Cisco WS-C3750-48PS-S Software Configuration Manual


Catalyst 3750 Switch
Software Configuration Guide
Cisco IOS Release 12.2(20)SE
May 2004
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7816180=
Text Part Number: 78-16180-02


Summary of Contents for Cisco WS-C3750-48PS-S

  • Page 2 CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE,...
  • Page 3: Table Of Contents

    Cisco.com xxxvii Ordering Documentation xxxviii Documentation Feedback xxxviii Obtaining Technical Assistance xxxviii Cisco Technical Support Website xxxix Submitting a Service Request xxxix Definitions of Service Request Severity xxxix Obtaining Additional Publications and Information; Overview (Chapter 1)...
  • Page 4 Contents Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features Enabling and Disabling Editing Features Editing Commands through Keystrokes Editing Command Lines that Wrap Searching and Filtering Output of show and more Commands Accessing the CLI Accessing the CLI through a Console Connection or through Telnet Accessing the CLI from a Browser...
  • Page 5 Contents Assigning the Switch IP Address and Default Gateway (Chapter 4) Understanding the Boot Process Assigning Switch Information Default Switch Information Understanding DHCP-Based Autoconfiguration DHCP Client Request Process Configuring DHCP-Based Autoconfiguration DHCP Server Configuration Guidelines Configuring the TFTP Server Configuring the DNS Configuring the Relay Device...
  • Page 6 Contents Compatibility Recommendations 5-11 Incompatible Software and Stack Member Image Upgrades 5-11 Stack Protocol Version Compatibility 5-11 Switch Stack Configuration Files 5-12 Additional Considerations for System-Wide Configuration on Switch Stacks 5-13 Switch Stack Management Connectivity 5-14 Connectivity to the Switch Stack Through an IP Address 5-14 Connectivity to the Switch Stack Through an SSH Session 5-14...
  • Page 7 Contents SNMP Community Strings 6-14 Switch Clusters and Switch Stacks 6-14 TACACS+ and RADIUS 6-16 Access Modes in CMS 6-16 LRE Profiles 6-17 Availability of Switch-Specific Features in Switch Clusters 6-17 Creating a Switch Cluster 6-17 Enabling a Cluster Command Switch 6-17 Adding Cluster Member Switches 6-18...
  • Page 8 Contents Displaying the DNS Configuration 7-18 Creating a Banner 7-18 Default Banner Configuration 7-18 Configuring a Message-of-the-Day Login Banner 7-19 Configuring a Login Banner 7-20 Managing the MAC Address Table 7-20 Building the Address Table 7-21 MAC Addresses and VLANs 7-21 MAC Addresses and Switch Stacks 7-22...
  • Page 9 Contents Logging into and Exiting a Privilege Level 9-10 Controlling Switch Access with TACACS+ 9-10 Understanding TACACS+ 9-10 TACACS+ Operation 9-12 Configuring TACACS+ 9-13 Default TACACS+ Configuration 9-13 Identifying the TACACS+ Server Host and Setting the Authentication Key 9-13 Configuring TACACS+ Login Authentication 9-14 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 9-16...
  • Page 10 Contents Setting Up the Switch to Run SSH 9-39 Configuring the SSH Server 9-40 Displaying the SSH Configuration and Status 9-41 Configuring 802.1x Port-Based Authentication 10-1 (Chapter 10) Understanding 802.1x Port-Based Authentication 10-1 Device Roles 10-2 Authentication Initiation and Message Exchange 10-3...
  • Page 11 Understanding Smartports Macros 12-1 Configuring Smartports Macros 12-2 Default Smartports Macro Configuration 12-2 Smartports Macro Configuration Guidelines 12-3 Creating Smartports Macros 12-4 Applying Smartports Macros 12-5 Applying Cisco-Default Smartports Macros 12-6 Displaying Smartports Macros 12-8...
  • Page 12 Contents Configuring VLANs 13-1 (Chapter 13) Understanding VLANs 13-1 Supported VLANs 13-3 VLAN Port Membership Modes 13-3 Configuring Normal-Range VLANs 13-5 Token Ring VLANs 13-6 Normal-Range VLAN Configuration Guidelines 13-6 VLAN Configuration Mode Options 13-7 VLAN Configuration in config-vlan Mode 13-7 VLAN Configuration in VLAN Database Configuration Mode...
  • Page 13 Contents VMPS Configuration Guidelines 13-29 Configuring the VMPS Client 13-30 Entering the IP Address of the VMPS 13-30 Configuring Dynamic-Access Ports on VMPS Clients 13-30 Reconfirming VLAN Memberships 13-31 Changing the Reconfirmation Interval 13-31 Changing the Retry Count 13-32 Monitoring the VMPS 13-32 Troubleshooting Dynamic-Access Port VLAN Membership 13-33...
  • Page 14 Configuring Voice VLAN 16-3 Default Voice VLAN Configuration 16-3 Voice VLAN Configuration Guidelines 16-3 Configuring a Port Connected to a Cisco 7960 IP Phone 16-4 Configuring IP Phone Voice Traffic 16-4 Configuring the Priority of Incoming Data Frames 16-6 Displaying Voice VLAN...
  • Page 15 Contents Learning State 17-7 Forwarding State 17-7 Disabled State 17-8 How a Switch or Port Becomes the Root Switch or Root Port 17-8 Spanning Tree and Redundant Connectivity 17-9 Spanning-Tree Address Management 17-9 Accelerated Aging to Retain Connectivity 17-9 Spanning-Tree Modes and Protocols 17-10 Supported Spanning-Tree Instances 17-10...
  • Page 16 Contents Understanding RSTP 18-6 Port Roles and the Active Topology 18-7 Rapid Convergence 18-8 Synchronization of Port Roles 18-9 Bridge Protocol Data Unit Format and Processing 18-10 Processing Superior BPDU Information 18-11 Processing Inferior BPDU Information 18-11 Topology Changes 18-11 Configuring MSTP Features 18-12 Default MSTP Configuration...
  • Page 17 21-1 DHCP Server 21-2 DHCP Relay Agent 21-2 DHCP Snooping 21-2 Option-82 Data Insertion 21-3 Cisco IOS DHCP Server Database 21-5 DHCP Snooping Binding Database 21-5 DHCP Snooping and Switch Stacks 21-6 Configuring DHCP Features 21-7 Default DHCP Configuration 21-7...
  • Page 18 Contents Enabling the Cisco IOS DHCP Server Database 21-12 Enabling the DHCP Snooping Binding Database Agent 21-12 Displaying DHCP Snooping Information 21-14 Displaying the DHCP Snooping Configuration 21-14 Displaying the DHCP Snooping Binding Database 21-14 Understanding IP Source Guard 21-15...
  • Page 19 Contents Configuring IGMP Snooping 23-6 Default IGMP Snooping Configuration 23-6 Enabling or Disabling IGMP Snooping 23-7 Setting the Snooping Method 23-7 Configuring a Multicast Router Port 23-9 Configuring a Host Statically to Join a Group 23-10 Enabling IGMP Immediate Leave 23-11 Disabling IGMP Report Suppression 23-11...
  • Page 20 Contents Understanding Port Security 24-7 Secure MAC Addresses 24-7 Security Violations 24-8 Default Port Security Configuration 24-9 Configuration Guidelines 24-10 Enabling and Configuring Port Security 24-10 Enabling and Configuring Port Security Aging 24-14 Port Security and Switch Stacks 24-15 Displaying Port-Based Traffic Control Settings 24-16 Configuring CDP 25-1...
  • Page 21 Contents Monitored Traffic 27-5 Source Ports 27-6 Source VLANs 27-7 VLAN Filtering 27-7 Destination Port 27-8 RSPAN VLAN 27-9 SPAN and RSPAN Interaction with Other Features 27-9 SPAN and RSPAN and Switch Stacks 27-10 Configuring SPAN and RSPAN 27-10 Default SPAN and RSPAN Configuration 27-11 Configuring Local SPAN 27-11...
  • Page 22 Contents Setting the Message Display Destination Device 29-5 Synchronizing Log Messages 29-6 Enabling and Disabling Time Stamps on Log Messages 29-7 Enabling and Disabling Sequence Numbers in Log Messages 29-8 Defining the Message Severity Level 29-9 Limiting Syslog Messages Sent to the History Table and to SNMP 29-10 Configuring UNIX Syslog Servers 29-11...
  • Page 23 Contents ACLs and Switch Stacks 31-6 Configuring IP ACLs 31-6 Creating Standard and Extended IP ACLs 31-7 Access List Numbers 31-7 Creating a Numbered Standard ACL 31-9 Creating a Numbered Extended ACL 31-11 Resequencing ACEs in an ACL 31-15 Creating Named Standard and Extended ACLs 31-15 Using Time Ranges with ACLs 31-17...
  • Page 24 Contents Configuring QoS 32-1 (Chapter 32) Understanding QoS 32-1 Basic QoS Model 32-3 Classification 32-4 Classification Based on QoS ACLs 32-7 Classification Based on Class Maps and Policy Maps 32-7 Policing and Marking 32-8 Mapping Tables 32-10 Queueing and Scheduling Overview 32-11...
  • Page 25 Contents Configuring DSCP Maps 32-49 Configuring the CoS-to-DSCP Map 32-50 Configuring the IP-Precedence-to-DSCP Map 32-50 Configuring the Policed-DSCP Map 32-51 Configuring the DSCP-to-CoS Map 32-52 Configuring the DSCP-to-DSCP-Mutation Map 32-53 Configuring Ingress Queue Characteristics 32-55 Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds 32-56 Allocating Buffer Space Between the Ingress Queues 32-57...
  • Page 26 Contents Configuring the Physical Interfaces 33-16 Configuring EtherChannel Load Balancing 33-18 Configuring the PAgP Learn Method and Priority 33-19 Configuring LACP Hot-Standby Ports 33-20 Configuring the LACP System Priority 33-21 Configuring the LACP Port Priority 33-22 Displaying EtherChannel, PAgP, and LACP Status 33-23 Configuring IP Unicast Routing 34-1...
  • Page 27 Configuring BGP Route Reflectors 34-57 Configuring Route Dampening 34-58 Monitoring and Maintaining BGP 34-59 Configuring Protocol-Independent Features 34-60 Configuring Distributed Cisco Express Forwarding 34-60 Configuring the Number of Equal-Cost Routing Paths 34-62 Configuring Static Unicast Routes 34-62 Specifying Default Routes and Networks 34-63...
  • Page 28 Configuring HSRP Groups and Clustering 35-11 Displaying HSRP Configurations 35-11 Configuring IP Multicast Routing 36-1 (Chapter 36) Understanding Cisco’s Implementation of IP Multicast Routing 36-2 Understanding IGMP 36-2 IGMP Version 1 36-3 IGMP Version 2...
  • Page 29 Contents PIMv1 and PIMv2 Interoperability 36-9 Auto-RP and BSR Configuration Guidelines 36-10 Configuring Basic Multicast Routing 36-10 Configuring a Rendezvous Point 36-12 Manually Assigning an RP to Multicast Groups 36-12 Configuring Auto-RP 36-14 Configuring PIMv2 BSR 36-18 Using Auto-RP and a BSR 36-22 Monitoring the RP Mapping Information 36-23...
  • Page 30 Contents Changing the DVMRP Route Threshold 36-46 Configuring a DVMRP Summary Address 36-47 Disabling DVMRP Autosummarization 36-49 Adding a Metric Offset to the DVMRP Route 36-49 Monitoring and Maintaining IP Multicast Routing 36-50 Clearing Caches, Tables, and Databases 36-51 Displaying System and Network Statistics 36-51 Monitoring IP Multicast Routing 36-52...
  • Page 31 Contents Adjusting Spanning-Tree Parameters 38-6 Changing the VLAN-Bridge Spanning-Tree Priority 38-7 Changing the Interface Priority 38-7 Assigning a Path Cost 38-8 Adjusting BPDU Intervals 38-9 Disabling the Spanning Tree on an Interface 38-11 Monitoring and Maintaining Fallback Bridging 38-11 Troubleshooting 39-1 (Chapter 39) Recovering from Corrupted Software By Using the Xmodem Protocol...
  • Page 32 Appendix A: MIB List; Using FTP to Access the MIB Files. Appendix B: Working with the Cisco IOS File System, Configuration Files, and Software Images; Working with the Flash File System...
  • Page 33 Working with Software Images B-20 Image Location on the Switch B-20 tar File Format of Images on a Server or Cisco.com B-21 Copying Image Files By Using TFTP B-22 Preparing to Download or Upload an Image File By Using TFTP...
  • Page 34 Contents IP Multicast Routing Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands IP Unicast Routing Unsupported Privileged EXEC or User EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands Unsupported BGP Router Configuration Commands Unsupported VPN Configuration Commands Unsupported Route Map Commands MAC Address Commands Unsupported Privileged EXEC Commands...
  • Page 35 This guide is for the networking professional managing the Catalyst 3750 switch, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
  • Page 36 Preface, Conventions. This publication uses these conventions to convey instructions and information. Command descriptions use these conventions: commands and keywords are in boldface text; arguments for which you supply values are in italic; square brackets ([ ]) mean optional elements...
  • Page 37: Related Publications

    For upgrading information, refer to the “Downloading Software” section in the release notes. You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section on page xxxvii.
  • Page 38: Ordering Documentation

    Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
  • Page 39: Cisco Technical Support Website

    URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 40: Obtaining Additional Publications And Information

    Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL: http://cisco.com/univercd/cc/td/doc/pcat/...
  • Page 41 Some features noted in this chapter are available only on the cryptographic (that is, supports encryption) versions of the SMI and EMI. You must obtain authorization to use this feature and to download the cryptographic version of the software from Cisco.com. For more information, refer to the release notes for this release.
  • Page 42: Chapter 1 Overview

    For more information about Express Setup, refer to the hardware installation guide. User-defined and Cisco-default Smartports macros for creating custom switch configurations for simplified deployment across the network. Cluster Management Suite (CMS) graphical user interface (GUI) for...
  • Page 43 Using a single IP address and configuration file to manage the entire switch stack. Automatic Cisco IOS version-check of new stack members with the option to automatically load images from the stack master or from a TFTP server...
  • Page 44 For more information about CMS, see Chapter 3, “Getting Started with CMS.” CLI—The Cisco IOS CLI software is enhanced to support desktop- and multilayer-switching features. You can access the CLI either by connecting your management station directly to the switch console port or by using Telnet from a remote management station.
  • Page 45 Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source. Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses. In-band management access through CMS over a Netscape Communicator or Microsoft Internet...
  • Page 46 Flex Link Layer 2 interfaces to back up one another as an alternative to STP for basic link redundancy. RPS support through the Cisco RPS 300 and Cisco RPS 675 for enhancing power reliability. VLAN Features: support for up to 1005 VLANs for assigning users to VLANs associated with appropriate network...
  • Page 47 Chapter 1 Overview, Features. Protected port option for restricting the forwarding of traffic to designated ports on the same switch. Port security option for limiting and identifying MAC addresses of the stations allowed to access the port. Port security aging to set the aging time for secure addresses on a port. BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs...
  • Page 48 Trusted port states (CoS, DSCP, and IP precedence) within a QoS domain and with a port bordering another QoS domain. Trusted boundary for detecting the presence of a Cisco IP phone, trusting the CoS value received, and ensuring port security. Policing: traffic-policing policies on the switch port for managing how much of the port bandwidth...
  • Page 49 Power over Ethernet (PoE) Features. Ability to provide power to connected Cisco pre-standard and IEEE 802.3af-compliant powered devices from all 10/100 Ethernet ports if the switch detects that there is no power on the circuit. 24-port PoE switch provides 15.4 W of power on each 10/100 port; 48-port PoE switch provides...
  • Page 50: Default Settings After Initial Switch Configuration

    “Configuring Interface Characteristics.” Auto-MDIX is enabled. For more information, see Chapter 11, “Configuring Interface Characteristics.” Note: in releases earlier than Cisco IOS Release 12.2(18)SE, the default setting for auto-MDIX is disabled.
  • Page 51: Default Settings After Initial Switch Configuration

    Chapter 1 Overview, Default Settings After Initial Switch Configuration. Flow control is off. For more information, see Chapter 11, “Configuring Interface Characteristics.” PoE is autonegotiate. For more information, see Chapter 11, “Configuring Interface Characteristics.” No Smartports macros are defined. For more information, see Chapter 12, “Configuring Smartports...
  • Page 52: Network Configuration Examples

    Chapter 1 Overview, Network Configuration Examples. CDP is enabled. For more information, see Chapter 25, “Configuring CDP.” UDLD is disabled. For more information, see Chapter 26, “Configuring UDLD.” SPAN and RSPAN are disabled. For more information, see Chapter 27, “Configuring SPAN and RSPAN.”...
  • Page 53: Network Configuration Examples

    Chapter 1 Overview, Network Configuration Examples. Table 1-1 Increasing Network Performance. Network demand: too many users on a single network segment and a growing number of users accessing the Internet. Suggested design methods: create smaller network segments so that fewer users share the bandwidth, and use VLANs and IP subnets to place the network resources in the same logical network as the users who access those resources most.
  • Page 54 Chapter 1 Overview, Network Configuration Examples. Table 1-2 Providing Network Services (continued). Network demand: an evolving demand for IP telephony. Suggested design methods: use QoS to prioritize applications such as IP telephony during congestion and to help control both delay and jitter within the network...
  • Page 55 Chapter 1 Overview Network Configuration Examples IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit multilayer switch in the backbone, such as a Catalyst 4500 Gigabit switch or Catalyst 6500 Gigabit switch. Each switch in this configuration provides users with a dedicated 1-Gbps connection to network resources.
  • Page 56 Chapter 1 Overview Network Configuration Examples QoS and policing on the switches provide preferential treatment for certain data streams, if required. They segment traffic streams into different paths for processing. Security features on the switch ensure rapid handling of packets. Dual homing of servers to dual switch stacks with redundant Gigabit EtherChannel and cross-stack EtherChannel provide fault tolerance from the server racks to the core.
  • Page 57: Small To Medium-Sized Network Using Catalyst 3750 Switches

    Data and multimedia traffic are configured on the same VLAN. Voice traffic from the Cisco IP Phones is configured on separate VVIDs. If data, multimedia, and voice traffic are assigned to the same VLAN, only one VLAN can be configured per wiring closet.
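A worked configuration for the kind of access port this section describes, added here as an example rather than taken from the guide: it keeps data traffic and voice traffic on separate VLANs as the text recommends, and applies the port security, port security aging, BPDU guard and trusted-boundary features that the feature list in Chapter 1 names. The VLAN numbers (10 for data, 110 for voice), the interface name, the secure-address limit and the aging time are assumptions chosen for illustration.

```ios
! Added example, not from the Catalyst 3750 guide. Assumed values: data VLAN 10,
! voice VLAN (VVID) 110, port GigabitEthernet1/0/1, one PC behind the phone.
mls qos                                   ! QoS must be enabled globally before trust settings take effect
!
vlan 10
 name DATA
vlan 110
 name VOICE
!
interface GigabitEthernet1/0/1
 description Access port: PC behind Cisco IP Phone
 switchport mode access
 switchport access vlan 10                ! data and multimedia traffic
 switchport voice vlan 110                ! voice traffic on its own VVID
 switchport nonegotiate                   ! never negotiate a trunk with the attached host
 spanning-tree portfast                   ! host-facing port, forward immediately
 spanning-tree bpduguard enable           ! err-disable the port if it ever receives a BPDU
 switchport port-security
 switchport port-security maximum 3       ! phone MAC (may be learned on both VLANs) plus one PC
 switchport port-security violation restrict   ! drop offending frames and log; keep the phone up
 switchport port-security aging time 5    ! minutes; assumed value
 switchport port-security aging type inactivity
 mls qos trust device cisco-phone         ! trusted boundary: trust only while CDP sees a Cisco phone
 mls qos trust cos                        ! and then trust the CoS value the phone marks
!
! Verification (privileged EXEC):
!   show interfaces gigabitethernet1/0/1 switchport
!   show port-security interface gigabitethernet1/0/1
!   show spanning-tree interface gigabitethernet1/0/1 detail
```

With violation mode restrict, a third device plugged in behind the phone is dropped and counted without taking the phone offline; use shutdown instead where an err-disabled port is the alarm you want. The protected port option from the feature list (switchport protected) is deliberately left out: it stops Layer 2 forwarding between protected ports on the same switch, which also blocks direct phone-to-phone traffic there.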
  • Page 58: Large Network Using Catalyst 3750 Switches

    Cisco CallManager controls call processing, routing, and IP phone features and configuration. Users with workstations running Cisco SoftPhone software can place, receive, and control calls from their PCs. Using Cisco IP Phones, Cisco CallManager software, and Cisco SoftPhone software integrates telephony and IP networks, and the IP network supports both voice and data.
  • Page 59 Chapter 1 Overview Network Configuration Examples In the wiring closet, each switch stack has IGMP snooping enabled to efficiently forward multimedia and multicast traffic. QoS ACLs that either drop or mark nonconforming traffic based on bandwidth limits are also configured on each switch stack. VLAN maps provide intra-VLAN security and prevent unauthorized users from accessing critical pieces of the network.
  • Page 60 Chapter 1 Overview, Network Configuration Examples. Figure 1-7 Catalyst 3750 Switch Stacks in Wiring Closets in a Backbone Configuration (figure: Cisco 7x00 routers, Catalyst 6500 multilayer switches, Catalyst 3750 multilayer StackWise switch stacks, IEEE 802.3af-compliant devices)...
  • Page 61: Multidwelling Network Using Catalyst 3750 Switches

    Chapter 1 Overview Network Configuration Examples Multidwelling Network Using Catalyst 3750 Switches A growing segment of residential and commercial customers are requiring high-speed access to Ethernet metropolitan-area networks (MANs). Figure 1-8 shows a configuration for a Gigabit Ethernet MAN ring using multilayer switch stacks as aggregation switches in the mini-point-of-presence (POP) location.
  • Page 62 The CWDM OADM modules on the receiving end separate (or demultiplex) the different wavelengths. For more information about the CWDM SFP modules and CWDM OADM modules, refer to the Cisco CWDM GBIC and CWDM SFP Installation Note.
  • Page 63: Where To Go Next

    Chapter 1 Overview, Where to Go Next. Figure 1-9 Long-Distance, High-Bandwidth Transport Configuration (figure: access layer of Catalyst switches with eight 1-Gbps connections into CWDM OADM modules, an 8-Gbps CWDM link, and Catalyst 4500 multilayer switches at the aggregation layer). Where to Go Next: before configuring the switch, review these sections for startup information: Chapter 2, “Using the Command-Line Interface”...
  • Page 65: Understanding Command Modes

    Chapter 2 Using the Command-Line Interface. This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Catalyst 3750 switch. It contains these sections: Understanding Command Modes, page 2-1...
  • Page 66: Chapter 2 Using The Command-Line Interface

    Chapter 2 Using the Command-Line Interface, Understanding Command Modes. Table 2-1 Command Mode Summary (columns: Mode, Access Method, Prompt, Exit Method, About This Mode). User EXEC: access method, begin a session with your switch; prompt, Switch>; exit method, enter logout or quit; about this mode, use this mode to change terminal settings...
  • Page 67: Understanding The Help System

    Chapter 2 Using the Command-Line Interface Understanding the Help System Understanding the Help System You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 2-2.
  • Page 68: Understanding No And Default Forms Of Commands

    Chapter 2 Using the Command-Line Interface Understanding no and default Forms of Commands Understanding no and default Forms of Commands Almost every configuration command also has a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface.
  • Page 69: Changing The Command History Buffer Size

    Chapter 2 Using the Command-Line Interface Using Command History Changing the Command History Buffer Size By default, the switch records ten command lines in its history buffer. You can alter this number for a current terminal session or for all sessions on a particular line. These procedures are optional. Beginning in privileged EXEC mode, enter this command to change the number of command lines that the switch records during the current terminal session: Switch# terminal history...
  • Page 70: Using Editing Features

    Chapter 2 Using the Command-Line Interface, Using Editing Features. This section describes the editing features that can help you manipulate the command line. It contains these sections: Enabling and Disabling Editing Features, page 2-6 (optional); Editing Commands through Keystrokes, page 2-6 (optional); Editing Command Lines that Wrap, page 2-8...
  • Page 71 Chapter 2 Using the Command-Line Interface Using Editing Features Table 2-5 Editing Commands through Keystrokes (continued) Capability Keystroke Purpose Press Esc Y. Recall the next buffer entry. The buffer contains only the last 10 items that you have deleted or cut. If you press Esc Y more than ten times, you cycle to the first buffer entry.
  • Page 72: Editing Command Lines That Wrap

    Chapter 2 Using the Command-Line Interface Searching and Filtering Output of show and more Commands Editing Command Lines that Wrap You can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command.
  • Page 73: Accessing The Cli

    Chapter 2 Using the Command-Line Interface Accessing the CLI Accessing the CLI You can access the CLI through a console connection, through Telnet, or by using the browser. You manage the switch stack and the stack member interfaces through the stack master. You cannot manage stack members on an individual switch basis.
  • Page 74: Accessing The Cli From A Browser

    Access page. You can access the CLI by clicking Web Console - HTML access to the command line interface from a cached copy of the Cisco Systems Access page. To prevent unauthorized access to the CLI or to the Cluster Management Suite (CMS), exit your browser to end the browser session.
  • Page 75: Understanding Cms

    Chapter 3 Getting Started with CMS. This chapter contains these sections that describe the Cluster Management Suite (CMS) on the Catalyst 3750 switch: “Understanding CMS” section on page 3-1; “Configuring CMS” section on page 3-8...
  • Page 76: Chapter 3 Getting Started With Cm

    Chapter 3 Getting Started with CMS Understanding CMS Front Panel View The Front Panel view displays the front-panel image of a specific set of switches in a cluster. From this view, you can select multiple ports or multiple switches and configure them with the same settings. For more information, see the “Displaying CMS”...
  • Page 77 Chapter 3 Getting Started with CMS, Understanding CMS. The toolbar provides buttons for commonly used switch and cluster configuration options and information windows such as legends and online help. Table 3-1 lists the toolbar options from left to right on the toolbar. Table 3-1 Toolbar Buttons: Toolbar Option...
  • Page 78 Chapter 3 Getting Started with CMS, Understanding CMS. The feature bar shows the features available for the devices in your cluster. By default, the feature bar is in standard mode. In this mode, the feature bar is always visible, and you can reduce or increase the width of the feature bar.
  • Page 79: Online Help

    You can send us feedback about the information provided in the online help. Click Feedback to display an online form. After completing the form, click Submit to send your comments to Cisco Systems Inc. We appreciate and value your comments.
  • Page 80: Expert Mode

    Chapter 3 Getting Started with CMS, Understanding CMS. Figure 3-3 Guide Mode and Wizards (figure: guide mode icon, wizards). Guide mode is not available if your switch access level is read-only. For more information about the read-only access mode, see the “Privilege Levels”...
  • Page 81: Privilege Levels

    If your cluster has these member switches running earlier software releases and if you have read-only access to these member switches, some configuration windows for those switches display incomplete information: Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 or earlier; Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier...
  • Page 82: Configuring Cms

    Chapter 3 Getting Started with CMS, Configuring CMS. This section contains these topics that describe the requirements and configuration information for CMS: “CMS Requirements” section on page 3-8; “Cross-Platform Considerations” section on page 3-9; “Launching CMS” section on page 3-11...
  • Page 83: Operating System And Browser Support

    When managing switch clusters through CMS, remember that clusters can have a mix of switch models using different Cisco IOS releases and that CMS in earlier Cisco IOS releases and on different switch platforms might look and function differently from CMS in this Cisco IOS release.
  • Page 84: Http Access To Cms

    CMS on the Catalyst 1900 and Catalyst 2820 switches is referred to as Switch Manager. Cluster management options are not available on these switches. This is the earliest version of CMS. Refer to the documentation specific to the switch and its Cisco IOS release for descriptions of the CMS version.
  • Page 85: Displaying Cms

    HTTP server user authentication: local, the local user database as defined on the Cisco router or access server is used; tacacs, a TACACS server is used. Step 3: Return to privileged EXEC mode.
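The following configuration, added here as an example and not drawn from the guide, applies the two access-control points above together: the CLI that the earlier section says is reachable over Telnet or the console is restricted to SSH and a management ACL, and HTTP access to CMS is tied to the local user database (the local option in the step above) and to the same ACL. The host name, domain name, management prefix 10.10.0.0/24, user name and timeouts are assumptions; SSH needs the cryptographic software image that the overview mentions.

```ios
! Added example, not from the Catalyst 3750 guide. Assumed values: host name
! sw-closet-1, domain example.net, management stations in 10.10.0.0/24,
! local user netadmin. The SSH server requires the cryptographic (crypto) image.
hostname sw-closet-1
ip domain-name example.net
! The SSH server needs an RSA key pair; this command prompts for the modulus
! size (choose 1024 bits or larger).
crypto key generate rsa
ip ssh version 2                          ! refuse SSHv1 clients
ip ssh time-out 60                        ! seconds allowed for the handshake
ip ssh authentication-retries 2
!
enable secret <strong-enable-password>
! If your release does not accept "secret" here, fall back to "password" and
! add "service password-encryption" to keep it out of clear text in the config.
username netadmin privilege 15 secret <strong-user-password>
!
! Only management stations may open CLI or web sessions; other attempts are logged
access-list 10 remark management stations only
access-list 10 permit 10.10.0.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 15
 access-class 10 in
 transport input ssh                      ! no Telnet: it would carry the login in clear text
 login local
 exec-timeout 10 0                        ! idle sessions close after 10 minutes
!
line con 0
 login local
 exec-timeout 10 0
!
! CMS / Web Console: authenticate against the same local database and ACL.
! Plain HTTP still carries the CMS login in clear text, so where CMS is not
! used, replace these three lines with "no ip http server".
ip http server
ip http authentication local
ip http access-class 10
!
! Verification (privileged EXEC):
!   show ip ssh                           ! SSH version, timeout and retry settings
!   show ssh                              ! active SSH sessions
!   show running-config | include ^ip http
```

Choosing local here means the switch's own user database is the source of truth; the tacacs option in the step above moves that decision to a TACACS+ server, which is the better fit once more than a handful of administrators or switches are involved, since one account can then be disabled everywhere at once. Closing the browser, as the earlier section advises, ends the CMS session on the client side only; the ACL and authentication above are what limit who can open one.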
  • Page 86 Tools—Accesses diagnostic and monitoring tools, such as Telnet, Extended Ping, and the show interfaces privileged EXEC command. Help Resources—Provides links to the Cisco website, technical documentation, and the Cisco Technical Assistance Center (TAC). Step 3: Click Cluster Management Suite to launch the CMS interface. The CMS Startup Report runs and verifies that your PC or workstation can correctly run CMS.
  • Page 87 Chapter 3 Getting Started with CMS Displaying CMS Figure 3-5 CMS Startup Report The CMS Startup Report has links that instruct you how to correctly configure your PC or workstation. If the CMS Startup Report appears, click the links, and follow the instructions to configure your PC or workstation.
  • Page 88: Front Panel View

    Chapter 3 Getting Started with CMS Displaying CMS Front Panel View When CMS is launched from a command switch, you can display the Front Panel view by clicking the Front Panel button on the tool bar, as shown in Figure 3-6.
  • Page 89: Topology View

    Chapter 3 Getting Started with CMS Displaying CMS Figure 3-7 shows a cluster with a Catalyst 3550 switch as the command switch. Note Refer to the release notes for a list of switches that can be members of a cluster with a Catalyst 3750 switch as the command switch.
  • Page 90: Cms Icons

    Chapter 3 Getting Started with CMS Where to Go Next The Topology view shows how the devices within a switch cluster are connected and how the switch cluster is connected to other clusters and devices. From this view, you can add and remove cluster members.
  • Page 91: Understanding The Boot Process

    Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release and to the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2. This chapter consists of these sections: •...
  • Page 92: Assigning Switch Information

    For more information about the setup program, refer to the release notes on Cisco.com. The switch stack is managed through a single IP address. The IP address is a system-level setting and is not specific to the stack master or to any other stack member.
  • Page 93: Default Switch Information

    Chapter 4 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Note If you are using DHCP, do not respond to any of the questions in the setup program until the switch receives the dynamically assigned IP address and reads the configuration file. If you are an experienced user familiar with the switch configuration steps, manually configure the switch.
  • Page 94: Dhcp Client Request Process

    Chapter 4 Assigning the Switch IP Address and Default Gateway Assigning Switch Information The DHCP server for your switch can be on the same LAN or on a different LAN than the switch. If the DHCP server is running on a different LAN, you should configure a DHCP relay device between your switch and the DHCP server.
  • Page 95: Configuring Dhcp-Based Autoconfiguration

    Example Configuration, page 4-8 • If your DHCP server is a Cisco device, refer to the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 for additional information about configuring DHCP.
  • Page 96: Configuring The Dns

    If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 97: Obtaining Configuration Files

    Note See the “Routed Ports” section on page 11-3 and the “Configuring Layer 3 Interfaces” section on page 11-21. Figure 4-2 Relay Device Used in Autoconfiguration (switch as DHCP client, Cisco router as relay, DHCP server)...
  • Page 98: Example Configuration

    Figure 4-3 DHCP-Based Autoconfiguration Network Example (Switch 1 through Switch 4, Cisco router, DHCP server, DNS server, TFTP server named tftpserver) Table 4-2 shows the configuration of the reserved leases on the DHCP server.
  • Page 99 Chapter 4 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Table 4-2 DHCP Server Configuration (continued) Boot filename (configuration file, optional): Switch A switcha-confg; Switch B switchb-confg; Switch C switchc-confg; Switch D switchd-confg. Host name (optional): Switch A switcha; Switch B switchb; Switch C switchc; Switch D switchd...
  • Page 100: Manually Assigning Ip Information

    Chapter 4 Assigning the Switch IP Address and Default Gateway Checking and Saving the Running Configuration Manually Assigning IP Information Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs) or ports: Command Purpose Step 1...
  • Page 101: Modifying The Startup Configuration

    EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Modifying the Startup Configuration This section describes how to modify the switch startup configuration.
  • Page 102: Default Boot Configuration

    Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot cycle.
  • Page 103: Booting Manually

    Chapter 4 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Command Purpose Step 4 show boot Verify your entries. The boot config-file global configuration command changes the setting of the CONFIG_FILE environment variable. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 104: Controlling Environment Variables

    Chapter 4 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Note This command only works properly from a standalone switch. Beginning in privileged EXEC mode, follow these steps to configure the switch to boot a specific image during the next boot cycle: Command Purpose...
  • Page 105 Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
  • Page 106: Scheduling A Reload Of The Software Image

    CONFIG_FILE — Boot loader command: set CONFIG_FILE flash:/file-url (Changes the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration). Cisco IOS global configuration command: boot config-file flash:/file-url (Specifies the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration).
  • Page 107: Displaying Scheduled Reload Information

    Chapter 4 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image Note Use the at keyword only if the switch system clock has been set (through Network Time Protocol (NTP), the hardware calendar, or manually). The time is relative to the configured time zone on the switch.
  • Page 108 Chapter 4 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image
  • Page 109: Managing Switch Stacks

    One of the switches controls the operation of the stack and is called the stack master. The stack master and the other switches in the stack are stack members. The stack members use the Cisco StackWise technology to behave and work together as a unified system. Layer 2 and Layer 3 protocols present the entire switch stack as a single entity to the network.
  • Page 110: Chapter 5 Managing Switch Stack

    Chapter 5 Managing Switch Stacks Understanding Switch Stacks The system-level features supported on the stack master are supported on the entire switch stack. If the switch stack must have switches running both standard multilayer image (SMI) and enhanced multilayer image (EMI) software, we recommend that a switch running the EMI software be the stack master. EMI features are unavailable if the stack master is running the SMI software.
  • Page 111: Switch Stack Membership

    Chapter 5 Managing Switch Stacks Understanding Switch Stacks Switch Stack Membership A switch stack has up to nine stack members connected through their StackWise ports. A switch stack always has one stack master. A standalone switch is a switch stack with one stack member that also operates as the stack master. You can connect one standalone switch to another (Figure 5-1 on page 5-4) to create a switch stack...
  • Page 112: Stack Master Election And Re-Election

    The Catalyst 3750 EMI cryptographic image has a higher priority than the Catalyst 3750 SMI image during the master switch election in a stack. However, when two or more switches in the stack use different software images, such as the SMI image for Cisco IOS Release 12.1(11)AX and the...
  • Page 113: Switch Stack Bridge Id And Router Mac Address

    10 seconds. To avoid this problem, upgrade the switch running the SMI to a software release later than Cisco IOS Release 12.1(11)AX or manually start the master switch and wait at least 8 seconds before starting the new member switch.
  • Page 114: Stack Member Numbers

    Chapter 5 Managing Switch Stacks Understanding Switch Stacks Stack Member Numbers The stack member number (1 to 9) identifies each member in the switch stack. The member number also determines the interface-level configuration that a stack member uses. You can display the stack member number by using the show switch user EXEC command.
  • Page 115: Stack Member Priority Values

    You manually create the provisioned configuration through the switch stack-member-number provision type global configuration command. The provisioned configuration also is automatically created when a switch is added to a switch stack that is running Cisco IOS Release 12.2(20)SE or later and when no provisioned configuration exists.
  • Page 116: Effects Of Adding A Provisioned Switch To A Switch Stack

    Chapter 5 Managing Switch Stacks Understanding Switch Stacks Effects of Adding a Provisioned Switch to a Switch Stack When you add a provisioned switch to the switch stack, the stack applies either the provisioned configuration or the default configuration to it. Table 5-1 lists the events that occur when the switch stack compares the provisioned configuration with the provisioned switch:...
  • Page 117 In addition, any configured PoE-related commands that are valid only on PoE-capable interfaces are rejected, even for ports 1 through 24. Note If the switch stack is running Cisco IOS Release 12.2(20)SE or later and does not contain a provisioned configuration for a new switch, the switch joins the stack with the default interface configuration.
  • Page 118: Effects Of Replacing A Provisioned Switch In A Switch Stack

    Effects of Removing a Provisioned Switch from a Switch Stack If a switch stack is running Cisco IOS Release 12.2(20)SE or later and you remove a provisioned switch from a switch stack, the configuration associated with the removed stack member remains in the running configuration as provisioned information.
  • Page 119: Compatibility Recommendations

    “Hardware Compatibility in Switch Stacks” section on page 5-10. Compatibility Recommendations All stack members must run the same Cisco IOS software version to ensure compatibility between stack members. Follow these recommendations: • The Cisco IOS software version on all stack members, including the stack master, should be the...
  • Page 120: Switch Stack Configuration Files

    Note We recommend that all stack members are installed with Cisco IOS Release 12.1(14)EA1 or later to ensure that the interface-specific settings of the stack master are saved, in case the stack master is replaced without saving the running configuration to the startup configuration.
  • Page 121: Additional Considerations For System-Wide Configuration On Switch Stacks

    For more information about file systems and configuration files, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Additional Considerations for System-Wide Configuration on Switch Stacks These sections provide additional considerations for configuring system-wide features on switch stacks: •...
  • Page 122: Switch Stack Management Connectivity

    Chapter 5 Managing Switch Stacks Understanding Switch Stacks Switch Stack Management Connectivity You manage the switch stack and the stack member interfaces through the stack master. You can use the CMS, the CLI, and SNMP and CiscoWorks network management applications. You cannot manage stack members on an individual switch basis.
  • Page 123: Switch Stack Configuration Scenarios

    Chapter 5 Managing Switch Stacks Understanding Switch Stacks To debug a specific stack member, you can access it from the stack master by using the session stack-member-number privileged EXEC command. The stack member number is appended to the system prompt. For example, Switch-2# is the prompt in privileged EXEC mode for stack member 2, and the system prompt for the stack master is...
  • Page 124 Chapter 5 Managing Switch Stacks Understanding Switch Stacks Table 5-2 Switch Stack Configuration Scenarios (continued) Scenario: Stack master election specifically determined by the EMI software — Assuming that all stack members have the same priority value: Make sure that one stack member has the noncryptographic EMI software... Result: The stack member with the noncryptographic EMI software is elected stack master.
  • Page 125: Assigning Stack Member Information

    Chapter 5 Managing Switch Stacks Assigning Stack Member Information Table 5-2 Switch Stack Configuration Scenarios (continued) Scenario Result Stack master failure Remove (or power off) the stack master. Based on the factors described in the “Stack Master Election and Re-Election” section on page 5-4, one of the remaining stack members becomes the new stack master.
  • Page 126: Setting The Stack Member Priority Value

    Chapter 5 Managing Switch Stacks Assigning Stack Member Information Beginning in privileged EXEC mode, follow these steps to assign a member number to a stack member. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 switch current-stack-member-number Specify the current stack member number and the new stack member...
  • Page 127: Accessing The Cli Of A Specific Stack Member

    Chapter 5 Managing Switch Stacks Accessing the CLI of a Specific Stack Member Beginning in privileged EXEC mode, follow these steps to provision a new member for a switch stack. This procedure is optional. Command Purpose Step 1 show switch Display summary information about the switch stack.
  • Page 128: Displaying Switch Stack Information

    Chapter 5 Managing Switch Stacks Displaying Switch Stack Information Displaying Switch Stack Information To display configuration changes that you save after you reset a specific stack member or the switch stack, use the privileged EXEC commands listed in Table 5-4. Table 5-4 Commands for Displaying Switch Stack Information Command...
  • Page 129: Clustering Switches

    C H A P T E R Clustering Switches This chapter provides the concepts and procedures to create and manage Catalyst 3750 switch clusters. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. This chapter focuses on Catalyst 3750 switch clusters.
  • Page 130: Chapter 6 Clustering Switche

    Chapter 6 Clustering Switches Understanding Switch Clusters Understanding Switch Clusters A switch cluster is a set of up to 16 connected, cluster-capable Catalyst switches that are managed as a single entity. The switches in the cluster use the switch clustering technology so that you can configure and troubleshoot a group of different Catalyst desktop switch platforms through a single IP address.
  • Page 131: Cluster Command Switch Characteristics

    • It has an IP address. • It has Cisco Discovery Protocol (CDP) version 2 enabled (the default). • It is not a command or cluster member switch of another cluster. • It is connected to the standby cluster command switches through the management VLAN and to the...
  • Page 132: Candidate Switch And Cluster Member Switch Characteristics

    Chapter 6 Clustering Switches Planning a Switch Cluster Candidate Switch and Cluster Member Switch Characteristics Candidate switches are cluster-capable switches and switch stacks that have not yet been added to a cluster. Cluster member switches are switches and switch stacks that have actually been added to a switch cluster.
  • Page 133: Automatic Discovery Of Cluster Candidates And Members

    Java plug-in configurations. Automatic Discovery of Cluster Candidates and Members The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
  • Page 134: Discovery Through Non-Cdp-Capable And Noncluster-Capable Devices

    Discovery Through Non-CDP-Capable and Noncluster-Capable Devices If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 135: Discovery Through Different Vlans

    Chapter 6 Clustering Switches Planning a Switch Cluster Discovery Through Different VLANs If the cluster command switch is a Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 switch, the cluster can have cluster member switches in different VLANs. As cluster member switches, they must be connected through at least one VLAN in common with the cluster command switch.
  • Page 136: Discovery Through Routed Ports

    Chapter 6 Clustering Switches Planning a Switch Cluster Note If the switch cluster has a Catalyst 3750 switch or switch stack, that switch or switch stack must be the cluster command switch. The cluster command switch and standby command switch in Figure 6-4 (assuming they are Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switches) have ports...
  • Page 137: Discovery Of Newly Installed Switches

    Chapter 6 Clustering Switches Planning a Switch Cluster Figure 6-5 Discovery Through Routed Ports (command switch and member switch 7 connected through VLANs 4, 9, and 62; management VLAN 62) Discovery of Newly Installed Switches To join a cluster, the new, out-of-the-box switch must be connected to the cluster through one of its access ports.
  • Page 138: Hsrp And Standby Cluster Command Switches

    Chapter 6 Clustering Switches Planning a Switch Cluster HSRP and Standby Cluster Command Switches The switch supports Hot Standby Router Protocol (HSRP) so that you can configure a group of standby cluster command switches. Because a cluster command switch manages the forwarding of all communication and configuration information to all the cluster member switches, we strongly recommend the following: For a cluster command switch stack, a standby cluster command switch is necessary if the entire...
  • Page 139: Virtual Ip Addresses

    Chapter 6 Clustering Switches Planning a Switch Cluster Virtual IP Addresses You need to assign a unique virtual IP address and group number and name to the cluster standby group. This information must be configured on a specific VLAN or routed port on the active cluster command switch.
  • Page 140: Automatic Recovery Of Cluster Configuration

    Chapter 6 Clustering Switches Planning a Switch Cluster Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL cluster member switches must be connected to the cluster standby group through their management VLANs. For more information about VLANs in switch clusters, see these sections: “Discovery Through Different VLANs”...
  • Page 141: Ip Addresses

    Chapter 6 Clustering Switches Planning a Switch Cluster When the previously active cluster command switch resumes its active role, it receives a copy of the latest cluster configuration from the active cluster command switch, including members that were added while it was down. The active cluster command switch sends a copy of the cluster configuration to the cluster standby group.
  • Page 142: Passwords

    Chapter 6 Clustering Switches Planning a Switch Cluster Passwords You do not need to assign passwords to an individual switch if it will be a cluster member. When a switch joins a cluster, it inherits the command-switch password and retains it when it leaves the cluster. If no command-switch password is configured, the cluster member switch inherits a null password.
  • Page 143 Chapter 6 Clustering Switches Planning a Switch Cluster Table 6-1 Basic Comparison of Switch Stacks and Switch Clusters (continued) Switch Stack: Stack master is the single point of complete management for all stack members in a particular switch stack. Switch Cluster: Cluster command switch is the single point of some management for all cluster members in a particular switch cluster. Switch Stack: Back-up stack master is automatically determined in case the...
  • Page 144: Tacacs+ And Radius

    If your cluster has these cluster member switches running earlier software releases and if you have read-only access to these cluster member switches, some configuration windows for those switches display incomplete information: • Catalyst 2900 XL or Catalyst 3500 XL cluster member switches running Cisco IOS Release 12.0(5)WC2 or earlier • Catalyst 2950 cluster member switches running Cisco IOS Release 12.0(5)WC2 or earlier...
  • Page 145: Lre Profiles

    Chapter 6 Clustering Switches Creating a Switch Cluster LRE Profiles A configuration conflict occurs if a switch cluster has Long-Reach Ethernet (LRE) switches that use both private and public profiles. If one LRE switch in a cluster is assigned a public profile, all LRE switches in that cluster must have that same public profile.
  • Page 146: Adding Cluster Member Switches

    Chapter 6 Clustering Switches Creating a Switch Cluster If you did not enable a cluster command switch during initial switch setup, launch Device Manager from a command-capable switch, and select Cluster > Create Cluster. Enter a cluster number (the default is 0), and use up to 31 characters to name the cluster (Figure 6-8).
  • Page 147 Chapter 6 Clustering Switches Creating a Switch Cluster Instead of using CMS to add members to the cluster, you can use the cluster member global configuration command from the cluster command switch. Use the password option in this command if the candidate switch has a password.
  • Page 148: Creating A Cluster Standby Group

    Chapter 6 Clustering Switches Creating a Switch Cluster Figure 6-10 Using the Topology View to Add Cluster Member Switches (cluster members stack1 and stack10; Add To Cluster and Device Manager... menu items)...
  • Page 149 “Configuring HSRP Authentication and Timers” section on page 35-9. Figure 6-11 Standby Command Configuration Window (active command switch and standby command switch)...
  • Page 150: Verifying A Switch Cluster

    Chapter 6 Clustering Switches Verifying a Switch Cluster Verifying a Switch Cluster When you finish adding cluster members, follow these steps to verify the cluster: Step 1 Enter the cluster command switch IP address in the browser Location field (Netscape Communicator) or Address field (Microsoft Internet Explorer) to access all switches in the cluster.
  • Page 151: Using The Cli To Manage Switch Clusters

    Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
  • Page 152: Using Snmp To Manage Switch Clusters

    Chapter 6 Clustering Switches Using SNMP to Manage Switch Clusters Using SNMP to Manage Switch Clusters When you first power on the switch, SNMP is enabled if you enter the IP information by using the setup program and accept its proposed configuration. If you did not use the setup program to enter the IP information and SNMP was not enabled, you can enable it as described in the “Configuring SNMP”...
  • Page 153: Managing The System Time And Date

    You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 154: Chapter 7 Administering The Switch

    Chapter 7 Administering the Switch Managing the System Time and Date Understanding the System Clock The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time. The system clock can then be set from these sources: • Network Time Protocol •...
  • Page 155 Managing the System Time and Date Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 156: Configuring Ntp

    Chapter 7 Administering the Switch Managing the System Time and Date Configuring NTP The switch does not have a hardware-supported clock and cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. The switch also has no hardware support for a calendar.
  • Page 157: Configuring Ntp Authentication

    Chapter 7 Administering the Switch Managing the System Time and Date Configuring NTP Authentication This procedure must be coordinated with the administrator of the NTP server; the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server. Beginning in privileged EXEC mode, follow these steps to authenticate the associations (communications between devices running NTP that provide for accurate timekeeping) with other devices for security purposes:...
  • Page 158: Configuring Ntp Associations

    Chapter 7 Administering the Switch Managing the System Time and Date Configuring NTP Associations An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this switch synchronizes to the other device, and not the other way around).
  • Page 159: Configuring Ntp Broadcast Service

    Chapter 7 Administering the Switch Managing the System Time and Date Configuring NTP Broadcast Service The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association.
  • Page 160: Configuring Ntp Access Restrictions

    Chapter 7 Administering the Switch Managing the System Time and Date Beginning in privileged EXEC mode, follow these steps to configure the switch to receive NTP broadcast packets from connected peers: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to receive NTP broadcast packets, and enter interface...
  • Page 161 Chapter 7 Administering the Switch Managing the System Time and Date Creating an Access Group and Assigning a Basic IP Access List Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists: Command Purpose Step 1...
  • Page 162: Configuring The Source Ip Address For Ntp Packets

    Chapter 7 Administering the Switch Managing the System Time and Date To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command. This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99.
  • Page 163: Displaying The Ntp Configuration

    • show ntp status For detailed information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. Configuring Time and Date Manually If no other source of time is available, you can manually configure the time and date after the system is restarted.
  • Page 164: Displaying The Time And Date Configuration

    Chapter 7 Administering the Switch Managing the System Time and Date This example shows how to manually set the system clock to 1:32 p.m. on July 23, 2001: Switch# clock set 13:32:00 23 July 2001 Displaying the Time and Date Configuration To display the time and date configuration, use the show clock [detail] privileged EXEC command.
  • Page 165: Configuring Summer Time (Daylight Saving Time)

    Chapter 7 Administering the Switch Managing the System Time and Date Configuring Summer Time (Daylight Saving Time) Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year: Command Purpose Step 1...
  • Page 166: Configuring A System Name And Prompt

    Chapter 7 Administering the Switch Configuring a System Name and Prompt Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events): Command Purpose Step 1...
  • Page 167: Default System Name And Prompt Configuration

    Administering the Switch Configuring a System Name and Prompt For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
  • Page 168: Configuring A System Prompt

    Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
  • Page 169: Default Dns Configuration

    Chapter 7 Administering the Switch Configuring a System Name and Prompt Default DNS Configuration Table 7-2 shows the default DNS configuration. Table 7-2 Default DNS Configuration Feature Default Setting DNS enable state Enabled. DNS default domain name None configured. DNS servers No name server addresses are configured.
  • Page 170: Displaying The Dns Configuration

    If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
  • Page 171: Configuring A Message-Of-The-Day Login Banner

    Chapter 7 Administering the Switch Creating a Banner Configuring a Message-of-the-Day Login Banner You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: Command Purpose Step 1...
  • Page 172: Configuring A Login Banner

    Chapter 7 Administering the Switch Managing the MAC Address Table Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner: Command Purpose Step 1...
  • Page 173: Building The Address Table

    Chapter 7 Administering the Switch Managing the MAC Address Table This section contains this configuration information: • Building the Address Table, page 7-21 • MAC Addresses and VLANs, page 7-21 • MAC Addresses and Switch Stacks, page 7-22 • Default MAC Address Table Configuration, page 7-22 •...
  • Page 174: Mac Addresses And Switch Stacks

    Chapter 7 Administering the Switch Managing the MAC Address Table For more information about private VLANs, see Chapter 15, “Configuring Private VLANs.” MAC Addresses and Switch Stacks The MAC address tables on all stack members are synchronized. At any given time, each stack member has the same copy of the address tables for each VLAN.
  • Page 175: Removing Dynamic Address Entries

    Chapter 7 Administering the Switch Managing the MAC Address Table Command Purpose Step 4 show mac address-table aging-time Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default value, use the no mac address-table aging-time global configuration command. Removing Dynamic Address Entries To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode.
  • Page 176 Chapter 7 Administering the Switch Managing the MAC Address Table Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address notification traps to an NMS host: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server host host-addr {traps | informs} {version {1 Specify the recipient of the trap message.
  • Page 177: Adding And Removing Static Address Entries

    Chapter 7 Administering the Switch Managing the MAC Address Table Command Purpose Step 9 show mac address-table notification interface Verify your entries. show running-config Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable the switch from sending MAC address notification traps, use the no snmp-server enable traps mac-notification global configuration command.
  • Page 178: Configuring Unicast Mac Address Filtering

    Chapter 7 Administering the Switch Managing the MAC Address Table Beginning in privileged EXEC mode, follow these steps to add a static address: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac address-table static mac-addr Add a static address to the MAC address table. vlan vlan-id interface interface-id •...
  • Page 179 Chapter 7 Administering the Switch Managing the MAC Address Table If you add a unicast MAC address as a static address and configure unicast MAC address filtering, • the switch either adds the MAC address as a static address or drops packets with that MAC address, depending on which command was entered last.
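The MAC address table procedures above (aging time, MAC change notification traps, static entries, unicast MAC address filtering, and clearing dynamic entries) in one configuration. This is an added example, not from the guide; the MAC addresses, VLAN, port, NMS address and community string are made up.

```ios
! --- Added example (not from the guide); MACs, VLANs, ports, NMS address and community are assumptions ---
configure terminal
 ! Shorter aging in VLAN 10 so entries for a moved or removed host expire sooner
 ! (default is 300 seconds; 0 disables aging).
 mac address-table aging-time 120 vlan 10
 !
 ! Pin a known device to its port: a static entry never ages out and is not
 ! relearned on another port if a frame with that source address shows up there.
 mac address-table static 0012.3456.789a vlan 10 interface gigabitethernet1/0/5
 !
 ! Unicast MAC filtering: drop frames whose source OR destination is this address
 ! in VLAN 10. Entering the "static ... interface" form for the same address later
 ! would replace the drop (whichever command was entered last wins).
 mac address-table static 00aa.bbcc.ddee vlan 10 drop
 !
 ! MAC change notification to an NMS: SNMPv2c traps, enabled globally and per port.
 ! The v2c community string travels in clear text, so use a dedicated management
 ! VLAN (or SNMPv3, if the image supports it) for the trap path.
 snmp-server host 10.0.0.200 traps version 2c nmsTraps mac-notification
 snmp-server enable traps mac-notification
 mac address-table notification
 mac address-table notification interval 60
 mac address-table notification history-size 200
 interface gigabitethernet1/0/5
  snmp trap mac-notification added
  snmp trap mac-notification removed
end
! Checks
show mac address-table aging-time
show mac address-table static vlan 10
show mac address-table notification interface gigabitethernet1/0/5
! Flush learned entries; static and drop entries are kept.
clear mac address-table dynamic
copy running-config startup-config
```

The notification history size and interval bound how much the switch buffers between traps; with a 60-second interval a burst of MAC changes (for example a flooding attack) is reported as one trap carrying up to the history size of events, not one trap per change.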
  • Page 180: Displaying Address Table Entries

    (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. For CLI procedures, refer to the Cisco IOS Release 12.2 documentation on Cisco.com. Catalyst 3750 Switch Software Configuration Guide...
  • Page 181: Configuring Sdm Templates

    Chapter 8 Configuring SDM Templates: This chapter describes how to configure the Switch Database Management (SDM) templates on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
  • Page 182: Sdm Templates And Switch Stacks

    Chapter 8 Configuring SDM Templates Understanding the SDM Templates Table 8-1 Approximate Number of Feature Resources Allowed by Each Template Desktop Templates Aggregator Templates Resource Default Routing VLAN Default Routing VLAN Unicast MAC addresses 12 K 12 K IGMP groups and multicast routes Unicast routes 11 K 12 K...
  • Page 183: Configuring The Switch Sdm Template

    Chapter 8 Configuring SDM Templates Configuring the Switch SDM Template You can use the show switch privileged EXEC command to see if any stack members are in SDM mismatch mode. This example shows the output from the show switch privileged EXEC command when an SDM mismatch exists: Switch# show switch Current...
  • Page 184: Sdm Template Configuration Guidelines

    Chapter 8 Configuring SDM Templates Configuring the Switch SDM Template SDM Template Configuration Guidelines You must reload the switch for the configuration to take effect. Use the sdm prefer vlan [desktop] global configuration command only on switches intended for Layer 2 switching with no routing. When you use the VLAN template, no system resources are reserved for routing entries, and any routing is done through software.
  • Page 185: Displaying The Sdm Templates

    Chapter 8 Configuring SDM Templates Displaying the SDM Templates number of unicast mac addresses: number of igmp groups + multicast routes: number of unicast routes: number of directly connected hosts: number of indirect routes: number of qos aces: number of security aces: On next reload, template will be "aggregate routing"...
  • Page 186 Chapter 8 Configuring SDM Templates Displaying the SDM Templates This is an example of output from the show sdm prefer routing command entered on an aggregator switch: Switch# show sdm prefer routing "aggregate routing" template: The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
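The SDM template procedure above as a single session, added here as an example (not from the guide). The template chosen is an assumption; which one fits depends on whether the switch routes.

```ios
! --- Added example (not from the guide) ---
! Look at the active template and what it reserves before changing anything.
show sdm prefer
! Pick the template for the role of the switch. Use "vlan" only where no routing is
! ever needed: it reserves nothing for routes, so any routing would be done in software.
configure terminal
 sdm prefer routing
end
! The template changes only at the next reload; until then "show sdm prefer" reports
! it under "On next reload, template will be ...".
copy running-config startup-config
reload
! After the reload: every stack member must run the same template, so confirm that no
! member is in SDM mismatch mode, then check the resource counts.
show switch
show sdm prefer
```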
  • Page 187: Chapter 9 Configuring Switch-Based Authentication

    Chapter 9 Configuring Switch-Based Authentication: This chapter describes how to configure switch-based authentication on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. This chapter consists of these sections:
    • Preventing Unauthorized Access to Your Switch, page 9-1
    • ...
  • Page 188: Protecting Access To Privileged Exec Commands

    Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference, Release 12.2. This section describes how to control access to the configuration file and privileged EXEC commands.
  • Page 189: Setting Or Changing A Static Enable Password

    Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Setting or Changing a Static Enable Password The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password: Command Purpose Step 1...
  • Page 190: Protecting Enable And Enable Secret Passwords With Encryption

    The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
    • (Optional) For encryption-type, only type 5 is available. Type 5 is a salted MD5 hash (the format used by enable secret), not a reversible encryption; a type 5 string cannot be turned back into the password, unlike the type 7 strings produced by service password-encryption. If you specify an encryption type, you must provide an encrypted password—an encrypted password that you...
  • Page 191: Disabling Password Recovery

    Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 192: Setting A Telnet Password For A Terminal Line

    Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands To re-enable password recovery, use the service password-recovery global configuration command. Note Disabling password recovery will not work if you have set the switch to boot manually by using the boot manual global configuration command.
  • Page 193: Configuring Username And Password Pairs

    Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Configuring Username and Password Pairs You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
  • Page 194: Configuring Multiple Privilege Levels

    Protecting Access to Privileged EXEC Commands Configuring Multiple Privilege Levels By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
  • Page 195: Changing The Default Privilege Level For Lines

    Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
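The local-authentication procedures above (enable secret, password encryption, disabling password recovery, username/password pairs, and privilege levels) brought together into one configuration. This is an added example, not from the guide; the passwords, usernames, the level number and the commands moved to that level are made up.

```ios
! --- Added example (not from the guide); passwords, usernames and level 5 commands are assumptions ---
configure terminal
 ! "enable secret" stores a salted MD5 hash (type 5). "enable password" stores plain
 ! text, or with service password-encryption a type 7 string, which is a reversible
 ! obfuscation. When both exist the secret is used, so set only the secret.
 enable secret Str0ng-Enable-Pass!
 no enable password
 !
 ! Still turn this on: it keeps line and username passwords out of casual view in
 ! "show running-config" and config backups, even though type 7 is trivially reversed.
 service password-encryption
 !
 ! Local accounts: a level-15 account for administrators and a level-5 operator.
 username admin privilege 15 password Adm1n-Pass!
 username ops privilege 5 password 0ps-Pass!
 !
 ! Move only the commands the operator role needs down to level 5. Setting
 ! "clear counters" to level 5 also sets "clear" to level 5 (subset rule), but the
 ! other clear subcommands keep their own levels.
 privilege exec level 5 clear counters
 privilege exec level 5 clear logging
 ! Lets a level-1 user reach level 5 with "enable 5" if they know this secret.
 enable secret level 5 Level5-Pass!
 !
 ! Authenticate with local usernames (not a shared line password) on console and vty.
 line console 0
  login local
  exec-timeout 10 0
 line vty 0 15
  login local
  exec-timeout 10 0
 !
 ! Optional: block console password recovery. Only do this with a tested backup of
 ! the startup configuration and image; it has no effect if "boot manual" is set.
 no service password-recovery
end
! Checks
show privilege
show running-config | include ^enable|^username|^service password
copy running-config startup-config
```

Logging in as "ops" lands directly at level 5; "show privilege" confirms the level, and a command left at level 15 (for example configure) is rejected for that user.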
  • Page 196: Logging Into And Exiting A Privilege Level

    TACACS+ is facilitated through authentication, authorization, and accounting (AAA) and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference, Release 12.2.
  • Page 197 The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers. A network access server provides connections to a single user, to a network or...
  • Page 198: Tacacs+ Operation

    Controlling Switch Access with TACACS+: The TACACS+ protocol provides authentication between the switch and the TACACS+ daemon, and it protects the exchanges between them: the body of every TACACS+ packet is obfuscated with a keystream derived from the shared key (an MD5 digest of the key, session ID, version and sequence number), so an observer without the key cannot read usernames or passwords. This is not a modern cipher and gives no integrity protection, so the daemon should still sit on a protected management network. You need a system running the TACACS+ daemon software to use TACACS+ on your switch. TACACS+ Operation: When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:...
  • Page 199: Configuring Tacacs

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Configuring TACACS+ This section describes how to configure your switch to support TACACS+. At a minimum, you must identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+ authentication.
  • Page 200: Configuring Tacacs+ Login Authentication

    Beginning in privileged EXEC mode, follow these steps to identify the IP host or hosts maintaining a TACACS+ server and optionally set the encryption key: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 201 Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted.
  • Page 202: Configuring Tacacs+ Authorization For Privileged Exec Access And Network Services

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Command Purpose Step 5 login authentication {default | Apply the authentication list to a line or set of lines. list-name} If you specify default, use the default list created with the aaa •...
  • Page 203: Starting Tacacs+ Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services:...
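The whole TACACS+ procedure above (server identification and key, login authentication method list, privileged EXEC and network authorization, accounting) as one configuration. This is an added example, not from the guide; the server addresses, shared key, management VLAN and local fallback account are made up.

```ios
! --- Added example (not from the guide); server addresses, key, VLAN and accounts are assumptions ---
configure terminal
 aaa new-model
 ! Two daemons, same key. The key only obfuscates packet bodies, so pick a long random
 ! string and keep the servers reachable only from the management network.
 tacacs-server host 10.0.0.5 key 7f2c9e41c0d8b5a6e3f19
 tacacs-server host 10.0.0.6 key 7f2c9e41c0d8b5a6e3f19
 tacacs-server timeout 5
 ! Source TACACS+ traffic from a fixed management address (if the image supports it).
 ip tacacs source-interface Vlan99
 !
 ! Method lists. The next method is tried only when the previous one does not RESPOND;
 ! a reject from a reachable server is final and "local" is never consulted for it.
 aaa authentication login default group tacacs+ local
 aaa authentication enable default group tacacs+ enable
 ! Authorization: privileged EXEC on login and network services, server first, local fallback.
 aaa authorization exec default group tacacs+ local
 aaa authorization network default group tacacs+
 ! Accounting: start and stop records for EXEC sessions and network services.
 aaa accounting exec default start-stop group tacacs+
 aaa accounting network default start-stop group tacacs+
 !
 ! Fallback account used only when no daemon answers.
 username breakglass privilege 15 password Gl4ss-Break!
 enable secret Str0ng-Enable-Pass!
 !
 ! The "default" lists apply to all lines automatically; naming them is explicit.
 line vty 0 15
  login authentication default
  authorization exec default
  accounting exec default
 line console 0
  login authentication default
end
! Checks: server reachability/statistics, then a test login from a second session
! BEFORE closing the one used to configure this.
show tacacs
debug tacacs
copy running-config startup-config
```

Keep the configuring session open until a fresh login through TACACS+ succeeds; with "aaa new-model" in place, a typo in the key or an unreachable daemon otherwise locks you out until the local fallback kicks in after the timeouts.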
  • Page 204: Controlling Switch Access With Radius

    RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference, Release 12.2. This section contains this configuration information: •...
  • Page 205: Radius Operation

    • X.25 PAD connections.
    • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.
    • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 206: Configuring Radius

    The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or network authorization. Users must first successfully complete RADIUS authentication before proceeding to RADIUS authorization, if it is enabled. The additional data included with the ACCEPT or REJECT packets includes these items:
    • Telnet, SSH, rlogin, or privileged EXEC services
    • ...
  • Page 207: Identifying The Radius Server Host

    Identifying the RADIUS Server Host: Switch-to-RADIUS-server communication involves several components:
    • Host name or IP address
    • Authentication destination port
    • Accounting destination port
    • Key string
    • Timeout period
    • ...
  • Page 208 Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | Specify the IP address or host name of the remote RADIUS server host.
  • Page 209: Configuring Radius Login Authentication

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting: Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1 Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2...
  • Page 210 Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA.
  • Page 211: Defining Aaa Server Groups

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Command Purpose Step 5 login authentication {default | Apply the authentication list to a line or set of lines. list-name} If you specify default, use the default list created with the aaa •...
  • Page 212 Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | Specify the IP address or host name of the remote RADIUS server host.
  • Page 213: Configuring Radius Authorization For User Privileged Access And Network Services

    Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Command Purpose Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. Step 9 Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 9-23.
  • Page 214: Starting Radius Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 215: Configuring Settings For All Radius Servers

    1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
  • Page 216 For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP IPCP address assignment): cisco-avpair= "ip:addr-pool=first". This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: cisco-avpair= "shell:priv-lvl=15"...
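The RADIUS procedures above (per-server host entries, AAA server groups, login authentication, privileged EXEC and network authorization, accounting, and the vendor-specific cisco-avpair) combined into one configuration. This is an added example, not from the guide; the server addresses, keys, group name and fallback account are made up.

```ios
! --- Added example (not from the guide); server addresses, keys, group name and accounts are assumptions ---
configure terminal
 aaa new-model
 ! A server entry is identified by address AND port, so the same address on different
 ! ports is a different server. IOS defaults to 1645/1646; most servers listen on 1812/1813.
 ! RADIUS hides only the User-Password attribute (MD5 of key + authenticator); every
 ! other attribute is sent in clear, so keep the path on the management network.
 radius-server host 10.0.0.21 auth-port 1812 acct-port 1813 key R4dius-K3y-21
 radius-server host 10.0.0.22 auth-port 1812 acct-port 1813 key R4dius-K3y-22
 radius-server timeout 4
 radius-server retransmit 2
 radius-server deadtime 5
 !
 ! Named server group for the method lists. Members must already exist as
 ! radius-server host entries; the group only references them.
 aaa group server radius MGMT-RADIUS
  server 10.0.0.21 auth-port 1812 acct-port 1813
  server 10.0.0.22 auth-port 1812 acct-port 1813
 !
 aaa authentication login default group MGMT-RADIUS local
 ! EXEC authorization: the server returns the privilege level as the Cisco VSA
 ! (vendor 9, attribute 1)  cisco-avpair = "shell:priv-lvl=15"
 aaa authorization exec default group MGMT-RADIUS local
 aaa authorization network default group MGMT-RADIUS
 aaa accounting exec default start-stop group MGMT-RADIUS
 aaa accounting network default start-stop group MGMT-RADIUS
 ! Send vendor-specific attributes in requests and accept them in replies.
 radius-server vsa send authentication
 radius-server vsa send accounting
 !
 username breakglass privilege 15 password Gl4ss-Break!
 line vty 0 15
  login authentication default
  authorization exec default
  accounting exec default
end
! Checks
show running-config | include aaa|radius
debug radius
copy running-config startup-config
```

Marking a server dead for five minutes after it times out keeps logins from waiting through every retransmit on each attempt; the second server, or finally the local account, answers instead.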
  • Page 217: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
  • Page 218: Controlling Switch Access With Kerberos

    • Configuring Kerberos, page 9-36
    For Kerberos configuration examples, refer to the “Kerberos Configuration Examples” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/ Note: For complete syntax and usage information for the commands used in this section, refer to the “Kerberos Commands”...
  • Page 219 Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs).
  • Page 220: Kerberos Operation

    Table 9-2 Kerberos Terms (continued) Term Definition KEYTAB A secret key (held in a keytab file) that a network service shares with the KDC. In Kerberos 5 and later Kerberos versions, the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it.
  • Page 221: Authenticating To A Boundary Switch

    KDC and obtain a TGT from the KDC to access network services. For instructions about how to authenticate to a KDC, refer to the “Obtaining a TGT from a KDC” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfkerb.ht...
  • Page 222: Configuring Kerberos

    • Configure the switch to use the Kerberos protocol. For instructions, refer to the “Kerberos Configuration Task List” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfkerb.htm#1001027. Configuring the Switch for Local Authentication and...
  • Page 223: Configuring The Switch For Secure Shell

    Note: For complete syntax and usage information for the commands used in this section, refer to the command reference for this release and the command reference for Cisco IOS Release 12.2 at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm.
  • Page 224: Understanding Ssh

    You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 225: Limitations

    Setting Up the Switch to Run SSH Follow these steps to set up your switch to run SSH: Download the cryptographic software image from Cisco.com. This step is required. For more information, refer to the release notes for this release.
  • Page 226: Configuring The Ssh Server

    Chapter 9 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell Generate an RSA key pair for the switch, which automatically enables SSH. Follow this procedure only if you are configuring the switch as an SSH server. Configure user authentication for local or remote access. This step is required. For more information, see the “Configuring the Switch for Local Authentication and Authorization”...
  • Page 227: Displaying The Ssh Configuration And Status

    Shows the status of the SSH server. For more information about these commands, refer to the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fothercr/...
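The SSH setup steps above (cryptographic image, hostname and domain, RSA key pair, server settings, user authentication, and the status commands) as one session. This is an added example, not from the guide; the hostname, domain, account and chosen modulus are made up.

```ios
! --- Added example (not from the guide); hostname, domain, account and modulus are assumptions ---
! Prerequisite: a cryptographic image (the image name contains "k9"). Check first:
show version | include image
configure terminal
 ! The RSA key is named "<hostname>.<domain>", so both must be set before generating it.
 hostname sw-core1
 ip domain-name example.net
 ! Generating the key pair enables the SSH server. Do not use the 512-bit minimum;
 ! take 1024 or the largest modulus this image accepts.
 crypto key generate rsa general-keys modulus 1024
 ! Require SSHv2 where the image supports it (SSHv1 has known protocol weaknesses),
 ! and bound the negotiation time and login attempts.
 ip ssh version 2
 ip ssh time-out 60
 ip ssh authentication-retries 3
 ! SSH only protects the transport; users are still authenticated by the login method
 ! on the line (local usernames here, or an AAA method list if configured).
 username admin privilege 15 password Adm1n-Pass!
 line vty 0 15
  login local
  ! Accept SSH only: this removes Telnet from the vty lines.
  transport input ssh
  exec-timeout 10 0
end
! Checks
show ip ssh
show ssh
copy running-config startup-config
```

Test an SSH login from a second session before closing the one used here, and only then consider the Telnet path gone: "transport input ssh" applies to every vty, so a mistake in the key or the login method locks out all remote access.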
  • Page 229 Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
  • Page 230: Understanding 802.1X Port-Based Authentication

    Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 231: Authentication Initiation And Message Exchange

    Chapter 10 Configuring 802.1x Port-Based Authentication Understanding 802.1x Port-Based Authentication When the switch receives EAPOL frames and relays them to the authentication server, the Ethernet header is stripped and the remaining EAP frame is re-encapsulated in the RADIUS format. The EAP frames are not modified or examined during encapsulation, and the authentication server must support EAP within the native frame format.
  • Page 232: Ports In Authorized And Unauthorized States

    Figure 10-2 Message Exchange (client, switch, and RADIUS authentication server):
    Client  -> Switch: EAPOL-Start
    Switch  -> Client: EAP-Request/Identity
    Client  -> Switch: EAP-Response/Identity
    Switch  -> Server: RADIUS Access-Request
    Server  -> Switch: RADIUS Access-Challenge
    Switch  -> Client: EAP-Request/OTP
    Client  -> Switch: EAP-Response/OTP
    Switch  -> Server: RADIUS Access-Request
    Server  -> Switch: RADIUS Access-Accept
    Switch  -> Client: EAP-Success  (port authorized)
    Client  -> Switch: EAPOL-Logoff  (port unauthorized)
    Ports in Authorized and Unauthorized States: Depending on the switch port state, the switch can grant a client access to the network.
  • Page 233: Accounting

    Chapter 10 Configuring 802.1x Port-Based Authentication Understanding 802.1x Port-Based Authentication If the client is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are allowed through the port.
  • Page 234: Using 802.1X With Port Security

    Figure 10-3 Wireless LAN Example (wireless clients, an access point attached to the switch port, and a RADIUS authentication server).
    Using 802.1x with Port Security: You can configure 802.1x and port security on a port in either single-host or multiple-hosts mode. (You also must configure port security on the port by using the switchport port-security interface configuration command.) When you enable port security and 802.1x on a port, 802.1x authenticates the port, and port security manages network access for all MAC addresses, including that of the client.
  • Page 235: Using 802.1X With Voice Vlan Ports

    When 802.1x is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN. Note: If you enable 802.1x on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
  • Page 236: Using 802.1X With Guest Vlan

    Chapter 10 Configuring 802.1x Port-Based Authentication Understanding 802.1x Port-Based Authentication When configured on the switch and the RADIUS server, 802.1x with VLAN assignment has these characteristics: If no VLAN is supplied by the RADIUS server or if 802.1x authorization is disabled, the port is •...
  • Page 237: Using 802.1X With Per-User Acls

    If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
  • Page 238: 802.1X And Switch Stacks

    Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication The maximum size of the per-user ACL is 4000 ASCII characters. For examples of vendor-specific attributes, see the “Configuring the Switch to Use Vendor-Specific RADIUS Attributes” section on page 9-29. For more information about configuring ACLs, see Chapter 31, “Configuring Network Security with ACLs.”...
  • Page 239: Default 802.1X Configuration

    • Configuring the Switch-to-RADIUS-Server Communication, page 10-15 (required)
    • Configuring Periodic Re-Authentication, page 10-16 (optional)
    • Manually Re-Authenticating a Client Connected to a Port, page 10-16 (optional)
    • Changing the Quiet Period, page 10-17 (optional)
    • Changing the Switch-to-Client Retransmission Time, page 10-17 (optional)
  • Page 240: 802.1X Configuration Guidelines

    EtherChannel as an 802.1x port. If you try to enable 802.1x on an EtherChannel port, an error message appears, and 802.1x is not enabled. Note: In software releases earlier than Cisco IOS Release 12.2(18)SE, if 802.1x is enabled on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.
  • Page 241: Upgrading From A Previous Software Release

    Some global configuration commands became interface configuration commands, and new commands were added. If you have 802.1x configured on the switch and you upgrade to Cisco IOS Release 12.1(14)EA1 or later, the configuration file will not contain the new commands, and 802.1x will not operate. After the upgrade is complete, make sure to globally enable 802.1x by using the dot1x system-auth-control global...
  • Page 242 Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration. Step 3 The switch sends a start message to an accounting server. Step 4 Step 5 Re-authentication is performed, as necessary. Step 6 The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication.
  • Page 243: Configuring The Switch-To-Radius-Server Communication

    Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication Configuring the Switch-to-RADIUS-Server Communication RADIUS security servers are identified by their host name or IP address, host name and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.
  • Page 244: Configuring Periodic Re-Authentication

    Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, refer to the RADIUS server documentation.
  • Page 245: Changing The Quiet Period

    Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication Changing the Quiet Period When the switch cannot authenticate the client, the switch remains idle for a set period of time and then tries again. The dot1x timeout quiet-period interface configuration command controls the idle period. A failed authentication of the client might occur because the client provided an invalid password.
  • Page 246: Setting The Switch-To-Client Frame-Retransmission Number

    Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 show dot1x interface interface-id Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default retransmission time, use the no dot1x timeout tx-period interface configuration command.
  • Page 247: Configuring The Host Mode

    Note: You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers. Beginning in privileged EXEC mode, follow these steps to set the re-authentication number. This procedure is optional.
  • Page 248: Configuring A Guest Vlan

    Command Purpose Step 3 dot1x host-mode multi-host Allow multiple hosts (clients) on an 802.1x-authorized port. Make sure that the dot1x port-control interface configuration command is set to auto for the specified interface. Step 4 end Return to privileged EXEC mode.
  • Page 249: Resetting The 802.1X Configuration To The Default Values

    Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication This example shows how to set 3 as the quiet time on the switch, to set 15 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request, and to enable VLAN 2 as an 802.1x guest VLAN when an 802.1x port is connected to a DHCP client: Switch(config-if)# dot1x timeout quiet-period 3...
  • Page 250: Displaying 802.1X Statistics And Status

    Chapter 10 Configuring 802.1x Port-Based Authentication Displaying 802.1x Statistics and Status Beginning in privileged EXEC mode, follow these steps to configure 802.1x accounting after AAA is enabled on your switch. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
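The 802.1x procedures above (switch-to-RADIUS communication, periodic and manual re-authentication, quiet period, retransmission time and count, host mode, guest VLAN, accounting, and the display commands) brought together for one access port. This is an added example, not from the guide; the server address, key, VLAN numbers and port are made up, and the timer values are the ones the guide's own example uses.

```ios
! --- Added example (not from the guide); server address, key, VLANs and port are assumptions ---
configure terminal
 aaa new-model
 ! The switch is the RADIUS client; EAP from the client is relayed inside RADIUS.
 radius-server host 10.0.0.21 auth-port 1812 acct-port 1813 key R4dius-K3y-21
 aaa authentication dot1x default group radius
 ! Required for RADIUS-assigned VLANs (and per-user ACLs via Filter-Id).
 aaa authorization network default group radius
 ! 802.1x accounting: start, interim update on re-authentication, stop.
 aaa accounting dot1x default start-stop group radius
 ! Global enable; without it the per-port settings below do nothing.
 dot1x system-auth-control
 !
 interface gigabitethernet1/0/10
  ! 802.1x works only on access ports, never on trunks or EtherChannel members.
  switchport mode access
  switchport access vlan 20
  dot1x port-control auto
  ! Default is single-host. Use "dot1x host-mode multi-host" only behind a hub or
  ! access point: one authenticated client then opens the port for every MAC.
  ! Re-authenticate each client every hour.
  dot1x reauthentication
  dot1x timeout reauth-period 3600
  ! Guest VLAN for clients without a supplicant (e.g. DHCP-only devices);
  ! give that VLAN no path to anything sensitive.
  dot1x guest-vlan 2
  ! 3 s quiet period after a failed authentication, 15 s wait for an
  ! EAP-Request/Identity answer before resending, 2 resends before giving up.
  dot1x timeout quiet-period 3
  dot1x timeout tx-period 15
  dot1x max-req 2
end
! Checks
show dot1x interface gigabitethernet1/0/10
show dot1x statistics interface gigabitethernet1/0/10
! Force a client to re-authenticate now (e.g. after its server-side policy changed):
dot1x re-authenticate interface gigabitethernet1/0/10
copy running-config startup-config
```

Until a client passes, only EAPOL, CDP and STP cross this port, so a device that never speaks EAPOL ends up in VLAN 2 after the tx-period retries; whether that is acceptable depends entirely on what VLAN 2 can reach.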
  • Page 251: Understanding Interface Types

    • ...
    Note: For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the online Cisco IOS Interface Command Reference, Release 12.2. Understanding Interface Types: This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface types.
  • Page 252: C H A P T E R 11 Configuring Interface Characteristics

    Chapter 11 Configuring Interface Characteristics Understanding Interface Types EtherChannel Port Groups, page 11-5 • Connecting Interfaces, page 11-5 • Port-Based VLANs A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 13, “Configuring VLANs.”...
  • Page 253: Access Ports

    Catalyst 6500 series switch; the Catalyst 3750 switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 16, “Configuring Voice VLAN.”...
  • Page 254: 10-Gigabit Ethernet Interfaces

    Configure routed ports by putting the interface into Layer 3 mode with the no switchport interface configuration command. Then assign an IP address to the port, enable routing, and assign routing protocol characteristics by using the ip routing and router protocol global configuration commands. Note Entering a no switchport interface configuration command shuts down the interface and then re-enables it, which might generate messages on the device to which the interface is connected.
  • Page 255: EtherChannel Port Groups

    Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP), which operate only on physical ports.
  • Page 256 Figure 11-1 Connecting VLANs with Layer 2 Switches. By using the switch with routing enabled, when you configure VLAN 20 and VLAN 30 each with an...
  • Page 257: Using Interface Configuration Mode

    Chapter 11 Configuring Interface Characteristics Using Interface Configuration Mode When the EMI is running on the stack master, the switch supports two methods of forwarding traffic between interfaces: routing and fallback bridging. If the SMI is on the stack master, only basic routing (static routing and RIP) is supported.
  • Page 258: Procedures For Configuring Interfaces

    You can identify physical interfaces by physically checking the interface location on the switch. You can also use the Cisco IOS show privileged EXEC commands to display information about a specific interface or all the interfaces on the switch. The remainder of this chapter primarily provides physical interface configuration procedures.
  • Page 259: Configuring a Range of Interfaces

    You can also configure a range of interfaces by using the interface range or interface range macro global configuration commands. Interfaces configured in a range must be the same type and must be configured with the same feature options.
  • Page 260: Configuring and Using Interface Range Macros

    • port-channel port-channel-number - port-channel-number, where the port-channel-number is 1 to 12 Note When you use the interface range command with port channels, the first and last port channel number must be active port channels. • You must add a space between the first interface number and the hyphen when using the...
  • Page 261 Beginning in privileged EXEC mode, follow these steps to define an interface range macro: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 define interface-range macro_name interface-range Define the interface-range macro, and save it in NVRAM. •...
  • Page 262: Configuring Ethernet Interfaces

    Chapter 11 Configuring Interface Characteristics Configuring Ethernet Interfaces This example shows how to define an interface-range named enet_list to include ports 1 and 2 on switch 1 and to verify the macro configuration: Switch# configure terminal Switch(config)# define interface-range enet_list gigabitethernet1/0/1 - 2 Switch(config)# end Switch# show running-config | include define define interface-range enet_list GigabitEthernet1/0/1 - 2...
  • Page 263 Enabled. Note The switch might not support a pre-standard powered device—such as Cisco IP phones and access points that do not fully support IEEE 802.3af—if that powered device is connected to the switch through a crossover cable. This is regardless of whether Auto-MDIX is enabled on the switch port.
  • Page 264: Configuration Guidelines for 10-Gigabit Ethernet Interfaces

    The speed and duplex features are not supported. • The 10-Gigabit interfaces do not support these QoS features: – Policing – Auto-QoS for VoIP with Cisco IP Phones – Servicing the egress queues by using shaped round robin (SRR) weights – Limiting the bandwidth on an egress interface –...
  • Page 265: Configuration Guidelines

    These sections describe how to configure the interface speed and duplex mode: • Configuration Guidelines, page 11-15 • Setting the Interface Speed and Duplex Parameters, page 11-15 Configuration Guidelines When configuring an interface speed and duplex mode, note these guidelines: • If both ends of the line support autonegotiation, we highly recommend the default setting of auto...
  • Page 266 Command Purpose Step 3 speed {10 | 100 | 1000 | auto | nonegotiate} Enter the appropriate speed parameter for the interface: • Enter 10, 100, or 1000 to set a specific speed for the interface. ...
  • Page 267: Configuring IEEE 802.3z Flow Control

    Configuring IEEE 802.3z Flow Control Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. If one port experiences congestion and cannot receive any more traffic, it notifies the other port to stop sending until the condition clears by sending a pause frame.
  • Page 268: Configuring Auto-MDIX on an Interface

    Configuring Auto-MDIX on an Interface When automatic medium-dependent interface crossover (Auto-MDIX) is enabled on an interface, the interface automatically detects the required cable connection type (straight through or crossover) and configures the connection appropriately. When connecting switches without the Auto-MDIX feature, you must use straight-through cables to connect to devices such as servers, workstations, or routers and crossover cables to connect to other switches or repeaters.
  • Page 269: Configuring Power over Ethernet on an Interface

    After power is applied to an interface, the switch uses Cisco Discovery Protocol (CDP) to determine the power requirement of the connected Cisco PoE (standard and pre-standard) devices, and the switch adjusts the power budget accordingly.
  • Page 270: Adding a Description for an Interface

    39-13. This example shows how to enable automatic PoE on a port and the response from the show power inline command for the interface when a Cisco IEEE-compliant IP Phone is being supplied with power: Switch# configure terminal Switch(config)# interface fastethernet1/0/1...
  • Page 271: Configuring Layer 3 Interfaces

    Chapter 11 Configuring Interface Characteristics Configuring Layer 3 Interfaces Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show interfaces interface-id description Verify your entry. show running-config Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no description interface configuration command to delete the description.
  • Page 272: Configuring the System MTU

    Chapter 11 Configuring Interface Characteristics Configuring the System MTU • If the switch is notified by VLAN Trunking Protocol (VTP) of a new VLAN, it sends a message that there are not enough hardware resources available and shuts down the VLAN. The output of the show vlan user EXEC command shows the VLAN in a suspended state.
  • Page 273 support jumbo frames on all Gigabit Ethernet interfaces by using the system mtu jumbo global configuration command. Gigabit Ethernet ports are not affected by the system mtu command; 10/100 ports are not affected by the system jumbo mtu command. You cannot set the MTU size for an individual interface;...
  • Page 274: Monitoring and Maintaining the Interfaces

    (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.2. Table 11-3 Show Commands for Interfaces...
  • Page 275: Clearing and Resetting Interfaces and Counters

    Chapter 11 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces Clearing and Resetting Interfaces and Counters Table 11-4 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces. Table 11-4 Clear Commands for Interfaces Command Purpose clear counters [interface-id]...
  • Page 277: Configuring Smartports Macros

    When the macro is applied to an interface, the existing interface configurations are not lost. The new commands are added to the interface and are saved in the running configuration file. There are Cisco-default Smartports macros embedded in the switch software (see Table 12-1).
  • Page 278: Configuring Smartports Macros

    Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
  • Page 279: Smartports Macro Configuration Guidelines

    EXEC command. Follow these guidelines when you apply a Cisco-default Smartports macro on an interface: • Display all macros on the switch by using the show parser macro user EXEC command. Display the contents of a specific macro by using the show parser macro macro-name user EXEC command.
  • Page 280: Creating Smartports Macros

    Chapter 12 Configuring Smartports Macros Configuring Smartports Macros The Cisco-default macros use the $ character to help identify required keywords. There is no restriction on using the $ character to define keywords when you create a macro. Creating Smartports Macros...
  • Page 281: Applying Smartports Macros

    Applying Smartports Macros Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 macro global {apply | trace} macro-name [parameter {value}] Apply each individual command defined in the macro to the switch by entering macro global apply macro-name.
  • Page 282: Applying Cisco-Default Smartports Macros

    Enter global configuration mode. Step 4 macro global {apply | trace} macro-name [parameter {value}] Append the Cisco-default macro with the required values by using the parameter value keywords and apply the macro to the switch. [parameter {value}] [parameter...
  • Page 283 You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command. This example shows how to display the cisco-desktop macro, how to apply the macro, and to set the access VLAN ID to 25 on an interface:...
  • Page 284: Displaying Smartports Macros

    Chapter 12 Configuring Smartports Macros Displaying Smartports Macros Displaying Smartports Macros To display the Smartports macros, use one or more of the privileged EXEC commands in Table 12-2. Table 12-2 Commands for Displaying Smartports Macros Command Purpose show parser macro Displays all configured macros.
  • Page 285: Configuring VLANs

    Chapter 13 Configuring VLANs This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Catalyst 3750 switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS).
  • Page 286 Figure 13-1 VLANs as Logically Defined Networks. VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
  • Page 287: Chapter 13 Configuring VLANs

    Chapter 13 Configuring VLANs Understanding VLANs Supported VLANs The switch supports 1005 VLANs in VTP client, server, and transparent modes. VLANs are identified with a number from 1 to 4094. VLAN IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
  • Page 288 Dynamic-Access Ports on VMPS Clients” section on page 13-30. Voice VLAN A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic. VTP is not required; it has no effect on a voice VLAN.
  • Page 289: Configuring Normal-Range VLANs

    Chapter 13 Configuring VLANs Configuring Normal-Range VLANs Configuring Normal-Range VLANs Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or transparent mode, you can add, modify or remove configurations for VLANs 2 to 1001 in the VLAN database.
  • Page 290: Token Ring VLANs

    This section includes information about these topics about normal-range VLANs: • Token Ring VLANs, page 13-6 • Normal-Range VLAN Configuration Guidelines, page 13-6 • VLAN Configuration Mode Options, page 13-7 • Saving VLAN Configuration, page 13-8...
  • Page 291: VLAN Configuration Mode Options

    are several adjacent switches that all have run out of spanning-tree instances. You can prevent this possibility by setting allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances.
  • Page 292: Saving VLAN Configuration

    Saving VLAN Configuration The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database (vlan.dat file). If VTP mode is transparent, they are also saved in the switch running configuration file and you can enter the copy running-config startup-config privileged EXEC command to save the configuration in the startup configuration file.
  • Page 293: Creating or Modifying an Ethernet VLAN

    Table 13-2 Ethernet VLAN Defaults and Ranges (continued) Parameter Default Range Translational bridge 1 0–1005 Translational bridge 2 0–1005 VLAN state active active, suspend Remote SPAN disabled enabled, disabled Private VLANs none configured 2 to 1001, 1006 to 4094.
  • Page 294 Command Purpose Step 7 show vlan {name vlan-name | id vlan-id} Verify your entries. Step 8 copy running-config startup-config (Optional) If the switch is in VTP transparent mode, the VLAN configuration is saved in the running configuration file as well as in the VLAN database.
  • Page 295: Deleting a VLAN

    This example shows how to use VLAN configuration mode to create Ethernet VLAN 20, name it test20, and add it to the VLAN database: Switch# vlan database Switch(vlan)# vlan 20 name test20 Switch(vlan)# exit APPLY completed.
  • Page 296: Configuring Extended-Range VLANs

    Chapter 13 Configuring VLANs Configuring Extended-Range VLANs Beginning in privileged EXEC mode, follow these steps to assign a port to a VLAN in the VLAN database: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter the interface to be added to the VLAN.
  • Page 297: Default VLAN Configuration

    • Creating an Extended-Range VLAN, page 13-14 • Creating an Extended-Range VLAN with an Internal VLAN ID, page 13-15 Default VLAN Configuration See Table 13-2 on page 13-8 for the default configuration for Ethernet VLANs. You can change only the MTU size and remote SPAN configuration state on extended-range VLANs;...
  • Page 298: Creating an Extended-Range VLAN

    • Although the switch stack supports a total of 1005 (normal-range and extended-range) VLANs, the number of routed ports, SVIs, and other configured features affects the use of the switch hardware. If you try to create an extended-range VLAN and there are not enough hardware resources available, an error message is generated, and the extended-range VLAN is rejected.
  • Page 299: Creating an Extended-Range VLAN with an Internal VLAN ID

    Command Purpose Step 7 show vlan id vlan-id Verify that the VLAN has been created. Step 8 copy running-config startup-config Save your entries in the switch startup configuration file. To save extended-range VLAN configurations, you need to save the VTP transparent mode configuration and the extended-range VLAN configuration in the switch startup configuration file.
  • Page 300: Displaying VLANs

    Chapter 13 Configuring VLANs Displaying VLANs Command Purpose Step 11 Return to privileged EXEC mode. Step 12 copy running-config startup-config Save your entries in the switch startup configuration file. To save an extended-range VLAN configuration, you need to save the VTP transparent mode configuration and the extended-range VLAN configuration in the switch startup configuration file.
  • Page 301: Trunking Overview

    Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network. Two trunking encapsulations are available on all Ethernet interfaces: • Inter-Switch Link (ISL)—ISL is Cisco-proprietary trunking encapsulation. • 802.1Q—802.1Q is industry-standard trunking encapsulation.
  • Page 302: Encapsulation Types

    Chapter 13 Configuring VLANs Configuring VLAN Trunks You can also specify on DTP interfaces whether the trunk uses ISL or 802.1Q encapsulation or if the encapsulation type is autonegotiated. The DTP supports autonegotiation of both ISL and 802.1Q trunks. Note DTP is not supported on private-VLAN ports.
  • Page 303: 802.1Q Configuration Considerations

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco 802.1Q switch.
  • Page 304: Interaction with Other Features

    Note By default, an interface is in Layer 2 mode. The default mode for Layer 2 interfaces is switchport mode dynamic auto. If the neighboring interface supports trunking and is configured to allow trunking, the link is a Layer 2 trunk or, if the interface is in Layer 3 mode, it becomes a Layer 2 trunk when you enter the switchport interface configuration command.
  • Page 305: Defining the Allowed VLANs on a Trunk

    VLANs from the allowed list. Note VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning tree advertisements) is sent or received on VLAN 1.
  • Page 306: Changing the Pruning-Eligible List

    VLAN 1 from the allowed list. When you remove VLAN 1 from a trunk port, the interface continues to send and receive management traffic, for example, Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), DTP, and VLAN Trunking Protocol (VTP) in VLAN 1.
  • Page 307: Configuring the Native VLAN for Untagged Traffic

    Beginning in privileged EXEC mode, follow these steps to remove VLANs from the pruning-eligible list on a trunk port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and select the trunk port for which VLANs should be pruned.
  • Page 308: Configuring Trunk Ports for Load Sharing

    Command Purpose Step 3 switchport trunk native vlan vlan-id Configure the VLAN that is sending and receiving untagged traffic on the trunk port. For vlan-id, the range is 1 to 4094. Step 4 Return to privileged EXEC mode.
  • Page 309 Figure 13-3 Load Sharing by Using STP Port Priorities...
  • Page 310: Load Sharing Using STP Path Cost

    Command Purpose Step 15 show vlan When the trunk links come up, VTP passes the VTP and VLAN information to Switch B. Verify that Switch B has learned the VLAN configuration. Step 16 configure terminal Enter global configuration mode on Switch A.
  • Page 311: Configuring VMPS

    Chapter 13 Configuring VLANs Configuring VMPS Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 13-4: Command Purpose Step 1 configure terminal Enter global configuration mode on Switch A. Step 2 interface gigabitethernet1/0/1 Enter interface configuration mode, and define the interface to be configured as a trunk.
  • Page 312: Understanding VMPS

    • “VMPS Configuration Guidelines” section on page 13-29 • “Configuring the VMPS Client” section on page 13-30 • “Monitoring the VMPS” section on page 13-32 • “Troubleshooting Dynamic-Access Port VLAN Membership” section on page 13-33 • “VMPS Configuration Example”...
  • Page 313: Default VMPS Client Configuration

    Multiple hosts (MAC addresses) can be active on a dynamic-access port if they are all in the same VLAN; however, the VMPS shuts down a dynamic-access port if more than 20 hosts are active on the port.
  • Page 314: Configuring the VMPS Client

    • The VTP management domain of the VMPS client and the VMPS server must be the same. • The VLAN configured on the VMPS server should not be a voice VLAN. Configuring the VMPS Client You configure dynamic VLANs by using the VMPS (server).
  • Page 315: Reconfirming VLAN Memberships

    Beginning in privileged EXEC mode, follow these steps to configure a dynamic-access port on a VMPS client switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode for the switch port that is connected to the end station.
  • Page 316: Changing the Retry Count

    Command Purpose Step 4 show vmps Verify the dynamic VLAN reconfirmation status in the Reconfirm Interval field of the display. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no vmps reconfirm global configuration command. Changing the Retry Count Beginning in privileged EXEC mode, follow these steps to change the number of times that the switch attempts to contact the VMPS before querying the next server:...
  • Page 317: Troubleshooting Dynamic-Access Port VLAN Membership

    VMPS domain server: 172.20.128.86 (primary, current) 172.20.128.87 Reconfirmation status --------------------- VMPS Action: other Troubleshooting Dynamic-Access Port VLAN Membership The VMPS shuts down a dynamic-access port under these conditions: • The VMPS is in secure mode, and it does not allow the host to connect to the port. The VMPS shuts down the port to prevent the host from connecting to the network.
  • Page 318 Figure 13-5 Dynamic Port VLAN Membership Configuration...
  • Page 319: Configuring VTP

    Chapter 14 Configuring VTP This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
  • Page 320: Chapter 14 Configuring VTP

    Chapter 14 Configuring VTP Understanding VTP The switch supports 1005 VLANs, but the number of routed ports, SVIs, and other configured features affects the usage of the switch hardware. If the switch is notified by VTP of a new VLAN and the switch is already using the maximum available hardware resources, it sends a message that there are not enough hardware resources available and shuts down the VLAN.
  • Page 321: VTP Modes

    If you configure a switch for VTP transparent mode, you can create and modify VLANs, but the changes are not sent to other switches in the domain, and they affect only the individual switch. However, configuration changes made when the switch is in this mode are saved in the switch running configuration and can be saved to the switch startup configuration file.
  • Page 322: VTP Version 2

    Note Because trunk ports send and receive VTP advertisements, you must ensure that at least one trunk port is configured on the switch stack and that this trunk port is connected to the trunk port of another switch. Otherwise, the switch cannot receive any VTP advertisements.
  • Page 323: VTP Pruning

    VTP Pruning VTP pruning increases network available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the destination devices. Without VTP pruning, a switch floods broadcast, multicast, and unknown unicast traffic across all trunk links within a VTP domain even though receiving switches might discard them.
  • Page 324: VTP and Switch Stacks

    Figure 14-2 Optimized Flooded Traffic with VTP Pruning. Enabling VTP pruning on a VTP server enables pruning for the entire management domain.
  • Page 325: Default VTP Configuration

    Chapter 14 Configuring VTP Configuring VTP This section includes guidelines and procedures for configuring VTP. These sections are included: • Default VTP Configuration, page 14-7 • VTP Configuration Options, page 14-7 • VTP Configuration Guidelines, page 14-8 • Configuring a VTP Server, page 14-10...
  • Page 326: VTP Configuration in VLAN Database Configuration Mode

    configuration file, and you can save it in the switch startup configuration file by entering the copy running-config startup-config privileged EXEC command. You must use this command if you want to save VTP mode as transparent, even if the switch resets. When you save VTP information in the switch startup configuration file and reboot the switch, the switch configuration is selected as follows: If the VTP mode is transparent in the startup configuration and the VLAN database and the VTP...
  • Page 327: Passwords

    Passwords You can configure a password for the VTP domain, but it is not required. If you do configure a domain password, all domain switches must share the same password and you must configure the password on each switch in the management domain.
  • Page 328: Configuring a VTP Server

    Configuring a VTP Server When a switch is in VTP server mode, you can change the VLAN configuration and have it propagated throughout the network. Note If extended-range VLANs are configured on the switch, you cannot change VTP mode to server. You receive an error message, and the configuration is not allowed.
  • Page 329: Configuring a VTP Client

    Command Purpose Step 3 vtp domain domain-name Configure a VTP administrative-domain name. The name can be from 1 to 32 characters. All switches operating in VTP server or client mode under the same administrative responsibility must be configured with the same domain name.
  • Page 330: Disabling VTP (VTP Transparent Mode)

    Beginning in privileged EXEC mode, follow these steps to configure the switch as a VTP client: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vtp mode client Configure the switch for VTP client mode. The default setting is VTP server.
  • Page 331: Enabling VTP Version 2

    Beginning in privileged EXEC mode, follow these steps to configure VTP transparent mode and save the VTP configuration in the switch startup configuration file: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vtp mode transparent Configure the switch for VTP transparent mode (disable VTP).
  • Page 332: Enabling VTP Pruning

    Beginning in privileged EXEC mode, follow these steps to enable VTP Version 2: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vtp version 2 Enable VTP Version 2 on the switch. VTP Version 2 is disabled by default on VTP Version 2-capable switches.
  • Page 333: Adding a VTP Client Switch to a VTP Domain

    Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning-eligible on trunk ports. Reserved VLANs and extended-range VLANs cannot be pruned. To change the pruning-eligible VLANs, see the “Changing the Pruning-Eligible List”...
  • Page 334: Monitoring VTP

    Chapter 14 Configuring VTP Monitoring VTP Monitoring VTP You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 14-3 shows the privileged EXEC commands for monitoring VTP activity.
  • Page 335: Configuring Private Vlans

    Chapter 15 Configuring Private VLANs This chapter describes how to configure private VLANs on the Catalyst 3750 switch. To use this feature, the stack master must be running the enhanced multilayer image (EMI). We strongly recommend that the stack members also run the EMI when private VLANs are configured.
  • Page 336: Chapter 15 Configuring Private Vlan

    Chapter 15 Configuring Private VLANs Understanding Private VLANs (Figure 15-1 Private-VLAN Domain: a primary VLAN domain divided into secondary community-VLAN and isolated-VLAN subdomains) There are two types of secondary VLANs: • Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the...
  • Page 337: Ip Addressing Scheme With Private Vlans

    Chapter 15 Configuring Private VLANs Understanding Private VLANs Primary and secondary VLANs have these characteristics: • Primary VLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.
  • Page 338: Private Vlans Across Multiple Switches

    Chapter 15 Configuring Private VLANs Understanding Private VLANs Private VLANs across Multiple Switches As with regular VLANs, private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch. The trunk port treats the private VLAN as any other VLAN.
  • Page 339: Private Vlans And Unicast, Broadcast, And Multicast Traffic

    Chapter 15 Configuring Private VLANs Understanding Private VLANs You should also see the “Secondary and Primary VLAN Configuration” section on page 15-7 under the “Private-VLAN Configuration Guidelines” section. Private VLANs and Unicast, Broadcast, and Multicast Traffic In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but devices connected to interfaces in different VLANs must communicate at the Layer 3 level.
  • Page 340: Tasks For Configuring Private Vlans

    Chapter 15 Configuring Private VLANs Configuring Private VLANs • If a stack master that contains the only private-VLAN promiscuous port in the stack fails or leaves the stack and a new stack master is elected, host ports in a private VLAN that had its promiscuous port on the old stack master lose connectivity outside of the private VLAN.
  • Page 341: Default Private-Vlan Configuration

    Chapter 15 Configuring Private VLANs Configuring Private VLANs Default Private-VLAN Configuration No private VLANs are configured. Private-VLAN Configuration Guidelines Guidelines for configuring private VLANs fall into these categories: • Secondary and Primary VLAN Configuration, page 15-7 • Private-VLAN Port Configuration, page 15-8 • Limitations with Other Features, page 15-9...
  • Page 342: Private-Vlan Port Configuration

    Chapter 15 Configuring Private VLANs Configuring Private VLANs Connecting a device with a different MAC address but with the same IP address generates a message and the ARP entry is not created. Because the private-VLAN port sticky ARP entries do not age out, you must manually remove private-VLAN port ARP entries if a MAC address changes.
  • Page 343: Limitations With Other Features

    Chapter 15 Configuring Private VLANs Configuring Private VLANs Limitations with Other Features When configuring private VLANs, remember these limitations with other features: In some cases, the configuration is accepted with no error messages, but the commands have no effect. Note Do not configure fallback bridging on switches with private VLANs.
  • Page 344: Configuring And Associating Vlans In A Private Vlan

    Chapter 15 Configuring Private VLANs Configuring Private VLANs Configuring and Associating VLANs in a Private VLAN Beginning in privileged EXEC mode, follow these steps to configure a private VLAN: Note The private-vlan commands do not take effect until you exit VLAN configuration mode. Command Purpose Step 1...
  • Page 345: Configuring A Layer 2 Interface As A Private-Vlan Host Port

    Chapter 15 Configuring Private VLANs Configuring Private VLANs When you associate secondary VLANs with a primary VLAN, note this syntax information: • The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items. • Each item can be a single private-VLAN ID or a hyphenated range of private-VLAN IDs. •...
  • Page 346: Configuration File

    Chapter 15 Configuring Private VLANs Configuring Private VLANs Command Purpose Step 3 switchport mode private-vlan host Configure the Layer 2 port as a private-VLAN host port. Step 4 switchport private-vlan host-association primary_vlan_id secondary_vlan_id Associate the Layer 2 port with a private VLAN. Step 5 Return to privileged EXEC mode.
  • Page 347: Configuring A Layer 2 Interface As A Private-Vlan Promiscuous Port

    Chapter 15 Configuring Private VLANs Configuring Private VLANs Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN promiscuous port and map it to primary and secondary VLANs: Note Isolated and community VLANs are both secondary VLANs.
  • Page 348: Mapping Secondary Vlans To A Primary Vlan Layer 3 Vlan Interface

    Chapter 15 Configuring Private VLANs Configuring Private VLANs Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface If the private VLAN will be used for inter-VLAN routing, you configure an SVI for the primary VLAN and map secondary VLANs to the SVI. Note Isolated and community VLANs are both secondary VLANs.
  • Page 349: Monitoring Private Vlans

    Chapter 15 Configuring Private VLANs Monitoring Private VLANs Monitoring Private VLANs Table 15-1 shows the privileged EXEC commands for monitoring private-VLAN activity. Table 15-1 Private VLAN Monitoring Commands Command Purpose show interfaces status Displays the status of interfaces, including the VLANs to which they belong.
  • Page 350 Chapter 15 Configuring Private VLANs Monitoring Private VLANs
  • Page 351: Configuring Voice Vlan

    The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When the switch is connected to a Cisco 7960 IP Phone, the IP Phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS.
  • Page 352: Chapter 16 Configuring Voice Vlan

    Cisco IP Phone Voice Traffic You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on...
  • Page 353: Configuring Voice Vlan

    voice VLAN, the Port Fast feature is not automatically disabled. • If the Cisco IP Phone and a device attached to the Cisco IP Phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN: • They both use 802.1p or untagged frames.
  • Page 354: Configuring A Port Connected To A Cisco 7960 Ip Phone

    Because a Cisco 7960 IP Phone also supports a connection to a PC or other device, a port connecting the switch to a Cisco IP Phone can carry mixed traffic. You can configure a port to decide how the IP phone carries voice traffic and data traffic.
  • Page 355 Cisco IP Phone to use 802.1p priority tagging for voice traffic and to use the default native VLAN (VLAN 0) to carry all traffic. By default, the Cisco IP Phone forwards the voice traffic with an 802.1p priority of 5.
  • Page 356: Displaying Voice Vlan

    Configuring the Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in 802.1Q or 802.1p frames), you can configure the switch to send CDP packets to instruct the IP phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
  • Page 357: Configuring Stp

    Catalyst 3750 switch. The switch uses the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or it can use the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard. A switch stack appears as a single spanning-tree node to the rest of the network, and all stack members use the same bridge ID.
  • Page 358: Chapter 17 Configuring Stp

    The path cost value represents the media speed. Note In Cisco IOS Release 12.2(18)SE and later releases, the switch sends keepalive messages (to ensure the connection is up) only on interfaces that do not have small form-factor pluggable (SFP) modules.
  • Page 359: Spanning-Tree Topology And Bpdus

    Chapter 17 Configuring STP Understanding Spanning-Tree Features Spanning-Tree Topology and BPDUs The stable, active spanning-tree topology of a switched network is controlled by these elements: • The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch.
  • Page 360: Bridge Id, Switch Priority, And Extended System Id

    Chapter 17 Configuring STP Understanding Spanning-Tree Features Only one outgoing port on the stack root switch is selected as the root port. The remaining switches in the stack become its designated switches (Switch 2 and Switch 3) as shown in Figure 17-1 on page 17-4.
  • Page 361: Spanning-Tree Interface States

    Chapter 17 Configuring STP Understanding Spanning-Tree Features uniqueness of the bridge ID. As shown in Table 17-1, the two bytes previously used for the switch priority are reallocated into a 4-bit priority value and a 12-bit extended system ID value equal to the VLAN ID.
  • Page 362 Chapter 17 Configuring STP Understanding Spanning-Tree Features Figure 17-2 illustrates how an interface moves through the states. (Figure 17-2 Spanning-Tree Interface States: power-on initialization, blocking, listening, learning, forwarding, and disabled states) When you power up the switch, spanning tree is enabled by default, and every interface in the switch, VLAN, or network goes through the blocking state and the transitory states of listening and learning.
  • Page 363: Blocking State

    Chapter 17 Configuring STP Understanding Spanning-Tree Features Blocking State A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each switch interface. A switch initially functions as the root until it exchanges BPDUs with other switches.
  • Page 364: Disabled State

    Chapter 17 Configuring STP Understanding Spanning-Tree Features Disabled State A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational. A disabled interface performs these functions: • Discards frames received on the interface...
  • Page 365: Spanning Tree And Redundant Connectivity

    Chapter 17 Configuring STP Understanding Spanning-Tree Features Spanning Tree and Redundant Connectivity You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure 17-4. Spanning tree automatically disables one interface but enables it if the other one fails.
  • Page 366: Spanning-Tree Modes And Protocols

    Spanning-Tree Modes and Protocols The switch supports these spanning-tree modes and protocols: • PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet, Fast Ethernet, and Gigabit Ethernet port-based VLANs.
  • Page 367: Spanning-Tree Interoperability And Backward Compatibility

    VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
  • Page 368: Vlan-Bridge Spanning Tree

    Configuring Spanning-Tree Features VLAN-Bridge Spanning Tree Cisco VLAN-bridge spanning tree is used with the fallback bridging feature (bridge groups), which forwards non-IP protocols such as DECnet between two or more VLAN bridge domains or routed ports. The VLAN-bridge spanning tree allows the bridge groups to form a spanning tree on top of the individual VLAN spanning trees to prevent loops from forming if there are multiple connections among VLANs.
  • Page 369: Default Spanning-Tree Configuration

    Chapter 17 Configuring STP Configuring Spanning-Tree Features • Configuring a Secondary Root Switch, page 17-17 (optional) • Configuring Port Priority, page 17-18 (optional) • Configuring Path Cost, page 17-20 (optional) • Configuring the Switch Priority of a VLAN, page 17-21 (optional) • Configuring Spanning-Tree Timers, page 17-22 (optional)
  • Page 370: Changing The Spanning-Tree Mode

    Chapter 17 Configuring STP Configuring Spanning-Tree Features If 128 instances of spanning tree are already in use, you can disable spanning tree on one of the VLANs and then enable it on the VLAN where you want it to run. Use the no spanning-tree vlan vlan-id global configuration command to disable spanning tree on a specific VLAN, and use the spanning-tree vlan vlan-id global configuration command to enable spanning tree on the desired VLAN.
  • Page 371: Disabling Spanning Tree

    Chapter 17 Configuring STP Configuring Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 372: Configuring The Root Switch

    Chapter 17 Configuring STP Configuring Spanning-Tree Features Caution When spanning tree is disabled and loops are present in the topology, excessive traffic and indefinite packet duplication can drastically reduce network performance. Beginning in privileged EXEC mode, follow these steps to disable spanning tree on a per-VLAN basis. This procedure is optional.
  • Page 373: Configuring A Secondary Root Switch

    Chapter 17 Configuring STP Configuring Spanning-Tree Features Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network). When you specify the network diameter, the switch automatically sets an optimal hello time, forward-delay time, and maximum-age time for a network of that diameter, which can significantly reduce the convergence time.
  • Page 374: Configuring Port Priority

    Chapter 17 Configuring STP Configuring Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to configure a switch to become the secondary root for the specified VLAN. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree vlan vlan-id root secondary Configure a switch to become the secondary root for the specified...
  • Page 375 Chapter 17 Configuring STP Configuring Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to configure the port priority of an interface. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify an interface to configure, and enter interface configuration mode.
  • Page 376: Configuring Path Cost

    Chapter 17 Configuring STP Configuring Spanning-Tree Features Configuring Path Cost The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
  • Page 377: Configuring The Switch Priority Of A Vlan

    Chapter 17 Configuring STP Configuring Spanning-Tree Features To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree path costs, see the “Configuring Trunk Ports for Load Sharing”...
  • Page 378: Configuring Spanning-Tree Timers

    Chapter 17 Configuring STP Configuring Spanning-Tree Features Configuring Spanning-Tree Timers Table 17-4 describes the timers that affect the entire spanning-tree performance. Table 17-4 Spanning-Tree Timers Variable Description Hello timer Controls how often the switch broadcasts hello messages to other switches. Forward-delay timer Controls how long each of the listening and learning states last before the interface begins forwarding.
  • Page 379: Configuring The Forwarding-Delay Time For A Vlan

    Chapter 17 Configuring STP Configuring Spanning-Tree Features Configuring the Forwarding-Delay Time for a VLAN Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 380: Displaying The Spanning-Tree Status

    Chapter 17 Configuring STP Displaying the Spanning-Tree Status Displaying the Spanning-Tree Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 17-5: Table 17-5 Commands for Displaying Spanning-Tree Status Command Purpose show spanning-tree active Displays spanning-tree information on active interfaces only.
  • Page 381: Configuring Mstp

    Chapter 18 Configuring MSTP This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 3750 switch. Note The multiple spanning-tree (MST) implementation is a pre-standard implementation. It is based on the draft version of the IEEE standard.
  • Page 382: Chapter 18 Configuring Mstp

    Chapter 18 Configuring MSTP Understanding MSTP • Configuring MSTP Features, page 18-12 • Displaying the MST Configuration and Status, page 18-24 Understanding MSTP MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances.
  • Page 383: Ist, Cist, And Cst

    Chapter 18 Configuring MSTP Understanding MSTP IST, CIST, and CST Unlike PVST+ and rapid PVST+ in which all the spanning-tree instances are independent, the MSTP establishes and maintains two types of spanning trees: • An internal spanning tree (IST), which is the spanning tree that runs in an MST region. •...
  • Page 384: Operations Between Mst Regions

    Chapter 18 Configuring MSTP Understanding MSTP Operations Between MST Regions If there are multiple regions or legacy 802.1D switches within the network, MSTP establishes and maintains the CST, which includes all MST regions and all legacy STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
  • Page 385: Hop Count

    Chapter 18 Configuring MSTP Understanding MSTP Hop Count The IST and MST instances do not use the message-age and maximum-age information in the configuration BPDU to compute the spanning-tree topology. Instead, they use the path cost to the root and a hop-count mechanism similar to the IP time-to-live (TTL) mechanism. By using the spanning-tree mst max-hops global configuration command, you can configure the maximum hops inside the region and apply it to the IST and all MST instances in that region.
  • Page 386: Mstp And Switch Stacks

    Chapter 18 Configuring MSTP Understanding RSTP MSTP and Switch Stacks A switch stack appears as a single spanning-tree node to the rest of the network, and all stack members use the same bridge ID for a given spanning tree. The bridge ID is derived from the MAC address of the stack master.
  • Page 387: Port Roles And The Active Topology

    (Table fragment comparing port states: learning, forwarding, disabled, discarding) To be consistent with Cisco STP implementations, this guide documents the port state as blocking instead of discarding. Designated ports start in the listening state.
  • Page 388: Rapid Convergence

    Chapter 18 Configuring MSTP Understanding RSTP Rapid Convergence The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN. It provides rapid convergence for edge ports, new root ports, and ports connected through point-to-point links as follows: • Edge ports—If you configure a port as an edge port on an RSTP switch by using the spanning-tree...
  • Page 389: Synchronization Of Port Roles

    Chapter 18 Configuring MSTP Understanding RSTP (Figure 18-2 Proposal and Agreement Handshaking for Rapid Convergence: proposal and agreement exchanges between Switch A, Switch B, and Switch C; DP = designated port, RP = root port, F = forwarding) Synchronization of Port Roles When the switch receives a proposal message on one of its ports and that port is selected as the new root...
  • Page 390: Bridge Protocol Data Unit Format And Processing

    Chapter 18 Configuring MSTP Understanding RSTP (Figure 18-3 Sequence of Events During Rapid Convergence: numbered proposal, block, agreement, and forward steps across root, designated, and edge ports) Bridge Protocol Data Unit Format and Processing The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version...
  • Page 391: Processing Superior Bpdu Information

    Chapter 18 Configuring MSTP Understanding RSTP The RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change (TC) flag to show the topology changes. However, for interoperability with 802.1D switches, the RSTP switch processes and generates TCN BPDUs. The learning and forwarding flags are set according to the state of the sending port.
  • Page 392: Configuring Mstp Features

    Chapter 18 Configuring MSTP Configuring MSTP Features • Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.
  • Page 393: Default Mstp Configuration

    Chapter 18 Configuring MSTP Configuring MSTP Features Default MSTP Configuration Table 18-3 shows the default MSTP configuration. Table 18-3 Default MSTP Configuration Feature Default Setting Spanning-tree mode PVST+ (Rapid PVST+ and MSTP are disabled). Switch priority (configurable on a per-CIST port basis) 32768.
  • Page 394: Specifying The Mst Region Configuration And Enabling Mstp

    Chapter 18 Configuring MSTP Configuring MSTP Features • For load balancing across redundant paths in the network to work, all VLAN-to-instance mapping assignments must match; otherwise, all traffic flows on a single link. You can achieve load balancing across a switch stack by manually configuring the path cost. • All MST boundary ports must be forwarding for load balancing between a PVST+ and an MST...
  • Page 395: Configuring The Root Switch

    Chapter 18 Configuring MSTP Configuring MSTP Features Command Purpose Step 8 spanning-tree mode mst Enable MSTP. RSTP is also enabled. Caution Changing spanning-tree modes can disrupt traffic because all spanning-tree instances are stopped for the previous mode and restarted in the new mode. You cannot run both MSTP and PVST+ or both MSTP and rapid PVST+ at the same time.
  • Page 396 4-bit switch priority value as shown in Table 17-1 on page 17-5.) Note Catalyst 3750 switches running software earlier than Cisco IOS Release 12.1(14)EA1 do not support the MSTP. Note If your network consists of switches that both do and do not support the extended system ID, it is unlikely that the switch with the extended system ID support will become the root switch.
  • Page 397: Configuring A Secondary Root Switch

    Chapter 18 Configuring MSTP Configuring MSTP Features Command Purpose Step 4 show spanning-tree mst instance-id Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst instance-id root global configuration command.
  • Page 398: Configuring Port Priority

    Chapter 18 Configuring MSTP Configuring MSTP Features Configuring Port Priority If a loop occurs, the MSTP uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) to interfaces that you want selected last.
  • Page 399: Configuring Path Cost

    Chapter 18 Configuring MSTP Configuring MSTP Features To return the interface to its default setting, use the no spanning-tree mst instance-id port-priority interface configuration command. Configuring Path Cost The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state.
  • Page 400: Configuring The Switch Priority

    Chapter 18 Configuring MSTP Configuring MSTP Features Configuring the Switch Priority You can configure the switch priority and make it more likely that a standalone switch or a switch in the stack will be chosen as the root switch. Note Exercise care when using this command.
  • Page 401: Configuring The Forwarding-Delay Time

    Chapter 18 Configuring MSTP Configuring MSTP Features Beginning in privileged EXEC mode, follow these steps to configure the hello time for all MST instances. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree mst hello-time seconds Configure the hello time for all MST instances.
  • Page 402: Configuring The Maximum-Aging Time

    Chapter 18 Configuring MSTP Configuring MSTP Features Configuring the Maximum-Aging Time Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree mst max-age seconds Configure the maximum-aging time for all MST instances.
  • Page 403: Specifying The Link Type To Ensure Rapid Transitions

    Chapter 18 Configuring MSTP Configuring MSTP Features Specifying the Link Type to Ensure Rapid Transitions If you connect a port to another port through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the “Rapid Convergence”...
  • Page 404: Displaying The Mst Configuration And Status

    Chapter 18 Configuring MSTP Displaying the MST Configuration and Status Displaying the MST Configuration and Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 18-4: Table 18-4 Commands for Displaying MST Status Command Purpose show spanning-tree mst configuration...
  • Page 405: Understanding Optional Spanning-Tree Features

    Chapter 19 Configuring Optional Spanning-Tree Features This chapter describes how to configure optional spanning-tree features on the Catalyst 3750 switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+).
  • Page 406: Understanding Port Fast

    Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding Port Fast Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. You can use Port Fast on interfaces connected to a single workstation or server, as shown in Figure 19-1, to allow those devices to...
  • Page 407: Understanding Bpdu Guard

    Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding BPDU Guard The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences. At the global level, you enable BPDU guard on Port Fast-enabled interfaces by using the spanning-tree portfast bpduguard default global configuration command.
  • Page 408: Understanding Uplinkfast

    Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding UplinkFast Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 19-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops. (Figure 19-2 Switches in a Hierarchical Network: backbone switches, root bridge...)
  • Page 409: Understanding Cross-Stack Uplinkfast

    Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features (Figure 19-3 UplinkFast Example Before Direct Link Failure: Switch A (Root), Switch B, and Switch C, with the blocked port on Switch C) If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure...
  • Page 410: How Csuf Works

    Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features How CSUF Works CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 19-5, the stack-root port on Switch 1 provides the path to the root of the spanning tree. The alternate stack-root ports on Switches 2 and 3 can provide an alternate path to the spanning-tree root if the current stack-root switch fails or if its link to the spanning-tree root fails.
  • Page 411: Events That Cause Fast Convergence

    Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Each switch in the stack decides if the sending switch is a better choice than itself to be the stack root of this spanning-tree instance by comparing the root, cost, and bridge ID. If the sending switch is the best choice as the stack root, each switch in the stack returns an acknowledgement;...
  • Page 412 Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features BackboneFast, which is enabled by using the spanning-tree backbonefast global configuration command, starts when a root port or blocked interface on a switch receives inferior BPDUs from its designated switch. An inferior BPDU identifies a switch that declares itself as both the root bridge and the designated switch.
  • Page 413 Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features If link L1 fails as shown in Figure 19-7, Switch C cannot detect this failure because it is not connected directly to link L1. However, because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root, and begins sending BPDUs to Switch C, identifying itself as the root.
  • Page 414: Understanding Etherchannel Guard

    Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding EtherChannel Guard You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel, but the interfaces on the other device are not.
  • Page 415: Understanding Loop Guard

    Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Figure 19-9 Root Guard in a Service-Provider Network Customer network Service-provider network Potential spanning-tree root without root guard enabled Desired root switch Enable the root-guard feature on these interfaces to prevent switches in the customer network from becoming the root switch or being...
  • Page 416: Default Optional Spanning-Tree Configuration

    Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Enabling BackboneFast, page 19-16 (optional) • Enabling EtherChannel Guard, page 19-17 (optional) • Enabling Root Guard, page 19-17 (optional) • Enabling Loop Guard, page 19-18 (optional) Default Optional Spanning-Tree Configuration Table 19-1 shows the default optional spanning-tree configuration.
  • Page 417: Enabling Bpdu Guard

    Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to enable Port Fast. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify an interface to configure, and enter interface configuration mode.
  • Page 418: Enabling Bpdu Filtering

    Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features You also can use the spanning-tree bpduguard enable interface configuration command to enable BPDU guard on any interface without also enabling the Port Fast feature. When the interface receives a BPDU, it is put in the error-disabled state.
  • Page 419: Enabling Uplinkfast For Use With Redundant Links

    Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to globally enable the BPDU filtering feature. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree portfast bpdufilter default Globally enable BPDU filtering.
  • Page 420: Enabling Cross-Stack Uplinkfast

    Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Command Purpose Step 3 Return to privileged EXEC mode. Step 4 show spanning-tree summary Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. When UplinkFast is enabled, the switch priority of all VLANs is set to 49152.
  • Page 421: Enabling Etherchannel Guard

    Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Command Purpose Step 4 show spanning-tree summary Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable the BackboneFast feature, use the no spanning-tree backbonefast global configuration command.
  • Page 422: Enabling Loop Guard

    Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to enable root guard on an interface. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify an interface to configure, and enter interface configuration mode.
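The two guards configured on these pages react to the same event, a BPDU arriving on a port, in different ways: BPDU guard shuts an edge port the moment any BPDU appears, while root guard only refuses a BPDU that advertises a better root than the one the switch already knows. The following Python model is an added example, not code from the Catalyst 3750 guide; it reduces a bridge ID to (priority, MAC), compares only the root bridge ID for root guard (a simplification of full BPDU ranking), and the port names and MAC addresses are made up.

```python
"""Model of how BPDU guard and root guard react to a received BPDU.

Added example, not code from the Catalyst 3750 guide. A bridge ID is
modelled as (priority, MAC), lower meaning superior; root guard here
compares only the root bridge ID carried in the BPDU. Port names and
MACs are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int        # 0..61440 in steps of 4096
    mac: str


@dataclass(frozen=True)
class Bpdu:
    root: BridgeId
    root_path_cost: int
    sender: BridgeId
    sender_port: int


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpduguard: bool = False    # spanning-tree bpduguard enable (per interface)
    rootguard: bool = False    # spanning-tree guard root
    state: str = "forwarding"  # forwarding | err-disabled | root-inconsistent


class Bridge:
    def __init__(self, my_id: BridgeId, current_root: BridgeId,
                 bpduguard_default: bool = False):
        self.my_id = my_id
        self.current_root = current_root
        # spanning-tree portfast bpduguard default: applies to Port Fast ports only
        self.bpduguard_default = bpduguard_default

    def receive_bpdu(self, port: Port, bpdu: Bpdu) -> str:
        """Apply the guards to one BPDU arriving on `port`; return the outcome."""
        if port.state == "err-disabled":
            return "dropped: port err-disabled"

        # BPDU guard: an edge port must never see a BPDU. Any BPDU, superior
        # or not, shuts the port; it stays down until errdisable recovery or
        # a manual shutdown / no shutdown.
        if port.bpduguard or (self.bpduguard_default and port.portfast):
            port.state = "err-disabled"
            return "bpduguard: err-disabled"

        # Root guard: a BPDU announcing a better root than the one we know is
        # refused on this port so the root cannot move into the customer side.
        if port.rootguard:
            if bpdu.root < self.current_root:
                port.state = "root-inconsistent"
                return "rootguard: root-inconsistent (superior BPDU)"
            if port.state == "root-inconsistent":
                # Superior BPDUs stopped: the port recovers by itself.
                port.state = "forwarding"
                return "rootguard: recovered"

        return "accepted"
```

The difference that matters operationally is the recovery path: a root-inconsistent port returns to forwarding on its own once the superior BPDUs stop, whereas an err-disabled port needs errdisable recovery or an operator.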
  • Page 423: Displaying The Spanning-Tree Status

    Chapter 19 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status Displaying the Spanning-Tree Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 19-2: Table 19-2 Commands for Displaying the Spanning-Tree Status Command Purpose show spanning-tree active Displays spanning-tree information on active interfaces only.
  • Page 425: Configuring Flex Links

    C H A P T E R Configuring Flex Links This chapter describes how to configure Flex Links, a pair of interfaces on the Catalyst 3750 switch that are used to provide a mutual backup. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 426: Configuring Flex Links

    Chapter 20 Configuring Flex Links Configuring Flex Links Figure 20-1 Flex Links Configuration Example Uplink Uplink switch B switch C Port 1 Port 2 Switch A If a primary (forwarding) link goes down, a trap notifies the network management stations. If the standby link goes down, a trap notifies the users.
  • Page 427: Configuring Flex Links

    Chapter 20 Configuring Flex Links Monitoring Flex Links Configuring Flex Links Beginning in privileged EXEC mode, follow these steps to configure a pair of Flex Links: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode.
  • Page 428: Configuring Flex Links

    Chapter 20 Configuring Flex Links Monitoring Flex Links Catalyst 3750 Switch Software Configuration Guide 20-4 78-16180-02...
  • Page 429: Understanding Dhcp Features

    For complete syntax and usage information for the commands used in this chapter, refer to the command Note reference for this release, and refer to the “DHCP Commands” section in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.
  • Page 430: C H A P T E R 21 Configuring Dhcp Features And Ip Source Guard

    Understanding DHCP Features For information about the DHCP client, refer to the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. DHCP Server The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them.
  • Page 431: Option-82 Data Insertion

    Chapter 21 Configuring DHCP Features and IP Source Guard Understanding DHCP Features The switch drops a DHCP packet when one of these situations occurs: A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or • DHCPLEASEQUERY packet, is received from outside the network or firewall. •...
  • Page 432 Chapter 21 Configuring DHCP Features and IP Source Guard Understanding DHCP Features When you enable the DHCP snooping information option 82 on the switch, this sequence of events occurs: The host (DHCP client) generates a DHCP request and broadcasts it on the network. •...
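The drop rules and the option 82 sequence above are easiest to see in one place. The following Python model is an added example, not code from the Catalyst 3750 guide: it classifies each DHCP message as server- or client-originated, enforces trust per port, inserts option 82 on client requests from untrusted ports and strips it from server replies, and learns a binding from each DHCPACK. The circuit-ID string format, the port and MAC names and the sample exchange are made up, and the drop rules beyond "server message on an untrusted port" (chaddr versus source MAC, relay-agent data from an untrusted host, RELEASE/DECLINE from the wrong port) follow standard DHCP snooping behaviour and are assumptions as far as this excerpt shows.

```python
"""DHCP snooping with option 82, modelled in Python.

Added example, not code from the Catalyst 3750 guide. A DHCP message is
reduced to the fields snooping looks at; the circuit-ID format, port and
MAC names are made up, and the drop rules other than "server message on
an untrusted port" are assumptions based on standard snooping behaviour.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK", "LEASEQUERY"}


@dataclass(frozen=True)
class Dhcp:
    msg_type: str
    src_mac: str                       # Ethernet source address
    chaddr: str                        # client hardware address in the payload
    yiaddr: str = "0.0.0.0"
    giaddr: str = "0.0.0.0"            # relay agent address
    option82: Optional[dict] = None    # {"circuit_id": ..., "remote_id": ...}
    lease: int = 0


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    lease: int


class DhcpSnooper:
    def __init__(self, switch_mac: str, trusted, insert_option82=True, verify_mac=True):
        self.switch_mac = switch_mac
        self.trusted = set(trusted)               # ip dhcp snooping trust
        self.insert_option82 = insert_option82    # ip dhcp snooping information option
        self.verify_mac = verify_mac              # ip dhcp snooping verify mac-address
        self.bindings: Dict[str, Binding] = {}    # binding database, keyed by MAC
        self._client_port: Dict[str, Tuple[str, int]] = {}  # chaddr -> (iface, vlan)

    def process(self, iface: str, vlan: int, pkt: Dhcp) -> Tuple[str, Optional[Dhcp]]:
        """Return (verdict, packet to forward or None)."""
        trusted = iface in self.trusted
        if pkt.msg_type in SERVER_MSGS:
            return self._from_server(iface, vlan, pkt, trusted)
        return self._from_client(iface, vlan, pkt, trusted)

    def _from_server(self, iface, vlan, pkt, trusted):
        if not trusted:
            # Rogue server: OFFER/ACK/NAK/LEASEQUERY are only accepted from
            # ports facing the real server or a trusted uplink.
            return "drop: server message on untrusted port", None
        if pkt.msg_type == "ACK" and pkt.chaddr in self._client_port:
            cif, cvlan = self._client_port[pkt.chaddr]
            self.bindings[pkt.chaddr] = Binding(pkt.chaddr, pkt.yiaddr, cvlan, cif, pkt.lease)
        # The option 82 data the server echoes back is removed before the
        # reply goes out to the client port.
        return "forward", replace(pkt, option82=None)

    def _from_client(self, iface, vlan, pkt, trusted):
        if trusted:
            return "forward", pkt
        if self.verify_mac and pkt.src_mac != pkt.chaddr:
            return "drop: source MAC does not match chaddr", None
        if pkt.giaddr != "0.0.0.0" or pkt.option82 is not None:
            # Only a relay agent may set these; an untrusted host must not.
            return "drop: relay-agent data on untrusted port", None
        if pkt.msg_type in ("RELEASE", "DECLINE"):
            b = self.bindings.get(pkt.chaddr)
            if b is not None and b.interface != iface:
                return "drop: RELEASE/DECLINE from a port other than the binding's", None
        self._client_port[pkt.chaddr] = (iface, vlan)
        out = pkt
        if self.insert_option82:
            out = replace(pkt, option82={"circuit_id": f"vlan{vlan}:{iface}",
                                         "remote_id": self.switch_mac})
        return "forward", out
```

The binding learned from the DHCPACK records the client's port and VLAN, which is what IP source guard and dynamic ARP inspection later consult; note that nothing is learned from an OFFER, and nothing at all from an ACK that arrives on an untrusted port.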
  • Page 433: Cisco Ios Dhcp Server Database

    An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool.
  • Page 434: Dhcp Snooping And Switch Stacks

    Chapter 21 Configuring DHCP Features and IP Source Guard Understanding DHCP Features When a switch learns of new bindings or when it loses bindings, the switch updates the entries in the database and in the binding file. The frequency at which database and file are updated is based on a configurable delay, and the updates are batched.
  • Page 435: Configuring Dhcp Features

    Configuring DHCP Features These sections describe how to configure the DHCP server, the DHCP relay agent, DHCP snooping, option 82, the Cisco IOS DHCP server binding database, and the DHCP snooping binding database on your switch: Default DHCP Configuration, page 21-7 •...
  • Page 436: Dhcp Snooping Configuration Guidelines

    NTP. Configuring the DHCP Server The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational.
  • Page 437: Dhcp Server And Switch Stacks

    To disable the DHCP server and relay agent, use the no service dhcp global configuration command. Refer to the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 for these procedures: Checking (validating) the relay agent information •...
  • Page 438: Enabling Dhcp Snooping And Option 82

    Chapter 21 Configuring DHCP Features and IP Source Guard Configuring DHCP Features Beginning in privileged EXEC mode, follow these steps to specify the packet forwarding address: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface vlan vlan-id Enter interface configuration mode, and create a switch virtual interface.
  • Page 439 Chapter 21 Configuring DHCP Features and IP Source Guard Configuring DHCP Features Command Purpose Step 3 ip dhcp snooping vlan vlan-range Enable DHCP snooping on a VLAN or range of VLANs. The range is 1 to 4094. You can enter a single VLAN ID identified by VLAN ID number, a series of VLAN IDs separated by commas, a range of VLAN IDs separated by hyphens, or a range of VLAN IDs separated by entering the starting and ending VLAN IDs separated by a space.
  • Page 440: Enabling Dhcp Snooping On Private Vlans

    VLANs, on which DHCP snooping is enabled. Enabling the Cisco IOS DHCP Server Database For procedures to enable and configure the Cisco IOS DHCP server database, refer to the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
  • Page 441 Chapter 21 Configuring DHCP Features and IP Source Guard Configuring DHCP Features Command Purpose Step 6 ip dhcp snooping binding mac-address (Optional) Add binding entries to the DHCP snooping binding database. vlan vlan-id ip-address interface The vlan-id range is from 1 to 4094. The seconds range is from 1 to interface-id expiry seconds 4294967295.
  • Page 442: Displaying Dhcp Snooping Information

    Chapter 21 Configuring DHCP Features and IP Source Guard Displaying DHCP Snooping Information Displaying DHCP Snooping Information This section describes how to display configuration information for all interfaces on a switch and the configuration information, status, and statistics for the DHCP snooping binding database, also referred to as a binding table.
  • Page 443: Understanding Ip Source Guard

    Chapter 21 Configuring DHCP Features and IP Source Guard Understanding IP Source Guard Table 21-2 show ip dhcp snooping binding Command Output Field Description MacAddress Client hardware MAC address IpAddress Client IP address assigned from the DHCP server Lease(sec) Remaining lease time for the IP address Type Binding type VLAN...
  • Page 444: Source Ip Address Filtering

    Chapter 21 Configuring DHCP Features and IP Source Guard Configuring IP Source Guard Source IP Address Filtering When IP source guard is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.
  • Page 445: Configuration Guidelines

    Chapter 21 Configuring DHCP Features and IP Source Guard Configuring IP Source Guard Configuration Guidelines These are the configuration guidelines for IP source guard: • You can configure static IP bindings only on nonrouted ports. If you enter the ip source binding ip-address mac-address vlan vlan-id interface interface-id global configuration command on a routed interface, this error message appears: Static IP source binding can only be configured on switch port.
  • Page 446 Chapter 21 Configuring DHCP Features and IP Source Guard Configuring IP Source Guard Command Purpose Step 8 show ip source binding [ip-address] Display the IP source bindings on the switch, on a specific VLAN, or on [mac-address] [dhcp-snooping | static] a specific interface.
  • Page 447: Displaying Ip Source Guard Information

    Chapter 21 Configuring DHCP Features and IP Source Guard Displaying IP Source Guard Information Displaying IP Source Guard Information This section describes how to display the IP source guard configuration and the IP source bindings on the switch. This example shows how to display the IP source guard configuration for a switch: Switch# show ip verify source Interface Filter-type...
  • Page 449: Configuring Dynamic Arp Inspection

    C H A P T E R Configuring Dynamic ARP Inspection This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 3750 switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN.
  • Page 450: C H A P T E R 22 Configuring Dynamic Arp Inspection

    Chapter 22 Configuring Dynamic ARP Inspection Understanding Dynamic ARP Inspection Figure 22-1 ARP Cache Poisoning Host A Host B (IA, MA) (IB, MB) Host C (man-in-the-middle) (IC, MC) Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet.
  • Page 451: Interface Trust States And Network Security

    Chapter 22 Configuring Dynamic ARP Inspection Understanding Dynamic ARP Inspection You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header.
  • Page 452: Rate Limiting Of Arp Packets

    Chapter 22 Configuring Dynamic ARP Inspection Understanding Dynamic ARP Inspection Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the hosts connected to a switch running dynamic ARP inspection.
  • Page 453: Configuring Dynamic Arp Inspection

    Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection You use the ip arp inspection log-buffer global configuration command to configure the number of entries in the buffer and the number of entries needed in the specified interval to generate system messages.
  • Page 454: Dynamic Arp Inspection Configuration Guidelines

    Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Dynamic ARP Inspection Configuration Guidelines These are the dynamic ARP inspection configuration guidelines: • Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking. Dynamic ARP inspection is not effective for hosts connected to switches that do not support •...
  • Page 455: Configuring Dynamic Arp Inspection In Dhcp Environments

    Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection in DHCP Environments This procedure shows how to configure dynamic ARP inspection when two switches support this feature. Host 1 is connected to Switch A, and Host 2 is connected to Switch B as shown in Figure 22-2 on page 22-3.
  • Page 456: Configuring Arp Acls For Non-Dhcp Environments

    Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Command Purpose Step 7 show ip arp inspection interfaces Verify the dynamic ARP inspection configuration. show ip arp inspection vlan vlan-range Step 8 show ip dhcp snooping binding Verify the DHCP bindings. Step 9 show ip arp inspection statistics vlan Check the dynamic ARP inspection statistics.
  • Page 457 Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Command Purpose Step 3 permit ip host sender-ip mac host sender-mac [log] Permit ARP packets from the specified host (Host 2). For sender-ip, enter the IP address of Host 2. •...
  • Page 458: Limiting The Rate Of Incoming Arp Packets

    Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Command Purpose Step 7 no ip arp inspection trust Configure the Switch A interface that is connected to Switch B as untrusted. By default, all interfaces are untrusted. For untrusted interfaces, the switch intercepts all ARP requests and responses.
  • Page 459: Performing Validation Checks

    Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the “Dynamic ARP Inspection Configuration Guidelines” section on page 22-6. Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This procedure is optional.
  • Page 460: Configuring The Log Buffer

    Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP packets. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip arp inspection validate Perform a specific check on incoming ARP packets.
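The chapter configures the pieces of dynamic ARP inspection separately (trust state, ARP ACLs for hosts without DHCP bindings, the rate limit, and the optional src-mac/dst-mac/ip validation checks), but on the wire they are applied to the same packet in sequence. The following Python model is an added example, not code from the Catalyst 3750 guide, and shows that sequence for an ARP packet arriving on an untrusted port. The binding table, ACL, interface names and packets are constructed for the example; the ACL is assumed to be applied without the `static` keyword, so a packet it does not match falls through to the DHCP snooping bindings; the rate limit defaults to 15 pps, as the chapter states for untrusted ports.

```python
"""Dynamic ARP inspection on an untrusted port, modelled in Python.

Added example, not code from the Catalyst 3750 guide. Bindings, ACL,
interface names and packets are constructed; the ACL is assumed to be
applied without `static`, so a miss falls through to the bindings.
"""
import ipaddress
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Arp:
    eth_src: str
    eth_dst: str
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class ArpInspector:
    def __init__(self, bindings: Dict[Tuple[int, str], str], trusted: Iterable[str] = (),
                 arp_acl: Iterable[Tuple[str, str]] = (), validate: Iterable[str] = (),
                 rate_limit: int = 15):
        self.bindings = bindings               # (vlan, ip) -> mac, from DHCP snooping
        self.trusted: Set[str] = set(trusted)  # ip arp inspection trust
        self.acl = set(arp_acl)                # permit ip host <ip> mac host <mac>
        self.validate = set(validate)          # ip arp inspection validate ...
        self.rate_limit = rate_limit           # ip arp inspection limit rate <pps>
        self._window: Dict[str, Tuple[float, int]] = {}
        self.errdisabled: Set[str] = set()

    @staticmethod
    def _invalid_ip(ip: str) -> bool:
        a = ipaddress.IPv4Address(ip)
        return a in (ipaddress.IPv4Address("0.0.0.0"),
                     ipaddress.IPv4Address("255.255.255.255")) or a.is_multicast

    def inspect(self, iface: str, vlan: int, pkt: Arp, now: Optional[float] = None) -> str:
        if iface in self.errdisabled:
            return "drop: interface err-disabled"
        if iface in self.trusted:
            return "forward (trusted, not inspected)"

        # Rate limit: count packets per one-second window on untrusted ports;
        # exceeding it err-disables the port.
        now = time.monotonic() if now is None else now
        start, n = self._window.get(iface, (now, 0))
        if now - start >= 1.0:
            start, n = now, 0
        n += 1
        self._window[iface] = (start, n)
        if n > self.rate_limit:
            self.errdisabled.add(iface)
            return "err-disable: ARP rate limit exceeded"

        # Optional validation checks on the packet itself.
        if "src-mac" in self.validate and pkt.eth_src != pkt.sender_mac:
            return "drop: src-mac check (Ethernet source != ARP sender MAC)"
        if "dst-mac" in self.validate and pkt.op == "reply" and pkt.eth_dst != pkt.target_mac:
            return "drop: dst-mac check (Ethernet destination != ARP target MAC)"
        if "ip" in self.validate and (self._invalid_ip(pkt.sender_ip) or
                                      (pkt.op == "reply" and self._invalid_ip(pkt.target_ip))):
            return "drop: ip check (invalid or unexpected address)"

        # Sender IP/MAC must belong to a known host: ARP ACL first, then bindings.
        if (pkt.sender_ip, pkt.sender_mac) in self.acl:
            return "forward (arp acl)"
        if self.bindings.get((vlan, pkt.sender_ip)) == pkt.sender_mac:
            return "forward (dhcp snooping binding)"
        return "drop: no matching binding"
```

A poisoning reply from Host C claiming the gateway's IP with its own MAC fails the last step, because no binding pairs that IP with that MAC; a reply that forges the sender MAC to match a real binding is caught earlier by the src-mac check, which is why the validation checks are worth enabling even when the binding table is complete.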
  • Page 461 Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time.
  • Page 462: Displaying Dynamic Arp Inspection Information

    Chapter 22 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information Command Purpose Step 3 ip arp inspection vlan vlan-range Control the type of packets that are logged per VLAN. By default, all denied logging {acl-match {matchlog | or all dropped packets are logged. The term logged means the entry is placed none} | dhcp-bindings {all | none | in the log buffer and a system message is generated.
  • Page 463 Chapter 22 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information To clear or display dynamic ARP inspection statistics, use the privileged EXEC commands in Table 22-3: Table 22-3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics Command Description clear ip arp inspection statistics Clears dynamic ARP inspection statistics.
  • Page 465: Understanding Igmp Snooping

    For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the “IP Multicast Routing Commands” section in the Cisco IOS IP Command Reference, Volume 3 of 3:Multicast, Release 12.2.
  • Page 466: Chapter 23 Configuring Igmp Snooping And Mvr

    Chapter 23 Configuring IGMP Snooping and MVR Understanding IGMP Snooping the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.
  • Page 467: Joining A Multicast Group

    An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast (SSM) feature. For more information, refer to the “Configuring IP Multicast Layer 3 Switching” chapter in the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, Cisco IOS Release 12.1(12c)EW at this URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_12/config/mcastmls.htm...
  • Page 468 Chapter 23 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Router A sends a general query to the switch, which forwards the query to ports 2 through 5, all members of the same VLAN. Host 1 wants to join multicast group 224.1.2.3 and multicasts an IGMP membership report (IGMP join message) to the group.
  • Page 469: Leaving A Multicast Group

    Chapter 23 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Leaving a Multicast Group The router sends periodic multicast general queries, and the switch forwards these queries through all ports in the VLAN. Interested hosts respond to the queries. If at least one host in the VLAN wishes to receive multicast traffic, the router continues forwarding the multicast traffic to the VLAN.
  • Page 470: Igmp Snooping And Switch Stacks

    Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping IGMP Snooping and Switch Stacks IGMP snooping functions across the switch stack; that is, IGMP control information obtained from one switch is distributed to all switches in the stack. (See Chapter 5, “Managing Switch Stacks,”...
  • Page 471: Enabling Or Disabling Igmp Snooping

    Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets • Listening to Cisco Group Management Protocol (CGMP) packets from other routers • Statically connecting to a multicast router port with the ip igmp snooping mrouter global...
  • Page 472 Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping You can configure the switch either to snoop on IGMP queries and PIM/DVMRP packets or to listen to CGMP self-join or proxy-join packets. By default, the switch snoops on PIM/DVMRP packets on all VLANs.
  • Page 473: Configuring A Multicast Router Port

    Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping This example shows how to configure IGMP snooping to use CGMP packets as the learning method and verify the configuration: Switch# configure terminal Switch(config)# ip igmp snooping vlan 1 mrouter learn cgmp Switch(config)# end Switch# show ip igmp snooping vlan 1 Global IGMP Snooping configuration:...
  • Page 474: Configuring A Host Statically To Join A Group

    Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping This example shows how to enable a static connection to a multicast router and verify the configuration: Switch# configure terminal Switch(config)# ip igmp snooping vlan 200 mrouter interface gigabitethernet1/0/2 Switch(config)# end Switch# show ip igmp snooping mrouter vlan 200 Vlan ports...
  • Page 475: Enabling Igmp Immediate Leave

    Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Enabling IGMP Immediate Leave When you enable IGMP Immediate Leave, the switch immediately removes a port when it detects an IGMP Version 2 leave message on that port. You should only use the Immediate-Leave feature when there is a single receiver present on every port in the VLAN.
  • Page 476: Displaying Igmp Snooping Information

    Chapter 23 Configuring IGMP Snooping and MVR Displaying IGMP Snooping Information To re-enable IGMP report suppression, use the ip igmp snooping report-suppression global configuration command. Displaying IGMP Snooping Information You can display IGMP snooping information for dynamically learned and statically configured router ports and VLAN interfaces.
  • Page 477: Understanding Multicast Vlan Registration

    Chapter 23 Configuring IGMP Snooping and MVR Understanding Multicast VLAN Registration Understanding Multicast VLAN Registration Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service provider network (for example, the broadcast of multiple television channels over a service-provider network).
  • Page 478 VLAN as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN. Uplink ports that send and receive multicast data to and from the multicast VLAN are called MVR source ports. Figure 23-3 Multicast VLAN Registration Example Multicast VLAN Cisco router Multicast server Switch B Multicast...
  • Page 479: Configuring Mvr

    Chapter 23 Configuring IGMP Snooping and MVR Configuring MVR the IGMP leave was received. As soon as the leave message is received, the receiver port is removed from multicast group membership, which speeds up leave latency. Enable the Immediate-Leave feature only on receiver ports to which a single receiver device is connected.
  • Page 480: Mvr Configuration Guidelines And Limitations

    Chapter 23 Configuring IGMP Snooping and MVR Configuring MVR MVR Configuration Guidelines and Limitations Follow these guidelines when configuring MVR: • Receiver ports can only be access ports; they cannot be trunk ports. Receiver ports on a switch can be in different VLANs, but should not belong to the multicast VLAN. The maximum number of multicast entries (MVR group addresses) that can be configured on a •...
  • Page 481: Configuring Mvr Interfaces

    Chapter 23 Configuring IGMP Snooping and MVR Configuring MVR Command Purpose Step 4 mvr querytime value (Optional) Define the maximum time to wait for IGMP report memberships on a receiver port before removing the port from multicast group membership. The value is in units of tenths of a second. The range is from 1 to 100 and the default is 5 tenths or one-half second.
  • Page 482 Chapter 23 Configuring IGMP Snooping and MVR Configuring MVR Command Purpose Step 4 mvr type {source | receiver} Configure an MVR port as one of these: source—Configure uplink ports that receive and send multicast data as • source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN.
  • Page 483: Displaying Mvr Information

    Chapter 23 Configuring IGMP Snooping and MVR Displaying MVR Information Displaying MVR Information You can display MVR information for the switch or for a specified interface. Beginning in privileged EXEC mode, use the commands in Table 23-6 to display MVR configuration: Table 23-6 Commands for Displaying MVR Information Command Purpose...
  • Page 484: Default Igmp Filtering And Throttling Configuration

    Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling With the IGMP throttling feature, you can also set the maximum number of IGMP groups that a Layer 2 interface can join.
  • Page 485: Configuring Igmp Profiles

    Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling Configuring IGMP Profiles To configure an IGMP profile, use the ip igmp profile global configuration command with a profile number to create an IGMP profile and to enter IGMP profile configuration mode. From this mode, you can specify the parameters of the IGMP profile to be used for filtering IGMP join requests from a port.
  • Page 486: Applying Igmp Profiles

    Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling This example shows how to create IGMP profile 4 allowing access to the single IP multicast address and how to verify the configuration. If the action was to deny (the default), it would not appear in the show ip igmp profile output display.
  • Page 487: Setting The Maximum Number Of Igmp Groups

    Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling Setting the Maximum Number of IGMP Groups You can set the maximum number of IGMP groups that a Layer 2 interface can join by using the ip igmp max-groups interface configuration command.
  • Page 488 Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling If you configure the throttling action and set the maximum group limitation after an interface has • added multicast entries to the forwarding table, the forwarding-table entries are either aged out or removed, depending on the throttling action.
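How a profile's permit/deny action and its ranges combine, and what the deny and replace throttling actions do once an interface is at its group limit, is clearer in code than in the separate procedures above. The following Python model is an added example, not code from the Catalyst 3750 guide. Profile numbers, groups and ports are constructed; which existing entry the replace action evicts is an assumption (the oldest here).

```python
"""IGMP filtering profiles and max-groups throttling, modelled in Python.

Added example, not code from the Catalyst 3750 guide. Profile numbers,
groups and ports are constructed; replacing the oldest entry on
`action replace` is an assumption.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass
class IgmpProfile:
    number: int
    permit: bool = False                      # default action is deny
    ranges: List[Tuple[str, str]] = field(default_factory=list)

    def add_range(self, low: str, high: Optional[str] = None) -> None:
        """range low [high], as entered in IGMP profile configuration mode."""
        self.ranges.append((low, high or low))

    def allows(self, group: str) -> bool:
        g = _ip(group)
        matched = any(_ip(lo) <= g <= _ip(hi) for lo, hi in self.ranges)
        # permit: only listed groups pass; deny: listed groups are blocked.
        return matched if self.permit else not matched


class IgmpPort:
    def __init__(self, profile: Optional[IgmpProfile] = None,
                 max_groups: Optional[int] = None, action: str = "deny"):
        self.profile = profile            # ip igmp filter <n>
        self.max_groups = max_groups      # ip igmp max-groups <n>
        self.action = action              # ip igmp max-groups action {deny | replace}
        self.groups: List[str] = []       # forwarding-table entries for this port

    def join(self, group: str) -> str:
        """Process an IGMP membership report for `group` on this port."""
        if self.profile is not None and not self.profile.allows(group):
            return "drop: denied by profile %d" % self.profile.number
        if group in self.groups:
            return "joined (already a member)"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "drop: max-groups reached"
            evicted = self.groups.pop(0)      # assumption: oldest entry replaced
            self.groups.append(group)
            return "joined (replaced %s)" % evicted
        self.groups.append(group)
        return "joined"

    def leave(self, group: str) -> bool:
        if group in self.groups:
            self.groups.remove(group)
            return True
        return False
```

The profile check runs before the group count is considered, so a join denied by the profile never consumes one of the interface's max-groups slots.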
  • Page 489: Displaying Igmp Filtering And Throttling Configuration

    Chapter 23 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration Displaying IGMP Filtering and Throttling Configuration You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface. You can also display the IGMP throttling configuration for all interfaces on the switch or for a specified interface.
  • Page 491: Configuring Storm Control

    C H A P T E R Configuring Port-Based Traffic Control This chapter describes how to configure the port-based traffic control features on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. For complete syntax and usage information for the commands used in this chapter, refer to the command Note reference for this release.
  • Page 492: Understanding Storm Control

    When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. However, the switch does not differentiate between routing updates, such as OSPF, and regular multicast data traffic, so both types of traffic are blocked.
  • Page 493: C H A P T E R 24 Configuring Port-Based Traffic Control

    Chapter 24 Configuring Port-Based Traffic Control Configuring Storm Control Because packets do not arrive at uniform intervals, the 200-millisecond time interval during which traffic Note activity is measured can affect the behavior of storm control. The switch continues to monitor traffic on the port, and when the utilization level is below the threshold level, the type of traffic that was dropped is forwarded again.
  • Page 494 Chapter 24 Configuring Port-Based Traffic Control Configuring Storm Control Command Purpose Step 4 storm-control multicast level level [.level] Specify the multicast traffic suppression level for an interface as a percentage of total bandwidth. The level can be from 1 to 100; the optional fraction of a level can be from 0 to 99.
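The rising and falling levels give storm control hysteresis: a traffic type is blocked once an interval's utilization reaches the rising level and stays blocked until an interval falls below the falling level (the rising level itself when no falling level is given). The following Python model is an added example, not code from the Catalyst 3750 guide; each call feeds the utilization measured for one traffic type over one 200-millisecond interval, and the interval sequences used to exercise it are constructed.

```python
"""Storm control rising/falling thresholds, modelled per 200 ms interval.

Added example, not code from the Catalyst 3750 guide. Each call to
`interval` supplies one traffic type's utilization, in percent of port
bandwidth, for one measurement interval; sample sequences are constructed.
"""
from typing import List, Optional


class StormControl:
    INTERVAL_MS = 200

    def __init__(self, rising: float, falling: Optional[float] = None, action: str = "drop"):
        # storm-control {broadcast | multicast | unicast} level rising [falling]
        # storm-control action {shutdown | trap}; the default only filters.
        self.rising = rising
        self.falling = rising if falling is None else falling
        self.action = action
        self.blocking = False
        self.err_disabled = False
        self.traps = 0

    def interval(self, utilization: float) -> str:
        """Process one 200 ms measurement and return the port's state."""
        if self.err_disabled:
            return "err-disabled"
        if not self.blocking and utilization >= self.rising:
            if self.action == "shutdown":
                self.err_disabled = True
                return "err-disabled"
            if self.action == "trap":
                self.traps += 1
            self.blocking = True
            return "blocked"
        if self.blocking and utilization < self.falling:
            # Traffic fell below the falling level: forward that type again.
            self.blocking = False
            return "forwarding"
        return "blocked" if self.blocking else "forwarding"

    def run(self, samples: List[float]) -> List[str]:
        return [self.interval(u) for u in samples]
```

With a single level, traffic that hovers exactly at the threshold stays blocked; setting a lower falling level avoids the port flapping between blocked and forwarding on every interval.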
  • Page 495: Configuring Protected Ports

    Chapter 24 Configuring Port-Based Traffic Control Configuring Protected Ports Configuring Protected Ports Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.
  • Page 496: Configuring Port Blocking

    Chapter 24 Configuring Port-Based Traffic Control Configuring Port Blocking To disable protected port, use the no switchport protected interface configuration command. This example shows how to configure a port as a protected port: Switch# configure terminal Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# switchport protected Switch(config-if)# end Configuring Port Blocking By default, the switch floods packets with unknown destination MAC addresses out of all ports.
  • Page 497: Configuring Port Security

    Chapter 24 Configuring Port-Based Traffic Control Configuring Port Security This example shows how to block unicast and multicast flooding on a port: Switch# configure terminal Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# switchport block multicast Switch(config-if)# switchport block unicast Switch(config-if)# end Configuring Port Security You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port.
  • Page 498: Security Violations

    The switch supports these types of secure MAC addresses: • Static secure MAC addresses—These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
  • Page 499: Default Port Security Configuration

    • restrict—when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses.
  • Page 500: Configuration Guidelines

    VLAN. When the port is connected to a Cisco IP phone, the IP phone requires up to two MAC addresses. The IP phone address is learned on the voice VLAN and might also be learned on the access VLAN.
  • Page 501 Command Purpose Step 5 switchport port-security maximum value [vlan [vlan-list]]: (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch stack is set by the maximum number of available MAC addresses allowed in the system.
  • Page 502 Command Purpose Step 7 switchport port-security mac-address mac-address [vlan vlan-id]: (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
  • Page 503: Enabling And Configuring Port Security Aging

    You must specifically delete configured secure MAC addresses from the address table by using the no switchport port-security mac-address mac-address interface configuration command. This example shows how to enable port security on a port and to set the maximum number of secure addresses to 50.
  • Page 504: Port Security And Switch Stacks

    Command Purpose Step 3 switchport port-security aging {static | time time | type {absolute | inactivity}}: Enable or disable static aging for the secure port, or set the aging time or type. Note: The switch does not support port security aging of sticky secure addresses.
  • Page 505: Displaying Port-Based Traffic Control Settings

    When a switch (either the stack master or a stack member) leaves the stack, the remaining stack members are notified, and the secure MAC addresses configured or learned by that switch are deleted from the secure MAC address table.
  • Page 507: Configuring Cdp

    Understanding CDP: CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 508: Cdp And Switch Stacks

    Chapter 25 Configuring CDP. CDP and Switch Stacks: A switch stack appears as a single switch in the network. Therefore, CDP discovers the switch stack, not the individual stack members. The switch stack sends CDP messages to neighboring network devices when there are changes to the switch stack membership, such as stack members being added or removed.
  • Page 509: Chapter 25 Configuring Cdp

    Disabling and Enabling CDP: CDP is enabled by default. Note: Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 6, “Clustering Switches.”...
  • Page 510: Disabling And Enabling Cdp On An Interface

    Beginning in privileged EXEC mode, follow these steps to enable CDP when it has been disabled:
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 cdp run: Enable CDP after disabling it.
    Step 3 Return to privileged EXEC mode.
  • Page 511: Monitoring And Maintaining Cdp

    Monitoring and Maintaining CDP: To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.
    clear cdp counters: Reset the traffic counters to zero.
    clear cdp table: Delete the CDP table of information about neighbors.
  • Page 513: Configuring Udld

    Configuring UDLD: This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
  • Page 514: Chapter 26 Configuring Udld

    Chapter 26 Configuring UDLD. Understanding UDLD: A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device. In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection.
  • Page 515 • Event-driven detection and echoing: UDLD relies on echoing as its detection mechanism. Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out-of-sync neighbor, it restarts the detection window on its side of the connection and sends echo messages in reply.
  • Page 516: Default Udld Configuration

    Configuring UDLD: This section describes how to configure UDLD on your switch. It contains this configuration information:
    • Default UDLD Configuration, page 26-4
    • Configuration Guidelines, page 26-4
    • Enabling UDLD Globally, page 26-5
    • Enabling UDLD on an Interface, page 26-6
    • ...
  • Page 517: Enabling Udld Globally

    Enabling UDLD Globally: Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch and all members in the switch stack: Command Purpose...
  • Page 518: Enabling Udld On An Interface

    Enabling UDLD on an Interface: Beginning in privileged EXEC mode, follow these steps either to enable UDLD in the aggressive or normal mode or to disable UDLD on a port: Command Purpose Step 1 configure terminal: Enter global configuration mode.
  • Page 519: Displaying Udld Status

    Displaying UDLD Status: To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, refer to the command reference for this release.
  • Page 521: Configuring Span And Rspan

    You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.
  • Page 522: Chapter 27 Configuring Span And Rspan

    Chapter 27 Configuring SPAN and RSPAN. Understanding SPAN and RSPAN: This section includes these topics:
    • Local SPAN, page 27-2
    • Remote SPAN, page 27-3
    • SPAN and RSPAN Concepts and Terminology, page 27-4
    • SPAN and RSPAN Interaction with Other Features, page 27-9
    • ...
  • Page 523: Remote Span

    Figure 27-2 Example of Local SPAN Configuration on a Switch Stack (figure: a Catalyst 3750 switch stack in which port 4 on switch 1 in the stack, interface 1/0/4, is mirrored on port 15 on switch 2)...
  • Page 524: Span And Rspan Concepts And Terminology

    Figure 27-3 Example of RSPAN Configuration (figure: Switch A and Switch B each run an RSPAN source session, session A and session B, that forwards into the RSPAN VLAN; intermediate switches must support the RSPAN VLAN; Switch C runs the RSPAN destination session that delivers the traffic to the RSPAN destination ports)...
  • Page 525: Monitored Traffic

    An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed over normal trunk ports to the destination switch.
  • Page 526: Source Ports

    The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
  • Page 527: Source Vlans

    • It can be any port type (for example, EtherChannel, Fast Ethernet, Gigabit Ethernet, and so forth).
    • For EtherChannel sources, you can monitor traffic for the entire EtherChannel or individually on a...
  • Page 528: Destination Port

    Destination Port: Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user, usually a network analyzer.
  • Page 529: Rspan Vlan

    On a source port, SPAN does not affect the STP status. STP can be active on trunk ports carrying an RSPAN VLAN.
    • Cisco Discovery Protocol (CDP)—A SPAN destination port does not participate in CDP while the...
  • Page 530: Span And Rspan And Switch Stacks

    A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and still be a part of the EtherChannel. In this case, data from the physical port is monitored as it participates in the EtherChannel.
  • Page 531: Default Span And Rspan Configuration

    Default SPAN and RSPAN Configuration: Table 27-1 shows the default SPAN and RSPAN configuration.
    Table 27-1 Default SPAN and RSPAN Configuration
    Feature | Default Setting
    SPAN state (SPAN and RSPAN) | Disabled.
    Source port traffic to monitor | Both received and sent traffic (both).
  • Page 532 • For local SPAN, outgoing packets through the SPAN destination port carry the original encapsulation headers—untagged, ISL, or IEEE 802.1Q—if the encapsulation replicate keywords are specified. If the keywords are not specified, the packets are sent in native form. For RSPAN destination ports, outgoing packets are not tagged.
  • Page 533 Command Purpose Step 3 monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]: Specify the SPAN session and the source port (monitored port). For session_number, the range is from 1 to 66. For interface-id, specify the source port or source VLAN to monitor.
  • Page 534 Command Purpose Step 6 show monitor [session session_number], show running-config: Verify the configuration. Step 7 copy running-config startup-config: (Optional) Save the configuration in the configuration file. To delete a SPAN session, use the no monitor session session_number global configuration command. To remove a source or destination port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command or the no monitor session session_number destination interface interface-id global configuration command.
  • Page 535 Beginning in privileged EXEC mode, follow these steps to create a SPAN session, to specify the source ports or VLANs and the destination ports, and to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). Refer to the “Creating a Local SPAN Session”...
  • Page 536: Specifying Vlans To Filter

    monitor session session_number destination interface interface-id global configuration command. For destination interfaces, the encapsulation and ingress options are ignored with the no form of the command. This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on Gigabit Ethernet source port 1, and send it to destination Gigabit Ethernet port 2 with the same egress encapsulation type as the source port, and to enable ingress forwarding with 802.1Q encapsulation and VLAN 6 as the default ingress VLAN.
  • Page 537: Configuring Rspan

    Command Purpose Step 6 Return to privileged EXEC mode. Step 7 show monitor [session session_number], show running-config: Verify the configuration. Step 8 copy running-config startup-config: (Optional) Save the configuration in the configuration file. To monitor all VLANs on the trunk port, use the no monitor session session_number filter global configuration command.
  • Page 538: Configuring A Vlan As An Rspan Vlan

    • RSPAN VLANs are included as sources for port-based RSPAN sessions when source trunk ports have active RSPAN VLANs. RSPAN VLANs can also be sources in SPAN sessions. However, since the switch does not monitor spanned traffic, it does not support egress spanning of packets on any RSPAN VLAN identified as the destination of an RSPAN source session on the switch.
  • Page 539: Creating An Rspan Source Session

    Creating an RSPAN Source Session: Beginning in privileged EXEC mode, follow these steps to start an RSPAN source session and to specify the monitored source and the destination RSPAN VLAN: Command Purpose Step 1...
  • Page 540: Creating An Rspan Destination Session

    To remove a source port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command. To remove the RSPAN VLAN from the session, use the no monitor session session_number destination remote vlan vlan-id.
  • Page 541: Creating An Rspan Destination Session And Configuring Ingress Traffic

    Beginning in privileged EXEC mode, follow these steps to create an RSPAN destination session, to specify the source RSPAN VLAN and the destination port, and to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). Refer to the “Creating an RSPAN Destination Session”...
  • Page 542 Command Purpose Step 3 monitor session session_number source remote vlan vlan-id: Specify the RSPAN session and the source RSPAN VLAN. For session_number, the range is from 1 to 66. For vlan-id, specify the source RSPAN VLAN to monitor. Step 4 monitor session session_number Specify the SPAN session, the destination port, the packet...
  • Page 543: Specifying Vlans To Filter

    Specifying VLANs to Filter: Beginning in privileged EXEC mode, follow these steps to configure the RSPAN source session to limit RSPAN source traffic to specific VLANs: Command Purpose Step 1 configure terminal: Enter global configuration mode.
  • Page 544: Displaying Span And Rspan Status

    Displaying SPAN and RSPAN Status: To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
  • Page 545: Configuring Rmon

    Note: For complete syntax and usage information for the commands used in this chapter, refer to the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. This chapter consists of these sections: •...
  • Page 546: Configuring Rmon

    Chapter 28 Configuring RMON. Figure 28-1 Remote Monitoring Example (figure: a network management station with a generic RMON console application, with RMON alarms and events configured, SNMP configured, and RMON history and statistic collection enabled, monitors workstations through the switch). The switch supports these RMON groups (defined in RFC 1757): • Statistics (RMON group 1)—Collects Ethernet statistics (including Fast Ethernet and Gigabit...
  • Page 547: Default Rmon Configuration

    Default RMON Configuration: RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch. Configuring RMON Alarms and Events: You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station.
  • Page 548 Command Purpose Step 3 rmon event number [description string] [log] [owner string] [trap community]: Add an event in the RMON event table that is associated with an RMON event number. • For number, assign an event number. The range...
  • Page 549: Collecting Group History Statistics On An Interface

    Collecting Group History Statistics on an Interface: You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional.
  • Page 550: Collecting Group Ethernet Statistics On An Interface

    Displays the RMON statistics table. For information about the fields in these displays, refer to the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 551: Configuring System Message Logging

    This chapter describes how to configure system message logging on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
  • Page 552: Configuring System Message Logging

    Chapter 29 Configuring System Message Logging. You can access logged system messages by using the switch command-line interface (CLI) or by saving them to a properly configured syslog server. The switch software saves syslog messages in an internal buffer on a standalone switch, and in the case of a switch stack, on the stack master.
  • Page 553: Chapter 29 Configuring System Message Logging

    Table 29-1 describes the elements of syslog messages.
    Table 29-1 System Log Message Elements
    Element | Description
    seq no: | Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured.
  • Page 554: Default System Message Logging Configuration

    Default System Message Logging Configuration: Table 29-2 shows the default system message logging configuration.
    Table 29-2 Default System Message Logging Configuration
    Feature | Default Setting
    System message logging to the console | Enabled.
  • Page 555: Setting The Message Display Destination Device

    The logging synchronous global configuration command also affects the display of messages to the console. When this command is enabled, messages appear only after you press Return. For more information, see the “Synchronizing Log Messages”...
  • Page 556: Synchronizing Log Messages

    Command Purpose Step 6 terminal monitor: Log messages to a nonconsole terminal during the current session. Terminal parameter-setting commands are set locally and do not remain in effect after the session has ended. You must perform this step for each session to see the debugging messages.
  • Page 557: Enabling And Disabling Time Stamps On Log Messages

    Beginning in privileged EXEC mode, follow these steps to configure synchronous logging. This procedure is optional. Command Purpose Step 1 configure terminal: Enter global configuration mode. Step 2 line [console | vty] line-number [ending-line-number]: Specify the line to be configured for synchronous logging of messages.
  • Page 558: Enabling And Disabling Sequence Numbers In Log Messages

    Beginning in privileged EXEC mode, follow these steps to enable time-stamping of log messages. This procedure is optional. Command Purpose Step 1 configure terminal: Enter global configuration mode. Step 2 service timestamps log uptime: Enable log time stamps.
  • Page 559: Defining The Message Severity Level

    This example shows part of a logging display with sequence numbers enabled:
    000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) (Switch-2)
    Defining the Message Severity Level: You can limit the messages displayed to the selected device by specifying the severity level of the message; the levels are described in Table 29-3.
  • Page 560: Limiting Syslog Messages Sent To The History Table And To Snmp

    Table 29-3 Message Logging Level Keywords
    Level Keyword | Description | Syslog Definition
    emergencies | System unstable | LOG_EMERG
    alerts | Immediate action needed | LOG_ALERT
    critical | Critical conditions | LOG_CRIT
    errors | Error conditions | LOG_ERR
    warnings | Warning conditions | LOG_WARNING
    notifications | ...
  • Page 561: Configuring Unix Syslog Servers

    Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults. This procedure is optional. Command Purpose Step 1 configure terminal: Enter global configuration mode. Step 2 logging history level: Change the default level of syslog messages stored in the history file and...
  • Page 562: Configuring The Unix System Logging Facility

    Step 1 Add a line such as the following to the file /etc/syslog.conf:
    local7.debug /usr/adm/logs/cisco.log
    The local7 keyword specifies the logging facility to be used; see Table 29-4 on page 29-13 for information on the facilities.
  • Page 563: Displaying The Logging Configuration

    Displaying the Logging Configuration To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
  • Page 565: Configuring Snmp

    Note: For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. This chapter consists of these sections: • Understanding SNMP, page 30-1 •...
  • Page 566: Chapter 30 Configuring Snmp

    Chapter 30 Configuring SNMP. Understanding SNMP: This section includes information about these topics:
    • SNMP Versions, page 30-2
    • SNMP Manager Functions, page 30-3
    • SNMP Agent Functions, page 30-4
    • SNMP Community Strings, page 30-4
    • Using SNMP to Access MIB Variables, page 30-5
    • ...
  • Page 567: Snmp Manager Functions

    Table 30-1 identifies the characteristics of the different combinations of security models and levels.
    Table 30-1 SNMP Security Models and Levels
    Model | Level | Authentication | Encryption | Result
    SNMPv1 | noAuthNoPriv | Community string | No | Uses a community string match for authentication.
    SNMPv2C | noAuthNoPriv | Community string | No | ...
  • Page 568: Snmp Agent Functions

    SNMP Agent Functions: The SNMP agent responds to SNMP manager requests as follows: • Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value. • Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.
  • Page 569: Using Snmp To Access Mib Variables

    Using SNMP to Access MIB Variables: An example of an NMS is the CiscoWorks network management software. CiscoWorks 2000 software uses the switch MIB variables to set device variables and to poll devices on the network for specific information.
  • Page 570: Snmp Ifindex Mib Object Values

    SNMP ifIndex MIB Object Values: In an NMS, the IF-MIB generates and assigns an interface index (ifIndex) object value that is a unique number greater than zero to identify a physical or a logical interface. When the switch reboots or the switch software is upgraded, the switch uses this same value for the interface.
  • Page 571: Default Snmp Configuration

    Modifying the group's notify view affects all users associated with that group. Refer to the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 for information about when you should configure notify views.
  • Page 572: Disabling The Snmp Agent

    The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
  • Page 573 Beginning in privileged EXEC mode, follow these steps to configure a community string on the switch: Command Purpose Step 1 configure terminal: Enter global configuration mode. Step 2 snmp-server community string [view view-name] [ro | rw] [access-list-number]: Configure the community string. •...
  • Page 574: Configuring Snmp Groups And Users

    This example shows how to assign the string comaccess to SNMP, to allow read-only access, and to specify that IP access list 4 can use the community string to gain access to the switch SNMP agent:
    Switch(config)# snmp-server community comaccess ro 4
    Configuring SNMP Groups and Users: You can specify an identification name (engine ID) for the local or remote SNMP server engine on the...
  • Page 575 Command Purpose Step 3 snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview]: Configure a new SNMP group on the remote device. • For groupname, specify the name of the group. •...
  • Page 576: Configuring Snmp Notifications

    By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers. Note: Many commands use the word traps in the command syntax. Unless there is an option in the command to select either traps or informs, the keyword traps refers to either traps, informs, or both.
  • Page 577 Table 30-5 Switch Notification Types
    Notification Type Keyword | Description
     | Generates BGP state change traps. This option is only available when the enhanced multilayer image is installed.
    bridge | Generates STP bridge MIB traps.
    cluster | Generates a trap when the cluster configuration changes.
    config | Generates a trap for SNMP configuration changes.
  • Page 578 Beginning in privileged EXEC mode, follow these steps to configure the switch to send traps or informs to a host: Command Purpose Step 1 configure terminal: Enter global configuration mode. Step 2 snmp-server engineID remote: Specify the engine ID for the remote host.
  • Page 579: Setting The Agent Contact And Location Information

    Command Purpose Step 9 snmp-server trap-timeout seconds: (Optional) Define how often to resend trap messages. The range is 1 to 1000; the default is 30 seconds. Step 10 Return to privileged EXEC mode. Step 11 show running-config: Verify your entries.
  • Page 580: Limiting Tftp Servers Used Through Snmp

    Limiting TFTP Servers Used Through SNMP: Beginning in privileged EXEC mode, follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list: Command Purpose Step 1...
  • Page 581: Displaying Snmp Status

    Switch(config)# snmp-server enable traps entity
    Switch(config)# snmp-server host cisco.com restricted entity
    This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public:
    Switch(config)# snmp-server enable traps
    Switch(config)# snmp-server host myhost.cisco.com public...
  • Page 582 Note: Though visible in the command-line help strings, the snmp-server enable informs global configuration command is not supported. To enable the sending of SNMP inform notifications, use the snmp-server enable traps global configuration command combined with the snmp-server host host-addr informs global configuration command.
  • Page 583: Configuring Network Security With Acls

    For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release, to the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2, and to these software configuration guides and command references: Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2...
  • Page 584: C H A P T E R 31 Configuring Network Security With Acls

    Chapter 31 Configuring Network Security with ACLs Understanding ACLs You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network.
  • Page 585: Port Acls

    Chapter 31 Configuring Network Security with ACLs Understanding ACLs • When a VLAN map, input router ACL, and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL. Incoming routed IP packets received on other ports are filtered by both the VLAN map and the router ACL.
  • Page 586: Router Acls

    Chapter 31 Configuring Network Security with ACLs Understanding ACLs When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
  • Page 587: Handling Fragmented And Unfragmented Traffic

    Chapter 31 Configuring Network Security with ACLs Understanding ACLs Figure 31-2 Using VLAN Maps to Control Traffic (figure: Host A and Host B, both in VLAN 10; a VLAN map denies a specific type of traffic from Host A) Handling Fragmented and Unfragmented Traffic IP packets can be fragmented as they cross the network.
  • Page 588: Acls And Switch Stacks

    ACL information to all switches in the stack. Configuring IP ACLs Configuring IP ACLs on the switch is the same as configuring IP ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, refer to the “Configuring IP Services”...
  • Page 589: Creating Standard And Extended Ip Acls

    Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs • Inbound and outbound rate limiting (except with QoS ACLs) • Reflexive ACLs or dynamic ACLs (except for some specialized dynamic ACLs used by the switch clustering feature) • ACL logging for port ACLs and VLAN maps These are the steps to use IP ACLs on the switch: Create an ACL by specifying an access list number or name and the access conditions.
  • Page 590 Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Table 31-1 Access List Numbers Access List Number Type Supported 1–99 IP standard access list 100–199 IP extended access list 200–299 Protocol type-code access list 300–399 DECnet access list 400–499 XNS standard access list 500–599 XNS extended access list...
  • Page 591: Creating A Numbered Standard Acl

    Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Creating a Numbered Standard ACL Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard] [log] Define a standard IP access list by using a source address and...
  • Page 592 Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Use the no access-list access-list-number global configuration command to delete the entire ACL. You cannot delete individual ACEs from numbered access lists. Note When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny statement for all packets that it did not find a match for before reaching the end.
  • Page 593: Creating A Numbered Extended Acl

    For more details on the specific keywords for each protocol, refer to these software configuration guides and command references: • Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 • Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2...
  • Page 594 Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Beginning in privileged EXEC mode, follow these steps to create an extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2a access-list access-list-number {deny | permit} protocol Define an extended IP access list and the access conditions. The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
  • Page 595 TCP port. To see TCP port names, use the ? or refer to the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP.
  • Page 596 ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or refer to the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. Step 2e access-list access-list-number (Optional) Define an extended IGMP access list and the access conditions.
  • Page 597: Resequencing Aces In An Acl

    31-30). Resequencing ACEs in an ACL In Cisco IOS Release 12.2(18)SE and later, sequence numbers for the entries in an access list are automatically generated when you create a new ACL. You can use the ip access-list resequence global configuration command to edit the sequence numbers in an ACL and change the order in which ACEs are applied.
  • Page 598 Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Command Purpose Step 3 deny {source [source-wildcard] | host source | any} [log] In access-list configuration mode, specify one or more conditions denied or permitted to decide if the packet is forwarded or dropped. host source—A source and source wildcard of source 0.0.0.0.
  • Page 599: Using Time Ranges With Acls

    Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL entries to a specific ACL. However, you can use no permit and no deny access-list configuration mode commands to remove entries from a named ACL.
  • Page 600 Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Command Purpose Step 3 absolute [start time date] [end time date] Specify when the function it will be applied to is operational. • You can use only one absolute statement in the time range. If you...
  • Page 601: Including Comments In Acls

    Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs 30 deny tcp any any time-range christmas_2003 (inactive) 40 permit tcp any any time-range workhours (inactive) This example uses named ACLs to permit and deny the same traffic. Switch(config)# ip access-list extended deny_access Switch(config-ext-nacl)# deny tcp any any time-range new_year_day_2003 Switch(config-ext-nacl)# deny tcp any any time-range thanksgiving_2003 Switch(config-ext-nacl)# deny tcp any any time-range christmas_2003...
  • Page 602: Applying An Ip Acl To An Interface

    Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs For procedures for applying ACLs to interfaces, see the “Applying an IP ACL to an Interface” section on page 31-20. For applying ACLs to VLANs, see the “Configuring VLAN Maps” section on page 31-30.
  • Page 603 Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Beginning in privileged EXEC mode, follow these steps to control access to an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Identify a specific interface for configuration, and enter interface configuration mode.
  • Page 604: Hardware And Software Treatment Of Ip Acls

    This section provides examples of configuring and applying IP ACLs. For detailed information about compiling ACLs, refer to the Cisco IOS Security Configuration Guide, Release 12.2 and to the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
  • Page 605 Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Use router ACLs to do this in one of two ways: • Create a standard ACL, and filter traffic coming to the server from Port 1. • Create an extended ACL, and filter traffic coming from the server into Port 1. Figure 31-3 Using Router ACLs to Control Traffic (figure: Server A, Server B...)
  • Page 606: Numbered Acls

    Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Numbered ACLs In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host.
  • Page 607: Time Range Applied To An Ip Acl

    Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits ICMP traffic, denies UDP traffic from any source to the destination address range 171.69.0.0 through 179.69.255.255 with a destination port less than 1024, denies any other IP traffic, and provides a log of the result.
  • Page 608: Acl Logging

    Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs In this example of a named ACL, the Jones subnet is not allowed access: Switch(config)# ip access-list standard prevention Switch(config-std-nacl)# remark Do not allow Jones subnet through Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.255 In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet: Switch(config)# ip access-list extended telnetting Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out...
  • Page 609: Creating Named Mac Extended Acls

    Chapter 31 Configuring Network Security with ACLs Creating Named MAC Extended ACLs 01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet 01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 8 packets Note that all logging entries for IP ACLs start with %SEC-6-IPACCESSLOG, with minor variations in format depending on the kind of ACL and the access entry that has been matched.
  • Page 610 Chapter 31 Configuring Network Security with ACLs Creating Named MAC Extended ACLs Command Purpose Step 3 {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination... In extended MAC access-list configuration mode, specify to permit or deny any source MAC address, a source MAC address with a mask, or a specific host source MAC address and any...
  • Page 611: Applying A Mac Acl To A Layer 2 Interface

    Chapter 31 Configuring Network Security with ACLs Creating Named MAC Extended ACLs Applying a MAC ACL to a Layer 2 Interface After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface.
  • Page 612: Configuring Vlan Maps

    Chapter 31 Configuring Network Security with ACLs Configuring VLAN Maps Configuring VLAN Maps This section describes how to configure VLAN maps, which is the only way to control filtering within a VLAN. VLAN maps have no direction. To filter traffic in a specific direction by using a VLAN map, you need to include an ACL with specific source or destination addresses.
  • Page 613: Creating A Vlan Map

    Chapter 31 Configuring Network Security with ACLs Configuring VLAN Maps • If the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does not match any of these match clauses, the default is to drop the packet. If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet.
  • Page 614: Examples Of Acls And Vlan Maps

    Chapter 31 Configuring Network Security with ACLs Configuring VLAN Maps Command Purpose Step 4 match {ip | mac} address {name | number} [name | number] Match the packet (using either the IP or MAC address) against one or more standard or extended access lists. Note that packets are only matched against access lists of the correct protocol type.
  • Page 615 Chapter 31 Configuring Network Security with ACLs Configuring VLAN Maps • Forward all UDP packets • Drop all IGMP packets • Forward all TCP packets • Drop all other IP packets • Forward all non-IP packets Switch(config)# access-list 101 permit udp any any Switch(config)# ip access-list extended igmp-match Switch(config-ext-nacl)# permit igmp any any Switch(config)# ip access-list extended tcp-match...
  • Page 616: Applying A Vlan Map To A Vlan

    Chapter 31 Configuring Network Security with ACLs Configuring VLAN Maps Example 4 In this example, the VLAN map has a default action of drop for all packets (IP and non-IP). Used with access lists tcp-match and good-hosts from Examples 2 and 3, the map will have the following results: • Forward all TCP packets...
  • Page 617: Wiring Closet Configuration

    Chapter 31 Configuring Network Security with ACLs Configuring VLAN Maps Wiring Closet Configuration In a wiring closet configuration, routing might not be enabled on the switch. In this configuration, the switch can still support a VLAN map and a QoS classification ACL. In Figure 31-4, assume that Host X and Host Y are in different VLANs and are connected to wiring closet switches A and C.
  • Page 618: Denying Access To A Server On Another Vlan

    Chapter 31 Configuring Network Security with ACLs Configuring VLAN Maps Denying Access to a Server on Another VLAN You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs to have access denied to these hosts (see Figure 31-5): • Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.
  • Page 619: Using Vlan Maps With Router Acls

    Chapter 31 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs Using VLAN Maps with Router ACLs To access control both bridged and routed traffic, you can use VLAN maps only or a combination of router ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces, and you can define a VLAN map to access control the bridged traffic.
  • Page 620: Examples Of Router Acls And Vlan Maps Applied To Vlans

    Chapter 31 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs • Avoid including Layer 4 information in an ACL; adding this information complicates the merging process. The best merge results are obtained if the ACLs are filtered based on IP addresses (source and destination) and not on the full flow (source IP address, destination IP address, protocol, and protocol ports).
  • Page 621: Acls And Routed Packets

    Chapter 31 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs Figure 31-7 Applying ACLs on Bridged Packets (figure: Host A in VLAN 10 and Host B in VLAN 20 connected through a fallback bridge; frame and packet paths across VLAN 10 and VLAN 20) ACLs and Routed Packets Figure 31-8 shows how ACLs are applied on routed packets.
  • Page 622: Acls And Multicast Packets

    Chapter 31 Configuring Network Security with ACLs Displaying ACL Configuration ACLs and Multicast Packets Figure 31-9 shows how ACLs are applied on packets that are replicated for IP multicasting. A multicast packet being routed has two different kinds of filters applied: one for destinations that are other ports in the input VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed.
  • Page 623 Chapter 31 Configuring Network Security with ACLs Displaying ACL Configuration Table 31-2 Commands for Displaying Access Lists and Access Groups (continued) Command Purpose show ip interface interface-id Display detailed configuration and status of an interface. If IP is enabled on the interface and ACLs have been applied by using the ip access-group interface configuration command, the access groups are included in the display.
  • Page 625: Configuring Qos

    The switch supports some of the modular QoS CLI (MQC) commands. For more information about the MQC commands, refer to the “Modular Quality of Service Command Line Interface Overview” at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt8/qcfmdcli.htm#89799 Understanding QoS Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner.
  • Page 626 Chapter 32 Configuring QoS Understanding QoS The QoS implementation is based on the Differentiated Services (Diff-Serv) architecture, an emerging standard from the Internet Engineering Task Force (IETF). This architecture specifies that each packet is classified upon entry into the network. The classification is carried in the IP packet header, using 6 bits from the deprecated IP type of service (ToS) field to carry the classification (class) information.
  • Page 627: Chapter 32 Configuring Qo

    Chapter 32 Configuring QoS Understanding QoS Note Layer 3 IPv6 packets are treated as non-IP packets and are bridged by the switch. All switches and routers that access the Internet rely on the class information to provide the same forwarding treatment to packets with the same class information and different treatment to packets with different class information.
  • Page 628: Classification

    Chapter 32 Configuring QoS Understanding QoS Actions at the egress port include queueing and scheduling: • Queueing evaluates the QoS label and the corresponding DSCP or CoS value to select into which of the four egress queues to place a packet. Because congestion can occur when multiple ingress ports simultaneously send data to an egress port, WTD is used to differentiate traffic classes and to subject the packets to different thresholds based on the QoS label.
  • Page 629 Chapter 32 Configuring QoS Understanding QoS You specify which fields in the frame or packet that you want to use to classify incoming traffic. For non-IP traffic, you have these classification options as shown in Figure 32-3: • Trust the CoS value in the incoming frame (configure the port to trust CoS). Then use the...
  • Page 630 Chapter 32 Configuring QoS Understanding QoS Figure 32-3 Classification Flowchart (flowchart: read the ingress interface configuration for classification; trust CoS for IP and non-IP traffic, trust DSCP for IP traffic, or trust IP precedence for IP traffic)
  • Page 631: Classification Based On Qos Acls

    Chapter 32 Configuring QoS Understanding QoS Classification Based on QoS ACLs You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs: •...
  • Page 632: Policing And Marking

    Chapter 32 Configuring QoS Understanding QoS You create and name a policy map by using the policy-map global configuration command. When you enter this command, the switch enters the policy-map configuration mode. In this mode, you specify the actions to take on a specific traffic class by using the class, trust, or set policy-map configuration and policy-map class configuration commands.
  • Page 633 Chapter 32 Configuring QoS Understanding QoS Policing uses a token-bucket algorithm. As each frame is received by the switch, a token is added to the bucket. The bucket has a hole in it and leaks at a rate that you specify as the average traffic rate in bits per second.
  • Page 634: Mapping Tables

    Chapter 32 Configuring QoS Understanding QoS Mapping Tables During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS label based on the DSCP or CoS value from the classification stage: • During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or...
  • Page 635: Queueing And Scheduling Overview

    Chapter 32 Configuring QoS Understanding QoS Queueing and Scheduling Overview The switch has queues at specific points to help prevent congestion as shown in Figure 32-5. Figure 32-5 Ingress and Egress Queue Location (figure labels: Policer, Marker, Ingress queues, Stack ring, Egress queues)
  • Page 636: Srr Shaping And Sharing

    Chapter 32 Configuring QoS Understanding QoS Figure 32-6 WTD and Queue Operation (figure labels: CoS 6-7, CoS 4-5, CoS 0-3, 100%, 1000) For more information, see the “Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds” section on page 32-56, the “Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set”...
  • Page 637: Queueing And Scheduling On Ingress Queues

    Chapter 32 Configuring QoS Understanding QoS Queueing and Scheduling on Ingress Queues Figure 32-7 shows the queueing and scheduling flowchart for ingress ports. Figure 32-7 Queueing and Scheduling Flowchart for Ingress Ports Start Read QoS label (DSCP or CoS value). Determine ingress queue number, buffer allocation, and WTD thresholds.
  • Page 638 Chapter 32 Configuring QoS Understanding QoS You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
  • Page 639: Queueing And Scheduling On Egress Queues

    Chapter 32 Configuring QoS Understanding QoS Queueing and Scheduling on Egress Queues Figure 32-8 shows the queueing and scheduling flowchart for egress ports. Figure 32-8 Queueing and Scheduling Flowchart for Egress Ports Start Receive packet from the stack ring. Read QoS label (DSCP or CoS value).
  • Page 640 Chapter 32 Configuring QoS Understanding QoS Figure 32-9 shows the egress queue buffer. The buffer space is divided between the common pool and the reserved pool. The switch uses a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue, to prevent any queue or port from consuming all the buffers and depriving other queues, and to control whether to grant buffer space to a requesting queue.
  • Page 641: Packet Modification

    Chapter 32 Configuring QoS Understanding QoS threshold-id cos1...cos8} global configuration command. You can display the DSCP output queue threshold map and the CoS output queue threshold map by using the show mls qos maps privileged EXEC command. The queues use WTD to support distinct drop percentages for different traffic classes. Each queue has three drop thresholds: two configurable (explicit) WTD thresholds and one nonconfigurable (implicit) threshold preset to the queue-full state.
  • Page 642: Configuring Auto-Qos

    The switch uses the resulting classification to choose the appropriate egress queue. You use auto-QoS commands to identify ports connected to Cisco IP Phones and to devices running the Cisco SoftPhone application. You also use the commands to identify ports that receive trusted traffic through an uplink.
  • Page 643 The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP Phone. When a Cisco IP Phone is detected, the ingress classification on the port is set to trust the QoS label received in the packet. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet.
  • Page 644 Ensure Port Security” section on page 32-35. When you enable auto-QoS by using the auto qos voip cisco-phone, the auto qos voip cisco-softphone, or the auto qos voip trust interface configuration command, the switch automatically generates a QoS configuration based on the traffic type and ingress packet label and applies the commands listed in Table 32-5 to the port.
  • Page 645 Chapter 32 Configuring QoS Configuring Auto-QoS Table 32-5 Generated Auto-QoS Configuration (continued) Description Automatically Generated Command The switch automatically maps DSCP values to an ingress queue and to a threshold ID. Switch(config)# no mls qos srr-queue input dscp-map Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15 Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7...
  • Page 646 DSCP value received in the packet on a routed port. If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone. Switch(config-if)# mls qos trust device cisco-phone
  • Page 647: Effects Of Auto-Qos On The Configuration

    • By default, the CDP is enabled on all ports. For auto-QoS to function properly, do not disable the CDP. • When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
  • Page 648: Upgrading From A Previous Software Release

    Cisco IP Phones on routed ports was added. If auto-QoS is configured on the switch, your switch is running a release earlier than Cisco IOS Release 12.2(20)SE, and you upgrade to Cisco IOS Release 12.2(20)SE or later, the configuration file will not contain the new configuration, and auto-QoS will not operate.
  • Page 649 Chapter 32 Configuring QoS Configuring Auto-QoS Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show auto qos interface interface-id Verify your entries. This command displays the auto-QoS command on the interface on which auto-QoS was enabled. You can use the show running-config privileged EXEC command to display the auto-QoS configuration and the user modifications.
  • Page 650: Auto-Qos Configuration Example

    (figure labels: IP phones, Cisco IP phones) Figure 32-10 shows a network in which the VoIP traffic is prioritized over all other traffic. Auto-QoS is enabled on the switches in the wiring closets at the edge of the QoS domain.
  • Page 651 Step 6 exit Return to global configuration mode. Step 7 Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone. Step 8 interface interface-id Specify the switch port identified as connected to a trusted switch or router, and enter interface configuration mode.
  • Page 652: Displaying Auto-Qos Information

    Chapter 32 Configuring QoS Displaying Auto-QoS Information Displaying Auto-QoS Information To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
  • Page 653: Default Standard Qos Configuration

    Chapter 32 Configuring QoS Configuring Standard QoS Default Standard QoS Configuration QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
  • Page 654: Default Egress Queue Configuration

    Chapter 32 Configuring QoS Configuring Standard QoS Default Egress Queue Configuration Table 32-9 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited. Table 32-9 Default Egress Queue Configuration Feature Queue 1...
  • Page 655: Standard Qos Configuration Guidelines

    Chapter 32 Configuring QoS Configuring Standard QoS Standard QoS Configuration Guidelines Before beginning the QoS configuration, you should be aware of this information: • You configure QoS only on physical ports; there is no support for it on the VLAN or switch virtual interface level.
  • Page 656: Enabling Qos Globally

    Chapter 32 Configuring QoS Configuring Standard QoS Enabling QoS Globally By default, QoS is disabled on the switch. Beginning in privileged EXEC mode, follow these steps to enable QoS. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos Enable QoS globally.
  • Page 657 Chapter 32 Configuring QoS Configuring Standard QoS Figure 32-11 Port Trusted States within the QoS Domain (figure labels: Trusted interface, Trunk, Traffic classification performed here, Trusted boundary)
  • Page 658 Chapter 32 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be trusted, and enter interface configuration mode.
  • Page 659 To return to the default setting, use the no mls qos cos {default-cos | override} interface configuration command. Configuring a Trusted Boundary to Ensure Port Security In a typical network, you connect a Cisco IP Phone to a switch port, as shown in Figure 32-11 on page 32-33, and cascade devices that generate data packets from the back of the telephone.
  • Page 660 CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue.
  • Page 661 Chapter 32 Configuring QoS Configuring Standard QoS Figure 32-12 DSCP-Trusted State on a Port Bordering Another QoS Domain (figure: IP traffic between QoS Domain 1 and QoS Domain 2; set the interface to the DSCP-trusted state and configure the DSCP-to-DSCP-mutation map) Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map.
  • Page 662: Configuring A Qos Policy

    Chapter 32 Configuring QoS Configuring Standard QoS To return a port to its non-trusted state, use the no mls qos trust interface configuration command. To return to the default DSCP-to-DSCP-mutation map values, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command. This example shows how to configure a port to the DSCP-trusted state and to modify the DSCP-to-DSCP-mutation map (named gi1/0/2-mutation) so that incoming DSCP values 10 to 13 are mapped to DSCP 30:...
  • Page 663 Chapter 32 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard] Create an IP standard ACL, repeating the command as many times as necessary.
  • Page 664 Chapter 32 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} protocol source source-wildcard Create an IP extended ACL, repeating the command as many times as necessary.
  • Page 665 Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac access-list extended name Create a Layer 2 MAC ACL by specifying the name of the list.
  • Page 666: Classifying Traffic By Using Class Maps

    Classifying Traffic by Using Class Maps You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further classify it.
  • Page 667 Command Purpose Step 4 match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list} Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported.
  • Page 668: Classifying, Policing, And Marking Traffic By Using Policy Maps

    Classifying, Policing, and Marking Traffic by Using Policy Maps A policy map specifies which traffic class to act on. Actions can include trusting the CoS, DSCP, or IP precedence values in the traffic class; setting a specific DSCP or IP precedence value in the traffic class; and specifying the traffic bandwidth limitations for each matched traffic class (policer) and the action to take when the traffic is out of profile (marking).
  • Page 669 Command Purpose Step 4 class class-map-name Define a traffic classification, and enter policy-map class configuration mode. By default, no policy map class-maps are defined. If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.
  • Page 670 Command Purpose Step 7 police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}] Define a policer for the classified traffic. By default, no policer is defined. For information on the number of policers supported, see the “Standard QoS Configuration Guidelines”...
  • Page 671: Classifying, Policing, And Marking Traffic By Using Aggregate Policers

    Switch(config-pmap-c)# police 48000 8000 exceed-action policed-dscp-transmit Switch(config-pmap-c)# exit Switch(config-pmap)# exit Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# service-policy input flow1t This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to an ingress port.
  • Page 672 Beginning in privileged EXEC mode, follow these steps to create an aggregate policer: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos aggregate-policer aggregate-policer-name rate-bps burst-byte Define the policer parameters that can be applied to multiple traffic classes within the same policy map.
  • Page 673: Configuring Dscp Maps

    Command Purpose Step 11 show mls qos aggregate-policer [aggregate-policer-name] Verify your entries. Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove the specified aggregate policer from a policy map, use the no police aggregate aggregate-policer-name policy-map configuration mode command.
  • Page 674: Configuring The Cos-To-Dscp Map

    Configuring the CoS-to-DSCP Map You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 32-12 shows the default CoS-to-DSCP map.
  • Page 675: Configuring The Policed-Dscp Map

    If these values are not appropriate for your network, you need to modify them. Beginning in privileged EXEC mode, follow these steps to modify the IP-precedence-to-DSCP map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 676: Configuring The Dscp-To-Cos Map

    To return to the default map, use the no mls qos policed-dscp global configuration command. This example shows how to map DSCP 50 to 57 to a marked-down DSCP value of 0: Switch(config)# mls qos map policed-dscp 50 51 52 53 54 55 56 57 to 0 Switch(config)# end Switch# show mls qos maps policed-dscp Policed-dscp map:...
  • Page 677: Configuring The Dscp-To-Dscp-Mutation Map

    Command Purpose Step 4 show mls qos maps dscp-to-cos Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default map, use the no mls qos dscp-cos global configuration command. This example shows how to map DSCP values 0, 8, 16, 24, 32, 40, 48, and 50 to CoS value 0 and to display the map: Switch(config)# mls qos map dscp-cos 0 8 16 24 32 40 48 50 to 0...
  • Page 678 Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-DSCP-mutation map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map dscp-mutation Modify the DSCP-to-DSCP-mutation map.
  • Page 679: Configuring Ingress Queue Characteristics

    This example shows how to define the DSCP-to-DSCP-mutation map. All the entries that are not explicitly configured are not modified (they remain as specified in the null map): Switch(config)# mls qos map dscp-mutation mutation1 1 2 3 4 5 6 7 to 0 Switch(config)# mls qos map dscp-mutation mutation1 8 9 10 11 12 13 to 10 Switch(config)# mls qos map dscp-mutation mutation1 20 21 22 to 20 Switch(config)# mls qos map dscp-mutation mutation1 30 31 32 33 34 to 30...
  • Page 680 Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped. Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and to set WTD thresholds.
  • Page 681: Allocating Buffer Space Between The Ingress Queues

    This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent. It maps DSCP values 20 to 26 to ingress queue 1 and to threshold 2 with a drop threshold of 70 percent: Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 1 0 1 2 3 4 5 6 Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 20 21 22 23 24 25 26...
  • Page 682: Allocating Bandwidth Between The Ingress Queues

    Allocating Bandwidth Between the Ingress Queues You need to specify how much of the available bandwidth is allocated between the ingress queues. The ratio of the weights is the ratio of the frequency with which the SRR scheduler sends packets from each queue.
  • Page 683: Configuring The Ingress Priority Queue

    Configuring the Ingress Priority Queue You should use the priority queue only for traffic that needs to be expedited (for example, voice traffic, which needs minimum delay and jitter). The priority queue is guaranteed part of the bandwidth to reduce the delay and jitter under heavy network traffic on an oversubscribed ring (when there is more traffic than the backplane can carry, and the queues are full and dropping frames).
  • Page 684: Configuring Egress Queue Characteristics

    Configuring Egress Queue Characteristics Depending on the complexity of your network and your QoS solution, you might need to perform all of the tasks in the next sections. You will need to make decisions about these characteristics: • Which packets are mapped by DSCP or CoS value to each queue and threshold ID? ...
  • Page 685 Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and the drop thresholds for a queue-set. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos queue-set output qset-id Allocate buffers to a queue-set.
  • Page 686: Mapping Dscp Or Cos Values To An Egress Queue And To A Threshold Id

    Command Purpose Step 6 Return to privileged EXEC mode. Step 7 show mls qos interface [interface-id] buffers Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command.
  • Page 687 Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an egress queue and to a threshold ID. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 688: Configuring Srr Shaped Weights On Egress Queues

    Configuring SRR Shaped Weights on Egress Queues Note: You cannot configure SRR shaped weights on the 10-Gigabit interfaces. You can specify how much of the available bandwidth is allocated to each queue. The ratio of the weights is the ratio of the frequency with which the SRR scheduler sends packets from each queue.
  • Page 689: Configuring Srr Shared Weights On Egress Queues

    This example shows how to configure bandwidth shaping on queue 1. Because the weight ratios for queues 2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent: Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# srr-queue bandwidth shape 8 0 0 0...
  • Page 690: Configuring The Egress Expedite Queue

    Configuring the Egress Expedite Queue Beginning in Cisco IOS Release 12.1(19)EA1, you can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues.
  • Page 691: Displaying Standard Qos Information

    Chapter 32 Configuring QoS Displaying Standard QoS Information Beginning in privileged EXEC mode, follow these steps to limit the bandwidth on an egress port. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be rate limited, and enter interface configuration mode.
  • Page 692 Table 32-15 Commands for Displaying Standard QoS Information (continued) Command Purpose show mls qos queue-set [qset-id] Display QoS settings for the egress queues. show policy-map [policy-map-name [class class-map-name]] Display QoS policy maps, which define classification criteria for incoming traffic.
  • Page 693: Configuring Etherchannels

    Chapter 33 Configuring EtherChannels This chapter describes how to configure EtherChannels on Layer 2 and Layer 3 ports on the Catalyst 3750 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
  • Page 694: Chapter 33 Configuring EtherChannels

    Chapter 33 Configuring EtherChannels Understanding EtherChannels EtherChannel Overview An EtherChannel consists of individual Fast Ethernet or Gigabit Ethernet links bundled into a single logical link as shown in Figure 33-1. Figure 33-1 Typical EtherChannel Configuration (Catalyst 8500 series switch, Gigabit EtherChannel over 1000BASE-X links, 10/100 ports)...
  • Page 695 Figure 33-2 Single-Switch EtherChannel (Catalyst 3750 switch stack with Switch 1, Switch 2, and Switch 3 joined by StackWise port connections; channel group 1 and channel group 2 to Switch A). Figure 33-3 Cross-Stack EtherChannel (Catalyst 3750 switch stack, Switch 1, StackWise port connections)...
  • Page 696: Port-Channel Interfaces

    Port-Channel Interfaces When you create an EtherChannel, a port-channel logical interface is involved: • With Layer 2 ports, use the channel-group interface configuration command to dynamically create the port-channel logical interface. You also can use the interface port-channel port-channel-number global configuration command to manually create the port-channel logical interface, but then you must use the channel-group channel-group-number command to bind the logical interface to a physical port.
  • Page 697: Port Aggregation Protocol

    Port Aggregation Protocol The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports. You can use PAgP only in single-switch EtherChannel configurations;...
  • Page 698: Pagp Interaction With Other Features

    Link Aggregation Control Protocol The LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports. You can use LACP only in single-switch EtherChannel configurations;...
  • Page 699: Lacp Modes

    LACP Modes Table 33-2 shows the user-configurable EtherChannel LACP modes for the channel-group interface configuration command. Table 33-2 EtherChannel LACP Modes Mode Description active Places a port into an active negotiating state in which the port starts negotiations with other ports by sending LACP packets.
  • Page 700 With source-MAC address forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the channel based on the source-MAC address of the incoming packet. Therefore, to provide load balancing, packets from different hosts use different ports in the channel, but packets from the same host use the same port in the channel.
  • Page 701: Etherchannel And Switch Stacks

    Figure 33-5 Load Distribution and Forwarding Methods (a switch with source-based forwarding enabled and a Cisco router with destination-based forwarding enabled, each attached to an EtherChannel). EtherChannel and Switch Stacks If a stack member that has ports participating in an EtherChannel fails or leaves the stack, the stack master removes the failed stack member switch ports from the EtherChannel.
  • Page 702: Configuring Etherchannels

    Chapter 33 Configuring EtherChannels Configuring EtherChannels Configuring EtherChannels These sections describe how to configure EtherChannel on Layer 2 and Layer 3 ports: • Default EtherChannel Configuration, page 33-10 • EtherChannel Configuration Guidelines, page 33-11 • Configuring Layer 2 EtherChannels, page 33-12 (required) ...
  • Page 703: Etherchannel Configuration Guidelines

    If you try to enable 802.1x on an EtherChannel port, an error message appears, and 802.1x is not enabled. Note: In software releases earlier than Cisco IOS Release 12.1(18)SE, if 802.1x is enabled on a not-yet-active port of an EtherChannel, the port does not join the EtherChannel.
  • Page 704: Configuring Layer 2 Etherchannels

    For Layer 2 EtherChannels: • Assign all ports in the EtherChannel to the same VLAN, or configure them as trunks. – Ports with different native VLANs cannot form an EtherChannel. – If you configure an EtherChannel from trunk ports, verify that the trunking mode (ISL or 802.1Q) is the same on all the trunks.
  • Page 705 Beginning in privileged EXEC mode, follow these steps to assign a Layer 2 Ethernet port to a Layer 2 EtherChannel. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify a physical port, and enter interface configuration mode.
  • Page 706 Command Purpose Step 4 channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive} Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 12. For mode, select one of these keywords: • auto—Enables PAgP only if a PAgP device is detected.
  • Page 707: Configuring Layer 3 Etherchannels

    This example shows how to configure an EtherChannel on a single switch in the stack. It assigns two ports as static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable: Switch# configure terminal Switch(config)# interface range gigabitethernet2/0/1 -2 Switch(config-if-range)# switchport mode access Switch(config-if-range)# switchport access vlan 10...
  • Page 708: Configuring The Physical Interfaces

    Beginning in privileged EXEC mode, follow these steps to create a port-channel interface for a Layer 3 EtherChannel. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface port-channel port-channel-number Specify the port-channel logical interface, and enter interface configuration mode.
  • Page 709 Command Purpose Step 5 channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive} Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 12. This number must be the same as the port-channel-number (logical port) configured in the “Creating Port-Channel Logical Interfaces”...
  • Page 710: Configuring Etherchannel Load Balancing

    This example shows how to configure an EtherChannel. It assigns two ports to channel 5 with the LACP mode active: Switch# configure terminal Switch(config)# interface range gigabitethernet2/0/1 -2 Switch(config-if-range)# no ip address Switch(config-if-range)# no switchport Switch(config-if-range)# channel-group 5 mode active Switch(config-if-range)# end This example shows how to configure cross-stack EtherChannel.
  • Page 711: Configuring The Pagp Learn Method And Priority

    Command Purpose Step 3 Return to privileged EXEC mode. Step 4 show etherchannel load-balance Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command.
  • Page 712: Configuring Lacp Hot-Standby Ports

    Beginning in privileged EXEC mode, follow these steps to configure your switch as a PAgP physical-port learner and to adjust the priority so that the same port in the bundle is selected for sending packets.
  • Page 713: Configuring The Lacp System Priority

    If you configure more than eight links for an EtherChannel group, the software automatically decides which of the hot-standby ports to make active based on the LACP priority. The software assigns to every link between systems that operate LACP a unique priority made up of these elements (in priority order): • LACP system priority ...
  • Page 714: Configuring The Lacp Port Priority

    Configuring the LACP Port Priority By default, all ports use the same port priority. If the local system has a lower value for the system priority and the system ID than the remote system, you can affect which of the hot-standby links become active first by changing the port priority of LACP EtherChannel ports to a lower value than the default.
  • Page 715: Displaying Etherchannel, Pagp, And Lacp Status

    Chapter 33 Configuring EtherChannels Displaying EtherChannel, PAgP, and LACP Status Displaying EtherChannel, PAgP, and LACP Status To display EtherChannel, PAgP, and LACP status information, use the privileged EXEC commands described in Table 33-4: Table 33-4 Commands for Displaying EtherChannel, PAgP, and LACP Status Command Description show etherchannel [channel-group-number {detail |...
  • Page 717: Configuring Ip Unicast Routing

    For more detailed IP unicast configuration information, refer to the Cisco IOS IP Configuration Guide, Release 12.1. For complete syntax and usage information for the commands used in this chapter, refer to these command references: Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2...
  • Page 718: Understanding Ip Routing

    Chapter 34 Configuring IP Unicast Routing Understanding IP Routing Understanding IP Routing In some network environments, VLANs are associated with individual networks or subnetworks. In an IP network, each subnetwork is mapped to an individual VLAN. Configuring VLANs helps control the size of the broadcast domain and keeps local traffic local.
  • Page 719: Chapter 34 Configuring Ip Unicast Routing

    • It processes routing protocol messages and updates received from peer routers. • It generates, maintains, and distributes the distributed Cisco Express Forwarding (dCEF) database to all stack members. The routes are programmed on all switches in the stack based on this database.
  • Page 720: Steps For Configuring Routing

    Steps for Configuring Routing By default, IP routing is disabled on the switch, and you must enable it before routing can take place. For detailed IP routing configuration information, refer to the Cisco IOS IP Configuration Guide, Release 12.2. In the following procedures, the specified interface must be one of these Layer 3 interfaces: •...
  • Page 721: Configuring Ip Addressing

    Chapter 34 Configuring IP Unicast Routing Configuring IP Addressing A Layer 3 switch can have an IP address assigned to each routed port and SVI. Note: The number of routed ports and SVIs that you can configure is not limited by software. However, the interrelationship between this number and the number and volume of features being implemented might have an impact on CPU utilization because of hardware limitations.
  • Page 722: Assigning Ip Addresses To Network Interfaces

    Table 34-1 Default Addressing Configuration (continued) Feature Default Setting IP default gateway Disabled. IP directed broadcast Disabled (all IP directed broadcasts are dropped). IP domain Domain list: No domain names defined. Domain lookup: Enabled.
  • Page 723: Use Of Subnet Zero

    Command Purpose Step 3 no switchport Remove the interface from Layer 2 configuration mode (if it is a physical interface). Step 4 ip address ip-address subnet-mask Configure the IP address and IP subnet mask. Step 5 no shutdown Enable the interface.
  • Page 724 Figure 34-2 IP Classless Routing (network 128.0.0.0/8; router with subnets 128.20.0.0, 128.20.1.0, 128.20.2.0, and 128.20.3.0; host sending to 128.20.4.1 with IP classless enabled). In Figure 34-3, the router in network 128.20.0.0 is connected to subnets 128.20.1.0, 128.20.2.0, and 128.20.3.0. If the host sends a packet to 120.20.4.1, because there is no network default route, the router discards the packet.
  • Page 725: Configuring Address Resolution Methods

    Using RARP requires a RARP server on the same network segment as the router interface. Use the ip rarp-server address interface configuration command to identify the server. For more information on RARP, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2.
  • Page 726: Define A Static Arp Cache

    Define a Static ARP Cache ARP and other address resolution protocols provide dynamic mapping between IP addresses and MAC addresses. Because most hosts support dynamic address resolution, you usually do not need to specify static ARP cache entries.
  • Page 727: Set Arp Encapsulation

    Set ARP Encapsulation By default, Ethernet ARP encapsulation (represented by the arpa keyword) is enabled on an IP interface. You can change the encapsulation methods to SNAP if required by your network. Beginning in privileged EXEC mode, follow these steps to specify the ARP encapsulation type: Command Purpose...
  • Page 728: Routing Assistance When Ip Routing Is Disabled

    Routing Assistance When IP Routing is Disabled These mechanisms allow the switch to learn about routes to other networks when it does not have IP routing enabled: • Proxy ARP, page 34-12 ...
  • Page 729: Icmp Router Discovery Protocol (Irdp)

    ICMP Router Discovery Protocol (IRDP) Router discovery allows the switch to dynamically learn about routes to other networks using IRDP. IRDP allows hosts to locate routers. When operating as a client, the switch generates router discovery packets.
  • Page 730: Configuring Broadcast Packet Handling

    If you change the maxadvertinterval value, the holdtime and minadvertinterval values also change, so it is important to first change the maxadvertinterval value, before manually changing either the holdtime or minadvertinterval values. Use the no ip irdp interface configuration command to disable IRDP routing.
  • Page 731: Forwarding Udp Broadcast Packets And Protocols

    By default, both UDP and ND forwarding are enabled if a helper address has been defined for an interface. The description for the ip forward-protocol interface configuration command in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 lists the ports that are forwarded by default if you do not specify any UDP ports.
  • Page 732: Establishing An Ip Broadcast Address

    If you do not specify any UDP ports when you configure the forwarding of UDP broadcasts, you are configuring the router to act as a BOOTP forwarding agent. BOOTP packets carry DHCP information. Beginning in privileged EXEC mode, follow these steps to enable forwarding UDP broadcast packets on an interface and specify the destination address: Command...
  • Page 733: Flooding Ip Broadcasts

    Flooding IP Broadcasts You can allow IP broadcasts to be flooded throughout your internetwork in a controlled fashion by using the database created by the bridging STP. Using this feature also prevents loops. To support this capability, bridging must be configured on each interface that is to participate in the flooding.
  • Page 734: Monitoring And Maintaining Ip Addressing

    Beginning in privileged EXEC mode, follow these steps to increase spanning-tree-based flooding: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip forward-protocol turbo-flood Use the spanning-tree database to speed up flooding of UDP datagrams. Step 3 Return to privileged EXEC mode.
  • Page 735: Enabling Ip Unicast Routing

    (RIP) router configuration command. For information on specific protocols, refer to sections later in this chapter and to the Cisco IOS IP Configuration Guide, Release 12.2. Note: The SMI supports only RIP as a routing protocol. Step 4 Return to privileged EXEC mode.
  • Page 736: Configuring Rip

    Protocol (UDP) data packets to exchange routing information. The protocol is documented in RFC 1058. You can find detailed information about RIP in IP Routing Fundamentals, published by Cisco Press. Note: RIP is the only routing protocol supported by the SMI; other routing protocols require the stack master to be running the EMI.
  • Page 737: Configuring Basic Rip Parameters

    Chapter 34 Configuring IP Unicast Routing Configuring RIP Table 34-4 Default RIP Configuration (continued) Feature Default Setting: IP split horizon: Varies with media. Neighbor: None defined. Network: None specified. Offset list: Disabled. Output delay: 0 milliseconds. Timers basic: • Update: 30 seconds. ...
  • Page 738 Command Purpose Step 7 timers basic update invalid holddown flush (Optional) Adjust routing protocol timers. Valid ranges for all timers are 0 to 4294967295 seconds. • update—The time between sending routing updates. The default is ...
  • Page 739: Configuring Rip Authentication

    Configuring RIP Authentication RIP version 1 does not support authentication. If you are sending and receiving RIP Version 2 packets, you can enable RIP authentication on an interface. The key chain specifies the set of keys that can be used on the interface.
  • Page 740: Configuring Split Horizon

    Beginning in privileged EXEC mode, follow these steps to set an interface to advertise a summarized local IP address and to disable split horizon on the interface: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 741: Configuring Ospf

    This section briefly describes how to configure Open Shortest Path First (OSPF). For a complete description of the OSPF commands, refer to the “OSPF Commands” chapter of the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
  • Page 742: Default Ospf Configuration

    Chapter 34 Configuring IP Unicast Routing Configuring OSPF This section briefly describes how to configure OSPF. It includes this information: • Default OSPF Configuration, page 34-26 • Configuring Basic OSPF Parameters, page 34-27 • Configuring OSPF Interfaces, page 34-28 • Configuring OSPF Area Parameters, page 34-29 ...
  • Page 743: Configuring Basic Ospf Parameters

    Chapter 34 Configuring IP Unicast Routing Configuring OSPF Table 34-5 Default OSPF Configuration (continued) Feature Default Setting Distance OSPF dist1 (all routes within an area): 110. dist2 (all routes from one area to another): 110. dist3 (routes from other routing domains): 110. OSPF database filter Disabled.
  • Page 744: Configuring Ospf Interfaces

    Chapter 34 Configuring IP Unicast Routing Configuring OSPF Command Purpose Step 3 network address wildcard-mask area area-id Define an interface on which OSPF runs and the area ID for that interface. The wildcard-mask lets a single command associate one or more interfaces with a specific OSPF area.
  • Page 745: Configuring Ospf Area Parameters

    Chapter 34 Configuring IP Unicast Routing Configuring OSPF Command Purpose Step 8 ip ospf dead-interval seconds (Optional) Set the number of seconds after the last device hello packet was seen before its neighbors declare the OSPF router to be down. The value must be the same for all nodes on a network. The range is 1 to 65535 seconds.
  • Page 746: Configuring Other Ospf Parameters

    Chapter 34 Configuring IP Unicast Routing Configuring OSPF Command Purpose Step 3 area area-id authentication (Optional) Allow password-based protection against unauthorized access to the identified area. The identifier can be either a decimal value or an IP address. Step 4 area area-id authentication message-digest (Optional) Enable MD5 authentication on the area.
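The following configuration is an added example and is not taken from the guide. It applies Steps 3 and 4 above: the area is set to message-digest (MD5) authentication rather than the simple password form, which carries the password in cleartext in every OSPF packet, and each interface in the area gets a key. Process ID 1, area 0, VLAN 10, the addresses, and the key string are assumptions.

```ios
! Added example, not from the guide. Process ID, area, interface, addresses and key are assumptions.
router ospf 1
 log-adjacency-changes
 network 10.1.0.0 0.0.255.255 area 0
 ! "area 0 authentication" alone selects simple (cleartext) passwords; ask for MD5 instead.
 area 0 authentication message-digest
!
interface vlan 10
 ip address 10.1.10.1 255.255.255.0
 ! Key ID and key string must match on every router on this segment.
 ip ospf message-digest-key 1 md5 0spfK3y1
!
! Verify: the interface output should report "Message digest authentication enabled"
! with "Youngest key id is 1"; a neighbor using a different key never reaches FULL.
show ip ospf interface vlan 10
show ip ospf neighbor
```

To change the key without dropping adjacencies, add a second message-digest-key (for example key 2) on every router while key 1 is still present. IOS then sends each packet once per configured key until it sees all neighbors using the newest key, after which key 1 can be removed everywhere.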
  • Page 747 Chapter 34 Configuring IP Unicast Routing Configuring OSPF Default route: When you specifically configure redistribution of routes into an OSPF routing domain, the switch automatically becomes an autonomous system boundary router (ASBR). You can force the ASBR to generate a default route into the OSPF routing domain. Domain Name Server (DNS) names for use in all OSPF show privileged EXEC command displays ...
  • Page 748: Changing Lsa Group Pacing

    Chapter 34 Configuring IP Unicast Routing Configuring OSPF Command Purpose Step 10 timers spf spf-delay spf-holdtime (Optional) Configure route calculation timers. spf-delay—Enter an integer from 0 to 65535. The default is 5 seconds; 0 means no delay. spf-holdtime—Enter an integer from 0 to 65535. The default is ...
  • Page 749: Monitoring Ospf

    EXEC commands for displaying statistics. For more show ip ospf database privileged EXEC command options and for explanations of fields in the resulting display, refer to the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. Table 34-6 Show IP OSPF Statistics Commands...
  • Page 750: Configuring Eigrp

    Configuring EIGRP Configuring EIGRP Enhanced IGRP (EIGRP) is a Cisco proprietary enhanced version of the IGRP. EIGRP uses the same distance vector algorithm and distance information as IGRP; however, the convergence properties and the operating efficiency of EIGRP are significantly improved.
  • Page 751: Default Eigrp Configuration

    Chapter 34 Configuring IP Unicast Routing Configuring EIGRP feasible successors, but there are neighbors advertising the destination, a recomputation must occur. This is the process whereby a new successor is determined. The amount of time it takes to recompute the route affects the convergence time. Recomputation is processor-intensive; it is advantageous to avoid recomputation if it is not necessary.
  • Page 752: Configuring Basic Eigrp Parameters

    Chapter 34 Configuring IP Unicast Routing Configuring EIGRP Table 34-7 Default EIGRP Configuration (continued) Feature Default Setting Distance Internal distance: 90. External distance: 170. EIGRP log-neighbor changes Disabled. No adjacency changes logged. IP authentication key-chain No authentication provided. IP authentication mode No authentication provided.
  • Page 753: Configuring Eigrp Interfaces

    Chapter 34 Configuring IP Unicast Routing Configuring EIGRP Command Purpose Step 3 network network-number Associate networks with an EIGRP routing process. EIGRP sends updates to the interfaces in the specified networks. If an interface’s network is not specified, it is not advertised in any IGRP or EIGRP update.
  • Page 754: Configuring Eigrp Route Authentication

    15 seconds for all other networks. Caution: Do not adjust the hold time without consulting Cisco technical support. Step 7 no ip split-horizon eigrp autonomous-system-number (Optional) Disable split horizon to allow route information to be advertised by a router out any interface from which that information originated.
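The following configuration is an added example and is not taken from the guide. It shows EIGRP route authentication as described in this section, together with neighbor-change logging, which Table 34-7 lists as disabled by default. Autonomous system 100, the key-chain name, VLAN 10, and the addresses are assumptions.

```ios
! Added example, not from the guide. AS number, key chain, interface and addresses are assumptions.
key chain EIGRP-KEYS
 key 1
  key-string e1grpK3y
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
 ! Disabled by default (Table 34-7). Enable it so adjacency flaps reach syslog.
 eigrp log-neighbor-changes
!
interface vlan 10
 ip address 10.1.10.1 255.255.255.0
 ! Both commands are required: the mode selects MD5, the key chain supplies the secret.
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! Verify: an unauthenticated or wrongly keyed router never appears as a neighbor,
! and the interface detail shows the authentication mode and key chain in use.
show ip eigrp neighbors
show ip eigrp interfaces detail vlan 10
```

The AS number in both interface commands must be the one used on the router eigrp line; a mismatch there leaves the interface unauthenticated without any error message.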
  • Page 755: Monitoring And Maintaining Eigrp

    You can delete neighbors from the neighbor table. You can also display various EIGRP routing statistics. Table 34-8 lists the privileged EXEC commands for deleting neighbors and displaying statistics. For explanations of fields in the resulting display, refer to the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. Table 34-8...
  • Page 756: Configuring Bgp

    “Configuring BGP” chapter in the Cisco IOS IP and IP Routing Configuration Guide. For details about BGP commands and keywords, refer to the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of BGP commands that are visible but not supported by the switch, see Appendix C, “Unsupported Commands in Cisco IOS Release 12.2(20)SE.”...
  • Page 757 AS-level policy decisions. A router or switch running Cisco IOS does not select or use an IBGP route unless it has a route available to the next-hop router and it has received synchronization from an IGP (unless IGP synchronization is disabled).
  • Page 758: Default Bgp Configuration

    Default BGP Configuration Table 34-9 shows the basic default BGP configuration. For the defaults for all characteristics, refer to the specific commands in the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. Table 34-9 Default BGP Configuration...
  • Page 759 Chapter 34 Configuring IP Unicast Routing Configuring BGP Table 34-9 Default BGP Configuration (continued) Feature Default Setting Multi exit discriminator (MED) Always compare: Disabled. Does not compare MEDs for paths from neighbors in different autonomous systems. Best path compare: Disabled. MED missing as worst path: Disabled.
  • Page 760: Enabling Bgp Routing

    Chapter 34 Configuring IP Unicast Routing Configuring BGP Enabling BGP Routing To enable BGP routing, you establish a BGP routing process and define the local network. Because BGP must completely recognize the relationships with its neighbors, you must also specify a BGP neighbor. BGP supports two kinds of neighbors: internal and external.
  • Page 761 Chapter 34 Configuring IP Unicast Routing Configuring BGP Command Purpose Step 8 no auto-summary (Optional) Disable automatic network summarization. By default, when a subnet is redistributed from an IGP into BGP, only the network route is inserted into the BGP table. Step 9 bgp fast-external-fallover (Optional) Automatically reset a BGP session when a link...
  • Page 762: Managing Routing Policy Changes

    BGP sessions so that the configuration changes take effect. There are two types of reset, hard reset and soft reset. Cisco IOS Releases 12.1 and later support a soft reset without any prior configuration. To use a soft reset without preconfiguration, both BGP peers must support the soft route refresh capability, which is advertised in the OPEN message sent when the peers establish a TCP session.
  • Page 763: Configuring Bgp Decision Attributes

    Prefer the path with the largest weight (a Cisco proprietary parameter). The weight attribute is local to the router and not propagated in routing updates. By default, the weight attribute is 32768 for paths that the router originates and zero for other paths.
  • Page 764 Chapter 34 Configuring IP Unicast Routing Configuring BGP Prefer the route with the highest local preference. Local preference is part of the routing update and exchanged among routers in the same AS. The default value of the local preference attribute is 100. You can set local preference by using the bgp default local-preference router configuration command or by using a route map.
  • Page 765: Configuring Bgp Filtering With Route Maps

    Chapter 34 Configuring IP Unicast Routing Configuring BGP Command Purpose Step 7 bgp bestpath med missing-as-worst (Optional) Configure the switch to consider a missing MED as having a value of infinity, making the path without a MED value the least desirable path. Step 8 bgp always-compare med (Optional) Configure the switch to compare MEDs for...
  • Page 766: Configuring Bgp Filtering By Neighbor

    Chapter 34 Configuring IP Unicast Routing Configuring BGP Command Purpose Step 3 set ip next-hop ip-address [...ip-address] [peer-address] (Optional) Set a route map to disable next-hop processing. In an inbound route map, set the next hop of matching routes to ...
  • Page 767: Configuring Prefix Lists For Bgp Filtering

    BGP autonomous system paths. Each filter is an access list based on regular expressions. (Refer to the “Regular Expressions” appendix in the Cisco IOS Dial Services Command Reference for more information on forming regular expressions.) To use this method, define an autonomous system path access list, and apply it to updates to and from particular neighbors.
  • Page 768: Configuring Bgp Community Filtering

    Chapter 34 Configuring IP Unicast Routing Configuring BGP You do not need to specify a sequence number when removing a configuration entry. Show commands include the sequence numbers in their output. Before using a prefix list in a command, you must set up the prefix list. Beginning in privileged EXEC mode, follow these steps to create a prefix list or to add an entry to a prefix list: Command Purpose...
  • Page 769 (Optional) Display and parse BGP communities in the format AA:NN. A BGP community is displayed in a two-part format 2 bytes long. The Cisco default community format is in the format NNAA. In the most recent RFC for BGP, a community takes the form AA:NN, where the first part is the AS number and the second part is a 2-byte number.
  • Page 770: Configuring Bgp Neighbors And Peer Groups

    Chapter 34 Configuring IP Unicast Routing Configuring BGP Configuring BGP Neighbors and Peer Groups Often many BGP neighbors are configured with the same update policies (that is, the same outbound route maps, distribute lists, filter lists, update source, and so on). Neighbors with the same update policies can be grouped into peer groups to simplify configuration and to make updating more efficient.
  • Page 771 Chapter 34 Configuring IP Unicast Routing Configuring BGP Command Purpose Step 13 neighbor {ip-address | peer-group-name} maximum-prefix maximum [threshold] (Optional) Control how many prefixes can be received from a neighbor. The range is 1 to 4294967295. The threshold (optional) is the percentage of maximum at which a warning message is generated.
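The following configuration is an added example and is not taken from the guide. It combines the neighbor steps above with the prefix lists from "Configuring Prefix Lists for BGP Filtering": an inbound list that rejects the local prefix and private address space, an outbound list that announces only what this switch originates, and maximum-prefix as a limit on what one peer can push into the table. The neighbor password (TCP MD5 signature) is not among the steps listed on this page but is a standard IOS neighbor command. AS numbers 65001/65002, the addresses, list names, and the password are assumptions.

```ios
! Added example, not from the guide. AS numbers, addresses, list names and password are assumptions.
! Inbound: reject our own prefix and RFC 1918 space, accept only /8 through /24.
ip prefix-list FROM-AS65002 seq 5 deny 192.0.2.0/24 le 32
ip prefix-list FROM-AS65002 seq 10 deny 10.0.0.0/8 le 32
ip prefix-list FROM-AS65002 seq 15 deny 172.16.0.0/12 le 32
ip prefix-list FROM-AS65002 seq 20 deny 192.168.0.0/16 le 32
ip prefix-list FROM-AS65002 seq 30 permit 0.0.0.0/0 ge 8 le 24
! Outbound: announce only the prefix we originate.
ip prefix-list TO-AS65002 seq 10 permit 192.0.2.0/24
!
router bgp 65001
 bgp log-neighbor-changes
 network 192.0.2.0 mask 255.255.255.0
 neighbor 198.51.100.2 remote-as 65002
 neighbor 198.51.100.2 description upstream
 ! TCP MD5 signature on the session; the peer must configure the same string.
 neighbor 198.51.100.2 password Bgp-TCP-MD5-secret
 neighbor 198.51.100.2 prefix-list FROM-AS65002 in
 neighbor 198.51.100.2 prefix-list TO-AS65002 out
 ! Log a warning at 80 percent of 1000 prefixes; tear the session down at 1000.
 neighbor 198.51.100.2 maximum-prefix 1000 80
!
show ip bgp neighbors 198.51.100.2 | include prefix
```

Once the maximum is exceeded the session stays down until it is cleared with clear ip bgp 198.51.100.2, so size the limit from the peer's normal table with headroom rather than at the exact count. Changing an inbound prefix list does not reapply to prefixes already accepted; perform a soft inbound reset, as described under "Managing Routing Policy Changes", after editing it.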
  • Page 772: Configuring Aggregate Addresses

    Chapter 34 Configuring IP Unicast Routing Configuring BGP Configuring Aggregate Addresses Classless interdomain routing (CIDR) enables you to create aggregate routes (or supernets) to minimize the size of routing tables. You can configure aggregate routes in BGP either by redistributing an aggregate route into BGP or by creating an aggregate entry in the BGP routing table.
  • Page 773: Configuring Bgp Route Reflectors

    Chapter 34 Configuring IP Unicast Routing Configuring BGP To configure a BGP confederation, you must specify a confederation identifier that acts as the autonomous system number for the group of autonomous systems. Beginning in privileged EXEC mode, use these commands to configure a BGP confederation: Command Purpose Step 1...
  • Page 774: Configuring Route Dampening

    Chapter 34 Configuring IP Unicast Routing Configuring BGP Beginning in privileged EXEC mode, use these commands to configure a route reflector and clients: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router bgp autonomous-system Enter BGP router configuration mode. Step 3 neighbor ip-address | peer-group-name Configure the local router as a BGP route reflector and the...
  • Page 775: Monitoring And Maintaining Bgp

    Table 34-11 lists the privileged EXEC commands for clearing and displaying BGP. For explanations of the display fields, refer to the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. Table 34-11 IP BGP Clear and Show Commands...
  • Page 776: Configuring Protocol-Independent Features

    RIP. For a complete description of the IP routing protocol-independent commands in this chapter, refer to the “IP Routing Protocol-Independent Commands” chapter of the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
  • Page 777 Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features The two main components in dCEF are the distributed FIB and the distributed adjacency tables. The FIB is similar to a routing table or information base and maintains a mirror image of the •...
  • Page 778: Configuring The Number Of Equal-Cost Routing Paths

    Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features Configuring the Number of Equal-Cost Routing Paths When a router has two or more routes to the same network with the same metrics, these routes can be thought of as having an equal cost. The term parallel path is another way to refer to occurrences of equal-cost routes in a routing table.
  • Page 779: Specifying Default Routes And Networks

    Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features Use the no ip route prefix mask {address | interface} global configuration command to remove a static route. The switch retains static routes until you remove them. However, you can override static routes with dynamic routing information by assigning administrative distance values.
  • Page 780: Using Route Maps To Redistribute Routing Information

    The system periodically scans its routing table to choose the optimal default network as its default route. In IGRP networks, there might be several candidate networks for the system default. Cisco routers use administrative distance and metric information to set the default route or the gateway of last resort.
  • Page 781 Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features You can also identify route-map statements as permit or deny. If the statement is marked as a deny, the packets meeting the match criteria are sent back through the normal forwarding channels (destination-based routing).
  • Page 782 Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 11 match route-type {local | internal | external [type-1 | type-2]} Match the specified route-type: local—Locally generated BGP routes. internal—OSPF intra-area and interarea routes or EIGRP internal routes. external—OSPF external routes (Type 1 or Type 2) ...
  • Page 783 Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 23 show route-map Display all route maps configured or only the one specified to verify configuration. Step 24 copy running-config startup-config (Optional) Save your entries in the configuration file. To delete an entry, use the no route-map map tag global configuration command or the no match or no set route-map configuration commands.
  • Page 784: Configuring Policy-Based Routing

    For details about PBR commands and keywords, refer to the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of PBR commands that are visible but not supported by the switch, see Appendix C, “Unsupported Commands in Cisco IOS Release 12.2(20)SE.”...
  • Page 785: Pbr Configuration Guidelines

    Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features PBR Configuration Guidelines Before configuring PBR, you should be aware of this information: To use PBR, you must have the EMI installed on the stack master. Multicast traffic is not policy-routed; PBR applies only to unicast traffic. ...
  • Page 786 Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features Beginning in privileged EXEC mode, follow these steps to configure PBR: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 route-map map-tag [permit | deny] [sequence number] Define any route maps used to control where packets are output, and enter route-map configuration mode.
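The following configuration is an added example and is not taken from the guide. It carries the PBR steps above through to a complete policy that steers outbound HTTP from one user subnet to an inspection host while leaving all other traffic on the normal routing table. ACL 101, the route-map name TO-PROXY, the next hop 10.1.99.10, and VLAN 10 are assumptions.

```ios
! Added example, not from the guide. ACL number, route-map name, next hop and interface are assumptions.
! Match only outbound HTTP from the user subnet.
access-list 101 permit tcp 10.1.10.0 0.0.0.255 any eq www
!
route-map TO-PROXY permit 10
 match ip address 101
 set ip next-hop 10.1.99.10
! Empty permit clause: everything that did not match above is forwarded by the routing table.
route-map TO-PROXY permit 20
!
interface vlan 10
 ip address 10.1.10.1 255.255.255.0
 ! The policy applies to unicast packets entering this interface.
 ip policy route-map TO-PROXY
!
! Verify: the route-map display includes a match counter per clause.
show route-map TO-PROXY
show ip policy
```

Note that when no listed next hop is reachable, matching packets fall back to destination-based forwarding (which is why Step 3 of the route-map procedure accepts several next-hop addresses). An inspection path built this way therefore fails open; watch the clause counters in show route-map to confirm traffic is actually being diverted.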
  • Page 787: Filtering Routing Information

    Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 14 show ip local policy (Optional) Display whether or not local policy routing is enabled and, if so, the route map being used. Step 15 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 788: Controlling Advertising And Processing In Routing Updates

    Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features Use a network monitoring privileged EXEC command such as show ip ospf interface to verify the interfaces that you enabled as passive, or use the show ip interface privileged EXEC command to verify the interfaces that you enabled as active.
  • Page 789: Managing Authentication Keys

    Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features Beginning in privileged EXEC mode, follow these steps to filter sources of routing information: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router {bgp | rip | ospf | igrp | eigrp} Enter router configuration mode.
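The following configuration is an added example and is not taken from the guide. It serves both "Controlling Advertising and Processing in Routing Updates" and the filtering procedure above: passive-interface default with one interface re-enabled, an inbound distribute list, and a distance of 255 for one specific source, which keeps its routes out of the routing table. The addresses, ACL 10, VLAN 10 (user) and VLAN 100 (uplink) are assumptions; RIP is used because the same commands appear in its router mode.

```ios
! Added example, not from the guide. Addresses, ACL number and interfaces are assumptions.
! Only prefixes inside 10.1.0.0/16 may be learned on the user VLAN.
access-list 10 permit 10.1.0.0 0.0.255.255
!
router rip
 version 2
 network 10.0.0.0
 ! Stop sending updates on every interface, then re-enable only the uplink.
 passive-interface default
 no passive-interface vlan 100
 ! Passive suppresses sending only; RIP still listens on VLAN 10, so filter what it accepts.
 distribute-list 10 in vlan 10
 ! Anything learned from 10.1.10.9 gets distance 255 and is never installed.
 distance 255 10.1.10.9 0.0.0.0
!
! Verify: show ip protocols lists the passive interfaces, the inbound filter and the distance entries.
show ip protocols
show ip route rip
```

On a user-facing VLAN, passive-interface on its own is not a security control for RIP: a host can still send updates that the switch will accept. The distribute list and, better, interface authentication are what limit injected routes.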
  • Page 790: Monitoring And Maintaining The Ip Network

    Chapter 34 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network Command Purpose Step 4 key-string text Identify the key string. The string can contain from 1 to 80 uppercase and lowercase alphanumeric characters, but the first character cannot be a number. Step 5 accept-lifetime start-time {infinite | end-time | duration (Optional) Specify the time period during which the key...
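The following configuration is an added example and is not taken from the guide. It shows the key-management steps above used for a planned key change: two keys with overlapping accept lifetimes and non-overlapping send lifetimes, so that neighbors that roll a little early or late are still authenticated. Lifetimes are compared with the system clock, so the clock must be correct before they are trusted. The key strings, dates, chain name, and NTP server address are assumptions.

```ios
! Added example, not from the guide. Key strings, dates and the NTP server are assumptions.
! Lifetimes are evaluated against the system clock; synchronize it first.
ntp server 10.1.1.250
!
key chain RIP-KEYS
 ! Key 1: stops being sent at 00:00 on 1 Jun 2004 but is still accepted for one more hour.
 key 1
  key-string oldK3y2004
  accept-lifetime 00:00:00 Jan 1 2004 01:00:00 Jun 1 2004
  send-lifetime 00:00:00 Jan 1 2004 00:00:00 Jun 1 2004
 ! Key 2: accepted one hour early so a neighbor that rolls first is not rejected.
 key 2
  key-string newK3y2004
  accept-lifetime 23:00:00 May 31 2004 infinite
  send-lifetime 00:00:00 Jun 1 2004 infinite
!
! Verify which keys are currently valid for sending and for receiving.
show key chain
```

Key strings follow the rule in Step 4 (1 to 80 alphanumeric characters, first character not a digit). If the clock is wrong or unset, a key with a finite lifetime may be treated as expired and every neighbor drops at once, so check show clock before deploying lifetimes.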
  • Page 791: Configuring Hsrp

    Note: For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2. This chapter consists of these sections: ...
  • Page 792: Chapter 35 Configuring Hsrp

    2 as an active router with another interface on switch 1 as its standby router. Note Cisco IOS Release 12.2(18)SE and above supports Multiple HSRP (MHSRP), an extension of HSRP that allows load sharing between two or more Hot Standby groups.
  • Page 793: Configuring Hsrp

    Chapter 35 Configuring HSRP Configuring HSRP Figure 35-1 Typical HSRP Configuration [figure: Router A (active router, 172.20.128.1) and Router B (standby router, 172.20.128.2) share the virtual router address 172.20.128.3; Host A and Host C (172.20.128.55, 172.20.128.32) and Host B (172.20.130.5)] Configuring HSRP These sections include HSRP configuration information: Default HSRP Configuration, page 35-4 ...
  • Page 794: Default Hsrp Configuration

    Chapter 35 Configuring HSRP Configuring HSRP Default HSRP Configuration Table 35-1 shows the default HSRP configuration. Table 35-1 Default HSRP Configuration Feature Default Setting HSRP groups None configured Standby group number Standby MAC address System assigned as: 0000.0c07.acXX, where XX is the HSRP group number Standby priority Standby delay...
  • Page 795: Configuring Hsrp Group Attributes

    Chapter 35 Configuring HSRP Configuring HSRP Beginning in privileged EXEC mode, follow these steps to create or enable HSRP on a Layer 3 interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and enter the Layer 3 interface on which you want to enable HSRP.
  • Page 796: Configuring Hsrp Priority

    Chapter 35 Configuring HSRP Configuring HSRP Configuring HSRP Priority The standby priority, standby preempt, and standby track interface configuration commands are all used to set characteristics for finding active and standby routers and behavior regarding when a new active router takes over. When configuring priority, follow these guidelines: •...
  • Page 797 Chapter 35 Configuring HSRP Configuring HSRP Figure 35-2 MHSRP Load Sharing [figure: Router A (10.0.0.1, E0) is the active router for group 1 and the standby router for group 2; Router B (10.0.0.2) is the active router for group 2 and the standby router for group 1; Clients 1 through 4 are split between the two groups]
  • Page 798 Chapter 35 Configuring HSRP Configuring HSRP Beginning in privileged EXEC mode, use one or more of these steps to configure HSRP priority characteristics on an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and enter the HSRP interface on which you want to set priority.
  • Page 799: Configuring Hsrp Authentication And Timers

    standby [group-number] authentication string (Optional) authentication string—Enter a string to be carried in all HSRP messages. The authentication string can be up to eight characters in length; the default string is cisco. (Optional) group-number—The group number to which the command applies.
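The following configuration is an added example and is not taken from the guide. It brings together the priority, preempt, track, timer, and authentication commands from the preceding sections for the two routers of Figure 35-1. The addresses follow the figure; group 1, VLAN 10, the tracked uplink port, the priority values, and the authentication string are assumptions.

```ios
! Added example, not from the guide. Addresses follow Figure 35-1; group number, interfaces,
! priorities and the authentication string are assumptions.
!
! --- Switch A: preferred active router ---
interface vlan 10
 ip address 172.20.128.1 255.255.255.0
 standby 1 ip 172.20.128.3
 standby 1 priority 110
 ! Reclaim the active role after a reload, but wait 30 s for routing to converge first.
 standby 1 preempt delay minimum 30
 ! Lower the priority by 20 (below B's 100) if the uplink goes down.
 standby 1 track gigabitethernet1/0/1 20
 ! 1 s hello, 3 s hold; must match on both routers.
 standby 1 timers 1 3
 ! Eight characters maximum; replaces the default string "cisco".
 standby 1 authentication h5rpK3y1
!
! --- Switch B: standby at the default priority of 100, same group, VIP, timers and string ---
interface vlan 10
 ip address 172.20.128.2 255.255.255.0
 standby 1 ip 172.20.128.3
 standby 1 preempt
 standby 1 track gigabitethernet1/0/1 20
 standby 1 timers 1 3
 standby 1 authentication h5rpK3y1
!
show standby vlan 10
```

The authentication string is carried in cleartext in every hello, so anything attached to VLAN 10 can read it and then send its own hellos with a higher priority to become the active router for 172.20.128.3. Treat the string as protection against accidentally overlapping groups, not against a deliberate takeover; the control that matters is who can attach to the VLAN.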
  • Page 800: Enabling Hsrp Support For Icmp Redirect Messages

    Enabling HSRP Support for ICMP Redirect Messages In releases earlier than Cisco IOS Release 12.2(18)SE, ICMP (Internet Control Message Protocol) redirect messages were automatically disabled on interfaces configured with HSRP. ICMP is a network layer Internet protocol that provides message packets to report errors and other information relevant to IP processing.
  • Page 801: Configuring Hsrp Groups And Clustering

    HSRP. This feature filters outgoing ICMP redirect messages through HSRP, in which the next hop IP address might be changed to an HSRP virtual IP address. For more information, refer to the Cisco IOS IP Configuration Guide, Release 12.2.
  • Page 802 Chapter 35 Configuring HSRP Displaying HSRP Configurations
  • Page 803: Configuring Ip Multicast Routing

    To use this feature, the stack master must be running the enhanced multilayer image (EMI). Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2.
  • Page 804: C H A P T E R 36 Configuring Ip Multicast Routing

    • Internet (MBONE). The software supports PIM-to-DVMRP interaction. • Cisco Group Management Protocol (CGMP) is used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. Figure 36-1 shows where these protocols operate within the IP multicast environment.
  • Page 805: Igmp Version 1

    Chapter 36 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing what members it has can vary from group to group and from time to time. A multicast group can be active for a long time, or it can be very short-lived. Membership in a group can constantly change. A group that has members can have no activity.
  • Page 806: Pim Versions

    Chapter 36 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing PIM Versions PIMv2 includes these improvements over PIMv1: A single, active rendezvous point (RP) exists per multicast group, with multiple backup RPs. This single RP compares to multiple active RPs for the same group in PIMv1.
  • Page 807: Auto-Rp

    This proprietary feature eliminates the need to manually configure the RP information in every router and multilayer switch in the network. For Auto-RP to work, you configure a Cisco router or multilayer switch as the mapping agent. It uses IP multicast to learn which routers or switches in the network are possible candidate RPs to receive candidate RP announcements.
  • Page 808: Multicast Forwarding And Reverse Path Check

    Chapter 36 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing Multicast Forwarding and Reverse Path Check With unicast routing, routers and multilayer switches forward traffic through the network along a single path from the source to the destination host whose IP address appears in the destination address field of the IP packet.
  • Page 809: Understanding Dvmrp

    This protocol has been deployed in the MBONE and in other intradomain multicast networks. Cisco routers and multilayer switches run PIM and can forward multicast packets to and receive from a DVMRP neighbor. It is also possible to propagate DVMRP routes into and through a PIM cloud. The software propagates DVMRP routes and builds a separate database for these routes on each router and multilayer switch, but PIM uses this routing information to make the packet-forwarding decision.
  • Page 810: Multicast Routing And Switch Stacks

    (required if the interface is in sparse-dense mode, and you want to treat the group as a sparse group) Using Auto-RP and a BSR, page 36-22 (required for non-Cisco PIMv2 devices to interoperate with Cisco PIMv1 devices) Monitoring the RP Mapping Information, page 36-23 (optional) ...
  • Page 811: Multicast Routing Configuration Guidelines

    PIMv2 BSR. However, Auto-RP is a standalone protocol, separate from PIMv1, and is a proprietary Cisco protocol. PIMv2 is a standards track protocol in the IETF. We recommend that you use PIMv2. The BSR mechanism interoperates with Auto-RP on Cisco routers and multilayer switches.
  • Page 812: Auto-Rp And Bsr Configuration Guidelines

    If you have a network that includes non-Cisco routers, configure the Auto-RP mapping agent and the BSR on a Cisco PIMv2 router or multilayer switch. Ensure that no PIMv1 device is on the path between the BSR and a non-Cisco PIMv2 router.
  • Page 813 Chapter 36 Configuring IP Multicast Routing Configuring IP Multicast Routing By default, multicast routing is disabled, and there is no default mode setting. This procedure is required. Beginning in privileged EXEC mode, follow these steps to enable IP multicasting, to configure a PIM version, and to configure a PIM mode.
  • Page 814: Configuring A Rendezvous Point

    You can use several methods, as described in these sections: Manually Assigning an RP to Multicast Groups, page 36-12; Configuring Auto-RP, page 36-14 (a standalone, Cisco-proprietary protocol separate from PIMv1); Configuring PIMv2 BSR, page 36-18 (a standards track protocol in the Internet Engineering Task ...
  • Page 815 Chapter 36 Configuring IP Multicast Routing Configuring IP Multicast Routing Beginning in privileged EXEC mode, follow these steps to manually configure the address of the RP. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip pim rp-address ip-address Configure the address of a PIM RP.
  • Page 816: Configuring Auto-Rp

    Configuring IP Multicast Routing Configuring Auto-RP Auto-RP uses IP multicast to automate the distribution of group-to-RP mappings to all Cisco routers and multilayer switches in a PIM network. It has these benefits: It is easy to use multiple RPs within a network to serve different group ranges.
  • Page 817 Chapter 36 Configuring IP Multicast Routing Configuring IP Multicast Routing Beginning in privileged EXEC mode, follow these steps to deploy Auto-RP in an existing sparse-mode cloud. This procedure is optional. Command Purpose Step 1 show running-config Verify that a default RP is already configured on all PIM devices and the RP in the sparse-mode network.
  • Page 818 Chapter 36 Configuring IP Multicast Routing Configuring IP Multicast Routing Command Purpose Step 5 ip pim send-rp-discovery scope ttl Find a switch whose connectivity is not likely to be interrupted, and assign it the role of RP-mapping agent. For scope ttl, specify the time-to-live value in hops to limit the RP discovery packets.
  • Page 819 Chapter 36 Configuring IP Multicast Routing Configuring IP Multicast Routing Filtering Incoming RP Announcement Messages You can add configuration commands to the mapping agents to prevent a maliciously configured router from masquerading as a candidate RP and causing problems. Beginning in privileged EXEC mode, follow these steps to filter incoming RP announcement messages. This procedure is optional.
  • Page 820: Configuring Pimv2 Bsr

    Chapter 36 Configuring IP Multicast Routing Configuring IP Multicast Routing This example shows a sample configuration on an Auto-RP mapping agent that is used to prevent candidate RP announcements from being accepted from unauthorized candidate RPs: Switch(config)# ip pim rp-announce-filter rp-list 10 group-list 20 Switch(config)# access-list 10 permit host 172.16.5.1 Switch(config)# access-list 10 permit host 172.16.2.1 Switch(config)# access-list 20 deny 239.0.0.0 0.0.255.255...
  • Page 821 Chapter 36 Configuring IP Multicast Routing Configuring IP Multicast Routing To remove the PIM border, use the no ip pim bsr-border interface configuration command. Figure 36-3 Constraining PIMv2 BSR Messages [figure: a PIMv2 sparse-mode network in which the ip pim bsr-border command is configured on the border interfaces]
  • Page 822 Chapter 36 Configuring IP Multicast Routing Configuring IP Multicast Routing To remove the boundary, use the no ip multicast boundary interface configuration command. This example shows a portion of an IP multicast boundary configuration that denies Auto-RP information: Switch(config)# access-list 1 deny 224.0.1.39 Switch(config)# access-list 1 deny 224.0.1.40 Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# ip multicast boundary 1...
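The following configuration is an added example and is not taken from the guide. It completes the Auto-RP filter fragment from "Filtering Incoming RP Announcement Messages" and the multicast boundary fragment above into one consistent set, and generalizes the page's 239.0.0.0/16 group list to the whole administratively scoped 239.0.0.0/8 range. The candidate RP addresses 172.16.5.1 and 172.16.2.1 are the ones in the page's fragment; the ACL numbers, TTL scope, loopback, and border interface are assumptions. The three parts belong on three different devices.

```ios
! Added example, not from the guide. Generalizes the page's fragments to a /8 scope.
! Addresses, ACL numbers, scope and interfaces are assumptions.
!
! --- Mapping agent: accept candidate-RP announcements only from these two routers,
!     and never for the administratively scoped 239.0.0.0/8 range ---
access-list 10 permit host 172.16.5.1
access-list 10 permit host 172.16.2.1
access-list 20 deny 239.0.0.0 0.255.255.255
access-list 20 permit 224.0.0.0 15.255.255.255
ip pim rp-announce-filter rp-list 10 group-list 20
ip pim send-rp-discovery scope 16
!
! --- Candidate RP 172.16.5.1 (address on loopback0): announce the non-scoped range only ---
access-list 30 deny 239.0.0.0 0.255.255.255
access-list 30 permit 224.0.0.0 15.255.255.255
ip pim send-rp-announce loopback0 scope 16 group-list 30
!
! --- Domain border: keep Auto-RP (224.0.1.39/40), scoped groups and BSR messages inside ---
access-list 1 deny 224.0.1.39
access-list 1 deny 224.0.1.40
access-list 1 deny 239.0.0.0 0.255.255.255
access-list 1 permit 224.0.0.0 15.255.255.255
interface gigabitethernet1/0/1
 ip multicast boundary 1
 ip pim bsr-border
!
! Verify on any PIM device: each group range, the RP serving it, and where the mapping came from.
show ip pim rp mapping
```

Without the rp-announce-filter, any router that can reach the mapping agent with a TTL inside the scope can announce itself as RP for 224.0.0.0/4 and capture every group; the filter on the agent is what makes the candidate list a decision rather than a race. The boundary ACL separately stops a neighboring domain's Auto-RP traffic from being accepted at all, and ip pim bsr-border does the same for BSR, which the multicast boundary does not cover.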
  • Page 823 IP multicast address space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR. When deciding which devices should be RPs, consider these options: • In a network of Cisco routers and multilayer switches where only Auto-RP is used, any device can be configured as an RP. •...
  • Page 824: Using Auto-Rp And A Bsr

    Switch(config)# access-list 4 permit 239.0.0.0 0.255.255.255 Using Auto-RP and a BSR If there are only Cisco devices in your network (no routers from other vendors), there is no need to configure a BSR. Configure Auto-RP in a network that is running both PIMv1 and PIMv2.
  • Page 825: Monitoring The Rp Mapping Information

    Chapter 36 Configuring IP Multicast Routing Configuring Advanced PIM Features Monitoring the RP Mapping Information To monitor the RP mapping information, use these commands in privileged EXEC mode: • show ip pim bsr displays information about the elected BSR. show ip pim rp-hash group displays the RP that was selected for the specified group. •...
  • Page 826 Chapter 36 Configuring IP Multicast Routing Configuring Advanced PIM Features Figure 36-4 Shared Tree and Source Tree (Shortest-Path Tree) [figure: Routers A, B, and C between a Source and a Receiver, showing the shared tree from the RP and the source tree (shortest-path tree) from the source] If the data rate warrants, leaf routers (routers without any downstream connections) on the shared tree can use the data distribution tree rooted at the source.
  • Page 827: Delaying The Use Of Pim Shortest-Path Tree

    Chapter 36 Configuring IP Multicast Routing Configuring Advanced PIM Features Delaying the Use of PIM Shortest-Path Tree The change from shared to source tree happens when the first data packet arrives at the last-hop router (Router C in Figure 36-4). The ip pim spt-threshold global configuration command controls when this change occurs.
  • Page 828: Modifying The Pim Router-Query Message Interval

    Chapter 36 Configuring IP Multicast Routing Configuring Advanced PIM Features Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no ip pim spt-threshold {kbps | infinity} global configuration command.
  • Page 829: Configuring Optional Igmp Features

    Chapter 36 Configuring IP Multicast Routing Configuring Optional IGMP Features Configuring Optional IGMP Features These sections describe how to configure optional IGMP features: • Default IGMP Configuration, page 36-27 • Configuring the Switch as a Member of a Group, page 36-27 (optional) •...
  • Page 830: Controlling Access To Ip Multicast Groups

    Chapter 36 Configuring IP Multicast Routing Configuring Optional IGMP Features Beginning in privileged EXEC mode, follow these steps to configure the switch to be a member of a group. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration...
  • Page 831: Changing The Igmp Version

    Chapter 36 Configuring IP Multicast Routing Configuring Optional IGMP Features Command Purpose Step 5 access-list access-list-number {deny | permit} source [source-wildcard] Create a standard access list. For access-list-number, specify the access list created in Step 3. • The deny keyword denies access if the conditions are matched. • The permit keyword permits access if the conditions are matched.
  • Page 832: Modifying The Igmp Host-Query Message Interval

    Chapter 36 Configuring IP Multicast Routing Configuring Optional IGMP Features Command Purpose Step 5 show ip igmp interface [interface-id] Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no ip igmp version interface configuration command. Modifying the IGMP Host-Query Message Interval The switch periodically sends IGMP host-query messages to discover which multicast groups are present on attached networks.
  • Page 833: Changing The Igmp Query Timeout For Igmpv2

    Chapter 36 Configuring IP Multicast Routing Configuring Optional IGMP Features Changing the IGMP Query Timeout for IGMPv2 If you are using IGMPv2, you can specify the period of time before the switch takes over as the querier for the interface. By default, the switch waits twice the query interval controlled by the ip igmp query-interval interface configuration command.
  • Page 834: Configuring The Switch As A Statically Connected Member

    Chapter 36 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features To return to the default setting, use the no ip igmp query-max-response-time interface configuration command. Configuring the Switch as a Statically Connected Member Sometimes there is either no group member on a network segment or a host cannot report its group membership by using IGMP.
  • Page 835: Enabling Cgmp Server Support

    The switch serves as a CGMP server for devices that do not support IGMP snooping but have CGMP client functionality. CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. CGMP is necessary because the Layer 2 switch cannot distinguish between IP multicast data packets and IGMP report messages, which are both at the MAC-level and are addressed to the same group address.
  • Page 836: Configuring Sdr Listener Support

    Chapter 36 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Configuring sdr Listener Support The MBONE is the small subset of Internet routers and hosts that are interconnected and capable of forwarding IP multicast traffic. Other multimedia content is often broadcast over the MBONE. Before you can join a multimedia session, you need to know what multicast group address and port are being used for the session, when the session is going to be active, and what sort of applications (audio, video, and so forth) are required on your workstation.
  • Page 837: Limiting How Long An Sdr Cache Entry Exists

    Chapter 36 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Limiting How Long an sdr Cache Entry Exists By default, entries are never deleted from the sdr cache. You can limit how long the entry remains active so that if a source stops advertising SAP information, old advertisements are not needlessly kept. Beginning in privileged EXEC mode, follow these steps to limit how long an sdr cache entry stays active in the cache.
  • Page 838 Chapter 36 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Figure 36-5 Administratively-Scoped Boundaries (figure: Company XYZ with Engineering and Marketing groups; scopes 239.128.0.0/16 and 239.0.0.0/8). You can define an administratively-scoped boundary on a routed interface for multicast group addresses. A standard access list defines the range of addresses affected. When a boundary is defined, no multicast data packets are allowed to flow across the boundary from either direction.
  • Page 839: Configuring Basic Dvmrp Interoperability Features

    DVMRP routers or interoperate with DVMRP routers over an MBONE tunnel. DVMRP advertisements produced by the Cisco IOS software can cause older versions of the mrouted protocol to corrupt their routing tables and those of their neighbors.
  • Page 840 Chapter 36 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Beginning in privileged EXEC mode, follow these steps to configure the sources that are advertised and the metrics that are used when DVMRP route-report messages are sent. This procedure is optional. Command Purpose Step 1...
  • Page 841: Configuring A Dvmrp Tunnel

    You cannot configure a DVMRP tunnel between two routers. When a Cisco router or multilayer switch runs DVMRP through a tunnel, it advertises sources in DVMRP report messages, much as it does on real networks. The software also caches DVMRP report messages it receives and uses them in its RPF calculation.
  • Page 842 Chapter 36 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Beginning in privileged EXEC mode, follow these steps to configure a DVMRP tunnel. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard] Create a standard access list, repeating the command as many times as...
  • Page 843: Advertising Network 0.0.0.0 To Dvmrp Neighbors

    This example shows how to configure a DVMRP tunnel. In this configuration, the IP address of the tunnel on the Cisco switch is assigned unnumbered, which causes the tunnel to appear to have the same IP address as port 1. The tunnel endpoint source address is 172.16.2.1, and the tunnel endpoint address of the remote DVMRP router to which the tunnel is connected is 192.168.1.10.
  • Page 844: Responding To Mrinfo Requests

    171.69.214.18 -> 171.69.214.17 (mm1-45a.cisco.com) [1/0/pim] Configuring Advanced DVMRP Interoperability Features Cisco routers and multilayer switches run PIM to forward multicast packets to receivers and receive multicast packets from senders. It is also possible to propagate DVMRP routes into and through a PIM cloud.
  • Page 845: Enabling Dvmrp Unicast Routing

    DVMRP unicast routes, to which PIM can then reverse-path forward. Cisco devices do not perform DVMRP multicast routing among each other, but they can exchange DVMRP routes. The DVMRP routes provide a multicast topology that might differ from the unicast topology.
  • Page 846 Chapter 36 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Figure 36-6 Leaf Nonpruning DVMRP Neighbor (figure: source router or RP, PIM dense mode, Router A, Router B, receiver, Layer 3 switch; valid multicast traffic versus unnecessary multicast traffic sent toward a leaf nonpruning DVMRP device on a stub LAN with no members). You can prevent the switch from peering (communicating) with a DVMRP neighbor if that neighbor does...
  • Page 847 Chapter 36 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Figure 36-7 Router Rejects Nonpruning DVMRP Neighbor (figure: source router or RP, Router A, Router B, receiver, Layer 3 switch, leaf DVMRP device; multicast traffic gets to the receiver, not to the leaf DVMRP device. Callout: configure the ip dvmrp reject-non-pruners command on this interface.)
  • Page 848: Controlling Route Exchanges

    Chapter 36 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Controlling Route Exchanges These sections describe how to tune the Cisco device advertisements of DVMRP routes: • Limiting the Number of DVMRP Routes Advertised, page 36-46 (optional) • Changing the DVMRP Route Threshold, page 36-46 (optional) •...
  • Page 849: Configuring A Dvmrp Summary Address

    Cisco router that is not on these two Ethernet segments does not properly RPF-check on the DVMRP router and is discarded. You can force the Cisco router to advertise the summary address (specified by the address and mask pair in the ip dvmrp summary-address address mask interface configuration command) in place of any route that falls in this address range.
  • Page 850 (figure residue: DVMRP summary-address example showing 176.32.10.0/24 m = 1 and 176.32.15.0/24 m = 1 with ip pim dense-mode, a DVMRP router reached over a tunnel, the configuration "interface fastethernet1/0/2 / ip addr 176.32.15.1 255.255.255.0 / ip pim dense-mode", a Cisco DVMRP route table and a unicast routing table of 10,000 routes with columns Network, Intf, Metric, Dist and Src; first row 176.13.10.0/24 Fa1/0/1 10514432 90)...
  • Page 851: Disabling Dvmrp Autosummarization

    Chapter 36 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Disabling DVMRP Autosummarization By default, the software automatically performs some level of DVMRP summarization. Disable this function if you want to advertise all routes, not just a summary. In some special cases, you can use the neighboring DVMRP router with all subnet information to better control the flow of multicast traffic in the DVMRP network.
  • Page 852: Monitoring And Maintaining Ip Multicast Routing

    Chapter 36 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Beginning in privileged EXEC mode, follow these steps to change the default metric. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode.
  • Page 853: Clearing Caches, Tables, And Databases

    Chapter 36 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Clearing Caches, Tables, and Databases You can remove all contents of a particular cache, table, or database. Clearing a cache, table, or database might be necessary when the contents of the particular structure are, or are suspected to be, invalid. You can use any of the privileged EXEC commands in Table 36-4 to clear IP multicast caches, tables,...
  • Page 854: Monitoring Ip Multicast Routing

    Chapter 36 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Table 36-5 Commands for Displaying System and Network Statistics (continued) Command Purpose show ip mpacket [source-address | name] [group-address | name] [detail] Display the contents of the circular cache-header buffer.
  • Page 855: Configuring Msdp

    To use this feature, the stack master must be running the enhanced multilayer image (EMI). Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2.
  • Page 856: Chapter 37 Configuring Msdp

    Chapter 37 Configuring MSDP Understanding MSDP The purpose of this topology is to have domains discover multicast sources in other domains. If the multicast sources are of interest to a domain that has receivers, multicast data is delivered over the normal, source-tree building mechanism in PIM-SM.
  • Page 857: Msdp Benefits

    Chapter 37 Configuring MSDP Understanding MSDP Figure 37-1 MSDP Running Between RP Peers (figure: MSDP peers, an RP that is also an MSDP peer, MSDP SA messages and peer-RPF flooding over TCP connections, Register, multicast (S,G) join, source and receiver in a PIM sparse-mode domain). MSDP Benefits MSDP has these benefits: • It breaks up the shared multicast distribution tree.
  • Page 858: Configuring Msdp

    Chapter 37 Configuring MSDP Configuring MSDP Configuring MSDP These sections describe how to configure MSDP: • Default MSDP Configuration, page 37-4 • Configuring a Default MSDP Peer, page 37-4 (required) • Caching Source-Active State, page 37-6 (optional) • Requesting Source Information from an MSDP Peer, page 37-8 (optional) •...
  • Page 859 Chapter 37 Configuring MSDP Configuring MSDP Figure 37-2 Default MSDP Peer Network (figure: Router C as default MSDP peer in the ISP C PIM domain, 10.1.1.1; Switch B and Router A as default MSDP peers in the ISP A PIM domain and the customer PIM domain). Beginning in privileged EXEC mode, follow these steps to specify a default MSDP peer. This procedure is required.
  • Page 860: Caching Source-Active State

    Chapter 37 Configuring MSDP Configuring MSDP Command Purpose Step 3 ip prefix-list name [description string] | seq number {permit | deny} network (Optional) Create a prefix list using the name specified in Step 2. (Optional) For description string, enter a description of up to 80 •...
  • Page 861 Chapter 37 Configuring MSDP Configuring MSDP Beginning in privileged EXEC mode, follow these steps to enable the caching of source/group pairs. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip msdp cache-sa-state [list Enable the caching of source/group pairs (create an SA state).
  • Page 862: Requesting Source Information From An Msdp Peer

    Chapter 37 Configuring MSDP Configuring MSDP Requesting Source Information from an MSDP Peer Local RPs can send SA requests and get immediate responses for all active sources for a given group. By default, the switch does not send any SA request messages to its MSDP peers when a new member joins a group and wants to receive multicast traffic.
  • Page 863: Controlling Source Information That Your Switch Originates

    Chapter 37 Configuring MSDP Configuring MSDP Controlling Source Information that Your Switch Originates You can control the multicast source information that originates with your switch: • Sources you advertise (based on your sources) • Receivers of source information (based on knowing the requestor) •...
  • Page 864 Chapter 37 Configuring MSDP Configuring MSDP Command Purpose Step 3 access-list access-list-number {deny | permit} source [source-wildcard] Create an IP standard access list, repeating the command as many times as necessary. access-list access-list-number {deny | permit} protocol source source-wildcard Create an IP extended access list, repeating the command as many times as necessary.
  • Page 865: Filtering Source-Active Request Messages

    Chapter 37 Configuring MSDP Configuring MSDP Filtering Source-Active Request Messages By default, only switches that are caching SA information can respond to SA requests. By default, such a switch honors all SA request messages from its MSDP peers and supplies the IP addresses of the active sources.
  • Page 866: Controlling Source Information That Your Switch Forwards

    Chapter 37 Configuring MSDP Configuring MSDP Controlling Source Information that Your Switch Forwards By default, the switch forwards all SA messages it receives to all its MSDP peers. However, you can prevent outgoing messages from being forwarded to a peer by using a filter or by setting a time-to-live (TTL) value.
  • Page 867 This example shows how to allow only (S,G) pairs that pass access list 100 to be forwarded in an SA message to the peer named switch.cisco.com: Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet1/0/1 Switch(config)# ip msdp sa-filter out switch.cisco.com list 100 Switch(config)# access-list 100 permit ip 171.69.0.0 0.0.255.255 224.20.0.0 0.0.255.255...
  • Page 868: Using Ttl To Limit The Multicast Data Sent In Sa Messages

    Chapter 37 Configuring MSDP Configuring MSDP Using TTL to Limit the Multicast Data Sent in SA Messages You can use a TTL value to control what data is encapsulated in the first SA message for every source. Only multicast packets with an IP-header TTL greater than or equal to the ttl argument are sent to the specified MSDP peer.
  • Page 869 To remove the filter, use the no ip msdp sa-filter in {ip-address | name} [list access-list-number] [route-map map-tag] global configuration command. This example shows how to filter all SA messages from the peer named switch.cisco.com: Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet1/0/1 Switch(config)# ip msdp sa-filter in switch.cisco.com...
  • Page 870: Configuring An Msdp Mesh Group

    Chapter 37 Configuring MSDP Configuring MSDP Configuring an MSDP Mesh Group An MSDP mesh group is a group of MSDP speakers that have fully meshed MSDP connectivity among one another. Any SA messages received from a peer in a mesh group are not forwarded to other peers in the same mesh group.
  • Page 871: Including A Bordering Pim Dense-Mode Region In Msdp

    Chapter 37 Configuring MSDP Configuring MSDP Beginning in privileged EXEC mode, follow these steps to shut down a peer. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip msdp shutdown {peer-name | peer address} Administratively shut down the specified MSDP peer without losing configuration information.
  • Page 872: Configuring An Originating Address Other Than The Rp Address

    Chapter 37 Configuring MSDP Configuring MSDP Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Note that the ip msdp originator-id global configuration command also identifies an interface to be used as the RP address.
  • Page 873: Monitoring And Maintaining Msdp

    Chapter 37 Configuring MSDP Monitoring and Maintaining MSDP Monitoring and Maintaining MSDP To monitor MSDP SA messages, peers, state, or peer status, use one or more of the privileged EXEC commands in Table 37-1: Table 37-1 Commands for Monitoring and Maintaining MSDP Command Purpose debug ip msdp [peer-address | name] [detail] [routes]...
  • Page 875: Configuring Fallback Bridging

    To use this feature, the stack master must be running the enhanced multilayer image (EMI). Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Bridging and IBM Networking Command Reference, Volume 1 of 2, Release 12.2.
  • Page 876 Chapter 38 Configuring Fallback Bridging Understanding Fallback Bridging acts like a port on a router, but it is not connected to a router. A routed port is not associated with a particular VLAN, does not support VLAN subinterfaces, but behaves like a normal routed port. For more information about SVIs and routed ports, see Chapter 11, “Configuring Interface Characteristics.”...
  • Page 877: Fallback Bridging And Switch Stacks

    Chapter 38 Configuring Fallback Bridging Configuring Fallback Bridging Fallback Bridging and Switch Stacks When the stack master fails, a stack member becomes the new stack master by using the election process described in Chapter 5, “Managing Switch Stacks.” The new stack master creates a new VLAN-bridge spanning-tree instance, which temporarily puts the spanning-tree ports used for fallback bridging into a nonforwarding state.
  • Page 878: Default Fallback Bridging Configuration

    Chapter 38 Configuring Fallback Bridging Configuring Fallback Bridging Default Fallback Bridging Configuration Table 38-1 shows the default fallback bridging configuration. Table 38-1 Default Fallback Bridging Configuration Feature Default Setting Bridge groups None are defined or assigned to a port. No VLAN-bridge STP is defined.
  • Page 879 Chapter 38 Configuring Fallback Bridging Configuring Fallback Bridging Beginning in privileged EXEC mode, follow these steps to create a bridge group and to assign an interface to it. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 bridge bridge-group protocol Assign a bridge group number, and specify the VLAN-bridge...
  • Page 880: Adjusting Spanning-Tree Parameters

    Poorly planned adjustments can have a negative impact on performance. A good source on switching is the IEEE 802.1D specification. For more information, refer to the “References and Recommended Reading” appendix in the Cisco IOS Configuration Fundamentals Command Reference.
  • Page 881: Changing The Vlan-Bridge Spanning-Tree Priority

    Chapter 38 Configuring Fallback Bridging Configuring Fallback Bridging Changing the VLAN-Bridge Spanning-Tree Priority You can globally configure the VLAN-bridge spanning-tree priority of a switch when it ties with another switch for the position as the root switch. You also can configure the likelihood that the switch will be selected as the root switch.
  • Page 882: Assigning A Path Cost

    Chapter 38 Configuring Fallback Bridging Configuring Fallback Bridging Command Purpose Step 5 show running-config Verify your entry. Step 6 copy running-config startup-config (Optional) Save your entry in the configuration file. To return to the default setting, use the no bridge-group bridge-group priority interface configuration command.
  • Page 883: Adjusting Bpdu Intervals

    Chapter 38 Configuring Fallback Bridging Configuring Fallback Bridging Adjusting BPDU Intervals You can adjust BPDU intervals as described in these sections: • Adjusting the Interval between Hello BPDUs, page 38-9 (optional) • Changing the Forward-Delay Interval, page 38-10 (optional) • Changing the Maximum-Idle Interval, page 38-10 (optional) •...
  • Page 884 Chapter 38 Configuring Fallback Bridging Configuring Fallback Bridging Changing the Forward-Delay Interval The forward-delay interval is the amount of time spent listening for topology change information after a port has been activated for switching and before forwarding actually begins. Beginning in privileged EXEC mode, follow these steps to change the forward-delay interval. This procedure is optional.
  • Page 885: Disabling The Spanning Tree On An Interface

    [bridge-group] [interface-id | mac-address | verbose] privileged EXEC command at the stack member prompt. For information about the fields in these displays, refer to the Cisco IOS Bridging and IBM Networking Command Reference, Volume 1 of 2, Release 12.2.
  • Page 887: Troubleshooting

    C H A P T E R Troubleshooting This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Catalyst 3750 switch. Depending on the nature of the problem, you can use the command-line interface (CLI) or the Cluster Management Suite (CMS) to identify and solve problems.
  • Page 888: Chapter 39 Troubleshooting

    Step 1 From your PC, download the software image tar file (image_filename.tar) from Cisco.com. The Cisco IOS image is stored as a bin file in a directory in the tar file. For information about locating the software image files on Cisco.com, refer to the release notes.
  • Page 889 Step 11 start the transfer and to copy the software image into flash memory. Step 12 Boot the newly downloaded Cisco IOS image. switch:boot flash: image_filename.bin Step 13 Use the archive download-sw privileged EXEC command to download the software image to the switch or to the switch stack.
  • Page 890: Recovering From A Lost Or Forgotten Password

    Chapter 39 Troubleshooting Recovering from a Lost or Forgotten Password Recovering from a Lost or Forgotten Password The default configuration for the switch allows an end user with physical access to the switch to recover from a lost password by interrupting the boot process during power-on and by entering a new password. These recovery procedures require that you have physical access to the switch.
  • Page 891: Procedure With Password Recovery Enabled

    Chapter 39 Troubleshooting Recovering from a Lost or Forgotten Password Procedure with Password Recovery Enabled If the password-recovery mechanism is enabled, this message appears: The system has been interrupted prior to initializing the flash file system. The following commands will initialize the flash file system, and finish loading the operating system software: flash_init load_helper...
  • Page 892: Procedure With Password Recovery Disabled

    Chapter 39 Troubleshooting Recovering from a Lost or Forgotten Password Step 9 Copy the configuration file into memory: Switch# copy flash: config.text system: running-config Source filename [config.text]? Destination filename [running-config]? Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password. Step 10 Enter global configuration mode: Switch# configure terminal...
  • Page 893 Chapter 39 Troubleshooting Recovering from a Lost or Forgotten Password • If you enter n (no), the normal boot process continues as if the Mode button had not been pressed; you cannot access the boot loader prompt, and you cannot enter a new password. You see the message: Press Enter to continue..
  • Page 894: Preventing Switch Stack Problems

    Chapter 39 Troubleshooting Preventing Switch Stack Problems Step 9 Write the running configuration to the startup configuration file: Switch# copy running-config startup-config The new password is now in the startup configuration. Note: This procedure is likely to leave your switch virtual interface in a shutdown state. You can see which interface is in this state by entering the show running-config privileged EXEC command.
  • Page 895: Recovering From A Command Switch Failure

    Chapter 39 Troubleshooting Recovering from a Command Switch Failure For the commands that you can use to monitor the switch stack and its members, see the “Displaying Switch Stack Information” section on page 5-20. Recovering from a Command Switch Failure This section describes how to recover from a failed command switch.
  • Page 896 Chapter 39 Troubleshooting Recovering from a Command Switch Failure Step 6 Enter global configuration mode. Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Step 7 Remove the member switch from the cluster. Switch(config)# no cluster commander-address Return to privileged EXEC mode.
  • Page 897: Replacing A Failed Command Switch With Another Switch

    Chapter 39 Troubleshooting Recovering from a Command Switch Failure Step 17 Start your browser, and enter the IP address of the new command switch. Step 18 From the Cluster menu, select Add to Cluster to display a list of candidate switches to add to the cluster. Replacing a Failed Command Switch with Another Switch To replace a failed command switch with a switch that is command-capable but not part of the cluster,...
  • Page 898: Recovering From Lost Cluster Member Connectivity

    Chapter 39 Troubleshooting Recovering from Lost Cluster Member Connectivity Step 6 Enter Y at the first prompt. The prompts in the setup program vary depending on the switch you selected to be the command switch: Continue with configuration dialog? [yes/no]: y Configuring global parameters: If this prompt does not appear, enter enable, and press Return.
  • Page 899: Preventing Autonegotiation Mismatches

    Troubleshooting Power over Ethernet Switch Ports If a powered device (such as a Cisco IP Phone 7910) that is connected to a Power over Ethernet (PoE) switch port and is being powered by an AC power source loses power from the AC power source, the device might enter an error-disabled state.
  • Page 900: Monitoring Sfp Module Status

    For more information about error messages, refer to the system message guide for this release. If you are using a non-Cisco approved SFP module, remove the SFP module from the switch, and replace it with a Cisco-approved module. After inserting a Cisco-approved SFP module, use the errdisable recovery cause gbic-invalid global configuration command to verify the port status, and enter a time interval for recovering from the error-disabled state.
  • Page 901: Executing Ping

    Chapter 39 Troubleshooting Using Ping Executing Ping If you attempt to ping a host in a different IP subnetwork, you must define a static route to the network or have IP routing configured to route between those subnets. For more information, see Chapter 34, “Configuring IP Unicast Routing.”...
  • Page 902: Using Layer 2 Traceroute

    Usage Guidelines These are the Layer 2 traceroute usage guidelines: • Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP. For a list of switches that support Layer 2 traceroute, see the “Usage Guidelines”...
  • Page 903: Displaying The Physical Path

    Chapter 39 Troubleshooting Using IP Traceroute • The traceroute mac ip command output shows the Layer 2 path when the specified source and destination IP addresses belong to the same subnet. When you specify the IP addresses, the switch uses the Address Resolution Protocol (ARP) to associate the IP addresses with the corresponding MAC addresses and the VLAN IDs.
  • Page 904: Executing Ip Traceroute

    Chapter 39 Troubleshooting Using IP Traceroute of 1 or 0, it drops the datagram and sends an Internet Control Message Protocol (ICMP) time-to-live-exceeded message to the sender. Traceroute finds the address of the first hop by examining the source address field of the ICMP time-to-live-exceeded message. To identify the next hop, traceroute sends a UDP packet with a TTL value of 2.
  • Page 905: Using Tdr

    Understanding TDR In Cisco IOS Release 12.1(19)EA1 or later, you can use the Time Domain Reflector (TDR) feature to diagnose and resolve cabling problems. When running TDR, a local device sends a signal through a cable and compares the reflected signal to the initial signal.
  • Page 906: Running Tdr And Displaying The Results

    Chapter 39 Troubleshooting Using TDR Running TDR and Displaying the Results When you run TDR on an interface, you can run it on the stack master or a stack member. To run TDR, enter the test cable-diagnostics tdr interface interface-id privileged EXEC command: Switch# test cable-diagnostics tdr interface gigabitethernet1/0/2 TDR test started on interface Gi1/0/2 A TDR test can take a few seconds to run on an interface...
  • Page 907: Using Debug Commands

    For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
  • Page 908: Enabling Debugging On A Specific Feature

    Enabling Debugging on a Specific Feature: When you enable debugging, it is enabled only on the stack master. To enable debugging on a stack member, you must start a session from the stack master by using the session switch-number privileged EXEC command.
  • Page 909: Using The Show Platform Forward Command

    Possible destinations include the console, virtual terminals, internal buffer, and UNIX hosts running a syslog server. The syslog format is compatible with 4.3 Berkeley Standard Distribution (BSD) UNIX and its derivatives. Be aware that the debugging destination you use affects system overhead.
  • Page 910 Using the show platform forward Command (output excerpt):
        ------------------------------------------
        Packet 1
        Lookup    Key-Used                                    Index-Hit  A-Data
        OutptACL  50_0D020202_0D010101-00_40000014_000A0000  01FFE      03000000
        Port      Vlan   SrcMac          DstMac          Dscpv
        Gi1/0/1   0005   0001.0001.0001  0002.0002.0002
        ------------------------------------------
        Packet 2
        Lookup    Key-Used                                    Index-Hit  A-Data
        OutptACL  50_0D020202_0D010101-00_40000014_000A0000  01FFE      03000000
        Port      Vlan   SrcMac...
  • Page 911: Using The Crashinfo File

    Cisco IOS image to fail (crash). The switch writes the crash information to the console at the time of the failure, and the file is created the next time you boot the Cisco IOS image after the failure (instead of while the system is failing).
  • Page 912 You can display the most recent crashinfo file (that is, the file with the highest sequence number at the end of its filename) by entering the show stacks or the show tech-support privileged EXEC command. You also can access the file by using any command that can copy or display files, such as the more or the copy privileged EXEC command.
  • Page 913: Appendix

    • CISCO-CLUSTER-MIB • CISCO-CONFIG-COPY-MIB • CISCO-CONFIG-MAN-MIB • CISCO-ENTITY-FRU-CONTROL-MIB • CISCO-ENVMON-MIB • CISCO-FLASH-MIB (Flash memory on all switches is modeled as removable flash memory.) • CISCO-FTP-CLIENT-MIB • CISCO-HSRP-MIB • CISCO-HSRP-EXT-MIB (partial support) • CISCO-IGMP-FILTER-MIB • CISCO-IMAGE-MIB (Only stack master image details are shown.) • ...
  • Page 914: Appendix A Supported Mib

    • CISCO-PAE-MIB • CISCO-PAGP-MIB • CISCO-PING-MIB • CISCO-PROCESS-MIB (Only stack master details are shown.) • CISCO-RTTMON-MIB • CISCO-STACK-MIB (Partial support: for some objects, only stack master information is supported. ENTITY MIB is a better alternative.) • CISCO-STACKMAKER-MIB • CISCO-STP-EXTENSIONS-MIB • CISCO-SYSLOG-MIB • ...
  • Page 915: Using Ftp To Access The Mib Files

    Note: You can also use this URL for a list of supported MIBs for the Catalyst 3750 switch: ftp://ftp.cisco.com/pub/mibs/supportlists/cat3750/cat3750-supportlist.html You can access other information about MIBs and Cisco products on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml Using FTP to Access the MIB Files: You can obtain each MIB file by using this procedure: Use FTP to access the server ftp.cisco.com.
  • Page 917: Appendix

    Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note: For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. This appendix consists of these sections: • ...
  • Page 918: Displaying Available File Systems

    Working with the Flash File System: • Displaying Information about Files on a File System, page B-3 • Creating and Removing Directories, page B-4 • Copying Files, page B-5 • ...
  • Page 919: Appendix B Working With The Cisco IOS File System, Configuration Files, And Software Images

    Table B-1 show file systems Field Descriptions (continued). Field: Prefixes. Value: Alias for file system. flash:—Flash file system. nvram:—NVRAM. null:—Null destination for copies. You can copy a remote file to null to find its size.
  • Page 920: Changing Directories And Displaying The Working Directory

    Changing Directories and Displaying the Working Directory: Beginning in privileged EXEC mode, follow these steps to change directories and display the working directory.
  • Page 921: Copying Files

    Copying Files: To copy a file from a source to a destination, use the copy source-url destination-url privileged EXEC command. For the source and destination URLs, you can use running-config and startup-config keyword shortcuts.
  • Page 922: Creating, Displaying, And Extracting Tar Files

    Creating, Displaying, and Extracting tar Files: You can create a tar file and write files into it, list the files in a tar file, and extract the files from a tar file as described in the next sections.
  • Page 923: Extracting A Tar File

    For source-url, specify the source URL alias for the local or network file system. These options are supported: • For the local flash file system, the syntax is ...
  • Page 924: Displaying The Contents Of A File

    5-12. Configuration files contain commands entered to customize the function of the Cisco IOS software. A way to create a basic configuration file is to use the setup program or to enter the setup privileged EXEC command. For more information, see Chapter 4, “Assigning the Switch IP Address and Default...
  • Page 925: Guidelines For Creating And Using Configuration Files

    Working with Configuration Files: This section includes this information: • Guidelines for Creating and Using Configuration Files, page B-9 • Configuration File Types and Location, page B-9 • ...
  • Page 926: Preparing To Download Or Upload A Configuration File By Using Tftp

    Creating a Configuration File By Using a Text Editor: When creating a configuration file, you must list commands logically so that the system can respond appropriately.
  • Page 927 • Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).
  • Page 928 The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
  • Page 929: Downloading A Configuration File By Using Ftp

    This section includes this information: • Preparing to Download or Upload a Configuration File By Using FTP, page B-13 • Downloading a Configuration File By Using FTP, page B-13 • ...
  • Page 930 Step 6: Return to privileged EXEC mode. Step 7 (copy): Using FTP, copy the configuration file from a network server...
  • Page 931 Uploading a Configuration File By Using FTP: Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using FTP:...
  • Page 932: Copying Configuration Files By Using Rcp

    The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
  • Page 933: Downloading A Configuration File By Using Rcp

    • When you upload a file to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server.
  • Page 934: Uploading A Configuration File By Using Rcp

    This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101...
  • Page 935: Clearing Configuration Information

    Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you delete a file. By default, the switch prompts for confirmation on destructive file operations. For more information about the file prompt command, refer to the Cisco IOS Command Reference for Release 12.2.
  • Page 936: Working With Software Images

    Image Location on the Switch The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management. The image is stored on the system board flash memory (flash:).
  • Page 937 Cisco IOS image. total_image_file_size: Specifies the size of all the images (the Cisco IOS image and the web management files) in the tar file, which is an approximate measure of how much flash memory is required to hold them...
  • Page 938: Copying Image Files By Using Tftp

    Copying Image Files By Using TFTP: You can download a switch image from a TFTP server or upload the image from the switch to a TFTP server.
  • Page 939 • Before uploading the image file, you might need to create an empty file on the TFTP server. To create an empty file, enter the touch filename command, where filename is the name of the file you will use when uploading the image to the server.
  • Page 940 The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 941: Copying Image Files By Using Ftp

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: •...
  • Page 942 Use the ip ftp username and ip ftp password commands to specify a username and password for all copies. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username only for that operation.
  • Page 943 Step 7 (archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]...): Download the image file from the FTP server to the switch, and overwrite the current image.
  • Page 944 The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
  • Page 945: Copying Image Files By Using Rcp

    The archive upload-sw command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 946 RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username in this list: • The username specified in the archive download-sw or archive upload-sw privileged EXEC ...
  • Page 947 Downloading an Image File By Using RCP: You can download a new image file and replace or keep the current image. Beginning in privileged EXEC mode, follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image.
  • Page 948 Step 7 (archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-na...): Download the image file from the RCP server to the switch, and keep the current image.
  • Page 949 The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 950: Copying An Image File From One Stack Member To Another

    Copying an Image File from One Stack Member to Another: For switch stacks, the archive download-sw and archive upload-sw privileged EXEC commands can be used only through the stack master.
  • Page 951: Appendix

    Appendix: Unsupported Commands in Cisco IOS Release 12.2(20)SE. This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Catalyst 3750 switch prompt but are not supported in this release, either because they are not tested or because of Catalyst 3750 hardware limitations.
  • Page 952: Appendix C Unsupported Commands In Cisco IOS Release 12.2(20)SE

    ARP Commands. Unsupported Global Configuration Commands: arp ip-address hardware-address smds; arp ip-address hardware-address srp-a; arp ip-address hardware-address srp-b. Unsupported Interface Configuration Commands: arp probe; ip probe proxy. FallBack Bridging...
  • Page 953: Unsupported Interface Configuration Commands

    FallBack Bridging: bridge bridge-group domain domain-name; bridge irb; bridge bridge-group mac-address-table limit number; bridge bridge-group multicast-source; bridge bridge-group protocol dec; bridge bridge-group route protocol; bridge bridge-group subscriber policy policy; subscriber-policy policy [[no | default] packet [permit | deny]]...
  • Page 954: Hsrp

    HSRP. Unsupported Global Configuration Commands: interface Async; interface BVI; interface Dialer; interface Group-Async; interface Lex; interface Multilink; interface Virtual-Template; interface Virtual-Tokenring. Unsupported Interface Configuration Commands: standby mac-refresh seconds; standby use-bia...
  • Page 955: Unsupported Interface Configuration Commands

    IP Multicast Routing. Unsupported Interface Configuration Commands: switchport broadcast level; switchport multicast level; switchport unicast level. Note: These commands have been replaced by the storm-control {broadcast | multicast | unicast} level level [.level] interface configuration command.
  • Page 956: Unsupported Interface Configuration Commands

    IP Unicast Routing. Unsupported Interface Configuration Commands: frame-relay ip rtp header-compression [active | passive]; frame-relay map ip ip-address dlci [broadcast] compress; frame-relay map ip ip-address dlci rtp header-compression [active | passive]...
  • Page 957: Unsupported Global Configuration Commands

    IP Unicast Routing. Unsupported Global Configuration Commands: ip accounting-list ip-address wildcard; ip as-path access-list; ip accounting-transits count; ip cef accounting [per-prefix] [non-recursive]; ip cef traffic-statistics [load-interval seconds] [update-rate seconds]; ip flow-aggregation...
  • Page 958: Unsupported Bgp Router Configuration Commands

    IP Unicast Routing. Unsupported BGP Router Configuration Commands: address-family vpnv4; default-information originate; neighbor advertise-map; neighbor allowas-in; neighbor default-originate; neighbor description; network backdoor; table-map. Unsupported VPN Configuration Commands. Unsupported Route Map Commands...
  • Page 959: Mac Address Commands

    MAC Address Commands. Unsupported Privileged EXEC Commands: show mac address-table multicast. Note: Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast address-table entries for a VLAN.
  • Page 960: Unsupported Global Configuration Commands

    Network Address Translation (NAT) Commands. Unsupported Global Configuration Commands: ip msdp default-peer ip-address | name [prefix-list list] (Because BGP/MBGP is not supported, use the ip msdp peer command instead of this command.)
  • Page 961: Snmp

    SNMP. Unsupported Global Configuration Commands: snmp-server enable informs; snmp-server ifindex persist. Spanning Tree. Unsupported Global Configuration Command: spanning-tree pathcost method {long | short}. Unsupported Interface Configuration Command: spanning-tree stack-port. VLAN...

This manual is also suitable for:

Catalyst 3750
