. For session_number, specify 1 or 2.
  • Page 491: Removing Ports from a SPAN Session

    Beginning in privileged EXEC mode, follow these steps to remove a port as a SPAN source for a session: Step 1 configure terminal: Enter global configuration mode. Step 2 no monitor session session_number source: Specify the characteristics of the source port (monitored port) and...
  • Page 492: Specifying VLANs to Monitor

    VLAN monitoring is similar to port monitoring. Beginning in privileged EXEC mode, follow these steps to specify VLANs to monitor: Step 1 configure terminal: Enter global configuration mode. Step 2 no monitor session {session_number | all ...: Clear any existing SPAN configuration for the session.
  • Page 493: Specifying Vlans To Filter

    Specifying VLANs to Filter Beginning in privileged EXEC mode, follow these steps to limit SPAN source traffic to specific VLANs: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no monitor session {session_number | all | ... Clear any existing SPAN configuration for the session.
  • Page 494: Configuring Rspan

    Configuring RSPAN This section describes how to configure RSPAN on your switch. It contains this configuration information: • RSPAN Configuration Guidelines, page 24-16 • Creating an RSPAN Session, page 24-17 • Creating an RSPAN Destination Session, page 24-18 •...
  • Page 495: Creating An Rspan Session

    Note The RSPAN VLAN cannot be VLAN 1 (the default VLAN) or VLAN IDs 1002 through 1005 (reserved to Token Ring and FDDI VLANs). • You should create an RSPAN VLAN before configuring an RSPAN source or destination session. •...
  • Page 496: Creating An Rspan Destination Session

    Command Purpose Step 4 monitor session session_number destination remote vlan vlan-id reflector-port interface Specify the RSPAN session, the destination remote VLAN, and the reflector port. For session_number, enter 1 or 2. For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port.
  • Page 497: Creating An Rspan Destination Session And Enabling Ingress Traffic

    Beginning in privileged EXEC mode, follow these steps to create an RSPAN destination session, to specify the source RSPAN VLAN, and to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance): Command...
  • Page 498: Removing Ports From An Rspan Session

    Command Purpose Step 5 show monitor [session session_number] Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. This example shows how to configure VLAN 901 as the source remote VLAN and how to configure the destination port for ingress traffic on VLAN 5 by using a security device that supports 802.1Q encapsulation:
    Switch(config)# monitor session 1 source remote vlan 901...
  • Page 499: Specifying Vlans To Monitor

    Specifying VLANs to Monitor VLAN monitoring is similar to port monitoring. Beginning in privileged EXEC mode, follow these steps to specify VLANs to monitor: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no monitor session {session_number | all ... Clear any existing SPAN configuration for the session.
  • Page 500: Specifying Vlans To Filter

    Specifying VLANs to Filter Beginning in privileged EXEC mode, follow these steps to limit RSPAN source traffic to specific VLANs: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no monitor session {session_number | all | ... Clear any existing SPAN configuration for the session.
  • Page 501: Displaying Span And Rspan Status

    Displaying SPAN and RSPAN Status To display the status of the current SPAN or RSPAN configuration, use the show monitor privileged EXEC command. This is an example of output for the show monitor privileged EXEC command for SPAN source session 1:
    Switch# show monitor session 1
    Session 1...
  • Page 503: Understanding Rmon

    Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1. This chapter consists of these sections: •...
  • Page 504: Chapter 25 Configuring Rmon

    Event (RMON group 9)—Determines the action to take when an event is triggered by an alarm. The action can be to generate a log entry or an SNMP trap. Because switches supported by this Cisco IOS release use hardware counters for RMON data processing, the monitoring is more efficient, and little processing power is required.
  • Page 505: Default Rmon Configuration

    Chapter 25 Configuring RMON Configuring RMON Default RMON Configuration RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch. Configuring RMON Alarms and Events You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station.
  • Page 506 Command Purpose Step 3 rmon event number [description string] [log] [owner string] [trap community] Add an event in the RMON event table that is associated with an RMON event number. • For number, assign an event number. The range is 1 to 65535.
  • Page 507: Configuring Rmon Collection On An Interface

    Configuring RMON Collection on an Interface You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface: Command Purpose Step 1...
  • Page 508: Displaying Rmon Status

    Displays the RMON history table. show rmon statistics Displays the RMON statistics table. For information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1.
  • Page 509: Understanding System Message Logging

    Configuring System Message Logging This chapter describes how to configure system message logging on your Catalyst 3550 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1.
  • Page 510: Configuring System Message Logging

    Chapter 26 Configuring System Message Logging Configuring System Message Logging These sections describe how to configure system message logging: • System Log Message Format, page 26-2 • Default System Message Logging Configuration, page 26-3 • Disabling and Enabling Message Logging, page 26-4 •...
  • Page 511: Chapter 26 Configuring System Message Logging

    Table 26-1 System Log Message Elements (continued) Element Description MNEMONIC Text string that uniquely describes the message. description Text string containing detailed information about the event being reported. This example shows a partial switch system message:
    00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
    00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
    00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up...
  • Page 512: Disabling And Enabling Message Logging

    Disabling and Enabling Message Logging Message logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.
  • Page 513 Command Purpose Step 3 logging host Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server.
  • Page 514: Synchronizing Log Messages

    Synchronizing Log Messages You can configure the system to synchronize unsolicited messages and debug privileged EXEC command output with solicited device output and prompts for a specific console port line or virtual terminal line.
  • Page 515: Enabling And Disabling Timestamps On Log Messages

    Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
  • Page 516: Enabling And Disabling Sequence Numbers In Log Messages

    Enabling and Disabling Sequence Numbers in Log Messages Because there is a chance that more than one log message can have the same time stamp, you can display messages with sequence numbers so that you can unambiguously refer to a single message. By default, sequence numbers in log messages are not displayed.
  • Page 517 Command Purpose Step 6 show running-config, show logging Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. Note Specifying a level causes messages at that level and numerically lower levels to be displayed at the destination.
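    The message format from Table 26-1 and the level rule in the Note above are easy to get backwards in a collector: severity 0 is the most severe, and a destination configured with level N receives levels 0 through N, not N and above. The following Python is an added example, not part of the Cisco guide. It parses the %FACILITY-SEVERITY-MNEMONIC header, together with the optional sequence number and timestamp this chapter describes, and filters a sample log the way a logging level setting would. The three LINK-3-UPDOWN lines are the ones quoted on page 511; the other sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# IOS severity levels (Table 26-3 in the guide): a LOWER number is MORE severe.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}


@dataclass
class IosMessage:
    seq: Optional[int]        # present only when 'service sequence-numbers' is configured
    timestamp: Optional[str]  # uptime or datetime text, present only with 'service timestamps'
    facility: str
    severity: int
    mnemonic: str
    description: str


# The fixed part of every system message: %FACILITY-SEVERITY-MNEMONIC: description
_HEADER_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)
# Optional leading sequence number, e.g. "000019: "
_SEQ_RE = re.compile(r"^(\d{6}):\s*")


def parse_message(line: str) -> Optional[IosMessage]:
    """Parse one IOS system message; return None for lines that are not messages."""
    m = _HEADER_RE.search(line)
    if m is None:
        return None
    prefix = line[:m.start()].strip()
    seq = None
    sm = _SEQ_RE.match(prefix)
    if sm:
        seq = int(sm.group(1))
        prefix = prefix[sm.end():]
    # Whatever remains before the '%' is the optional timestamp, minus its trailing colon.
    timestamp = prefix.strip().rstrip(":").strip() or None
    return IosMessage(seq, timestamp, m["facility"], int(m["severity"]),
                      m["mnemonic"], m["description"].strip())


def filter_by_level(lines: List[str], level: int) -> List[IosMessage]:
    """Keep the messages a destination configured with this level would receive:
    the given severity AND every numerically lower (more severe) level."""
    if not 0 <= level <= 7:
        raise ValueError("severity level must be 0..7")
    return [msg for msg in map(parse_message, lines)
            if msg is not None and msg.severity <= level]


# Sample log: the three LINK-3-UPDOWN lines are quoted from the guide, the rest are constructed.
SAMPLE_LOG = [
    "00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up",
    "00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up",
    "000019: 00:01:02: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)",
    "01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet",
    "Switch#show logging",  # a prompt echo, not a system message
]

if __name__ == "__main__":
    # Level 5 ('notifications') keeps severities 0..5 and drops the informational ACL log line.
    for msg in filter_by_level(SAMPLE_LOG, 5):
        print(f"{SEVERITY_NAMES[msg.severity]:>13} {msg.facility}-{msg.mnemonic}: {msg.description}")
```

    A collector that tests `severity >= level` instead of `<=` silently drops the alerts and keeps the debug noise; the assertion-style check in `filter_by_level` is the one to port into whatever pipeline receives the switch's syslog.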
  • Page 518: Limiting Syslog Messages Sent To The History Table And To Snmp

    Limiting Syslog Messages Sent to the History Table and to SNMP If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table.
  • Page 519: Logging Messages To A Unix Syslog Daemon

    Step 1 Add a line such as the following to the file /etc/syslog.conf:
    local7.debug /usr/adm/logs/cisco.log
    The local7 keyword specifies the logging facility to be used; see Table 26-4 on page 26-12 for information on the facilities. The debug keyword specifies the syslog level; see Table 26-3 on page 26-9 for information on the severity levels.
  • Page 520: Displaying The Logging Configuration

    To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12.1.
  • Page 521: Understanding Snmp

    Note For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This chapter consists of these sections: Understanding SNMP, page 27-1 •...
  • Page 522: Chapter 27 Configuring Snmp

    Chapter 27 Configuring SNMP Understanding SNMP • Using SNMP to Access MIB Variables, page 27-4 • SNMP Notifications, page 27-5 SNMP Versions This software release supports these SNMP versions: • SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in...
  • Page 523: Snmp Manager Functions

    Table 27-1 SNMP Security Models and Levels
    Model    Level         Authentication    Encryption  Result
    SNMPv1   noAuthNoPriv  Community string  No          Uses a community string match for authentication.
    SNMPv2C  noAuthNoPriv  Community string  No          Uses a community string match for authentication.
    SNMPv3   noAuthNoPriv  Username...
  • Page 524: Snmp Agent Functions

    SNMP Agent Functions The SNMP agent responds to SNMP manager requests as follows: • Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value. •...
  • Page 525: Snmp Notifications

    Figure 27-1 SNMP Network (the SNMP manager sends get-request, get-next-request, get-bulk and set-request operations to the SNMP agent on the network device; the agent returns get-response messages and traps). For information on supported MIBs and how to access them, see Appendix A, “Supported MIBs.” SNMP Notifications SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests.
  • Page 526: Default Snmp Configuration

    Modifying the group's notify view affects all users associated with that group. Refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1 for information about when you should configure notify views.
  • Page 527: Disabling The Snmp Agent

    The no snmp-server global configuration command disables all running versions (version 1, version 2C, and version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
  • Page 528 Beginning in privileged EXEC mode, follow these steps to configure a community string on the switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server community string [view view-name] [ro | rw] [access-list-number] Configure the community string. •...
  • Page 529: Configuring Snmp Groups And Users

    This example shows how to assign the string comaccess to SNMP, to allow read-only access, and to specify that IP access list 4 can use the community string to gain access to the switch SNMP agent:
    Switch(config)# snmp-server community comaccess ro 4
    Configuring SNMP Groups and Users You can specify an identification name (engineID) for the local or remote SNMP server engine on the...
  • Page 530 Command Purpose Step 3 snmp-server group groupname {v1 | v2c | v3 [auth | noauth | priv]} [read readview] [write writeview] [notify notifyview] [access ... Configure a new SNMP group on the remote device. • For groupname, specify the name of the group. •...
  • Page 531: Configuring Snmp Notifications

    A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers. Note Many commands use the word traps in the command syntax.
  • Page 532 Generates a trap for SNMP-type notifications.
    stpx Generates SNMP STP Extended MIB traps.
    syslog Generates SNMP syslog traps.
    Sends Cisco enterprise-specific notifications when a Transmission Control Protocol (TCP) connection closes.
    udp-port Sends notification of the User Datagram Protocol (UDP) port number of the host.
  • Page 533 Command Purpose Step 4 snmp-server group [groupname {v1 | v2c | v3 [auth | noauth | priv]}] [read readview] [write writeview] [notify notifyview] [access access-list] Configure an SNMP group. Step 5 snmp-server host host-addr Specify the recipient of an SNMP trap operation.
  • Page 534: Configuring Snmp Trap Notification Priority

    To remove the specified host from receiving traps, use the no snmp-server host host global configuration command. The no snmp-server host command with no keywords disables traps, but not informs, to the host. To disable informs, use the no snmp-server host informs global configuration command.
  • Page 535: Setting The Agent Contact And Location Information

    Setting the Agent Contact and Location Information Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file: Command Purpose Step 1...
  • Page 536: Snmp Examples

    Switch(config)# snmp-server enable traps entity
    Switch(config)# snmp-server host cisco.com restricted entity
    This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public:
    Switch(config)# snmp-server enable traps
    Switch(config)# snmp-server host myhost.cisco.com public...
  • Page 537: Displaying Snmp Status

    EXEC commands in Table 27-5 to display SNMP information. For information about the fields in the output displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. Table 27-5 Commands for Displaying SNMP Information Feature...
  • Page 539: Understanding Acls

    For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Configuration Guide and the Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1.
  • Page 540: Chapter 28 Configuring Network Security With Acls

    Chapter 28 Configuring Network Security with ACLs Understanding ACLs the switch accepts or rejects the packets. Because the switch stops testing conditions after the first match, the order of conditions in the list is critical. If no conditions match, the switch rejects the packets. If there are no restrictions, the switch forwards the packet;...
  • Page 541: Router Acls

    If 802.1Q tunneling is configured on an interface, any 802.1Q encapsulated IP packets received on the tunnel port can be filtered by MAC ACLs, but not by IP ACLs. This is because the switch does not recognize the protocol inside the 802.1Q header.
  • Page 542: Port Acls

    Port ACLs You can also apply ACLs to Layer 2 interfaces on a switch. Port ACLs are supported on physical interfaces only and not on EtherChannel interfaces. Port ACLs are applied on interfaces for inbound traffic only.
  • Page 543: Handling Fragmented And Unfragmented Traffic

    Figure 28-2 Using VLAN Maps to Control Traffic (Host A and Host B, both in VLAN 10, bridging traffic through the Catalyst 3550 switch; a VLAN map denies a specific type of traffic from Host A). Handling Fragmented and Unfragmented Traffic IP packets can be fragmented as they cross the network.
  • Page 544: Configuring Ip Acls

    Cisco routers. The process is briefly described here. For more detailed information on configuring router ACLs, refer to the “Configuring IP Services” chapter in the Cisco IP and IP Routing Configuration Guide for IOS Release 12.1. For detailed information about the commands, refer to Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1.
  • Page 545: Unsupported Features

    CPU only for logging. If the ACE is a permit statement, the packet is still switched and routed in hardware. Note Logging is not supported on Layer 2 interfaces (port ACLs). Unsupported Features The Catalyst 3550 switch does not support these Cisco IOS router ACL-related features: • Non-IP protocol ACLs (see Table 28-1 on page 28-8).
  • Page 546: Creating Standard And Extended Ip Acls

    Creating Standard and Extended IP ACLs This section summarizes how to create router IP ACLs. An ACL is a sequential collection of permit and deny conditions. The switch tests packets against the conditions in an access list one by one. The first match determines whether the switch accepts or rejects the packet.
  • Page 547: Creating A Numbered Standard Acl

    Table 28-1 Access List Numbers (continued)
    Access List Number  Type                                      Supported
    700–799             48-bit MAC address access list
    800–899             IPX standard access list
    900–999             IPX extended access list
    1000–1099           IPX SAP access list
    1100–1199           Extended 48-bit MAC address access list
    1200–1299...
  • Page 548 Command Purpose Step 4 show access-lists [number | name] Show the access list configuration. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no access-list access-list-number global configuration command to delete the entire ACL. You cannot delete individual ACEs from numbered access lists.
  • Page 549: Creating A Numbered Extended Acl

    ICMP echo-reply cannot be filtered. All other ICMP codes or types can be filtered. Note For more details on the specific keywords relative to each protocol, refer to Cisco IP and IP Routing Command Reference for IOS Release 12.1. Note The Catalyst 3550 switch does not support dynamic or reflexive access lists.
  • Page 550 Beginning in privileged EXEC mode, follow these steps to create an extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2a access-list access-list-number {deny | permit} protocol Define an extended IP access list and the access conditions. The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
  • Page 551 TCP port. To see TCP port names, use the ? or refer to “Configuring IP Services” section of Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1. Use only TCP port numbers or names when filtering TCP.
  • Page 552 ICMP message type and code name. To see a list of ICMP message type names and ICMP message type and code names, use the ? or refer to the “Configuring IP Services” section of Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1.
  • Page 553: Creating Named Standard And Extended Ip Acls

    Creating Named Standard and Extended IP ACLs You can identify IP ACLs with an alphanumeric string (a name) rather than a number. You can use named ACLs to configure more IP access lists in a switch than if you were to use numbered access lists. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different.
  • Page 554 Beginning in privileged EXEC mode, follow these steps to create an extended ACL using names: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip access-list extended name Define an extended IP access list using a name and enter access-list configuration mode.
  • Page 555: Using Time Ranges With Acls

    Using Time Ranges with ACLs You can selectively apply extended ACLs based on the time of day and week by using the time-range global configuration command. First, define a time-range name and set the times and the dates or the days of the week in the time range.
  • Page 556 This example shows how to configure time ranges for workhours and for company holidays and how to verify your configuration.
    Switch(config)# time-range workhours
    Switch(config-time-range)# periodic weekdays 8:00 to 12:00
    Switch(config-time-range)# periodic weekdays 13:00 to 17:00
    Switch(config-time-range)# exit
    Switch(config)# time-range new_year_day_2000
    Switch(config-time-range)# absolute start 00:00 1 Jan 2000 end 23:59 1 Jan 2000...
  • Page 557: Including Comments In Acls

    Including Comments in ACLs You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.
  • Page 558 • A Layer 2 interface can have one IP access list applied to the input; a Layer 3 interface can have one IP access list applied to the input and one IP access list applied to the output. If you apply an IP ACL to an interface that already has an IP ACL configured (in that direction), the new ACL replaces the previously configured one.
  • Page 559: Ip Acl Configuration Examples

    IP ACL Configuration Examples This section provides examples of configuring IP ACLs. For detailed information about compiling ACLs, refer to the Security Configuration Guide and the “IP Services” chapter of the Cisco IOS IP and IP Routing Configuration Guide for IOS Release 12.1.
  • Page 560 Figure 28-3 Using Router ACLs to Control Traffic (Server A, Benefits, on port 0/2 and Server B, Payroll, on port 0/3 of the Catalyst 3550 switch; Human Resources uses 172.20.128.0-31 and Accounting uses 172.20.128.64-95). This example uses a standard ACL to filter traffic coming into Server B from port 0/3, permitting traffic only from Accounting’s source addresses 172.20.128.64 to 172.20.128.95.
  • Page 561: Numbered Acls

    Numbered ACLs In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host.
  • Page 562: Time Range Applied To An Ip Acl

    The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits any ICMP traffic, denies UDP traffic from any source to the destination address range 171.69.0.0 through 171.69.255.255 with a destination port less than 1024, denies any other IP traffic, and provides a log of the result.
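    The two ACLs discussed above, the standard ACL of the Figure 28-3 example and the marketing_group extended ACL, are a convenient pair for checking one's reading of first-match evaluation, wildcard masks and the implicit deny at the end of every list. The following Python evaluator is an added example, not code from the guide or from Cisco IOS. It models only what those two ACLs use: source and destination wildcards (a 1 bit in the mask means "ignore this bit"), the protocol keyword and eq/lt/gt tests on the destination port; the `log` keyword is kept as a flag on the entry. The Packet and Ace classes and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip" | "tcp" | "udp" | "icmp"
    dport: Optional[int] = None  # destination port, tcp/udp only


@dataclass
class Ace:
    """One access control entry. Wildcards follow IOS: a 1 bit means 'do not care'."""
    action: str                         # "permit" | "deny"
    proto: str = "ip"                   # "ip" matches every IP protocol
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"   # 'any'
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"   # 'any'
    port_op: Optional[str] = None       # "eq" | "lt" | "gt" on the destination port
    port: Optional[int] = None
    log: bool = False                   # the 'log' keyword: matching packets are also copied to the CPU


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits the wildcard mask marks as significant (0 bits)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _port_match(ace: Ace, pkt: Packet) -> bool:
    if ace.port_op is None:
        return True
    if pkt.dport is None:           # an 'eq 23' ACE cannot match a packet without a port
        return False
    if ace.port_op == "eq":
        return pkt.dport == ace.port
    if ace.port_op == "lt":
        return pkt.dport < ace.port
    if ace.port_op == "gt":
        return pkt.dport > ace.port
    raise ValueError(f"unsupported port operator {ace.port_op!r}")


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Test the packet against the ACEs in order. The FIRST match decides and testing stops;
    if nothing matches, the implicit 'deny any' at the end of every IOS ACL drops the packet.
    Returns (action, index of the matching ACE, or None for the implicit deny)."""
    for i, ace in enumerate(acl):
        if (ace.proto in ("ip", pkt.proto)
                and wildcard_match(pkt.src, ace.src, ace.src_wild)
                and wildcard_match(pkt.dst, ace.dst, ace.dst_wild)
                and _port_match(ace, pkt)):
            return ace.action, i
    return "deny", None


# Standard ACL from the Figure 28-3 example: permit only Accounting's 172.20.128.64-95 (wildcard 0.0.0.31).
ACCOUNTING_ONLY = [Ace("permit", src="172.20.128.64", src_wild="0.0.0.31")]

# The marketing_group extended ACL as the text describes it (telnet is TCP port 23).
MARKETING_GROUP = [
    Ace("permit", "tcp", dst="171.69.0.0", dst_wild="0.0.255.255", port_op="eq", port=23),
    Ace("deny", "tcp"),
    Ace("permit", "icmp"),
    Ace("deny", "udp", dst="171.69.0.0", dst_wild="0.0.255.255", port_op="lt", port=1024),
    Ace("deny", "ip", log=True),
]


def order_matters() -> Tuple[str, str]:
    """The same two ACEs in both orders: 'deny tcp any any' placed first shadows the telnet permit."""
    telnet = Packet("10.0.0.5", "171.69.1.1", "tcp", 23)
    good = [MARKETING_GROUP[0], MARKETING_GROUP[1]]
    bad = [MARKETING_GROUP[1], MARKETING_GROUP[0]]
    return evaluate(good, telnet)[0], evaluate(bad, telnet)[0]


if __name__ == "__main__":
    print(evaluate(ACCOUNTING_ONLY, Packet("172.20.128.95", "172.20.128.3")))  # ('permit', 0)
    print(evaluate(ACCOUNTING_ONLY, Packet("172.20.128.96", "172.20.128.3")))  # ('deny', None)
    print(order_matters())                                                      # ('permit', 'deny')
```

    The `('deny', None)` result is the case the guide warns about: a standard ACL that lists only permits still drops every other source, so a host outside 172.20.128.64-95 is rejected by the implicit entry even though no deny was written. Note also that 172.20.128.96 differs from 172.20.128.64 in a bit the 0.0.0.31 wildcard does not ignore, which is why a /27-style block ends at .95.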
  • Page 563: Acl Logging

    In this example of a named ACL, the Jones subnet is not allowed access:
    Switch(config)# ip access-list standard prevention
    Switch(config-std-nacl)# remark Do not allow Jones subnet through
    Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.255
    In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet:
    Switch(config)# ip access-list extended telnetting
    Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out...
  • Page 564: Configuring Named Mac Extended Acls

    This is an example of a log for an extended IP ACL:
    01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet
    01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets
    01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) ->...
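    The IPACCESSLOGDP and IPACCESSLOGP lines above carry everything a detection pipeline needs: list name, action, protocol, endpoints, ports or ICMP type/code, and a packet counter. IOS logs the first matching packet and then periodic summaries (every five minutes by default), so the counter, not the number of lines, is the traffic volume. The following Python is an added example, not part of the guide: it parses those two formats plus the IPACCESSLOGNP (other IP protocols) and IPACCESSLOGS (standard ACL) variants, and aggregates denied traffic per source. The first two sample lines are the ones quoted above; the remaining sample lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set, Tuple

# %SEC-6-IPACCESSLOG* messages. Formats handled (the guide shows the first two):
#   IPACCESSLOGDP  list NAME ACTION icmp SRC -> DST (TYPE/CODE), N packet(s)
#   IPACCESSLOGP   list NAME ACTION tcp|udp SRC(SPORT) -> DST(DPORT), N packet(s)
#   IPACCESSLOGNP  list NAME ACTION PROTO SRC -> DST, N packet(s)        (other IP protocols)
#   IPACCESSLOGS   list NAME ACTION SRC N packet(s)                      (standard ACLs)
_ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>DP|NP|P|S):\s*list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+"
    r"(?:(?P<proto>[a-z]+|\d+)\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))?"
    r"(?:\s*->\s*(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?)?"
    r"(?:\s*\((?P<itype>\d+)/(?P<icode>\d+)\))?"
    r",?\s*(?P<count>\d+)\s+packets?"
)


def parse_acl_log(line: str) -> Optional[dict]:
    """Return the fields of one ACL log message, or None if the line is not one."""
    m = _ACL_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "itype", "icode", "count"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    if rec["proto"] is None:   # IPACCESSLOGS carries no protocol: standard ACLs match on source only
        rec["proto"] = "ip"
    return rec


def denied_packets_by_source(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Sum the packet counters of denied entries per (acl, source)."""
    totals: Counter = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            totals[(rec["acl"], rec["src"])] += rec["count"]
    return dict(totals)


def denied_ports_by_source(lines: List[str]) -> Dict[str, Set[int]]:
    """Distinct destination ports each source was denied on; many ports from one source suggests a scan."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied" and rec["dport"] is not None:
            ports[rec["src"]].add(rec["dport"])
    return dict(ports)


# The first two lines are quoted from the guide; the rest are constructed for this example.
SAMPLE_LINES = [
    "01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet",
    "01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets",
    "01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 10.1.1.15(1029) -> 10.1.1.61(53), 1 packet",
    "01:31:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 10.1.1.15(1029) -> 10.1.1.61(53), 42 packets",
    "01:31:40:%SEC-6-IPACCESSLOGP:list ext1 denied tcp 10.1.1.90(40001) -> 10.1.1.61(22), 1 packet",
    "01:31:41:%SEC-6-IPACCESSLOGP:list ext1 denied tcp 10.1.1.90(40002) -> 10.1.1.61(23), 1 packet",
    "01:31:42:%SEC-6-IPACCESSLOGP:list ext1 denied tcp 10.1.1.90(40003) -> 10.1.1.61(80), 1 packet",
    "01:32:00:%SEC-6-IPACCESSLOGS:list 1 denied 192.0.2.7 3 packets",
    "01:32:05:%SEC-6-IPACCESSLOGNP:list ext1 denied 47 10.1.1.90 -> 10.1.1.61, 2 packets",
    "01:32:09: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]

if __name__ == "__main__":
    for (acl, src), pkts in sorted(denied_packets_by_source(SAMPLE_LINES).items()):
        print(f"list {acl}: {src} denied {pkts} packets")
    for src, ports in denied_ports_by_source(SAMPLE_LINES).items():
        print(f"{src} probed ports {sorted(ports)}")
```

    Because the summary line reports the packets seen since the previous message rather than a running total, summing the counters per source is the right aggregation; counting lines would make the 42-packet burst from 10.1.1.15 look smaller than the three single probes from 10.1.1.90.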
  • Page 565 Command Purpose Step 3 {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination ... In extended MAC access-list configuration mode, specify to permit or deny any source MAC address, a source MAC address with a mask, or a specific host source MAC address and any...
  • Page 566: Applying A Mac Acl To A Layer 2 Interface

    Applying a MAC ACL to a Layer 2 Interface After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming into that interface.
  • Page 567: Configuring Vlan Maps

    Configuring VLAN Maps This section describes how to configure VLAN maps, which is the only way to control filtering within a VLAN. VLAN maps have no direction. To filter traffic in a specific direction by using a VLAN map, you need to include an ACL with specific source or destination addresses.
  • Page 568: Vlan Map Configuration Guidelines

    VLAN Map Configuration Guidelines Follow these guidelines when configuring VLAN maps: • If there is no router ACL configured to deny traffic on a routed VLAN interface (input or output), and no VLAN map configured, all traffic is permitted.
  • Page 569: Examples Of Acls And Vlan Maps

    Use the no vlan access-map name number global configuration command to delete a single sequence entry from within the map. Use the no action access-map configuration command to enforce the default action, which is to forward. VLAN maps do not use the specific permit or deny keywords.
  • Page 570
    Switch(config-access-map)# match ip address 101
    Switch(config-access-map)# action forward
    Switch(config-access-map)# exit
    Switch(config)# vlan access-map drop-ip-default 20
    Switch(config-access-map)# match ip address igmp-match
    Switch(config-access-map)# action drop
    Switch(config-access-map)# exit
    Switch(config)# vlan access-map drop-ip-default 30
    Switch(config-access-map)# match ip address tcp-match
    Switch(config-access-map)# action forward
    Example 3...
  • Page 571: Applying A Vlan Map To A Vlan

    Applying a VLAN Map to a VLAN Beginning in privileged EXEC mode, follow these steps to apply a VLAN map to one or more VLANs: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 572 Figure 28-4 Wiring Closet Configuration (Catalyst 3550 switch with Switch A, Switch B and Switch C; VLAN map: Deny HTTP from X to Y, so HTTP is dropped at the entry point; Host X 10.1.1.32, Host Y 10.1.1.34...)
  • Page 573: Denying Access To A Server On Another Vlan

    Denying Access to a Server on Another VLAN You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs to have access restricted as follows (see Figure 28-5): Hosts in subnet 10.1.2.0/24 in VLAN 20 should not have access.
  • Page 574: Using Vlan Maps With Router Acls

    Using VLAN Maps with Router ACLs To access control both bridged and routed traffic, you can use VLAN maps only or a combination of router ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces, and you can define a VLAN map to access control the bridged traffic.
  • Page 575: Examples Of Router Acls And Vlan Maps Applied To Vlans

    • Avoid including Layer 4 information in an ACL; adding this information complicates the merging process. The best merge results are obtained if the ACLs are filtered based on IP addresses (source and destination) and not on the full flow (source IP address, destination IP address, protocol, and protocol ports).
  • Page 576: Acls And Bridged Packets

    ACLs and Bridged Packets
    Figure 28-7 shows how an ACL is applied on fallback-bridged packets. For bridged packets, only Layer 2 ACLs are applied to the input VLAN. Only non-IP, non-ARP packets can be fallback-bridged.
    [Figure 28-7 Applying ACLs on Bridged Packets: Catalyst 3550 switch, VLAN 10...]
  • Page 577: Acls And Routed Packets

    ACLs and Routed Packets
    Figure 28-8 shows how ACLs are applied on routed packets. For routed packets, the ACLs are applied in this order:
    1. VLAN map for input VLAN
    2. Input router ACL
    3. Output router ACL
    4. VLAN map for output VLAN...
  • Page 578: Acls And Multicast Packets

    ACLs and Multicast Packets
    Figure 28-9 shows how ACLs are applied on packets that are replicated for IP multicasting. A multicast packet being routed has two different kinds of filters applied: one for destinations that are other ports in the input VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed.
  • Page 579: Displaying Acl Information

    Displaying ACL Information
    You can display the ACLs that are configured on the switch, and you can display the ACLs that have been applied to interfaces and VLANs. You can also display information about configuration conflicts or resource usage related to ACLs.
  • Page 580 This is an example of output from the show ip access-lists privileged EXEC command. It displays only IP standard and extended ACLs. Note that the named MAC extended ACL displayed in the previous example is not included in this display.
  • Page 581: Displaying Acl Resource Usage And Configuration Problems

    Other keywords available for the command are used primarily to display output for use by Cisco technical support. Refer to the command reference for this release for more detailed information about these commands. This section describes how to display this information about these ACL issues: •...
  • Page 582: Configuration Conflicts

    Configuration Conflicts
    If you attempt to enter an ACL configuration that is not allowed, for example, applying a port ACL to an interface on a switch that has router ACLs already configured, an error message is logged. In this example, Gigabit port 1 is a Layer 2 interface.
  • Page 583: Acl Configuration Fitting In Hardware

    ACL Configuration Fitting in Hardware
    As previously stated, ACL processing in the Catalyst 3550 switch is mostly accomplished in hardware. However, if the hardware reaches its capacity to store ACL configurations, the switch software attempts to fit a simpler configuration into the hardware.
  • Page 584 When you enter the show fm port-label command for label 4, the display shows which TCAMs have the feature loaded and which do not:
    Switch# show fm port-label 4
    Needed in CAM(s):1 3
    Loaded into CAM(s):3
    Sent to CPU by CAM(s):1
    Interfaces: Gi0/3, Gi0/10...
  • Page 585: Tcam Usage

    This output from the show fm vlan-label privileged EXEC command shows insufficient room for an input access group in the hardware:
    Switch# show fm vlan-label 1
    Unloaded due to merge failure or lack of space: InputAccessGroup
    Input Features:
    Interfaces or VLANs: Vl1...
  • Page 586 The show tcam statistics command for an input or output TCAM region displays how full that region is, including allocated and available masks and entries. This is an example of the output from the command:
    Switch# show tcam inacl 1 statistics
    Ingress ACL TCAM#1:Number of active labels:3...
  • Page 587: Configuring Qos

    Chapter 29 Configuring QoS
    This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands. With QoS, you can give preferential treatment to certain traffic at the expense of others. Without QoS, the Catalyst 3550 switch offers best-effort service to each packet, regardless of the packet contents or size.
  • Page 588: Chapter 29 Configuring Qos

    Understanding QoS
    Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
  • Page 589 [Figure 29-1 QoS Classification Bits in Frames and Packets: encapsulated packet (Layer 2 header, IP header, data); Layer 2 ISL frame (ISL header of 26 bytes, encapsulated frame of 1 to 24.5 KB, 4-byte field) with 3 bits used for CoS; Layer 2 802.1Q/P frame (preamble, start frame...)]
  • Page 590: Basic Qos Model

    Basic QoS Model
    Figure 29-2 shows the basic QoS model. Actions at the ingress interface include classifying traffic, policing, and marking:
    • Classifying distinguishes one kind of traffic from another. The process generates an internal DSCP for a packet, which identifies all the future QoS actions to be performed on this packet.
  • Page 591: Classification

    Classification
    Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally disabled, so no classification occurs.
  • Page 592 [Figure 29-3 Classification Flowchart: Start; read ingress interface configuration for classification; Trust CoS (IP and non-IP traffic); Trust DSCP (IP traffic); Trust IP precedence (IP traffic); use port default (non-IP traffic); assign DSCP identical to DSCP in packet...]
  • Page 593: Classification Based On Qos Acls

    Classification Based on QoS ACLs
    You can use IP standard, IP extended, and Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs:
    •...
  • Page 594: Policing And Marking

    You create and name a policy map by using the policy-map global configuration command. When you enter this command, the switch enters the policy-map configuration mode. In this mode, you specify the actions to take on a specific traffic class by using the class, trust, or set policy-map configuration and policy-map class configuration commands.
  • Page 595 How quickly the bucket fills is a function of the bucket depth (burst-byte), the rate at which the tokens are removed (rate-bps), and the duration of the burst above the average rate. The size of the bucket imposes an upper limit on the burst length and determines the number of frames that can be sent back-to-back.
  • Page 596: Mapping Tables

    [Figure 29-4 Policing and Marking Flowchart: Start; read the DSCP of the packet; is a policer configured for this DSCP?; check if the packet is in profile by querying the policer; pass through, or check the out-of-profile action: drop packet...]
  • Page 597: Queueing And Scheduling

    The CoS-to-DSCP, DSCP-to-CoS, and the IP-precedence-to-DSCP map have default values that might or might not be appropriate for your network. The default DSCP-to-DSCP-mutation map and the default policed-DSCP map are null maps; they map an incoming DSCP value to the same DSCP value.
  • Page 598 [Figure 29-5 Queueing and Scheduling Flowchart for Gigabit-Capable Ethernet Ports: Start; read CoS value and the CoS-to-queue map (queue number); determine high and low threshold of the queue and the queue size (T1 and T2 thresholds, queue size); determine which DSCPs are mapped to each threshold...]
  • Page 599 You assign two drop thresholds to each queue, map DSCPs to the thresholds through the DSCP-to-threshold map, and enable either tail drop or WRED on the interface. The queue size, drop thresholds, tail-drop or WRED algorithm, and the DSCP-to-threshold map work together to determine when and which packets are dropped when the thresholds are exceeded.
  • Page 600 WRED
    Cisco’s implementation of Random Early Detection (RED), called Weighted Random Early Detection (WRED), differs from other congestion-avoidance techniques because it attempts to anticipate and avoid congestion, rather than controlling congestion when it occurs. WRED takes advantage of the Transmission Control Protocol (TCP) congestion control to try to control the average queue size by indicating to end hosts when they should temporarily stop sending packets.
  • Page 601: Queueing And Scheduling On 10/100 Ethernet Ports

    Queueing and Scheduling on 10/100 Ethernet Ports
    Figure 29-6 shows the queueing and scheduling flowchart for 10/100 Ethernet ports.
    [Figure 29-6 Queueing and Scheduling Flowchart for 10/100 Ethernet Ports: Start; read the CoS value and the CoS-to-queue map...]
  • Page 602 Each minimum-reserve level is configured with a buffer size. As shown in the figure, queue 4 of Fast Ethernet port 0/1 has a buffer size of 70 packets, queue 4 of Fast Ethernet port 0/2 has a buffer size of 80 packets, queue 4 of Fast Ethernet port 0/3 has a buffer size of 40 packets, and Fast Ethernet port 0/4 has a buffer size of 80 packets.
  • Page 603: Packet Modification

    The switch uses the resulting classification to choose the appropriate egress queue. You use auto-QoS commands to identify ports connected to Cisco IP phones and to identify ports that receive trusted voice over IP (VoIP) traffic through an uplink. Auto-QoS then performs these functions: •...
  • Page 604: Generated Auto-Qos Configuration

    Cisco IP phone. When a Cisco IP phone is detected, the ingress classification on the interface is set to trust the QoS label received in the packet. When a Cisco IP phone is absent, the ingress classification is set to not trust the QoS label in the packet. The egress queues on the...
  • Page 605 Ensure Port Security” section on page 29-32. When you enable auto-QoS by using the auto qos voip cisco-phone or the auto qos voip trust interface configuration command, the switch automatically generates a QoS configuration based on the traffic type and ingress packet label and applies the commands listed in Table 29-3 to the interface.
  • Page 606: Effects Of Auto-Qos On The Configuration

    Before configuring auto-QoS, you should be aware of this information:
    • In this release, auto-QoS configures the switch only for VoIP with Cisco IP phones.
    • To take advantage of the auto-QoS defaults, do not configure any standard-QoS commands before entering the auto-QoS commands.
  • Page 607: Enabling Auto-Qos For Voip

    QoS on all interfaces and enables pass-through mode. This example shows how to enable auto-QoS and to trust the QoS labels in incoming packets when the device connected to Fast Ethernet interface 0/1 is detected as a Cisco IP phone:
    Switch(config)# interface fastethernet0/1...
  • Page 608: Displaying Auto-Qos Information

    Displaying Auto-QoS Information
    To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
  • Page 609: Auto-Qos Configuration Example

    [Figure 29-8 residue: Fast Ethernet 0/3, QoS domain, Cisco IP phones]
    The intelligent wiring closets in Figure 29-8 contain Catalyst 2950 switches running the enhanced software image (EI) and Catalyst 3550 switches. The object of this example is to prioritize the VoIP traffic over all other traffic.
  • Page 610 Step 5 auto qos voip cisco-phone: Enable auto-QoS on the interface, and specify that the interface is connected to a Cisco IP phone. The QoS labels of incoming packets are trusted only when the Cisco IP phone is detected.
    Step 6 interface fastethernet0/5: Enter interface configuration mode.
  • Page 611: Configuring Standard Qos

    Configuring Standard QoS
    Before configuring standard QoS, you must have a thorough understanding of these items:
    • The types of applications used and the traffic patterns on your network.
    • Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve...
  • Page 612: Standard Qos Configuration Guidelines

    Table 29-5 Default Standard QoS Configuration when QoS is Enabled
    Port Type: Gigabit-capable; State: Enabled; Egress traffic (DSCP and CoS value): DSCP=0; Queue: Four queues are...; Queue weights: Each queue has...; Tail-drop thresholds: 100%, 100%; CoS mapping to queue: 0, 1: queue 1...
  • Page 613 • Only one ACL per class map and only one match class-map configuration command per class map are supported. The ACL can have multiple access control entries, which are commands that match fields against the contents of the packet.
    • When classifying traffic on a per-port per-VLAN basis, you must use the match-all keyword with...
  • Page 614: Enabling Qos Globally

    • Layer 3 QoS ACLs and other QoS features related to Layer 3 information are not supported on tunnel ports. MAC-based QoS is supported on tunnel ports. When applied to trunk ports, Layer 3 QoS ACLs do not work for VLANs that include tunnel ports.
  • Page 615: Configuring Classification By Using Port Trust States

    Configuring Classification By Using Port Trust States
    These sections describe how to classify incoming traffic by using port trust states:
    • Configuring the Trust State on Ports within the QoS Domain, page 29-29
    •...
  • Page 616 Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives:
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 mls qos: Enable QoS globally.
  • Page 617: Configuring The Cos Value For An Interface

    Configuring the CoS Value for an Interface
    QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports. Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port:...
  • Page 618: Configuring A Trusted Boundary To Ensure Port Security

    The trusted boundary feature solves this problem by using the CDP to detect the presence of a Cisco IP phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue.
  • Page 619: Enabling Pass-Through Mode

    DSCP) to be modified when using the mls qos trust [cos | dscp] interface configuration command. By default, in software releases earlier than Cisco IOS Release 12.1(11)EA1, if you configure the interface to trust the DSCP, the switch does not modify the DSCP field of the IP packet. However, the switch modifies the CoS value of the packet according to the DSCP-to-CoS map.
  • Page 620: Configuring The Dscp Trust State On A Port Bordering Another Qos Domain

    Configuring the DSCP Trust State on a Port Bordering Another QoS Domain
    If you are administering two separate QoS domains between which you want to implement QoS features for IP traffic, you can configure the switch ports bordering the domains to a DSCP-trusted state as shown in Figure 29-10.
  • Page 621: Configuring A Qos Policy

    Step 6 mls qos dscp-mutation dscp-mutation-name: Apply the map to the specified ingress DSCP-trusted port. You can apply the map to different Gigabit-capable Ethernet ports. However, on 10/100 Ethernet ports, you can attach only one DSCP-to-DSCP-mutation map to a group of twelve ports.
  • Page 622: Classifying Traffic By Using Acls

    Classifying Traffic by Using ACLs
    You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs. Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic:
    Step 1...
  • Page 623 Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic:
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 mls qos: Enable QoS on the switch.
    Step 3 access-list access-list-number {deny | ...}: Create an IP extended ACL, repeating the command as many times as...
  • Page 624 This example shows how to create an ACL that permits PIM traffic with a DSCP set to 32 from any source to a destination group address of 224.0.0.2:
    Switch(config)# access-list 102 permit pim any 224.0.0.2 dscp 32
    Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic:...
  • Page 625: Classifying Traffic On A Physical-Port Basis By Using Class Maps

    This example shows how to create a Layer 2 MAC ACL with two permit statements. The first statement allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001. The second statement allows only Ethertype XNS-IDP traffic from the host with MAC address 0001.0000.0002 to the host with MAC address 0002.0000.0002.
  • Page 626 Step 4 class-map [match-all | match-any] class-map-name: Create a class map, and enter class-map configuration mode. By default, no class maps are defined.
    • (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map.
  • Page 627: Classifying Traffic On A Per-Port Per-Vlan Basis By Using Class Maps

    This example shows how to create a class map called class2, which matches incoming traffic with DSCP values of 10, 11, and 12:
    Switch(config)# class-map class2
    Switch(config-cmap)# match ip dscp 10 11 12
    Switch(config-cmap)# end
    This example shows how to create a class map called class3, which matches incoming traffic with IP-precedence values of 5, 6, and 7:...
  • Page 628 Note: You can also create class maps during policy map creation by using the class policy-map configuration command. For more information, see the “Classifying, Policing, and Marking Traffic by Using Policy Maps” section on page 29-43.
  • Page 629: Classifying, Policing, And Marking Traffic By Using Policy Maps

    Step 8 match class-map class-map-name: Specify the name of the class map created in Step 3.
    Step 9: Return to privileged EXEC mode.
    Step 10 show class-map: Verify your entries.
    Step 11 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 630 Step 3 access-list access-list-number {deny | permit} source [source-wildcard]: Create an IP standard or extended ACL for IP traffic or a Layer 2 MAC ACL for non-IP traffic, repeating the command as many times as necessary.
  • Page 631 Step 8 trust [cos | dscp | ip-precedence]: Configure the trust state, which selects the value that QoS uses as the source of the internal DSCP value. Note: This command is mutually exclusive with the set command within the same policy map.
  • Page 632 Step 10 police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]: Define a policer for the classified traffic. You can configure up to 128 policers on ingress Gigabit-capable Ethernet ports, up to 8 policers on ingress 10/100 Ethernet ports, and up to 8 policers on egress ports.
  • Page 633 Step 15: Return to privileged EXEC mode.
    Step 16 show policy-map [policy-map-name [class class-name]]: Verify your entries.
    Step 17 copy running-config startup-config: (Optional) Save your entries in the configuration file.
    To delete an existing policy map, use the no policy-map policy-map-name global configuration command.
  • Page 634 This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to an ingress interface. The first permit statement allows traffic from the host with MAC address 0001.0000.0001 destined for the host with MAC address 0002.0000.0001.
  • Page 635: Classifying, Policing, And Marking Traffic By Using Aggregate Policers

    Switch (config-pmap-c)# trust dscp
    Switch (config-pmap-c)# set cos 3
    Switch (config-pmap-c)# exit
    Switch (config-pmap)# exit
    Switch (config)# interface gigabitethernet0/1
    Switch(config-if)# service-policy input policymap1
    Classifying, Policing, and Marking Traffic by Using Aggregate Policers
    By using an aggregate policer, you can create a policer that is shared by multiple traffic classes within the same policy map.
  • Page 636 Step 5 policy-map policy-map-name: Create a policy map by entering the policy map name, and enter policy-map configuration mode. For more information, see the “Classifying, Policing, and Marking Traffic by Using Policy Maps” section on page 29-43.
  • Page 637: Configuring Dscp Maps

    To remove the specified aggregate policer from a policy map, use the no police aggregate aggregate-policer-name policy-map configuration command. To delete an aggregate policer and its parameters, use the no mls qos aggregate-policer aggregate-policer-name global configuration command.
  • Page 638: Configuring The Cos-To-Dscp Map

    Configuring the CoS-to-DSCP Map
    You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 29-6 shows the default CoS-to-DSCP map.
  • Page 639: Configuring The Policed-Dscp Map

    Beginning in privileged EXEC mode, follow these steps to modify the IP-precedence-to-DSCP map:
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 mls qos map ip-prec-dscp dscp1...dscp8: Modify the IP-precedence-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to the IP precedence values 0 to 7.
  • Page 640: Configuring The Dscp-To-Cos Map

    This example shows how to map DSCP values 50 to 57 to a marked-down DSCP value of 0:
    Switch# configure terminal
    Switch(config)# mls qos map policed-dscp 50 51 52 53 54 55 56 57 to 0
    Switch(config)# end
    Switch# show mls qos maps policed-dscp
    Policed-dscp map:...
  • Page 641: Configuring The Dscp-To-Dscp-Mutation Map

    This example shows how to map DSCP values 0, 8, 16, 24, 32, 40, 48, and 50 to CoS value 0:
    Switch# configure terminal
    Switch(config)# mls qos map dscp-cos 0 8 16 24 32 40 48 50 to 0
    Switch(config)# end
    Switch# show mls qos maps dscp-cos
    Dscp-cos map:...
  • Page 642 Step 5 mls qos dscp-mutation dscp-mutation-name: Apply the map to the specified ingress DSCP-trusted port. For dscp-mutation-name, enter the mutation map name specified in Step 2. You can apply the map to different Gigabit-capable Ethernet ports. However, on 10/100 Ethernet ports, you can attach only one DSCP-to-DSCP-mutation map to a group of twelve ports.
  • Page 643: Configuring Egress Queues On Gigabit-Capable Ethernet Ports

    Configuring Egress Queues on Gigabit-Capable Ethernet Ports
    This section describes how to configure the egress queues on Gigabit-capable Ethernet ports. For information on configuring 10/100 Ethernet ports, see “Configuring Egress Queues on 10/100 Ethernet Ports”...
  • Page 644: Configuring The Egress Queue Size Ratios

    Step 4 wrr-queue cos-map queue-id cos1 ... cos8: Map assigned CoS values to select one of the egress queues. The default map has these values: CoS value 0, 1 selects queue 1. CoS value 2, 3 selects queue 2.
  • Page 645: Configuring Tail-Drop Threshold Percentages

    Step 4 wrr-queue queue-limit weight1 weight2 weight3 weight4: Configure the egress queue size ratios. The default weights are 25 (1/4 of the buffer size is allocated to each queue). For weight1, weight2, weight3, and weight4, specify a weight from 1 to 100.
  • Page 646 Step 4 wrr-queue threshold queue-id threshold-percentage1 threshold-percentage2: Configure tail-drop threshold percentages on each egress queue. The default threshold is 100 percent for thresholds 1 and 2.
    • For queue-id, specify the ID of the egress queue. The range is 1 to 4.
  • Page 647: Configuring Wred Drop Thresholds Percentages

    As a result of this configuration, when queue 1 is filled above 10 percent, packets with DSCPs 0, 8, 16, 24, 32, 40, 48, and 56 are dropped. The same packets are dropped when queue 2 is filled above 40 percent, queue 3 above 60 percent, and queue 4 above 80 percent.
  • Page 648: Configuring The Egress Expedite Queue

    Step 8 show running-config, show mls qos interface interface-id queueing: Verify the DSCP-to-threshold map.
    Step 9 show mls qos interface buffers: Verify the thresholds.
    Step 10 copy running-config startup-config: (Optional) Save your entries in the configuration file.
    To disable WRED, use the no wrr-queue random-detect max-threshold queue-id interface configuration command.
  • Page 649: Allocating Bandwidth Among Egress Queues

    Step 4 priority-queue out: Enable the egress expedite queue, which is disabled by default. When you configure this command, the WRR weight and queue size ratios are affected because there is one fewer queue participating in WRR.
  • Page 650: Configuring Egress Queues On 10/100 Ethernet Ports

    This example shows how to configure the weight ratio of the WRR scheduler running on the egress queues. In this example, four queues are used (no expedite queue), and the ratio of the bandwidth allocated for each queue is 1/(1+2+3+4), 2/(1+2+3+4), 3/(1+2+3+4), and 4/(1+2+3+4), which is 1/10, 1/5, 3/10, and 2/5 for queues 1, 2, 3, and 4.
  • Page 651: Configuring The Minimum-Reserve Levels

    Step 4 wrr-queue cos-map queue-id cos1 ... cos8: Map assigned CoS values to select one of the egress queues. These are the default map values: CoS value 0, 1 selects queue 1. CoS value 2, 3 selects queue 2.
  • Page 652: Configuring The Egress Expedite Queue

    Step 3 mls qos min-reserve min-reserve-level min-reserve-buffersize: Configure the buffer size of the minimum-reserve level, if necessary, for all the 10/100 Ethernet ports. By default, the buffer size for all eight minimum-reserve levels is 100 packets.
  • Page 653: Allocating Bandwidth Among Egress Queues

    Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue:
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 mls qos: Enable QoS on the switch.
    Step 3 interface interface-id: Enter interface configuration mode, and specify the egress 10/100...
  • Page 654 Beginning in privileged EXEC mode, follow these steps to allocate bandwidth to each queue:
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 mls qos: Enable QoS on the switch.
    Step 3 interface interface-id: Enter interface configuration mode, and specify the egress 10/100...
  • Page 655: Displaying Standard Qos Information

    Displaying Standard QoS Information
    To display standard QoS information, use one or more of the privileged EXEC commands in Table 29-9:
    Table 29-9 Commands for Displaying Standard QoS Information
    show class-map [class-map-name]: Display QoS class maps, which define the match criteria to classify traffic.
  • Page 656: Qos Configuration For The Existing Wiring Closet

    Figure 29-11 consists of Catalyst 3500 XL and 2900 XL switches. These switches are running Cisco IOS release 12.0(5)XP or later, which supports the QoS-based IEEE 802.1P CoS values. QoS classifies frames by assigning priority-indexed CoS values to them and gives preference to higher-priority traffic.
  • Page 657: Qos Configuration For The Intelligent Wiring Closet

    For the Catalyst 3500 XL and 2900 XL switches, CoS configures each egress port with a normal-priority transmit queue and a high-priority transmit queue, depending on the frame tag or the port information. Frames in the normal-priority queue are forwarded only after frames in the high-priority queue are forwarded.
  • Page 658: Qos Configuration For The Distribution Layer

    Step 17 wrr-queue cos-map 4 6 7: Configure the CoS-to-egress-queue map so that CoS values 6 and 7 select queue 4 (this is the default setting). Because the default DSCP-to-CoS map has DSCP values 56 to 63 mapped to CoS value 7, the matched traffic that is set to DSCP 56 goes to queue 4, the priority queue.
  • Page 659 Chapter 29 Configuring QoS Standard QoS Configuration Examples Command Purpose Step 5 switchport mode trunk Configure this port as a trunk port. Step 6 exit Return to global configuration mode. Step 7 interface gigabitethernet0/2 Enter interface configuration mode, and specify the ingress interface connected to the intelligent wiring closet.
  • Page 660 Chapter 30 Configuring EtherChannels Configuring EtherChannels Command Purpose Step 17 Return to privileged EXEC mode. Step 18 show mls qos interface / show interfaces Verify your entries. Step 19 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 661: Understanding Etherchannels

    C H A P T E R Configuring EtherChannels This chapter describes how to configure EtherChannel on the Layer 2 and Layer 3 interfaces of a Catalyst 3550 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
  • Page 662: C H A P T E R 30 Configuring Etherchannels

    Chapter 30 Configuring EtherChannels Understanding EtherChannels [Figure 30-1 Typical EtherChannel Configuration (figure labels: Catalyst 8500, 6000, 5500, or 4000 series switch; Gigabit EtherChannel; Catalyst 3550-12T switches; 1000BASE-X; Catalyst 2950G-24 switch; 10/100 switched links; workstations)] Each EtherChannel can consist of up to eight compatibly configured Ethernet interfaces.
  • Page 663: Understanding The Port Aggregation Protocol And Link Aggregation Protocol

    EtherChannels by exchanging packets between Ethernet interfaces. PAgP is a Cisco-proprietary protocol that can be run only on Cisco switches and on switches from vendors licensed to support PAgP. LACP is defined in IEEE 802.3AD and allows Cisco switches to manage Ethernet channels between switches that conform to the 802.3AD protocol.
  • Page 664: Pagp And Lacp Modes

    Chapter 30 Configuring EtherChannels Understanding EtherChannels PAgP and LACP Modes Table 30-1 shows the user-configurable EtherChannel modes for the channel-group interface configuration command. Switch interfaces exchange PAgP packets only with partner interfaces configured in the auto or desirable modes. Switch interfaces exchange LACP packets only with partner interfaces configured in the active or passive modes.
  • Page 665: Physical Learners And Aggregate-Port Learners

    Chapter 30 Configuring EtherChannels Understanding EtherChannels Note An EtherChannel cannot be configured in both the PAgP and LACP modes. Exchanging LACP Packets Both the active and passive LACP modes allow interfaces to negotiate with partner interfaces to determine if they can form an EtherChannel based on criteria such as interface speed and, for Layer 2 EtherChannels, trunking state and VLAN numbers.
  • Page 666: Pagp And Lacp Interaction With Other Features

    Understanding EtherChannels PAgP and LACP Interaction with Other Features The Dynamic Trunking Protocol (DTP) and Cisco Discovery Protocol (CDP) send and receive packets over the physical interfaces in the EtherChannel. Trunk ports send and receive PAgP and LACP protocol data units (PDUs) on the lowest numbered VLAN.
  • Page 667: Configuring Etherchannels

    [Figure 30-3 Load Distribution and Forwarding Methods (figure labels: Catalyst 2950, 2955, or 3550 switch with source-based forwarding enabled; EtherChannel; Cisco router with destination-based forwarding enabled)] Configuring EtherChannels These sections describe how to configure EtherChannel on Layer 2 and Layer 3 interfaces: •...
  • Page 668: Default Etherchannel Configuration

    Chapter 30 Configuring EtherChannels Configuring EtherChannels Default EtherChannel Configuration Table 30-2 shows the default EtherChannel configuration. Table 30-2 Default EtherChannel Configuration Feature Default Setting Channel groups None assigned. Layer 3 port-channel logical interface None defined. PAgP mode No default. PAgP learn method Aggregate-port learning on all interfaces.
  • Page 669: Configuring Layer 2 Etherchannels

    Layer 2 interface into a manually created port-channel interface. Note Layer 2 interfaces must be connected and functioning for the Cisco software to create port-channel interfaces. Beginning in privileged EXEC mode, follow these steps to assign a Layer 2 Ethernet interface to a...
  • Page 670 Chapter 30 Configuring EtherChannels Configuring EtherChannels Command Purpose Step 4 channel-group channel-group-number mode {{auto [non-silent] | desirable [non-silent] | on} | {active | passive}} Assign the interface to a channel group, and specify the PAgP or LACP mode. For channel-group-number, the range is 1 to 64. Each EtherChannel can have up to eight compatibly configured Ethernet interfaces.
  • Page 671: Configuring Layer 3 Etherchannels

    Chapter 30 Configuring EtherChannels Configuring EtherChannels This example shows how to assign Gigabit Ethernet interfaces 0/4 and 0/5 as static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable: Switch# configure terminal Switch(config)# interface range gigabitethernet0/4 -5 Switch(config-if-range)# switchport mode access Switch(config-if-range)# switchport access vlan 10 Switch(config-if-range)# channel-group 5 mode desirable...
  • Page 672: Configuring The Physical Interfaces

    Chapter 30 Configuring EtherChannels Configuring EtherChannels Switch(config-if)# ip address 172.10.20.10 255.255.255.0 Switch(config-if)# end Configuring the Physical Interfaces Beginning in privileged EXEC mode, follow these steps to assign an Ethernet interface to a Layer 3 EtherChannel: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 673 Chapter 30 Configuring EtherChannels Configuring EtherChannels Command Purpose Step 4 channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on | active | passive} Assign the interface to a channel group, and specify the PAgP or LACP mode. For channel-group-number, the range is 1 to 64. This number must be the same as the port-channel-number (logical port) configured in the “Creating Port-Channel Logical Interfaces”...
  • Page 674: Configuring Etherchannel Load Balancing

    Chapter 30 Configuring EtherChannels Configuring EtherChannels This example shows how to assign Gigabit Ethernet interfaces 0/4 and 0/5 to channel 5 with the PAgP mode desirable: Switch# configure terminal Switch(config)# interface range gigabitethernet0/4 -5 Switch(config-if-range)# no ip address Switch(config-if-range)# channel-group 5 mode desirable Switch(config-if-range)# end Configuring EtherChannel Load Balancing This section describes how to configure EtherChannel load balancing by using source-based or...
  • Page 675: Configuring The Pagp Learn Method And Priority

    Chapter 30 Configuring EtherChannels Configuring EtherChannels Configuring the PAgP Learn Method and Priority Network devices are classified as PAgP physical learners or aggregate-port learners. A device is a physical learner if it learns addresses by physical ports and directs transmissions based on that knowledge.
  • Page 676: Configuring The Lacp Port Priority

    Chapter 30 Configuring EtherChannels Configuring EtherChannels Command Purpose Step 6 show running-config / show pagp channel-group-number internal Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the priority to its default setting, use the no pagp port-priority interface configuration command.
  • Page 677: Configuring The Lacp System Priority

    Chapter 30 Configuring EtherChannels Configuring EtherChannels All ports default to the same port priority. You can change the port priority of LACP EtherChannel ports to specify which hot standby links become active first by using the lacp port-priority interface configuration command to set the port priority to a value lower than the default of 32768. The hot standby ports that have lower port numbers become active in the channel first unless the port priority is configured to be a lower number than the default value of 32768.
  • Page 678: Displaying Etherchannel, Pagp, And Lacp Status

    Chapter 30 Configuring EtherChannels Displaying EtherChannel, PAgP, and LACP Status Displaying EtherChannel, PAgP, and LACP Status You can use the privileged EXEC commands described in Table 30-3 to display EtherChannel, PAgP, and LACP status information: Table 30-3 Commands for Displaying EtherChannel, PAgP, and LACP Status Command Description show etherchannel [channel-group-number] {detail |...
  • Page 679: Configuring Ip Unicast Routing

    Note Configuration Guide for Release 12.1. For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. This chapter consists of these sections: Understanding IP Routing, page 31-2 •...
  • Page 680: Understanding Ip Routing

    Chapter 31 Configuring IP Unicast Routing Understanding IP Routing Understanding IP Routing In some network environments, VLANs are associated with individual networks or subnetworks. In an IP network, each subnetwork is mapped to an individual VLAN. Configuring VLANs helps control the size of the broadcast domain and keeps local traffic local.
  • Page 681: Chapter 31 Configuring Ip Unicast Routing

    By default, IP routing is disabled on the Catalyst 3550 switch, and you must enable it before routing can take place. For detailed IP routing configuration information, refer to the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1.
  • Page 682: Configuring Ip Addressing On Layer 3 Interfaces

    Chapter 31 Configuring IP Unicast Routing Configuring IP Addressing on Layer 3 Interfaces Configuring IP Addressing on Layer 3 Interfaces A required task for configuring IP routing is to assign IP addresses to Layer 3 network interfaces to enable the interfaces and allow communication with the hosts on those interfaces that use IP. These sections describe how to configure various IP addressing features.
  • Page 683: Assigning Ip Addresses To Network Interfaces

    Chapter 31 Configuring IP Unicast Routing Configuring IP Addressing on Layer 3 Interfaces Table 31-1 Default Addressing Configuration (continued) Feature Default Setting IRDP Disabled. Defaults when enabled: Broadcast IRDP advertisements. • Maximum interval between advertisements: 600 seconds. • Minimum interval between advertisements: 0.75 times max interval •...
  • Page 684: Use Of Subnet Zero

    Chapter 31 Configuring IP Unicast Routing Configuring IP Addressing on Layer 3 Interfaces Beginning in privileged EXEC mode, follow these steps to assign an IP address and a network mask to a Layer 3 interface: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 685: Classless Routing

    Chapter 31 Configuring IP Unicast Routing Configuring IP Addressing on Layer 3 Interfaces Classless Routing By default, classless routing behavior is enabled on the switch when it is configured to route. With classless routing, if a router receives packets for a subnet of a network with no default route, the router forwards the packet to the best supernet route.
  • Page 686: Configuring Address Resolution Methods

    Using RARP requires a RARP server on the same network segment as the router interface. Use the ip rarp-server address interface configuration command to identify the server. For more information on RARP, refer to the Cisco IOS Configuration Fundamentals Configuration Guide for Release 12.1.
  • Page 687: Define A Static Arp Cache

    Chapter 31 Configuring IP Unicast Routing Configuring IP Addressing on Layer 3 Interfaces You can perform these tasks to configure address resolution: • Define a Static ARP Cache, page 31-9 • Set ARP Encapsulation, page 31-10 • Enable Proxy ARP, page 31-10 Define a Static ARP Cache ARP and other address resolution protocols provide dynamic mapping between IP addresses and MAC addresses.
  • Page 688: Set Arp Encapsulation

    Chapter 31 Configuring IP Unicast Routing Configuring IP Addressing on Layer 3 Interfaces Set ARP Encapsulation By default, Ethernet ARP encapsulation (represented by the arpa keyword) is enabled on an IP interface. You can change the encapsulation methods to SNAP if required by your network. Beginning in privileged EXEC mode, follow these steps to specify the ARP encapsulation type: Command Purpose...
  • Page 689: Routing Assistance When Ip Routing Is Disabled

    Chapter 31 Configuring IP Unicast Routing Configuring IP Addressing on Layer 3 Interfaces Routing Assistance When IP Routing is Disabled These mechanisms allow the switch to learn about routes to other networks when it does not have IP routing enabled: •...
  • Page 690: Icmp Router Discovery Protocol (Irdp)

    Chapter 31 Configuring IP Unicast Routing Configuring IP Addressing on Layer 3 Interfaces ICMP Router Discovery Protocol (IRDP) Router discovery allows the switch to dynamically learn about routes to other networks using IRDP. IRDP allows hosts to locate routers. When operating as a client, the switch generates router discovery packets.
  • Page 691: Configuring Broadcast Packet Handling

    Chapter 31 Configuring IP Unicast Routing Configuring IP Addressing on Layer 3 Interfaces If you change the maxadvertinterval value, the holdtime and minadvertinterval values also change, so it is important to first change the maxadvertinterval value, before manually changing either the holdtime or minadvertinterval values.
  • Page 692: Forwarding Udp Broadcast Packets And Protocols

    By default, both UDP and ND forwarding are enabled if a helper address has been defined for an interface. The description for the ip forward-protocol interface configuration command in the Cisco IOS IP and IP Routing Command Reference for Release 12.1 lists the ports that are forwarded by default if you do not specify any UDP ports.
  • Page 693: Establishing An Ip Broadcast Address

    Chapter 31 Configuring IP Unicast Routing Configuring IP Addressing on Layer 3 Interfaces If you do not specify any UDP ports when you configure the forwarding of UDP broadcasts, you are configuring the router to act as a BOOTP forwarding agent. BOOTP packets carry Dynamic Host Configuration Protocol (DHCP) information.
  • Page 694: Flooding Ip Broadcasts

    Chapter 31 Configuring IP Unicast Routing Configuring IP Addressing on Layer 3 Interfaces Flooding IP Broadcasts You can allow IP broadcasts to be flooded throughout your internetwork in a controlled fashion by using the database created by the bridging STP. Using this feature also prevents loops. To support this capability, bridging must be configured on each interface that is to participate in the flooding.
  • Page 695: Monitoring And Maintaining Ip Addressing

    Chapter 31 Configuring IP Unicast Routing Configuring IP Addressing on Layer 3 Interfaces Beginning in privileged EXEC mode, follow these steps to increase spanning-tree-based flooding: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip forward-protocol turbo-flood Use the spanning-tree database to speed up flooding of UDP datagrams.
  • Page 696: Enabling Ip Unicast Routing

    (RIP) router configuration command. For information on specific protocols, refer to sections later in this chapter and to the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1. Note The SMI supports only RIP as a routing protocol.
  • Page 697: Configuring Rip

    It is a distance-vector routing protocol that uses broadcast User Datagram Protocol (UDP) data packets to exchange routing information. The protocol is documented in RFC 1058. You can find detailed information about RIP in IP Routing Fundamentals, published by Cisco Press. Note RIP is the only routing protocol supported by the SMI;...
  • Page 698: Configuring Basic Rip Parameters

    Chapter 31 Configuring IP Unicast Routing Configuring RIP Table 31-5 Default RIP Configuration (continued) Feature Default Setting IP split horizon Varies with media. Neighbor None defined. Network None specified. Offset list Disabled. Output delay 0 milliseconds. Timers basic Update: 30 seconds. •...
  • Page 699 Chapter 31 Configuring IP Unicast Routing Configuring RIP Command Purpose Step 7 timers basic update invalid holddown flush (Optional) Adjust routing protocol timers. Valid ranges for all timers are 0 to 4294967295 seconds. • update—Time between sending routing updates. The default is 30 seconds.
  • Page 700: Configuring Rip Authentication

    Chapter 31 Configuring IP Unicast Routing Configuring RIP Configuring RIP Authentication RIP version 1 does not support authentication. If you are sending and receiving RIP Version 2 packets, you can enable RIP authentication on an interface. The key chain determines the set of keys that can be used on the interface.
  • Page 701 Chapter 31 Configuring IP Unicast Routing Configuring RIP Beginning in privileged EXEC mode, follow these steps to set an interface to advertise a summarized local IP address and to disable split horizon on the interface: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 702: Configuring Igrp

    Configuring IGRP Configuring IGRP Interior Gateway Routing Protocol (IGRP) is a dynamic, distance-vector routing, proprietary Cisco protocol for routing in an autonomous system (AS) that contains large, arbitrarily complex networks with diverse bandwidth and delay characteristics. IGRP uses a combination of user-configurable metrics, including internetwork delay, bandwidth, reliability, and load.
  • Page 703: Default Igrp Configuration

    Chapter 31 Configuring IP Unicast Routing Configuring IGRP Default IGRP Configuration Table 31-6 shows the default IGRP configuration. Table 31-6 Default IGRP Configuration Feature Default Setting IP split horizon Varies with media. Metric holddown Disabled. Metric maximum-hops 100 hops. Neighbor None defined.
  • Page 704: Configuring Basic Igrp Parameters

    Use the traffic-share router configuration command to control distribution of traffic among multiple routes of unequal cost. Note For more information and examples, refer to the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1.
  • Page 705 Chapter 31 Configuring IP Unicast Routing Configuring IGRP Command Purpose Step 8 timers basic update invalid holddown flush [sleeptime] (Optional) Adjust routing protocol timers. • update—The time (in seconds) between sending of routing updates. The default is 90 seconds. • invalid—The timer interval (in seconds) after which a route is declared invalid.
  • Page 706: Configuring Split Horizon

    Chapter 31 Configuring IP Unicast Routing Configuring IGRP Configuring Split Horizon Routers connected to broadcast-type IP networks and using distance-vector routing protocols normally use the split-horizon mechanism to reduce the possibility of routing loops. Split horizon blocks information about routes from being advertised by a router on any interface from which that information originated.
  • Page 707: Configuring Ospf

    Configuring OSPF This section briefly describes how to configure Open Shortest Path First (OSPF). For a complete description of the OSPF commands, refer to the “OSPF Commands” chapter of the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
  • Page 708: Default Ospf Configuration

    Chapter 31 Configuring IP Unicast Routing Configuring OSPF Default OSPF Configuration Table 31-7 shows the default OSPF configuration. Table 31-7 Default OSPF Configuration Feature Default Setting Interface parameters Cost: No default cost predefined. Retransmit interval: 5 seconds. Transmit delay: 1 second. Priority: 1.
  • Page 709: Configuring Basic Ospf Parameters

    Chapter 31 Configuring IP Unicast Routing Configuring OSPF Table 31-7 Default OSPF Configuration (continued) Feature Default Setting Timers shortest path first (spf) spf delay: 5 seconds. spf-holdtime: 10 seconds. Virtual link No area ID or router ID defined. Hello interval: 10 seconds. Retransmit interval: 5 seconds.
  • Page 710: Configuring Ospf Interfaces

    Chapter 31 Configuring IP Unicast Routing Configuring OSPF Configuring OSPF Interfaces You can use the ip ospf interface configuration commands to modify interface-specific OSPF parameters. You are not required to modify any of these parameters, but some interface parameters (hello interval, dead interval, and authentication key) must be consistent across all routers in an attached network.
  • Page 711: Configuring Ospf Area Parameters

    Chapter 31 Configuring IP Unicast Routing Configuring OSPF Command Purpose Step 13 show ip ospf interface [interface-name] Display OSPF-related interface information. Step 14 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no form of these commands to remove the configured parameter value or return to the default value.
  • Page 712: Configuring Other Ospf Parameters

    Chapter 31 Configuring IP Unicast Routing Configuring OSPF Command Purpose Step 7 area area-id range address mask (Optional) Specify an address range for which a single route is advertised. Use this command only with area border routers. Step 8 Return to privileged EXEC mode. Step 9 show ip ospf [process-id] Display information about the OSPF routing process in general or for...
  • Page 713 Chapter 31 Configuring IP Unicast Routing Configuring OSPF • Route calculation timers: You can configure the delay time between when OSPF receives a topology change and when it starts the shortest path first (SPF) calculation and the hold time between two SPF calculations.
  • Page 714: Changing Lsa Group Pacing

    Chapter 31 Configuring IP Unicast Routing Configuring OSPF Changing LSA Group Pacing The OSPF LSA group pacing feature allows the router to group OSPF LSAs and pace the refreshing, check-summing, and aging functions for more efficient router use. This feature is enabled by default with a 4-minute default pacing interval, and you will not usually need to modify this parameter.
  • Page 715: Monitoring Ospf

    EXEC commands for displaying statistics. For more show ip ospf database privileged EXEC command options and for explanations of fields in the resulting display, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. Table 31-8 Show IP OSPF Statistics Commands...
  • Page 716: Configuring Eigrp

    Configuring EIGRP Configuring EIGRP Enhanced IGRP (EIGRP) is a Cisco proprietary enhanced version of the IGRP. Enhanced IGRP uses the same distance vector algorithm and distance information as IGRP; however, the convergence properties and the operating efficiency of Enhanced IGRP are significantly improved.
  • Page 717: Default Eigrp Configuration

    Chapter 31 Configuring IP Unicast Routing Configuring EIGRP feasible successors, but there are neighbors advertising the destination, a recomputation must occur. This is the process whereby a new successor is determined. The amount of time it takes to recompute the route affects the convergence time. Recomputation is processor-intensive; it is advantageous to avoid recomputation if it is not necessary.
  • Page 718: Configuring Basic Eigrp Parameters

    Chapter 31 Configuring IP Unicast Routing Configuring EIGRP Table 31-9 Default EIGRP Configuration (continued) Feature Default Setting IP authentication mode No authentication provided. IP bandwidth-percent 50 percent. IP hello interval For low-speed nonbroadcast multiaccess (NBMA) networks: 60 seconds; all other networks: 5 seconds. IP hold-time For low-speed NBMA networks: 180 seconds;...
  • Page 719: Configuring Eigrp Interfaces

    Chapter 31 Configuring IP Unicast Routing Configuring EIGRP Command Purpose Step 5 eigrp log-neighbor-changes (Optional) Enable logging of EIGRP neighbor changes to monitor routing system stability. Step 6 metric weights tos k1 k2 k3 k4 k5 (Optional) Adjust the EIGRP metric. Although the defaults have been carefully determined to provide excellent operation in most networks, you can adjust them.
  • Page 720: Configuring Eigrp Route Authentication

    15 seconds for all other networks. Caution Do not adjust the hold time without consulting Cisco technical support. Step 7 no ip split-horizon eigrp autonomous-system-number (Optional) Disable split horizon to allow route information to be advertised by a router out any interface from which that information originated.
  • Page 721: Monitoring And Maintaining Eigrp

    Table 31-10 lists the privileged EXEC commands for deleting neighbors and displaying statistics. For explanations of fields in the resulting display, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. Table 31-10 IP EIGRP Clear and Show Commands...
  • Page 722: Configuring Bgp

    BGP in Internet Routing Architectures, published by Cisco Press, and in the “Configuring BGP” chapter in the Cisco IOS IP and IP Routing Configuration Guide. Note For details about BGP commands and keywords, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
  • Page 723 AS-level policy decisions. A router or switch running Cisco IOS does not select or use an IBGP route unless it has a route available to the next-hop router and it has received synchronization from an IGP (unless IGP synchronization is disabled).
  • Page 724: Default Bgp Configuration

    For detailed descriptions of BGP configuration, refer to the “Configuring BGP” chapter in the Cisco IOS IP and IP Routing Configuration Guide. For details about specific commands, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. For a list of BGP commands that are visible but not supported by the switch, see Appendix C, “Unsupported CLI Commands in Cisco IOS Release...
  • Page 725 Chapter 31 Configuring IP Unicast Routing Configuring BGP Table 31-11 Default BGP Configuration (continued) Feature Default Setting Distribute list In (filter networks received in updates): Disabled. • Out (suppress networks from being advertised in updates): Disabled. • Internal route redistribution Disabled.
  • Page 726: Enabling Bgp Routing

    Chapter 31 Configuring IP Unicast Routing Configuring BGP Enabling BGP Routing To enable BGP routing, you establish a BGP routing process and define the local network. Because BGP must completely understand the relationships with its neighbors, you must also specify a BGP neighbor. BGP supports two kinds of neighbors: internal and external.
  • Page 727 Chapter 31 Configuring IP Unicast Routing Configuring BGP Command Purpose Step 9 bgp fast-external-fallover (Optional) Automatically reset a BGP session when a link between external neighbors goes down. By default, the session is not immediately reset. Step 10 Return to privileged EXEC mode. Step 11 show ip bgp network network-number Verify the configuration.
  • Page 728: Managing Routing Policy Changes

    BGP sessions so that the configuration changes take effect. There are two types of reset, hard reset and soft reset. Cisco IOS software releases 12.1 and later support a soft reset without any prior configuration. To use a soft reset without preconfiguration, both BGP peers must support the soft route refresh capability, which is advertised in the OPEN message sent when the peers establish a TCP session.
  • Page 729: Configuring Bgp Decision Attributes

    Prefer the path with the largest weight (a Cisco proprietary parameter). The weight attribute is local to the router and not propagated in routing updates. By default, the weight attribute is 32768 for paths that the router originates and zero for other paths.
  • Page 730 Chapter 31 Configuring IP Unicast Routing Configuring BGP Prefer the route with the highest local preference. Local preference is part of the routing update and exchanged among routers in the same AS. The default value of the local preference attribute is 100. You can set local preference by using the bgp default local-preference router configuration command or by using a route map.
  • Page 731: Configuring Bgp Filtering With Route Maps

    Chapter 31 Configuring IP Unicast Routing Configuring BGP Command Purpose Step 7 bgp bestpath med missing-as-worst (Optional) Configure the switch to consider a missing MED as having a value of infinity, making the path without a MED value the least desirable path. Step 8 bgp always-compare med (Optional) Configure the switch to compare MEDs for...
  • Page 732: Configuring Bgp Filtering By Neighbor

    Chapter 31 Configuring IP Unicast Routing Configuring BGP Command Purpose Step 3 set ip next-hop ip-address [...ip-address] [peer-address] (Optional) Set a route map to disable next-hop processing. • In an inbound route map, set the next hop of matching routes to be the neighbor peering address, overriding third-party next hops.
  • Page 733: Configuring Prefix Lists For Bgp Filtering

    BGP autonomous system paths. Each filter is an access list based on regular expressions. (Refer to the “Regular Expressions” appendix in the Cisco IOS Dial Services Command Reference for more information on forming regular expressions.) To use this method, define an autonomous system path access list, and apply it to updates to and from particular neighbors.
  • Page 734: Configuring Bgp Community Filtering

    Chapter 31 Configuring IP Unicast Routing Configuring BGP You do not need to specify a sequence number when removing a configuration entry. Show commands include the sequence numbers in their output. Before using a prefix list in a command, you must set up the prefix list. Beginning in privileged EXEC mode, follow these steps to create a prefix list or to add an entry to a prefix list: Command Purpose...
  • Page 735 (Optional) Display and parse BGP communities in the format AA:NN. A BGP community appears in a 2-part format two bytes long. The Cisco default community format is in the format NNAA. In the most recent RFC for BGP, a community takes the form AA:NN, where the first part is the AS number and the second part is a 2-byte number.
  • Page 736: Configuring Bgp Neighbors And Peer Groups

    Chapter 31 Configuring IP Unicast Routing Configuring BGP Configuring BGP Neighbors and Peer Groups Often many BGP neighbors are configured with the same update policies (that is, the same outbound route maps, distribute lists, filter lists, update source, and so on). Neighbors with the same update policies can be grouped into peer groups to simplify configuration and to make updating more efficient.
  • Page 737 Chapter 31 Configuring IP Unicast Routing Configuring BGP Command Purpose Step 13 neighbor {ip-address | peer-group-name} maximum-prefix maximum [threshold] (Optional) Control how many prefixes can be received from a neighbor. The range is 1 to 4294967295. The threshold (optional) is the percentage of maximum at which a warning message is generated.
  • Page 738: Configuring Aggregate Addresses

    Chapter 31 Configuring IP Unicast Routing Configuring BGP Configuring Aggregate Addresses Classless interdomain routing (CIDR) enables you to create aggregate routes (or supernets) to minimize the size of routing tables. You can configure aggregate routes in BGP either by redistributing an aggregate route into BGP or by creating an aggregate entry in the BGP routing table.
  • Page 739: Configuring Bgp Route Reflectors

    Chapter 31 Configuring IP Unicast Routing Configuring BGP To configure a BGP confederation, you must specify a confederation identifier that acts as the autonomous system number for the group of autonomous systems. Beginning in privileged EXEC mode, use these commands to configure a BGP confederation: Command Purpose Step 1...
  • Page 740: Configuring Route Dampening

    Chapter 31 Configuring IP Unicast Routing Configuring BGP Beginning in privileged EXEC mode, use these commands to configure a route reflector and clients: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router bgp autonomous-system Enter BGP router configuration mode. Step 3 neighbor ip-address | peer-group-name Configure the local router as a BGP route reflector and the...
  • Page 741: Monitoring And Maintaining Bgp

    Table 31-10 lists the privileged EXEC commands for clearing and displaying BGP. For explanations of the display fields, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. Table 31-13 IP BGP Clear and Show Commands...
  • Page 742 Chapter 31 Configuring IP Unicast Routing Configuring BGP Table 31-13 IP BGP Clear and Show Commands (continued) Command Purpose show ip bgp neighbors [address] Display detailed information on the BGP and TCP connections to individual neighbors. show ip bgp neighbors [address] [advertised-routes | Display routes learned from a particular BGP neighbor.
  • Page 743: Configuring Multi-Vrf Ce

    Note The switch does not use Multiprotocol Label Switching (MPLS) to support VPNs. For information about MPLS VRF, refer to the Cisco IOS Switching Services Configuration Guide for Release 12.1. This section includes these topics: • Understanding Multi-VRF CE, page 31-65...
  • Page 744 Chapter 31 Configuring IP Unicast Routing Configuring Multi-VRF CE sites participate in the same VPN. Each VPN is mapped to a specified VRF. After learning local VPN routes from CEs, a PE router exchanges VPN routing information with other PE routers by using internal BGP (IBGP).
  • Page 745: Default Multi-Vrf Ce Configuration

    Chapter 31 Configuring IP Unicast Routing Configuring Multi-VRF CE This is the packet-forwarding process in a multi-VRF-CE-enabled network: • When the switch receives a packet from a VPN, the switch looks up the routing table based on the input policy label number. When a route is found, the switch forwards the packet to the PE. •...
  • Page 746: Multi-Vrf Ce Configuration Guidelines

    Chapter 31 Configuring IP Unicast Routing Configuring Multi-VRF CE Multi-VRF CE Configuration Guidelines Note To use multi-VRF CE, you must have the enhanced multilayer software image installed on your switch. These are considerations when configuring VRF in your network: • A switch with multi-VRF CE is shared by multiple customers, and each customer has its own routing table.
  • Page 747: Configuring Vrfs

    Beginning in privileged EXEC mode, follow these steps to configure one or more VRFs. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference for Release 12.1. Command...
  • Page 748: Configuring A Vpn Routing Session

    Chapter 31 Configuring IP Unicast Routing Configuring Multi-VRF CE Configuring a VPN Routing Session Routing within the VPN can be configured with any supported routing protocol (RIP, OSPF, IGRP, EIGRP, or BGP) or with static routing. The configuration shown here is for OSPF, but the process is the same for other protocols.
  • Page 749: Multi-Vrf Ce Configuration Example

    Chapter 31 Configuring IP Unicast Routing Configuring Multi-VRF CE Command Purpose Step 9 Return to privileged EXEC mode. Step 10 show ip bgp [ipv4] [neighbors] Verify BGP configuration. Step 11 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no router bgp autonomous-system-number global configuration command to delete the BGP routing process.
  • Page 750 Chapter 31 Configuring IP Unicast Routing Configuring Multi-VRF CE Configuring Switch S8 On Switch S8, enable routing and configure VRF. Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# ip routing Switch(config)# ip vrf v11 Switch(config-vrf)# rd 800:1 Switch(config-vrf)# route-target export 800:1 Switch(config-vrf)# route-target import 800:1 Switch(config-vrf)# exit...
  • Page 751 Chapter 31 Configuring IP Unicast Routing Configuring Multi-VRF CE Switch(config)# interface Vlan118 Switch(config-if)# ip vrf forwarding v12 Switch(config-if)# ip address 118.0.0.8 255.255.255.0 Switch(config-if)# exit Switch(config)# interface Vlan208 Switch(config-if)# ip vrf forwarding v11 Switch(config-if)# ip address 208.0.0.8 255.255.255.0 Switch(config-if)# exit Configure OSPF routing in VPN1 and VPN2. Switch(config)# router ospf 1 vrf v11 Switch(config-router)# redistribute bgp 800 subnets Switch(config-router)# network 208.0.0.0 0.0.0.255 area 0...
  • Page 752 Chapter 31 Configuring IP Unicast Routing Configuring Multi-VRF CE Switch(config-if)# no ip address Switch(config-if)# exit Switch(config)# interface Vlan118 Switch(config-if)# ip address 118.0.0.11 255.255.255.0 Switch(config-if)# exit Switch(config)# router ospf 101 Switch(config-router)# network 118.0.0.0 0.0.0.255 area 0 Switch(config-router)# end Configuring the PE Switch S3 On Switch S3 (the router), these commands only configure the connections to the CE device, Switch S8.
  • Page 753: Displaying Multi-Vrf Ce Status

    [brief | detail | interfaces] [vrf-name] Display information about the defined VRF instances. For more information about the information in the displays, refer to the Cisco IOS Switching Services Command Reference for Release 12.1. Configuring Protocol-Independent Features This section describes how to configure IP routing protocol-independent features.
  • Page 754: Configuring The Number Of Equal-Cost Routing Paths

    Chapter 31 Configuring IP Unicast Routing Configuring Protocol-Independent Features process-switched by using the routing table, instead of fast-switched by using the route cache. CEF uses the forwarding information base (FIB) lookup table to perform destination-based switching of IP packets. The two main components in CEF are the FIB and adjacency tables. •...
  • Page 755: Configuring Static Unicast Routes

    Chapter 31 Configuring IP Unicast Routing Configuring Protocol-Independent Features Beginning in privileged EXEC mode, follow these steps to change the maximum number of parallel paths installed in a routing table from the default: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router {bgp |rip | ospf | igrp | eigrp} Enter router configuration mode.
  • Page 756: Specifying Default Routes And Networks

    Chapter 31 Configuring IP Unicast Routing Configuring Protocol-Independent Features Table 31-16 Dynamic Routing Protocol Default Administrative Distances (continued) Route Source Default Distance EIGRP summary route External BGP Internal Enhanced IGRP IGRP OSPF EIGRP summary route Internal BGP Unknown Static routes that point to an interface are advertised through RIP, IGRP, and other dynamic routing protocols, whether or not static redistribute router configuration commands were specified for those routing protocols.
  • Page 757: Using Route Maps To Redistribute Routing Information

    Note Although each of Steps 3 through 16 in the following section is optional, you must enter at least one match route-map configuration command and one set route-map configuration command. For complete syntax information for the command, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1...
  • Page 758 Chapter 31 Configuring IP Unicast Routing Configuring Protocol-Independent Features Beginning in privileged EXEC mode, follow these steps to configure a route map for redistribution: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 route-map map-tag [permit | deny] [sequence number] Define any route maps used to control redistribution and enter route-map configuration mode.
  • Page 759 Chapter 31 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 15 set as-path {tag | prepend as-path-string} Modify the BGP autonomous system path. Step 16 set level {level-1 | level-2 | level-1-2 | stub-area | backbone} Set the level for routes that are advertised into the specified area of the routing domain.
  • Page 760: Configuring Policy-Based Routing

    Chapter 31 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 3 redistribute protocol [process-id] {level-1 | level-1-2 | level-2} [metric metric-value] [metric-type type-value] [match internal | external type-value] [tag tag-value] [route-map map-tag] [weight weight] [subnets] Redistribute routes from one routing protocol to another routing protocol. Step 4 default-metric number...
  • Page 761: Pbr Configuration Guidelines

    “Using Route Maps to Redistribute Routing Information” section on page 31-79. Note For details about PBR commands and keywords, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. For a list of PBR commands not supported by the switch, see Appendix C, “Unsupported CLI Commands in Cisco IOS Release 12.1(19)EA1.”...
  • Page 762: Enabling Pbr

    Chapter 31 Configuring IP Unicast Routing Configuring Protocol-Independent Features Enabling PBR By default, PBR is disabled on the switch. To enable PBR, you must create a route map that specifies the match criteria and the resulting action if all of the match clauses are met. Then, you must enable PBR for that route map on an interface.
  • Page 763: Filtering Routing Information

    Chapter 31 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 10 Return to privileged EXEC mode. Step 11 show route-map [map-name] Display all route maps configured or only the one specified to verify configuration. Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 764: Controlling Advertising And Processing In Routing Updates

    Chapter 31 Configuring IP Unicast Routing Configuring Protocol-Independent Features Beginning in privileged EXEC mode, follow these steps to configure passive interfaces: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router {bgp |rip | ospf | igrp | eigrp} Enter router configuration mode.
  • Page 765: Filtering Sources Of Routing Information

    Chapter 31 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 5 Return to privileged EXEC mode. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no distribute-list in router configuration command to change or cancel a filter. To cancel suppression of network advertisements in updates, use the no distribute-list out router configuration command.
  • Page 766: Managing Authentication Keys

    Chapter 31 Configuring IP Unicast Routing Configuring Protocol-Independent Features Managing Authentication Keys Key management is a method of controlling authentication keys used by routing protocols. Not all protocols can use key management. Authentication keys are available for EIGRP and RIP Version 2. Before you manage authentication keys, you must enable authentication.
  • Page 767: Monitoring And Maintaining The Ip Network

    Chapter 31 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network Monitoring and Maintaining the IP Network You can remove all contents of a particular cache, table, or database. You can also display specific statistics. Use the privileged EXEC commands in Table 31-17 to clear routes or display status: Table 31-17 Commands to Clear IP Routes or Display Route Status...
  • Page 768 Chapter 31 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network...
  • Page 769: Understanding Hsrp

    Note For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the Cisco IOS IP and IP Routing Command Reference for Release 12.1. This chapter consists of these sections: • Understanding HSRP, page 32-1...
  • Page 770: Chapter 32 Configuring Hsrp

    Chapter 32 Configuring HSRP Understanding HSRP Note Routers in an HSRP group can be any router interface that supports HSRP, including Catalyst 3550 routed ports and switch virtual interfaces (SVIs). HSRP provides high network availability by providing redundancy for IP traffic from hosts on networks. In a group of router interfaces, the active router is the router of choice for routing packets.
  • Page 771 Chapter 32 Configuring HSRP Understanding HSRP You can verify the VLAN ID assigned to a routed port by using the show vlan internal usage privileged EXEC command. An interface can belong to multiple HSRP groups, and the same HSRP group can be applied to different interfaces.
  • Page 772: Configuring Hsrp

    Chapter 32 Configuring HSRP Configuring HSRP Configuring HSRP These sections include HSRP configuration information: • Default HSRP Configuration, page 32-4 • HSRP Configuration Guidelines and Limitations, page 32-4 • Enabling HSRP, page 32-5 • Configuring HSRP Group Attributes, page 32-6 • Configuring HSRP Groups and Clustering, page 32-10...
  • Page 773: Enabling Hsrp

    Chapter 32 Configuring HSRP Configuring HSRP • The switch supports HSRP MAC address entries in hardware for up to 16 unique HSRP groups. Because of other switch feature configurations, we recommend that you do not assign more than 64 HSRP interfaces. • An HSRP group can use the same HSRP MAC address on a single Layer 3 interface, several Layer 3...
  • Page 774: Configuring Hsrp Group Attributes

    Chapter 32 Configuring HSRP Configuring HSRP Command Purpose Step 3 standby [group-number] ip [ip-address [secondary]] Create (or enable) the HSRP group using its number and virtual IP address. • (Optional) group-number—The group number on the interface for which HSRP is being enabled. The range is 0 to 255; the default is 0. If there is only one HSRP group, you do not need to enter a group number.
  • Page 775 Chapter 32 Configuring HSRP Configuring HSRP • The highest number (1 to 255) represents the highest priority (most likely to become the active router). • When setting the priority, preempt, or both, you must specify at least one keyword (priority, preempt, or both).
  • Page 776 Chapter 32 Configuring HSRP Configuring HSRP Command Purpose Step 4 standby [group-number] [priority priority] preempt [delay delay] Configure the router to preempt, which means that when the local router has a higher priority than the active router, it assumes control as the active router. •...
  • Page 777: Configuring Hsrp Authentication And Timers

    [group-number] authentication string (Optional) authentication string—Enter a string to be carried in all HSRP messages. The authentication string can be up to eight characters in length; the default string is cisco. (Optional) group-number—The group number to which the command applies.
  • Page 778: Configuring Hsrp Groups And Clustering

    Chapter 32 Configuring HSRP Configuring HSRP This example shows how to configure word as the authentication string required to allow Hot Standby routers in group 1 to interoperate: Switch# configure terminal Switch(config)# interface gigabitethernet0/1 Switch(config-if)# standby 1 authentication word Switch(config-if)# end Switch# This example shows how to set the timers on standby group 1 with the time between hello packets at 5 seconds and the time after which a router is considered down to be 15 seconds:...
  • Page 779: Displaying Hsrp Configurations

    Chapter 32 Configuring HSRP Displaying HSRP Configurations Displaying HSRP Configurations From privileged EXEC mode, use this command to display HSRP settings: show standby [interface-id [group]] [brief] [detail] You can display HSRP information for the whole switch, for a specific interface, for an HSRP group, or for an HSRP group on an interface.
  • Page 780 Chapter 32 Configuring HSRP Displaying HSRP Configurations...
  • Page 781 This chapter describes how to configure your Catalyst 3550 switch to redirect traffic to cache engines (web caches such as the Cisco Cache Engine 550) by using the Web Cache Communication Protocol (WCCP). WCCP is a Cisco-developed content-routing technology that you can use to integrate cache engines into your network infrastructure.
  • Page 782: Chapter 33 Configuring Web Cache Services By Using Wccp

    Understanding WCCP Understanding WCCP The WCCP and Cisco cache engines (or other caches running WCCP) localize web-traffic patterns in the network, enabling content requests to be fulfilled locally. WCCP enables supported Cisco routers and switches to transparently redirect content requests. With transparent redirection, users do not have to configure their browsers to use a web proxy.
  • Page 783: Wccp Message Exchange

    The switch receives the returned packet through a generic-route encapsulation (GRE) tunnel. The switch CPU uses Cisco express forwarding (CEF) to send these packets to the target web server. When the server responds with the requested information, the switch uses the normal Layer 3 forwarding to return the information to the requesting client.
  • Page 784: Md5 Security

    Chapter 33 Configuring Web Cache Services By Using WCCP Understanding WCCP MD5 Security WCCPv2 provides an optional security component in each protocol message to enable the switch to use MD5 authentication on messages between the switch and the cache engine. Messages that do not authenticate (when authentication of the switch is enabled) are discarded by the switch.
  • Page 785: Configuring Wccp

    • Make a direct Layer 2 connection from the cache engines to the switch so that the switch can perform Layer 2 rewrites for WCCP redirection. The Cisco Cache Engines require the use of a Fast Ethernet interface for a direct connection. You also can connect the switch to the cache engine by using a 10/100/1000 port if the connection is a direct Layer 2 connection.
  • Page 786: Enabling The Web Cache Service, Setting The Password, And Redirecting Traffic Received From A Client

    Chapter 33 Configuring Web Cache Services By Using WCCP Configuring WCCP Enabling the Web Cache Service, Setting the Password, and Redirecting Traffic Received From a Client MD5 password security requires that the switch and cache engines be configured with the same password.
  • Page 787 Chapter 33 Configuring Web Cache Services By Using WCCP Configuring WCCP Command Purpose Step 12 ip wccp web-cache redirect in Redirect packets received from the client to the cache engine. Step 13 exit Return to global configuration mode. Repeat Steps 8 through 13 for each client.
  • Page 788 Chapter 33 Configuring Web Cache Services By Using WCCP Configuring WCCP Switch(config)# interface fastethernet0/5 Switch(config-if)# no switchport Switch(config-if)# ip address 175.20.60.50 255.255.255.0 Switch(config-if)# no shutdown Switch(config-if)# ip wccp web-cache redirect in Switch(config-if)# exit This example shows how to configure SVIs and how to enable the web cache service. VLAN 299 is created and configured with an IP address of 175.20.20.10.
  • Page 789: Monitoring And Maintaining Wccp

    Chapter 33 Configuring Web Cache Services By Using WCCP Monitoring and Maintaining WCCP Monitoring and Maintaining WCCP To monitor and maintain WCCP, use one or more of the privileged EXEC commands in Table 33-2: Table 33-2 Commands for Monitoring and Maintaining WCCP Command Purpose clear ip wccp web-cache...
  • Page 790 Chapter 33 Configuring Web Cache Services By Using WCCP Monitoring and Maintaining WCCP...
  • Page 791: Configuring Ip Multicast Routing

    Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. This chapter describes how to configure IP multicast routing on your Catalyst 3550 multilayer switch.
  • Page 792: Chapter 34 Configuring Ip Multicast Routing

    Internet (MBONE). The Cisco IOS software supports PIM-to-DVMRP interaction. • Cisco Group Management Protocol (CGMP) is used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. Figure 34-1 shows where these protocols operate within the IP multicast environment.
  • Page 793: Understanding Igmp

    Chapter 34 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing Understanding IGMP To participate in IP multicasting, multicast hosts, routers, and multilayer switches must have IGMP operating. This protocol is the group membership protocol used by hosts to inform routers and multilayer switches of the existence of members on their directly connected networks and to allow them to send and receive multicast datagrams.
  • Page 794: Igmp Version 2

    Chapter 34 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing IGMP Version 2 IGMPv2 provides enhancements over IGMPv1. The query and membership report messages are identical to the IGMPv1 messages with two exceptions. The first difference is that the IGMPv2 query message is broken into two categories: general queries, which perform the same function as the IGMPv1 queries, and group-specific queries, which are queries directed to a single group.
  • Page 795: Understanding Pim

    PIM Versions Two versions of PIM are supported in the Cisco IOS software. With PIM Version 1 (PIMv1), Cisco introduced support in Cisco IOS Release 11.1(6) for a new feature called Auto-RP. This proprietary feature eliminates the need to manually configure the rendezvous point (RP) information in every router and multilayer switch in the network.
  • Page 796 Chapter 34 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing The simplest form of a multicast distribution tree is a source tree whose root is the source of the multicast traffic and whose branches form a spanning tree through the network to the receivers. Because this tree uses the shortest path through the network, it is also referred to as a shortest-path tree (SPT).
  • Page 797 Chapter 34 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing PIM SM PIM SM uses shared trees and SPTs to distribute multicast traffic to multicast receivers in the network. In PIM SM, a router or multilayer switch assumes that other routers or switches do not forward multicast packets for a group, unless there is an explicit request for the traffic (join message).
  • Page 798: Auto-Rp

    For Auto-RP to work, you configure a Cisco router or multilayer switch as the mapping agent. It uses IP multicast to learn which routers or switches in the network are possible candidate RPs by joining the well-known Cisco-RP-announce multicast group (224.0.1.39) to receive candidate RP announcements.
  • Page 799: Multicast Forwarding And Reverse Path Check

    Chapter 34 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing travel hop-by-hop throughout the PIM domain. Because BSR messages contain the IP address of the current BSR, the flooding mechanism allows candidate RPs to automatically learn which device is the elected BSR.
  • Page 800: Neighbor Discovery

    Chapter 34 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing [Figure 34-6 RPF Check: two copies of a multicast packet from source 151.10.3.21 arrive on different interfaces of the switch (Gigabit Ethernet 0/1, 0/2, 0/3 are shown); the copy arriving on the interface that passes the RPF check is forwarded, the other copy is discarded.]...
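The RPF check illustrated in Figure 34-6 is the mechanism that keeps multicast from looping and from replicating a packet that arrived from the wrong direction. The following is an added example (not code from the Catalyst 3550 guide) that models the check in Python: the unicast routing table, interface names and group membership are constructed for illustration and are not the figure's topology. A packet is forwarded only if it arrived on the interface the unicast table would use to reach its source; any other copy is dropped.

```python
# Added example (not from the Catalyst 3550 guide): a multicast Reverse Path
# Forwarding (RPF) check. Routing table, interfaces and group membership below
# are constructed for illustration only.
import ipaddress
from typing import List, Optional

# Constructed unicast routing table: prefix -> interface on the path back to
# that prefix. Longest-prefix match decides which entry applies to a source.
UNICAST_ROUTES = {
    "151.10.0.0/16": "GigabitEthernet0/1",
    "10.0.0.0/8": "GigabitEthernet0/2",
    "0.0.0.0/0": "GigabitEthernet0/3",
}

# Constructed outgoing interface list for one multicast group (interfaces that
# have members or downstream PIM neighbours for the group).
OUTGOING_INTERFACES = {
    "239.1.1.1": ["GigabitEthernet0/2", "GigabitEthernet0/3"],
}


def rpf_interface(source: str) -> Optional[str]:
    """Return the RPF interface for a source: the longest-prefix-match route's interface."""
    src = ipaddress.ip_address(source)
    best_net = None
    best_iface = None
    for prefix, iface in UNICAST_ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if src in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpf_forward(source: str, group: str, in_iface: str) -> List[str]:
    """Return the interfaces a packet is replicated to, or [] if it fails the RPF check.

    The packet passes only if it arrived on the interface the unicast table uses
    toward its source. Copies arriving on any other interface are discarded, so a
    looped or duplicated feed is not forwarded a second time.
    """
    if rpf_interface(source) != in_iface:
        return []  # RPF check failed: drop silently
    # Never send the packet back out the interface it arrived on.
    return [i for i in OUTGOING_INTERFACES.get(group, []) if i != in_iface]


if __name__ == "__main__":
    for iface in ("GigabitEthernet0/1", "GigabitEthernet0/2"):
        out = rpf_forward("151.10.3.21", "239.1.1.1", iface)
        print(f"packet from 151.10.3.21 on {iface}: "
              f"{'forwarded to ' + ', '.join(out) if out else 'discarded (RPF failure)'}")
```

On the real switch the RPF interface can also come from a static mroute or a DVMRP route rather than only the unicast table; the example models the unicast-table case, which is the one Figure 34-6 illustrates.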
  • Page 801: Understanding Dvmrp

    (MBONE) and in other intradomain multicast networks. Cisco routers and multilayer switches run PIM and can forward multicast packets to and receive from a DVMRP neighbor. It is also possible to propagate DVMRP routes into and through a PIM cloud. The...
  • Page 802: Joining A Group With Cgmp

    Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. CGMP permits Layer 2 group membership information to be communicated from the CGMP server to the switch, which can learn on which ports multicast members reside instead of flooding multicast traffic to all switch ports.
  • Page 803: Leaving A Group With Cgmp

    Table 34-1 Default Multicast Routing Configuration Feature Default Setting Multicast routing Disabled on all interfaces. PIM version Version 2 (for devices running Cisco IOS Release 11.3(2)T or later). PIM mode No mode is defined. PIM RP address None configured. PIM domain border Disabled.
  • Page 804: Multicast Routing Configuration Guidelines

    PIMv1 interoperates with the PIMv2 RP feature. Although all PIMv2 devices can also use PIMv1, we recommend that the RPs be upgraded to PIMv2 (or at least upgraded to PIMv1 in the Cisco IOS Release 11.3 software). To ease the transition to PIMv2, we have these recommendations: •...
  • Page 805: Auto-Rp And Bsr Configuration Guidelines

    • If you have a network that includes non-Cisco routers, configure the Auto-RP mapping agent and the BSR on a Cisco PIMv2 router or multilayer switch. Ensure that no PIMv1 device is on the path between the BSR and a non-Cisco PIMv2 router.
  • Page 806 By default, Version 2 is enabled and is the recommended setting. Note All IP multicast-capable Cisco PIM routers using Cisco IOS Release 11.3(2)T or later start in PIMv2 by default. An interface in PIMv2 mode automatically downgrades to PIMv1 mode if that interface has a PIMv1 neighbor.
  • Page 807: Configuring A Rendezvous Point

    • Manually Assigning an RP to Multicast Groups, page 34-17 • Configuring Auto-RP, page 34-18 (a standalone, Cisco-proprietary protocol separate from PIMv1) • Configuring PIMv2 BSR, page 34-22 (a standards-track protocol in the Internet Engineering Task Force (IETF)) You can use Auto-RP, BSR, or a combination of both, depending on the PIM version you are running and the types of routers in your network.
  • Page 808: Configuring Auto-Rp

    Switch(config)# access-list 1 permit 225.2.2.2 0.0.0.0 Switch(config)# ip pim rp-address 147.106.6.22 1 Configuring Auto-RP Auto-RP uses IP multicast to automate the distribution of group-to-RP mappings to all Cisco routers and multilayer switches in a PIM network. It has these benefits: •...
  • Page 809 Chapter 34 Configuring IP Multicast Routing Configuring IP Multicast Routing These sections describe how to configure Auto-RP: • Setting up Auto-RP in a New Internetwork, page 34-19 • Adding Auto-RP to an Existing Sparse-Mode Cloud, page 34-19 • Preventing Join Messages to False RPs, page 34-20 • Preventing Candidate RP Spoofing, page 34-21...
  • Page 810 Chapter 34 Configuring IP Multicast Routing Configuring IP Multicast Routing Command Purpose Step 4 access-list access-list-number {deny | Create a standard access list, repeating the command as many times as permit} source [source-wildcard] necessary. • For access-list-number, enter the access list number specified in Step 3.
  • Page 811 Chapter 34 Configuring IP Multicast Routing Configuring IP Multicast Routing If all interfaces are in sparse mode, use a default-configured RP to support the two well-known groups 224.0.1.39 and 224.0.1.40. Auto-RP uses these two well-known groups to collect and distribute RP-mapping information.
  • Page 812: Configuring Pimv2 Bsr

    Chapter 34 Configuring IP Multicast Routing Configuring IP Multicast Routing Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a filter on incoming RP announcement messages, use the no ip pim rp-announce-filter rp-list access-list-number group-list access-list-number global configuration command.
  • Page 813 Chapter 34 Configuring IP Multicast Routing Configuring IP Multicast Routing Beginning in privileged EXEC mode, follow these steps to define the PIM domain border: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the interface to be configured.
  • Page 814 Chapter 34 Configuring IP Multicast Routing Configuring IP Multicast Routing Defining the IP Multicast Boundary You define a multicast boundary to prevent Auto-RP messages from entering the PIM domain. You create an access list to deny packets destined for 224.0.1.39 and 224.0.1.40, which carry Auto-RP information.
  • Page 815 Chapter 34 Configuring IP Multicast Routing Configuring IP Multicast Routing Configuring Candidate BSRs You can configure one or more candidate BSRs. The devices serving as candidate BSRs should have good connectivity to other devices and be in the backbone portion of the network. Beginning in privileged EXEC mode, follow these steps to configure your multilayer switch as a candidate BSR: Command...
  • Page 816 IP multicast address space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR. When deciding which devices should be RPs, consider these options: • In a network of Cisco routers and multilayer switches where only Auto-RP is used, any device can be configured as an RP. •...
  • Page 817: Using Auto-Rp And A Bsr

    If you have non-Cisco PIMv2 routers that need to interoperate with Cisco PIMv1 routers and multilayer switches, both Auto-RP and a BSR are required. We recommend that a Cisco PIMv2 router or multilayer switch be both the Auto-RP mapping agent and the BSR.
  • Page 818: Troubleshooting Pimv1 And Pimv2 Interoperability Problems

    This type of distribution tree is called a shortest-path tree or source tree. By default, the Cisco IOS software switches to a source tree upon receiving the first data packet from a source.
  • Page 819: Delaying The Use Of Pim Shortest-Path Tree

    Chapter 34 Configuring IP Multicast Routing Configuring Advanced PIM Features This process describes the move from a shared tree to a source tree: A receiver joins a group; leaf Router C sends a join message toward the RP. The RP puts a link to Router C in its outgoing interface list. A source sends data;...
  • Page 820: Modifying The Pim Router-Query Message Interval

    Chapter 34 Configuring IP Multicast Routing Configuring Advanced PIM Features Beginning in privileged EXEC mode, follow these steps to configure a traffic rate threshold that must be reached before multicast routing is switched from the source tree to the shortest-path tree: Command Purpose Step 1...
  • Page 821: Configuring Optional Igmp Features

    Chapter 34 Configuring IP Multicast Routing Configuring Optional IGMP Features By default, multicast routers and multilayer switches send PIM router-query messages every 30 seconds. Beginning in privileged EXEC mode, follow these steps to modify the router-query message interval: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 822: Changing The Igmp Version

    Chapter 34 Configuring IP Multicast Routing Configuring Optional IGMP Features Table 34-2 Default IGMP Configuration (continued) Feature Default Setting Access to multicast groups All groups are allowed on an interface. IGMP host-query message interval 60 seconds on all interfaces. Multilayer switch as a statically connected member Disabled.
  • Page 823: Changing The Maximum Query Response Time For Igmpv2

    Chapter 34 Configuring IP Multicast Routing Configuring Optional IGMP Features You can determine the query interval by entering the show ip igmp interface interface-id privileged EXEC command. Beginning in privileged EXEC mode, follow these steps to change the IGMP query timeout: Command Purpose Step 1...
  • Page 824: Configuring The Multilayer Switch As A Member Of A Group

    ICMP echo-request packets addressed to a group of which they are members. Another example is the multicast trace-route tools provided in the Cisco IOS software. Beginning in privileged EXEC mode, follow these steps to configure the multilayer switch to be a...
  • Page 825: Controlling Access To Ip Multicast Groups

    Chapter 34 Configuring IP Multicast Routing Configuring Optional IGMP Features Controlling Access to IP Multicast Groups The multilayer switch sends IGMP host-query messages to determine which multicast groups have members on attached local networks. The switch then forwards to these group members all packets addressed to the multicast group.
  • Page 826: Modifying The Igmp Host-Query Message Interval

    (TTL) of 1. The switch sends host-query messages to refresh its knowledge of memberships present on the network. If, after some number of queries, the Cisco IOS software discovers that no local hosts are members of a multicast group, the software stops forwarding multicast packets to the local network from remote origins for that group and sends a prune message upstream toward the source.
  • Page 827: Configuring Optional Multicast Routing Features

    Chapter 34 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Beginning in privileged EXEC mode, follow these steps to configure the switch itself to be a statically connected member of a group (and allow fast switching): Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 828: Enabling Cgmp Server Support

    The multilayer switch serves as a CGMP server for devices that do not support IGMP snooping but have CGMP client functionality. CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. CGMP is necessary because the Layer 2 switch cannot distinguish between IP multicast data packets and IGMP report messages, which are both at the MAC-level and are addressed to the same group address.
  • Page 829: Configuring Sdr Listener Support

    Chapter 34 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Configuring sdr Listener Support The MBONE is the small subset of Internet routers and hosts that are interconnected and capable of forwarding IP multicast traffic. Other interesting multimedia content is often broadcast over the MBONE.
  • Page 830: Configuring The Ttl Threshold

    Chapter 34 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Command Purpose Step 3 Return to privileged EXEC mode. Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no ip sdr cache-timeout global configuration command.
  • Page 831 Chapter 34 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features multicast packets with an initial TTL value set to 99. The engineering and marketing departments have set a TTL threshold of 40 at the perimeter of their networks; therefore, multicast applications running on these networks can prevent their multicast transmissions from leaving their respective networks.
  • Page 832: Configuring An Ip Multicast Boundary

    Chapter 34 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Configuring an IP Multicast Boundary Like TTL thresholds, administratively-scoped boundaries can also be used to limit the forwarding of multicast traffic outside of a domain or subdomain. This approach uses a special range of multicast addresses, called administratively-scoped addresses, as the boundary mechanism.
  • Page 833: Configuring Basic Dvmrp Interoperability Features

    Chapter 34 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Beginning in privileged EXEC mode, follow these steps to set up an administratively-scoped boundary: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard] Create a standard access list, repeating the command as many times as necessary.
  • Page 834: Configuring Dvmrp Interoperability

    DVMRP routers or interoperate with DVMRP routers over an MBONE tunnel. DVMRP advertisements produced by the Cisco IOS software can cause older versions of the mrouted protocol to corrupt their routing tables and those of their neighbors.
  • Page 835 Chapter 34 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Beginning in privileged EXEC mode, follow these steps to configure the sources that are advertised and the metrics that are used when DVMRP route-report messages are sent: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 836: Configuring A Dvmrp Tunnel

    Switch(config)# access-list 2 permit 0.0.0.0 255.255.255.255 Configuring a DVMRP Tunnel The Cisco IOS software supports DVMRP tunnels to the MBONE. You can configure a DVMRP tunnel on a router or multilayer switch if the other end is running DVMRP. The software then sends and receives multicast packets through the tunnel.
  • Page 837 Chapter 34 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Beginning in privileged EXEC mode, follow these steps to configure a DVMRP tunnel: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard] Create a standard access list, repeating the command as many times as necessary.
  • Page 838: Advertising Network 0.0.0.0 To Dvmrp Neighbors

    Switch(config)# access-list 1 permit 198.92.37.0 0.0.0.255 Advertising Network 0.0.0.0 to DVMRP Neighbors If your multilayer switch is a neighbor of an mrouted version 3.6 device, you can configure the Cisco IOS software to advertise network 0.0.0.0 (the default route) to the DVMRP neighbor. The DVMRP default route computes the RPF information for any multicast sources that do not match a more specific route.
  • Page 839: Responding To Mrinfo Requests

    Responding to mrinfo Requests The Cisco IOS software answers mrinfo requests sent by mrouted systems and Cisco routers and multilayer switches. The software returns information about neighbors through DVMRP tunnels and all the routed interfaces. This information includes the metric (always set to 1), the configured TTL threshold, the status of the interface, and various flags.
  • Page 840: Configuring Advanced Dvmrp Interoperability Features

    Configuring Advanced DVMRP Interoperability Features Configuring Advanced DVMRP Interoperability Features Cisco routers and multilayer switches run PIM to forward multicast packets to receivers and receive multicast packets from senders. It is also possible to propagate DVMRP routes into and through a PIM cloud.
  • Page 841: Rejecting A Dvmrp Nonpruning Neighbor

    Configuring Advanced DVMRP Interoperability Features Rejecting a DVMRP Nonpruning Neighbor By default, Cisco devices accept all DVMRP neighbors as peers, regardless of their DVMRP capability. However, some non-Cisco devices run old versions of DVMRP that cannot prune, so they continuously receive forwarded packets, wasting bandwidth.
  • Page 842 Chapter 34 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Figure 34-14 Router Rejects Nonpruning DVMRP Neighbor (figure labels: source router or RP; Router A; Router B; receiver; multicast traffic gets to receiver, not to leaf DVMRP device; multilayer switch; configure the ip dvmrp reject-non-pruners command on this interface).
  • Page 843: Controlling Route Exchanges

    Chapter 34 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Controlling Route Exchanges These sections describe how to tune the Cisco device advertisements of DVMRP routes: • Limiting the Number of DVMRP Routes Advertised, page 34-53 • Changing the DVMRP Route Threshold, page 34-54 •...
  • Page 844: Changing The Dvmrp Route Threshold

    Cisco router that is not on these two Ethernet segments does not properly RPF-check on the DVMRP router and is discarded. You can force the Cisco router to advertise the summary address (specified by the address and mask pair in the ip dvmrp summary-address address mask interface configuration command) in place of any route that falls in this address range.
  • Page 845 (figure residue: DVMRP router example with m = 1 routes for 176.32.15.0/24, ip pim dense-mode, interface fastethernet 0/2 with ip addr 176.32.15.1 255.255.255.0, a tunnel to the Cisco router, a DVMRP route table and a unicast routing table of 10,000 routes; table columns Network, Intf, Metric, Dist, Src)...
  • Page 846: Disabling Dvmrp Autosummarization

    Configuring Advanced DVMRP Interoperability Features Disabling DVMRP Autosummarization By default, the Cisco IOS software automatically performs some level of DVMRP summarization. Disable this function if you want to advertise all routes, not just a summary. In some special cases, you can use the neighboring DVMRP router with all subnet information to better control the flow of multicast traffic in the DVMRP network.
  • Page 847: Monitoring And Maintaining Ip Multicast Routing

    Chapter 34 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Beginning in privileged EXEC mode, follow these steps to change the default metric: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the interface to be configured.
  • Page 848: Clearing Caches, Tables, And Databases

    Chapter 34 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Clearing Caches, Tables, and Databases You can remove all contents of a particular cache, table, or database. Clearing a cache, table, or database might be necessary when the contents of the particular structure are, or are suspected to be, invalid. You can use any of the privileged EXEC commands in Table 34-3 to clear IP multicast caches, tables,...
  • Page 849: Monitoring Ip Multicast Routing

    Chapter 34 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Table 34-4 Commands for Displaying System and Network Statistics (continued) Command Purpose show ip pim interface [type number] [count] Display information about interfaces configured for PIM. show ip pim neighbor [type number] List the PIM neighbors discovered by the multilayer switch.
  • Page 851: Understanding Msdp

    Catalyst 3550 multilayer switch. The MSDP connects multiple Protocol-Independent Multicast sparse-mode (PIM-SM) domains. MSDP is not fully supported in this Cisco IOS release because of a lack of support for Multicast Border Gateway Protocol (MBGP), which works closely with MSDP. However, it is possible to create default peers that MSDP can operate with if MBGP is not running.
  • Page 852: Chapter 35 Configuring Msdp

    Chapter 35 Configuring MSDP Understanding MSDP The purpose of this topology is to have domains discover multicast sources in other domains. If the multicast sources are of interest to a domain that has receivers, multicast data is delivered over the normal, source-tree building mechanism in PIM-SM.
  • Page 853: Msdp Benefits

    Chapter 35 Configuring MSDP Understanding MSDP Figure 35-1 MSDP Running Between RP Peers (figure labels: MSDP peer; RP + MSDP peer; MSDP SA; peer RPF flooding; TCP connection; receiver; register; multicast (S,G) join; source; PIM sparse-mode domain) MSDP Benefits MSDP has these benefits: •...
  • Page 854: Configuring Msdp

    MSDP is not enabled, and no default MSDP peer exists. Configuring a Default MSDP Peer In this Cisco IOS release, because BGP and MBGP are not supported, you cannot configure an MSDP peer on the local multilayer switch by using the ip msdp peer global configuration command. Instead, you define a default MSDP peer (by using the ip msdp default-peer global configuration command) from which to accept all SA messages for the multilayer switch.
  • Page 855 Chapter 35 Configuring MSDP Configuring MSDP Figure 35-2 Default MSDP Peer Network (figure labels: Router C, default MSDP peer, ISP C PIM domain; 10.1.1.1; Multilayer Switch B; Router A, default MSDP peer, ISP A PIM domain; customer PIM domain) Beginning in privileged EXEC mode, follow these steps to specify a default MSDP peer: Command Purpose...
  • Page 856: Caching Source-Active State

    Chapter 35 Configuring MSDP Configuring MSDP Command Purpose Step 3 ip prefix-list name [description string] | seq number {permit | deny} network length (Optional) Create a prefix list using the name specified in Step 2. • (Optional) For description string, enter a description of up to 80 characters to describe this prefix list.
  • Page 857 Chapter 35 Configuring MSDP Configuring MSDP Beginning in privileged EXEC mode, follow these steps to enable the caching of source/group pairs: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip msdp cache-sa-state [list access-list-number] Enable the caching of source/group pairs (create an SA state). Those pairs that pass the access list are cached.
  • Page 858: Requesting Source Information From An Msdp Peer

    Chapter 35 Configuring MSDP Configuring MSDP Requesting Source Information from an MSDP Peer Local RPs can send SA requests and get immediate responses for all active sources for a given group. By default, the multilayer switch does not send any SA request messages to its MSDP peers when a new member joins a group and wants to receive multicast traffic.
  • Page 859: Redistributing Sources

    Chapter 35 Configuring MSDP Configuring MSDP Redistributing Sources SA messages are originated on RPs to which sources have registered. By default, any source that registers with an RP is advertised. The A flag is set in the RP when a source is registered, which means the source is advertised in an SA unless it is filtered.
  • Page 860 Chapter 35 Configuring MSDP Configuring MSDP Command Purpose Step 3 access-list access-list-number {deny | permit} source [source-wildcard] Create an IP standard access list, repeating the command as many times as necessary. access-list access-list-number {deny | permit} protocol source source-wildcard Create an IP extended access list, repeating the command as many times as necessary.
  • Page 861: Filtering Source-Active Request Messages

    Chapter 35 Configuring MSDP Configuring MSDP Filtering Source-Active Request Messages By default, only multilayer switches that are caching SA information can respond to SA requests. By default, such a switch honors all SA request messages from its MSDP peers and supplies the IP addresses of the active sources.
  • Page 862: Controlling Source Information That Your Switch Forwards

    Chapter 35 Configuring MSDP Configuring MSDP Controlling Source Information that Your Switch Forwards By default, the multilayer switch forwards all SA messages it receives to all its MSDP peers. However, you can prevent outgoing messages from being forwarded to a peer by using a filter or by setting a time-to-live (TTL) value.
  • Page 863 This example shows how to allow only (S,G) pairs that pass access list 100 to be forwarded in an SA message to the peer named switch.cisco.com: Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet0/1 Switch(config)# ip msdp sa-filter out switch.cisco.com list 100 Switch(config)# access-list 100 permit ip 171.69.0.0 0.0.255.255 224.2.0.0 0.0.255.255 ...
  • Page 864: Using Ttl To Limit The Multicast Data Sent In Sa Messages

    Chapter 35 Configuring MSDP Configuring MSDP Using TTL to Limit the Multicast Data Sent in SA Messages You can use a TTL value to control what data is encapsulated in the first SA message for every source. Only multicast packets with an IP-header TTL greater than or equal to the ttl argument are sent to the specified MSDP peer.
  • Page 865 To remove the filter, use the no ip msdp sa-filter in {ip-address | name} [list access-list-number] [route-map map-tag] global configuration command. This example shows how to filter all SA messages from the peer named switch.cisco.com: Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet0/1 Switch(config)# ip msdp sa-filter in switch.cisco.com...
  • Page 866: Configuring An Msdp Mesh Group

    Chapter 35 Configuring MSDP Configuring MSDP Configuring an MSDP Mesh Group An MSDP mesh group is a group of MSDP speakers that have fully meshed MSDP connectivity among one another. Any SA messages received from a peer in a mesh group are not forwarded to other peers in the same mesh group.
  • Page 867: Including A Bordering Pim Dense-Mode Region In Msdp

    Chapter 35 Configuring MSDP Configuring MSDP Beginning in privileged EXEC mode, follow these steps to shut down a peer: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip msdp shutdown {peer-name | peer address} Administratively shut down the specified MSDP peer without losing configuration information.
  • Page 868: Configuring An Originating Address Other Than The Rp Address

    Chapter 35 Configuring MSDP Configuring MSDP Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Note that the ip msdp originator-id global configuration command also identifies an interface type and number to be used as the RP address.
  • Page 869: Monitoring And Maintaining Msdp

    Chapter 35 Configuring MSDP Monitoring and Maintaining MSDP Monitoring and Maintaining MSDP To monitor MSDP SA messages, peers, state, or peer status, use one or more of the privileged EXEC commands in Table 35-1: Table 35-1 Commands for Monitoring and Maintaining MSDP Command Purpose debug ip msdp [peer-address | name] [detail] [routes]...
  • Page 871: Understanding Fallback Bridging

    To use this feature, you must have the enhanced multilayer software (EMI) image installed on your switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Bridging and IBM Networking Command Reference for Release 12.1.
  • Page 872: C H A P T E R 36 Configuring Fallback Bridging

    Chapter 36 Configuring Fallback Bridging Understanding Fallback Bridging data units (BPDUs) are not exchanged between different bridge groups on a switch. An interface can be a member of only one bridge group. Use a bridge group for each separately bridged (topologically distinct) network connected to the switch.
  • Page 873: Configuring Fallback Bridging

    Chapter 36 Configuring Fallback Bridging Configuring Fallback Bridging Configuring Fallback Bridging These sections describe how to configure fallback bridging on your switch: • Default Fallback Bridging Configuration, page 36-3 • Fallback Bridging Configuration Guidelines, page 36-3 • Creating a Bridge Group, page 36-4 •...
  • Page 874: Creating A Bridge Group

    Chapter 36 Configuring Fallback Bridging Configuring Fallback Bridging Creating a Bridge Group To configure fallback bridging for a set of SVIs or routed ports, these interfaces must be assigned to bridge groups. All interfaces in the same group belong to the same bridge domain. Each SVI or routed port can be assigned to only one bridge group.
  • Page 875: Preventing The Forwarding Of Dynamically Learned Stations

    Chapter 36 Configuring Fallback Bridging Configuring Fallback Bridging This example shows how to create bridge group 10, to specify that the VLAN-bridge STP runs in the bridge group, to define an interface as a routed port, and to assign the interface to the bridge group: Switch(config)# bridge 10 protocol vlan-bridge Switch(config)# interface gigabitethernet0/1 Switch(config-if)# no switchport...
  • Page 876: Configuring The Bridge Table Aging Time

    Chapter 36 Configuring Fallback Bridging Configuring Fallback Bridging This example shows how to prevent the switch from forwarding frames for stations that it has dynamically learned in bridge group 10: Switch(config)# no bridge 10 acquire Configuring the Bridge Table Aging Time A switch forwards, floods, or drops packets based on the bridge table.
  • Page 877: Adjusting Spanning-Tree Parameters

    Poorly planned adjustments can have a negative impact on performance. A good source on switching is the IEEE 802.1D specification; for more information, refer to the “References and Recommended Reading” appendix in the Cisco IOS Configuration Fundamentals Command Reference.
  • Page 878: Changing The Switch Priority

    Chapter 36 Configuring Fallback Bridging Configuring Fallback Bridging Changing the Switch Priority You can globally configure the priority of an individual switch when two switches tie for position as the root switch, or you can configure the likelihood that a switch will be selected as the root switch. This priority is determined by default;...
  • Page 879: Assigning A Path Cost

    Chapter 36 Configuring Fallback Bridging Configuring Fallback Bridging Command Purpose Step 5 show running-config Verify your entry. Step 6 copy running-config startup-config (Optional) Save your entry in the configuration file. No no form of this command exists. To return to the default setting, use the no bridge-group bridge-group priority interface configuration command.
  • Page 880: Adjusting Bpdu Intervals

    Chapter 36 Configuring Fallback Bridging Configuring Fallback Bridging Adjusting BPDU Intervals You can adjust BPDU intervals as described in these sections: • Adjusting the Interval between Hello BPDUs, page 36-10 • Changing the Forward-Delay Interval, page 36-10 • Changing the Maximum-Idle Interval, page 36-11 Note Each switch in a spanning tree adopts the interval between hello BPDUs, the forward delay interval, and the maximum idle interval parameters of the root switch, regardless of what its individual configuration...
  • Page 881 Chapter 36 Configuring Fallback Bridging Configuring Fallback Bridging Command Purpose Step 3 Return to privileged EXEC mode. Step 4 show running-config Verify your entry. Step 5 copy running-config startup-config (Optional) Save your entry in the configuration file. To return to the default setting, use the no bridge bridge-group forward-time global configuration command.
  • Page 882: Disabling The Spanning Tree On An Interface

    [address] [group] [verbose] Displays classes of entries in the bridge forwarding database. For information about the fields in these displays, refer to the Cisco IOS Bridging and IBM Networking Command Reference for Release 12.1.
  • Page 883: Using Recovery Procedures

    C H A P T E R Troubleshooting This chapter describes how to identify and resolve Catalyst 3550 software problems related to the Cisco IOS software. Depending on the nature of the problem, you can use the command-line interface (CLI) or the Cluster Management Suite (CMS) to identify and solve problems.
  • Page 884: Chapter 37 Troubleshooting

    Chapter 37 Troubleshooting Using Recovery Procedures Recovering from Corrupted Software Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity.
  • Page 885: Password Recovery With Password Recovery Enabled

    Chapter 37 Troubleshooting Using Recovery Procedures Note On Catalyst 3550 Fast Ethernet switches, a system administrator can disable some of the functionality of this feature by allowing an end user to reset a password only by agreeing to return to the default configuration.
  • Page 886 Chapter 37 Troubleshooting Using Recovery Procedures Step 4 Display the contents of Flash memory: switch# dir flash: Directory of flash: drwx Mar 01 1993 22:30:48 c3550-i5q3l2-mz-121-0.0.53 -rwx 5825 Mar 01 1993 22:31:59 config.text -rwx Mar 01 1993 22:30:57 env_vars -rwx Mar 01 1993 22:30:57 system_env_vars -rwx...
  • Page 887: Procedure With Password Recovery Disabled

    Chapter 37 Troubleshooting Using Recovery Procedures Note This procedure is likely to leave your switch virtual interface in a shutdown state. You can see which interface is in this state by entering the show running-config privileged EXEC command. To re-enable the interface, enter the interface vlan vlan-id global configuration command, and specify the VLAN ID of the shutdown interface.
  • Page 888: Recovering From A Command Switch Failure

    Chapter 37 Troubleshooting Using Recovery Procedures Step 4 Boot the system: Switch# boot You are prompted to start the setup program. To continue with password recovery, enter N at the prompt: Continue with the configuration dialog? [yes/no]: N Step 5 At the switch prompt, enter privileged EXEC mode: Switch>...
  • Page 889: Replacing A Failed Command Switch With A Cluster Member

    Chapter 37 Troubleshooting Using Recovery Procedures If you have not configured a standby command switch, and your command switch loses power or fails in some other way, management contact with the member switches is lost, and you must install a new command switch.
  • Page 890: Replacing A Failed Command Switch With Another Switch

    Chapter 37 Troubleshooting Using Recovery Procedures Basic management setup configures only enough connectivity for management of the system, extended setup will ask you to configure each interface on the system Would you like to enter basic management setup? [yes/no]: Enter Y at the first prompt. Step 10 The prompts in the setup program vary depending on the member switch you selected to be the command switch:...
  • Page 891 Chapter 37 Troubleshooting Using Recovery Procedures Step 3 At the switch prompt, enter privileged EXEC mode: Switch> enable Switch# Step 4 Enter the password of the failed command switch. Step 5 Use the setup program to configure the switch IP information. This program prompts you for IP address information and passwords.
  • Page 892: Recovering From Lost Member Connectivity

    ID, and recompute the security code and CRC. If the serial number, the vendor name or vendor ID, the security code, or CRC is invalid, the switch places the interface in an error-disabled state. Note If you are using a non-Cisco approved CWDM GBIC module, remove the GBIC module from the switch, and replace it with a Cisco-approved module.
  • Page 893: Diagnosing Connectivity Problems

    Troubleshooting Diagnosing Connectivity Problems After inserting a Cisco-approved GBIC module, use the errdisable recovery cause gbic-invalid global configuration command to verify the port status, and enter a time interval for recovering from the error-disabled state. After the elapsed interval, the switch brings the interface out of the error-disabled state and retries the operation.
  • Page 894: Using Ip Traceroute

    Chapter 37 Troubleshooting Diagnosing Connectivity Problems Beginning in privileged EXEC mode, use this command to ping another device on the network from the switch: Command Purpose ping [ip] {host | address} Ping a remote host through IP or by supplying the host name or network address.
  • Page 895: Understanding Ip Traceroute

    Chapter 37 Troubleshooting Diagnosing Connectivity Problems Understanding IP Traceroute You can use IP traceroute to identify the path that packets take through the network on a hop-by-hop basis. The command output displays all network layer (Layer 3) devices, such as routers, that the traffic passes through on the way to the destination.
  • Page 896: Using Layer 2 Traceroute

    Chapter 37 Troubleshooting Diagnosing Connectivity Problems This example shows how to perform a traceroute to an IP host: Switch# traceroute ip 171.9.15.10 Type escape sequence to abort. Tracing the route to 171.69.115.10 1 172.2.52.1 0 msec 0 msec 4 msec 2 172.2.1.203 12 msec 8 msec 0 msec 3 171.9.16.6 4 msec 0 msec 0 msec 4 171.9.4.5 0 msec 4 msec 0 msec...
  • Page 897: Usage Guidelines

    These are the Layer 2 traceroute usage guidelines: • Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP. If any devices in the physical path are transparent to CDP, the switch cannot identify the path through these devices.
  • Page 898: Displaying The Physical Path

    For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
  • Page 899: Enabling All-System Diagnostics

    Chapter 37 Troubleshooting Using Debug Commands To disable debugging of SPAN, enter this command in privileged EXEC mode: Switch# no debug span-session Alternately, in privileged EXEC mode, you can enter the undebug form of the command: Switch# undebug span-session To display the state of each debugging option, enter this command in privileged EXEC mode: Switch# show debugging Enabling All-System Diagnostics Beginning in privileged EXEC mode, enter this command to enable all-system diagnostics:...
  • Page 900: Using The Debug Autoqos Command

    Step 3 interface interface-id Enter interface configuration mode, and specify the interface that is connected to a Cisco IP Phone. You also can specify the uplink interface that is connected to another switch or router in the interior of the network.
  • Page 901: Using The Show Forward Command

    Chapter 37 Troubleshooting Using the show forward Command Using the show forward Command The output from the show forward privileged EXEC command has some useful information about the disposition of a packet entering an interface. Depending upon the parameters entered about the packet, the output shows lookup table results, maps and masks used to calculate forwarding destinations, bitmaps, and egress information.
  • Page 902: Using The Crashinfo File

    The information in the file includes the software image name and version that failed, a dump of the processor registers, and a stack trace. You can give this information to the Cisco technical support representative by using the show tech-support privileged EXEC command.
  • Page 903: Supported Mibs

    This appendix lists the Catalyst 3550 supported management information bases (MIBs) for this release. It contains these sections: • MIB List, page A-1 • Using FTP to Access the MIB Files, page A-3 MIB List • BRIDGE-MIB (RFC1493) • CISCO-BULK-FILE-MIB • CISCO-CDP-MIB • CISCO-CLUSTER-MIB • CISCO_CONFIG_COPY_MIB • ...
  • Page 904: Appendix A Supported Mib

    You can also check this URL for a list of MIBs supported by the Catalyst 3550 switch: ftp://ftp.cisco.com/pub/mibs/supportlists/cat3550/cat3550-supportlist.html You can access other information about MIBs and Cisco products on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml ...
  • Page 905: Using Ftp To Access The Mib Files

    Using FTP to Access the MIB Files Using FTP to Access the MIB Files You can obtain each MIB file by using this procedure: Step 1 Use FTP to access the server ftp.cisco.com. Step 2 Log in with the username anonymous. Step 3 Enter your e-mail username when prompted for the password.
  • Page 906: Using FTP To Access The MIB Files

    Appendix A Supported MIBs: Using FTP to Access the MIB Files...
  • Page 907: Working With The Flash File System

    Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This appendix consists of these sections: •...
  • Page 908: Displaying Available File Systems

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Displaying Available File Systems To display the available file systems on your switch, use the show file systems privileged EXEC...
  • Page 909: Appendix B Working With The Cisco IOS File System, Configuration Files, And Software Images

    Setting the Default File System. You can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command.
  • Page 910: Creating And Removing Directories

    Creating and Removing Directories. Beginning in privileged EXEC mode, follow these steps to create and remove a directory: Command Purpose...
  • Page 911: Deleting Files

    Some invalid combinations of source and destination exist. Specifically, you cannot copy these combinations: • From a running configuration to a running configuration •...
  • Page 912: Displaying The Contents Of A Tar File

    For destination-url, specify the destination URL alias for the local or network file system and the name of the tar file to create. These options are supported: •...
  • Page 913: Extracting A Tar File

    This example shows how to display only the c3550-i5q3l2-mz.121-6.EA1/html directory and its contents: Switch# archive tar /table flash:c3550-tv0-m.tar c3550-i5q3l2-mz.121-6.EA1/html c3550-i5q3l2-mz.121-6.EA1/html/ (directory) c3550-i5q3l2-mz.121-6.EA1/html/foo.html (0 bytes)
  • Page 914: Working With Configuration Files

    Working with Configuration Files. This section describes how to create, load, and maintain configuration files. You can create a basic configuration file by using the setup program or by entering the setup privileged EXEC command. For more information, see Chapter 4, “Assigning the Switch IP Address and Default Gateway.”...
  • Page 915: Configuration File Types And Location

    • If passwords already exist, you cannot enter the enable secret secret-password global configuration command in the file because the password verification will fail. If you enter a password in the configuration file, the switch mistakenly attempts to execute the passwords as commands as it executes the file.
  • Page 916: Copying Configuration Files By Using TFTP

    Copying Configuration Files By Using TFTP. You can configure the switch by using configuration files you create, download from another switch, or download from a TFTP server.
  • Page 917: Uploading The Configuration File By Using TFTP

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
  • Page 918: Preparing To Download Or Upload A Configuration File By Using FTP

    • The username set by the ip ftp username username global configuration command if the command is configured. • Anonymous. The switch sends the first valid password in this list: •...
  • Page 919: Downloading A Configuration File By Using FTP

    Downloading a Configuration File By Using FTP. Beginning in privileged EXEC mode, follow these steps to download a configuration file by using FTP:...
  • Page 920: Uploading A Configuration File By Using FTP

    Uploading a Configuration File By Using FTP. Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using FTP:...
  • Page 921: Copying Configuration Files By Using RCP

    RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: •...
  • Page 922: Downloading A Configuration File By Using RCP

    • When you upload a file to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server.
  • Page 923: Uploading A Configuration File By Using RCP

    This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101...
  • Page 924: Clearing Configuration Information

    Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you delete a file. By default, the switch prompts for confirmation on destructive file operations. For more information about the file prompt command, refer to the Cisco IOS Command Reference for Release 12.1.
  • Page 925: Image Location On The Switch

    Image Location on the Switch The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the HTML files needed for web management. The image is stored on the system board Flash memory (flash:).
  • Page 926: Copying Image Files By Using TFTP

    ...Flash space is required to hold just the Cisco IOS image. total_image_file_size: Specifies the size of all the images (the Cisco IOS image and the HTML files) in the tar file, which is an approximate measure of how much Flash space is required to hold them...
  • Page 927: Downloading An Image File By Using TFTP

    Working with Software Images • Ensure that the switch has a route to the TFTP server. The switch and the TFTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the TFTP server by using the ping command.
  • Page 928 Step 3. Command: archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar. Purpose: Download the image file from the TFTP server to the switch, and overwrite the current image.
  • Page 929: Uploading An Image File By Using TFTP

    The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, the HTML files, and info.ver. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 930: Preparing To Download Or Upload An Image File By Using FTP

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: The username specified in the archive download-sw or archive upload-sw privileged EXEC •...
  • Page 931: Downloading An Image File By Using FTP

    Downloading an Image File By Using FTP. You can download a new image file and overwrite the current image or keep the current image.
  • Page 932: Uploading An Image File By Using FTP

    Step 8. Command: archive download-sw /leave-old-sw /reload ftp:[[//username[:password]@location]/directory]... Purpose: Download the image file from the FTP server to the switch, and keep the current image.
  • Page 933: Copying Image Files By Using RCP

    The archive upload-sw command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, the HTML files, and info.ver. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 934: Preparing To Download Or Upload An Image File By Using RCP

    RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username in this list: The username specified in the archive download-sw or archive upload-sw privileged EXEC •...
  • Page 935: Downloading An Image File By Using RCP

    • When you upload an image to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server.
  • Page 936 Step 6. Command: archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-na... Purpose: Download the image file from the RCP server to the switch, and overwrite the current image.
  • Page 937: Uploading An Image File By Using RCP

    The algorithm installs the downloaded image onto the system board Flash device (flash:). The image is placed in a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
  • Page 938 The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, the HTML files, and info.ver. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 939: Access Control Lists

    Appendix C Unsupported CLI Commands in Cisco IOS Release 12.1(19)EA1. This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Catalyst 3550 switch prompt but are not supported in this release, either because they are not tested or because of Catalyst 3550 hardware limitations.
  • Page 940: Fallback Bridging

    FallBack Bridging Unsupported Privileged EXEC Commands: clear bridge [bridge-group] multicast [router-ports | groups | counts] [group-address] [interface-unit] [counts]; clear vlan statistics; show bridge [bridge-group] circuit-group [circuit-group] [src-mac-address] [dst-mac-address]; ...
  • Page 941: HSRP

    HSRP. bridge-group bridge-group input-pattern-list access-list-number; bridge-group bridge-group input-type-list access-list-number; bridge-group bridge-group lat-compression; bridge-group bridge-group output-address-list access-list-number; bridge-group bridge-group output-lat-service-deny group-list; bridge-group bridge-group output-lat-service-permit group-list; bridge-group bridge-group output-lsap-list access-list-number; bridge-group bridge-group output-pattern-list access-list-number; ...
  • Page 942: Interface Configuration Commands

    Note These commands were replaced in Cisco IOS Release 12.1(8)EA1 by the storm-control {broadcast | multicast | unicast} level level [.level] interface configuration command. IP Multicast Routing Unsupported Privileged EXEC Commands: clear ip rtp header-compression [type number]. The debug ip packet command displays packets received by the switch CPU.
  • Page 943: Unsupported Interface Configuration Commands

    IP Unicast Routing Unsupported Interface Configuration Commands: frame-relay ip rtp header-compression [active | passive]; frame-relay map ip ip-address dlci [broadcast] compress; frame-relay map ip ip-address dlci rtp header-compression [active | passive]; ...
  • Page 944: Unsupported Global Configuration Commands

    IP Unicast Routing Unsupported Global Configuration Commands: ip accounting-list ip-address wildcard; ip accounting-transits count; ip cef accounting [per-prefix] [non-recursive]; ip cef traffic-statistics [load-interval seconds] [update-rate seconds]; ip flow-aggregation; ip flow-cache; ...
  • Page 945: Unsupported VPN Configuration Commands

    MSDP. neighbor description; network backdoor; table-map. Unsupported VPN Configuration Commands. Note The switch does support the multi-VPN routing/forwarding (multi-VRF) commands shown in the command reference for this release. Unsupported Route Map Commands...
  • Page 946: Unsupported Global Configuration Commands

    Network Address Translation (NAT) commands. Unsupported Global Configuration Commands: ip msdp default-peer ip-address | name [prefix-list list] (Because BGP/MBGP is not supported, use the ip msdp peer command instead of this command.)
  • Page 947: SNMP

    SNMP Unsupported Global Configuration Commands: snmp-server enable informs; snmp-server enable traps flash insertion; snmp-server enable traps flash removal; snmp-server ifindex persist. Spanning Tree Unsupported Global Configuration Commands: spanning-tree etherchannel guard misconfig; ...
  • Page 948 VLAN
  • Page 949 Index access-denied response, VMPS 12-27 Numerics access groups 144-bit Layer 3 TCAM 7-28, 31-68 28-21 802.1D Layer 3 28-21 See STP accessing 802.1Q clusters, switch 6-16 and trunk ports 10-3 command switches 6-13 configuration limitations 12-18 member switches 6-16 encapsulation...
  • Page 950 Index to Layer 2 and Layer 3 interfaces matching 28-20 28-8, 28-21, 28-28 to QoS 29-7 merge failure examples 28-46 classifying traffic for QoS monitoring 29-36 28-41 comments in named 28-19 28-15 compatibility on the same switch 28-2 not fitting in hardware 28-45 compiling number per QoS class map...
  • Page 951 Index multicast group address range 34-1 configuring 31-9 STP address management defined 16-8 31-8 static encapsulation 31-10 adding and removing 7-25 static cache configuration 31-9 defined support for 7-20 address resolution ASBRs 31-8 31-29 Address Resolution Protocol AS-path filters, BGP 31-54 See ARP asymmetrical links, and 802.1Q tunneling...
  • Page 952 Index different VLANs management VLANs 6-8, 6-9 aggregate addresses 31-60 non-CDP-capable devices aggregate routes, configuring 31-60 non-cluster-capable devices CIDR 31-60 routed ports 6-10 clear commands 31-63 creating a cluster standby group community filtering 6-22 31-56 in switch clusters configuring neighbors 31-58 See also CDP default configuration...
  • Page 953 34-11 CAMs, ACLs not loading in 28-45 server support only 34-11 candidate switch switch support of adding 6-20 CIDR 31-60 automatic discovery Cisco Discovery Protocol defined See CDP 6-23 passwords 6-20...
  • Page 954 6-25 See CEF no and default forms of commands Cisco Group Management Protocol client mode, VTP 13-3 See CGMP clock Cisco Intelligence Engine 2100 Series Configuration See system clock Registrar clusters, switch See IE2100 accessing 6-16 Cisco IOS File System...
  • Page 955 Index cluster standby group recovery and HSRP group 32-10 from command-switch failure 6-13 automatic recovery from failure 6-15 37-6 considerations from lost member connectivity 6-13 37-10 creating 6-22 redundant 6-12, 6-22 defined replacing requirements with another switch 37-8 virtual IP address 6-13 with cluster member 37-7...
  • Page 956 Index guidelines for creating and using CoS-to-DSCP map for QoS 29-52 invalid combinations when copying CoS-to-egress-queue map 29-57 limiting TFTP server access counters, clearing interface 27-15 10-21 obtaining with DHCP CPU q, in show forward command output 37-20 password recovery disable considerations crashinfo file 37-20 specifying the filename...
  • Page 957 Index UDLD 22-2 23-4 DHCP 19-3 VLAN, Layer 2 Ethernet interfaces 12-19 VLANs 7-17 12-7 EIGRP VMPS 31-39 12-30 EtherChannel 30-8 voice VLAN 14-2 fallback bridging 36-3 13-6 HSRP WCCP 32-4 33-5 IGMP 34-31 default gateway 4-10, 31-11 IGMP filtering 20-22 default networks 31-78...
  • Page 958 Index enabling document conventions xxxvi relay agent 19-6 domain names relay agent information option 19-6 7-16 forwarding address, specifying 19-7 13-8 helper address 19-7 Domain Name System overview See DNS 19-2 policy for reforwarding dot1q-tunnel switchport mode 19-7 12-17 reforwarding policy 19-7 double-tagged packets support for...
  • Page 959 Index enabling unicast routing Dynamic Host Configuration Protocol 34-50 interoperability See DHCP-based autoconfiguration with Cisco devices dynamic port VLAN membership 34-44 with Cisco IOS software described 34-11 12-28 mrinfo requests, responding to 34-49 reconfirming 12-32, 12-33 neighbors troubleshooting 12-34 advertising the default route to...
  • Page 960 Index error messages port-channel interfaces during command entry described 30-2 setting the display destination device numbering of 26-4 30-3 severity levels port groups 26-8 10-5 system message format 26-2 source MAC address forwarding 30-6 EtherChannel support for automatic creation of EtherChannel guard 30-3 channel groups...
  • Page 961 Index external BGP path cost 36-9 See EBGP switch priority 36-8 external neighbors, BGP VLAN-bridge STP 31-48 36-1, 36-2 support for SVIs and routed ports 36-1 VLAN-bridge STP 16-10 fallback VLAN name 12-28 fallback bridging Fast Uplink Transition Protocol 18-6 and protected ports 36-4 feature manager, ACL...
  • Page 962 Index Flash device, number of CWDM module 1-19 Flash updates, IGRP 31-25 GigaStack module 1-10 flooded traffic, blocking security and identification 21-6 37-10 flow-based packet classification get-bulk-request operation 27-3 flowcharts get-next-request operation 27-3, 27-4 QoS classification get-request operation 29-6 27-3, 27-4 QoS policing and marking get-response operation 29-10...
  • Page 963 Index hosts, limit on dynamic ports IE2100 12-34 Hot Standby Router Protocol CNS embedded agents See HSRP described HP OpenView enabling automated configuration HSRP enabling configuration agent authentication string enabling event agent 32-9 automatic cluster recovery Configuration Registrar 6-15 binding to cluster group 32-10 configID, deviceID, hostname cluster standby group considerations...
  • Page 964 Index Version 1 IGMP throttling changing to Version 2 34-32 configuring 20-25 hosts joining a group default configuration 34-3 20-22 hosts leaving a group described 34-3 20-22 membership queries 34-3 displaying action 20-27 overview 34-3 31-29 query-response model IGRP 34-3 Version 2 advertisements 31-24...
  • Page 965 See IDS all-hosts 34-1 inventory, cluster 6-24 all-multicast-routers 34-1 IOS File System all-PIM-routers 34-10 See IFS Cisco-RP-Announce 34-8 ip access-group command 28-21 Cisco-RP-Discovery 34-8 IP ACLs host group address range 34-1 applying to an interface administratively-scoped boundaries, described 28-19...
  • Page 966 Auto-RP 34-5 34-18 overview 34-8 configuring PIMv2 BSR 34-22 using with Auto-RP 34-27 monitoring mapping information 34-27 Cisco implementation using Auto-RP and BSR 34-2 34-27 configuring statistics, displaying system and network 34-58 basic multicast routing 34-15 TTL thresholds, described 34-40...
  • Page 967 Index IP traceroute dynamic 31-2 executing 37-13 link-state 31-2 overview proxy ARP 37-13 31-8 IP unicast routing redistribution 31-79 address resolution 31-8 reverse address resolution 31-8 administrative distances routed ports 31-77, 31-87 31-3 static routing 31-8 31-2 assigning IP addresses to Layer 3 interfaces 31-6 steps to configure 31-3...
  • Page 968 Index Kerberos IP addresses and subnets 37-15 authenticating to MAC addresses and VLANs 37-15 boundary switch multicast traffic 8-35 37-15 multiple devices on a port 8-35 37-15 network services 8-35 unicast traffic 37-14 configuration examples usage guidelines 8-32 37-15 configuring Layer 2 trunks 8-35 12-16...
  • Page 969 Index mac access-group command 28-28 overview MAC ACLs and Layer 2 interfaces 28-28 management VLAN MAC addresses considerations in switch clusters 6-8, 6-9 aging time 7-22 discovery through different management VLANs and VLAN association 7-21 discovery through same management VLAN building the address table 7-21 mapping tables for QoS...
  • Page 970 Index memory, optimizing fit in hardware 7-27 28-45 menu bar information 28-41 variations 31-63 messages cables for unidirectional links 23-1 logging ACL violations 28-16 22-5 messages to users through banners 7-18 31-76 metrics, in BGP EIGRP 31-52 31-43 metric translations, between routing protocols 31-82 fallback bridging 36-12...
  • Page 971 Index VLANs monitoring 12-15 35-19 VMPS 12-34 restricting advertised sources 35-9 MSTP 13-15 MSDP boundary ports and dense-mode regions configuration guidelines 17-13 sending SA messages to described 35-17 17-5 specifying the originating address BPDU filtering 35-18 benefits of 35-3 described 18-3 clearing MSDP connections and statistics 35-19...
  • Page 972 Index effects on secondary root switch multicast groups 17-16 unexpected behavior 17-15 and IGMP snooping 20-6 instances supported Immediate Leave 16-9 20-5 interface state, blocking to forwarding joining 18-2 20-3 interoperability and compatibility among modes 16-10 leaving 20-4 interoperability with 802.1D static joins 20-9 described...
  • Page 973 Index modes note, described 20-17 xxxvi monitoring 20-20 not-so-stubby areas setting global parameters See NSSA 20-17 support for NSSA, OSPF 31-33 associations authenticating named IP ACLs 28-15 defined NameSpace Mapper enabling broadcast messages See NSM peer native VLAN server and 802.1Q tunneling 15-4 default configuration configuring...
  • Page 974 Index default configuration path cost metrics 31-34 MSTP 17-18 route 31-34 16-18 settings 31-30 described 31-29 defined 31-82 interface parameters, configuring enabling 31-32 31-84 LSA group pacing fast-switched policy-based routing 31-36 31-84 monitoring 31-37 local policy-based routing 31-84 router IDs 31-36 support for route summarization...
  • Page 975 Index support for port-based authentication versions authentication server interoperability defined 34-14 supported RADIUS server 34-5 troubleshooting interoperability problems 34-28 client, defined v2 improvements configuration guidelines 34-5 9-10 PIM-DVMRP, as snooping method configuring 20-8 ping 802.1X authentication 9-11 character output description 37-12 guest VLAN 9-17...
  • Page 976 Index support for violations 21-9 switch with other features 21-10 as proxy port-shutdown response, VMPS 12-27 RADIUS client power, inline 10-14 topologies, supported preferential treatment of traffic port blocking See QoS 1-2, 21-6 port-channel prefix lists, BGP 31-55 See EtherChannel preventing unauthorized access Port Fast priority...
  • Page 977 Index for VTP pruning class maps 13-4 VLANs 13-14 configuring per physical port 29-39 publications, related configuring per-port per-VLAN xxxvi 29-41 PVST+ displaying 29-69 802.1Q trunking interoperability 16-10 configuration examples described distribution layer 16-9 29-72 instances supported existing wiring closet 16-9 29-70 intelligent wiring closet...
  • Page 978 Index mapping tables WRED drop-percentage thresholds 29-13, 29-61 CoS-to-DSCP 29-52 WRR scheduling 29-63 CoS-to-egress-queue scheduling 29-57 displaying allocating bandwidth on 10/100 Ethernet ports 29-69 29-67 DSCP-to-CoS 29-54 allocating bandwidth on Gigabit-capable ports 29-63 DSCP-to-DSCP-mutation defined 29-55 29-4 DSCP-to-threshold support for 29-60 IP-precedence-to-DSCP 29-52...
  • Page 979 Index identifying the server features 8-20 in clusters 6-17 HSRP 32-1 limiting the services to the user 8-27 method list, defined backbone 8-20 16-7 operation of 8-19 multidrop backbone 18-5 overview path cost 8-18 12-25 suggested network environments port priority 8-18 12-24 tracking services accessed by user...
  • Page 980 Index 1253, OSPF routed packets, ACLs on 31-29 28-39 1267, BGP 31-44 routed ports 1305, NTP configuring 31-3 1587, NSSAs defined 31-29 10-4 1757, RMON 25-2 in switch clusters 6-10 1771, BGP IP addresses on 31-44 10-18, 31-3 1901, SNMPv2C route-map command, for policy-based routing 27-2 31-84...
  • Page 981 Index defined 24-3 limiting source traffic to specific VLANs 24-22 configuring 7-30 monitoring VLANs described 24-21 7-27 removing source (monitored) ports templates 24-20 specifying monitored ports 24-17 number of 7-27 source ports resources used for Fast Ethernet switches 24-4 7-28 transmitted traffic resources used for Gigabit Ethernet switches 24-4...
  • Page 982 Index show tcam command notifications 28-43 27-5 shutdown command on interfaces 10-22 overview 27-1, 27-4 shutdown threshold for Layer 2 protocol packets status, displaying 15-10 27-17 Simple Network Management Protocol system contact and location 27-15 See SNMP trap manager, configuring 27-12, 27-14 SmartPort macros traps...
  • Page 983 Index removing destination (monitoring) ports clearing 24-13 B-18 removing source (monitored) ports 24-13 configuration file specifying monitored ports automatically downloading 24-10 4-12 source ports specifying the filename 24-4 4-13 transmitted traffic 24-4 default boot configuration 4-12 VLAN-based static access ports 24-6 spanning tree and native VLANs assigning to VLAN...
  • Page 984 Index extended system ID accelerating root port selection 18-4 affects on root switch 16-14 BackboneFast affects on the secondary root switch 16-16 described overview 18-10 16-3 enabling 18-20 unexpected behavior 16-15 BPDU filtering features supported described inferior BPDU 18-3 16-3 enabling 18-16 instances supported...
  • Page 985 Index root guard switchport command 10-11 described 18-12 switchport mode dot1q-tunnel command 15-6 enabling switchport protected command 18-21 21-5 root port, defined switch priority 16-3 root switch MSTP 17-19 affects of extended system ID 16-3, 16-14 16-20 configuring switch software features 16-14 election 16-3...
  • Page 986 Index UNIX syslog servers tagged packets configuring the daemon 26-11 802.1Q 15-3 configuring the logging facility Layer 2 protocol 26-11 15-7 facilities supported tail drop 26-12 system MTU described 29-13 802.1Q tunneling support for 15-5 maximums tar files 15-5 system name creating default configuration 7-15...
  • Page 987 Index TFTP server notification types 27-11 threshold, traffic level 21-2 overview 27-1, 27-4 time troubleshooting See NTP and system clock connectivity problems 37-11 time-range command 28-17 detecting unidirectional links 23-1 time ranges in ACLs determining packet disposition 28-17 37-19 time stamps in log messages displaying crash information 26-7 37-20...
  • Page 988 Index tunnel ports UniDirectional Link Detection protocol 802.1Q, configuring 15-6 See UDLD 802.1Q and ACLs UNIX syslog servers 28-3 defined daemon configuration 12-3 26-11 described 10-4, 15-1 facilities supported 26-12 incompatibilities with other features message logging configuration 15-5 26-11 twisted-pair Ethernet, detecting unidirectional links unrecognized Type-Length-Value (TLV) support 23-1 13-4...
  • Page 989 Index Virtual Private Network VLAN membership See VPN confirming 12-32 virtual router modes 32-1, 32-3 12-3 vlan.dat file VLAN Query Protocol 12-4 VLAN 1 minimization, support for See VQP VLAN ACLs VLANs See VLAN maps adding 12-8 VLAN configuration adding to VLAN database 12-8 at bootup 12-7...
  • Page 990 12-32 saving 13-7 retry count, changing VLAN configuration mode 12-33 13-7 voice VLAN configuration mode options 13-7 Cisco 7960 phone, port connections 14-1 configuration requirements 13-9 configuration guidelines configuration revision number 14-3 configuring IP phones for data traffic guideline 13-14...
  • Page 991 Index disabling displaying 13-11 33-9 domain names 13-8 enabling 33-6 domains features unsupported 13-2 33-4 Layer 2 protocol tunneling forwarding method 15-7 33-3 modes Layer-2 header rewrite 33-3 client MD5 security 13-3, 13-10 33-4 server message exchange 13-3, 13-9 33-3 transitions 13-3 monitoring and maintaining...
  • Page 992 Index